CANADIAN PAYMENTS ASSOCIATION ASSOCIATION CANADIENNE DES PAIEMENTS STANDARD 012 IMAGE SECURITY STANDARD

Transcription

1 CANADIAN PAYMENTS ASSOCIATION ASSOCIATION CANADIENNE DES PAIEMENTS STANDARD 012 IMAGE SECURITY STANDARD 2013 CANADIAN PAYMENTS ASSOCIATION 2013 ASSOCIATION CANADIENNE DES PAIEMENTS This Rule is copyrighted by the Canadian Payments Association. All rights reserved, including the right of reproduction in whole or in part, without express written permission by the Canadian Payments Association. By publication of this standard, no position is taken with respect to the intellectual property rights of any person or entity. The CPA does not assume any liability to any person or entity for compliance with this standard, including liability (which is denied) if compliance with the standard infringes or is alleged to infringe the intellectual property rights of any person or entity.

2 Implementation and Revisions Implemented June 1, 2010 Amendments 1. To remove the requirement to create and maintain logs when images are read, updated, or deleted. Approved by the Board June 16, 2010, effective August 16, Amendments to accommodate Image Captured Payments. Approved by the Board June 13, 2013, effective August 12, 2013.

3 Table of Contents 1. Introduction and Scope Definitions Operational Principles Process Areas Security Requirements... 2 (a) Logical and administrative access control... 4 (b) Malicious Code... 5 (c) Incident Detection and Response... 5

4 Page 1 1. Introduction and Scope This Standard sets out the minimum security requirements for the handling of Images, Codeline and other data as per ANSI X with respect to: Confidentiality (only authorized individuals can access information to protect personal privacy and sensitive information); Integrity (information can only be modified or destroyed by authorized individuals); Authentication; Authorization; and Non-repudiation. This Standard seeks to ensure the integrity of Images and Codeline for business purposes and in the event that such Images and Codeline are to be used in legal proceedings. For this purpose: - An Image must be traceable to its initial point of capture; - Members must validate the Delivering Institution when receiving Images and any Codeline data; - The integrity of origin, receipt and content of Images and Codeline data must be ensured by way of administrative, technical, and physical controls; and - Access controls must be employed to ensure only authorized individuals can access stored or archived Images and Codeline. This Standard applies to Images and Codeline Data whenever such information is used by or on behalf of a Member for any of the Process Areas defined in Section 4, below. As such where a Member has a third party or other agent perform any process or transmit client data, that Member is accountable for ensuring that the third party or other agent adheres to the requirements set out in this Standard. This Standard does not apply to data that is derived from the Archive and used for other purposes, such as pay/no payment decisions, statement rendering, etc. For requirements regarding the destruction of original physical items (paper), please refer to Rule A10. This Standard relies on authoritative sources for the creation, management, and examination of a security infrastructure such as: 2. Definitions Federal Financial Institutions Examination Council (FFIEC) Information Security IT Examination Handbook, July 2006 ISO/IEC In this standard, 2.1 Delivering Institution means the Member sending Image of Codeline transmissions to another Member for the purpose of clearing and settlement. 2.2 Principle of Least Privilege means the minimum possible privileges to permit a legitimate action, in order to enhance the protection of data and functionality from faults and malicious behaviour. 2.3 Receiving Institution means the Member receiving Image or Codeline transmissions from another member for the purpose of clearing and settlement. 2.4 Secure Environment means a system which implement controlled and protected storage and use of information.

5 Page Transmission means the exchange of Image or Codeline files between physical locations (e.g. between Direct clearer sites, between regional and central sites, between Direct Clearers and Indirect Clearers, and between CPA Member Institutions and clients.) 3. Operational Principles Each Member who captures or purports to capture, exchange, or store Images or Codeline Data must ensure such capture, exchange, and storage takes place in a Secure Environment and that adequate controls and processes are in place to maintain the integrity, confidentiality, and availability of Images and Codeline Data. 4. Process Areas The Process areas set out in this Standard are namely: 4.1 Capture The capture process transforms physical items to Images or Images and Codeline Data and retains the physical items for periods described in CPA Rule A Storage The storage process involves recording Images, Codeline Data, or both on media for short-term use. 4.3 Transmission The transmission process is the exchange of Images, Codeline Data, or both between physical locations. The transmission process ends when the Receiving Direct Clearer acknowledges the receipt of transmitted files. 4.4 Archival The archival process moves or copies Images, Codeline Data, or both to a repository used to store and index Images and associated information at a Member branch or data centre. The archival process ends when an Image and any related Codeline Data is deleted. 4.5 Retrieval The retrieval process involves a request for the retrieval of specific Images and any related Codeline Data from an archive, which is received and authorized for processing. The Retrieval process ends when the Image is retrieved and delivered to the entity requesting the retrieval. 4.6 Deletion The deletion process involves the deletions of Images, Codeline Data, or both. The Deletion process is completed when no further access to the Images or Codeline data is possible. 4.7 Back up The back-up process creates and retains copies of information containing Image, Codeline Data, or both. 5. Security Requirements The requirements regarding Image and Codeline processes in this section are organized under the following security headings:

6 Page 3 (a) Logical and administrative access control; (b) Malicious Code; and (c) Incident Detection and Response. Members are accountable for ensuring adherence to the security requirements outlined below at all sites including respective back-up and recovery sites. This requirement applies to a Member even in situations where the services are performed by a third party or another Member on behalf of that Member.

7 Page 4 (a) Logical and administrative access control Process Area General Security requirement Logical and administrative access control a) Images and codeline data must be protected from unauthorized access and tampering via documented access control mechanisms. This protection is to be in effect from the point of capture to the point of deletion. b) Access to Images and Codeline Data must be restricted based on the principle of least privilege to both individuals and software that are authorized and authenticated. c) Access rights must be subject to regular reviews (annually, at a minimum). When access is granted, changed, or revoked it must be verified against approvals. d) A password policy must be in place that establishes at minimum, password controls for users. Capture a) The software used in the capture of Images or Codeline Data and the media created must be protected from unauthorized access. b) All changes to branch, ABM, or Data Centre capture systems performed by maintenance or repair personnel must be logged. Transmission All transmission of Image, Codeline Data, or both must take place in a Secure Environment. Storage Archival Retrieval Deletion Logical access to the storage devices and to the software must be restricted to authorized and authenticated individuals and software. Logical access to archived Images and Codeline Data must be restricted to individuals based on the principle of least privilege. Access to Images and Codeline Data must be restricted to authorized and authenticated individuals and software. When removing or retiring media from an entity s security perimeter* that may have been used to store Images, Codeline Data, or both: (a) If the media can be overwritten it must be sanitized through secure software overwrite**, degaussed, or physical destruction***. (b) If the media cannot be overwritten it must be physically destroyed. * Security perimeter refers to the area bounded by physical area in which a Member can exert complete control over its computer hardware, network hardware, premises, and Images including areas where Members use third party processors. ** Involves overwriting the storage media, including unused portions thereof, with random and patterned data, with the intent of making the recovery of the original data virtually impossible. Secure software deletion must follow industry accepted standards such as US DOD M or more current ANSI/X9 equivalents. *** Involves the physical incineration or shredding of the storage media with the intent of making recovery of original data impossible.

8 Page 5 (end) Back-up Logical access to the copies of information containing Image or Codeline Data and associated software and versions thereof is to be restricted to individuals based on the principle of least privilege. (b) Malicious Code Process Area General Security requirement Malicious Code The systems used for creating, storing, archiving, and transmitting Images and Codeline Data must be guarded, in accordance with industry best practices, against malicious code to prevent unauthorized modifications and security incidents. (c) Incident Detection and Response Process Area General Security requirement Incident Detection and Response a) Processes and procedures must be in place to identify and respond to unauthorized access attempts or breaches with respect to Images and Codeline transmissions and related systems. b) An incident response team must be in place with a formal incident response process to investigate possible unauthorized events. c) Where a breach or other failure of a Member s security safeguards results in a third party gaining unauthorized access to another Member s client data, the Member subject to the breach of failure must notify the other Member as soon as possible following the discovery of such unauthorized access.