IBM Financial Transaction Manager for SWIFT Services for z/OS
Version 3 Release 0
Checklist for CSP
IBM
This edition applies to Version 3 Release 0 of IBM® Financial Transaction Manager for SWIFT Services for z/OS (5655-FTB) and to all subsequent releases and modifications until otherwise indicated in new editions.
Reference key: 20191216-1100
© Copyright International Business Machines Corporation 2019.
US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with
IBM Corp.
Checklist for SWIFT Customer Security Program (CSP)
The following table helps you to create a self-attestation status report for the SWIFT Customer Security
Program (CSP). The columns provide the following information:
No.
The control number in SWIFT's Customer Security Framework document
Topic
The topic to which the control number refers
Condition
The condition whose compliance must be ensured
Applicable?
Boxes where you can put a tick (☑) for the following cases:
• The condition is applicable to FTM SWIFT
• The condition is applicable to other product(s) you use
• The condition is not applicable
For example, if you do not use FTM SWIFT's software integrity checker (SIC) but another product or
method to ensure software integrity, tick box "Other" for the first condition in topic 6.2, Software
integrity (and ignore the subsequent conditions).
Note: The boxes are not available for the following conditions:
• Conditions that do not depend on specific products (for example, the condition regarding
interactions with systems outside the secure zone in topic 1.1, Environment protection)
• Conditions that apply to FTM SWIFT only (for example, the condition regarding usage of FTM
SWIFT's command-line interface (CLI) in topic 1.2, Operating system privileged account control)
Comment
In this column you can enter any comment, for example:
• The date on which you checked the condition and found that its compliance is ensured
• The name of the person who checked the condition
• The reason why the condition does not apply to your system (if so)
• Another solution that you implemented to ensure the condition
Your operators can access the secure zone components only as follows:
• From a dedicated operator system within the secure zone
• From a general purpose operator system via a jump server located within the secure zone
• From a general purpose operator system, if they only access the messaging interface services of FTM SWIFT (FIN, MSIF, RMA) by means of a browser-based GUI. In this case, you restricted internet access by using remote desktop access or virtual machines, or by disabling internet access entirely.
Applicable? ☐ FTM SWIFT ☐ Other ☐ Not applicable
Table 1. Evaluation of CSP requirements (continued)
No. Topic Condition Applicable? Comment
1.2 Operating system privileged account control

You encapsulated invocation of utility programs in jobs or scripts that can be executed only within a controlled scope.
Applicable? ☐ FTM SWIFT ☐ Other ☐ Not applicable

You use FTM SWIFT's command-line interface (CLI) only for:
• Installation tasks
• Resolution of emergency situations
• Usage in jobs or scripts that can be executed only within a controlled scope
2.2 Security updates

You regularly ensure the following for all hardware and software inside the secure zone and on operator workstations:
• It is within the support lifecycle
• It is upgraded with mandatory software updates
• All security updates are applied immediately
Applicable? ☐ FTM SWIFT ☐ Other ☐ Not applicable

You regularly implement the latest published security bulletins for FTM SWIFT and all its prerequisite products.
Reference: IBM Security Vulnerability Management (PSIRT)
2.3 System hardening

You disabled all features and services that are not required for normal system operations. In particular, you did the following for all operator workstations, FTM SWIFT related applications, and the infrastructure within secure zones:
• You disallowed default passwords
• You disabled or removed unnecessary user accounts
• You disabled or restricted unnecessary services, ports, and protocols
• You removed unnecessary software
• You disabled unnecessary physical ports
• You adjusted any default configurations known to be vulnerable
• You enabled message broker administration security to limit access to the broker

For applications that transfer files larger than 100 MB using SWIFTNet FileAct: you established a secure file transport between the back office application and MSIF supporting the SWIFT requirements (for example, by using IBM MQ Managed File Transfer (MFT) or IBM Connect:Direct).
Applicable? ☐ Not applicable
2.5A External transmission data protection

You ensure the confidentiality of data that you extract from FTM SWIFT (for example, for off-line processing or backup purposes) and data that you transfer outside the secure zone. In particular:
• You protect files containing FIN messages that you exported from FTM SWIFT by using the Sequential Data Facility (for example, you protect them by encryption)
• You protect trace files that you transfer to IBM for analysis (for example, you protect them by encryption)

2.6A User session confidentiality and integrity

You configured expiration of LTPA tokens for IBM WebSphere Application Server applications.
Applicable? ☐ FTM SWIFT ☐ Other
Reference: WebSphere Application Server Knowledge Center
2.9A Transaction business controls

• If you are using FTM SWIFT's Relationship Management Application (RMA), you configured dual authorization for relationship management administration using the following values:
  – Number of approval steps: 1 or 2
  – User restriction: notprevious or alldifferent
  To check these values for all OUs:
  1. Issue the following CLI command to the system configuration service (DNI_SYSADM) and SYSOU:
  2. Check the command output and ensure that, for each OU, the value of attribute ApprovalSteps is either 1 or 2
  3. Issue the following CLI command to the system configuration service (DNI_SYSADM) and SYSOU:
  4. Check the command output and ensure that, for each OU, the value of attribute ApprovalUserRestriction is either notprevious or alldifferent
  Reference: Configuring the approval process for the RMA
• Otherwise, you implemented the four-eyes principle for the Relationship Management Application that you use
Applicable? ☐ FTM SWIFT ☐ Other ☐ Not applicable

You established additional controls based on your needs (for example, restricted operator sign-on hours by using an adequately configured identity provider component).
Applicable? ☐ FTM SWIFT ☐ Other ☐ Not applicable

Workplace environment:
• Your operator workstations are located in a secured workplace environment where access is controlled and granted only to employees and other authorized workers and visitors
• Your printers used for SWIFT transactions are located in a secured workplace environment, and their access is restricted
• USB and other external access points on operator PCs are disabled to the maximum extent possible, while still supporting operations

You established a security policy to support expected use cases for remote workers (for example, teleworkers or "on call" duties), where you considered the following items when establishing this policy:
• Physical security of the expected teleworking environment
• Rules for personal equipment used for SWIFT business purposes (for example, personal workstations cannot be used to access the SWIFT infrastructure; however, personal mobile devices can be used as a second authentication factor)
• Security during use in public environments
Applicable? ☐ Not applicable
4.1 Password policy

Your password policy defines at least the following criteria:
• Password expiration
• Password length, composition, complexity, and other restrictions
• Password reuse
• Lockout after failed authentication attempts, and remedy
• Passwords for secure zone systems are only stored within the secure zone
• The password requirements are modified as necessary for specific use cases:
  – In combination with a second factor (for example, one-time password)
  – Authentication target (for example, operating system, application, mobile device, token)
  – Type of account (general operator, privileged operator, application-to-application account or local authentication keys)
Applicable? ☐ Other

You defined your user accounts according to least privilege principles, that is:
• User and administrator privileges are controlled in a way that allows all privileges to be tailored to individual needs
• Accounts are granted only the privileges that are necessary, and additional privileges are only granted on a temporary basis
Applicable? ☐ FTM SWIFT ☐ Other

You review your user accounts at least annually, and you adjust them as required.
Applicable? ☐ FTM SWIFT ☐ Other

You revoke privileges promptly when an employee changes roles or leaves the organization.
Applicable? ☐ FTM SWIFT ☐ Other
• Operational use of the emergency procedure is logged
• The access of an emergency account is controlled
• The usage of the account is logged
• The password is changed immediately after the emergency incident
You defined your user accounts according to segregation of duties principles, that is:
• You enabled dual authorization for the system configuration service. To check this:
  1. Issue the following CLI command to the system configuration service (DNI_SYSADM) and SYSOU:
  2. Check the command output and ensure that the value of attribute DniFlagDoubleAuthCfg is Yes
  Reference: Setting dual authorization for the system configuration service
• You enabled dual authorization for the security administration service. To check this for all OUs (including SYSOU and DNFSYSOU):
  1. Issue the following CLI command to the system configuration service (DNI_SYSADM) and SYSOU:
  2. Check the command output and ensure that, for each OU, the value of attribute DniFlagDoubleAuthSecAdm is Yes
  Reference: Setting dual authorization for the security administration service
• Sensitive duties are separated. That is, some roles cannot be held by the same individual, for example:
  – Application administrator and security officer
  – Network administrator and operating system administrator
  – Database administrator (who creates tables and procedures) and data user (who selects, inserts, updates or deletes data)
  – IBM Integration Bus administrator and broker started task
• The user ID under which the broker runs is only a technical user ID,
Applicable? ☐ FTM SWIFT ☐ Other
6.2 Software integrity

You ensure software integrity of FTM SWIFT by either of the following:
• Using FTM SWIFT's software integrity checker (SIC). In this case, continue with the subsequent conditions in 6.2, Software integrity.
• Using another product or method. In this case, ignore the subsequent conditions in 6.2, Software integrity.
Applicable? ☐ FTM SWIFT ☐ Other

You execute the software integrity checker (SIC) automatically during startup of FTM SWIFT.
Applicable? ☐ Not applicable
Reference: Software Integrity Checker

You monitor syslog messages and FTM SWIFT events written by the SIC.
Applicable? ☐ Not applicable
Reference: Monitoring software integrity

You verify the signature of the SIC JAR file regularly.
Applicable? ☐ Not applicable
Reference: Monitoring software integrity
6.3 Database integrity

Your database audit facility is enabled to monitor system administration actions and to perform audits on a regular basis.

Your database administrators have no access to data in FTM SWIFT database tables, and the INSERT, UPDATE, DELETE and SELECT privileges are revoked for those users.

You ensure data integrity of FTM SWIFT by either of the following:
• Using FTM SWIFT's data integrity framework. In this case, continue with the subsequent conditions in 6.3, Data integrity.
• Using another product or method. In this case, ignore the subsequent conditions in 6.3, Data integrity.
Applicable? ☐ FTM SWIFT ☐ Other

You enabled the FTM SWIFT data integrity framework.
Applicable? ☐ Not applicable
Reference: Activating the data integrity framework

You run the data integrity checker (DIC) command check periodically (for example, by a cron job), and you check its return code after termination.
Applicable? ☐ Not applicable
Reference: DIC command check

You change the password used by the data integrity framework according to your policies by issuing the DIC command changepw.
Applicable? ☐ Not applicable
Reference: DIC command changepw
You monitor the system log for the following:
• Messages DNPD1310, DNPD1311, DNPD1312, DNPD1313, and DNPD1314 from the FTM SWIFT data integrity framework
• Any SQLSTATE dealing with the FTM SWIFT data integrity framework
Applicable? ☐ Not applicable
Reference: Monitoring data integrity
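The monitoring condition above names the message IDs to watch but not how to pick them out of a syslog feed. The following Python script is an added example, not part of the FTM SWIFT documentation or product: it scans syslog lines for DNPD1310 through DNPD1314 and for SQLSTATE values reported in the context of the data integrity framework, and produces a per-ID count for an alert digest. The log layout, the sample lines in SAMPLE_SYSLOG and their message texts are constructed for this example (the real DNPD message texts are not on this page); adapt the patterns to the syslog format your SIEM receives.

```python
"""Scan a system log for FTM SWIFT data integrity framework messages.

Added example, not from the FTM SWIFT documentation: it flags the
DNPD1310-DNPD1314 messages named in the checklist and any line that reports
an SQLSTATE in the context of the data integrity framework. The log layout and
the wording of SAMPLE_SYSLOG are constructed for this example; the message
texts are not the product's real texts.
"""
import re
from collections import Counter

# Message IDs named in checklist topic 6.3, "Monitoring data integrity".
DIF_MESSAGE_IDS = frozenset(f"DNPD131{n}" for n in range(5))  # DNPD1310..DNPD1314

# z/OS message IDs are often suffixed with a severity letter (I, W, E, ...);
# the optional [A-Z] keeps the bare ID in group 1 either way.
MSG_ID_RE = re.compile(r"\b(DNPD\d{4})[A-Z]?\b")
SQLSTATE_RE = re.compile(r"\bSQLSTATE\s*[=:]?\s*([0-9A-Z]{5})\b")
# An SQLSTATE only counts when the line ties it to the data integrity framework.
DIF_CONTEXT_RE = re.compile(r"data integrity|\bDNPD\d{4}", re.IGNORECASE)


def classify_line(line):
    """Return a finding for a line the checklist asks you to watch, else None."""
    m = MSG_ID_RE.search(line)
    if m and m.group(1) in DIF_MESSAGE_IDS:
        return {"kind": "dif_message", "id": m.group(1), "line": line.rstrip()}
    s = SQLSTATE_RE.search(line)
    if s and DIF_CONTEXT_RE.search(line):
        return {"kind": "sqlstate", "id": s.group(1), "line": line.rstrip()}
    return None


def scan_log(lines):
    """Return all findings, in log order."""
    return [f for f in map(classify_line, lines) if f]


def summarize(findings):
    """Count findings per message ID / SQLSTATE, for an alert digest."""
    return Counter(f["id"] for f in findings)


# Constructed sample log; the texts after the message IDs are placeholders.
SAMPLE_SYSLOG = """\
Dec 16 11:00:01 MVS1 DNPD1310I sample text, constructed for this example
Dec 16 11:00:09 MVS1 DNPD1312E sample text, constructed for this example
Dec 16 11:00:09 MVS1 data integrity framework SQL error, SQLSTATE = 51002 (constructed)
Dec 16 11:00:10 MVS1 DNPD9999I unrelated DNPD message (constructed)
Dec 16 11:00:11 MVS1 DNPD1314I sample text, constructed for this example
Dec 16 11:00:12 MVS1 SAMP001I some other job ended (constructed)
"""

if __name__ == "__main__":
    found = scan_log(SAMPLE_SYSLOG.splitlines())
    for f in found:
        print(f"{f['kind']:12} {f['id']}  {f['line']}")
    print("summary:", dict(summarize(found)))
```

Feed it the syslog extract of your choice (an SDSF export, a syslog forwarder spool, or a SIEM search result) and raise an alert on any non-empty result; the checklist asks you to watch all five IDs, so do not filter on severity suffix before the line reaches a human or a ticket.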
You verify the signature of the DIC JAR file regularly.
Applicable? ☐ Not applicable
Reference: Monitoring data integrity
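Both the 6.2 condition on the SIC JAR file and the 6.3 condition above on the DIC JAR file ask for a regular signature check. The JDK's `jarsigner -verify -verbose -certs <file>.jar` is the authoritative check, including the signer certificate. The Python script below is an added example, not the product's own tooling: it reproduces the integrity half of that check with the standard library only, comparing the SHA-256 digests recorded in META-INF/MANIFEST.MF against the entry contents and flagging entries the manifest does not cover, which is how a class dropped into a signed JAR shows up. It does not validate the PKCS#7 signature block over the .SF file, so run it alongside jarsigner, not instead of it. The JAR it builds, and all file names inside it, are constructed for the example.

```python
"""Check the digests recorded in a JAR's signed manifest against its entries.

Added example, not the product's own tooling. It covers the integrity half of
`jarsigner -verify` (manifest digests and unsigned entries) and leaves the
signature block itself to jarsigner. The sample JAR and its entry names are
constructed for this example.
"""
import base64
import hashlib
import io
import zipfile


def parse_manifest(text):
    """Split MANIFEST.MF into (main_attrs, {entry_name: attrs}).

    Manifest lines are folded at 72 bytes; a continuation line starts with a
    single space, so unfold before splitting into name/value pairs.
    """
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    sections, current = [], {}
    for line in unfolded:
        if not line.strip():
            if current:
                sections.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        sections.append(current)
    main = sections[0] if sections else {}
    entries = {s["Name"]: s for s in sections[1:] if "Name" in s}
    return main, entries


def verify_jar_digests(jar_bytes):
    """Return (ok, problems) for a JAR given as bytes."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = zf.namelist()
        if "META-INF/MANIFEST.MF" not in names:
            return False, ["no META-INF/MANIFEST.MF"]
        if not any(n.startswith("META-INF/") and n.endswith((".RSA", ".DSA", ".EC"))
                   for n in names):
            problems.append("no signature block (.RSA/.DSA/.EC) under META-INF/")
        _, entries = parse_manifest(zf.read("META-INF/MANIFEST.MF").decode("utf-8"))
        for name in names:
            if name.endswith("/") or name.startswith("META-INF/"):
                continue  # directories and signature metadata carry no digest
            attrs = entries.get(name)
            if attrs is None or "SHA-256-Digest" not in attrs:
                # Older signatures use SHA1-Digest; treat that as a finding too.
                problems.append(f"{name}: not covered by the manifest (unsigned entry)")
                continue
            actual = base64.b64encode(hashlib.sha256(zf.read(name)).digest()).decode()
            if actual != attrs["SHA-256-Digest"]:
                problems.append(f"{name}: digest mismatch")
    return not problems, problems


def build_sample_jar(entries, tamper=None, extra=None):
    """Build an in-memory JAR with a SHA-256 manifest (constructed sample).

    `tamper` names an entry whose bytes are altered after the manifest was
    computed; `extra` adds an entry the manifest never covered. The .SF and
    .RSA files are placeholders so the presence check passes; a real JAR
    carries a PKCS#7 blob there, which only jarsigner or a CMS verifier checks.
    """
    manifest = ["Manifest-Version: 1.0", ""]
    for name, data in entries.items():
        digest = base64.b64encode(hashlib.sha256(data).digest()).decode()
        manifest += [f"Name: {name}", f"SHA-256-Digest: {digest}", ""]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "\r\n".join(manifest) + "\r\n")
        zf.writestr("META-INF/SAMPLE.SF", "Signature-Version: 1.0\r\n")
        zf.writestr("META-INF/SAMPLE.RSA", b"placeholder signature block")
        for name, data in entries.items():
            zf.writestr(name, data + b"\x00" if name == tamper else data)
        if extra:
            zf.writestr(extra, b"dropped-in class (constructed)")
    return buf.getvalue()


# Constructed entries; names and bytes are placeholders, not product files.
SAMPLE_ENTRIES = {
    "com/example/dic/Main.class": b"\xca\xfe\xba\xbe constructed class bytes",
    "resources/dic.properties": b"check.interval=3600\n",
}

if __name__ == "__main__":
    for label, jar in [("clean", build_sample_jar(SAMPLE_ENTRIES)),
                       ("tampered", build_sample_jar(SAMPLE_ENTRIES, tamper="resources/dic.properties")),
                       ("extended", build_sample_jar(SAMPLE_ENTRIES, extra="com/example/Evil.class"))]:
        print(label, verify_jar_digests(jar))
```

In a cron job, read the installed file with `open(path, "rb").read()` and treat a non-empty problem list as an alert. Note what this check cannot see: a JAR that was re-signed by someone else passes the digest comparison, so also pin the signer certificate that jarsigner prints at installation time and alert when it changes.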
6.4 Logging and monitoring

You implemented logging of security-relevant activities, and you configured alarms for suspicious security events. For example:
• You implemented logging capabilities to detect abnormal usage within the secure zone as well as any attempt to undermine the effectiveness of controls within the secure zone
• Your FTM SWIFT messaging interface audit logs are retained for no less than 12 months and are sufficiently protected from an enterprise administrator-level compromise (for example, your log files are transferred to a separate system with different system administrator credentials)
• You keep the following logs for at least 31 days:
  – Operator workstation logs
  – Firewall logs
  – Database audit logs
• You record at least the following data:
  – Command line history for privileged operating system accounts on servers
  – Messaging and communication interface application and operating system logs that include details of abnormal system behavior (for example, multiple failed log-in attempts, authentication errors, changes to user groups)
  – Firewall log files
  – Database log files
You implemented monitoring of security events in logs and monitoring of other data (for example, real-time business activities through the GUI):
• Procedures are in place to identify suspicious log-in activities into any privileged operating system or application account
• Monitoring processes are in place to review server, application and database monitoring data either daily via human reviews or via automated monitoring with alerting
• Monitoring processes are in place to review network monitoring data on a regular basis
• Unusual or suspicious activity is reported for further investigation to the appropriate security team

You created a formal backup and recovery plan for all critical business lines.

You do the following in case of cyber incidents that compromise the confidentiality, integrity or availability of SWIFT services and products:
• You notify the appropriate internal and external stakeholders
• You involve skilled security professionals to identify and resolve the incident
• You notify the SWIFT Customer Support Centre promptly after the identification of the problem
• You notify the involved parties when the incident is resolved
• You analyze post-incident problems to identify and remediate vulnerabilities
• You fully document the incident

If you share threat information for root cause analysis or other purposes:
• You first evaluate it to ensure compliance with applicable laws and regulations (for example, privacy of personal data, confidentiality of investigations)
• You protect it against the unintended sharing of sensitive data or data beyond the relevance of the incident