This is an approximate translation. Document will be reworked later
Announcement from Bank of Thailand SRK. 3/2552
Subject: Policy and Measurement control on Security Information for E-Commerce payment
4.1 Policy of Security Technologies System
(1) Service provider must provides
• Provide policy and security technologies in written and be approved by management team or company board.
•Service provider is obligated to provide training related to the policy and security technologies regularly to employee team
•Policy need to be updated regularly to suitable with current situation
(2) Scope of policy and security technologies
•Control Access and able to identify user identity
•Able to secure the confidential data and Security technologies
System must reliable
•Maintenance Security technologies System for ready to use.
•Inspection Security of the system
4.2 Measurement of Security technologies system
•Service provider must have measurement of security technologies system to
conform with E-payment Security Technologies system Policy.
•The measurement must be matched with the type of business and cover
– user access identity
– Able to secure the confidential data
– Reliable Security technologies System
– Maintenance Security technologies System for ready to use.
•It is the obligation to have security technologies audit once a year
1. Control Access and able to prove user identity
1.1 Assign job to the right person
•Assign roles and responsibilities by balancing the power of employees to avoid risk that may occur.
•To training regularly to current and new employees
• Setting penalty policy to employee who against the policy
1.2 System access control
1. Preparing list of company assets and IT system equipment correctly. This is
also including person who has to responsible and take care the asset.
2. Setting rules and regulation how to use Security technologies System
3. Access to security technologies system need to be controlled and protected.
This need to cover to :
(1) Setting the equipment in the proper areas to protect from people who may access from internal and external organization.
ex. Setting in the restriction area, Control accessible to the equipment area,
(2) Setting policy and right to access the IT system that is related to service by duty power of the employee. Recheck the right to access the IT system both users and employees. Review and adjust the access right regularly
(3) Record the IT system access of the customer and employees. This will help to follow up abnormal activity
1.3 Monitor user identity and protect people who may refuse responsibility (repudiation)
User must able recheck the prove of identity and right the access right thru – Password
– Personal Identification
– Token or Smart Card
– Public Key infrastructure
(1) Setting instruction how to control and how to identify the access identity before login to system both customer and employee
(2) Record users who has access to system. This will be used as the key evidence to avoid protect people who may refuse
2. Confidentiality and reliability of the IT system
2.1 Confidentiality data
(1) Setting confidential access level according to how important of data. This
is including setting the right to only specific users.
(2) Manage of sending/ receiving, data report. The confidential data must be kept according to the important level. (Protect someone to access to adjust and without permission)
(3) Set the instruction how to keep, use and how to destroy the confidential data
2.2 Changing, update or improve system or equipment control
It is an obligation to set up the working step to control the adjustment and IT system. This will help to reduce the risk to damage system or improper working.
(1) Set a system to control on changing data , send/receive data, data storage location, improve equipment and IT system development
For example, set a evaluation step on the effect of authorization power,
Step of development or adjustment , trial process and including update recorded data. As, A letter should be written to inform people who be affected by the result of these changes.
(2) Trial and real version, they need to be separated completely
Example, need to separate version by difference machine running or use difference controller
(3) In case company is using external service provider (Subcontract)
3.1 The contract must be in written. The scope of service, duty and responsibility of the provider and users clearly must be written.
3.2 Prepare Risk Assessment and Management of the other alternative service providers. This is including selection, follow up and evaluate service regularly
3.3 Data must be secured. This includes keeping confidentiality and private data of the users
3.4 Responsible toward users, stable, security and reliability and service continuality must have similar company policy.
3.5 Contingency plan of IT system running must be conformed to the company
(4) Manual or handbooks related to IT system service that company is using. The sub contractor must be provided and give to employee for reference.
2.3 Service Network Management (protect to access to the system)
- Network Management to avoid external access to the system
1.1 Setting policy for Network Control Access from external
1.2 Identify the access identity in the system
1.3 Separate the Networking service according to the IT service
1.4 Setting the protection system from the external access
2. Policy to control virus and update
3. Maintenance service ( Make sure that business is ready to use)
Service Provider must provide maintenance service to be ready to use.
There must be enough access for customers all the time and able to correspondence with proper speed during working hour and peak time.
This includes a data backup system that can recover the system in case the service crash down.
3.1 Evaluation Process and Risk Assessment of Service System
Service provider must have appropriate risk assessment system to match with their services.
• They must have IT risk tolerance
• Define IT risk scope
• Identify how to handle risk
Service provider must regularly review the risk assessment system to correlated to IT development and current situation
1. Set up the risk assessment evaluation process manual ( make it realistic)
2. Analyze and define IT risk that happen directly to the failure of service provider’s Security Technologies System
3. Set up a IT risk tolerance and acceptance level
4. Specific and evaluate how to handling risk with alternative options
3.2 Follow up and check the improper running in IT system.
Service provider must schedule to follow up and check improper running in IT system. This is including follow up news related to bug or weakness (Vulnerability Assessment) of service system for the risk assessment and set up policy to avoid the risks.
1. Follow irregular transaction which may cause the damage or hidden access to IT system
2. Vulnerability Assessment to prepare the corrective or eliminating the chance to external access to the system especially on the service network with no right. This is including system working program and data base.
3. In case, the risk assessment is high. Service provider must have penetration test to check the IT security system efficient
3.3 In case of incident occurred, the problem solving & record and report need to be prepared.
Service provider must have the policy to follow up, record and report the incident of Security Technologies System thru the policy step. This process need to be urgent as soon as possible and prevention method must be provided to be used for the same incident in the future.
(1) Setting the step how to fix the problem, assign the team and responsible. This included producing report of incident and submits to management team and informs related people
(2) Collecting useful data & evident
(3) Record incident or Arrange the written report as the guideline how to solve the problem
Service provider must to arrange for back up and regular test backup data regularly. This is to ensure that the completeness of data and make sure that service is ready to use
(1) Back up important data and other information that related to work, Back up must be ready to use.
(2) Set the process or step to backup the data example,
– What type of data must be back up ,
– backup frequency per month , per week, per day,
– Media to keep ( server, hard disk .. etc.)
– Location, how to keep, how to bring back to use
(3) Test to running backup to data regularly, make sure that it follows the instruction backup of service provider
3.5 Contingency or Emergency Plan to keep business run continuously
Service provider must have a plan or alternative service to keep e-payment run continuously.
1 Analyze and make a possible list
– Key points on e-payment service
2. Set a recovery time objective (how long can we accept the period of incident to be recovery)
3 Set a written plan, Instruction how to do when the system stop in order to recovery the system. The plan must be compounded with
A. Plan name
B. Objective and Scope
C. Details of IT Security System and Asset to be used if the 1st operation is crashed down
D. Responsible person and decision maker, way to communication with internal and external related worker
E. How to work if there is the problem and where is the second working location ( example flooding)
4. Training for the employees and related worker on the contingency plan
5. Test and review the plan at least once a year or adjust according to the risk factors
3.6 Equipment must be regularly maintenance
Action: Schedule the equipment maintenance regularly
Equipment must be ready to use
4. Check IT Security
Service provider must have an annual check at least once a year to secure the policy and measurement of the IT security and able to provide business running continuously.
1. Auditor must check IT security of service provider on risk assessment or things that related to service once a year. There must be report to submit to manage to consider the level of risk and set and path way to improve the system as well as inform to internal department for an action
2. Follow up the payment electronic according to rule and regulation. Avoiding the illegal , follow up the contract and instruction on the security process.