
IBM Financial Transaction Manager for SWIFT Services for z/OS
Version 3 Release 0

Checklist for SWIFT Customer Security Program (CSP)

IBM
This edition applies to Version 3 Release 0 of IBM® Financial Transaction Manager for SWIFT Services for z/OS (5655-FTB) and to all subsequent releases and modifications until otherwise indicated in new editions.
Reference key: 20191216-1100
© Copyright International Business Machines Corporation 2019.
US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
Checklist for SWIFT Customer Security Program (CSP)
The following table helps you to create a self-attestation status report for the SWIFT Customer Security
Program (CSP). The columns provide the following information:
No.
The control number in SWIFT's Customer Security Framework document
Topic
The topic to which the control number refers
Condition
The condition whose compliance must be ensured
Applicable?
Boxes where you can put a tick (☑) for the following cases:
• The condition is applicable to FTM SWIFT
• The condition is applicable to other product(s) you use
• The condition is not applicable
For example, if you do not use FTM SWIFT's software integrity checker (SIC) but another product or
method to ensure software integrity, tick box "Other" for the first condition in topic 6.2, Software
integrity (and ignore the subsequent conditions).
Note: The boxes are not available for the following conditions:
• Conditions that do not depend on specific products (for example, the condition regarding
interactions with systems outside the secure zone in topic 1.1, Environment protection)
• Conditions that apply to FTM SWIFT only (for example, the condition regarding usage of FTM
SWIFT's command-line interface (CLI) in topic 1.2, Operating system privileged account control)
Comment
In this column you can enter any comment, for example:
• The date on which you checked the condition and found that its compliance is ensured
• The name of the person who checked the condition
• The reason why the condition does not apply to your system (if so)
• Another solution that you implemented to ensure the condition

Table 1. Evaluation of CSP requirements

1.1 Environment protection

Condition: The following components of your FTM SWIFT system reside in secured zones:
• All FTM SWIFT instances (customized and runnable)
• The necessary middleware
• The communication interface (SAG), the FTM SWIFT SAG Add-On, and the related SWIFT components SWIFTNet Link and Hardware Security Module (HSM)
• Any applicable operator workstation dedicated to the operation or administration of the local SWIFT infrastructure
• Systems providing a remote desktop to users outside the secure zone (jump servers)
Applicable? ☐ FTM SWIFT ☐ Other ☐ Not applicable
Comment:

Condition: Your interactions with systems outside the secure zone are:
• Limited to:
  – Communication with back-office applications
  – Logging data exchanged with outbound systems
• Controlled by transport layer firewalls, optionally in combination with access control lists (ACLs)
Comment:

Condition: Your operators can access the secure zone components only as follows:
• From a dedicated operator system within the secure zone
• From a general purpose operator system via a jump server located within the secure zone
• From a general purpose operator system, if they only access the messaging interface services of FTM SWIFT (FIN, MSIF, RMA) by means of a browser-based GUI. In this case you restricted internet access by using a remote desktop access or virtual machines, or by disabling internet access at all.
Applicable? ☐ FTM SWIFT ☐ Other ☐ Not applicable
Comment:
1.2 Operating system privileged account control

Condition: You encapsulated invocation of utility programs in jobs or scripts that can be executed only within a controlled scope.
Applicable? ☐ FTM SWIFT ☐ Other ☐ Not applicable
Comment:

Condition: You use FTM SWIFT's command-line interface (CLI) only for:
• Installation tasks
• Resolution of emergency situations
• Usage in jobs or scripts that can be executed only within a controlled scope
Comment:

Condition: You have:
• Restricted the use of administrator-level operating system accounts to the maximum extent possible (unless needed to install, configure, maintain, operate and support emergency activities)
• Ensured that no other operating system accounts have access to file system resources, database resources, IBM MQ and IBM Integration Bus resources of FTM SWIFT
Applicable? ☐ FTM SWIFT ☐ Other ☐ Not applicable
Comment:

Condition: You perform regular administrative and operational tasks for FTM SWIFT only by using the Administration & Operation browser UI (including its console to issue CLI commands).
Comment:


2.1 Internal data flow security

Condition: You use only HTTPS for the browser-based GUI applications.
Reference: Securing WebSphere MQ connection to WebSphere Application Server
Applicable? ☐ FTM SWIFT ☐ Other ☐ Not applicable
Comment:

Condition: You use two-way SSL authentication for IBM MQ communications between FTM SWIFT server components, that is, you use two-way SSL authentication between:
• IBM MQ queue managers
• IBM WebSphere® Application Server and IBM MQ queue managers
• SAG (MQHA) and IBM MQ queue managers
Reference: IBM MQ Knowledge Center
Comment:

Condition: You use one-way SSL authentication for IBM MQ communications between the Sequential Data Facility and IBM MQ queue managers.
Reference: IBM MQ Knowledge Center
Applicable? ☐ Not applicable
Comment:
2.2 Security updates

Condition: You regularly ensure the following for all hardware and software inside the secure zone and on operator workstations:
• It is within the support lifecycle
• It is upgraded with mandatory software updates
• All security updates are applied immediately
Applicable? ☐ FTM SWIFT ☐ Other ☐ Not applicable
Comment:

Condition: You regularly implement the latest published security bulletins for FTM SWIFT and all its prerequisite products.
Reference: IBM Security Vulnerability Management (PSIRT)
Comment:

Condition: You established a security risk assessment process to determine the treatment of security updates and patches. You did either of the following:
• You established user-defined deployment timelines for applying patches based on criticality, system type, and required patch testing
• You use Common Vulnerability Scoring System (CVSS) Version 3 or another de facto standard as a guideline for criticality
Comment:

2.3 System hardening

Condition: You disabled all features and services that are not required for normal system operations. In particular, you did the following for all operator workstations, FTM SWIFT related applications, and the infrastructure within secure zones:
• You disallowed default passwords
• You disabled or removed unnecessary user accounts
• You disabled or restricted unnecessary services, ports, and protocols
• You removed unnecessary software
• You disabled unnecessary physical ports
• You adjusted any default configurations known to be vulnerable
• You enabled message broker administration security to limit access to the broker
Comment:


2.4A Back-office data flow security

Condition: For applications that transfer messages using SWIFTNet FIN or SWIFTNet InterAct and for applications that need to transfer files smaller than 100 MB using SWIFTNet FileAct: You configured IBM MQ with two-way SSL/TLS authentication as transport layer between back office application and MSIF.
Reference: IBM MQ Knowledge Center
Comment:

Condition: For applications that transfer files larger than 100 MB using SWIFTNet FileAct: You established a secure file transport between the back office application and MSIF supporting the SWIFT requirements (for example, by using IBM MQ Managed File Transfer (MFT) or IBM Connect:Direct).
Applicable? ☐ Not applicable
Comment:

2.5A External transmission data protection

Condition: You ensure the confidentiality of data that you extract from FTM SWIFT (for example, for off-line processing or backup purposes) and data that you transfer outside the secure zone. In particular:
• You protect files containing FIN messages that you exported from FTM SWIFT by using the Sequential Data Facility (for example, you protect them by encryption)
• You protect trace files that you transfer to IBM for analysis (for example, you protect them by encryption)
Comment:
2.6A User session confidentiality and integrity

Condition: You configured expiration of LTPA tokens for IBM WebSphere Application Server applications.
Reference: WebSphere Application Server Knowledge Center
Applicable? ☐ FTM SWIFT ☐ Other
Comment:

2.9A Transaction business controls

Condition:
• If you are using FTM SWIFT's Relationship Management Application (RMA), you configured dual authorization for relationship management administration using the following values:
  – Number of approval steps: 1 or 2
  – User restriction: notprevious or alldifferent
  To check these values for all OUs:
  1. Issue the following CLI command to the system configuration service (DNI_SYSADM) and SYSOU:
     list -ou % -ct DnfRmParameters -co DnfRmParameters -attr ApprovalSteps
  2. Check the command output and ensure that, for each OU, the value of attribute ApprovalSteps is either 1 or 2
  3. Issue the following CLI command to the system configuration service (DNI_SYSADM) and SYSOU:
     list -ou % -ct DnfRmParameters -co DnfRmParameters -attr ApprovalUserRestriction
  4. Check the command output and ensure that, for each OU, the value of attribute ApprovalUserRestriction is either notprevious or alldifferent
  Reference: Configuring the approval process for the RMA
• Otherwise, you implemented the 4-eyes principle for the Relationship Management Application that you use
Applicable? ☐ FTM SWIFT ☐ Other ☐ Not applicable
Comment:

Condition: You established additional controls based on your needs (for example, restricted operator sign-on hours by using an adequately configured identity provider component).
Applicable? ☐ FTM SWIFT ☐ Other ☐ Not applicable
Comment:


2.10A Application hardening

Condition: You secured the application serving environment of your IBM WebSphere Application Server.
Reference: Securing applications and their environment
Comment:

3.1 Physical security

Condition: Removable equipment:
• Your sensitive removable equipment (for example, PIN Entry Device (PED), PED keys, USB Tokens) is supervised or securely stored when not in use
• Your sensitive removable equipment required for normal continuous operations (for example, hot swappable disks, HSM devices) is hosted in a data center or, at a minimum, in a locked room
• Your back-up media (for example, tapes) is physically secured
Workplace environment:
• Your operator workstations are located in a secured workplace environment where access is controlled and granted only to employees and other authorized workers and visitors
• Your printers used for SWIFT transactions are located in a secured workplace environment, and their access is restricted
• USB and other external access points on operator PCs are disabled to the maximum extent possible, while still supporting operations
Comment:

Condition: You established a security policy to support expected use cases for remote workers (for example, teleworkers or "on call" duties) where you considered the following items when establishing this policy:
• Physical security of the expected teleworking environment
• Rules for personal equipment used for SWIFT business purposes (for example, personal workstations cannot be used to access the SWIFT infrastructure; however, personal mobile devices can be used as a second authentication factor)
• Security during use in public environments
Applicable? ☐ Not applicable
Comment:
4.1 Password policy

Condition: Your password policy defines at least the following criteria:
• Password expiration
• Password length, composition, complexity, and other restrictions
• Password reuse
• Lockout after failed authentication attempts, and remedy
• Passwords for secure zone systems are only stored within the secure zone
• The password requirements are modified as necessary for specific use cases:
  – In combination with a second factor (for example, one-time password)
  – Authentication target (for example, operating system, application, mobile device, token)
  – Type of account (general operator, privileged operator, application-to-application account or local authentication keys)
Applicable? ☐ Other
Comment:

Condition: Your password policy is enforced by technical means (where possible).
Comment:

Condition: Your password policy is reviewed at least annually.
Comment:

4.2 Multi-factor authentication

Condition: You implemented multi-factor authentication for all sensitive components of the SWIFT infrastructure like operator workstations, jump servers and web based user interfaces of FTM SWIFT systems.
References:
• Multi-factor authentication
• Adapt FTM SWIFT MER for usage with a reverse proxy
Comment:


5.1 Logical access control

Condition: You defined your user accounts according to need-to-know access principles, that is:
• Only operators (users and administrators) who have a continuing requirement to access the secure zone are allowed to have accounts within the secure zone
• Privileges are only assigned to an operator with a validated need-to-know, and access to other system functions is disabled
Applicable? ☐ FTM SWIFT ☐ Other
Comment:

Condition: You defined your user accounts according to least privilege principles, that is:
• User and administrator privileges are controlled in a way that allows all privileges to be tailored to individual needs
• Accounts are granted only the privileges that are necessary, and additional privileges are only granted on a temporary basis
Applicable? ☐ FTM SWIFT ☐ Other
Comment:

Condition: You review your user accounts at least annually, and you adjust them as required.
Applicable? ☐ FTM SWIFT ☐ Other
Comment:

Condition: You revoke privileges promptly when an employee changes roles or leaves the organization.
Applicable? ☐ FTM SWIFT ☐ Other
Comment:

Condition: You documented an emergency procedure to access privileged accounts when authorized persons are unavailable due to unexpected circumstances, and, in such a case, you proceed as follows:
• Operational use of the emergency procedure is logged
• The access of an emergency account is controlled
• The usage of the account is logged
• The password is changed immediately after the emergency incident
Applicable? ☐ FTM SWIFT ☐ Other
Comment:

Condition: You defined your user accounts according to segregation of duties principles, that is:
• You enabled dual authorization for the system configuration service. To check this:
  1. Issue the following CLI command to the system configuration service (DNI_SYSADM) and SYSOU:
     list -ou SYSOU -ct DniSysAdm -co DniSysAdm
  2. Check the command output and ensure that the value of attribute DniFlagDoubleAuthCfg is Yes
  Reference: Setting dual authorization for the system configuration service
• You enabled dual authorization for the security administration service. To check this for all OUs (including SYSOU and DNFSYSOU):
  1. Issue the following CLI command to the system configuration service (DNI_SYSADM) and SYSOU:
     list -ou % -ct DniSecAdm -co DniSecAdm
  2. Check the command output and ensure that, for each OU, the value of attribute DniFlagDoubleAuthSecAdm is Yes
  Reference: Setting dual authorization for the security administration service
• Sensitive duties are separated. That is, some roles cannot be represented by the same individual, for example:
  – Application administrator and security officer
  – Network administrator and operating system administrator
  – Database administrator (who creates tables and procedures) and data user (who selects, inserts, updates or deletes data)
  – IBM Integration Bus administrator and broker started task
• The user ID under which the broker runs is a technical user ID only; it is not allowed to use interactive sessions or Web Applications
Applicable? ☐ FTM SWIFT ☐ Other
Comment:
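As an added example (not part of the IBM document), the following Python helper automates the CLI checks in topics 2.9A and 5.1 above: it parses captured output of the `list` commands and flags any OU whose ApprovalSteps, ApprovalUserRestriction, DniFlagDoubleAuthCfg or DniFlagDoubleAuthSecAdm value is outside what the checklist requires, which is what a self-attestation report has to show. The "OU=<name>" block layout of the captured output, the OU names and the sample captures are constructed for this example and are not the real CLI output format, so the two regular expressions must be adapted to what the CLI actually prints.

```python
import re
from typing import Dict, List, Optional

Objects = Dict[str, Dict[str, str]]  # {OU: {attribute: value}}

# Permitted values as stated in the checklist (topics 2.9A and 5.1).
ALLOWED_APPROVAL_STEPS = {"1", "2"}
ALLOWED_USER_RESTRICTION = {"notprevious", "alldifferent"}

# Assumed capture layout (constructed, not the real CLI output format):
# an "OU=<name>" line followed by indented "<attribute>=<value>" lines.
_OU_LINE = re.compile(r"^OU=(\S+)\s*$")
_ATTR_LINE = re.compile(r"^\s+(\w+)=(\S+)\s*$")


def parse_list_output(text: str) -> Objects:
    """Turn captured `list` output into {OU: {attribute: value}}."""
    objects: Objects = {}
    current: Optional[Dict[str, str]] = None
    for line in text.splitlines():
        if m := _OU_LINE.match(line):
            current = objects.setdefault(m.group(1), {})
        elif (m := _ATTR_LINE.match(line)) and current is not None:
            current[m.group(1)] = m.group(2)
    return objects


def check_rma_dual_authorization(objects: Objects) -> List[str]:
    """Topic 2.9A: each OU needs ApprovalSteps 1|2 and a valid user restriction."""
    findings = []
    for ou, attrs in sorted(objects.items()):
        steps = attrs.get("ApprovalSteps")
        if steps not in ALLOWED_APPROVAL_STEPS:
            findings.append(f"{ou}: ApprovalSteps={steps!r} (expected 1 or 2)")
        restriction = attrs.get("ApprovalUserRestriction")
        if restriction not in ALLOWED_USER_RESTRICTION:
            findings.append(f"{ou}: ApprovalUserRestriction={restriction!r} "
                            "(expected notprevious or alldifferent)")
    return findings


def check_flag_yes(objects: Objects, attribute: str,
                   required_ous: Optional[List[str]] = None) -> List[str]:
    """Topic 5.1: flag must be Yes for every required OU (default: all OUs seen)."""
    ous = required_ous if required_ous is not None else sorted(objects)
    return [f"{ou}: {attribute}={objects.get(ou, {}).get(attribute)!r} (expected Yes)"
            for ou in ous if objects.get(ou, {}).get(attribute) != "Yes"]


# Constructed sample captures (the two 2.9A list commands merged per OU):
# BANKOU2 violates both RMA settings, DNFSYSOU lacks SecAdm dual authorization.
RMA_CAPTURE = """\
OU=SYSOU
  ApprovalSteps=1
  ApprovalUserRestriction=alldifferent
OU=BANKOU1
  ApprovalSteps=2
  ApprovalUserRestriction=notprevious
OU=BANKOU2
  ApprovalSteps=3
  ApprovalUserRestriction=none
"""
SYSADM_CAPTURE = "OU=SYSOU\n  DniFlagDoubleAuthCfg=Yes\n"
SECADM_CAPTURE = ("OU=SYSOU\n  DniFlagDoubleAuthSecAdm=Yes\n"
                  "OU=DNFSYSOU\n  DniFlagDoubleAuthSecAdm=No\n")


def attestation_findings() -> List[str]:
    """Run all three checks over the sample captures; [] means compliant."""
    findings = check_rma_dual_authorization(parse_list_output(RMA_CAPTURE))
    findings += check_flag_yes(parse_list_output(SYSADM_CAPTURE),
                               "DniFlagDoubleAuthCfg", ["SYSOU"])
    findings += check_flag_yes(parse_list_output(SECADM_CAPTURE),
                               "DniFlagDoubleAuthSecAdm")
    return findings
```

An OU that is missing from a capture is reported as a finding rather than silently skipped, so an incomplete capture cannot pass the check.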
6.1 Malware protection

Condition: You installed and you keep up-to-date anti-malware software on the following systems:
• Operator PCs where applicable (at least operator PCs with a Microsoft Windows operating system)
• Jump servers where applicable (at least jump servers with a Microsoft Windows operating system)
• SWIFT-related servers in secure zones where applicable (at least SWIFT-related servers with a Microsoft Windows operating system in secure zones)
Applicable? ☐ FTM SWIFT ☐ Other
Comment:

6.2 Software integrity

Condition: You ensure software integrity of FTM SWIFT by either of the following:
• Using FTM SWIFT's software integrity checker (SIC)
  In this case, continue with the subsequent conditions in 6.2, Software integrity.
• Using another product or method
  In this case, ignore the subsequent conditions in 6.2, Software integrity.
Applicable? ☐ FTM SWIFT ☐ Other
Comment:

Condition: You execute the software integrity checker (SIC) during startup of FTM SWIFT automatically.
Reference: Software Integrity Checker
Applicable? ☐ Not applicable
Comment:

Condition: You monitor syslog messages and FTM SWIFT events written by the SIC.
Reference: Monitoring software integrity
Applicable? ☐ Not applicable
Comment:

Condition: You verify the signature of the SIC JAR file regularly.
Reference: Monitoring software integrity
Applicable? ☐ Not applicable
Comment:
6.3 Database integrity

Condition: Your database audit facility is enabled to monitor system administration actions and to perform audits on a regular basis.
Comment:

Condition: Your database administrators have no access to data in FTM SWIFT database tables, and the INSERT, UPDATE, DELETE and SELECT privileges are revoked for those users.
Comment:

Condition: You ensure data integrity of FTM SWIFT by either of the following:
• Using FTM SWIFT's data integrity framework
  In this case, continue with the subsequent conditions in 6.3, Data integrity.
• Using another product or method
  In this case, ignore the subsequent conditions in 6.3, Data integrity.
Applicable? ☐ FTM SWIFT ☐ Other
Comment:

Condition: You enabled the FTM SWIFT data integrity framework.
Reference: Activating the data integrity framework
Applicable? ☐ Not applicable
Comment:

Condition: You run the data integrity checker (DIC) command check periodically (for example, by a cron job), and you check its return code after termination.
Reference: DIC command check
Applicable? ☐ Not applicable
Comment:

Condition: You change the password used by the data integrity framework according to your policies by issuing the DIC command changepw.
Reference: DIC command changepw
Applicable? ☐ Not applicable
Comment:

Condition: You monitor the system log for the following:
• Messages DNPD1310, DNPD1311, DNPD1312, DNPD1313, and DNPD1314 from the FTM SWIFT data integrity framework
• Any SQLSTATE dealing with the FTM SWIFT data integrity framework
Reference: Monitoring data integrity
Applicable? ☐ Not applicable
Comment:

Condition: You monitor FTM SWIFT events written by the DIC.
Reference: Monitoring data integrity
Applicable? ☐ Not applicable
Comment:

Condition: You verify the signature of the DIC JAR file regularly.
Reference: Monitoring data integrity
Applicable? ☐ Not applicable
Comment:
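As an added example (not part of the IBM document), the following Python detector implements the system log monitoring condition in topic 6.3: it scans syslog lines for the five data integrity framework messages DNPD1310 to DNPD1314 named in the checklist and for SQLSTATE codes reported in other DNPD messages, and returns one alert per matching line for the alarm handling that topic 6.4 asks for. The line layout, the sample lines and every message ID other than those five are constructed, and the assumption that a DNPD-prefixed message carrying an SQLSTATE concerns the data integrity framework is this example's, not the product documentation's.

```python
import re
from typing import List, NamedTuple

# Message IDs named in the checklist for the data integrity framework (DIF).
DIF_MESSAGE_IDS = {"DNPD1310", "DNPD1311", "DNPD1312", "DNPD1313", "DNPD1314"}

# Assumptions (constructed): a message ID looks like DNPDnnnn followed by an
# optional z/OS-style severity letter, and an SQLSTATE is reported as
# "SQLSTATE=nnnnn" or "SQLSTATE nnnnn" somewhere in the message text.
_MSG_ID = re.compile(r"\b(DNPD\d{4})[A-Z]?\b")
_SQLSTATE = re.compile(r"\bSQLSTATE[=: ]\s*([0-9A-Z]{5})\b")


class Alert(NamedTuple):
    line_no: int
    msg_id: str
    reason: str
    text: str


def scan_syslog(lines: List[str]) -> List[Alert]:
    """Return one Alert per line that the 6.3 monitoring condition covers."""
    alerts: List[Alert] = []
    for line_no, line in enumerate(lines, start=1):
        m = _MSG_ID.search(line)
        if not m:
            continue  # not a DNPD message at all, nothing to report
        msg_id = m.group(1)
        if msg_id in DIF_MESSAGE_IDS:
            alerts.append(Alert(line_no, msg_id, "data integrity framework message", line))
            continue
        s = _SQLSTATE.search(line)
        if s:  # assumed: an SQLSTATE in a DNPD message concerns the DIF
            alerts.append(Alert(line_no, msg_id, f"SQLSTATE {s.group(1)}", line))
    return alerts


# Constructed sample syslog lines. DNPD9999 stands for any other DNPD message
# and OTHR0001 for a non-DNPD message; neither is a real message ID.
SAMPLE_SYSLOG = [
    "10:00:01 DNPD1310I Data integrity check started",
    "10:00:02 OTHR0001I Unrelated message from another component",
    "10:00:05 DNPD1312E Data integrity violation detected",
    "10:00:06 DNPD9999E Database request failed, SQLSTATE=42501",
    "10:00:07 DNPD9999I Routine message without an SQL error",
    "10:00:09 DNPD1314W Data integrity check ended with warnings",
]


def sample_alerts() -> List[Alert]:
    """Alerts raised for SAMPLE_SYSLOG: lines 1, 3, 4 and 6."""
    return scan_syslog(SAMPLE_SYSLOG)
```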

6.4 Logging and monitoring

Condition: You implemented logging of security-relevant activities, and you configured alarms for suspicious security events. For example:
• You implemented logging capabilities to detect abnormal usage within the secure zone as well as any attempt to undermine the effectiveness of controls within the secure zone
• Your FTM SWIFT messaging interface audit logs are retained for no less than 12 months and are sufficiently protected from an enterprise administrator-level compromise (for example, your log files are transferred to a separate system with different system administrator credentials)
• You keep the following logs for at least 31 days:
  – Operator workstation logs
  – Firewall logs
  – Database audit logs
• You record at least the following data:
  – Command line history for privileged operating system accounts on servers
  – Messaging and communication interface application and operating system logs that include details of abnormal system behavior (for example, multiple failed log-in attempts, authentication errors, changes to user groups)
  – Firewall log files
  – Database log files
Comment:

Condition: You implemented monitoring of security events in logs and of other data (for example, real-time business activities through the GUI):
• Procedures are in place to identify suspicious log-in activities into any privileged operating system or application account
• Monitoring processes are in place to review server, application and database monitoring data either daily via human reviews or via automated monitoring with alerting
• Monitoring processes are in place to review network monitoring data on a regular basis
• Unusual or suspicious activity is reported for further investigation to the appropriate security team
Comment:

Condition: You established a plan to treat reported alarms.
Comment:


7.1 Cyber incident response planning

Condition: You created a cyber incident response plan that fulfills the following conditions:
• It includes up-to-date contact details (internal and external) and escalation timers
• It is reviewed annually
• It is tested at least every two years ensuring safe recovery of critical business operations
Comment:

Condition: You created a formal backup and recovery plan for all critical business lines.
Comment:

Condition: You do the following in case of cyber incidents that compromise the confidentiality, integrity or availability of SWIFT services and products:
• You notify the appropriate internal and external stakeholders
• You involve skilled security professionals to identify and resolve the incident
• You notify the SWIFT Customer Support Centre promptly after the identification of the problem
• You notify the involved parties when the incident is resolved
• You analyze post-incident problems to identify and remediate vulnerabilities
• You fully document the incident
Comment:

Condition: If you share threat information for root cause analysis or other purposes:
• You first evaluate it to ensure compliance with applicable laws and regulations (for example, privacy of personal data, confidentiality of investigations)
• You protect it against the unintended sharing of sensitive data or data beyond the relevance of the incident
Comment:

Condition: You report any identified incident of FTM SWIFT immediately to the IBM Product Security Incident Response Team (PSIRT) for further analysis.
Comment:
IBM®

Product Number: 5655-FTB
