SaFi Bank Space : WIP: Regulatory Requirements and Risk Management

IT RMS Policy

  1. Build the IT Steering Committee - refer to IT RMS.a.1

  2. Document IT policies, procedures, and standards - refer to IT RMS.a.2

    1. IT Governance / Management

      1. IT Audit, see #3

      2. IT Risk, see #5

      3. IT KPIs and Metrics, see #4

    2. Development and Acquisition

      1. Align with detailed guidelines/standards on Project Management/Development and Acquisition and Change Management - Appendix 76 of BSP MORB

    3. IT Operations

      1. Align with detailed guidelines/standards on IT Operations - Appendix 77 of BSP MORB

    4. Communication networks

      1. Establish a process for reporting and advisories, see #7, in collaboration with the SaFi Compliance team

    5. Information Security

      1. Align with detailed guidelines/standards on information security - Appendix 75 of BSP MORB

    6. Electronic Banking / Electronic Products and Services (need help from VL to implement)

      1. Implement minimum controls described in Appendix 79 of BSP MORB

        • Implement Account Origination and Customer Verification (handled already by Onboarding and eKYC)

        • Implement Authentication (handled already by Okta and Vida)

        • Implement MFA for transactions (need to define transaction metrics for each additional authentication like biometrics, PIN, Passcode, etc.)

        • Implement PKI-assisted authentication and verification to uniquely identify the user (handled already using the WebAuthn protocol)

        • Implement Authorization controls and Access privileges in Back Office (handled already using Okta, but requires implementation on specific user role matrix)

        • Implement Attribute based access control on top of Role Based Access Control to Back Office features (Fine-grained user access rights appropriate to role matrix and implement in Okta)

        • Bake Application Security processes into the development of products and services

          • Implement input validation techniques to user inputs (both mobile and back office)

          • Implement high-level or generic error messaging, so that no stack trace or internal detail is visible from the user's perspective.

          • Implement secure session management during user activities

          • Implement Vulnerability management

          • Implement Hardening practices

        • Establish SIEM

          • Creation of use cases in Grafana for security alerts and fraud detection

        • Implement Audit trails to all components of SaFi applications

          • Audit trails for user activities in mobile app (login, transactions, etc.)

          • Audit trails for back office user activities in Back office app (login, access to user details, performed activities)

        • Implement RBAC to Back Office based on user Role matrix

        • Implement customer awareness program

        • Implement Service Availability and Business Continuity (Disaster Recovery, Fail over mechanisms)

        • Establish incident response and management procedures

        • Implement customer privacy and confidentiality controls

          • Customer data masking in SIEM

          • Encryption of customer data during exports from our databases, bank statements, ledgers, journals etc.

          • Customer privacy awareness

          • Mechanism to authenticate the official website, to protect customers from spoofed or faked websites.

        • Implement data protection mechanism during data transmission in m-banking

        • Adopt a dual authentication process for transactions, with the strength of authentication matched to the level of risk

        • Require customers to download the bank's mobile online services and payment applications directly from third-party repositories (e.g., Apple App Store, Google Play and Windows Marketplace)

        • Implement encryption of Sensitive data in storage, transmission and during processing

    7. IT Outsourcing / Vendor Management

      1. Align with detailed guidelines/standards on IT Outsourcing/ Vendor Management and on the adoption of outsourced cloud computing model - Appendix 78 (collaboration with Legal on outsourcing)

  3. Establish IT Audit - refer to IT RMS.a.3

    1. Build IT Audit Guild to support SaFi internal auditors from Audit tribe determined by SaFi senior management

    2. IT Audit Guild establishes a process aligned with BSP MORB Appendix 74

  4. Establish Management Information System (MIS) or IT Metrics or KPIs for management decision making - refer to IT RMS.a.5 and related to 6.f.i.

  5. Establish an IT Risk process and determine the following risks for IT processes - refer to IT RMS.a.6

    1. Build IT Risk Guild to support SaFi Risk Team for IT related risks

    2. Identify the following risks related to IT

      1. Operational risks

      2. Strategic risks

      3. Reputational risks

      4. Compliance risks

  6. Implement satisfactory control practices to mitigate risks - refer to IT RMS.c

    1. Establish Information Security Risk Management framework - refer to IT RMS.c.1

      1. Establish Info Sec process in AppSec team

      2. Implement #2.e

    2. Establish a framework for management of IT-related projects - refer to IT RMS.c.2

      1. Build IT Project Guild to handle

        1. Project Management

        2. Development and Acquisition

        3. Change Management

      2. Implement #2.b

    3. Establish IT Operations process - refer to IT RMS.c.3

      1. Build IT Operations Guild

      2. Implement #2.c

    4. Establish IT Outsourcing / Vendor Management Program - refer to IT RMS.c.4

      1. Build IT Outsourcing and Vendor Management Guild

      2. Implement #2.g in collaboration with the SaFi finance team.

    5. Risk Assess electronic products and services - refer to IT RMS.c.5

      1. IT Risk Guild assesses SaFi Bank products and services in line with #2.f

    6. Measure the risks from Risk Assessment - refer to IT RMS.d

      1. IT Risk Guild determines and manages performance metrics based on strategic plans

      2. IT Risk Guild identifies benchmarks for the performance metrics

      3. Establish QA and QC processes

      4. IT Audit determines compliance with the defined performance metrics

      5. IT Audit Guild engages external 3rd-party auditors for IT processes as the external audit

  7. IT Audit and Risk Guilds establish the IT Reporting and Notification process and standards - refer to IT RMS

Todo list, sorted by priority

  1. MFA for transactions

    1. Define criteria and controls for step-up transactions - Fraud, c/o James coordinating it

    2. Implement the business logic in the code - Vacuum labs, c/o <need to define>

  2. ABAC and RBAC in Back Office

    1. Define user role and access matrix - Business

    2. Translation into technical requirements for Okta implementation, c/o James

    3. Implementation of the matrix in Okta - Vacuum labs, c/o <need to define>

  3. Data validation techniques to user inputs

    1. All user input in Back Office and Mobile App needs to be validated - Vacuum labs to design and implement, c/o <need to define>

    2. Malicious inputs such as injections, scripting, forgeries and MiTM must be rejected with a generic 404 error, with no error message that refers to the input (do not entertain it) - Vacuum labs to design and implement, c/o <need to define>

    3. Log the events and create alerts in SIEM - Vacuum labs to design and implement, c/o <need to define>

  4. Generic error messages like

    1. 3xx and 4xx - “it's missing”

    2. 5xx - “something went wrong”

    3. Log the errors as events and create alerts in SIEM
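As an added illustration of todo items 3 and 4 (and of the input-validation and generic-error bullets under Electronic Banking), not code from SaFi Bank or Vacuum labs: a framework-agnostic handler that answers suspicious input with a bare 404 and internal failures with a generic 5xx, while the full detail goes only to a SIEM event sink. The account-id format, the endpoint and the ledger lookup stub are assumptions.

```python
import time
import uuid

# Client-facing text from the todo list: 3xx/4xx -> "it's missing", 5xx -> "something went wrong".
GENERIC_MESSAGES = {3: "it's missing", 4: "it's missing", 5: "something went wrong"}


class SuspiciousInput(ValueError):
    """Input failed allow-list validation (possible injection, scripting or forgery)."""


def validate_account_id(value):
    # Allow-list rule is an assumption for this example: 10 to 16 ASCII digits, nothing else.
    if not (value.isascii() and value.isdigit() and 10 <= len(value) <= 16):
        raise SuspiciousInput("account_id failed allow-list")
    return value


def respond(status, detail, request_id, siem_events, kind="app_error"):
    """Return (status, client body) and push the full detail to the SIEM event sink.

    The client sees only the status-class message and a request id it can quote to
    support; the exception text and the offending input never leave the server.
    """
    siem_events.append({"ts": time.time(), "event": kind, "status": status,
                        "request_id": request_id, "detail": detail})
    return status, {"message": GENERIC_MESSAGES[status // 100], "request_id": request_id}


def handle_balance_request(raw_account_id, siem_events, lookup):
    """Simulated endpoint: validate the input, then call a lookup that may itself fail."""
    request_id = str(uuid.uuid4())
    try:
        account_id = validate_account_id(raw_account_id)
    except SuspiciousInput as exc:
        # Page's rule: suspicious input gets a bare 404 and is never echoed back.
        return respond(404, f"{exc}: {raw_account_id!r}", request_id, siem_events,
                       kind="suspicious_input")
    try:
        return 200, {"balance": lookup(account_id), "request_id": request_id}
    except Exception as exc:  # internal failure: generic 5xx, real cause stays server-side
        return respond(500, f"{type(exc).__name__}: {exc}", request_id, siem_events)


def demo_lookup(account_id):
    """Stand-in for the ledger call; raises for any id other than the one sample account."""
    if account_id == "1234567890":
        return 150.25
    raise RuntimeError("ledger service unavailable")
```

The `request_id` in the client body is what support staff use to find the matching SIEM event, so the generic message costs nothing in traceability on the bank's side.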

  5. Audit logging for all SaFi components

    1. Client activities including their transactions in Mobile App

    2. Back Office user activities, including which client they accessed and what actions they performed on client data.

    3. Meiro user activities, same requirement as Back Office

    4. Thought Machine user activities, same requirement as Back Office

    5. Genesys user activities, same requirement as Back Office

  6. Cloudflare Hardening

    1. Block IP ranges from North Korea (AML issue)

    2. Block IP ranges from Iran (AML issue)

    3. Harden rulesets

    4. Fine-tune configuration

  7. Perform VAPT

    1. External - Mantua

    2. Internal - AppSec team c/o James

  8. Develop Security Awareness Program

  9. Create alerts for security use cases in SIEM

    1. Create alerts in SIEM for traffic from blocked IPs

    2. Create alerts in SIEM for traffic from the AML grey-list countries below:

      • Albania

      • Barbados

      • Burkina Faso

      • Cambodia

      • Cayman Islands

      • Gibraltar

      • Haiti

      • Jamaica

      • Jordan

      • Mali

      • Morocco

      • Myanmar

      • Nicaragua

      • Pakistan

      • Panama

      • Philippines

      • Senegal

      • South Sudan

      • Syria

      • Turkiye

      • Uganda

      • United Arab Emirates

      • Yemen

    3. Create alerts for use cases listed in OWASP Attacks

    4. Create alerts for use cases listed in MITRE

    5. Create procedures for handling those alerts
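As an added illustration of the alerts in items 9.1 and 9.2, not SaFi's SIEM configuration (the page does not show the Grafana use cases): a small detector over constructed JSON access-log lines that raises a high-severity alert when traffic from a country Cloudflare is meant to block still reaches the origin, and a medium-severity alert for the grey-list countries. The log layout, field names and severity labels are assumptions.

```python
import json
from collections import Counter

# ISO 3166-1 alpha-2 codes for the countries the todo list names.
BLOCKED = {"KP", "IR"}  # expected to be dropped at the Cloudflare edge (item 6)
GREY_LIST = {"AL", "BB", "BF", "KH", "KY", "GI", "HT", "JM", "JO", "ML", "MA", "MM",
             "NI", "PK", "PA", "PH", "SN", "SS", "SY", "TR", "UG", "AE", "YE"}


def classify(record):
    """Map one parsed access-log record to an alert dict, or None if no rule matches.

    Assumed record fields: src_ip, country (alpha-2), path, status.
    Severity labels are this example's choice, not values from the page.
    """
    cc = str(record.get("country", "")).upper()
    base = {"src_ip": record.get("src_ip"), "country": cc, "path": record.get("path")}
    if cc in BLOCKED:
        # The edge should never have forwarded this: treat it as a bypass or
        # misconfiguration of the Cloudflare rule, not only as an AML signal.
        return {"rule": "blocked_country_reached_origin", "severity": "high", **base}
    if cc in GREY_LIST:
        return {"rule": "aml_grey_list_traffic", "severity": "medium", **base}
    return None


def scan(lines):
    """Run classify() over raw JSON log lines; unparseable lines raise their own alert."""
    alerts = []
    for lineno, line in enumerate(lines, start=1):
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            alerts.append({"rule": "unparseable_log_line", "severity": "low", "line": lineno})
            continue
        alert = classify(record)
        if alert:
            alerts.append(alert)
    return alerts


def per_source_counts(alerts):
    """Collapse per-request alerts into (rule, src_ip) counts, the shape a dashboard panel wants."""
    return Counter((a["rule"], a.get("src_ip")) for a in alerts)


# Constructed sample lines in an assumed JSON-per-line layout; not real traffic.
SAMPLE_LOG = [
    '{"src_ip": "203.0.113.10", "country": "US", "path": "/login", "status": 200}',
    '{"src_ip": "198.51.100.7", "country": "kp", "path": "/api/transfer", "status": 403}',
    '{"src_ip": "198.51.100.7", "country": "KP", "path": "/api/transfer", "status": 403}',
    '{"src_ip": "192.0.2.55", "country": "PK", "path": "/login", "status": 200}',
    'not json at all',
]
```

Feeding `per_source_counts(scan(SAMPLE_LOG))` to a panel gives one row per rule and source rather than one alert per request, which keeps the procedures of item 9.5 workable during a burst.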

  10. Build IT Steering Committee

  11. Build the IT Guilds / sub-committees

    1. IT Operations

    2. IT Audit

    3. IT Risks

    4. IT Project

    5. InfoSec

    6. IT Outsourcing / Vendor Management

  12. Perform risk assessment

  13. Define risk metrics, benchmarks, performance KPIs

  14. Perform audit reviews

  15. Document everything aligned with BSP Standards and Guidelines:

    1. Policy

    2. Guidelines

    3. Procedures