IT RMS Policy
Build the IT Steering Committee - refer to IT RMS.a.1
Document IT policies, procedures, and standards - refer to IT RMS.a.2
IT Governance / Management
IT Audit, see #3
IT Risk, see #5
IT KPIs and Metrics, see #4
Development and Acquisition
Align with detailed guidelines/standards on Project Management/Development and Acquisition and Change Management - Appendix 76 of BSP MORB
IT Operations
Align with detailed guidelines/standards on IT Operations - Appendix 77 of BSP MORB
Communication networks
Establish a process for reporting and advisories, see #7, in collaboration with the SaFi Compliance team
Information Security
Align with detailed guidelines/standards on information security - Appendix 75 of BSP MORB
Electronic Banking / Electronic Products and Services (need help from VL to implement)
Implement minimum controls described in Appendix 79 of BSP MORB
Implement Account Origination and Customer Verification (handled already by Onboarding and eKYC)
Implement Authentication (handled already by Okta and Vida)
Implement MFA for transactions (need to define transaction metrics for each additional authentication like biometrics, PIN, Passcode, etc.)
Implement PKI-assisted authentication and verification to uniquely identify the user (handled already using the WebAuthn protocol)
Implement Authorization controls and Access privileges in Back Office (handled already using Okta, but requires implementation on specific user role matrix)
Implement Attribute based access control on top of Role Based Access Control to Back Office features (Fine-grained user access rights appropriate to role matrix and implement in Okta)
Bake Application Security processes into the development of products and services
Implement input validation techniques for user inputs (both mobile and back office)
Implement high-level, generic error messages so that no trace information is visible from the user's perspective
Implement secure session management during user activities
Implement Vulnerability management
Implement Hardening practices
Establish SIEM
Creation of use cases in Grafana for security alerts and fraud detection
Implement Audit trails to all components of SaFi applications
Audit trails for user activities in mobile app (login, transactions, etc.)
Audit trails for back office user activities in Back office app (login, access to user details, performed activities)
Implement RBAC to Back Office based on user Role matrix
Implement customer awareness program
Implement Service Availability and Business Continuity (Disaster Recovery, Fail over mechanisms)
Establish incident response and management procedures
Implement customer privacy and confidentiality controls
Customer data masking in SIEM
Encryption of customer data during exports from our databases, bank statements, ledgers, journals etc.
Customer privacy awareness
Implement a mechanism to authenticate the official website, to protect customers from spoofed or faked websites
Implement data protection mechanism during data transmission in m-banking
Implement a dual authentication process for transactions, with security proportionate to each risk level
Require customers to download the bank's mobile online services and payment applications directly from the official third-party app stores (e.g., Apple App Store, Google Play and Windows Marketplace)
Implement encryption of Sensitive data in storage, transmission and during processing
IT Outsourcing / Vendor Management
Align with detailed guidelines/standards on IT Outsourcing/ Vendor Management and on the adoption of outsourced cloud computing model - Appendix 78 (collaboration with Legal on outsourcing)
Establish IT Audit - refer to IT RMS.a.3
Build an IT Audit Guild to support the SaFi internal auditors from the Audit tribe, as determined by SaFi senior management
The IT Audit Guild establishes a process aligned with BSP MORB Appendix 74
Establish Management Information System (MIS) or IT Metrics or KPIs for management decision making - refer to IT RMS.a.5 and related to 6.f.i.
Establish the IT Risk process and determine the following for IT processes - refer to IT RMS.a.6
Build an IT Risk Guild to support the SaFi Risk Team for IT-related risks
Identify the following risks related to IT
Operational risks
Strategic risks
Reputational risks
Compliance risks
Implement satisfactory control practices to mitigate risks - refer to IT RMS.c
Establish Information Security Risk Management framework - refer to IT RMS.c.1
Establish Info Sec process in AppSec team
Implement #2.e
Establish a framework for management of IT-related projects - refer to IT RMS.c.2
Build IT Project Guild to handle
Project Management
Development and Acquisition
Change Management
Implement #2.b
Establish IT Operations process - refer to IT RMS.c.3
Build IT Operations Guild
Implement #2.c
Establish IT Outsourcing / Vendor Management Program - refer to IT RMS.c.4
Build IT Outsourcing and Vendor Management Guild
Implement #2.g in collaboration with the SaFi finance team
Risk Assess electronic products and services - refer to IT RMS.c.5
The IT Risk Guild assesses SaFi Bank products and services in line with #2.f
Measure the risks from Risk Assessment - refer to IT RMS.d
The IT Risk Guild determines and manages performance metrics based on the strategic plans
The IT Risk Guild identifies benchmarks for the performance metrics
Establish the QA and QC process
IT Audit determines compliance with the defined performance metrics
The IT Audit Guild engages external third-party auditors for IT processes as the external audit
The IT Audit and Risk Guilds establish the IT reporting and notification process and standards - refer to IT RMS
To-do list, sorted by priority
MFA for transactions
Define criteria and controls for step-up transactions - Fraud, c/o James coordinating it
Implement the business logic in the code - Vacuum labs, c/o <need to define>
ABAC and RBAC in Back Office
Define user role and access matrix - Business
Translation into technical requirements for Okta implementation, c/o James
Implementation of the matrix in Okta - Vacuum labs, c/o <need to define>
Data validation techniques for user inputs
All user input in the Back Office and Mobile App must be validated - Vacuum labs to design and implement, c/o <need to define>
Malicious inputs (injection, scripting, forgery, MitM attempts) must be rejected with a generic 404 error that carries no message related to the input (do not entertain them) - Vacuum labs to design and implement, c/o <need to define>
Log the events and create alerts in SIEM - Vacuum labs to design and implement, c/o <need to define>
Generic error messages like
3xx and 4xx - "it's missing"
5xx - “something went wrong”
Log the errors as events and create alerts in SIEM
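Added example (not SaFi or Vacuum Labs code) for the data validation and generic error items above: allow-list validation of every field, a 404 "it's missing" body on any rejection, a 500 "something went wrong" body if the validator itself fails, and a structured event for the SIEM that carries a fingerprint of the rejected value rather than the value itself (in line with the customer data masking item). The field rules, the in-memory SIEM sink and the sample requests are constructed for illustration.

```python
"""Allow-list input validation with generic client-facing errors and SIEM events.

Added example, not SaFi or Vacuum Labs code. The field rules, the in-memory SIEM
sink and the sample requests are constructed for illustration.
"""
import hashlib
import re
from datetime import datetime, timezone

# Allow-list rules per field (constructed): accepted pattern and maximum length.
# Anything outside the allow-list is rejected outright; nothing is "cleaned up".
FIELD_RULES = {
    "account_no": (re.compile(r"[0-9]{10,12}"), 12),
    "amount":     (re.compile(r"[0-9]{1,9}(\.[0-9]{1,2})?"), 12),
    "reference":  (re.compile(r"[A-Za-z0-9 .,-]{0,64}"), 64),
}

# The only bodies a client ever sees on failure; they say nothing about the input.
GENERIC_MESSAGES = {404: "it's missing", 500: "something went wrong"}

SIEM_EVENTS = []   # constructed stand-in for the SIEM/Grafana ingestion pipeline


def _fingerprint(value):
    """Keep a correlation handle for a rejected value without storing the value itself."""
    return hashlib.sha256(str(value).encode("utf-8", "replace")).hexdigest()[:16]


def validate(fields):
    """Return [(field, reason), ...] for every violation; an empty list means valid."""
    violations = []
    for name, (pattern, max_len) in FIELD_RULES.items():
        value = fields.get(name)
        if value is None:
            violations.append((name, "missing"))
        elif not isinstance(value, str):
            violations.append((name, "wrong_type"))
        elif len(value) > max_len:
            violations.append((name, "too_long"))
        elif not pattern.fullmatch(value):
            violations.append((name, "pattern_mismatch"))
    for name in fields:
        if name not in FIELD_RULES:
            violations.append((name, "unexpected_field"))
    return violations


def emit_event(channel, client_ip, violations, fields):
    """Write one structured event per rejected request; flag likely probing for alerting."""
    safe_fields = fields if isinstance(fields, dict) else {}
    event = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "type": "input_validation_failure",
        "channel": channel,            # "mobile" or "backoffice"
        "client_ip": client_ip,
        "violations": [
            {"field": f, "reason": r, "value_fp": _fingerprint(safe_fields.get(f, ""))}
            for f, r in violations
        ],
        # Values that fail the pattern, over-long values and fields we never asked
        # for look like probing; a missing field is more often a client bug.
        "alert": any(r in {"pattern_mismatch", "unexpected_field", "too_long"}
                     for _, r in violations),
    }
    SIEM_EVENTS.append(event)
    return event


def last_event():
    """Most recent SIEM event, for tests and dashboards."""
    return SIEM_EVENTS[-1] if SIEM_EVENTS else None


def handle_request(channel, client_ip, fields):
    """Validate; on any violation answer 404 with the generic body and log the event."""
    try:
        violations = validate(fields)
    except Exception:
        # A defect in our own code must not leak a stack trace to the client either.
        emit_event(channel, client_ip, [("_validator", "internal_error")], fields)
        return {"status": 500, "body": GENERIC_MESSAGES[500]}
    if violations:
        emit_event(channel, client_ip, violations, fields)
        return {"status": 404, "body": GENERIC_MESSAGES[404]}
    return {"status": 200, "body": {"accepted": sorted(fields)}}


if __name__ == "__main__":
    print(handle_request("mobile", "203.0.113.5",
                         {"account_no": "123456789012", "amount": "100.00", "reference": "rent"}))
    print(handle_request("backoffice", "203.0.113.9",
                         {"account_no": "1' OR '1'='1", "amount": "100", "reference": "x"}))
    print(last_event())
```

The design point is that the rejection reason lives only in the SIEM event; the client gets the same 404 body whether a field is missing, too long or looks like an injection attempt, so nothing about the validator can be learned from the response.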
Audit logging for all SaFi components
Client activities including their transactions in Mobile App
Back Office user activities, including which clients they accessed and what actions they performed on client data
Meiro user activities: same requirement as Back Office
Thought Machine user activities: same requirement as Back Office
Genesys user activities: same requirement as Back Office
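Added example (not SaFi or Okta code) serving two items above: the ABAC-on-top-of-RBAC item for the Back Office, and the audit logging item for Back Office user activities. The role grant is checked first and attribute conditions can only narrow it (branch, MFA step-up, amount limit, network), and every decision is written to an audit record that names the user, the action and the client touched. The role matrix, attribute names, thresholds and sample subjects are constructed placeholders for the Business-owned role/access matrix.

```python
"""Deny-by-default Back Office authorization: RBAC grant first, ABAC conditions on
top, with every decision written to an audit trail.

Added example, not SaFi or Okta code. The role matrix, attribute names, thresholds
and sample subjects are constructed placeholders for the Business-owned matrix.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

# RBAC layer (constructed): role -> actions the role may perform at all.
ROLE_PERMISSIONS = {
    "cs_agent":   {"customer.view", "txn.view", "txn.reverse"},
    "cs_lead":    {"customer.view", "txn.view", "txn.reverse"},
    "compliance": {"customer.view", "txn.view", "customer.export"},
}

AGENT_REVERSAL_LIMIT = 50_000.0   # constructed threshold above which a lead is required

AUDIT_LOG = []   # constructed stand-in for the audit trail sink


@dataclass
class Subject:
    user_id: str
    roles: set
    branch: str
    mfa_verified: bool = False   # a fresh step-up was completed in this session


@dataclass
class Resource:
    kind: str                    # "customer" or "txn"
    customer_id: str             # which client the action touches (for the audit trail)
    branch: str
    amount: float = 0.0
    pii_level: str = "normal"    # "normal" or "sensitive"


def abac_conditions(subject, action, resource, ctx):
    """Attribute checks that narrow an RBAC grant. Returns a denial reason or None."""
    # Branch staff only handle customers of their own branch; compliance is bank-wide.
    if "compliance" not in subject.roles and resource.branch != subject.branch:
        return "branch_mismatch"
    # Reversals and exports are sensitive actions: require a fresh MFA step-up.
    if action in {"txn.reverse", "customer.export"} and not subject.mfa_verified:
        return "mfa_required"
    # Agents may reverse only up to the limit; larger reversals need a lead.
    if (action == "txn.reverse" and resource.amount > AGENT_REVERSAL_LIMIT
            and "cs_lead" not in subject.roles):
        return "amount_over_role_limit"
    # Sensitive-PII exports are allowed only from the corporate network.
    if (action == "customer.export" and resource.pii_level == "sensitive"
            and not ctx.get("corp_network", False)):
        return "sensitive_export_offnet"
    return None


def authorize(subject, action, resource, ctx=None):
    """Return (allowed, reason) and append the decision to the audit trail."""
    ctx = ctx or {}
    if any(action in ROLE_PERMISSIONS.get(role, ()) for role in subject.roles):
        reason = abac_conditions(subject, action, resource, ctx) or "allowed"
    else:
        reason = "rbac_denied"
    allowed = reason == "allowed"
    # Audit record: who did what to which client, and whether it was permitted.
    AUDIT_LOG.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "user_id": subject.user_id,
        "action": action,
        "resource_kind": resource.kind,
        "customer_id": resource.customer_id,
        "decision": "allow" if allowed else "deny",
        "reason": reason,
    })
    return allowed, reason


if __name__ == "__main__":
    agent = Subject("u100", {"cs_agent"}, "MNL", mfa_verified=True)
    print(authorize(agent, "customer.view", Resource("customer", "c1", "MNL")))
    print(authorize(agent, "customer.view", Resource("customer", "c2", "CEB")))
    print(authorize(agent, "txn.reverse", Resource("txn", "c1", "MNL", amount=75000.0)))
    print(AUDIT_LOG[-1])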
Cloudflare Hardening
Block IP ranges from North Korea (AML issue)
Block IP ranges from Iran (AML issue)
Harden rulesets
Fine-tune configuration
Perform VAPT
External - Mantua
Internal - AppSec team c/o James
Develop Security Awareness Program
Create alerts for security use cases in SIEM
Create alerts in SIEM for traffic from blocked IPs
Create alerts in SIEM for traffic from the AML grey-list countries below:
Albania
Barbados
Burkina Faso
Cambodia
Cayman Islands
Gibraltar
Haiti
Jamaica
Jordan
Mali
Morocco
Myanmar
Nicaragua
Pakistan
Panama
Philippines
Senegal
South Sudan
Syria
Turkiye
Uganda
United Arab Emirates
Yemen
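Added example (not SaFi or Cloudflare code) for the two SIEM alert items above: a small detection pass over edge access logs that raises a high-severity alert when a request from a blocked country (North Korea, Iran) still reaches the origin, since that means the Cloudflare block did not apply, and a medium-severity alert for traffic from any grey-list country. The sample log lines are constructed and only loosely modelled on Cloudflare Logpush field names; the country sets are the plan's lists as ISO 3166-1 alpha-2 codes.

```python
"""SIEM detection over edge access logs: traffic from blocked countries and from
AML grey-list countries.

Added example, not SaFi or Cloudflare code. The sample log lines are constructed
and only loosely modelled on Cloudflare Logpush field names.
"""
import json
from collections import Counter

# Countries blocked at the edge for AML reasons. A request from one of these that
# reaches the origin means the edge rule did not apply: highest severity.
BLOCKED = {"KP": "North Korea", "IR": "Iran"}

# AML grey list from the plan, as ISO 3166-1 alpha-2 codes.
GREY_LIST = {
    "AL": "Albania", "BB": "Barbados", "BF": "Burkina Faso", "KH": "Cambodia",
    "KY": "Cayman Islands", "GI": "Gibraltar", "HT": "Haiti", "JM": "Jamaica",
    "JO": "Jordan", "ML": "Mali", "MA": "Morocco", "MM": "Myanmar",
    "NI": "Nicaragua", "PK": "Pakistan", "PA": "Panama", "PH": "Philippines",
    "SN": "Senegal", "SS": "South Sudan", "SY": "Syria", "TR": "Turkiye",
    "UG": "Uganda", "AE": "United Arab Emirates", "YE": "Yemen",
}

# Constructed sample lines, one JSON record per line (documentation IP ranges).
SAMPLE_LOG = [
    '{"EdgeStartTimestamp":"2024-01-15T08:00:01Z","ClientIP":"203.0.113.10",'
    '"ClientCountry":"sg","ClientRequestPath":"/api/login","EdgeResponseStatus":200}',
    '{"EdgeStartTimestamp":"2024-01-15T08:00:02Z","ClientIP":"198.51.100.7",'
    '"ClientCountry":"kp","ClientRequestPath":"/api/transfer","EdgeResponseStatus":200}',
    '{"EdgeStartTimestamp":"2024-01-15T08:00:03Z","ClientIP":"192.0.2.44",'
    '"ClientCountry":"tr","ClientRequestPath":"/api/login","EdgeResponseStatus":401}',
    'not json at all',
]


def parse_line(line):
    """Parse one log record; raises ValueError/KeyError/TypeError on malformed input."""
    rec = json.loads(line)
    return {
        "ts": rec["EdgeStartTimestamp"],
        "ip": rec["ClientIP"],
        "country": str(rec.get("ClientCountry", "")).upper(),
        "path": rec.get("ClientRequestPath", "/"),
        "status": int(rec.get("EdgeResponseStatus", 0)),
    }


def classify(event):
    """Map one parsed event to an alert dict, or None when no rule fires."""
    country = event["country"]
    base = {"ts": event["ts"], "ip": event["ip"], "country": country, "path": event["path"]}
    if country in BLOCKED:
        return {**base, "severity": "high", "rule": "blocked_country_reached_origin",
                "note": f"{BLOCKED[country]} is blocked at the edge; check the Cloudflare ruleset"}
    if country in GREY_LIST:
        return {**base, "severity": "medium", "rule": "aml_grey_list_traffic",
                "note": f"traffic from {GREY_LIST[country]} (AML grey list)"}
    return None


def evaluate(lines):
    """Run the rules over raw log lines. Malformed lines raise a low-severity alert
    instead of being dropped silently, so a broken log pipeline is itself visible."""
    alerts = []
    for line in lines:
        try:
            event = parse_line(line)
        except (ValueError, KeyError, TypeError):
            alerts.append({"severity": "low", "rule": "unparseable_log_line", "raw": line[:80]})
            continue
        alert = classify(event)
        if alert:
            alerts.append(alert)
    return alerts


def summarize(alerts):
    """Count alerts per (rule, country) for a dashboard panel."""
    return Counter((a["rule"], a.get("country", "-")) for a in alerts)


if __name__ == "__main__":
    for a in evaluate(SAMPLE_LOG):
        print(a["severity"], a["rule"], a.get("ip", ""), a.get("note", a.get("raw", "")))
    print(summarize(evaluate(SAMPLE_LOG)))
```

The same three functions are what a Grafana alert rule would be built around: parse, classify, count per rule and country, with the severity deciding which procedure is triggered.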
Create alerts for use cases listed in OWASP Attacks
Create alerts for use cases listed in MITRE
Create procedures for handling those alerts
Build IT Steering Committee
Build the IT Guilds / sub-committees
IT Operations
IT Audit
IT Risks
IT Project
InfoSec
IT Outsourcing / Vendor Management
Perform risk assessment
Define risk metrics, benchmarks, performance KPIs
Perform audit reviews
Document everything aligned with BSP Standards and Guidelines:
Policy
Guidelines
Procedures