Page 24 - Digital Financial Services security assurance framework

A high-level risk management process plan is shown in Figure 11 below, which encompasses the four phases of the PDCA (Plan-Do-Check-Act) cycle.

Figure 11 - Risk Management process

[Flowchart; the labels recovered from the figure are:]
Establish Context
  -> Risk Assessment: Identify Risks -> Analyze Risks -> Evaluate Risks
  -> Is risk assessment complete? (No: loop back) / Yes:
  -> Treat Risks
  -> Are risks acceptable? (No: loop back) / Yes:
  -> Risk Acceptance
Communicate Risks (Management) runs alongside all steps; Monitor and Review (Assurance, Interested Parties, Regulators) runs alongside all steps.




7.1  Scope

The DFS security assurance framework is applicable to stakeholders in the DFS ecosystem. It defines security controls to be adopted by DFS users, mobile network operators, and providers, including banks and other licensed non-bank financial institutions, who supply financial products and services through digital means. These controls can be applied to the assets, such as the infrastructure, applications and devices, that make digital financial services possible.

For the user, the framework focuses on the security controls for the devices, like mobile handsets, used to access digital financial services. The means and technology that allow communication between the user and the DFS provider are usually provided by a mobile network operator; the framework therefore also focuses on what the communications network provider has to do to secure the ecosystem.

This framework also includes the controls that have to be deployed by the DFS provider, who may be a financial institution like a bank or a non-bank provider; in some cases the communications network provider is also the digital financial services provider.

7.2  Establishing a context

This is the initial step in the risk management process, and its objective is for the stakeholder to gain an understanding of the DFS operating environment. This involves identifying the internal and external events that affect the ability to achieve end-to-end security. It is therefore important for the stakeholder to understand and assess the internal and external context within which digital financial services operate; this also helps frame the scope of the risk assessment.

In order to establish the internal context, the following must be formulated.


