Page 25 - Digital Financial Services security assurance framework
a. The Information Security Management System based on ISO/IEC 27001; the normative documents must be considered or implemented.
b. The DFS stakeholder's overall organizational structure, how DFS fits into that structure, and the organization's objectives.
c. The DFS assets. This includes the supporting technology and information systems, physical infrastructure, software applications, hardware, agent networks, and the customer/agent/merchant devices used to access DFS.
d. Existing internal controls, previous security risk events, previous fraud incidents, previous audit reports and DFS project documents.
e. Regulatory requirements.
f. The risk tolerance and risk appetite.

Amongst other aspects, the external context considers the following.

a. Laws and regulations related to digital financial services.
b. Key DFS stakeholders.
c. The political and social environment. This includes demographics such as the level of education of the population, mobile device uptake and the level of smartphone penetration in the target population.
d. Competing alternatives and complementary services to digital financial services.
e. Emerging risks and their influence on both the financial service and its stakeholders.

The outcome of this phase is a recorded summary of all information gathered. This information forms the input to the risk assessment process.

7.3 Security Assessment

The risk assessment gives stakeholders indicative measures of the current security level in the DFS ecosystem. The security risk assessment process includes the identification, analysis and evaluation of risks. The DFS risk assessment should be conducted periodically and the results fed back to management.

The overview of the process flow is shown below.
Figure 12 - Risk assessment process flow

Risk Identification:
- Identify DFS assets
- Identify associated vulnerabilities
- Identify threats
- Identify existing controls
- Identify consequences

Risk Analysis:
- Assessment of consequences
- Assess likelihood & impact of occurrence
- Assess the inherent risks
- Assess the residual risks

Risk Evaluation:
- Identify controls implemented to reduce vulnerability
- Evaluate effectiveness of existing controls
- Define risk impact
7.4 Risk Identification

Risk identification determines what, how, where and why DFS vulnerabilities might be exploited. It involves identifying critical DFS assets, their associated threats and vulnerabilities, the probability of occurrence, weaknesses in existing controls, and the impact or consequences once threats and vulnerabilities are exploited. During risk identification, the stakeholder should be cognizant of the internal and external considerations in section 7.2 above.

In risk identification DFS stakeholders should consider five critical actions:

i. Asset Identification: This entails listing all assets in the DFS ecosystem and who is responsible for them. Assets in DFS include, but are not limited to, the physical infrastructure, software applications, hardware, agent equipment, the customer/agent/merchant devices used to access DFS services, and the communication network devices. Identification enables the stakeholder to classify DFS assets based on the impact an incident affecting the asset would have on the DFS ecosystem; classification aims to categorize assets by their value and criticality to the DFS ecosystem.
ii. Vulnerability Identification: A vulnerability is a weakness or flaw that enables a threat to attack an asset. These include, but are not limited to, weaknesses in the physical layout, organizational procedures, personnel, management, hardware, software, network, etc. They may be exploited by a threat, which may cause harm or damage to the system. The vulnerabilities identified should be