Page 23 - FIGI Digital Financial Services security assurance framework

Figure 10 - Plan, Do, Check, Act

[Figure 10 is a four-quadrant Plan, Do, Check, Act cycle diagram; only its quadrant labels and text are recoverable from the page:]

PLAN - Establish context and develop risk assessment and treatment: in this step stakeholders in the DFS ecosystem identify assets, threats and vulnerabilities that could affect the assets and their level of impact.

DO - Risk Mitigation: in this step DFS stakeholders mitigate security threats and vulnerabilities by implementing security controls, processes, and procedures.

CHECK - Monitor and review: this involves assessing and measuring security performance of DFS assets against security checklists, both internal and external like regulators.

ACT - Treat Risks: this involves taking corrective and preventive actions, based on the results of an evaluation like an audit or actions to combat an incident.
                                                                Digital Financial Services Security Assurance Framework  21