Page 14 - FIGI: Digital Financial Services security audit guideline
(continued)
| Impacted DFS Entity | Group | Risk and vulnerability | Control | Security audit question | Applicable policy or procedure |
|---|---|---|---|---|---|
| DFS Provider | Network Security | Addition of test data into production data (SD: data integrity) | C30: The DFS provider should employ robust input validation routines on external-facing services by checking out-of-range values and unpermitted characters in fields, and by constraining and sanitizing input. Input validation should happen at the earliest possible point and should be done on both the client and the server side; however, the server should not rely solely on client-side validation. Additionally, block, log and review all requests that violate the Web Services Description Language (WSDL) and schemas. | Is the DFS provider performing input validation checks? | System acquisition, development, and maintenance - Security in development and support processes |
| DFS Provider | Fraud detection | Addition of test data into production data (SD: data integrity) | C31: Use database fingerprinting to detect tampering and modification of data after it has been stored. | Are there mechanisms in place to detect data modification and tampering on the database? | Operations security - Logging and monitoring |
| DFS Provider | | Addition of test data into production data (SD: data integrity) | C32: Ensure all test data is removed from code before it is migrated to the production environment. | Are test data and test user accounts deleted from the production environment? | System acquisition, development, and maintenance - Test data |
| DFS Provider | Fraud detection | Absence of logging, ability to alter logs, and insufficient information in logs (SD: non-repudiation) | C33: DFS systems should use logging mechanisms, including capturing the provenance of user actions or logging of critical actions into tamper-proof storage, and should secure DFS system logs from tampering, editing, deleting and stopping. | Are DFS logs stored securely in a tamper-proof module, e.g., a SIEM? | Operations security - Logging and monitoring |
| DFS Provider | Network Security | Inaccurate and unsynchronised clocks (SD: data integrity) | C34: Ensure clock accuracy synchronization on all systems connected to the DFS system. NTP and SNTP are some of the protocols used to sync accurate time; however, these must be deployed securely. | Are the clocks within the DFS ecosystem synchronized? | Operations security - Operational procedures and responsibilities |
| MNO | Network security | Weak over-the-air encryption (SD: communication security) | C38: Discontinue the use of the A5/0, A5/1, and A5/2 GSM encryption ciphers. Closely monitor results from the security and cryptographic community regarding the feasibility and ease of compromising A5/3 and A5/4 and begin considering stronger ciphers. Have a deployment strategy ready for these newer ciphers. | Has the use of known weak ciphers been discontinued? Has the deployment been prepared for new ciphers? | Communications security: Information transfer |
| MNO | Fraud detection | Weak Calling Line Identification filtering (SD: communication security) | C39: MNOs should do CLI analysis for calls/SMS to detect calls and SMS that may be spoofed to appear like DFS provider calls. | Are there mechanisms to detect SMS and call spoofing, e.g., CLI analysis? | Communications security: Information transfer |
| DFS Provider | Authentication | Missing/Inadequate account configuration and authorisation controls (SD: authentication) | C40: Require user authentication and authorization for high-risk account changes and transactions, and deny the performing of transactions, even when the device is logged in, until knowledge of the PIN or password has been demonstrated. | Is there additional authorisation and authentication for high-value transactions and changes on DFS user accounts? For example, what additional checks are done when increasing transaction limits? | Access control Policy - User access management |
| Third-Party Providers | Privacy and confidentiality | Weak encryption algorithms used on data stored in the device and data transmitted (SD: privacy) | C41: Sufficiently secure encryption should be employed both for data protection within the mobile application and for communication with backend DFS systems, and whenever possible, mask, truncate or redact customer confidential information. | Have strong encryption ciphers and integrity protection mechanisms such as message authentication codes been used for data stored on the device and when data is communicated to backend DFS systems? (See C17 for a discussion of strong encryption algorithms.) Are policies in place to assure the redaction of sensitive customer confidential information? | Cryptography policy - Cryptographic controls |
| Third-Party Providers | Privacy and confidentiality | Lack of encryption of communications (SD: communication security) | C42: Use digital signatures to identify third parties connected to the DFS system when transactions are performed. | Are digital signatures used to identify third-party providers that connect to the DFS systems? | Access control Policy - System and application access control |