Page 21 - FIGI: Digital Financial Services security audit guideline
(continued)

| Impacted entity | Group | Risk and vulnerability | Control | Security audit question | Applicable policy or procedure |
|---|---|---|---|---|---|
| MNO, DFS providers, and Third parties | Network Security | Discovery of new exploits against deployed systems and the inability to deploy solutions against these exploits (SD: Data Confidentiality, Access Control, Availability) | C109: MNOs along with DFS providers and payment services providers should patch systems to the latest versions provided by the vendor to defend against attacks that have been developed from older vulnerabilities. | Are the DFS systems patched against known vulnerabilities? | Operations security - Technical vulnerability management |
| MNO, DFS providers, and Third parties | Access control | Discovery of new exploits against deployed systems and the inability to deploy solutions against these exploits (SD: Data Confidentiality, Access Control, Availability) | C110: Providers and MNOs should have contingency plans in place with vendors to quickly acquire patches and system remediation if a zero-day attack has been found in the wild. Part of this strategy involves the proper use of backups. | Are there policies and processes in place to manage new threats and attacks to the DFS systems? | Operations security - Technical vulnerability management |
| MNO | Network Security | Insecure devices connected to the DFS infrastructure (SD: Data Integrity) | C111: MNOs should monitor devices used to connect to or otherwise access the DFS system to ensure that such devices have the latest patches, updated antivirus software, are scanned for rootkits and key loggers, and do not support network extenders. | Are all devices used to connect to DFS systems scanned for threats and checked for the latest software patches? | Operations security - Technical vulnerability management |
|  | Authentication | Overly permissive access to the DFS infrastructure (SD: Authentication) | C115: Before authenticating DFS users, when possible, validate the IMSI, device, location, and IP address of the user to establish their identity and to prevent unauthorized access to the network infrastructure. | Is the DFS provider checking the IMSI of mobile numbers used for DFS transactions to protect against SIM swaps? | Access control Policy - User access management |
| Third-Party Provider | Fraud detection | Inadequate transaction verification (SD: Non-Repudiation) | C116: Payment service providers should ensure that companion general-purpose reloadable cards linked to DFS accounts require the use of EMV chips with cardholder verification methods, such as PINs or biometrics, when practical, and that all transactions result in an alert to customers. | Do the DFS customers get alerts when DFS transactions are performed on their accounts? | Access control Policy - User access management |
| DFS Provider | Privacy and Confidentiality | Inadequate oversight and controls in test environments (SD: privacy) | C117: DFS providers should ensure that customer data in production environments is not used in test environments unless anonymized according to best practices. Conversely, test data should not be migrated to production. | Is there proper segregation of data implemented for test and production environments? Are there processes, such as data anonymization, that limit the use of customer data for test purposes? | Asset management - Media handling |
| Third-Party Provider | Privacy and Confidentiality | Exposure of customer-sensitive information in transactions or through APIs (SD: privacy) | C118: Third-party providers should restrict the sharing of information with other parties such as payment service providers and DFS providers to the minimum required to assure the integrity of the transaction. | Are there processes that limit the data shared with third parties when transactions are being performed? | Asset management - Media handling |
| Third-Party Provider | Privacy and Confidentiality | Insufficient data protection controls (SD: privacy) | C119: Providers should ensure that customer-sensitive data is removed from environments such as trace logs (for example, cash retrieval voucher codes, bank account numbers, and credentials). Use placeholders whenever possible to represent this data in log files. | Do event logs contain customer-sensitive data such as PINs? | Operations security - Logging and monitoring |
This audit checklist table [4] above is available to download in Excel using this link: https://itu.int/en/ITU-T/extcoop/figisymposium/Documents/Digital%20Financial%20Services%20security%20audit%20checklist.xlsm
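Control C119 asks that voucher codes, account numbers and credentials be replaced by placeholders in log files, and its audit question asks whether event logs still contain such data. The following is an added example, not code from the guideline or from any DFS provider, showing both halves: a `logging.Filter` that rewrites records before they reach a handler, and an audit function that scans existing log lines for unredacted values. It assumes a key=value log format, a particular set of key names (`pin`, `otp`, `account`, `msisdn`, ...) and a voucher-code format (`VCH-` plus eight alphanumerics); all of these, and the sample log lines, are constructed for the example.

```python
import logging
import re

# Key names that carry customer-sensitive values in key=value log lines.
# The guideline names credentials, voucher codes and account numbers; which
# keys hold them is an assumption about the (constructed) log format.
SECRET_KEYS = {"pin", "otp", "password", "passwd", "secret", "token"}
PARTIAL_MASK_KEYS = {"account", "pan", "card", "msisdn"}  # keep last 4 digits
VOUCHER_KEYS = {"voucher", "voucher_code"}

KV_RE = re.compile(r"\b([A-Za-z_][A-Za-z0-9_]*)=([^\s,;]+)")
# Free-text cash retrieval voucher codes; the "VCH-" + 8 alphanumerics format
# is a constructed assumption, not a format from the guideline.
VOUCHER_RE = re.compile(r"\bVCH-[A-Z0-9]{8}\b")

# Constructed sample log lines, as a DFS platform might write them.
SAMPLE_LOG = [
    "2024-01-15T10:23:45Z INFO cashout msisdn=254700111222 account=1234567890123456 amount=500.00",
    "2024-01-15T10:23:46Z DEBUG verify pin=1234 otp=982211 result=ok",
    "2024-01-15T10:24:01Z INFO voucher issued voucher=VCH-AB12CD34 to msisdn=254700111222",
    "2024-01-15T10:24:05Z WARN retry password=Hunter2! user=agent07",
]


def _placeholder(key: str, value: str):
    """Return the placeholder for a sensitive key, or None if the key is not sensitive."""
    lk = key.lower()
    if lk in SECRET_KEYS:
        return "<REDACTED>"
    if lk in VOUCHER_KEYS:
        return "<VOUCHER>"
    if lk in PARTIAL_MASK_KEYS:
        # Last four digits are kept so support staff can still correlate events.
        return f"<{key.upper()} ****{value[-4:]}>"
    return None


def redact(message: str) -> str:
    """Replace sensitive values in one log message with placeholders (idempotent)."""
    def sub(m):
        key, value = m.group(1), m.group(2)
        if value.startswith("<"):  # already a placeholder from an earlier pass
            return m.group(0)
        ph = _placeholder(key, value)
        return m.group(0) if ph is None else f"{key}={ph}"

    message = KV_RE.sub(sub, message)
    # Catch voucher codes that appear in free text rather than as key=value.
    return VOUCHER_RE.sub("<VOUCHER>", message)


def find_sensitive(lines):
    """Audit check for C119: list (line_number, key) for every unredacted sensitive value."""
    findings = []
    for n, line in enumerate(lines, 1):
        kv_values = set()
        for m in KV_RE.finditer(line):
            key, value = m.group(1), m.group(2)
            kv_values.add(value)
            if not value.startswith("<") and _placeholder(key, value) is not None:
                findings.append((n, key))
        for code in VOUCHER_RE.findall(line):
            if code not in kv_values:  # not already reported via its key
                findings.append((n, "voucher-code"))
    return findings


class RedactingFilter(logging.Filter):
    """Attach to a logger or handler so records are redacted before formatting."""
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()
        return True


if __name__ == "__main__":
    logger = logging.getLogger("dfs")
    handler = logging.StreamHandler()
    handler.addFilter(RedactingFilter())
    logger.addHandler(handler)
    logger.setLevel(logging.DEBUG)
    for line in SAMPLE_LOG:
        logger.info(line)  # printed with placeholders instead of raw values
    print("raw log findings:     ", find_sensitive(SAMPLE_LOG))
    print("redacted log findings:", find_sensitive([redact(l) for l in SAMPLE_LOG]))
```

Redacting at the filter stage means every handler (file, syslog, SIEM forwarder) sees the same sanitized record, so no single output path can leak the raw value. The partial mask on account numbers and MSISDNs is a design choice, not something the control requires; where the placeholder can be a full one, prefer that. Running `find_sensitive` over archived logs is the audit-time check; running `redact` in the logging pipeline is the control.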