Page 22 - FIGI: Digital Financial Services security audit guideline

4  SECURITY AUDIT CHECKLIST


4.1  Access Control

4.1.1  Are login credentials of terminated DFS administrators, agents and users deactivated? Are dormant DFS accounts deactivated?
4.1.2  Are default system accounts removed from the DFS system and all systems that connect to DFS systems?
4.1.3  Are DFS vendor and support system accounts deactivated after support duties are completed?
4.1.4  Are the following logical controls set for DFS user sessions: i) auto logouts and session time out; ii) maximum failed password login attempts; iii) password and PIN complexity; iv) password/PIN reuse periods?
4.1.5  Are there procedures in place for the DFS provider to detect suspicious SIM swaps and SIM recycling?
4.1.6  Are there controls in place to prevent multiple simultaneous logons through multiple channels? Is the DFS provider only allowing a single session per user at a time to connect to the DFS network? (Multiple sessions through different channels could be an indication of a breach.)
4.1.7  Are there controls to limit access to DFS systems, especially for remote login users?
4.1.8  Are there policies and processes in place to manage new threats and attacks to the DFS systems?
4.1.9  Are there sufficient physical and logical barriers to limit access to DFS infrastructure?
4.1.10  Does the DFS provider use Role Based Access Controls?
4.1.11  Does the DFS system have the capability to detect out-of-pattern transactions based on customer profile? For example: does the DFS provider check the authenticity of transactions using location-based validation of transactions, for example through geo-velocity tracking or other means?
4.1.12  Has the DFS provider limited concurrent user logins and provided the option for customers to opt into other login channels? For example, are customers who use USSD able to optionally choose to use a DFS app channel before the DFS provider activates access through this channel?
4.1.13  Has the DFS provider set a dormancy period after which inactive admin accounts are deactivated? Are all inactive or dormant internal staff and API accounts deactivated?
4.1.14  Has the DFS provider set USSD and STK DFS sessions to automatically disconnect after a set period of user inactivity?
4.1.15  Is the DFS provider performing real-time device validation before transaction processing?
4.1.16  Is the password transmitted securely? Is the user required to change the password after first-time login?
4.1.17  Is there a maximum number of failed login attempts set before the account is locked?
4.1.18  Is there a sufficient way of validating user identity before activating previously dormant accounts, for example biometric validation?

4.2  Authentication

4.2.1  Are processes and policies in place to ensure that identity verification is in place prior to SIM swap operations? Are there technical mechanisms in place to prevent any leakage or transfer of information until the SIM swap has been confirmed?
4.2.2  Are DFS user authentication credentials transmitted via a different channel/out-of-band? (E.g., if account setup is done via the USSD channel, are one-time passwords transmitted via e-mail or voice calls?)
4.2.3  Are there controls to validate privileged users? For example, through IP validation and checking login time?
4.2.4  Does the DFS app store or transmit the Personal Account Number/Sensitive Authentication Data in plain text over SMS/email?
4.2.5  Does the DFS provider enforce server-based authentication for all access requests?
4.2.6  Does the mobile network operator perform biometric authentication before SIM swaps or SIM replacement?
4.2.7  Does the mobile network operator securely store SIM data like IMSI, Kc and Ki?
4.2.8  Is multi-factor authentication used for authenticating users?
4.2.9  Is multi-factor authentication used when connecting to DFS accounts?
4.2.10  Is the DFS provider able to detect a SIM swap or SIM change for a DFS account?
4.2.11  Is the DFS provider checking the IMSI of mobile numbers used for DFS transactions to protect against SIM swaps?
4.2.12  Is the DFS provider involved in the SIM recycling process for DFS accounts?
4.2.13  Is the DFS provider performing XML validation of data through APIs and USSD requests?
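Several of the checklist items above (4.1.11 geo-velocity validation, 4.1.15 real-time validation before transaction processing, and 4.2.10/4.2.11 IMSI-based SIM swap detection) describe checks an auditor would expect to see running on the DFS provider's transaction path. The Python below is an added illustration of such a pre-transaction validation step; it is not code from the FIGI guideline or from any DFS provider. The speed threshold, the account profile, the IMSI values and the coordinates are all constructed for the example, and an auditor would expect the real thresholds and the "hold until re-verified" action to be defined in the provider's own policy.

```python
"""Pre-transaction validation: geo-velocity check and IMSI-change (SIM swap) check.

Added example for checklist items 4.1.11, 4.1.15, 4.2.10 and 4.2.11.
All thresholds, identifiers and coordinates below are constructed assumptions.
"""
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
# Assumption: faster than a commercial airliner is not a plausible customer movement.
MAX_PLAUSIBLE_SPEED_KMH = 900.0


@dataclass
class AccountProfile:
    """What the DFS provider knows about the account before the transaction."""
    msisdn: str
    enrolled_imsi: str   # IMSI bound to the account at enrolment / last verified SIM change
    last_lat: float
    last_lon: float
    last_ts: int         # unix seconds of the last accepted transaction


@dataclass
class TransactionEvent:
    """What arrives with the new transaction request."""
    msisdn: str
    imsi: str            # IMSI currently attached to the MSISDN, as reported by the MNO
    lat: float
    lon: float
    ts: int              # unix seconds


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def geo_velocity_kmh(profile: AccountProfile, event: TransactionEvent) -> float:
    """Implied travel speed between the last accepted location and the new one."""
    distance = haversine_km(profile.last_lat, profile.last_lon, event.lat, event.lon)
    hours = (event.ts - profile.last_ts) / 3600.0
    if hours <= 0:
        # Same or earlier timestamp: any displacement at all is impossible.
        return float("inf") if distance > 0 else 0.0
    return distance / hours


def validate_transaction(profile: AccountProfile, event: TransactionEvent):
    """Return (decision, reasons); decision is 'allow', 'step_up' or 'block'.

    An IMSI that differs from the enrolled one is treated as a possible SIM swap
    and blocks the transaction until the customer's identity is re-verified
    (checklist 4.2.10/4.2.11). An implausible geo-velocity alone is an
    out-of-pattern signal (4.1.11) that triggers step-up authentication.
    """
    reasons = []
    if event.imsi != profile.enrolled_imsi:
        reasons.append("imsi_changed")
    speed = geo_velocity_kmh(profile, event)
    if speed > MAX_PLAUSIBLE_SPEED_KMH:
        reasons.append(f"geo_velocity:{speed:.0f}km/h")

    if "imsi_changed" in reasons:
        return "block", reasons
    if reasons:
        return "step_up", reasons
    return "allow", reasons


if __name__ == "__main__":
    # Constructed sample: last accepted transaction near Nairobi.
    profile = AccountProfile("254700000001", "639020000000001", -1.2921, 36.8219, 1700000000)
    nearby = TransactionEvent("254700000001", "639020000000001", -1.2800, 36.8300, 1700007200)
    far_away = TransactionEvent("254700000001", "639020000000001", 6.5244, 3.3792, 1700001800)
    new_sim = TransactionEvent("254700000001", "639020000000002", -1.2921, 36.8219, 1700001800)
    for ev in (nearby, far_away, new_sim):
        print(ev.imsi, ev.lat, ev.lon, "->", validate_transaction(profile, ev))
```

The two signals are deliberately kept separate so an auditor can map each one back to a checklist item: the IMSI comparison answers 4.2.11 directly, while the geo-velocity figure is one concrete instance of the "out-of-pattern" detection asked for in 4.1.11. In production the profile's last location and IMSI would come from the provider's transaction store and the MNO's HLR/HSS lookup rather than from in-memory objects.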


