Page 10 - FIGI: Digital Financial Services security audit guideline
ii) Authentication
Audit guidelines in this group assess a DFS application's capability to verify the authenticity of its users.

iii) Availability
Audit guidelines in this group assess the DFS infrastructure and application for reliability and for the ability to grant timely access to authorised DFS users. The application and infrastructure are validated for resistance to denial-of-service attacks.

iv) Fraud detection
Audit guidelines in this group assess the controls in place within the DFS systems to detect intentional and unlawful interception by internal or external entities aimed at obtaining customer personal data and stealing customer funds from a DFS system.

v) Network security
Audit guidelines in this group assess the controls in place to protect the underlying network infrastructure from unauthorised access, misuse, malfunction, modification, destruction, or improper disclosure. These can also be used to test whether information flows only between authorised endpoints without being diverted or intercepted.

vi) Privacy and confidentiality
Audit guidelines in this group assess the controls in place to protect DFS participants' and users' data from unauthorised disclosure, including protection against data that might be derived from observing network activity.
The DFS security audit guideline is structured in the format below:
Impacted DFS entity | Group | Risk and vulnerability | Control | Security audit question | Applicable policy or procedure
The table above shows the DFS security risks and vulnerabilities, the DFS entities affected by those risks,
controls to mitigate the risks, the security audit question an auditor would ask and the respective policy and
procedure.
• The "Impacted DFS entity" lists the entity affected by the risk and vulnerability within the DFS ecosystem.
• The "Risk and vulnerability" column outlines the threats that an entity within the DFS ecosystem will face
based on the eight security dimensions (SD).
• The "Control" column lists the DFS controls for each of the DFS entities within the ecosystem.
• The "Security audit question" column outlines the auditor's question for compliance checking of the specific control.
• The "Applicable policy or procedure" column suggests the applicable policy or procedure documents that guide the day-to-day actions and strategies of a particular entity, based on ISO/IEC 27001 Information Security Management [2].
The table structure above is elaborated in Section 3, which includes the detailed audit checklist for all the security controls in the DFS security assurance framework. The table outlines the various security checks that need to be undertaken at the DFS provider and mobile network operator level to verify compliance. It can be used as a guideline by telco and financial services regulators, security auditors, and DFS providers for internal and external security audits.
Section 4 describes the process the security auditors may adopt by outlining a series of questions from Table 1
grouped by category for easy reference.