Page 12 - FIGI: Digital Financial Services security audit guideline

P. 12

(continued)

Impacted Group Risk and vulner- Control Security audit question Applicable policy
DFS Entity ability or procedure
MNO Network - Exposure of internal C15: Use Network Address Translation to Are there technical controls in place to limit Communications
Security network to external limit external exposure of DFS IP address exposure of internal DFS systems addresses Security Policy
adversaries (SD: and routing information. (like database IP addresses? - Network security
access control) management
DFS Network - Insufficient pro- C16: Avoid direct access by external Are there logical boundaries that limit access Communications
Provider Security tection of internal systems to the DFS backend systems by to the DFS systems from all other systems? Security Policy
systems against setting up a DMZ that logically separates (For example, are other unauthorized inter- - Network security
external adversaries the DFS system from all other internal and nal users logically and/physically limited on management
(SD: access control) external systems. the network from accessing DFS processing
systems)
DFS Privacy and - Reliance by DFS C17: Ensure that security libraries offered Are the cryptographic libraries used by the Cryptography policy
Provider Confidenti- application on secu- by the operating system are correctly operating system or by the application cor- - Cryptographic
ality rity libraries offered designed and implemented and that the rectly designed and implemented and are controls
by operating systems cipher suites they support are sufficiently they up to date? Do the cryptographic librar-
(SD: communication strong. ies support strong cryptographic ciphersuites
security) and do they prevent or discourage use of
weak ciphersuites? Are hashing algorithms
used that have not been deprecated and are
adequate digest lengths supported? (Any-
thing less than SHA512 is considered weak
today. MD5 and SHA1 have been broken.)
For symmetric encryption ciphers, are strong
ciphers used and are adequate key lengths
supported? (For example, AES is considered
secure to use while 3-DES is no longer a pre-
ferred cipher because of the SWEET-32 attack,
and it is encouraged to move away from it
to AES as soon as possible.) - For public-key
encryption, are key lengths chosen to be an
appropriate size for the public key algorithm
being used?
Are the criteria used for selecting cryp-
tographic algorithms and key sizes based on
public and well-examined standards? (For
example, NIST 800-57 special publication has
guidelines on minimum key sizes for each
algorithm and how long this key size is good
for)
MNO Privacy and - Weak encryption C18: Ensure all sensitive consumer data Has all sensitive consumer data been Cryptography policy
Confidenti- practices or sending such as PINs and passwords are encrypted, encrypted by the application or the operating - Cryptographic
ality sensitive information when traversing the network and while the system? Are unencrypted versions of the controls
in clear text over inse- data is at rest. data accessible in the device, for example,
cure traffic channels in temporary buffers or in memory? Is all
like SMS and USSD information sent over a network connection
(SD: communication encrypted with a strong encryption cipher?
security) (See C17 for more discussion of what com-
prises a strong encryption cipher.)
DFS Pro- Fraud - Inadequate data C19: Remove customer sensitive data from Do trace logs and event data records capture/ Operations secu-
vider and Detection protection controls trace logs. Examples of data that should store sensitive user data? (e.g. are customer rity - Logging and
Third-party (SD: privacy) be removed include cash retrieval voucher PINs stored in EDRs) monitoring
providers codes, bank account numbers, credentials.
Instead, use place holders, where possible,
to represent this data in logs.
DFS Pro- Privacy and - Exposure of cus- C20: DFS providers should restrict sharing Is there limitation on customer sensitive infor- Operations security
vider and Confidenti- tomer sensitive of DFS user information to the minimum mation shared during transaction processing policy - Operational
Third-party ality information during amount required for transactions with with third parties? (e.g. Only information procedures and
providers transactions or third parties and service providers. needed for processing the transaction is responsibilities
through APIs (SD: shared with the third party)
privacy)

10 Digital Financial Services security audit guideline

7 8 9 10 11 12 13 14 15 16 17