Page 9 - FIGI: Digital Financial Services security audit guideline
1 INTRODUCTION
The Digital Financial Services (DFS) Security Audit Guidelines complement the DFS Security Assurance Framework [1] and help stakeholders determine and identify security control deficiencies within the DFS infrastructure. The guidelines are based on the DFS Security Assurance Framework, which provides a systematic security risk management process for identifying threats and vulnerabilities. The DFS Security Assurance Framework also proposes security control measures that should be implemented by the DFS provider, mobile network operator, and other third parties within the ecosystem.

In a DFS application, a deficiency in any one of the controls increases the likelihood of a breach of privacy, access to DFS data, confidentiality, user authentication and authorisation, DFS service availability, fraud (internal and external), and network security. The audit checklist can be used by DFS regulators, providers, and operators in assessing whether the controls in the DFS Security Assurance Framework are present and functioning as intended.
2 DFS SECURITY AUDIT GUIDELINE
The DFS security audit guidelines are categorised into six different groups that a regulator, internal/external application security auditor, mobile network operator, or DFS provider can use to assess the implemented DFS security assurance control measures. Each group provides a series of questions that the auditor can use as a checklist for the security audit of the DFS infrastructure.

The DFS Security Audit Guidelines are categorised into the following groups:

i) Access control

Audit guidelines in this group assess whether sufficient selective restrictions on appropriate access to DFS-associated systems, services, resources, and controls are in place to guarantee protection against unauthorised use of network resources.