Cyber Security Maturity Assessment for NBFCs: WeSecureApp’s Approach
By Garima MaithaniPublished On April 19, 2023
WeSecureApp develops customized solutions as per the client’s requirements and always provides a business-friendly approach towards amending or formulating its methodology, tools, and technologies supporting the applicable regulatory norms as well as the client’s business objectives. Hence, understanding the criticality of maintaining a security posture for an NBFC firm, WeSecureApp follows the below Cyber Security Maturity Assessment (CSMA) approach.
The prime agenda for going ahead with the CSMA approach is to
Quantitatively describe the security posture of the firm.
Highlighting the holistic view of the firm’s cyber tenacity and gaps in existing strategies.
Secure their dependency on Information Systems and Technology.
Provide support in formulating future security roadmaps.
Step 1: Reconnaissance
Understanding business operations
Identification of Critical Elements w.r.t People, Process, and Technology.
Comprehend the desired level of security competency.
Step 2: Analysis
IDENTIFY: Understanding the business environment, the resources supporting crucial operations, and the associated cyber security concerns.
PROTECT Outlines appropriate safeguards to ensure the delivery of critical infrastructure services.
DETECT: Defines the appropriate activities to identify the occurrence of a cyber security event.
RESPOND: Supports the ability to contain the impact of a potential cyber security incident.
RECOVER: Supports timely recovery to normal operations to reduce the impact of a cyber security incident.
Step 3: Roadmap Blueprint
Suggesting strategic change to manage risk sufficing the risk acceptance.
With this approach, we moved ahead with optimizing the cybersecurity framework to best serve the organization. During the Analysis phase, a comprehensive and detailed evaluation was performed of all the critical processes serving the business operations. Major assessment areas are highlighted below:
AWS Cloud Infrastructure Security Review using the CIS and NIST benchmarks.
Examination of AWS Managed RDS to ensure handling of Financial and PII Data complies with regulatory obligations.
In-depth analysis of VPCs to validate security group configuration.
Assessment of AWS IAM policies to analyze the logic/implementation of access control mechanisms across the network infrastructure.
Customer Facing Interface
Comprehensive assessment of all the web and mobile interfaces opting OWASP & SANS 25 methodology.
Verification of data protection techniques like Encryption, Masking, and Encoding across all API Endpoints processing PII and Payment data.
Intensive code review for identification of security flaws at the root level via adopting manual and automated approaches.
Static Code Analysis for identifying susceptible threats at the code level without executing the application.
Semantic analysis is being performed to identify tokenization flaws and examine syntax, identifier, and resolving types from code.
Structural Analysis for examining framework-specific code structures for inconsistencies with secure programming practices and techniques.
Executing test cases with respect to pervading the ideal business logic flow.
Detailed design analysis of business operations facilitating payment-related functionalities features for agent and partner portal.
Third Party Infrastructure
A Comprehensive Review of third-party integration emphasizing access control and data sharing obligations w.r.t agents and contractors driving the customer interaction in offline mode with the provided digital interfaces.
Data Localisation Implementation
In line, with the RBI requirement of localizing all the data that is being stored, transmitted, or processed by the organization (as it integrates its business services with one of the reputed banks), WeSecureApp compliance experts conducted an audit for Data Localisation in which the organization processes were being reviewed and evaluated with respect to local laws and regulations regarding the storage and handling of data.
Gaining an understanding of the client’s infrastructure in scope for audit.
Understanding the entire data flow throughout the business module in scope and identifying all the relevant components.
The following domains will be evaluated (w.r.t RBI circular) during the assessment:
Payment Data Elements
Application and Network Architecture
Cross Border Transactions
Activities post Payment processing
A Risk Assessment Process to be Conducted and appropriate artifacts need to be analyzed
A descriptive report needs to be generated summarizing the entire audit process and highlighting the observations identified.
Cyber Resiliency through Organisation Policies
Policies and procedures of any organization reflect the company’s vision and these policies govern the different aspects of the business. These policies help in standardizing all the processes as the company changes and grows.
WeSecureApp conducted an effective review of all the policies and processes being followed in the organization. We majorly focussed on the below domains in order to ensure that the organization is up to date with the latest regulations and technologies, as well as consistent with the industry’s best practices.
Information Security Management
Identity and Authentication Management
System Acquisition, Development, and Maintenance
Information Security Aspects of Business Continuity
Information Security Incident Management
Utilizing our extensive knowledge and experience in the field of cyber security, we provide our customers with concrete advice that assists in protecting their valuable assets and critical data. This technical risk assessment paved the road for the WeSecureApp team to help companies looking for cyber risk analysis in their new investment ventures.
Get the Cert-In Empanelled Audit Report – Click Here