TO: IT MANAGER
DATE: 28/02/2022
Contents
OBJECTIVES OF THE REVIEW ......... 4
CONTEXT .......................... 4
INTRODUCTION ..................... 5
FINDINGS AND RECOMMENDATION ...... 6
Recommendation 1 ................. 6
Recommendation 2 ................. 6
Recommendation 3 ................. 7
Recommendation 4 ................. 7
Recommendation 5 ................. 7
Recommendation 6 ................. 7
Recommendation 7 ................. 8
Recommendation 8 ................. 8
Recommendation 9 ................. 8
Recommendation 10 ................ 8
Recommendation 10.1 .............. 9
Recommendation 11 ................ 9
Recommendation 12 ................ 10
Recommendation 13 ................ 10
Recommendation 14 ................ 10
Recommendation 15 ................ 11
Recommendation 16 ................ 11
Recommendation 17 ................ 12
Recommendation 18 ................ 12
Recommendation 19 ................ 12
• Administrative Security
• Physical Security
CONTEXT
international standards;
INTRODUCTION
This Information Security review evaluates the process by which NFC BANK identifies vulnerabilities
and security risks in its IT infrastructure. Risk exposure does not only affect the security of systems
and infrastructure; it affects the overall operation of the business. Information security is not just
about IT security, but also about the security of the bank's information and data.
1. The bank's servers are accessible from abroad, in particular from India, by our OFSS
partners. The IT team is not able to control, supervise or restrict the access that these
partners have to the servers when they connect to our network from abroad.
Recommendation 1
IT should speed up the implementation of a mechanism that safeguards identities with
special access or capabilities beyond those of regular users. The solution is Privileged Access
Management (PAM): a security control that manages, controls and audits privileged access to
network resources, so that only the right person reaches the right IT resource, for an approved
purpose and period, with every privileged session recorded.
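The following is an added illustration, not code from NFC Bank or from any PAM product, of the control Recommendation 1 asks for: a just-in-time privileged-access check in which every privileged session needs an approved, time-bounded grant for that account and that specific server, partner accounts are additionally restricted by source country, and every decision is written to an audit log. All account names, hosts, countries and timestamps are constructed assumptions.

```python
"""Added example: a minimal just-in-time privileged-access broker (assumed
model, not NFC Bank's PAM product).  Names, hosts and times are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Grant:
    """An approval for one account to reach one server for a bounded window."""
    account: str
    target: str
    approved_by: str
    starts: datetime
    ends: datetime


@dataclass(frozen=True)
class AccessRequest:
    account: str
    target: str
    source_country: str   # ISO code derived from the source IP (assumed)


@dataclass
class PamPolicy:
    partner_accounts: frozenset
    allowed_partner_countries: frozenset
    grants: tuple
    audit_log: list = field(default_factory=list)

    def evaluate(self, req: AccessRequest, now: datetime):
        """Return ("allow", detail) or ("deny", reason) and record the decision."""
        decision, detail = self._decide(req, now)
        self.audit_log.append({
            "time": now.isoformat(),
            "account": req.account,
            "target": req.target,
            "country": req.source_country,
            "decision": decision,
            "detail": detail,
        })
        return decision, detail

    def _decide(self, req, now):
        # External partner accounts are restricted by source country first.
        if (req.account in self.partner_accounts
                and req.source_country not in self.allowed_partner_countries):
            return "deny", "source country not allowed for partner account"
        # Any privileged session needs a live grant for exactly this server.
        for g in self.grants:
            if (g.account == req.account and g.target == req.target
                    and g.starts <= now < g.ends):
                return "allow", f"grant approved by {g.approved_by}"
        return "deny", "no approved grant for this server at this time"


# Constructed sample policy: one partner account with a 4-hour approval
# to reach one database server.
T0 = datetime(2022, 2, 21, 9, 0, tzinfo=timezone.utc)


def hours_after(n):
    """Constructed clock: n hours after the grant start."""
    return T0 + timedelta(hours=n)


POLICY = PamPolicy(
    partner_accounts=frozenset({"ofss.partner1"}),
    allowed_partner_countries=frozenset({"IN", "CM"}),
    grants=(Grant("ofss.partner1", "flexcube-db01", "it.manager",
                  T0, hours_after(4)),),
)

if __name__ == "__main__":
    print(POLICY.evaluate(AccessRequest("ofss.partner1", "flexcube-db01", "IN"),
                          hours_after(1)))   # allowed: inside the grant
    print(POLICY.evaluate(AccessRequest("ofss.partner1", "sygma-app01", "IN"),
                          hours_after(1)))   # denied: server not in the grant
    print(POLICY.evaluate(AccessRequest("ofss.partner1", "flexcube-db01", "IN"),
                          hours_after(5)))   # denied: grant expired
    for entry in POLICY.audit_log:
        print(entry)
```

The point of the design is that partner access is never open-ended: a connection from India to the database server succeeds only while an IT-approved window is open, the same account is refused on any other server, and the audit log gives IT the supervision the finding says is currently missing.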
2. Most of the applications and operating systems installed on the servers in the
server farm have not received the latest security patches from their respective
vendors, which leaves them exposed to known vulnerabilities.
Recommendation 2
IT should put in place a patch management policy that defines how vendor security patches are
tracked, tested and deployed, with a remediation deadline for each severity level, and should
report compliance against that policy.
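As an added illustration of what such a policy drives in practice (example code, not NFC Bank's own tooling), the script below compares the installed version of each package on each server against a list of vendor advisories and reports every server still missing a fix, marking it overdue once the remediation deadline for that severity has passed. The inventory, the advisories, the dates and the deadlines are constructed sample data and assumptions.

```python
"""Added example: a patch-compliance report driven by a patch management
policy.  Inventory, advisories, dates and deadlines are constructed."""
from datetime import date, timedelta

# Assumed policy: maximum days between advisory publication and deployment.
REMEDIATION_SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Constructed server inventory (host, package, installed version).
INVENTORY = [
    {"host": "srv-app01", "package": "openssl", "version": "1.1.1"},
    {"host": "srv-app01", "package": "httpd", "version": "2.4.51"},
    {"host": "srv-db01", "package": "openssl", "version": "1.1.3"},
    {"host": "srv-db01", "package": "postgresql", "version": "13.5"},
]

# Constructed vendor advisories: package, first fixed version, severity, date.
ADVISORIES = [
    {"id": "ADV-0001", "package": "openssl", "fixed": "1.1.2",
     "severity": "critical", "published": date(2022, 1, 15)},
    {"id": "ADV-0002", "package": "httpd", "fixed": "2.4.52",
     "severity": "high", "published": date(2022, 2, 10)},
    {"id": "ADV-0003", "package": "postgresql", "fixed": "13.6",
     "severity": "medium", "published": date(2022, 2, 20)},
]

REPORT_DATE = date(2022, 2, 28)   # the date of this review


def parse_version(v):
    """Dotted numeric version -> tuple of ints, so '2.4.9' sorts before '2.4.10'."""
    return tuple(int(part) for part in v.split("."))


def missing_patches(inventory, advisories, today, sla=REMEDIATION_SLA_DAYS):
    """Return one finding per (host, advisory) whose fix is not yet installed."""
    by_package = {}
    for adv in advisories:
        by_package.setdefault(adv["package"], []).append(adv)
    findings = []
    for item in inventory:
        for adv in by_package.get(item["package"], []):
            if parse_version(item["version"]) >= parse_version(adv["fixed"]):
                continue  # the fixed version (or newer) is already installed
            deadline = adv["published"] + timedelta(days=sla[adv["severity"]])
            findings.append({
                "host": item["host"],
                "package": item["package"],
                "installed": item["version"],
                "required": adv["fixed"],
                "advisory": adv["id"],
                "severity": adv["severity"],
                "deadline": deadline,
                "overdue": today > deadline,
            })
    # Most urgent first: overdue items, then by severity, then by host.
    order = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    findings.sort(key=lambda f: (not f["overdue"], order[f["severity"]], f["host"]))
    return findings


if __name__ == "__main__":
    for f in missing_patches(INVENTORY, ADVISORIES, REPORT_DATE):
        flag = "OVERDUE" if f["overdue"] else "due " + f["deadline"].isoformat()
        print(f"{f['host']:10} {f['package']:11} {f['installed']:>7} -> "
              f"{f['required']:<7} {f['severity']:8} {f['advisory']} {flag}")
```

Run against the sample data on the review date, the report lists the critical OpenSSL fix on srv-app01 as overdue by more than a month, the httpd and PostgreSQL fixes as still within their deadlines, and nothing for srv-db01's OpenSSL, which is already on a fixed version. The same comparison run weekly against the real inventory is what turns a policy on paper into a measurable control.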
3. The SYGMA machine tokens are left permanently plugged into the machines, which are
themselves easily accessible to anyone who has access to the Systac room.
Recommendation 3
Install the SYGMA machines in the datacenter and give SYGMA application users remote
access to them.
4. For more than two years, no intrusion test or vulnerability scan has been carried
out on the banking network.
10. There is no formal IT risk register. IT and the Risk Directorate have no defined and
updated risk acceptance criteria.
Recommendation 10
A formal IT risk register should be established, together with defined risk acceptance
criteria that are reviewed and updated regularly.
11. The last vulnerability assessment performed by the DELOITTE audit team highlighted
critical vulnerabilities in the infrastructure and suggested a number of areas where
security could be improved, such as data loss prevention.
Mitigating cyber risk requires personnel who understand cyber-attack vectors, can assess
the threat horizon, and can identify and implement appropriate technical and procedural
countermeasures. We note that IT does not have staff with recognized professional security
qualifications, such as Certified Information Systems Security Professional (CISSP).
Recommendation 11
The acquisition of recognized qualifications by the staff responsible for security would
provide a stronger governance position, and assurance to the bank's management that the IT
function has the capability to identify, and therefore mitigate, the widest possible set of
cyber threats.
12. The Kaspersky antivirus is deployed on 100% of the bank's PCs. The antivirus is set to
auto-update and pushes out signature updates as soon as they are received. Internal and
on-access scanning are enabled and run automatically.
The Kaspersky antivirus is not configured to block suspicious emails, because the bank's mail is
hosted by a third party (Google).
Recommendation 12
IT should work with Google's security team to configure an alert to IT whenever a suspicious email
is delivered to a bank employee, so that such messages are investigated rather than relying on the
endpoint antivirus alone.
NFC Bank Information System Security Review Report CONFIDENTIAL Page 9
13. The bank's mail server is hosted by Google and there is no copy of it in our datacenter.
In the event of a breach of contract with Google, the bank would not be able to recover
the information (emails and attachments) held on that server.
Recommendation 13
IT should keep a regularly refreshed copy of all mailboxes (emails and attachments) in our
datacenter, independent of Google, and periodically test that it can be restored.
14. NFC BANK makes use of a number of mobile devices, such as laptops and mobile
phones, which are used by a largely mobile workforce. Various data can be accessed from
these devices, including email, documents and photos, and the devices can back up data
to cloud-based accounts. Some users have more than three devices connected to the
bank's WIFI.
There is no formal bring your own device (BYOD) policy. Furthermore, the lack of mobile
device management (MDM) means that technical controls are also not in place to govern the
use of mobile devices on the WIFI.
Recommendation 14
IT should formalize the bring your own device (BYOD) policy and back it with mobile device
management, so that only enrolled devices, within an agreed number per user, can reach the
bank's WIFI.
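As an added illustration (example code, not NFC Bank's tooling) of the technical check that is missing today, the script below reconstructs per-user device usage from WIFI accounting records: it reads RADIUS-style accounting lines, counts the distinct devices each user has connected, and flags users above the device limit and devices that are not enrolled in management. The log lines, user names, MAC addresses, the line format and the enrolled-device list are all constructed assumptions.

```python
"""Added example: per-user WIFI device count and MDM enrolment check from
RADIUS-style accounting lines.  Log, names, MACs and enrolled list are
constructed; the line format is an assumption."""
import re
from collections import defaultdict

# Constructed WIFI accounting log (one line per session start or stop).
ACCOUNTING_LOG = """\
2022-02-21T08:12:03Z Acct-Status-Type=Start User-Name=a.ndongo Calling-Station-Id=3C-22-FB-11-22-33 NAS-Identifier=wifi-hq
2022-02-21T08:14:40Z Acct-Status-Type=Start User-Name=a.ndongo Calling-Station-Id=F0-18-98-44-55-66 NAS-Identifier=wifi-hq
2022-02-21T08:15:02Z Acct-Status-Type=Start User-Name=m.fotso Calling-Station-Id=A4-83-E7-77-88-99 NAS-Identifier=wifi-hq
2022-02-21T09:01:11Z Acct-Status-Type=Start User-Name=a.ndongo Calling-Station-Id=8c-85-90-aa-bb-cc NAS-Identifier=wifi-hq
2022-02-21T09:30:27Z Acct-Status-Type=Stop User-Name=a.ndongo Calling-Station-Id=3C-22-FB-11-22-33 NAS-Identifier=wifi-hq
2022-02-21T12:45:09Z Acct-Status-Type=Start User-Name=a.ndongo Calling-Station-Id=3C-22-FB-11-22-33 NAS-Identifier=wifi-hq
2022-02-21T13:02:54Z Acct-Status-Type=Start User-Name=a.ndongo Calling-Station-Id=DC-A6-32-DD-EE-FF NAS-Identifier=wifi-hq
"""

# Constructed list of devices enrolled in the (assumed) MDM, canonical form.
MDM_ENROLLED = {"3C:22:FB:11:22:33", "F0:18:98:44:55:66", "A4:83:E7:77:88:99"}

LINE_RE = re.compile(
    r"^(?P<time>\S+) Acct-Status-Type=(?P<status>\w+) User-Name=(?P<user>\S+) "
    r"Calling-Station-Id=(?P<mac>[0-9A-Fa-f]{2}(?:[-:][0-9A-Fa-f]{2}){5})"
)


def normalize_mac(mac):
    """Canonical form (upper-case, colon-separated) so spelling variants dedupe."""
    return mac.upper().replace("-", ":")


def wifi_device_report(log_text, enrolled, max_devices=3):
    """Map each user to device count, over-limit flag and unmanaged devices."""
    devices = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("status") != "Start":
            continue  # skip unparsable lines and session Stop records
        devices[m.group("user")].add(normalize_mac(m.group("mac")))
    report = {}
    for user, macs in devices.items():
        report[user] = {
            "device_count": len(macs),
            "over_limit": len(macs) > max_devices,
            "unmanaged": sorted(macs - enrolled),
        }
    return report


if __name__ == "__main__":
    for user, info in wifi_device_report(ACCOUNTING_LOG, MDM_ENROLLED).items():
        print(user, info)
```

On the sample log, a.ndongo has four distinct devices (the same MAC reconnecting is counted once, and a lower-case MAC is matched to its upper-case form), two of which are not enrolled, so that user is over the limit; m.fotso has one enrolled device. With an MDM in place the same enrolment set becomes the source of truth the WIFI authentication consults, instead of a report produced after the fact.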
15. The NFC BANK SIEM (Security Information and Event Management) is out of date: the
version installed on the server is 5.2, while the latest available version is 6.4.
Recommendation 15
The SIEM centrally collects key system and security events from servers, network devices
and other sources. IT should upgrade it promptly from the obsolete version 5.2 to version
6.4, so that it benefits from the vendor's current fixes and detection content.
16. The bank migrated from FLEXCUBE 11 to FLEXCUBE 14.3 on January 17, 2022, and from
then until February 28, 2022 fund transfers have not been processed automatically and
most often do not work at all. The application that serves as the interface between
FLEXCUBE 14.3 and the SYSTAC platform has not been properly updated to interpret the
new file format generated by FLEXCUBE 14.3. This causes serious inconvenience for our
customers, because transfers are not made within the expected time, and financial
losses for the bank, because the operations department is often obliged to route
transfers through SYGMA at XAF 10,000 per transfer instead of SYSTAC, which costs
only XAF 2,000 per transfer.
This malfunction of our transfer process on FLEXCUBE 14.3 occurs in a context of strong
competition from peer banks, so its impact on the image of our bank can only be negative.
Recommendation 16
IT should provide a timeline for the resolution of this problem.
17. NFC Bank does not have a security policy for digital payments.
Sensitive payment and personal data in the digital banking platform have not been defined,
Recommendation 17
EBS and IT should put in place a security policy for digital payments.
18. NFC Bank does not have fraud detection and prevention solutions in place for
identifying suspicious transactions. This means that there is no solution in place to
monitor transactions made through the digital banking platform.
Recommendation 18
EBS and IT should provide a solution that will alert customers by SMS or email for
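As an added illustration of the monitoring that finding 18 says is absent (example code, not software from NFC Bank or EBS), the script below runs a rule-based screen over transactions from the digital banking channel: each transaction is checked against the customer's profile and against the account's recent activity, and every rule that fires produces an alert that a notification step could send to the customer by SMS or email. The thresholds, accounts, beneficiaries, amounts and message wording are constructed assumptions.

```python
"""Added example: rule-based screening of digital-banking transactions.
Thresholds, profiles, transactions and wording are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed policy thresholds (to be set by EBS; not taken from the report).
HIGH_AMOUNT_XAF = 5_000_000               # any single transfer at or above this
NEW_BENEFICIARY_AMOUNT_XAF = 1_000_000    # large transfer to a never-used payee
VELOCITY_COUNT = 3                        # this many transfers ...
VELOCITY_WINDOW = timedelta(minutes=10)   # ... within this window


def at(hour, minute):
    """Constructed timestamp on a single reference day."""
    return datetime(2022, 2, 21, hour, minute)


# Constructed customer profiles: home country and beneficiaries used before.
PROFILES = {
    "A1": {"country": "CM", "beneficiaries": {"B-100"}},
    "A2": {"country": "CM", "beneficiaries": set()},
}

# Constructed transactions from the digital banking channel.
TRANSACTIONS = [
    {"id": "t1", "account": "A1", "amount_xaf": 200_000, "beneficiary": "B-100", "country": "CM", "time": at(10, 0)},
    {"id": "t2", "account": "A1", "amount_xaf": 1_500_000, "beneficiary": "B-777", "country": "CM", "time": at(10, 2)},
    {"id": "t3", "account": "A1", "amount_xaf": 150_000, "beneficiary": "B-100", "country": "CM", "time": at(10, 5)},
    {"id": "t4", "account": "A1", "amount_xaf": 6_000_000, "beneficiary": "B-100", "country": "CM", "time": at(14, 0)},
    {"id": "t5", "account": "A2", "amount_xaf": 50_000, "beneficiary": "B-300", "country": "FR", "time": at(11, 0)},
]


def screen(transactions, profiles):
    """Return {transaction id: [rule names]} for every transaction that fires a rule."""
    alerts = {}
    recent = defaultdict(list)  # account -> timestamps still inside the velocity window
    for t in sorted(transactions, key=lambda x: x["time"]):
        profile = profiles[t["account"]]
        hits = []
        if t["amount_xaf"] >= HIGH_AMOUNT_XAF:
            hits.append("HIGH_AMOUNT")
        if (t["beneficiary"] not in profile["beneficiaries"]
                and t["amount_xaf"] >= NEW_BENEFICIARY_AMOUNT_XAF):
            hits.append("NEW_BENEFICIARY_LARGE")
        if t["country"] != profile["country"]:
            hits.append("FOREIGN_COUNTRY")
        window = recent[t["account"]]
        window.append(t["time"])
        cutoff = t["time"] - VELOCITY_WINDOW
        window[:] = [w for w in window if w > cutoff]  # drop expired entries
        if len(window) >= VELOCITY_COUNT:
            hits.append("VELOCITY")
        if hits:
            alerts[t["id"]] = sorted(hits)
    return alerts


def customer_message(txn, rules):
    """Text a notification step would send by SMS or email (constructed wording)."""
    return (f"NFC Bank: transfer {txn['id']} of XAF {txn['amount_xaf']:,} to "
            f"{txn['beneficiary']} was flagged ({', '.join(rules)}). "
            "Contact us immediately if you did not make it.")


if __name__ == "__main__":
    alerts = screen(TRANSACTIONS, PROFILES)
    by_id = {t["id"]: t for t in TRANSACTIONS}
    for txn_id, rules in alerts.items():
        print(customer_message(by_id[txn_id], rules))
```

On the sample data the first small transfer to a known beneficiary passes silently, the large transfer to a new beneficiary, the third transfer inside ten minutes, the single very large transfer and the transfer initiated from abroad each raise exactly one rule. Real deployments tune the thresholds per customer segment and add a hold step before the funds leave, but the structure, profile checks plus a per-account sliding window, is what any transaction-monitoring solution for the platform has to provide.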