
INTERNAL AUDIT

REVIEW AREA      REVIEW PERIOD                 DATE OF REVIEW    REPORT NO.
IT security      February 9th to 14th, 2022                      2022.1

TO: IT MANAGER

Cc: General Manager

FROM: Internal Audit

DATE: 28/02/2022

Contents
OBJECTIVES OF THE REVIEW ............................ 4
NFC Bank Information System Security Review Report CONFIDENTIAL Page 2


SCOPE AND METHODOLOGY OF THE REVIEW ................. 4
CONTEXT ............................................. 4
INTRODUCTION ........................................ 5
FINDINGS AND RECOMMENDATION ......................... 6
  Recommendation 1 .................................. 6
  Recommendation 2 .................................. 6
  Recommendation 3 .................................. 7
  Recommendation 4 .................................. 7
  Recommendation 5 .................................. 7
  Recommendation 6 .................................. 7
  Recommendation 7 .................................. 8
  Recommendation 8 .................................. 8
  Recommendation 9 .................................. 8
  Recommendation 10 ................................. 8
    Recommendation 10.1 ............................. 9
  Recommendation 11 ................................. 9
  Recommendation 12 ................................ 10
  Recommendation 13 ................................ 10
  Recommendation 14 ................................ 10
  Recommendation 15 ................................ 11
  Recommendation 16 ................................ 11
  Recommendation 17 ................................ 12
  Recommendation 18 ................................ 12
  Recommendation 19 ................................ 12



NFC BANK IT SECURITY REVIEW REPORT

OBJECTIVES OF THE REVIEW:


The IT security review we carried out from 9 to 14 February 2022 helped us identify and analyze
potential information system security risks and how to mitigate or remove them, with the aim of
maintaining the security of the information system and NFC BANK's overall business.
Our IT security review is a systematic, measurable technical assessment of how the BANK's security policy
is applied in practice.

SCOPE AND METHODOLOGY OF THE REVIEW:


The information used in this report was collected through the review of relevant documents,
interviews and visual inspection of the security measures on site. Interviews were also held with key IT
stakeholders to obtain their comments and determine their understanding of, and capability to apply, the
security practices and standards in their own environment. The following elements were reviewed:

• IT Security Policies and procedures.

• Security Management Control Framework

• Administrative Security

• Physical Security

CONTEXT

Following the regulator's observation of the proliferation of increasingly sophisticated
cyberattacks, whose victims include banks, microfinance and payment institutions in the CEMAC zone, the
Commission Bancaire en Afrique Centrale (COBAC) issued, on January 21, 2022, circular letter
LC-COB/04 on the strengthening of the control of IT risks (security of information systems and
cybersecurity). In this document the regulator urges banks, among other things, to:

• implement an information system security policy in line with best practices and
international standards;

• implement an anti-fraud mechanism;

• adequately assess operational risks, in this case cyberattacks;

• implement measures to detect unauthorized transactions, and measures to respond to
attacks and restore the functioning of their information system.

INTRODUCTION

Our Information Security review evaluates the process that helps identify vulnerabilities and
security risks in the NFC BANK IT infrastructure. Risk exposure does not only affect the security of systems
and infrastructure; it also affects the overall business operation. Information security is not just about IT
security, but also about the security of the information and data themselves.



FINDINGS AND RECOMMENDATION

1. The bank's servers are accessible from abroad, in particular from India, by our OFSS
partners. The IT team is not able to control, supervise and restrict certain accesses to the
servers by those partners who connect to our network from abroad.
Recommendation 1
IT should speed up the implementation of a mechanism that safeguards identities with
special access or capabilities beyond those of regular users. Such a solution is called Privileged Access
Management (PAM): it manages, controls and audits privileged access to network resources
(typically by brokering partner sessions through a controlled gateway, recording them and
issuing time-limited credentials), ensuring that only the right person accesses the right IT
resource, and that every privileged action can be traced afterwards.

2. Most of the applications and operating systems installed on the servers of the
server farm have not received the latest security patches from their vendors, which
leaves them exposed to publicly known vulnerabilities.
Recommendation 2
IT should put in place a patch management policy defining how patches are identified,
tested, prioritized by severity and deployed, with a maximum delay for critical security patches.

3. The SYGMA machine tokens are permanently plugged into the machines, which are
moreover easily accessible to anyone who has access to the SYSTAC room.

Recommendation 3
Install the SYGMA machines in the datacenter and give SYGMA application users remote
access to them. The tokens should be connected only for the duration of a payment session and
kept under the custody of the authorized users otherwise.

4. For more than two years, no intrusion test or vulnerability scan has been carried
out on the banking network.



Recommendation 4
ISO/IEC 27001:2013, control A.12.6.1 (Management of technical vulnerabilities), requires that
"information about technical vulnerabilities of information systems being used shall be obtained in
a timely fashion, the organization's exposure to such vulnerabilities evaluated and appropriate
measures taken to address the associated risk".

Penetration testing should be carried out at least annually, and vulnerability scanning on a
regular basis in between, so that weaknesses are found and fixed before they are exploited.

5. There is no monthly or quarterly activity report on the security of the bank's
information system.
Recommendation 5
IT should produce a monthly report on the security of the information system.

6. There is no review of users' access rights on the information system.

Recommendation 6
IT should review user authorizations on the entire information system on a monthly basis,
with the business owners confirming that each account and each right is still required.



7. The critical databases are not connected to Oracle Audit Vault for auditing.
Recommendation 7
IT should connect the critical databases to Oracle Audit Vault so that data access and critical
events from the various database systems are audited centrally.

8. There is no incident log at IT.

Recommendation 8
IT should implement an incident register recording every incident that occurs on the bank's
information system, and update the incident response plan accordingly.

9. There is no segregation of duties at IT management level: the person in charge of
IT security is an operational member of other departments, in particular network and
applications. This is a serious problem because, as is often said, a shared responsibility
is no one's responsibility.
Recommendation 9
The IS security officer should devote himself only to tasks related to the security of the
information system and should no longer take part in the operational activities of other IT
departments.

10. There is no formal IT risk register. IT and the Risk directorate have no defined and
updated risk acceptance criteria.
Recommendation 10
A formal IT risk register should be established.

Recommendation 10.1
A suitable IT risk appetite should be defined, so that the amount and type of risk that NFC
BANK is willing to take in order to meet its strategic objectives and support its sustainability
are recorded.

11. The last vulnerability assessment done by the DELOITTE audit team highlighted
critical vulnerabilities in the infrastructure and suggested a number of areas where
security could be improved, such as data loss prevention.

Mitigating cyber risk requires personnel who understand cyber-attack vectors, can assess the
threat horizon, and can identify and implement appropriate technical and procedural
countermeasures. We note that IT does not have staff holding recognized professional
security qualifications such as Certified Information Systems Security Professional (CISSP)
or Certified Information Security Manager (CISM).

Recommendation 11
The acquisition of recognized qualifications by the staff responsible for security would
provide a stronger governance position, and assurance to the management of the bank that
the IT function has the capability to identify, and as a result mitigate, the widest set of cyber
threats.

12. Kaspersky antivirus is deployed on 100% of the bank's PCs. The antivirus is set to
auto-update and pushes out signature updates as and when they are received. Internal and
on-access scanning are enabled and carried out automatically.

Our Kaspersky antivirus is not configured to block suspicious emails, because we use a mail
service hosted by a third party, Google, and the endpoint antivirus does not see mail before delivery.

Recommendation 12
IT should work with Google's support and security tooling to set up an alert to IT whenever a
suspicious email is sent to a bank employee; the server-side spam, phishing and malware filtering
of the hosted mail service should be enabled and tuned, since it is the only control that acts
before the message reaches the user.
13. The bank's mail server is hosted by Google and there is no copy of it in our
datacenter. In the event of a breach of contract with Google, the bank would not be able
to recover the information (emails and attachments) held in its mailboxes.

Recommendation 13
IT should keep an independent, regularly refreshed copy of the bank's mailboxes (emails and
attachments) in our datacenter, for example through a scheduled export or backup of the
Google-hosted mail data, so that the information can be recovered if the contract with Google ends.

14. NFC BANK uses a number of mobile devices, such as laptops and mobile phones,
which are used by a largely mobile workforce. Various data can be accessed from these
devices, including email, documents and photos, and they can back up data to cloud-based
accounts. Some users have more than 3 devices connected to the bank's WIFI.

There is no formal bring your own device (BYOD) policy. Furthermore, the lack of mobile
device management means that technical controls are not in place to govern the use of
mobile devices on the WIFI.
Recommendation 14
IT should formalize the bring your own device (BYOD) policy and enforce it technically
through mobile device management, so that only registered and compliant devices can join the WIFI.

15. The NFC BANK SIEM (Security Information and Event Management) is out of date:
the version currently installed on the server is 5.2, while the latest available version is 6.4.

Recommendation 15
The bank's SIEM, which centrally logs key events and security events from servers, network
devices and other sources, is running the obsolete version 5.2. IT must upgrade it quickly to
version 6.4, checking after the upgrade that log collection from every source and the existing
correlation rules still work.

16. The bank migrated from FLEXCUBE 11 to FLEXCUBE 14.3 on January 17, 2022, and
as of February 28, 2022 fund transfers are still not processed automatically and most often
do not work at all. The application that serves as the interface between FLEXCUBE 14.3 and
the SYSTAC platform has not been properly updated to interpret the new file format generated
by FLEXCUBE 14.3. This causes serious inconvenience for our customers, because transfers
are not executed within the expected time, and financial losses for the bank, because
Operations is sometimes obliged to route transfers through SYGMA at XAF 10,000 per
transfer instead of SYSTAC, which costs only XAF 2,000 per transfer.

This malfunction of our transfer process on FLEXCUBE 14.3 occurs in a context of strong
competition from other banks, and the impact on the image of our bank can only be negative.
Recommendation 16
IT should give us a timeline for the resolution of this problem, and the corrected interface
should be tested against files actually generated by FLEXCUBE 14.3 before it is put back into
production.

17. NFC bank does not have a security policy for digital payment.

The sensitive payment and personal data handled by the digital banking platform have not
been defined in the bank's IT security policy.

Recommendation 17
EBS and IT should put in place a security policy for digital payment.

18. NFC bank does not have a fraud detection and prevention solution in place for
identifying suspicious transactions. This means that there is no solution monitoring
the transactions made through the digital banking platform.
Recommendation 18
IT should put in place a solution that monitors digital transactions and flags suspicious
ones (for example unusually large amounts, bursts of transfers from one account, or first
payments to new beneficiaries) for review before or immediately after execution.



19. NFC bank does not provide alerts to customers (e.g. phone calls, SMS, etc.) for
suspicious or high-risk payment transactions. Customers are therefore not informed in
real time when such transactions take place through their mobile banking accounts.
Recommendation 19

EBS and IT should provide a solution that alerts customers by SMS or email of suspicious
transactions on their mobile banking accounts.
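As an added illustration of the rule-based monitoring and customer alerting that findings 18 and 19 call for (this is not code from NFC Bank, EBS, FLEXCUBE or any vendor product): the record layout, the account numbers, the thresholds and the sample transfers are all constructed assumptions. A real deployment would take the thresholds from the bank's risk appetite (Recommendation 10.1), read transfers from the digital banking platform, and deliver the SMS through the bank's messaging provider.

```python
"""Rule-based monitoring of digital-banking transfers with customer alerts.

Added illustration for findings 18 and 19 of this report. This is not code from
NFC Bank, EBS, FLEXCUBE or any vendor product: the record layout, the account
numbers, the thresholds and the sample transfers below are all constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Rule parameters (assumed values; in practice taken from the bank's risk appetite).
LARGE_AMOUNT_XAF = 1_000_000             # a single transfer at or above this is flagged
NEW_BENEFICIARY_MIN_XAF = 500_000        # first transfer to an unknown beneficiary above this
VELOCITY_MAX = 3                         # more than 3 transfers ...
VELOCITY_WINDOW = timedelta(minutes=10)  # ... within 10 minutes from one account is flagged
NIGHT_HOURS = range(0, 5)                # transfers between 00:00 and 04:59 are unusual


@dataclass
class Transaction:
    tx_id: str
    account: str
    amount_xaf: int
    beneficiary: str
    timestamp: datetime
    channel: str


@dataclass
class Alert:
    tx_id: str
    account: str
    reasons: list
    sms_text: str


def parse_line(line):
    """Parse one pipe-separated transfer record (constructed format) into a Transaction."""
    tx_id, account, amount, beneficiary, ts, channel = line.strip().split("|")
    return Transaction(tx_id, account, int(amount), beneficiary,
                       datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"), channel)


def build_sms(tx, reasons):
    """Customer notification text; the account number is masked to its last 4 characters."""
    masked = "*" * (len(tx.account) - 4) + tx.account[-4:]
    return (f"NFC Bank: transfer {tx.tx_id} of XAF {tx.amount_xaf:,} to {tx.beneficiary} "
            f"from account {masked} on {tx.timestamp:%d/%m/%Y %H:%M} was flagged "
            f"({', '.join(reasons)}). If you did not make it, contact your branch now.")


def monitor(transactions, known_beneficiaries):
    """Apply the rules in timestamp order and return one Alert per flagged transfer.

    known_beneficiaries maps an account to the beneficiaries it has paid before;
    the first sizeable transfer to a new one is treated as higher risk.
    """
    history = defaultdict(list)   # account -> timestamps of earlier transfers
    seen = {acct: set(bens) for acct, bens in known_beneficiaries.items()}
    alerts = []
    for tx in sorted(transactions, key=lambda t: t.timestamp):
        reasons = []
        if tx.amount_xaf >= LARGE_AMOUNT_XAF:
            reasons.append("large amount")
        recent = [t for t in history[tx.account] if tx.timestamp - t <= VELOCITY_WINDOW]
        if len(recent) >= VELOCITY_MAX:            # this is at least the 4th transfer in the window
            reasons.append("velocity")
        if (tx.beneficiary not in seen.setdefault(tx.account, set())
                and tx.amount_xaf >= NEW_BENEFICIARY_MIN_XAF):
            reasons.append("new beneficiary")
        if tx.timestamp.hour in NIGHT_HOURS:
            reasons.append("night-time")
        history[tx.account].append(tx.timestamp)
        seen[tx.account].add(tx.beneficiary)
        if reasons:
            alerts.append(Alert(tx.tx_id, tx.account, reasons, build_sms(tx, reasons)))
    return alerts


# Constructed sample transfers: tx_id|account|amount_xaf|beneficiary|timestamp|channel
SAMPLE_LOG = """\
TX0001|ACC-1001|50000|BEN-A|2022-02-10T09:15:00|mobile
TX0002|ACC-1001|1500000|BEN-Z|2022-02-10T09:20:00|mobile
TX0003|ACC-1002|20000|BEN-B|2022-02-10T10:00:00|web
TX0004|ACC-1002|20000|BEN-B|2022-02-10T10:02:00|web
TX0005|ACC-1002|20000|BEN-B|2022-02-10T10:04:00|web
TX0006|ACC-1002|20000|BEN-B|2022-02-10T10:06:00|web
TX0007|ACC-1003|30000|BEN-C|2022-02-11T02:30:00|mobile
"""
KNOWN_BENEFICIARIES = {"ACC-1001": ["BEN-A"], "ACC-1002": ["BEN-B"], "ACC-1003": ["BEN-C"]}


def run_sample():
    """Run the rules over the constructed sample; returns the alerts in timestamp order."""
    txs = [parse_line(l) for l in SAMPLE_LOG.splitlines() if l.strip()]
    return monitor(txs, KNOWN_BENEFICIARIES)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert.sms_text)
```

On the sample, three of the seven transfers are flagged: the large first payment to an unknown beneficiary, the fourth transfer from one account inside ten minutes, and a transfer made at 02:30. Each rule is deliberately simple so that the reasons can be printed in the customer's SMS and reviewed by Operations; the account number is masked in the message because the SMS itself leaves the bank's control.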
