Open in app

Sign in

Write

Sign in

Cyber Security Maturity Assessment Approach for NBFC Sector

WeSecureApp
4 min readApr 19, 2023

--

WeSecureApp develops customized solutions as per the client’s requirements and always provides a business-friendly approach towards amending or formulating its methodology, tools, and technologies supporting the applicable regulatory norms as well as the client’s business objectives. Hence, understanding the criticality of maintaining a security posture for an NBFC firm, WeSecureApp follows the below Cyber Security Maturity Assessment (CSMA) approach.

The prime agenda for going ahead with the CSMA approach is to

  • Quantitatively describe the security posture of the firm.
  • Highlighting the holistic view of the firm’s cyber tenacity and gaps in existing strategies.
  • Secure their dependency on Information Systems and Technology.
  • Provide support in formulating future security roadmaps.

Step 1: Reconnaissance

  • Understanding business operations
  • Identification of Critical Elements w.r.t People, Process, and Technology.
  • Comprehend the desired level of security competency.

Step 2: Analysis

  • IDENTIFY: Understanding the business environment, the resources supporting crucial operations, and the associated cyber security concerns.
  • PROTECT Outlines appropriate safeguards to ensure the delivery of critical infrastructure services.
  • DETECT: Defines the appropriate activities to identify the occurrence of a cyber security event.
  • RESPOND: Supports the ability to contain the impact of a potential cyber security incident.
  • RECOVER: Supports timely recovery to normal operations to reduce the impact of a cyber security incident.

Step 3: Roadmap Blueprint

With this approach, we moved ahead with optimizing the cybersecurity framework to best serve the organization via the framework highlighted below:

During the Analysis phase, a comprehensive and detailed evaluation was performed of all the critical processes serving the business operations. Major assessment areas are highlighted below:

Cloud Infrastructure

  • AWS Cloud Infrastructure Security Review using the CIS and NIST benchmarks.
  • Examination of AWS Managed RDS to ensure handling of Financial and PII Data complies with regulatory obligations.
  • In-depth analysis of VPCs to validate security group configuration.
  • Assessment of AWS IAM policies to analyze the logic/implementation of access control mechanisms across the network infrastructure.

Customer Facing Interfaces

  • Comprehensive assessment of all the web and mobile interfaces opting OWASP & SANS 25 methodology.
  • Verification of data protection techniques like Encryption, Masking, and Encoding across all API Endpoints processing PII and Payment data.

Software Development

  • Intensive code review for identification of security flaws at the root level via adopting manual and automated approaches.
  • Static Code Analysis for identifying susceptible threats at the code level without executing the application.
  • Semantic analysis is being performed to identify tokenization flaws and examine syntax, identifier, and resolving types from code.
  • Structural Analysis for examining framework-specific code structures for inconsistencies with secure programming practices and techniques.

Business Use-case

  • Executing test cases with respect to pervading the ideal business logic flow.
  • Detailed design analysis of business operations facilitating payment-related functionalities features for agent and partner portal.

Third-party Infrastructure

  • A Comprehensive Review of third-party integration emphasizing access control and data sharing obligations w.r.t agents and contractors driving the customer interaction in offline mode with the provided digital interfaces.

Data Localisation Implementation

In line, with the RBI requirement of localizing all the data that is being stored, transmitted, or processed by the organization (as it integrates its business services with one of the reputed banks), WeSecureApp compliance experts conducted an audit for Data Localisation in which the organization processes were being reviewed and evaluated with respect to local laws and regulations regarding the storage and handling of data.

Gaining an understanding of the client’s infrastructure in scope for audit.

Understanding the entire data flow throughout the business module in scope and identifying all the relevant components.

The following domains will be evaluated (w.r.t RBI circular) during the assessment:

  • Payment Data Elements
  • Transaction/Data Flow
  • Application and Network Architecture
  • Cross Border Transactions
  • Activities post Payment processing
  • Data Storage
  • Access Management
  • Data Security
  • Transaction processing

A Risk Assessment Process to be Conducted and appropriate artifacts need to be analyzed

A descriptive report needs to be generated summarizing the entire audit process and highlighting the observations identified.

Cyber Resiliency through Organisation Policies

Policies and procedures of any organization reflect the company’s vision and these policies govern the different aspects of the business. These policies help in standardizing all the processes as the company changes and grows.

WeSecureApp conducted an effective review of all the policies and processes being followed in the organization. We majorly focussed on the below domains in order to ensure that the organization is up to date with the latest regulations and technologies, as well as consistent with the industry’s best practices.

  1. Information Security Management
  2. Asset Management
  3. Identity and Authentication Management
  4. Operations Security
  5. System Acquisition, Development, and Maintenance
  6. Information Security Aspects of Business Continuity
  7. Information Security Incident Management

Conclusion

Utilizing our extensive knowledge and experience in the field of cyber security, we provide our customers with concrete advice that assists in protecting their valuable assets and critical data. This technical risk assessment paved the road for the WeSecureApp team to help companies looking for cyber risk analysis in their new investment ventures.

Get the Cert-In Empanelled Audit Report — Click Here

Originally published at https://wesecureapp.com on April 19, 2023.

Risk Assessment
Cybersecurity
Cyber Security Awareness
Compliance
Cyberattack

--

--

WeSecureApp

Written by WeSecureApp

76 Followers

Cybersecurity Hub (https://wesecureapp.com). #Cybersecurity #CISOs #RiskManagement #Governance #InfoSec

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams