IT Compliance Checklist

Uploaded by rizwan.rasg

THE NON-BANKING FINANCE COMPANIES

IT SYSTEM COMPLIANCE REQUIREMENT

Checklist

Requirement for Mobile Application Security of Digital Lending App

1) Secure Access Management:


 Approved policies and procedures for secure access management.
 Disable the user accounts of employees who leave the organization.
 No privileged (admin) user IDs are in use without formal approval.
 Maintain an inventory of privileged accounts; the review frequency
should be defined.
 An access rights review document for the application is in place.
 User creation, modification of rights and revocation of rights should
be performed appropriately, with approvals from the line manager in
place.
 A strong password policy is implemented which covers password
complexity, minimum length, history and minimum age.
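The password policy item above names four controls (complexity, minimum length, history and minimum age) but does not show how they interact. The following is an added example, not part of the checklist or of any lender's code, of a policy evaluator that applies all four; the policy values, the user state and the sample passwords are hypothetical, and only salted hashes of previous passwords are kept for the history check.

```python
# Added example (not from the checklist): a password-policy evaluator covering
# complexity, minimum length, history and minimum age. Policy values, user
# state and passwords are hypothetical.
import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Character classes counted towards complexity: upper, lower, digit, symbol.
CLASS_PATTERNS = (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]")
# Iteration count kept modest so the example runs quickly; production systems
# should use a memory-hard KDF (e.g. Argon2id) or a far higher PBKDF2 count.
PBKDF2_ROUNDS = 50_000


@dataclass
class PasswordPolicy:
    min_length: int = 12
    min_classes: int = 3
    history_depth: int = 5                     # last N passwords may not be reused
    min_age: timedelta = timedelta(days=1)     # no second change within this window


@dataclass
class UserPasswordState:
    # (salt, derived key) pairs, oldest first; plaintext is never stored.
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)
    last_changed: Optional[datetime] = None


def derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def check_complexity(password: str, policy: PasswordPolicy) -> List[str]:
    problems = []
    if len(password) < policy.min_length:
        problems.append("password shorter than %d characters" % policy.min_length)
    classes = sum(1 for p in CLASS_PATTERNS if re.search(p, password))
    if classes < policy.min_classes:
        problems.append("password uses fewer than %d character classes" % policy.min_classes)
    return problems


def evaluate_change(password: str, state: UserPasswordState,
                    policy: PasswordPolicy, now: datetime) -> List[str]:
    """Return every policy violation a proposed change would cause ([] if none)."""
    problems = check_complexity(password, policy)
    if state.last_changed is not None and now - state.last_changed < policy.min_age:
        problems.append("minimum password age not reached")
    for salt, digest in state.history[-policy.history_depth:]:
        # Re-derive with the stored salt and compare in constant time.
        if hmac.compare_digest(derive(password, salt), digest):
            problems.append("password reused from history")
            break
    return problems


def apply_change(password: str, state: UserPasswordState,
                 policy: PasswordPolicy, now: datetime) -> List[str]:
    """Apply the change if compliant and return []; otherwise return the violations."""
    problems = evaluate_change(password, state, policy, now)
    if problems:
        return problems
    salt = os.urandom(16)
    state.history.append((salt, derive(password, salt)))
    state.history = state.history[-policy.history_depth:]
    state.last_changed = now
    return []


def demo() -> dict:
    """Walk one hypothetical user through the four checks with constructed inputs."""
    policy = PasswordPolicy()
    state = UserPasswordState()
    t0 = datetime(2024, 1, 1, 9, 0)
    return {
        "first_set": apply_change("Correct-Horse-9", state, policy, t0),
        "too_short": evaluate_change("Short1!", state, policy, t0 + timedelta(days=3)),
        "too_soon": evaluate_change("Another-Horse-7", state, policy, t0 + timedelta(hours=2)),
        "reused": evaluate_change("Correct-Horse-9", state, policy, t0 + timedelta(days=3)),
        "accepted": apply_change("Another-Horse-7", state, policy, t0 + timedelta(days=3)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result or "ok")
```

The minimum-age check is what makes the history check effective: without it a user can cycle through N+1 changes in a minute and land back on the old password. Auditors reviewing this control should ask to see both settings, not just the complexity rule.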

2) Perimeter & Network Security:


 High-level network diagram of the mobile application environment,
indicating the location of network devices, application and database
servers, and other attached components.
 Controls are in place to protect against unauthorized access and
network attacks.
 Inbound security policies are enabled for the in-scope application
environment.
 Firewall rules allow only trusted sources to access the applications.
 A logging and monitoring process for the firewall is in place.
 Details of the encryption mechanism, TLS version and digital
certificate used on the application portal.

3) Endpoint Server & Cloud Security:


 Versions and patches of all endpoints are up to date and the endpoints
are secured.
 Software installation and upgrade rights on servers/instances are
limited to authorized personnel only.
 Software installation on endpoints should be restricted and approved
on a need-to-use basis.

4) Application-level Security:
 Components required for the application, such as the web server and
other components, are updated and running on current, supported
versions.
 Implementation of a Web Application Firewall (WAF) on customer-facing
interfaces.
 Maintain details (scope, date, findings and remediation status) of the
latest VAPT conducted on the mobile application portal/mobile app,
system and database.
 Conduct VAPT on the in-scope system, including the mobile application
portal/mobile app, system and database.
 Ensure that APIs are not using outdated SSL/TLS protocols (SSL 3.0,
TLS 1.0 and TLS 1.1 are deprecated; TLS 1.2 or later should be required).
5) Data Security:
 Approved data security policy and procedure should be in place.
 Encrypt data at rest (including backups) and in transit using strong,
non-obsolete cryptographic algorithms.
 Ensure appropriate measures have been taken to avoid accidental
deletion or overwriting of data/information.
 Ensure that separate channels are used for the storage and
transmission of critical data.

6) Incident Surveillance & Monitoring:


 Ensure that policies and procedures are in place for incident
management and reporting.
 Anomalies are detected and resolved in a timely manner.
 The incident management procedure is implemented and an appropriate
reporting matrix is maintained for such incidents.
 Incident response functions shall be implemented in the application
system; the response to any incident should be documented for the
record.
 Potential risks and vulnerabilities impacting business continuity are
identified in a timely manner.

7) Patch Management:
 Logs of deployed patches are documented.
 A formal approval process is in place for patch testing, user
acceptance testing and migration to production.
 Approved patch management policies and procedures.
 The procedure for approval of tested patches should be defined.
 UAT of patches should be performed in a segregated environment.
 Validate that patches are applied on the test system first before
being promoted to production.

8) Logging & Backups:


 Validate that policies and procedures are approved and implemented
for backup and recovery of the in-scope application.
 Validate that logging is enabled at the application, platform,
database and operating system levels.
 Validate that log files cannot be modified: even system
administrators must not be able to modify their own logs, and logs must
be secured at the directory level (for example by forwarding them to a
write-once store outside the administrators' control).
 The frequency of backups should be defined in the system for both
production and development, and documented in the relevant policy.

 Digital Lenders shall develop a policy governing the mobile App's
business objectives, standards, compliance, guidelines, controls,
responsibilities and liabilities.
 The policy shall be revisited at least annually and/or when a
significant change is made to the environment.
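The logging item above requires that log files cannot be modified, not even by a system administrator. One way to make that verifiable rather than merely asserted is a keyed hash chain: every record carries an HMAC over its own content and the previous record's MAC, so editing, reordering or deleting a record breaks the chain at that point. The following is an added example, not from the checklist or any lender's system; the log lines and the key are constructed, and the key is assumed to be held by the log collector or SIEM, outside the application administrators' reach (an administrator who holds the key can simply re-sign a forged chain).

```python
# Added example (not from the checklist): a keyed hash chain that makes an
# application log tamper-evident. Log lines and the key are constructed.
import copy
import hashlib
import hmac
import json
from typing import Dict, List

GENESIS = "0" * 64   # "previous MAC" value for the first record


def _canonical(record: Dict) -> bytes:
    # Deterministic serialisation so writer and verifier MAC identical bytes.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def append_entry(chain: List[Dict], entry: str, key: bytes) -> Dict:
    """Append one log line, binding it to its predecessor's MAC."""
    prev = chain[-1]["mac"] if chain else GENESIS
    record = {"seq": len(chain), "prev": prev, "entry": entry}
    record["mac"] = hmac.new(key, _canonical(record), hashlib.sha256).hexdigest()
    chain.append(record)
    return record


def verify_chain(chain: List[Dict], key: bytes) -> int:
    """Return the index of the first record that fails verification, or -1."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        if rec.get("seq") != i or rec.get("prev") != prev:
            return i                       # reordered, inserted or deleted record
        body = {k: v for k, v in rec.items() if k != "mac"}
        expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, str(rec.get("mac", ""))):
            return i                       # content or MAC altered
        prev = rec["mac"]
    return -1


def verify_with_anchor(chain: List[Dict], key: bytes, anchored_last_mac: str) -> bool:
    """Full check: chain intact AND its head equals a MAC copied to a separate system.

    Cutting records off the tail leaves a valid shorter chain, so the writer
    must periodically export the latest MAC (the anchor) to a store the
    administrators cannot change; this is the only way truncation is caught.
    """
    if not chain or verify_chain(chain, key) != -1:
        return False
    return hmac.compare_digest(chain[-1]["mac"], anchored_last_mac)


def build_sample_chain(key: bytes) -> List[Dict]:
    # Constructed audit events for a lending app; not real data.
    lines = [
        "2024-03-01T09:00:01Z user=ops1 action=login result=success",
        "2024-03-01T09:05:12Z user=ops1 action=approve_loan ref=LN-1001",
        "2024-03-01T09:07:44Z user=admin action=grant_role target=ops1 role=approver",
    ]
    chain: List[Dict] = []
    for line in lines:
        append_entry(chain, line, key)
    return chain


def demo() -> Dict[str, object]:
    key = b"example-hmac-key-held-by-the-log-collector"   # hypothetical key
    intact = build_sample_chain(key)
    anchor = intact[-1]["mac"]                           # copied off-box by the writer

    edited = copy.deepcopy(intact)
    edited[1]["entry"] = edited[1]["entry"].replace("LN-1001", "LN-1002")

    deleted = copy.deepcopy(intact)
    del deleted[1]

    return {
        "intact": verify_chain(intact, key),
        "edited": verify_chain(edited, key),
        "deleted": verify_chain(deleted, key),
        "truncated": verify_chain(intact[:-1], key),     # -1: not detectable alone
        "intact_with_anchor": verify_with_anchor(intact, key, anchor),
        "truncated_with_anchor": verify_with_anchor(intact[:-1], key, anchor),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

For an audit, the evidence to ask for is not only that the chain verifies but where the key and the anchor live: if both sit on the same host as the log, the "even the administrator cannot modify it" claim does not hold.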
To manage mobile App development projects, Digital Lenders shall:
 Put in place the necessary App documentation, including manuals on
development, testing, training, production and operational
administration, user guides and Service Level Agreements (SLAs).
 Carry out vulnerability assessment, penetration testing and
performance assessment of mobile Apps to ensure effective and
smooth operation.
 Carry out system and User Acceptance Testing (UAT) in an
environment separate from the production environment
 Put in place an escrow arrangement in cases where third party
vendors develop mobile Apps but the source codes are not released
to the Digital Lender.
 Data shall not be stored on any cloud infrastructure outside the
jurisdiction of Pakistan.
 Digital Lenders shall ensure compliance with the requirements
relating to the mobile App.
Annexure-C to this Circular:
 The Digital Lender shall, from the date of whitelisting of the App,
submit the following reports to the Commission within one month:
(a) self-assessment on a semi-annual basis in the format
specified by the Commission;
(b) third-party vulnerability assessment, penetration testing
and performance assessment of the mobile App on an annual
basis from the date of whitelisting.
 Digital Lenders shall arrange, at least once every three years from
the date of whitelisting, IT audits of their IT infrastructure
including the App by an independent audit service provider having a
qualified CISA / Certified ISO 27001:2013 Lead Auditor certification
to check compliance with regulatory requirements, and shall submit the
report to the Commission within three months.
 The Digital Lender shall ensure compliance of all applicable laws in
force in Pakistan related to cyber security, personal data
protection, cloud usage and data privacy.
 The Digital Lender shall solely be responsible for any digital fraud
as a result of security lapse, operational issues, architecture of the
App or any other malfunction of the App.
