Thank you Victor. If Raul can share the English version, I'd be happy to try to generate a Wiki Page that covers the content that you've shared. I think the presentation content would provide a good starting point for developing a "best practices guide", but with lots of caveats... as you said, the Institution's CISO is ultimately responsible.
On Wed, Oct 20, 2021 at 2:31 PM VICTOR MANUEL ROMERO RODRIGUEZ <[email protected]> wrote:

> Hello James,
>
> For Mifos/Fineract, in practice we use the Risk Assessment Control as part of the Risk Management.
>
> There are different layers in Risk and also the level of impacts.
>
> Most of them are related to identifying:
> The Risks
> The Controls
>
> This is work that is done with the CISO (Chief Information Security Officer), which at least in Mexico is a position required in the Financial Institution by the regulators.
>
> We create another matrix for setting the:
>
> Risk Category, Risk, Control, Action Plan (Project or Process)
>
> A quick example is visible here (Spanish version)
>
> https://docs.google.com/presentation/d/1R7GyEo-vReT0dTwBXi_lQVWYEoku9gmITzHb-uaE54M/edit?usp=sharing
>
> I am ccing Raul, who will help us to share this checklist (English version).
>
> It is important to mention that we used automated tools for gathering information (statically and dynamically); also the Financial Institutions can request external parties to do these audits.
>
> Regards
>
> On Wed, 6 Oct 2021 at 14:02, James Dailey (<[email protected]>) wrote:
>
>> Devs -
>>
>> You can find our current security page at
>> https://cwiki.apache.org/confluence/display/FINERACT/Fineract+Project+Security+Report
>>
>> CONTEXT
>>
>> 1. The Apache Fineract project welcomes reports by security experts to identify issues - and applies a risk framework for reported issues.
>> 2. Apache Fineract follows the framework for vulnerabilities called "DREAD" and works with the Apache security team for assignment of severity of vulnerability.
>> 3. DREAD scores five categories, which are summed together and divided by five; the result is a score from 0-10 where 0 indicates no impact and 10 is the worst possible outcome: Risk = (DAMAGE + REPRODUCIBILITY + EXPLOITABILITY + AFFECTED USERS + DISCOVERABILITY) / 5
>> 4. As Fineract is used in banking and financial services, where confidence in account transactions and validity of account information is a requirement, the potential for Damage is always high.
>> 5. System integrators and deployment users should be aware that they should apply their own security practices on top of Fineract.
>> 6. The Fineract Code Review guide <https://cwiki.apache.org/confluence/display/FINERACT/Code+Review+Guide> already includes two security related questions: Is the code free of code injection vulnerabilities? and Does the code adequately protect sensitive data such as passwords, user names, and financial information? and, to this we would add: Is the feature at least as secure as it was before this code change?
>>
>> ASKING FOR YOUR HELP
>>
>> 1. To assist with real world implementation, the Fineract Security Tip Sheet (wiki page) is a proposed set of "best practices" and we invite people with experience in these deployments to provide further information. To illustrate trivially, *https* with signed certificates should be used for all servers in production.
>> 2. I now invite you to share your experiences and results of security practices. Have you used Fineract in production and created a secure environment? Passed a security audit? Do you have a checklist?
>> 3. If you wish to report a security vulnerability or to share privately your security approach, the email is [email protected] (monitored by a few Committers in the project).
>>
>> Thank you for your contributions to the project.
>>
>> - James
>>
