Ryan,

Good points which should form part of all MFIs' security policies.
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Ryan Whitney
> Sent: Monday, 15 September 2008 00:41
>
> Hello all,
>
> Discussion item numero #2 :)
>
> Looking to collect a general list of recommendations we can
> make to MFIs when deploying Mifos.
>
> Some ideas I have already
>
> * No sharing of accounts - For obvious tracking and
> anti-fraud issues, nobody should EVER share their account.

Absolutely. Another related problem to be addressed is escalation of privileges:

- Alice goes on leave and delegates her authority to Bob.
- Bob MUST NOT be given Alice's password under any circumstances.
- Bob is granted Alice's authority level _temporarily_.
- Alice returns, but there is no process in place to return Bob's privileges to the previous level.
- Temporarily? We don't understand...
- Before long, all employees have full privileges.

> * Passwords
> * MFIs should require their employees to create
> strong passwords

Yes, and this can be enforced by Mifos. I believe that standard routines are available to check password strength and history.

password01 has expired; let's choose password02. No!

True story: I was part of a small team (of 2!) writing a security policy to ISO 17799 for an organisation that handled millions of dollars on behalf of other people. The deputy general manager couldn't understand all this security nonsense. His password was the letter "x".

True story part B: The stairs in their building were unsecured 0730 - 1800 and open to the public on the ground floor. Access to the men's toilet in the stairwell was via a door in the office that could not be seen from the reception desk. The general manager saw that this was a security risk and had the door fitted with an electronic combination lock. The same deputy general manager as above didn't like having to enter a combination every time he returned from the toilet. When the GM was away he had a latch fitted to the door so it was held open all day. He couldn't understand why women working alone in the office felt nervous - or that any of the organisation's assets or information might be at risk.

> * Nobody should be writing passwords down
> anywhere (like on a piece of paper next to the computer ;))

Awww... No yellow stickies? :-(

See: http://www.schneier.com/blog/archives/2005/06/write_down_your.html

> * Require employees to choose a new password
> every 3, 6, or 12 months

Again, can be enforced by Mifos, best through a configurable option.

> * Set policies on whether employees can access Mifos from
> home or not

Hmmm... How do we enforce this? IP addresses are useless, as they change for dial-up or most ADSL links. Check the MAC address of the PC? Tokens? Enforce connection through a VPN and make all traffic pass through the VPN while the user is connected?

> * Immediately turning off accounts when employees are terminated

This should be in the MFI's HR policies and procedures.

> Obviously, some of these can be resolved technically
> (infrastructure setup, feature requests to mifos, possibly
> reports - ie, one reporting the last time people logged in),
> but it's still good to have these written down.

I believe that an MFI should have a good security policy and signing it should be a condition of employment. Where controls can be implemented by the software, this should be done.

All logon attempts - failed and successful - should be logged. See auth.log on a Linux system or the Security log on a Windows system. Timestamps should be accurate to the second (or better) in case they need to be correlated with other events. Which implies that system clocks in the network should all be synchronised with a suitable time standard. Simple to implement, but often overlooked...

Another one I think should be addressed is segregation of duties. A person entering a request for a loan or payment should not be allowed to approve or disburse it. An entirely separate person must make the approval or payment.
This means that, unless passwords have been shared in violation of policy or privilege escalation has occurred, the most basic form of fraud requires two people acting together.

Sorry if this was a bit long, but there is a lot of ground to cover here.

Regards

Graeme

_______________________________________________
Mifos-functional mailing list
https://lists.sourceforge.net/lists/listinfo/mifos-functional
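The password points in the thread (strength, history, and the "password01 has expired, choose password02" failure mode) as an added worked example. This is not Mifos code and not from the message; the thresholds (12 characters, 3 of 4 character classes, 12-entry history, 90-day rotation, edit distance of 2) and the tiny blocklist are assumptions chosen for illustration. History is kept as salted PBKDF2 hashes only, so similarity can be checked only against the current password, which the user supplies when changing it; exact reuse is checked against the hashed history.

```python
"""Password-policy checks of the kind the message says Mifos could enforce.

Added example, not Mifos code.  All thresholds and the blocklist below are
assumptions for illustration.
"""
import hashlib
import hmac
import os
import re
from datetime import date, timedelta
from typing import List, Optional, Tuple

MIN_LENGTH = 12            # assumed
MIN_CLASSES = 3            # of lower / upper / digit / other, assumed
HISTORY_DEPTH = 12         # assumed
MAX_AGE_DAYS = 90          # the "3, 6 or 12 months" knob, assumed 3 months
MAX_EDIT_DISTANCE = 2      # assumed
PBKDF2_ROUNDS = 100_000    # assumed

# Constructed blocklist; a real deployment would load a breached-password list.
BLOCKLIST = {"password", "password1", "letmein", "welcome", "mifos"}

HashEntry = Tuple[bytes, bytes]   # (salt, digest)


def hash_password(password: str, salt: Optional[bytes] = None) -> HashEntry:
    """Salted PBKDF2-HMAC-SHA256; history stores only these, never plaintext."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def matches(password: str, entry: HashEntry) -> bool:
    """Constant-time comparison of a candidate against a stored hash."""
    salt, digest = entry
    cand = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(cand, digest)


def character_classes(password: str) -> int:
    """How many of the four character classes the password uses."""
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    return sum(bool(re.search(p, password)) for p in classes)


def normalise(password: str) -> str:
    """Fold case and drop a trailing digit run, so password01, Password02 and
    password03 all collapse to 'password'."""
    return re.sub(r"\d+$", "", password).lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; password01 -> password02 is 1 edit."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_new_password(new: str, current: str, history: List[HashEntry]) -> List[str]:
    """Return every policy violation for `new`; an empty list means accept.

    `current` is the plaintext the user just authenticated with, so it can be
    compared for similarity; `history` holds hashes of earlier passwords, so
    only exact reuse can be detected there."""
    problems = []
    if len(new) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if character_classes(new) < MIN_CLASSES:
        problems.append(f"uses fewer than {MIN_CLASSES} character classes")
    if new.lower() in BLOCKLIST or normalise(new) in BLOCKLIST:
        problems.append("is a blocklisted password or a digit-suffixed variant of one")
    if (normalise(new) == normalise(current)
            or edit_distance(new.lower(), current.lower()) <= MAX_EDIT_DISTANCE):
        problems.append("too similar to the current password")
    if any(matches(new, entry) for entry in history[-HISTORY_DEPTH:]):
        problems.append(f"reuses one of the last {HISTORY_DEPTH} passwords")
    return problems


def password_expired(last_changed: date, today: date) -> bool:
    """Rotation check for the configurable-interval requirement."""
    return today - last_changed > timedelta(days=MAX_AGE_DAYS)


if __name__ == "__main__":
    # The thread's own bad example: password01 has expired, user tries password02.
    print(check_new_password("password02", "password01", []))
    print(check_new_password("Correct-Horse-Battery-9!", "Something-Else-42#", []))
```

Running the block prints the violations for the `password02` attempt (too short, too few classes, blocklisted root, too similar) and an empty list for a genuinely new password. The similarity test deliberately runs only against the current password: once a password is hashed you cannot measure how close a new one is to it, so this is the one moment the check is possible.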
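Two of the controls Graeme describes, the Alice/Bob delegation that should lapse by itself and segregation of duties on a loan, as one added example. This is not Mifos code; the role names, the ordering of privilege levels, the grant structure and the sample users are assumptions made for illustration. The delegation carries an expiry, so Bob's elevated level disappears when Alice is due back without anyone having to remember to revoke it, and Bob never receives Alice's password. The loan workflow refuses to let the account that requested a loan approve it, or either of those accounts disburse it, so the basic fraud needs two people acting together.

```python
"""Time-boxed delegation of authority and a two-person rule on loans.

Added example, not Mifos code.  Role names, level ordering and sample users
are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Ordered privilege levels; a higher index is more authority (assumed).
LEVELS = ["clerk", "loan_officer", "branch_manager"]


class AuthorityError(PermissionError):
    pass


@dataclass(frozen=True)
class Delegation:
    grantor: str
    grantee: str
    level: str
    expires: datetime


class Authz:
    def __init__(self, base_levels: Dict[str, str]):
        self.base = dict(base_levels)
        self.delegations: List[Delegation] = []

    def delegate(self, grantor: str, grantee: str, until: datetime, now: datetime) -> None:
        """Lend the grantor's level to the grantee until `until`.  Nothing about
        the grantor's credentials is shared; only an expiring grant is recorded."""
        if until <= now:
            raise ValueError("delegation must expire in the future")
        self.delegations.append(Delegation(grantor, grantee, self.base[grantor], until))

    def effective_level(self, user: str, now: datetime) -> str:
        """Base level plus any delegation that has not yet expired."""
        levels = [self.base[user]]
        levels += [d.level for d in self.delegations
                   if d.grantee == user and now < d.expires]
        return max(levels, key=LEVELS.index)

    def has_level(self, user: str, required: str, now: datetime) -> bool:
        return LEVELS.index(self.effective_level(user, now)) >= LEVELS.index(required)


@dataclass
class Loan:
    requested_by: str
    approved_by: Optional[str] = None
    disbursed_by: Optional[str] = None


def approve(loan: Loan, user: str, authz: Authz, now: datetime) -> None:
    if not authz.has_level(user, "loan_officer", now):
        raise AuthorityError(f"{user} lacks approval authority")
    if user == loan.requested_by:
        raise AuthorityError(f"{user} may not approve a loan they requested")
    loan.approved_by = user


def disburse(loan: Loan, user: str, authz: Authz, now: datetime) -> None:
    if loan.approved_by is None:
        raise AuthorityError("loan has not been approved")
    if not authz.has_level(user, "branch_manager", now):
        raise AuthorityError(f"{user} lacks disbursement authority")
    if user in (loan.requested_by, loan.approved_by):
        raise AuthorityError(f"{user} already acted on this loan")
    loan.disbursed_by = user


def attempt(action, *args) -> str:
    """Run an action and report 'ok' or the reason it was denied."""
    try:
        action(*args)
        return "ok"
    except AuthorityError as exc:
        return f"denied: {exc}"


if __name__ == "__main__":
    now = datetime(2008, 9, 15, 9, 0)
    az = Authz({"alice": "branch_manager", "bob": "loan_officer", "carol": "clerk"})
    az.delegate("alice", "bob", until=now + timedelta(days=14), now=now)
    loan = Loan(requested_by="carol")
    print(attempt(approve, loan, "carol", az, now))     # clerk, and own request
    print(attempt(approve, loan, "bob", az, now))       # ok
    print(attempt(disburse, loan, "bob", az, now))      # denied: bob approved it
    print(attempt(disburse, loan, "alice", az, now + timedelta(days=15)))  # ok
    print(az.effective_level("bob", now + timedelta(days=15)))  # back to loan_officer
```

The expiry is checked on every use rather than cleaned up by a separate job, which is what makes the "Alice returns but nobody revokes Bob" failure impossible here: the grant simply stops counting.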
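The logging point in the message, every logon attempt recorded with a timestamp fit for correlation, as an added example with detection logic run over constructed sample lines. This is not Mifos code and the message does not prescribe a format; the JSON-lines record, the sample events and the "five failures in ten minutes, then a success" rule are assumptions. Timestamps are written in UTC with an explicit zone at second precision, which is what lets records from different hosts be ordered against each other, provided those hosts' clocks are synchronised (NTP) as the message says; a naive local-time stamp is rejected outright.

```python
"""Logon audit records and a detector for failure bursts ending in success.

Added example, not Mifos code.  Record format, sample lines and the
threshold are assumptions.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"   # UTC, second precision (assumed format)


def logon_record(user: str, outcome: str, source: str,
                 when: Optional[datetime] = None) -> str:
    """One JSON line per attempt, successful or failed.

    The timestamp must carry a zone; a naive local time cannot be correlated
    with another system's log, so it is refused rather than guessed at."""
    when = when or datetime.now(timezone.utc)
    if when.tzinfo is None:
        raise ValueError("naive timestamp; supply a zone-aware UTC datetime")
    record = {"ts": when.astimezone(timezone.utc).strftime(TS_FORMAT),
              "user": user, "outcome": outcome, "src": source}
    return json.dumps(record, sort_keys=True)


def parse(line: str) -> Dict:
    rec = json.loads(line)
    rec["ts"] = datetime.strptime(rec["ts"], TS_FORMAT).replace(tzinfo=timezone.utc)
    return rec


def find_suspicious(lines: List[str], threshold: int = 5,
                    window: timedelta = timedelta(minutes=10)) -> List[Tuple[str, datetime, int]]:
    """Return (user, time_of_success, failure_count) wherever a user logs in
    successfully after at least `threshold` failures inside `window`.  That
    is the pattern a guessed password leaves behind; pure failures are noise
    until something succeeds."""
    recent_failures: Dict[str, deque] = defaultdict(deque)
    alerts = []
    for rec in sorted(map(parse, lines), key=lambda r: r["ts"]):
        q = recent_failures[rec["user"]]
        while q and rec["ts"] - q[0] > window:   # drop failures outside the window
            q.popleft()
        if rec["outcome"] == "failure":
            q.append(rec["ts"])
        elif rec["outcome"] == "success":
            if len(q) >= threshold:
                alerts.append((rec["user"], rec["ts"], len(q)))
            q.clear()
    return alerts


# Constructed sample log: alice mistypes once; bob fails five times in 40 s and
# then gets in; carol's single failure is an hour old when she succeeds.
_T0 = datetime(2008, 9, 15, 9, 0, 0, tzinfo=timezone.utc)
SAMPLE_LOG = (
    [logon_record("alice", "failure", "10.0.0.5", _T0),
     logon_record("alice", "success", "10.0.0.5", _T0 + timedelta(seconds=20))]
    + [logon_record("bob", "failure", "203.0.113.9", _T0 + timedelta(seconds=5 + 10 * i))
       for i in range(5)]
    + [logon_record("bob", "success", "203.0.113.9", _T0 + timedelta(seconds=70)),
       logon_record("carol", "failure", "10.0.0.7", _T0 - timedelta(hours=1)),
       logon_record("carol", "success", "10.0.0.7", _T0)]
)


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(line)
    print(find_suspicious(SAMPLE_LOG))
```

The detector sorts by timestamp before sliding its window, which is only meaningful because every record is in one zone at one precision; with unsynchronised clocks the same events from two hosts could be ordered wrongly and bob's burst might not line up with his success.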
