As part of the initial research thrusts of CyLab-Africa’s focus on improving financial inclusion, free surveys and vulnerability assessments are being conducted for partner institutions. 

To learn more about enrolling your organization in this free assessment, please reach out to CyLab-Africa@cmu.edu. 

The outcome of your organization's assessment will be completely confidential, and will not be published, shared with any third parties, or otherwise disseminated. 

Partaking in this would entail a survey, a vulnerability assessment, and continuous monitoring, as described below.

Survey

CyLab-Africa is conducting an assessment of existing cybersecurity programs at participating small- to medium-sized financial institutions and fintech enterprises. The assessment is a standardized, open-source survey for evaluating the state of your organization’s cyber-readiness. The assessment is presented as an online questionnaire, and will assess the respondent’s existing investments and capabilities in the following cybersecurity areas: 

  1. Security Governance — Evaluate the alignment of the organization’s current information security program with business objectives. Sections covered include: 
    • Strategic planning 
    • Security policy framework 
    • Organizational structure 
    • Performance metrics 
    • Workforce management 
  2. Security Risk Management — Evaluates the organization’s risk management framework and processes. Sections covered include: 
    • Risk management framework 
    • Threat management 
    • Security awareness 
  3. Data Protection — Evaluates the organizations data protection framework and underlying data protection capabilities. Sections covered include: 
    • Data protection framework 
    • Data classification 
    • Data protection policies 
    • Data retention 
    • Data loss 
    • Data recovery 
  4. Access Management — Evaluates the organization’s access management policies and procedures to determine if they reduce the risk of inappropriate access to sensitive data. Sections covered include: 
    • Identity management 
    • Access controls 
    • Separation of duties 
    • Privileged access management 
    • Remote access 
    • Third-party access 
  5. Security Architecture — Evaluates the organization’s use of various tools/technologies to determine their effectiveness in providing visibility into network, host and application-based activities. Sections covered include: 
    • Network protection 
    • Endpoint protection 
    • Application protection 
  6. Incident Response — Evaluates the organization’s existing processes and technologies that are deployed to detect, analyze and contain cyber attacks. Sections covered include: 
    • Incident readiness 
    • Incident detection 
    • Incident remediation 

The assessment areas are aligned with existing cybersecurity industry frameworks such as NIST 800-53 and ISO/IEC 27001. Each assessment area is scored on a linear scale based on the organization’s responses and the assessor’s industry experience in conducting similar objective reviews. We will also collect information regarding demographics (e.g., gender), both of enterprise employees at large, and of cybersecurity professionals. 

Vulnerability assessment

The CyLab-Africa team will conduct controlled testing of the organization's computing infrastructure. Testing simulates the tools and techniques that an attacker would use to gather unauthorized knowledge of organization's network, systems and applications to identify security weaknesses they can exploit. Working with the organization's designated liaison, the CyLab-Africa team will identify the most appropriate systems to include in the assessment, while also minimizing impact on business operations. The selected networks and systems should constitute a representative sample of the key components of your computing infrastructure.

Key phases of the vulnerability assessment exercise include:

  1. Pre-engagement – meet with the organization to define the project scope and rules of engagement
  2. Reconnaissance – gather information about the organization's computing infrastructure using passive and active techniques to map network boundaries and identify active systems
  3. Vulnerability Identification – use port scanning software to identify open ports or services on active systems, and test for critical software vulnerabilities
  4. Vulnerability Validation – manually confirm the existence, probability of exploitation and potential impact of identified vulnerabilities
  5. Reporting – prepare detailed documentation of identified vulnerabilities and recommendations to remediate them.

Continuous monitoring

The CyLab-Africa team will collect and analyze various network telemetry and system logs for indicators of compromise of the organization's computing infrastructure. Working with the organization's designated liaison, the CyLab-Africa team will identify the appropriate scope and duration of the monitoring.

Key phases of the continuous monitoring exercise include:

  1. Sensor Deployment — deploy physical or virtual sensors at critical network points to monitor internal and external traffic for suspicious activity
  2. Agent Deployment — deploy software agents on the organization's servers and workstations to collect and analyze system logs for suspicious activity
  3. Reporting – prepare detailed documentation of identified intrusions and recommendations to contain them

The benefits to organizations participating in these activities, is to gain a better understanding of their current cybersecurity gaps, while receiving expert guidance on how to improve their overall cybersecurity maturity.