
Draft Report of Cybersecurity Audit-InfoSec-1

The document outlines various cybersecurity audit findings, highlighting risks such as lack of specific training, unsupported devices, and inadequate monitoring of customer data. Recommendations include implementing tailored training programs, upgrading outdated systems, and establishing proper data confidentiality measures. The audit emphasizes the need for improved interdepartmental communication and comprehensive risk management strategies to mitigate cybersecurity threats.


Area/Unit/Process: Cybersecurity Audit

Each issue below is recorded under the fields: Issue No; Findings / Observations; Risk & Implications; Risk Rating; Recommendation; Auditee's Response; Responsible Officer / Due Date; Status.

Issue No: 6
Findings / Observations: Cybersecurity Awareness in the Bank was not Job Specific but Generic. The bank's cybersecurity awareness program was generic. Therefore, the bank was unable to demonstrate that employees with privileged access/permissions, such as database administrators, software developers, tellers, treasury operations staff, etc., received additional cybersecurity awareness training commensurate with their levels of responsibility and their particular business risks.
Risk & Implications: Lack of specific cybersecurity awareness training for employees with privileged access/permissions can lead to increased cyber risks and potential negative consequences, including cyber-attacks, insider threats, regulatory non-compliance, and loss of customer trust.
Risk Rating: Medium
Recommendation: The InfoSec team should provide customized, job-specific cybersecurity awareness training for employees based on their specific roles and responsibilities.
Auditee's Response: The bank's Cybersecurity was not generic as claimed by Audit. We have different levels of training for different levels of staff. The evidence was shared with the Audit team.
Responsible Officer / Due Date: Zachariah Akinpelu
Status: Closed

Issue No: 8
Findings / Observations: Lack of intercommunication between critical departments handling cybersecurity issues. Information sharing between strategic business units (SBUs) and the Information Security Team should be harnessed for improved security. For instance, the SBU in charge of the bank's Fraud & Forgery and Suspicious Transaction Reporting should collaborate with the Information Security team to address the root cause of all fraud and cybersecurity-related cases.
Risk & Implications: Without prompt collaboration, trends of cybersecurity-related fraud and exploitation could not be easily identified and investigated. Forensic audit could also be difficult.
Risk Rating: Medium
Recommendation: There should be provision for intercommunication between the Information Security team and other critical units handling cybersecurity fraud and investigation.
Auditee's Response: There is intercommunication between the Information Security team and other Critical Units, including IS Control that manages the Fraud Desk. The constitution of the ICSS Steering Committee comprises all the stakeholders.
Responsible Officer / Due Date: Zachariah Akinpelu
Status: (none recorded)

Issue No: 9
Findings / Observations: Unsupported Network Devices and ATM Operating System. Most of the bank's network devices (routers and switches) and ATM operating systems (Win 7) had reached End of Life (EOL); hence, their manufacturers no longer supported them. The lack of security fixes or critical bug resolution for these devices made the bank's systems vulnerable to cyber-attack.
Risk & Implications: Older devices and operating systems are more vulnerable to exploitation and cyber-attack since they no longer receive critical patches, and in turn may become a magnet for cyberattacks.
Risk Rating: High
Recommendation: All the devices that have reached end of life should be discarded for an upgrade, while the ATM operating system should be upgraded to the current or supported premium version.
Auditee's Response: This is a CIO function.
Responsible Officer / Due Date: CIO
Status: (none recorded)

Issue No: 10
Findings / Observations: No Tool/Solution for Monitoring Confidentiality of Customer's Data. There was no technology solution to ensure the confidentiality of customers' data in the bank. For instance, the continuous use of production data in non-production environments (test and development servers) exposes customers' personal and financial information to unintended users, privilege abuse and fraud. The risks associated with not having a tool or solution for monitoring the confidentiality of customer data can be severe.
Risk & Implications: Without monitoring, it becomes challenging to detect data breaches, and attackers may exploit security loopholes to access confidential customer data. This puts customers' information at risk of theft or unauthorized access, leading to potential financial losses or reputational damage for the organization.
Risk Rating: Medium
Recommendation: The Bank should implement appropriate measures and solutions to protect customers' data and comply with regulatory requirements where necessary.
Auditee's Response: We need more clarification on this as this is ambiguous.
Responsible Officer / Due Date: Zachariah Akinpelu
Status: (none recorded)

Issue No: 11
Findings / Observations: BYOD: Process and Procedure for Installing and Deleting Data not in Place. Audit observed that the bank did not have a process and procedure in place to install and delete data on mobile devices remotely in the event of theft or misplacement. Also, mobile devices were not encrypted when used to store confidential data.
Risk & Implications: There could be exposure to data leakage, malware infections, non-compliance and loss of control, leading to dissatisfaction and reduced productivity.
Risk Rating: Medium
Recommendation: The Bank should have a documented process and procedure in place to install and delete data on mobile devices. The encryption model to be used for encrypting confidential data installed on mobile devices should be established.
Auditee's Response: (none recorded)
Responsible Officer / Due Date: Zachariah Akinpelu
Status: (none recorded)

Issue No: 12
Findings / Observations: Data Flow Diagram Showing Information Flow to Third Party not Evidenced: The bank did not conduct threat modeling for its digital products and services. Consequently, there were no documented data flow diagrams showing information flow to external parties for proper cyber risk management.
Risk & Implications: There is a risk that sensitive information could be exposed or misused. It could also result in a violation of privacy regulations or contractual agreements.
Risk Rating: Medium
Recommendation: Threat modelling for the bank's digital products and services should be conducted, with evidence showing data flow diagrams to the external parties involved.
Auditee's Response: (none recorded)
Responsible Officer / Due Date: CRO
Status: (none recorded)

Issue No: 13
Findings / Observations: The Critical Business Processes that are Dependent on External Connectivity are not Identified. Critical business processes were not mapped to supporting external connections for efficient allocation of cybersecurity resources geared toward mitigating risks associated with third-party connections.
Risk & Implications: This could increase the likelihood of a cybersecurity incident or breach. Third-party connections can create vulnerabilities in a company's network, and without proper mapping and allocation of resources, these vulnerabilities may go unnoticed or unaddressed.
Risk Rating: Medium
Recommendation: It is essential for the Bank to map its critical processes to third-party connections and allocate appropriate cybersecurity resources to mitigate the associated risks.
Auditee's Response: We need more clarification on this as this is ambiguous.
Responsible Officer / Due Date: Zachariah Akinpelu
Status: (none recorded)

Issue No: 14
Findings / Observations: Risk Profile of Third-Party Vendors not Maintained and Measured. The bank did not maintain a risk profile of its vendors in accordance with the criticality and sensitivity of the services offered, or of the information that the vendors have access to. Thus, periodic on-site assessments of high-risk vendors were not conducted to ensure appropriate security controls were in place to mitigate their inherent risks.
Risk & Implications: Failing to maintain and measure the risk profile of third-party vendors can result in several risks for the Bank, including but not limited to cybersecurity risk, compliance risk, reputation risk, operational risk, and supply chain risk.
Risk Rating: High
Recommendation: It is crucial for the Bank to have a comprehensive third-party risk management program in place that includes regular assessments and monitoring of vendors' risk profiles.
Auditee's Response: Risk Management is taken care of by the Enterprise Risk Management team.
Responsible Officer / Due Date: Chris Nwambu
Status: (none recorded)

Issue No: 15
Findings / Observations: Generic Cyber-Incident Response Plan: The cyber-incident response plan was generic and had no well-defined roles and responsibilities for members of the incident response team, for coordinated and prompt incident response.
Risk & Implications: A generic plan may not cover all potential cyber incidents or may not be updated to reflect the latest threats, leaving the bank vulnerable to attacks. Also, a responsible member might not be aware of his/her immediate response to an incident.
Risk Rating: Medium
Recommendation: The cyber-incident response plan should have roles defined and be well coordinated among responsible members.
Auditee's Response: (none recorded)
Responsible Officer / Due Date: CRO
Status: (none recorded)

Issue No: 16
Findings / Observations: Cybersecurity Incident Response Qualitative and Quantitative Metrics not Defined: Qualitative and quantitative metrics, which are used to ascertain the effectiveness of the cybersecurity incident response process and guide the bank in identifying areas for continuous improvement, were not implemented.
Risk & Implications: Not defining qualitative and quantitative metrics for cybersecurity incident response can result in a lack of effectiveness, inefficient resource allocation, lack of accountability, and an inability to learn from past incidents.
Risk Rating: Medium
Recommendation: It is important for the bank to define and track relevant metrics to improve its incident response capabilities and reduce the impact of cyber incidents.
Auditee's Response: (none recorded)
Responsible Officer / Due Date: CRO
Status: (none recorded)

Issue No: 18
Findings / Observations: Inventory of Service Accounts in the Bank not Evidenced. Overall, monitoring service accounts is an important part of maintaining a secure and compliant IT environment. At the time of the audit, the inventory of service accounts created on the bank's infrastructure for authentication was requested; however, it was not availed for review, which indicates that the Bank could not keep track of the inventory for possible dualisation and custodianship.
Risk & Implications: Without proper tracking, it becomes easier for unauthorized users to gain access to sensitive information, which can lead to data breaches and other security incidents. Also, it becomes difficult to hold individuals accountable for their actions, which can lead to a lack of transparency and trust within the organization.
Risk Rating: High
Recommendation: An inventory of all service accounts should be tracked and documented. It should be dualised between Internal Control and the service owner.
Auditee's Response: Identity Management is taken care of by Internal Control.
Responsible Officer / Due Date: DH, Internal Control
Status: (none recorded)

Issue No: 19
Findings / Observations: Privilege Access Management Solution/Tools (PAM) not Capturing or Monitoring Service Accounts. Audit observed that the Privilege Access Management tool/solution (ARCON) deployed in the Bank for identity and security management does not capture or monitor privileged service accounts in the bank. Service accounts often have elevated privileges that allow them to perform specific tasks or access certain resources; if these privileges are misused or abused, it can lead to data loss or other security incidents. This is contrary to what was in the BRD and discussed at POC level.
Risk & Implications: There could be risk of unauthorized access, misuse of privileges, compliance violations, data breaches and lack of accountability. Without proper monitoring, it can be difficult to track and audit the activities of service accounts. This can make it difficult to identify the source of security incidents or to hold individuals accountable for their actions.
Risk Rating: Medium
Recommendation: Organizations should establish policies and procedures for managing and monitoring service accounts to minimize the risk of security incidents and compliance violations.
Auditee's Response: POV has started for other PAM tools.
Responsible Officer / Due Date: Zachariah Akinpelu
Status: (none recorded)

Issue No: 21
Findings / Observations: Use of Unlicensed Microsoft Operating System and Office Suite. Audit, through our various engagements and reviews, observed that there is an influx of unlicensed Microsoft operating systems and Office suites installed on servers, desktop/laptop consoles and all endpoints.
Risk & Implications: Legal consequences: using unlicensed software can result in legal action from software vendors, which may lead to fines or even criminal charges. Other risks could be security vulnerabilities, reduced functionality, compatibility issues and lack of support.
Risk Rating: High
Recommendation: It is important to use licensed software to avoid these risks and ensure the optimal performance and security of the Bank's systems/endpoints. All inactivated Windows operating systems within the system need to be activated.
Auditee's Response: (none recorded)
Responsible Officer / Due Date: CIO
Status: (none recorded)

Issue No: 22
Findings / Observations: Customers' PAN Exposure to the Public Domain (Data Masking) - Insider Risks: The exposure of customers' PAN (Primary Account Number) to the public domain can pose a significant risk to the security and privacy of their financial information. PANs are unique identifiers associated with credit and debit cards, and if exposed, can be used for fraudulent transactions or identity theft. The restriction on passing un-masked PAN over email using Exchange was not implemented for outgoing email and emails within the Bank. However, we observed through review that full card PAN can still be stored on systems and sent without masking via email and instant messaging. This meant that the restriction imposed on the forwarding of un-masked PAN outside the bank is not in force.
Risk & Implications: The exposure of customers' PANs to the public domain can have severe consequences for both the customers and the organizations that hold their data, including financial loss, reputation damage, and legal and regulatory consequences.
Risk Rating: Medium
Recommendation: The Bank should ensure customers' PANs are masked or encrypted where necessary. If there are challenges with the restriction imposed on un-masked PAN internally, as other emails with non-PAN numbers were being blocked on Exchange, we recommend that the Bank should explore other ways by which this can be achieved.
Auditee's Response: POV on DLP solution is ongoing.
Responsible Officer / Due Date: Zachariah Akinpelu
Status: Open

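As an added illustration of the masking control recommended for this issue (example code, not the audit's or the bank's DLP tooling): a Luhn-validated PAN detector and masker run over constructed email and instant-messaging lines. The Luhn check is what lets a 16-digit transaction reference that is not a card number pass through unblocked, which is the false-positive problem the auditee's response describes.

```python
import re

# Runs of 13-19 digits, optionally separated by spaces or dashes, not embedded in a longer digit run.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test that every card PAN must pass."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def _digits(raw: str) -> str:
    return re.sub(r"[ -]", "", raw)


def is_pan(raw: str) -> bool:
    d = _digits(raw)
    return 13 <= len(d) <= 19 and luhn_valid(d)


def find_pans(text: str) -> list[str]:
    """Return every Luhn-valid PAN in text, digits only (the whole digit run is tested, not sub-runs)."""
    return [_digits(m.group(0)) for m in _PAN_CANDIDATE.finditer(text) if is_pan(m.group(0))]


def mask_pans(text: str) -> str:
    """Replace each PAN with only the first six and last four digits visible (PCI DSS display mask)."""
    def _mask(m: re.Match) -> str:
        if not is_pan(m.group(0)):
            return m.group(0)                # a non-card number: leave the message untouched
        d = _digits(m.group(0))
        return d[:6] + "*" * (len(d) - 10) + d[-4:]
    return _PAN_CANDIDATE.sub(_mask, text)


# Constructed sample outbound messages (not real data); only the second and third carry a PAN.
SAMPLE_MESSAGES = [
    "Please action transaction ref 1234567890123456 before close of day",
    "Customer card 4111 1111 1111 1111 is blocked, please review",
    "IM: chargeback on 5555-5555-5555-4444, see ticket 778",
]


def scan_messages(messages: list[str]) -> list[tuple[int, int]]:
    """Return (message index, number of PANs) for each message that would leak an un-masked PAN."""
    hits = []
    for i, msg in enumerate(messages):
        n = len(find_pans(msg))
        if n:
            hits.append((i, n))
    return hits
```
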
Issue No: 23
Findings / Observations: Operating Systems and Application Software Files Not Monitored: The integrity of the operating systems and application software files of some of the applications in scope is not being monitored to detect unauthorized changes or potential security compromises, as they have not been on-boarded on the bank's File Integrity Monitoring (FIM) solution (CIMTRAK). The CBN Risk-Based Cyber-Security Framework, Appendix III (2f), states: "Devise a mechanism to monitor, detect, log and report all unauthorized system configuration changes".
Risk & Implications: Unauthorized access, changes and potential security compromises to operating systems and application software files that may indicate a cyber-attack might not be promptly detected until irreparable damage or colossal financial loss has been suffered.
Risk Rating: Medium
Recommendation: Head, IT Security should ensure that the applications/operating systems are on-boarded on the bank's File Integrity Monitoring solution for monitoring of unauthorized access, changes and potential security compromises.
Auditee's Response: (none recorded)
Responsible Officer / Due Date: Zachariah Akinpelu
Status: Open
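To show what FIM on-boarding gives a defender, here is an added example (not the bank's CIMTRAK configuration): a baseline of SHA-256 hashes and permission bits over a constructed application directory, then a comparison that reports modified, added and deleted files after a simulated unauthorized configuration change.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def file_sha256(path: Path) -> str:
    """Stream the file so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict[str, dict]:
    """Hash, size and permission bits of every regular file under root, keyed by relative path."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            st = p.stat()
            baseline[p.relative_to(root).as_posix()] = {
                "sha256": file_sha256(p), "size": st.st_size, "mode": st.st_mode & 0o777}
    return baseline


def compare_to_baseline(root: Path, baseline: dict) -> dict[str, list[str]]:
    """Classify every deviation from the stored baseline as modified, added or deleted."""
    current = build_baseline(root)
    report = {"modified": [], "added": [], "deleted": []}
    for rel, recorded in baseline.items():
        now = current.get(rel)
        if now is None:
            report["deleted"].append(rel)
        elif now["sha256"] != recorded["sha256"] or now["mode"] != recorded["mode"]:
            report["modified"].append(rel)
    report["added"] = [rel for rel in current if rel not in baseline]
    return report


def demo() -> dict[str, list[str]]:
    """Constructed scenario: baseline a fake application tree, then tamper with it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "app").write_bytes(b"original binary")
        (root / "app.conf").write_text("debug=false\n")
        stored = json.dumps(build_baseline(root))        # in practice kept off-host and signed
        (root / "app.conf").write_text("debug=true\n")   # unauthorized configuration change
        (root / "bin" / "dropper").write_bytes(b"x")     # unexpected new file
        (root / "bin" / "app").unlink()                  # application binary removed
        return compare_to_baseline(root, json.loads(stored))
```
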

Issue No: 24
Findings / Observations: No Inventory of the Entity's (Bank's) Trusted Keys, Encryption Tools and Certificates: As at the time of the audit, there was no inventory of the Bank's trusted keys and certificates used to protect PAN, servers and applications during transmission. Also, we observed that there are no security tools or applications for encrypting cardholder/account data and PAN details on storage/archive and during transmission. An instance of such an application is TrueCrypt. PCI DSS 4.2.1.1: "An inventory of the entity's trusted keys and certificates used to protect PAN during transmission is maintained."
Risk & Implications: Difficulty and/or impossibility of keeping track of the algorithms, protocols, key strength, key custodians and key expiry dates, which enable the bank to respond quickly to vulnerabilities discovered in encryption software, certificates and cryptographic algorithms.
Risk Rating: Medium
Recommendation: An inventory of the Bank's trusted keys and certificates used to protect PAN during transmission should be maintained and updated at defined intervals.
Auditee's Response: (none recorded)
Responsible Officer / Due Date: Zachariah Akinpelu
Status: Open

Issue No: 26
Findings / Observations: Automated Information Security Simulation Test not Conducted Often: At the time of the audit, we observed that there was no automated tool for carrying out information security simulation tests (such as sample phishing mail and social engineering techniques) to ascertain the level of cybersecurity awareness among Unity Bank staff members. We also noted that these simulation tests were not being conducted (often) as stipulated in the CBN Cybersecurity Strategy 2021-2022. However, InfoSec could not avail us their Cybersecurity Strategy for 2022-2023 for sighting and review.
Risk & Implications: Lack of sensitization through simulation could leave staff members without the required knowledge to detect and report a potential security attack. Staff might not have quick insight into recent but prevalent cyber-attacks.
Risk Rating: Medium
Recommendation: We recommend that a robust simulation solution/tool (such as SafeBreach, Picus Security, Cymulate, XM Cyber, AttackIQ or CyCognito) is acquired to tackle this issue.
Auditee's Response: This is not a risk as we have a much more robust solution like Rapid 7. A phishing simulation solution has been deployed and a bankwide simulation was conducted late last year.
Responsible Officer / Due Date: Zachariah Akinpelu
Status: Closed

Issue No: 28
Findings / Observations: Cryptographic Keys and Digital Certificate Usages not Reviewed: A digital certificate, also known as a public key certificate, is used to cryptographically link ownership of a public key with the entity that owns it. Certificates are used for sharing public keys to be used for encryption and authentication. Audit review revealed that cryptographic key and digital certificate usages are not being reviewed. This is evidenced by critical servers having their digital certificates expired as at the time of review, and the custodian could not be established at the time of this audit.
Risk & Implications: There is a cybersecurity issue because data encryption and mutual authentication are at risk. As a result, both the Bank's website and its users are susceptible to malware attacks and viruses. Also, a hacker can take advantage of a Bank website with an expired SSL certificate and create a fake website identical to it.
Risk Rating: Medium
Recommendation: It is recommended that the usage of the Bank's cryptographic keys and digital certificates on all servers is reviewed on an ongoing basis, and where expired, they should be renewed. Also, this role should be handed over to the Information Security team if not yet handed over.
Auditee's Response: More clarification is required.
Responsible Officer / Due Date: Zachariah Akinpelu
Status: Open

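An added example, not from the audit or the bank, that serves both the key inventory finding (issue 24) and the certificate review finding (issue 28): it parses a constructed inventory in a CSV layout assumed here and flags the gaps the report names, namely a missing custodian or expiry date, expired or soon-expiring certificates, weak key sizes and deprecated protocols. The review date, thresholds and sample rows are all assumptions.

```python
import csv
import io
from datetime import date, datetime

# Constructed sample inventory (no real bank assets); the column layout is an assumption.
INVENTORY_CSV = """\
asset,kind,subject,algorithm,key_bits,protocol,custodian,not_after
ibank-web,certificate,www.bank.example,RSA,2048,TLS1.2,InfoSec,2026-09-30
api-gw,certificate,api.bank.example,RSA,1024,TLS1.0,,2024-01-15
sftp-vendor,certificate,sftp.bank.example,EC,256,TLS1.2,InfoSec,2025-06-20
hsm-pan-key,key,PAN-encryption-key-1,AES,256,,Key Custodian A,2025-12-31
legacy-atm,certificate,atm-switch.bank.example,RSA,2048,TLS1.2,Ops,
"""

AS_OF = date(2025, 6, 1)                     # review date assumed for the sample
MIN_KEY_BITS = {"RSA": 2048, "EC": 256, "AES": 128}
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLS1.0", "TLS1.1"}
REQUIRED_FIELDS = ("algorithm", "key_bits", "custodian", "not_after")


def parse_inventory(text: str) -> list[dict]:
    return list(csv.DictReader(io.StringIO(text)))


def review_entry(row: dict, today: date, warn_days: int = 30) -> list[str]:
    """Findings an auditor would raise for one key or certificate record."""
    issues = [f"missing {f}" for f in REQUIRED_FIELDS if not row.get(f)]
    if row.get("not_after"):
        days_left = (datetime.strptime(row["not_after"], "%Y-%m-%d").date() - today).days
        if days_left < 0:
            issues.append("expired")
        elif days_left <= warn_days:
            issues.append(f"expires in {days_left} days")
    alg, bits = row.get("algorithm"), row.get("key_bits")
    if alg in MIN_KEY_BITS and bits and int(bits) < MIN_KEY_BITS[alg]:
        issues.append(f"weak {alg}-{bits}")
    if row.get("protocol") in DEPRECATED_PROTOCOLS:
        issues.append(f"deprecated {row['protocol']}")
    return issues


def review_inventory(text: str, today: date = AS_OF) -> dict[str, list[str]]:
    """Map each asset to its findings; an empty list means the record is in order."""
    return {row["asset"]: review_entry(row, today) for row in parse_inventory(text)}


def assets_needing_action(text: str, today: date = AS_OF) -> list[str]:
    return [asset for asset, issues in review_inventory(text, today).items() if issues]
```
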
Issue No: 29
Findings / Observations: Absence of Security Baselines for Assets: There were no approved server and workstation security baselines to confirm evidence of system hardening on all operating systems, servers, routers, workstations, gateways and other endpoints.
Risk & Implications: There is a risk of not having an accurate picture of the business's weaknesses. It leaves the security impact of the bank's overall assets on the network unknown.
Risk Rating: High
Recommendation: We recommend that security baselines be developed and documented for all endpoint assets across the board.
Auditee's Response: This is in place.
Responsible Officer / Due Date: Zachariah Akinpelu
Status: Closed

Prepared by: Oluwasoji Adeyehun, Head, IT & eChannels Audit
Concurred by: Olusegun Famoriyo, Chief Audit Executive
Approved by: Managing Director/CEO
