Mullayangiri: RISK MANAGEMENT POLICY
1. Introduction
Mullayangiri recognizes that the Digital Payment Industry is a high-risk industry, vulnerable to all kinds of risks, including technological risk, compliance risk, risk of data security breach/loss, risk of fraud, risk of hacking, etc. Accordingly, the Applicant has developed a comprehensive framework of checks and balances to mitigate such risks.
The list of risks is long and diverse, spanning events as varied as fraud, data entry errors, failure of information systems, shutdown of physical infrastructure, commercial disputes, and natural disasters. As a result, strong but prioritized operational risk management and regulation is critical. Mullayangiri has developed a systematic approach to operational risk that identifies these risks where they arise in business processes and is both actionable and flexible. Such an approach can be applied to a wide variety of payment systems across many different markets, to understand the system-specific risks to providers, consumers, and the financial system at large.
In this section, we describe such an approach to identifying, quantifying, and managing operational risks in digital payments. We have structured this section around the four parts of the approach. The parts describe how to:
- Identify the most critical risks by tying them to business
- Quantify the severity of the identified risks, if they do
- Quantify the size of risks by weighing their severity against the likelihood that they will actually occur
- Shape a prioritized approach to operational risk management or
2. Measures to Mitigate Risk
Our Company assures and undertakes to adopt the indicative baseline technology-related recommendations set out in the related RBI guidelines on Payment Aggregators upon receipt of permission/licence to continue to carry on business as a Payment Aggregator and Payment Gateway. Several of these features have already been adopted by the Company and are in practice.
2.1 Board Approved IT Policy
Our Company ensures that a Board-approved IT policy is already in place for the regular management of IT functions, and that detailed documentation in terms of procedures and guidelines exists and is implemented. The Board-level IT Governance framework shall assign a major role to the Board/Top Management, and shall involve approving information security policies, establishing the necessary organizational processes/functions for information security, and providing the necessary resources.
2.2 IT Steering Committee
An IT Steering Committee shall always be created, with representation from various business functions as appropriate. The Committee shall assist the Executive Management in implementing the IT strategy approved by the Board. It shall have well-defined objectives and actions. Our Company ensures the establishment and maintenance of an enterprise information model to enable application development and decision-support activities, consistent with the Board-approved IT strategy. The model shall facilitate the optimal creation, use and sharing of information by the business, in a way that maintains integrity and is flexible, functional, timely, secure, and resilient to failure. A Cyber Crisis Management Plan shall also be comprehensively prepared in a timely manner, as approved by the IT Strategy Committee, and will incorporate components such as Detection, Containment, Response and Recovery.
2.3 Enterprise Data Dictionary
Mullayangiri ensures that an “enterprise data dictionary” incorporating the organization’s data syntax rules is maintained. This shall enable the sharing of data across applications and systems, promote a common understanding of data among IT and business users, and prevent the creation of incompatible data elements.
2.4 IT Maturity Level
Mullayangiri has considered assessing the IT maturity level of its Merchants and other Technology Service Providers based on well-known international standards, designing an action plan, and implementing that plan to reach the target maturity level. It shall select encryption algorithms that are well-established international standards and that have been subjected to rigorous scrutiny by an international community of cryptographers, or approved by authoritative professional bodies, reputable security vendors or government agencies. All security events from Mullayangiri infrastructure, including but not limited to application, server, middleware, endpoint, network, authentication, database, web service and cryptographic events and log files, shall be collected, investigated, and analyzed for the proactive identification of security alerts. Mullayangiri shall take preventive measures to ensure that data is stored in infrastructure that does not belong to external jurisdictions. Appropriate controls shall be considered to prevent unauthorized access to the data.
2.5 Other Security Measures
The IT infrastructure and processes of Mullayangiri have robust IT security features, such as access control of physical IT infrastructure and monitoring of the same by CCTV, while non-physical IT infrastructure is secured by limiting access, by password, to authorized persons only. Mullayangiri also undertakes a comprehensive security assessment during the merchant onboarding process to ensure that these minimal baseline security controls are adhered to by merchants.
2.6 Audit/Certification
Mullayangiri has obtained a Certificate of Compliance. In addition to the implementation of PCI DSS, Mullayangiri ensures the adoption and implementation of other best practices such as PA-DSS, the latest encryption standards, transport channel security, etc.
Mullayangiri shall carry out, and submit to the IT Committee, the following: quarterly internal and annual external audit reports; bi-annual Vulnerability Assessment / Penetration Test (VAPT) reports; the PCI-DSS compliance report, including the Attestation of Compliance (AOC) and Report on Compliance (ROC), with any observations noted together with the corrective/preventive actions planned and their action closure dates; an inventory of applications which store, process or transmit sensitive customer data; and the PA-DSS compliance status of payment applications which store or process cardholder data.
2.7 Regular Security Risk Assessment
Mullayangiri carries out, at regular intervals, a comprehensive security risk assessment of its people, IT, business process environment, etc., to identify risk exposures, remedial measures and residual risks. This can be an internal security audit, or an annual security audit by an independent security auditor or a CERT-In empanelled auditor. Reports on risk assessment, security compliance posture, security audits and security incidents are presented to the Board in a timely manner. Integrated IT risk management: the Mullayangiri digital financial services value chain relies on increasingly complex IT (e.g., increased use of vendors, new digital channels and processes, ageing legacy systems) that needs to meet increasingly high standards (e.g., for fraud prevention and anti-money laundering). This introduces new risks and increases the potential downside of existing risks. To meet the challenges of these risks, IT risk management needs competencies across seven disciplines.
2.8 Information and Cyber Security
To fight leakage of confidential customer and internal data, fraudulent transactions, blackmail, and hacktivism, Mullayangiri identifies and protects its most critical information assets, working backwards from desired business outcomes.
2.9 Resilience and Disaster Recovery
To minimize recurring or prolonged interruptions of IT services that support critical processes, Mullayangiri defines technology requirements and closes gaps in technology based on the prioritized business requirements for such processes.
2.10 Vendor and Third Party Management
Mullayangiri has a vendor and third-party management system to ensure that vendors and third parties deliver reliable and secure service. It establishes clear standards for security and continuity/disaster recovery, enforces them in a risk-prioritized way, and involves critical partners in proactive enterprise risk management.
2.11 Project and Change Management
To keep IT projects on schedule, within budget, and of high quality, Mullayangiri applies a comprehensive set of value assurance levers, including an improved operating model, alignment of stakeholders, and monitoring and tracking.
2.12 Software Architecture, Development and Testing
To ensure quality system design that supports long-term affordable, reliable, and maintainable service, Mullayangiri develops clear enterprise architecture standards and a review process.
2.13 Data Quality and Storage
Data quality and storage are regularly monitored at Mullayangiri to avoid regulatory issues or errors in transaction settlement stemming from inaccurate, inconsistent, or missing data, and to establish a consistent enterprise data architecture, with data ownership and controls that ensure data quality.
3. Conclusion
Mullayangiri always assures and adheres to the most advanced security system for its transaction platform, for the benefit of its users/merchants.