Program Management
This section provides an overview of Mojaloop's Risk and Security Management Initiatives.
Who is this for? Risk Management, Compliance, Governance, Regulatory, and Leadership Stakeholders
1. Mojaloop Data Security and Privacy Program:
1.1 Code Quality & Security Program Overview
Objective: Continuously improve the Trust (reliability, transparency, privacy, quality, and security) of the Mojaloop System.
Delivery Model: Supports both the functional and non-functional requirements of the project, working alongside other workstreams and various governance committees under a shared responsibility model.
Approach:
Standards and Control Centric – Define and maintain Mojaloop software quality and security standards and guidelines; in certain areas we provide reference implementations.
Risk and Threat Centric – Perform risk and threat modelling to identify, validate, classify and prioritize security requirements.
Key Milestones:
PI 1 – 8: Foundation Phase – Built confidentiality and integrity into the core Mojaloop architecture.
Developed and (to some degree) implemented signatures, mTLS, PKI and encryption standards.
Established a code quality and security framework: DevOps and CI/CD tool automation, workflows and policies.
PI 9 – Current: Improvement Phase – Consolidate, optimize and improve.
Introduced a risk- and threat-driven approach.
Baselined Mojaloop against best-practice standards – PCI DSS and GDPR.
Focused on the data – Data Protection Standards and the introduction of a Cryptographic Processing Module (CPM).
Guiding Principles:
We endeavor to ensure that our policy and governance framework is as lightweight as possible to encourage community volunteers to contribute freely and easily.
The overarching aim of the Code is to prescribe the use of certain quality and security practices and techniques, delivered as guidelines. In some areas we provide reference technology implementations; in other areas we require that certain policies or standards be adhered to, in a verifiable way.
1.2 Current PI Objectives (PI 12)
Enhance security in new functionality additions
Support major implementations
Design a secure cryptographic processing module
Improve data protection measures and controls
Baseline Mojaloop against industry standards
Maintain and enhance secure DevOps/CI/CD practices
Improve communication and community engagement
Improve access control measures
Epics:
Data Protection and Privacy
Core Functionality Support
Implementation Support
Community Engagement
Identity and Access Management
DevSecOps Integration
Cryptography Support
Standard Baselining
1.3 PI Reports (8 – 10)
PI 12 (link coming soon)
1.4 Vulnerability disclosure procedure
See the Vulnerability Disclosure Procedure for more information.
2. Scheme Rules Risk Management, Security, Privacy and Data Confidentiality
See the Scheme Rules Guidelines for more information.
3. Standard Baselining Reports
4. Code Security Overview
Refer to this presentation for an overview of the Code Security Practices in the Mojaloop Community.