mojaloop · lewisdaly · Jan 21, 2021 · Nov 25, 2020 · Nov 25, 2020 · Nov 26, 2020
@@ -0,0 +1 @@
+<mxfile host="app.diagrams.net" modified="2020-11-26T02:02:40.441Z" agent="5.0 (Macintosh)" etag="AMiprtBaqhUPbJzT7Eg4" version="13.10.3" type="device"><diagram id="yKDZ4kQin1TY66VNlRbs" name="Page-1">1ZZNc9sgEIZ/jY6ZESA57tFV7bSdeKapD8mVSFiiRaBiZMv59V0E+oqaTjNNMq0PGngXdlmeXckBScrmStOq2KqMiQCHWROQDwHGSxTD0wpnJ8SdkGueOQkNwo4/MC+GXq15xg6ThUYpYXg1FVMlJUvNRKNaq9N02V6JadSK5mwm7FIq5uotz0zh04rDQf/IeF50kVHoLSXtFnvhUNBMnUYSWQck0UoZNyqbhAl7d929uH2bJ6z9wTST5k82bL+d764/31xvYp7ebh9oc1ceLyLn5UhF7RMO8EKAv/f3MMjtoBP2CuJAGubs72bxo1ad4eLQklvBAoSqZjB2Xm5qKrg5B/aQIIY7lta6FZx3OLcLMA0K8uggeBIfa1XLjNn0EJhPBTdsV9HUWk9QjKAVphTebL378kIE5lSn3RRmR6YNB+orwXMJmlGV35MooXQbj2zan9W5ECOdLKPV5Qr0g9HqO+ssUknWH9sGYM2T6FBfENBITJXMaHtXTV9VbotvIhQt3Pw0lCR559cUo3LE2AOmvg3y3vdQKTDwxfKMwkGzwvmiVa5pCeKWSmiL0ib3V8gGRLgD6D2Fj4DGcygoJDja/Abi68FaTmEtyQwWwr+AhZbhK8HCM1g7Q2VGdXZoG3JBS3v17gnKlX3pCi7hxfuWAJ8D6hHtaBNFcfIyAHEU/2sAyQzgV7ZnkBBcPA4/lZVo240aruT/ggwneN026AsgI5fk7ZDBdPhqt7bRXx+y/gk=</diagram></mxfile>
@@ -0,0 +1,77 @@
+# Program Management
+
+This section provides an overview of Mojaloop's Risk and Security Management Initiatives.
+
+**Who is this for?**  
+*Risk Management, Compliance, Governance, Regulatory, and Leadership Stakeholders*
+
+## 1. Mojaloop Data Security and Privacy Program:
+### 1.1 Code Quality & Security Program Overview
+
+**Objective:** Continuously improve the Trust (reliability, transparency, privacy, quality, and security) of the Mojaloop System.
+
+**Delivery Model:** Supports both functional and non-functional requirements of the project, working alongside with other workstreams & various governance committees on a shared responsibility Model.
+
+#### Approach:
+- Standards and Control Centric – Define and maintain Mojaloop software quality and security standards and guidelines – In certain areas we provide reference implementation.
+- Risk and Threat Centric – Perform risk and threat modelling to identify, validate, classify & prioritize security requirements.
+
+#### Key Milestones:
+- PI 1 – 8: Foundation Phase - Built-in confidentiality and Integrity as part of the Core Mojaloop Architecture.
+  - Developed and Implemented (To some degree) Signatures, MTLS, PKI, encryption standards 
+  -	Established a code quality and security framework - DevOps & CI/CD Tools automation, workflows & policies
+- PI 9 – Current: Improvement Phase – Consolidate, optimize & improve.
+  - Introduced a risk and threat driven approach 
+  - Baselining Mojaloop against best practice standards – PCI DSS and GDPR
+  - Focus on the data – Data Protection Standards and Introduction of a Cryptographic Processing Module (CPM)
+
+#### Guiding Principles:
+- We endeavor to ensure that our policy and governance framework is as lightweight as possible to encourage community volunteers to contribute freely and easily.
+- The overarching aim of the Code is to prescribe the use of certain quality/security practices and techniques delivered as guidelines and in some areas, we have reference technology implementations whereas for other areas we require certain policies or standards to be adhered to and verifiable.
+
+### 1.2 Current PI Objectives (PI 12)
+
+1.	Enhance security in new functionality additions
+2.	Support major implementations
+3.	Design a secure cryptographic processing module
+4.	Improve data protection measures and controls
+5.	Baselining of Mojaloop against industry standards
+6.	Maintain and enhance secure DevOps/CI CD practices
+7.	Improve communication and community engagement
+8.	Improve access control measures
+
+#### Epics:
+1.	Data Protection and Privacy
+2.	Core Functionality Support
+3.	Implementation Support
+4.	Community Engagement
+5.	Identity and Access Management
+6.	DevSecOps Integration
+7.	Cryptography Support
+8.	Standard Baselining
+
+### 1.3 PI Reports (8 – 10)
+
+1. [PI 8](https://raw.githubusercontent.com/mojaloop/documentation-artifacts/master/presentations/September%202019%20PI-8_OSS_community%20session/cqs_pi_08_report.pdf)
+1. [PI 9](https://raw.githubusercontent.com/mojaloop/documentation-artifacts/master/presentations/January%202020%20OSS%20Community%20Session/cqs_pi_09_report.pdf)
+1. [PI 10](https://github.com/mojaloop/documentation-artifacts/blob/master/presentations/April%202020%20Community%20Event/Presentations/code_quality_and_security-PI%2010%20final.pdf)
+1. [PI 11](https://github.com/mojaloop/documentation-artifacts/blob/master/presentations/July%202020%20Community%20Event/Presentations/Code%20Quality%20Security%20PI%2010%20Report%20-%2020%20July%202020%20v1.9%20Final.pdf)
+1. PI 12 _(link coming soon)_
+
+### 1.4 Vulnerability disclosure procedure
+
+See [Vulnerability Disclosure Procedure](./vulnerability-disclosure-procedure.md) for more information
+
+
+## 2. Scheme Rules Risk Management, Security, Privacy and Data Confidentiality
+
+See [Scheme Rules Guidelines](./scheme-rules-guidelines.md) for more information
+
+## 3. Standard Baselining Reports
+
+- [GDPR Scoping Analysis Report](https://raw.githubusercontent.com/mojaloop/documentation-artifacts/master/reference/gdpr_scope_analysis_report.pdf)
+- [PCI DSS Baseline report and recommendations – Responsibility matrix (Hub/Switch)](https://github.com/mojaloop/documentation-artifacts/raw/mojaloop/reference/Mojaloop%20PCI%20DSS%20Compliace%20Baseline%20Requirement%20Overall%20Report%20v1.0%2005012021.xlsx)
+
+## 4. Code Security Overview
+
+Refer to [this presentation](https://raw.githubusercontent.com/mojaloop/documentation-artifacts/master/reference/code_security_overview.pdf) for an overview of the Code Security Practices in the Mojaloop Community.
@@ -0,0 +1,51 @@
+# Security, Risk Management, and Data Confidentiality
+
+> Note: this document is a reference from the [Scheme Business Rules](https://docs.mojaloop.io/mojaloop-business-docs/documents/scheme-business-rules.html)
+> Please refer to [Mojaloop Business Docs](https://docs.mojaloop.io/mojaloop-business-docs/) for more information and context
+
+## 1.1 Confidentiality and Protection of Personal Information
+- Confidential Information of the Scheme that is disclosed to Participants will be held in confidence by Participants and will be used only for the purposes permitted by the Rules. Scheme Confidential Information may include proprietary technology and other matters designated by the Scheme.
+- Transaction data will not be owned by the Scheme and will be owned by a Participant as it relates to its Customer's Transactions.
+- The confidentiality of Transaction data and any Personal Information processed in the Platform will be protected by the Scheme and Participants according to Applicable Law.
+- Statistics or data which identify a Participant or from which the Participant may be identified will not be disclosed to other Participants. The Scheme may prepare for internal use and disclose to third parties for promotional purposes statistics based on aggregate, anonymized data as permitted by Applicable Law.
+- The Scheme will make disclosures of Confidential Information to comply with Applicable Law or the directive of a Regulatory Authority.
+- The Scheme will protect Personal Information in its possession or under its control from misuse and otherwise treat such information in accordance with Applicable Law protecting privacy of individuals.
+- The Scheme will maintain industry leading security measures to protect information from unauthorized access and use.
+- Participants will notify the Scheme and acknowledge that the Scheme may notify other Participants, of any Security Incident in the systems or premises of the Participant, its affiliated entities or any third-party vendor engaged by the Participant to provide services in support of the Participant's participation in the Scheme.
+- The Scheme may conduct investigations into Security Incidents. Participants will cooperate fully and promptly with the investigation. Such investigations will be at the expense of the affected Participant.
+- The Scheme may require a Participant to conduct investigations of Security Incidents and may require that such investigations be conducted by qualified independent security auditors acceptable to the Scheme.
+- The Scheme may impose conditions of continued participation on the affected Participant regarding remedy of the causes of the Security Incident and ongoing security measures.
+- The investigation and report, as well as remedies that may be required will be held confidential to the extent permitted by Applicable Law.
+
+## 1.2 Risk Management Policies
+
+This section assumes that the development of risk management policies by the Scheme and its participants will be evolving. This section contemplates that some of these policies will (eventually) be in the Rules; others will not
+
+- Risk management policies and procedures may be stated in the Rules, in Associated Documents, or in other written policy documents created by the Scheme and distributed to Participants
+- Risk management policies and procedures will include fiscal soundness, system integrity, compliance with Applicable Law, particularly as to Anti-Money Laundering/Combatting Terrorism Financing measures, privacy of personal information and data security
+- Risk management functions include procedures applicable to Participants for monitoring of risks, including reporting requirements and audits
+
+
+## 1.3 Business Continuity
+- Provisions to ensure business continuity on the part of the Scheme, its vendors, and Participants.
+
+
+## Appendix: Risk Management, Security, Privacy, and Service Standards
+> Schemes may or may not want to specify standards or require that Participants comply with other established standards. Schemes may furthermore specify different standards for different categories of Participants. The list below is given purely as an example.
+
+Participants must adhere to the following practices of service quality security, data privacy and customer service as they apply to a Participant in connection with the Scheme.
+- Participants will establish a risk management framework for identifying, assessing and controlling risks relative to their use of the Scheme.
+- Participants will ensure that the systems, applications and network that support the use of the Scheme are designed and developed securely.
+- Participants will implement processes to securely manage all systems and operations that support the use of the Scheme.
+- Participants will implement processes to ensure that systems used for the Scheme are secure from unauthorized intrusion or misuse.
+- Participants will implement processes to ensure the authentication of their customers in creating and approving transactions that use the Scheme.
+- Participants will develop effective business continuity and contingency plans.
+- Participants will manage technical and business operations to allow timely responses to API calls received from the Scheme Platform or from other Participants via the Scheme Platform.
+- Participants will establish written agreements governing their relationship with agents, processors, and other entities providing outsourced services that pertain to the Scheme.
+- Participants will develop policies and processes for ongoing management and oversight of staff, agents, processors, and other entities providing outsourced services that pertain to the Scheme.
+- Participants will ensure that customers are provided with clear, prominent, and timely information regarding fees and terms and conditions with respect to services using the Scheme.
+- Participants will develop and publish customer service policies and procedures with respect to services using the Scheme.
+- Participants will provide an appropriate mechanism for customers to address questions and problems. Participants will specify how disputes can be resolved if internal resolution fails.
+- Participants will comply with good practices and Applicable Laws governing customer data privacy.
+- Participants will ensure that Customers are provided with clear, prominent, and timely information regarding their data privacy practices.
+