IV.3 Specific findings regarding Confidentiality, Integrity, Availability (CIA)

IV.3.1 Confidentiality
The confidentiality of the e-payment system is guaranteed by the presence of a firewall and an encryption system in the network infrastructure. The table below shows how many of the assessed organizations have each of these two elements in place.
Table 7: Confidentiality elements

| Element    | Number of companies |
| Firewall   | 6                   |
| Encryption | 3                   |
The study results show that 100% of the responding institutions have a firewall installed in their IT infrastructure and 50% have an encryption system deployed.

However, whether the firewall's configuration is checked for integrity is an important element in assessing the real value of the firewall in the LAN infrastructure. The table below shows the integrity result for the e-payment systems reviewed. According to the Likert scale used for the questionnaire, the score for the integrity check of the firewall configuration is given per institution.
Table 8: Integrity check of the firewall configuration

| Institution       | Score |
| Bank 1            | 4     |
| Bank 2            | 3     |
| Bank 3            | 2     |
| Bank 4            | 3     |
| Mobile operator 1 | 2     |
| Mobile operator 2 | 2     |
Table 9, derived from Table 8, shows how often the configuration of the firewall is checked for integrity.
Table 9: Integrity check of the firewall configuration

| Response / Score | Frequency | Percentage |
| Not sure / 2     | 3         | 50%        |
| Monthly / 3      | 2         | 33.33%     |
| Weekly / 4       | 1         | 16.67%     |
| Total            | 6         | 100%       |
This result shows that the most frequently observed value is the score 2 (Not sure), which is the mode of this frequency distribution. This means that 50% of the observed institutions do not have an integrity check of the firewall configuration in place, which increases the vulnerability of the system. 33.33% have a monthly check, while only 16.67% have a weekly check.

So the integrity of the firewall configuration can be compromised, and even at the best observed frequency it will take at least a week to discover the exploit.
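The finding above is that unapproved changes to a firewall rule set go unnoticed between checks. The following added example (it is not code from the study or from any of the assessed institutions) shows what a scheduled integrity check of the firewall configuration can look like: a keyed digest of the canonical rule export is compared with a baseline, and on mismatch the added and removed rules are listed. The rule syntax, the baseline key and both configuration snapshots are constructed for illustration.

```python
"""Added example: detect drift in a firewall configuration by comparing a
fresh export against a baseline taken when the rule set was last approved.

Assumptions (all hypothetical): the firewall exports its rules as one rule per
line, the baseline export and a secret key were stored off the firewall host at
approval time, and this check runs on a schedule (daily, weekly, ...)."""
import hashlib
import hmac

# Constructed sample: rule set exported on the day the baseline was approved.
BASELINE_CONFIG = """\
allow tcp from 10.0.0.0/8 to 10.0.5.10 port 443
allow tcp from 10.0.0.0/8 to 10.0.5.11 port 8443
deny ip from any to any
"""

# Constructed sample: the same rule set some days later, with one unapproved rule added.
DRIFTED_CONFIG = """\
allow tcp from 10.0.0.0/8 to 10.0.5.10 port 443
allow tcp from any to 10.0.5.11 port 22
allow tcp from 10.0.0.0/8 to 10.0.5.11 port 8443
deny ip from any to any
"""

BASELINE_KEY = b"constructed-baseline-key"  # hypothetical; kept off the firewall host


def normalise(config: str) -> str:
    """Canonicalise an export so blank lines, comments and trailing spaces do not raise alarms."""
    lines = [ln.strip() for ln in config.splitlines()]
    return "\n".join(ln for ln in lines if ln and not ln.startswith("#"))


def config_tag(config: str, key: bytes) -> str:
    """Keyed SHA-256 tag of the canonical config. A keyed tag (rather than a plain hash
    stored next to the config) cannot be recomputed by whoever altered the rules."""
    return hmac.new(key, normalise(config).encode(), hashlib.sha256).hexdigest()


def diff_rules(baseline: str, current: str) -> dict:
    """List rules added to and removed from the baseline (set comparison suffices for rule lists)."""
    old = set(normalise(baseline).splitlines())
    new = set(normalise(current).splitlines())
    return {"added": sorted(new - old), "removed": sorted(old - new)}


def check_integrity(baseline: str, current: str, key: bytes) -> dict:
    """Return {'ok': True} when the tags match, otherwise the rule-level differences as well."""
    expected = config_tag(baseline, key)
    actual = config_tag(current, key)
    ok = hmac.compare_digest(expected, actual)
    result = {"ok": ok}
    if not ok:
        result.update(diff_rules(baseline, current))
    return result


if __name__ == "__main__":
    print(check_integrity(BASELINE_CONFIG, BASELINE_CONFIG, BASELINE_KEY))
    print(check_integrity(BASELINE_CONFIG, DRIFTED_CONFIG, BASELINE_KEY))
```

Run daily, a check of this kind bounds the undetected-drift window to one day instead of the week or month observed in Table 9; the listed differences give the operator exactly which rule to review.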
IV.3.2 Integrity
Integrity is assessed through the existence of a digital certificate system, authentication and authorization for data access, and protection against viruses.
Table 10: System integrity result

| Capability          | Number of institutions |
| Digital certificate | 1                      |
| Authentication      | 6                      |
| Authorization       | 6                      |
| Antivirus           | 6                      |
The study result shows that the majority of assessed institutions don't have a digital certificate system in place; only one of them has a certificate server deployed.
The assessment of integrity through the reporting of unauthorized attempts to access sensitive data, and through physical access control to the computers hosting sensitive data, is given in the tables below.
Table 11: Reporting of unauthorized attempts to access sensitive data

| Institution       | Score |
| Bank 1            | 5     |
| Bank 2            | 5     |
| Bank 3            | 5     |
| Bank 4            | 5     |
| Mobile operator 1 | 2     |
| Mobile operator 2 | 5     |
This table shows that the majority of the assessed companies have a reporting system in place for unauthorized attempts to access sensitive data.
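What such a reporting system has to do in practice is turn raw access-audit records into a report of denied accesses to sensitive data, with an alert when one account keeps trying. The added example below (not code from the study or from any assessed institution) parses constructed audit lines, counts the unauthorized attempts against sensitive resources and flags bursts. The log format, the resource prefixes that count as sensitive, the user names and the burst threshold are all assumptions made for the illustration.

```python
"""Added example: report unauthorised access attempts to sensitive data from an
access-audit log and raise an alert on bursts from a single account.

Assumptions (hypothetical): the application writes one line per access decision as
'<ISO timestamp> user=<id> resource=<path> decision=<ALLOW|DENY>', and a resource is
sensitive when its path starts with one of SENSITIVE_PREFIXES."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

SENSITIVE_PREFIXES = ("/cardholder/", "/wallet/")  # constructed

# Constructed sample audit lines.
AUDIT_LOG = """\
2024-03-04T09:00:01 user=alice resource=/cardholder/42 decision=ALLOW
2024-03-04T09:00:05 user=bob resource=/reports/daily decision=DENY
2024-03-04T09:01:10 user=bob resource=/cardholder/42 decision=DENY
2024-03-04T09:01:12 user=bob resource=/cardholder/43 decision=DENY
2024-03-04T09:01:15 user=bob resource=/cardholder/44 decision=DENY
2024-03-04T11:30:00 user=carol resource=/wallet/7 decision=DENY
"""

LINE_RE = re.compile(r"^(\S+) user=(\S+) resource=(\S+) decision=(ALLOW|DENY)$")


def parse(log: str) -> list:
    """Parse audit lines into events; malformed lines are skipped rather than mis-parsed."""
    events = []
    for raw in log.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts, user, resource, decision = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "resource": resource, "decision": decision})
    return events


def is_sensitive(resource: str) -> bool:
    return resource.startswith(SENSITIVE_PREFIXES)


def unauthorised_attempts(events: list) -> list:
    """Every denied access to a sensitive resource is an attempt worth reporting."""
    return [e for e in events if e["decision"] == "DENY" and is_sensitive(e["resource"])]


def burst_alerts(attempts: list, threshold: int = 3,
                 window: timedelta = timedelta(minutes=5)) -> list:
    """Flag each user whose denied sensitive accesses reach `threshold` within `window`."""
    by_user = defaultdict(list)
    for e in attempts:
        by_user[e["user"]].append(e["ts"])
    alerts = []
    for user, times in by_user.items():
        times.sort()
        for i in range(len(times)):
            j = i + threshold - 1
            if j < len(times) and times[j] - times[i] <= window:
                alerts.append({"user": user, "count": threshold, "from": times[i].isoformat()})
                break  # one alert per user per run is enough for the report
    return alerts


def report(log: str) -> dict:
    """Summary a reviewer or SOC would receive: attempt count plus burst alerts."""
    attempts = unauthorised_attempts(parse(log))
    return {"attempts": len(attempts), "alerts": burst_alerts(attempts)}


if __name__ == "__main__":
    print(report(AUDIT_LOG))
```

On the constructed log this reports four unauthorised attempts (bob's denied access to a non-sensitive report is excluded) and one burst alert for bob; carol's single denial is counted but not escalated.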
However, physical access control to the systems holding sensitive data is also an important element in guaranteeing the integrity of the data.
Table 12: Additional physical access control

| Institution       | Score |
| Bank 1            | 2     |
| Bank 2            | 2     |
| Bank 3            | 1     |
| Bank 4            | 1     |
| Mobile operator 1 | 2     |
| Mobile operator 2 | 1     |
The frequency distribution of the additional physical access control to systems holding sensitive data is given in Table 13 below.
Table 13: Frequency distribution of additional physical access control

| Score        | Frequency | Percentage |
| No / 1       | 3         | 50%        |
| Not sure / 2 | 3         | 50%        |
| Total        | 6         | 100%       |
The table above shows that 100% of the assessed institutions don't have a strict physical access control mechanism on top of logical access controls for the computers storing sensitive data. Even though unauthorized attempts to access sensitive data are reported, strong physical access control mechanisms for the computer systems holding sensitive data are missing.