Practical security resources for East African organisations

BNR Cybersecurity Compliance Checklist

For banks, MFIs, insurance companies, payment service providers and mobile money operators supervised by the National Bank of Rwanda.

1. Governance & Policy

• Board-approved information security policy in place and reviewed annually
• Designated information security officer or equivalent role
• Board receives regular cybersecurity risk reports (at minimum quarterly)
• IT risk register maintained and reviewed
• Security roles and responsibilities documented for all staff

2. Risk Assessment

• Annual information security risk assessment conducted
• Risk assessment covers all critical systems and business processes
• Risk treatment plan with assigned owners and timelines
• Risk assessment methodology documented

3. Vulnerability Assessment & Penetration Testing (VAPT)

• Annual VAPT conducted by a qualified external provider
• VAPT covers all internet-facing systems (web apps, APIs, mobile, USSD)
• VAPT conducted by a qualified provider with demonstrable hands-on testing credentials
• Formal written report delivered with severity ratings and remediation guidance
• Critical and high findings remediated and re-tested
• VAPT conducted after significant system changes

4. Access Management

• All accounts are individual (no shared credentials)
• Principle of least privilege applied to all accounts
• Multi-factor authentication enabled for all staff on critical systems
• Privileged account management policy and monitoring
• Access review conducted at least quarterly
• Terminated staff accounts disabled within 24 hours

5. Incident Response

• Documented incident response plan (IRP)
• IRP tested at least annually (tabletop exercise)
• Designated incident response team with clear roles
• BNR incident reporting procedure known and documented
• Incident log maintained for all security events
• Post-incident review process in place

6. Security Awareness Training

• Security awareness training provided to all staff annually
• Training covers phishing, social engineering, password security, incident reporting
• Training completion records maintained
• Phishing simulation conducted at least annually
• Board and senior management receive security awareness briefing

7. Data Protection & Encryption

• Customer and sensitive data classified
• All data encrypted in transit (TLS 1.2 minimum)
• Sensitive data encrypted at rest
• Data retention and deletion policy
• Data breach notification procedure documented

8. Third-Party Risk Management

• Security due diligence conducted before engaging new vendors
• Security clauses in all contracts with third parties accessing your systems or data
• Annual review of critical third-party security posture
• Cloud provider security assessment and data location documented

9. Vulnerability & Patch Management

• Asset inventory of all hardware and software maintained
• Monthly vulnerability scanning of all internet-facing assets
• Critical patches applied within 72 hours; high within 7 days; medium within 30 days
• End-of-life software identified and remediation plan in place

10. Business Continuity & Disaster Recovery

• Business continuity plan (BCP) documented and tested annually
• Data backups taken regularly and restoration tested
• Recovery Time Objective (RTO) and Recovery Point Objective (RPO) defined
• Alternative processing arrangements for critical systems documented

Penetration Testing Buyer's Guide for East Africa

What you are buying

A penetration test is a structured, authorised attack on your systems by a skilled professional. The goal is to find and prove real vulnerabilities before attackers do. The deliverable is a written report with findings, proof of exploitation, severity ratings, and remediation guidance.

Certifications to require

• OSCP (Offensive Security Certified Professional): the gold standard. Requires practical hacking under exam conditions. Cannot be passed by memorising content.
• CEH: knowledge-based technical certification, less practical than OSCP. CISM, CISSP: governance and management certifications. None are substitutes for OSCP when evaluating a hands-on tester.
• Ask to see the actual certificate, not just a claim on the website.

Questions to ask every provider

• "Can I see a sample report from a previous engagement?" A real provider will have a redacted sample. Thin reports (5 pages) that are mostly scanner output are a red flag.
• "Who will actually conduct the test?" Verify the tester's credentials, not just the company's branding.
• "Do you include a free re-test of critical and high findings?" This should be standard, not an extra charge.
• "How do you handle testing of production systems?" Listen for safeguards: out-of-hours testing, scope limitations, rollback procedures.
• "Can you provide a signed Rules of Engagement before testing starts?" If they don't know what this is, look elsewhere.

Red flags: walk away if you see these

• Promises to test everything in 1 day at a very low price. Real testing takes days, not hours
• Report is purely scanner output (Nessus, Qualys) with no manual testing evidence
• No Rules of Engagement or NDA before testing starts
• Tester cannot name their certification or explain their methodology
• Vague scope: a good pentest requires a precisely defined scope
• No debrief call offered after the report is delivered

What your report should contain

• Executive summary: in plain language, suitable for board presentation
• Scope and methodology: what was tested, how, for how long
• Findings: each with description, severity, proof of concept (screenshots/steps), business impact, and specific remediation guidance
• Risk heat map: visual summary of all findings
• Remediation roadmap: prioritised action list
• Tester details: name, certifications held

Scope: what to include

• All internet-facing web applications
• All APIs (especially mobile banking and agent APIs)
• Mobile banking apps (Android + iOS)
• USSD gateways if applicable
• External network perimeter (publicly reachable IPs)
• Social engineering (phishing simulation), consider annually
• Internal network, if budget allows, add at least every other year

Security Awareness Training Session Template

Estimated duration: 2 hours. Suitable for all staff levels. Adapt as needed for your organisation.

Session structure

• 0:00-0:15 Introduction: why security matters for your organisation, recent incidents in East Africa
• 0:15-0:35 Module 1: Phishing and email threats
• 0:35-0:55 Module 2: Passwords, MFA, and account security
• 0:55-1:10 Module 3: Social engineering and vishing (phone attacks)
• 1:10-1:25 Module 4: Incident reporting, what to do when something looks wrong
• 1:25-1:45 Module 5: Mobile device and remote work security
• 1:45-2:00 Quiz and Q&A

Module 1: Phishing, key messages

• Phishing emails often impersonate trusted sources: your bank's IT team, BNR, RRA, MTN, or Airtel
• Red flags: urgency, unexpected requests, mismatched sender domains (check the full email address, not just the display name)
• Never click links in unexpected emails. Go directly to the site by typing the address
• Never enter credentials on a page you reached via a link in an email
• Discussion prompt: "Has anyone received a suspicious email at work in the last 6 months? What did you do?"

Module 2: Passwords & MFA, key messages

• Password reuse across accounts is the single biggest account security mistake
• A strong password is long (14+ characters) and random. Use a password manager
• MFA (the code on your phone) protects your account even if your password is stolen
• Never share your MFA code with anyone, including people claiming to be IT support

Module 3: Social engineering, key messages

• Social engineers exploit trust, urgency, and authority, not technical vulnerabilities
• A phone call claiming to be from the CEO, BNR, or IT support is not automatically legitimate
• Verification procedure: hang up, find the caller's number independently, call back
• You are never "in trouble" for following verification procedures. Management should back you

Module 4: Incident reporting, key messages

• Report suspicious activity immediately. The first hour matters most in a breach
• Who to report to: [fill in your organisation's security contact here]
• No blame for reporting in good faith. Early reporting is celebrated, not punished
• What to report: unexpected popups, suspected phishing, anything that looks wrong

Post-session quiz (10 questions)

Use these questions to test retention after the session. Review answers as a group.

1. What is the first thing you should check if you receive an unexpected email asking you to reset your password?
2. If someone calls you claiming to be from BNR and asks for your login credentials, what should you do?
3. What is multi-factor authentication and why does it matter?
4. What are three signs that an email might be a phishing attempt?
5. If you click on a suspicious link by accident, what should you do next?
6. What makes a password strong?
7. What is a social engineering attack?
8. How long can you wait before reporting a suspected security incident?
9. Is it okay to use your work laptop on a public WiFi at a cafe without a VPN?
10. If a colleague asks to borrow your access credentials because they forgot theirs, what should you do?