
List:       mifos-functional
Subject:    Re: [Mifos-functional] Discussion: Recommended IT Policies for MFIs
From:       "Aliya Walji" <awalji () grameenfoundation ! org>
Date:       2008-09-22 5:43:58
Message-ID: 9DD845C1ED0D5D40B4B56DF5A4B1EB0E0385BB16 () gfmail ! gfusa ! org


Apologies for the delay in setting up the users list.  I spoke with
Emily and others on the team last week about getting this done and due
to a few other pressing tasks, we decided to wait for a couple weeks
until we had some bandwidth.  We've decided to set up a new list called
"Mifos Help" which will be for anyone who is setting up or using Mifos
in production.  This will be the place to share information and ask
questions about installing and deploying Mifos, troubleshooting
deployment issues, discussing best practices around the implementation
process, etc.

 

Below is a chart we put together describing the different categories of
discussions, which list they used to take place on and where they should
take place once we have the new list set up.  If you (or anyone else)
has any final feedback before I set up the new lists this week, let me
know.

 

Thanks,

 

Aliya

 

Use/Need | User Group | Current List | Future List
-------- | ---------- | ------------ | -----------
Discussing code design/development of new features or bug fixes | Software development teams | Developer | Developer
Patch review notifications | Software development teams | Developer | Developer
Discussing design of new features to be developed | Software development teams/IT specialists/MFIs | Functional | Functional
Asking questions about current functionality | IT Specialists/MFIs | Functional | Functional
Investigating potential bugs in the system from a functional perspective | IT Specialists/Software developers | Functional/Developer | Functional
Asking technical questions about how to deploy Mifos in production (software stack, server set up, etc) | IT Specialists | Developer | Help
Asking questions about data migration | IT Specialists | Developer/Functional | Help
Asking questions about how to create reports | IT Specialists | Developer | Help
Asking questions about deployment process (UAT, training, etc) | IT Specialists | Functional/developer | Help
Raising production issues/bugs (e.g. performance issues, logging issues, functional issues, etc) | IT Specialists | Developer | Help
Asking questions about how to integrate Mifos with other systems | IT Specialists | Developer | Help


From: Graeme Ruthven [mailto:graeme@kula.co.nz] 
Sent: Friday, September 19, 2008 9:11 PM
To: 'Mifos functional discussions'
Subject: Re: [Mifos-functional] Discussion: Recommended IT Policies for
MFIs

 

Ryan

 

I think that this type of discussion is well worthwhile but, as you say,
we're getting way off-topic for either the developer or functional
lists.

 

Perhaps it's time to revisit the earlier threads about setting up a
users list? As you also say, gathering together ideas that will help
MFIs formulate their policies is a great idea and I'm sure that there
are many of us with general IT and business experience who can
contribute.

 

This discussion is getting a bit messy, with lots of topics being
discussed, with a wide range of general policy stuff and Mifos
specifics. Not to mention confusion from different email formats.

 

Can anyone suggest a better way of tracking the items - a wiki page
perhaps?

 

	 

________________________________

	From: mifos-functional-bounces@lists.sourceforge.net
[mailto:mifos-functional-bounces@lists.sourceforge.net] On Behalf Of
Ryan Whitney
	Sent: Friday, 19 September 2008 01:00
	To: Mifos functional discussions
	Subject: Re: [Mifos-functional] Discussion: Recommended IT
Policies for MFIs

	On 9/18/08 11:10 AM, "Graeme Ruthven" <graeme@kula.co.nz> wrote:

	> * Passwords
	>  * MFIs should require their employees to create 
	> strong passwords 
	
	Yes, and this can be enforced by Mifos.

	Are you saying we have this feature in Mifos or it's something we
could add?  I'm thinking the latter in hopes I'm not that ignorant about
Mifos ;)

	 

	I don't believe that this is a feature, but it could be added if
required. Google suggests that suitable libraries are available.   

		>  * Nobody should be writing passwords down 
		> anywhere (like on a piece of paper next to the
computer ;)) 
		
		Awww... No yellow stickies? :-(

	I always figured the answer to this is not to punish anyone who
you find doing that.  Just walk around the office once a month and black
them out with sharpie.  That ought to get people's attention ;)

	
	>  * Enforce employees to choose a new password
	> every 3, 6, or 12 months
	
	Again, can be enforced by Mifos, best through a configurable
option.

	Another possible feature request, right? (Scaring me here ;)) 

	 

	Yep, I believe that would have to be a feature request. I should
have said "could", not "can"! A lot of applications, together with
Windows and Linux, are able to enforce password strength and expiry,
although this isn't always turned on.

		
		> Obviously, some of these can be resolved technically 
		> (infrastructure setup, feature requests to mifos,
possibly 
		> reports - ie, one reporting the last time people
logged in), 
		> but it's still good to have these written down.
		
		I believe that an MFI should have a good security policy
and signing it
		should be a condition of employment.
		
		Where controls can be implemented by the software, this
should be done.

	
	I agree 100%, which is why I brought this up. I'm realizing that
what we're doing here is more than just building MFI software, we're
having to help people run it safely and securely ;) 

	 

	Hence my comment at the start. I totally agree. Perhaps a wiki
page on security to capture the various thoughts.

	 

	We need to be prepared for a wide range of opinions and some
healthy debate.

	 

		All logon attempts - failed and successful - should be
logged. See auth.log
		on a Linux system or the Security log on a Windows
system. Timestamps should
		be accurate to the second (or better) in case they need
to be correlated
		with other events. Which implies that system clocks in
the network should
		all be synchronised with a suitable time standard.
Simple to implement, but
		often overlooked...

	I'm not sure, but I believe we track that.  Can someone else
confirm this? 

	 

	I don't believe so. Table "personnel" has a "LAST_LOGIN" field
for each user, but this only records the date (of the last logon), which
I don't see as fine enough granularity.

	 

	I recommend that IP address is logged as well.

	I would prefer to see a log along the lines of a Linux auth.log
as above. Surely there must be a Java library that supports syslog-type
output?

		Another one I think should be addressed is segregation
of duties. A person
		entering a request for a loan or payment should not be
allowed to approve or
		disburse it. An entirely separate person must make the
approval or payment.
		This means that, unless passwords have been shared in
violation of policy or
		privilege escalation has occurred, the most basic form
of fraud requires two
		people acting together.

	I agree and disagree, this is a kind of gray area (and going to
sort of contradict something I said earlier...).  The previous points
above are general IT policy questions, but this is more of a procedural
issue (And I'm a tech guy, not an MF expert... Not yet at least).
Certainly it's something worth discussing, especially with how Mifos is
involved with the process, but I'd hesitate before I decided on any
absolutes like that.
	
	I think Mifos's goals should be to provide the flexibility for
MFIs to model their processes and procedures as closely as possible**
and provide a detailed audit trail.
	
	And in practice, I'm not sure I agree with your example either.
Take for instance a manager who oversees 50 loan officers, each who are
creating around 10 new loans a day, meaning he or she has somewhere
around 500 new loan accounts to approve  everyday (a real scenario,
actually).  Is the manager going to dig through every single one and
validate each one, does he or she know if every customer is real or not?

	
	In that case, I don't think the manager is going to dig into
that detail and will most likely approve most loans unless they see
something that stands out.  As the manager, he or she is still
responsible, but that would be the case whether they were the ones
approving the loans or not.  What you are providing in this scenario is
a second set of eyes on a loan application (so it'd be a lot harder to
commit a fraud of taking out 15000 as opposed to a normal 150) and the
audit trail.  
	
	No software can guarantee against fraud, it can only help you
fight it.  At some level you have to trust people underneath you ;)
(hhhmm, that makes me think of another topical question...).  Either
way, providing some assistance on how MFIs will need to change their
processes and procedures is needed, but like I said, it's a grey area. ;)
	 

	Fair enough - and your numbers are a bit scary! My observation
over the years is that sooner or later someone with access to money or
items of value will convince themselves that they are entitled to help
themselves.
	
	As you say, a lot of it comes down to policies, processes and
procedures, so Mifos needs to maintain a good audit trail to assist
investigation should it be required.

	 

	Input from those managing the day-to-day operations in an MFI
would be invaluable.     
	
	** realizing of course that almost no software deployment can be
done without some changes to processes and procedures, so the goal here
is to minimize that as much as we can and still be relevant to a large
cross section of MFIs
	
	Regards

	Graeme 
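Two of the controls argued for in the quoted discussion, logging every logon attempt with a second-accurate timestamp and source IP, and keeping the person who enters a loan from approving or disbursing it, as one added example in Python (not Mifos code, and not written by either author of the thread); the class names, the `mifos-audit` tag, the users, addresses and loan ids are all constructed here for illustration.

```python
# Added example, not Mifos code: a syslog-style audit trail for logon attempts
# plus a maker-checker rule for loan request/approve/disburse.  All names here
# (AuditLog, LoanWorkflow, the "mifos-audit" tag, users, IPs, loan ids) are
# constructed for illustration.
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timezone


class SegregationOfDutiesError(Exception):
    """The person who entered a loan request tried to approve or disburse it."""


class WorkflowOrderError(Exception):
    """A workflow step was attempted before its prerequisite step."""


@dataclass
class AuditLog:
    """Append-only audit trail, one event per line.  Every line carries a UTC
    timestamp to the second, the actor, the client IP and the outcome, so it can
    be correlated with auth.log or Windows Security-log events on other hosts."""
    lines: list[str] = field(default_factory=list)

    def record(self, event: str, user: str, ip: str, outcome: str,
               when: datetime | None = None, **detail: str) -> str:
        stamp = (when or datetime.now(timezone.utc)).astimezone(timezone.utc)
        line = (f"{stamp.strftime('%Y-%m-%dT%H:%M:%SZ')} mifos-audit "
                f"event={event} user={user} ip={ip} outcome={outcome}")
        for key in sorted(detail):          # stable key order keeps lines greppable
            line += f" {key}={detail[key]}"
        self.lines.append(line)
        return line

    def logon(self, user: str, ip: str, success: bool,
              when: datetime | None = None) -> str:
        """Record both failed and successful attempts, not only the last login."""
        return self.record("logon", user, ip,
                           "success" if success else "failure", when)


@dataclass
class LoanWorkflow:
    """Maker-checker rule: whoever entered the request may neither approve nor
    disburse that loan, so the simplest fraud needs two people acting together.
    Denied attempts are written to the audit log as well as successful ones."""
    audit: AuditLog
    steps: dict[str, dict[str, str]] = field(default_factory=dict)  # loan -> {step: user}

    ORDER = ("request", "approve", "disburse")

    def _act(self, loan_id: str, step: str, user: str, ip: str,
             when: datetime | None = None) -> None:
        done = self.steps.setdefault(loan_id, {})
        idx = self.ORDER.index(step)
        if idx > 0 and self.ORDER[idx - 1] not in done:
            self.audit.record("loan." + step, user, ip, "denied", when,
                              loan=loan_id, reason="missing_" + self.ORDER[idx - 1])
            raise WorkflowOrderError(f"{loan_id}: {step} before {self.ORDER[idx - 1]}")
        if idx > 0 and done.get("request") == user:
            self.audit.record("loan." + step, user, ip, "denied", when,
                              loan=loan_id, reason="segregation_of_duties")
            raise SegregationOfDutiesError(f"{user} entered {loan_id} and may not {step} it")
        done[step] = user
        self.audit.record("loan." + step, user, ip, "ok", when, loan=loan_id)

    def request(self, loan_id, user, ip, when=None):
        self._act(loan_id, "request", user, ip, when)

    def approve(self, loan_id, user, ip, when=None):
        self._act(loan_id, "approve", user, ip, when)

    def disburse(self, loan_id, user, ip, when=None):
        self._act(loan_id, "disburse", user, ip, when)


def demo_scenario() -> list[str]:
    """Constructed sample run: a failed then a successful logon, and a loan whose
    requester is refused approval before two other people complete it."""
    t0 = datetime(2008, 9, 19, 1, 0, 0, tzinfo=timezone.utc)
    log = AuditLog()
    wf = LoanWorkflow(log)
    log.logon("alice", "192.0.2.10", False, t0)
    log.logon("alice", "192.0.2.10", True, t0.replace(second=7))
    wf.request("LN-1001", "alice", "192.0.2.10", t0.replace(minute=5))
    try:
        wf.approve("LN-1001", "alice", "192.0.2.10", t0.replace(minute=6))
    except SegregationOfDutiesError:
        pass                                 # the refusal is already in the log
    wf.approve("LN-1001", "bob", "192.0.2.20", t0.replace(minute=30))
    wf.disburse("LN-1001", "carol", "192.0.2.30", t0.replace(hour=2))
    return log.lines


if __name__ == "__main__":
    print("\n".join(demo_scenario()))
```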


[Attachment #3 (text/html)]

<html xmlns:v="urn:schemas-microsoft-com:vml" \
xmlns:o="urn:schemas-microsoft-com:office:office" \
xmlns:w="urn:schemas-microsoft-com:office:word" \
xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" \
xmlns="http://www.w3.org/TR/REC-html40">

<head>
<meta http-equiv=Content-Type content="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 12 (filtered medium)">
<!--[if !mso]>
<style>
v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style>
<![endif]-->
<title>Re: [Mifos-functional] Discussion: Recommended IT Policies for MFIs</title>
<style>
<!--
 /* Font Definitions */
 @font-face
	{font-family:Calibri;
	panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
	{font-family:Tahoma;
	panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
	{font-family:Consolas;
	panose-1:2 11 6 9 2 2 4 3 2 4;}
 /* Style Definitions */
 p.MsoNormal, li.MsoNormal, div.MsoNormal
	{margin:0in;
	margin-bottom:.0001pt;
	font-size:12.0pt;
	font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
	{mso-style-priority:99;
	color:blue;
	text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
	{mso-style-priority:99;
	color:purple;
	text-decoration:underline;}
p.MsoPlainText, li.MsoPlainText, div.MsoPlainText
	{mso-style-priority:99;
	mso-style-link:"Plain Text Char";
	margin:0in;
	margin-bottom:.0001pt;
	font-size:10.5pt;
	font-family:Consolas;}
span.EmailStyle17
	{mso-style-type:personal-reply;
	font-family:"Calibri","sans-serif";
	color:#1F497D;}
span.PlainTextChar
	{mso-style-name:"Plain Text Char";
	mso-style-priority:99;
	mso-style-link:"Plain Text";
	font-family:Consolas;}
.MsoChpDefault
	{mso-style-type:export-only;
	font-size:10.0pt;}
@page Section1
	{size:8.5in 11.0in;
	margin:1.0in 1.0in 1.0in 1.0in;}
div.Section1
	{page:Section1;}
-->
</style>
<!--[if gte mso 9]><xml>
 <o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
 <o:shapelayout v:ext="edit">
  <o:idmap v:ext="edit" data="1" />
 </o:shapelayout></xml><![endif]-->
</head>

<body lang=EN-US link=blue vlink=purple>

<div class=Section1>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Apologies for the delay in setting up the users list.&nbsp; I
spoke with Emily and others on the team last week about getting this done and
due to a few other pressing tasks, we decided to wait for a couple weeks until
we had some bandwidth.&nbsp; We&#8217;ve decided to set up a new list called \
&#8220;Mifos Help&#8221; which will be for anyone who is setting up or using Mifos in
production.&nbsp; This will be the place to share information and ask questions
about installing and deploying Mifos, troubleshooting deployment issues,
discussing best practices around the implementation process, \
etc.<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p>&nbsp;</o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Below is a chart we put together describing the different
categories of discussions, which list they used to take place on and where they
should take place once we have the new list set up.&nbsp; If you (or anyone
else) has any final feedback before I set up the new lists this week, let me
know.<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p>&nbsp;</o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Thanks,<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p>&nbsp;</o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Aliya<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p>&nbsp;</o:p></span></p>

<table class=MsoNormalTable border=0 cellspacing=0 cellpadding=0
 style='border-collapse:collapse'>
 <tr>
  <td width=213 valign=top style='width:159.6pt;border:solid black 1.0pt;
  padding:0in 5.4pt 0in 5.4pt'>
  <p class=MsoPlainText><b><span \
style='font-family:"Calibri","sans-serif"'>Use/Need<o:p></o:p></span></b></p>  </td>
  <td width=213 valign=top style='width:159.6pt;border:solid black 1.0pt;
  border-left:none;padding:0in 5.4pt 0in 5.4pt'>
  <p class=MsoPlainText><b><span style='font-family:"Calibri","sans-serif"'>User
  Group<o:p></o:p></span></b></p>
  </td>
  <td width=213 valign=top style='width:159.6pt;border:solid black 1.0pt;
  border-left:none;padding:0in 5.4pt 0in 5.4pt'>
  <p class=MsoPlainText><b><span style='font-family:"Calibri","sans-serif"'>Current
  List<o:p></o:p></span></b></p>
  </td>
  <td width=213 valign=top style='width:159.6pt;border:solid black 1.0pt;
  border-left:none;padding:0in 5.4pt 0in 5.4pt'>
  <p class=MsoPlainText><b><span style='font-family:"Calibri","sans-serif"'>Future
  List<o:p></o:p></span></b></p>
  </td>
 </tr>
 <tr>
  <td width=213 valign=top style='width:159.6pt;border:solid black 1.0pt;
  border-top:none;padding:0in 5.4pt 0in 5.4pt'>
  <p class=MsoPlainText><span style='font-family:"Calibri","sans-serif"'>Discussing
  code design/development of new features or bug fixes<o:p></o:p></span></p>
  </td>
  <td width=213 valign=top style='width:159.6pt;border-top:none;border-left:
  none;border-bottom:solid black 1.0pt;border-right:solid black 1.0pt;
  padding:0in 5.4pt 0in 5.4pt'>
  <p class=MsoPlainText><span style='font-family:"Calibri","sans-serif"'>Software
  development teams <o:p></o:p></span></p>
  </td>
  <td width=213 valign=top style='width:159.6pt;border-top:none;border-left:
  none;border-bottom:solid black 1.0pt;border-right:solid black 1.0pt;
  padding:0in 5.4pt 0in 5.4pt'>
  <p class=MsoPlainText><span \
style='font-family:"Calibri","sans-serif"'>Developer<o:p></o:p></span></p>  </td>
  <td width=213 valign=top style='width:159.6pt;border-top:none;border-left:
  none;border-bottom:solid black 1.0pt;border-right:solid black 1.0pt;
  padding:0in 5.4pt 0in 5.4pt'>
  <p class=MsoPlainText><span \
style='font-family:"Calibri","sans-serif"'>Developer<o:p></o:p></span></p>  </td>
 </tr>
 <tr>
  <td width=213 valign=top style='width:159.6pt;border:solid black 1.0pt;
  border-top:none;padding:0in 5.4pt 0in 5.4pt'>
  <p class=MsoPlainText><span style='font-family:"Calibri","sans-serif"'>Patch
  review notifications<o:p></o:p></span></p>
  </td>
  <td width=213 valign=top style='width:159.6pt;border-top:none;border-left:
  none;border-bottom:solid black 1.0pt;border-right:solid black 1.0pt;
  padding:0in 5.4pt 0in 5.4pt'>
  <p class=MsoPlainText><span style='font-family:"Calibri","sans-serif"'>Software
  development teams<o:p></o:p></span></p>
  </td>
  <td width=213 valign=top style='width:159.6pt;border-top:none;border-left:
  none;border-bottom:solid black 1.0pt;border-right:solid black 1.0pt;
  padding:0in 5.4pt 0in 5.4pt'>
  <p class=MsoPlainText><span \
style='font-family:"Calibri","sans-serif"'>Developer<o:p></o:p></span></p>  </td>
  <td width=213 valign=top style='width:159.6pt;border-top:none;border-left:
  none;border-bottom:solid black 1.0pt;border-right:solid black 1.0pt;
  padding:0in 5.4pt 0in 5.4pt'>
  <p class=MsoPlainText><span \
style='font-family:"Calibri","sans-serif"'>Developer<o:p></o:p></span></p>  </td>
 </tr>
 <tr>
  <td width=213 valign=top style='width:159.6pt;border:solid black 1.0pt;
  border-top:none;padding:0in 5.4pt 0in 5.4pt'>
  <p class=MsoPlainText><span style='font-family:"Calibri","sans-serif"'>Discussing
  design of new features to be developed <o:p></o:p></span></p>
  </td>
  <td width=213 valign=top style='width:159.6pt;border-top:none;border-left:
  none;border-bottom:solid black 1.0pt;border-right:solid black 1.0pt;
  padding:0in 5.4pt 0in 5.4pt'>
  <p class=MsoPlainText><span style='font-family:"Calibri","sans-serif"'>Software
  development teams/IT specialists/MFIs<o:p></o:p></span></p>
  </td>
  <td width=213 valign=top style='width:159.6pt;border-top:none;border-left:
  none;border-bottom:solid black 1.0pt;border-right:solid black 1.0pt;
  padding:0in 5.4pt 0in 5.4pt'>
  <p class=MsoPlainText><span \
style='font-family:"Calibri","sans-serif"'>Functional<o:p></o:p></span></p>  <p \
class=MsoPlainText><span \
style='font-family:"Calibri","sans-serif"'><o:p>&nbsp;</o:p></span></p>  </td>
  <td width=213 valign=top style='width:159.6pt;border-top:none;border-left:
  none;border-bottom:solid black 1.0pt;border-right:solid black 1.0pt;
  padding:0in 5.4pt 0in 5.4pt'>
  <p class=MsoPlainText><span \
style='font-family:"Calibri","sans-serif"'>Functional<o:p></o:p></span></p>  </td>
 </tr>
 <tr style='height:27.85pt'>
  <td width=213 valign=top style='width:159.6pt;border:solid black 1.0pt;
  border-top:none;padding:0in 5.4pt 0in 5.4pt;height:27.85pt'>
  <p class=MsoPlainText><span style='font-family:"Calibri","sans-serif"'>Asking
  questions about current functionality<o:p></o:p></span></p>
  </td>
  <td width=213 valign=top style='width:159.6pt;border-top:none;border-left:
  none;border-bottom:solid black 1.0pt;border-right:solid black 1.0pt;
  padding:0in 5.4pt 0in 5.4pt;height:27.85pt'>
  <p class=MsoPlainText><span style='font-family:"Calibri","sans-serif"'>IT
  Specialists/MFIs<o:p></o:p></span></p>
  </td>
  <td width=213 valign=top style='width:159.6pt;border-top:none;border-left:
  none;border-bottom:solid black 1.0pt;border-right:solid black 1.0pt;
  padding:0in 5.4pt 0in 5.4pt;height:27.85pt'>
  <p class=MsoPlainText><span \
style='font-family:"Calibri","sans-serif"'>Functional<o:p></o:p></span></p>  <p \
class=MsoPlainText><span \
style='font-family:"Calibri","sans-serif"'><o:p>&nbsp;</o:p></span></p>  </td>
  <td width=213 valign=top style='width:159.6pt;border-top:none;border-left:
  none;border-bottom:solid black 1.0pt;border-right:solid black 1.0pt;
  padding:0in 5.4pt 0in 5.4pt;height:27.85pt'>
  <p class=MsoPlainText><span \
style='font-family:"Calibri","sans-serif"'>Functional<o:p></o:p></span></p>  </td>
 </tr>
 <tr>
  <td width=213 valign=top style='width:159.6pt;border:solid black 1.0pt;
  border-top:none;padding:0in 5.4pt 0in 5.4pt'>
  <p class=MsoPlainText><span \
style='font-family:"Calibri","sans-serif"'>Investigating  potential bugs in the \
system from a functional perspective<o:p></o:p></span></p>  </td>
  <td width=213 valign=top style='width:159.6pt;border-top:none;border-left:
  none;border-bottom:solid black 1.0pt;border-right:solid black 1.0pt;
  padding:0in 5.4pt 0in 5.4pt'>
  <p class=MsoPlainText><span style='font-family:"Calibri","sans-serif"'>IT
  Specialists/Software developers<o:p></o:p></span></p>
  </td>
  <td width=213 valign=top style='width:159.6pt;border-top:none;border-left:
  none;border-bottom:solid black 1.0pt;border-right:solid black 1.0pt;
  padding:0in 5.4pt 0in 5.4pt'>
  <p class=MsoPlainText><span \
style='font-family:"Calibri","sans-serif"'>Functional/Developer<o:p></o:p></span></p> \
</td>  <td width=213 valign=top style='width:159.6pt;border-top:none;border-left:
  none;border-bottom:solid black 1.0pt;border-right:solid black 1.0pt;
  padding:0in 5.4pt 0in 5.4pt'>
  <p class=MsoPlainText><span \
style='font-family:"Calibri","sans-serif"'>Functional<o:p></o:p></span></p>  </td>
 </tr>
 <tr>
  <td width=213 valign=top style='width:159.6pt;border:solid black 1.0pt;
  border-top:none;padding:0in 5.4pt 0in 5.4pt'>
  <p class=MsoPlainText><span style='font-family:"Calibri","sans-serif"'>Asking
  technical questions about how to deploy Mifos in production (software stack,
  server set up, etc)<o:p></o:p></span></p>
  </td>
  <td width=213 valign=top style='width:159.6pt;border-top:none;border-left:
  none;border-bottom:solid black 1.0pt;border-right:solid black 1.0pt;
  padding:0in 5.4pt 0in 5.4pt'>
  <p class=MsoPlainText><span style='font-family:"Calibri","sans-serif"'>IT
  Specialists<o:p></o:p></span></p>
  </td>
  <td width=213 valign=top style='width:159.6pt;border-top:none;border-left:
  none;border-bottom:solid black 1.0pt;border-right:solid black 1.0pt;
  padding:0in 5.4pt 0in 5.4pt'>
  <p class=MsoPlainText><span \
style='font-family:"Calibri","sans-serif"'>Developer<o:p></o:p></span></p>  </td>
  <td width=213 valign=top style='width:159.6pt;border-top:none;border-left:
  none;border-bottom:solid black 1.0pt;border-right:solid black 1.0pt;
  padding:0in 5.4pt 0in 5.4pt'>
  <p class=MsoPlainText><span \
style='font-family:"Calibri","sans-serif"'>Help<o:p></o:p></span></p>  </td>
 </tr>
 <tr>
  <td width=213 valign=top style='width:159.6pt;border:solid black 1.0pt;
  border-top:none;padding:0in 5.4pt 0in 5.4pt'>
  <p class=MsoPlainText><span style='font-family:"Calibri","sans-serif"'>Asking
  questions about data migration<o:p></o:p></span></p>
  </td>
  <td width=213 valign=top style='width:159.6pt;border-top:none;border-left:
  none;border-bottom:solid black 1.0pt;border-right:solid black 1.0pt;
  padding:0in 5.4pt 0in 5.4pt'>
  <p class=MsoPlainText><span style='font-family:"Calibri","sans-serif"'>IT
  Specialists<o:p></o:p></span></p>
  </td>
  <td width=213 valign=top style='width:159.6pt;border-top:none;border-left:
  none;border-bottom:solid black 1.0pt;border-right:solid black 1.0pt;
  padding:0in 5.4pt 0in 5.4pt'>
  <p class=MsoPlainText><span \
style='font-family:"Calibri","sans-serif"'>Developer/Functional<o:p></o:p></span></p> \
</td>  <td width=213 valign=top style='width:159.6pt;border-top:none;border-left:
  none;border-bottom:solid black 1.0pt;border-right:solid black 1.0pt;
  padding:0in 5.4pt 0in 5.4pt'>
  <p class=MsoPlainText><span \
style='font-family:"Calibri","sans-serif"'>Help<o:p></o:p></span></p>  </td>
 </tr>
 <tr>
  <td width=213 valign=top style='width:159.6pt;border:solid black 1.0pt;
  border-top:none;padding:0in 5.4pt 0in 5.4pt'>
  <p class=MsoPlainText><span style='font-family:"Calibri","sans-serif"'>Asking
  questions about how to create reports<o:p></o:p></span></p>
  </td>
  <td width=213 valign=top style='width:159.6pt;border-top:none;border-left:
  none;border-bottom:solid black 1.0pt;border-right:solid black 1.0pt;
  padding:0in 5.4pt 0in 5.4pt'>
  <p class=MsoPlainText><span style='font-family:"Calibri","sans-serif"'>IT
  Specialists<o:p></o:p></span></p>
  </td>
  <td width=213 valign=top style='width:159.6pt;border-top:none;border-left:
  none;border-bottom:solid black 1.0pt;border-right:solid black 1.0pt;
  padding:0in 5.4pt 0in 5.4pt'>
  <p class=MsoPlainText><span \
style='font-family:"Calibri","sans-serif"'>Developer<o:p></o:p></span></p>  </td>
  <td width=213 valign=top style='width:159.6pt;border-top:none;border-left:
  none;border-bottom:solid black 1.0pt;border-right:solid black 1.0pt;
  padding:0in 5.4pt 0in 5.4pt'>
  <p class=MsoPlainText><span \
style='font-family:"Calibri","sans-serif"'>Help<o:p></o:p></span></p>  </td>
 </tr>
 <tr>
  <td width=213 valign=top style='width:159.6pt;border-top:none;border-left:
  solid black 1.0pt;border-bottom:solid windowtext 1.0pt;border-right:solid black \
1.0pt;  padding:0in 5.4pt 0in 5.4pt'>
  <p class=MsoPlainText><span style='font-family:"Calibri","sans-serif"'>Asking
  questions about deployment process (UAT, training, etc)<o:p></o:p></span></p>
  </td>
  <td width=213 valign=top style='width:159.6pt;border-top:none;border-left:
  none;border-bottom:solid windowtext 1.0pt;border-right:solid black 1.0pt;
  padding:0in 5.4pt 0in 5.4pt'>
  <p class=MsoPlainText><span style='font-family:"Calibri","sans-serif"'>IT
  Specialists<o:p></o:p></span></p>
  </td>
  <td width=213 valign=top style='width:159.6pt;border-top:none;border-left:
  none;border-bottom:solid windowtext 1.0pt;border-right:solid black 1.0pt;
  padding:0in 5.4pt 0in 5.4pt'>
  <p class=MsoPlainText><span \
style='font-family:"Calibri","sans-serif"'>Functional/developer<o:p></o:p></span></p> \
</td>  <td width=213 valign=top style='width:159.6pt;border-top:none;border-left:
  none;border-bottom:solid windowtext 1.0pt;border-right:solid black 1.0pt;
  padding:0in 5.4pt 0in 5.4pt'>
  <p class=MsoPlainText><span \
style='font-family:"Calibri","sans-serif"'>Help<o:p></o:p></span></p>  </td>
 </tr>
 <tr style='height:17.5pt'>
  <td width=213 valign=top style='width:159.6pt;border-top:none;border-left:
  solid black 1.0pt;border-bottom:solid windowtext 1.0pt;border-right:solid black \
1.0pt;  padding:0in 5.4pt 0in 5.4pt;height:17.5pt'>
  <p class=MsoPlainText><span style='font-family:"Calibri","sans-serif"'>Raising
  production issues/bugs (e.g. performance issues, logging issues, functional
  issues, etc)<o:p></o:p></span></p>
  </td>
  <td width=213 valign=top style='width:159.6pt;border-top:none;border-left:
  none;border-bottom:solid windowtext 1.0pt;border-right:solid black 1.0pt;
  padding:0in 5.4pt 0in 5.4pt;height:17.5pt'>
  <p class=MsoPlainText><span style='font-family:"Calibri","sans-serif"'>IT
  Specialists<o:p></o:p></span></p>
  </td>
  <td width=213 valign=top style='width:159.6pt;border-top:none;border-left:
  none;border-bottom:solid windowtext 1.0pt;border-right:solid black 1.0pt;
  padding:0in 5.4pt 0in 5.4pt;height:17.5pt'>
  <p class=MsoPlainText><span \
style='font-family:"Calibri","sans-serif"'>Developer<o:p></o:p></span></p>  </td>
  <td width=213 valign=top style='width:159.6pt;border-top:none;border-left:
  none;border-bottom:solid windowtext 1.0pt;border-right:solid black 1.0pt;
  padding:0in 5.4pt 0in 5.4pt;height:17.5pt'>
  <p class=MsoPlainText><span \
style='font-family:"Calibri","sans-serif"'>Help<o:p></o:p></span></p>  </td>
 </tr>
 <tr style='height:17.5pt'>
  <td width=213 valign=top style='width:159.6pt;border-top:none;border-left:
  solid black 1.0pt;border-bottom:solid windowtext 1.0pt;border-right:solid black \
1.0pt;  padding:0in 5.4pt 0in 5.4pt;height:17.5pt'>
  <p class=MsoPlainText><span style='font-family:"Calibri","sans-serif"'>Asking
  questions about how to integrate Mifos with other systems<o:p></o:p></span></p>
  </td>
  <td width=213 valign=top style='width:159.6pt;border-top:none;border-left:
  none;border-bottom:solid windowtext 1.0pt;border-right:solid black 1.0pt;
  padding:0in 5.4pt 0in 5.4pt;height:17.5pt'>
  <p class=MsoPlainText><span style='font-family:"Calibri","sans-serif"'>IT
  Specialists<o:p></o:p></span></p>
  </td>
  <td width=213 valign=top style='width:159.6pt;border-top:none;border-left:
  none;border-bottom:solid windowtext 1.0pt;border-right:solid black 1.0pt;
  padding:0in 5.4pt 0in 5.4pt;height:17.5pt'>
  <p class=MsoPlainText><span \
style='font-family:"Calibri","sans-serif"'>Developer<o:p></o:p></span></p>  </td>
  <td width=213 valign=top style='width:159.6pt;border-top:none;border-left:
  none;border-bottom:solid windowtext 1.0pt;border-right:solid black 1.0pt;
  padding:0in 5.4pt 0in 5.4pt;height:17.5pt'>
  <p class=MsoPlainText><span \
style='font-family:"Calibri","sans-serif"'>Help<o:p></o:p></span></p>  </td>
 </tr>
</table>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p>&nbsp;</o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p>&nbsp;</o:p></span></p>

<div style='border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt'>

<div>

<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'>

<p class=MsoNormal><b><span \
style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span \
style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> Graeme Ruthven \
[mailto:graeme@kula.co.nz] <br> <b>Sent:</b> Friday, September 19, 2008 9:11 PM<br>
<b>To:</b> 'Mifos functional discussions'<br>
<b>Subject:</b> Re: [Mifos-functional] Discussion: Recommended IT Policies for
MFIs<o:p></o:p></span></p>

</div>

</div>

<p class=MsoNormal><o:p>&nbsp;</o:p></p>

<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";
color:maroon'>Ryan</span><o:p></o:p></p>

<p class=MsoNormal>&nbsp;<o:p></o:p></p>

<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";
color:maroon'>I think that this type of discussion is well worthwhile but, as
you say, we're getting way off-topic for either the developer or functional
lists.</span><o:p></o:p></p>

<p class=MsoNormal>&nbsp;<o:p></o:p></p>

<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";
color:maroon'>Perhaps it's time to revisit the earlier threads about setting up
a users list? As you also say, gathering together ideas that will help MFIs
formulate their policies is a great idea and I'm sure that there are many of us
with general IT and business experience who can contribute.</span><o:p></o:p></p>

<p class=MsoNormal>&nbsp;<o:p></o:p></p>

<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";
color:maroon'>This discussion is getting a bit messy, with lots of topics being
discussed, with a wide range of general policy stuff and Mifos specifics. Not
to mention confusion from different email formats.</span><o:p></o:p></p>

<p class=MsoNormal>&nbsp;<o:p></o:p></p>

<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";
color:maroon'>Can anyone suggest a better way of tracking the items - a wiki
page perhaps?</span><o:p></o:p></p>

<p class=MsoNormal>&nbsp;<o:p></o:p></p>

<blockquote style='border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in \
4.0pt; margin-left:3.75pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt'>

<p class=MsoNormal><o:p>&nbsp;</o:p></p>

<div class=MsoNormal align=center style='text-align:center'>

<hr size=2 width="100%" align=center>

</div>

<p class=MsoNormal style='margin-bottom:12.0pt'><b><span style='font-size:10.0pt;
font-family:"Tahoma","sans-serif"'>From:</span></b><span style='font-size:10.0pt;
font-family:"Tahoma","sans-serif"'>
mifos-functional-bounces@lists.sourceforge.net
[mailto:mifos-functional-bounces@lists.sourceforge.net] <b>On Behalf Of </b>Ryan
Whitney<br>
<b>Sent:</b> Friday, 19 September 2008 01:00<br>
<b>To:</b> Mifos functional discussions<br>
<b>Subject:</b> Re: [Mifos-functional] Discussion: Recommended IT Policies for
MFIs</span><o:p></o:p></p>

<p class=MsoNormal style='margin-bottom:12.0pt'><span style='font-size:11.0pt;
font-family:"Calibri","sans-serif"'>On 9/18/08 11:10 AM, &quot;Graeme
Ruthven&quot; &lt;<a href="mailto:graeme@kula.co.nz">graeme@kula.co.nz</a>&gt;
wrote:</span><o:p></o:p></p>

<p class=MsoNormal><span style='font-size:10.0pt;font-family:Consolas'>&gt;
*&nbsp;Passwords<br>
&gt; &nbsp;*&nbsp;MFIs should require their employees to create <br>
&gt; strong passwords <br>
<br>
Yes, and this can be enforced by Mifos.</span><o:p></o:p></p>

<div>

<p class=MsoNormal><span style='font-size:10.0pt;font-family:Consolas;
color:blue'>Are you saying we have this feature in Mifos or it&#8217;s something we
could add? &nbsp;I&#8217;m thinking the latter in hopes I&#8217;m not that
ignorant about Mifos ;)</span><o:p></o:p></p>

</div>

<div>

<p class=MsoNormal>&nbsp;<o:p></o:p></p>

</div>

<div>

<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";
color:maroon'>I don't believe that this is a feature, but it could be
added if required. Google suggests that suitable libraries are
available.</span><o:p></o:p></p>


</div>

<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'>

<div>

<p class=MsoNormal><span style='font-size:10.0pt;font-family:Consolas'>&gt;
&nbsp;*&nbsp;Nobody should be writing passwords down <br>
&gt; anywhere (like on a piece of paper next to the computer ;)) <br>
<br>
Awww... No yellow stickies? :-(</span><o:p></o:p></p>

</div>

</blockquote>

<p class=MsoNormal><span style='font-size:10.0pt;font-family:Consolas;
color:blue'>I always figured the answer to this is not to punish anyone who you
find doing that. &nbsp;Just walk around the office once a month and black them
out with Sharpie. &nbsp;That ought to get people&#8217;s attention
;)</span><o:p></o:p></p>

<p class=MsoNormal style='margin-bottom:12.0pt'><span style='font-size:10.0pt;
font-family:Consolas'><br>
&gt; &nbsp;*&nbsp;Require employees to choose a new password <br>
&gt; every 3, 6, or 12 months<br>
<br>
Again, can be enforced by Mifos, best through a configurable
option.</span><o:p></o:p></p>

<div>

<p class=MsoNormal><span style='font-size:10.0pt;font-family:Consolas;
color:blue'>Another possible feature request, right? (Scaring me here ;))</span><span
style='font-size:10.0pt;font-family:"Arial","sans-serif";color:blue'>&nbsp;</span><o:p></o:p></p>


</div>

<div>

<p class=MsoNormal>&nbsp;<o:p></o:p></p>

</div>

<div>

<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";
color:maroon'>Yep, I believe that would have to be a feature request. I should
have said &quot;could&quot;, not &quot;can&quot;! A lot of applications,
together with Windows and Linux, are able to enforce password strength and
expiry, although this isn't always turned on.</span><span style='font-size:
10.0pt;font-family:Consolas;color:blue'><o:p></o:p></span></p>

</div>

<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'>

<p class=MsoNormal><span style='font-size:10.0pt;font-family:Consolas'><br>
&gt; Obviously, some of these can be resolved technically <br>
&gt; (infrastructure setup, feature requests to Mifos, possibly <br>
&gt; reports - i.e., one reporting the last time people logged in), <br>
&gt; but it's still good to have these written down.<br>
<br>
I believe that an MFI should have a good security policy and signing it<br>
should be a condition of employment.<br>
<br>
Where controls can be implemented by the software, this should be
done.</span><o:p></o:p></p>

</blockquote>

<div>

<p class=MsoNormal><span style='font-size:10.0pt;font-family:Consolas'><br>
<span style='color:blue'>I agree 100%, which is why I brought this up.
I&#8217;m realizing that what we&#8217;re doing here is more than just building
MFI software, we&#8217;re having to help people run it safely and securely
;)</span><o:p></o:p></span></p>

</div>

<div>

<p class=MsoNormal><span style='font-size:10.0pt;font-family:Consolas'>&nbsp;<o:p></o:p></span></p>

</div>

<div>

<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";
color:maroon'>Hence my comment at the start. I totally agree. Perhaps a wiki
page on security to capture the&nbsp;various thoughts.</span><span
style='font-size:10.0pt;font-family:Consolas'><o:p></o:p></span></p>

</div>

<div>

<p class=MsoNormal><span style='font-size:10.0pt;font-family:Consolas'>&nbsp;<o:p></o:p></span></p>

</div>

<div>

<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";
color:maroon'>We need to be prepared for a wide range of opinions and some healthy
debate.</span><span style='font-size:10.0pt;font-family:Consolas'><o:p></o:p></span></p>


</div>

<div>

<p class=MsoNormal><span style='font-size:10.0pt;font-family:Consolas;
color:blue'>&nbsp;<o:p></o:p></span></p>

</div>

<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'>

<p class=MsoNormal><span style='font-size:10.0pt;font-family:Consolas'>All
logon attempts - failed and successful - should be logged. See auth.log<br>
on a Linux system or the Security log on a Windows system. Timestamps should<br>
be accurate to the second (or better) in case they need to be correlated<br>
with other events. Which implies that system clocks in the network should<br>
all be synchronised with a suitable time standard. Simple to implement, but<br>
often overlooked...</span><o:p></o:p></p>

</blockquote>

<div>

<p class=MsoNormal><span style='font-size:10.0pt;font-family:Consolas;
color:blue'>I&#8217;m not sure, but I believe we track that. &nbsp;Can someone
else confirm this?</span><o:p></o:p></p>

</div>

<div>

<p class=MsoNormal>&nbsp;<o:p></o:p></p>

</div>

<div>

<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";
color:maroon'>I don't believe so. Table &quot;personnel&quot; has a
&quot;LAST_LOGIN&quot; field for each user, but this only records the date (of
the last logon), which I don't see as fine enough granularity.</span><o:p></o:p></p>

</div>

<div>

<p class=MsoNormal>&nbsp;<o:p></o:p></p>

</div>

<div>

<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";
color:maroon'>I recommend that IP address is logged as well.</span><o:p></o:p></p>

</div>

</blockquote>

<blockquote style='border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt;
margin-left:3.75pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt'>

<div>

<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";
color:maroon'>I would prefer to see a log along the lines of a Linux
auth.log as above. Surely there must be a Java library that supports
syslog-type output?</span><o:p></o:p></p>

</div>

<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'>

<p class=MsoNormal><span style='font-size:10.0pt;font-family:Consolas'>Another
one I think should be addressed is segregation of duties. A person<br>
entering a request for a loan or payment should not be allowed to approve or<br>
disburse it. An entirely separate person must make the approval or payment.<br>
This means that, unless passwords have been shared in violation of policy or<br>
privilege escalation has occurred, the most basic form of fraud requires two<br>
people acting together.</span><o:p></o:p></p>

</blockquote>

<div>

<p class=MsoNormal><span style='font-size:10.0pt;font-family:Consolas;
color:blue'>I agree and disagree, this is a kind of gray area (and going to
sort of contradict something I said earlier...). &nbsp;The previous points
above are general IT policy questions, but this is more of a procedural issue
(And I&#8217;m a tech guy, not an MF expert... Not yet at least).
&nbsp;Certainly it&#8217;s something worth discussing, especially with how Mifos is
involved with the process, but I&#8217;d hesitate before I decided on any
absolutes like that.<br>
<br>
<b>I think Mifos&#8217;s goals should be to provide the flexibility for
MFIs to model their processes and procedures as closely as possible**
and provide a detailed audit trail.<br>
</b><br>
And in practice, I&#8217;m not sure I agree with your example either.
&nbsp;Take for instance a manager who oversees 50 loan officers, each of whom is
creating around 10 new loans a day, meaning he or she has somewhere around 500
new loan accounts to approve every day (a real scenario, actually).
&nbsp;Is the manager going to dig through every single one and validate each
one, does he or she know if every customer is real or not? &nbsp;<br>
<br>
In that case, I don&#8217;t think the manager is going to dig into that detail
and will most likely approve most loans unless they see something that stands
out. &nbsp;As the manager, he or she is still responsible, but that would be
the case whether they were the ones approving the loans or not. &nbsp;What you
are providing in this scenario is a second set of eyes on a loan application
(so it&#8217;d be a lot harder to commit a fraud of taking out 15000 as opposed
to a normal 150) and the audit trail. &nbsp;<br>
<br>
No software can guarantee against fraud, it can only help you fight it.
&nbsp;At some level you have to trust people underneath you ;) (hhhmm, that
makes me think of another topical question...). &nbsp;Either way, providing
some assistance on how MFIs will need to change their processes and procedures
is needed, but like I said, it&#8217;s a grey area. ;)<br>
</span><o:p></o:p></p>

</div>

<div>

<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";
color:maroon'>Fair enough - and your numbers are a bit scary! My observation
over the years is that sooner or later someone with access to money or items of
value will convince themselves that they are entitled to help themselves.<br>
<br>
As you say, a lot of it comes down to policies, processes and procedures, so
Mifos needs to maintain a good audit trail to assist investigation should it be
required.</span><o:p></o:p></p>

</div>

<div>

<p class=MsoNormal>&nbsp;<o:p></o:p></p>

</div>

<div>

<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";
color:maroon'>Input from those managing the day-to-day operations in an MFI
would be invaluable.</span><span style='font-size:10.0pt;
font-family:Consolas'><br>
<span style='color:blue'><br>
** realizing of course that almost no software deployment can be done without
some changes to processes and procedures, so the goal here is to minimize that
as much as we can and still be relevant to a large cross section of MFIs<br>
</span><br>
</span><span style='font-size:10.0pt;font-family:"Arial","sans-serif";
color:maroon'>Regards</span><o:p></o:p></p>

</div>

<div>

<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";
color:maroon'>Graeme</span><o:p></o:p></p>

</div>

</blockquote>

</div>

</div>
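<p class=MsoNormal>Added example, not code from this thread or from the Mifos project: a Java sketch of the two controls the exchange above argues for, an auth.log-style trail that records every logon attempt (failed and successful) with a second-accurate UTC timestamp and the client IP, and a maker-checker rule that refuses to let the officer who entered a loan also approve it, writing the refusal to the same trail. The class names (AuditTrailExample, AuditLog, AuditEvent, Loan), the user names and the 192.0.2.x addresses are all assumptions constructed for the example; Mifos's own "personnel" table and LAST_LOGIN field are not used.</p>

```java
import java.time.Clock;
import java.time.Instant;
import java.time.ZoneOffset;
import java.time.format.DateTimeFormatter;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

/**
 * Added example, not Mifos code: an auth.log-style audit trail with
 * second-accurate UTC timestamps and the client IP, plus a maker-checker
 * (segregation of duties) rule for loan approval that writes to the same trail.
 * AuditLog, AuditEvent and Loan are hypothetical names chosen for this example.
 */
public final class AuditTrailExample {

    /** One log line: UTC timestamp to the second, event type, user, client IP, outcome. */
    public static final class AuditEvent {
        private static final DateTimeFormatter TS =
            DateTimeFormatter.ofPattern("yyyy-MM-dd'T'HH:mm:ss'Z'").withZone(ZoneOffset.UTC);
        public final Instant at;
        public final String event;
        public final String user;
        public final String clientIp;
        public final String outcome;

        AuditEvent(Instant at, String event, String user, String clientIp, String outcome) {
            this.at = at; this.event = event; this.user = user;
            this.clientIp = clientIp; this.outcome = outcome;
        }

        @Override public String toString() {
            // e.g. 2008-09-19T01:00:00Z LOGIN user=gruthven ip=192.0.2.10 result=FAILURE
            return TS.format(at) + " " + event + " user=" + user
                 + " ip=" + clientIp + " result=" + outcome;
        }
    }

    /** Append-only in-memory trail; a real deployment would also ship each line to syslog. */
    public static final class AuditLog {
        private final Clock clock;   // injected so timestamps come from the synchronised system clock
        private final List<AuditEvent> events = new ArrayList<>();

        public AuditLog(Clock clock) { this.clock = clock; }

        public AuditEvent record(String event, String user, String clientIp, String outcome) {
            AuditEvent e = new AuditEvent(clock.instant(), event, user, clientIp, outcome);
            events.add(e);
            return e;
        }

        public List<AuditEvent> events() { return Collections.unmodifiableList(events); }
    }

    /** Every logon attempt, failed or successful, is recorded together with the client IP. */
    public static AuditEvent recordLogon(AuditLog log, String user, String clientIp, boolean authenticated) {
        return log.record("LOGIN", user, clientIp, authenticated ? "SUCCESS" : "FAILURE");
    }

    /** A loan request: the officer who entered it may not be the one who approves it. */
    public static final class Loan {
        public final String id;
        public final String createdBy;
        public String approvedBy;   // null until approved

        public Loan(String id, String createdBy) { this.id = id; this.createdBy = createdBy; }
    }

    /** Maker-checker rule: refuse and log a self-approval, otherwise approve and log it. */
    public static boolean approve(AuditLog log, Loan loan, String approver, String clientIp) {
        if (approver.equals(loan.createdBy)) {
            log.record("LOAN_APPROVE", approver, clientIp, "DENIED(self-approval) loan=" + loan.id);
            return false;
        }
        loan.approvedBy = approver;
        log.record("LOAN_APPROVE", approver, clientIp, "SUCCESS loan=" + loan.id);
        return true;
    }

    public static void main(String[] args) {
        // Fixed clock so the output is reproducible; production code would use Clock.systemUTC().
        AuditLog log = new AuditLog(Clock.fixed(Instant.parse("2008-09-19T01:00:00Z"), ZoneOffset.UTC));
        recordLogon(log, "gruthven", "192.0.2.10", false);   // constructed sample: wrong password
        recordLogon(log, "gruthven", "192.0.2.10", true);
        Loan loan = new Loan("L-1001", "officer1");
        approve(log, loan, "officer1", "192.0.2.11");        // denied: the maker may not also check
        approve(log, loan, "manager1", "192.0.2.12");        // allowed: a second person approves
        for (AuditEvent e : log.events()) {
            System.out.println(e);
        }
    }
}
```

<p class=MsoNormal>The clock is injected rather than read from a static call so the trail's timestamps come from whatever synchronised clock the host provides, which is the point made above about NTP-synchronised clocks making correlation possible. The denied self-approval is logged, not silently dropped: a refused action is exactly the record an investigator later wants.</p>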

</body>

</html>


_______________________________________________
Mifos-functional mailing list
Mifos-functional@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mifos-functional

