
Information Security

Owner: Danish Hamid, CISO
Date: 14 April 2026
Status: Draft
Classification: Confidential
Review Cycle: Monthly
CDO Sponsor: Daniel O'Reilly, Chief Digital Officer

Executive Summary

This document sets out the Information Security team's 30/60/90-day operational plan for the period April to July 2026. It is structured around three interdependent priorities: satisfying the DFSA Cat 3D licence evidence requirements (critical path), operationalising the Security Operations Centre (SOC) to a production-ready state, and embedding security into the software delivery lifecycle in line with SDLC v2.0's shift-left mandate.

Simpaisa processes in excess of $1 billion in cross-border payment volume annually across six jurisdictions - Pakistan, Bangladesh, Nepal, Canada, UAE, and Iraq. This scale, combined with active regulatory scrutiny from the DFSA and SBP, elevates Information Security from an operational function to a board-level strategic concern. The CDO joined on 14 April 2026 and this plan is written to align with the broader CDO 90-day programme.

The plan assigns clear ownership across three sub-functions (Security Engineering, SOC, NOC), establishes measurable success criteria for each delivery period, and feeds directly into the board-level security metrics framework to be operational by end of June 2026.


Team Overview

The Information Security function comprises three sub-teams, each with a defined scope and a named lead accountable to the CISO.

Sub-Function | Lead(s) | Scope
Security Engineering | Hamza Bari (Lead), Kamran Kashif (Lead) | Secure SDLC, threat modelling, Snyk/CI-CD integration, penetration testing programme, vulnerability management
Security Operations Centre (SOC) | Rana Muhammad Khubaib (Lead SOC Analyst), Muhammad Zain-ul-Abdeen, Asad Anees, Daniyal Usman, Shahriyar Sarwar | 24x7 monitoring, alert triage, incident response, SIEM operations, runbook ownership
Network Operations Centre (NOC) | Izhar Ali | Network availability, perimeter monitoring, firewall and routing operations, NOC-SOC escalation interface

The CISO (Danish Hamid) holds accountability for the DFSA evidence pack, SBP audit trail obligations, PCI-DSS compliance posture, and executive-level security reporting to the CDO and board.


30-Day Plan: April 14 - May 14 2026

Focus: Audit, Baseline, and Integration

The first 30 days are diagnostic and foundational. The team must establish an accurate picture of the current security posture, close the most critical gaps in the DFSA evidence pack, integrate automated security tooling into CI/CD, and stand up the SOC to a functional baseline.

# | Deliverable | Owner | Success Metric
1 | DFSA Cat 3D InfoSec Evidence Audit | Danish Hamid | Gap analysis document published in Confluence; all required evidence artefacts catalogued with RAG status
2 | Threat Model Framework published | Hamza Bari | Framework document live in Confluence; adopted as mandatory gate in SDLC v2.0 sprint checklist
3 | Snyk integrated into all active CI/CD pipelines | Kamran Kashif | Snyk scanning active on 100% of repositories in scope; first vulnerability report generated
4 | SOC baseline operational | Rana Muhammad Khubaib | SIEM receiving logs from all production environments; alert triage SLA defined and acknowledged by team
5 | SBP audit trail requirements mapped | Danish Hamid | Mapping document completed; gaps identified and assigned to owners with due dates
6 | NOC-SOC escalation process defined | Izhar Ali / Rana Muhammad Khubaib | Written escalation runbook published in Confluence; agreed by both leads

Key Dependency: DFSA evidence audit output (Deliverable 1) gates all subsequent DFSA workstreams and must be completed by end of Week 2.


60-Day Plan: May 15 - June 13 2026

Focus: Compliance Readiness, SOC Operationalisation, and Runbooks

The second period converts baseline capability into documented, repeatable processes. PCI-DSS readiness assessment is conducted, the penetration testing calendar is established, and the SOC publishes all incident response runbooks. Security metrics reporting is activated for the CDO.

# | Deliverable | Owner | Success Metric
1 | PCI-DSS readiness assessment completed | Hamza Bari | Assessment report delivered; scope defined, gaps prioritised, remediation plan owner-assigned
2 | Penetration testing schedule established | Kamran Kashif | Annual calendar published; internal and third-party engagements booked; first test underway or completed
3 | All SOC incident response runbooks published | Rana Muhammad Khubaib | Runbooks for all Tier 1-3 incident categories live in Confluence; reviewed and signed off by CISO
4 | Security metrics dashboard activated | Danish Hamid | Dashboard live; MTTD, MTTR, open critical CVEs, and DFSA evidence coverage % reported to CDO weekly
5 | Threat models completed for all active payment flows | Hamza Bari / Kamran Kashif | Threat model artefact present in Confluence for each live payment product; linked from SDLC v2.0 gate checklist

Incident Response Lifecycle

All SOC runbooks must implement the following incident response lifecycle without exception. This model applies to all security events from Tier 1 (low-severity alert) through to Tier 3 (critical breach).

flowchart LR
    A[Detect] --> B[Triage]
    B --> C[Contain]
    C --> D[Investigate]
    D --> E[Remediate]
    E --> F[Post-Incident Review]
    F --> G[Close]

    style A fill:#d32f2f,color:#fff
    style B fill:#f57c00,color:#fff
    style C fill:#fbc02d,color:#000
    style D fill:#1976d2,color:#fff
    style E fill:#388e3c,color:#fff
    style F fill:#7b1fa2,color:#fff
    style G fill:#455a64,color:#fff

Each stage has a named runbook owner, a maximum time-in-stage SLA, and a defined escalation trigger. The Lead SOC Analyst (Rana Muhammad Khubaib) is accountable for maintaining runbook currency on a monthly review cycle.


90-Day Plan: June 14 - July 13 2026

Focus: Evidence Completion, Board Reporting, and Resilience Validation

The third period is delivery and verification. The DFSA evidence pack is finalised and submitted. Security metrics move to board-level reporting. A full incident response drill validates SOC readiness. The target state is zero unresolved Critical or High vulnerabilities across all production systems, with any exceptions formally risk-accepted by a named owner.

# | Deliverable | Owner | Success Metric
1 | DFSA Cat 3D InfoSec evidence pack complete and submitted | Danish Hamid | Evidence pack formally submitted to DFSA; all items rated Green in the evidence register
2 | Security metrics presented at board level | Danish Hamid | First board security report delivered; metrics include MTTD, MTTR, vulnerability posture, and DFSA coverage
3 | Zero unresolved Critical or High vulnerabilities | Hamza Bari / Kamran Kashif | Snyk and penetration test reports show 0 open Critical or High findings in production; every finding either resolved or formally accepted with a named risk owner
4 | Full incident response drill completed | Rana Muhammad Khubaib | Tabletop or live drill conducted; post-drill report published; remediation actions assigned
5 | PCI-DSS remediation plan execution underway | Hamza Bari | At least 50% of PCI-DSS gaps from the 60-day assessment are remediated or have a confirmed completion date within 30 days
6 | SBP audit trail obligations met | Danish Hamid | All SBP-required log retention and trail evidence confirmed in place; signed off by CISO

Programme Gantt

gantt
    title InfoSec 90-Day Programme - April to July 2026
    dateFormat  YYYY-MM-DD
    axisFormat  %d %b

    section DFSA
    DFSA Evidence Audit            :crit, dfsa1, 2026-04-14, 14d
    DFSA Evidence Gaps Remediated  :dfsa2, after dfsa1, 30d
    DFSA Evidence Pack Submitted   :crit, dfsa3, 2026-06-14, 28d

    section Security Engineering
    Threat Model Framework         :te1, 2026-04-14, 21d
    Snyk CI-CD Integration         :te2, 2026-04-14, 21d
    Payment Flow Threat Models     :te3, 2026-05-15, 30d
    PCI-DSS Assessment             :te4, 2026-05-15, 21d
    PCI-DSS Remediation            :te5, 2026-06-14, 28d
    Pen Testing Schedule           :te6, 2026-05-15, 30d

    section SOC
    SOC Baseline Operational       :crit, soc1, 2026-04-14, 21d
    Runbooks Published             :soc2, 2026-05-15, 28d
    Incident Response Drill        :soc3, 2026-06-28, 14d

    section NOC
    NOC-SOC Escalation Process     :noc1, 2026-04-14, 14d

    section Metrics and Reporting
    Security Metrics Dashboard     :met1, 2026-05-15, 14d
    CDO Weekly Reporting Active    :met2, 2026-06-01, 42d
    Board Security Report          :crit, met3, 2026-06-28, 14d

    section SBP Compliance
    SBP Audit Trail Mapped         :sbp1, 2026-04-14, 21d
    SBP Obligations Confirmed      :sbp2, 2026-06-14, 28d

Success Metrics

The following metrics are tracked weekly by the CISO and reported to the CDO. From the 90-day point, they form part of the board security pack.

Metric | Definition | Target (Day 90)
Mean Time to Detect (MTTD) | Average time from incident occurrence to SOC alert | Less than 15 minutes for Tier 1-2 events
Mean Time to Respond (MTTR) | Average time from SOC alert to containment action initiated | Less than 1 hour for Tier 1; less than 4 hours for Tier 2
Critical Vulnerabilities Open | Count of unresolved Critical or High CVEs in production (Snyk) | Zero by Day 90
DFSA Evidence Coverage | Percentage of required DFSA Cat 3D InfoSec evidence items rated Green | 100% by Day 90
Runbook Coverage | Percentage of defined incident categories with a published, CISO-signed runbook | 100% by Day 60
Pen Test Cadence | Number of penetration tests completed or formally scheduled in the annual calendar | At least 2 (1 internal, 1 third-party) by Day 90
Threat Model Coverage | Percentage of active payment flows with a current threat model artefact in Confluence | 100% by Day 60
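The MTTD and MTTR definitions above are only useful if they are computed the same way every week, so the following is an added worked example (not part of this plan, and not Simpaisa tooling) of how the dashboard calculation could be implemented. It applies the table's definitions (MTTD = occurrence to SOC alert, MTTR = SOC alert to first containment action) per tier, checks the Day-90 targets, and handles the edge case the averages hide: an incident that is still open contributes no MTTR yet, so it is reported separately once the time since alert already exceeds the tier's target. The incident records, the `Incident` structure and the `at()` helper are constructed for the example; Tier 3 has no target in the table, so it is reported without a pass/fail.

```python
"""Compute per-tier MTTD / MTTR as defined in the Success Metrics table (example code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Optional


@dataclass(frozen=True)
class Incident:
    ref: str
    tier: int
    occurred_at: datetime             # start of the activity, established during Investigate
    alerted_at: datetime              # when the SIEM raised the alert to the SOC
    contained_at: Optional[datetime]  # first containment action initiated; None while still open


# Day-90 targets from the Success Metrics table. No target is stated for Tier 3.
MTTD_TARGET = {1: timedelta(minutes=15), 2: timedelta(minutes=15)}
MTTR_TARGET = {1: timedelta(hours=1), 2: timedelta(hours=4)}


def minutes(td: timedelta) -> float:
    return td.total_seconds() / 60


def time_to_detect(inc: Incident) -> timedelta:
    """MTTD input: incident occurrence to SOC alert."""
    return inc.alerted_at - inc.occurred_at


def time_to_respond(inc: Incident) -> Optional[timedelta]:
    """MTTR input: SOC alert to containment action initiated; None if not yet contained."""
    if inc.contained_at is None:
        return None
    return inc.contained_at - inc.alerted_at


def evaluate(incidents, now: datetime) -> dict:
    """Per-tier MTTD/MTTR in minutes plus pass/fail against the Day-90 targets.

    Open incidents are left out of the MTTR mean (there is no containment time yet)
    but are listed under 'overrunning' as soon as the time since alert exceeds the
    tier's MTTR target, so an unresolved incident cannot hide behind a healthy average.
    """
    report = {}
    for tier in sorted({i.tier for i in incidents}):
        tier_incs = [i for i in incidents if i.tier == tier]
        detect = [minutes(time_to_detect(i)) for i in tier_incs]
        respond = [minutes(time_to_respond(i)) for i in tier_incs if i.contained_at is not None]
        mttd = mean(detect)
        mttr = mean(respond) if respond else None
        mttd_target = MTTD_TARGET.get(tier)
        mttr_target = MTTR_TARGET.get(tier)
        overrunning = [
            i.ref for i in tier_incs
            if i.contained_at is None and mttr_target is not None and now - i.alerted_at > mttr_target
        ]
        report[tier] = {
            "mttd_min": round(mttd, 1),
            "mttd_ok": None if mttd_target is None else mttd < minutes(mttd_target),
            "mttr_min": None if mttr is None else round(mttr, 1),
            "mttr_ok": None if (mttr is None or mttr_target is None) else mttr < minutes(mttr_target),
            "open": sum(1 for i in tier_incs if i.contained_at is None),
            "overrunning": overrunning,
        }
    return report


def at(hh: int, mm: int) -> datetime:
    """Helper for the constructed sample: a clock time on one reporting day."""
    return datetime(2026, 6, 1, hh, mm)


# Constructed sample records for the example; not real incidents.
SAMPLE = [
    Incident("INC-001", 1, at(9, 0), at(9, 8), at(9, 40)),     # detect 8 min, respond 32 min
    Incident("INC-002", 1, at(10, 0), at(10, 12), at(11, 30)),  # detect 12 min, respond 78 min
    Incident("INC-003", 2, at(12, 0), at(12, 20), at(15, 0)),   # detect 20 min, respond 160 min
    Incident("INC-004", 2, at(13, 0), at(13, 6), None),         # detect 6 min, still open
    Incident("INC-005", 3, at(8, 0), at(8, 30), at(10, 0)),     # detect 30 min, respond 90 min; no Tier 3 target
]
NOW = at(17, 30)  # point in time at which the weekly report is generated

if __name__ == "__main__":
    for tier, row in evaluate(SAMPLE, NOW).items():
        print(f"Tier {tier}: {row}")
```

With the sample above, Tier 1 reports MTTD 10 min and MTTR 55 min (both within target), Tier 2 reports MTTD 13 min and MTTR 160 min but flags INC-004, which has been open for 264 minutes against a 240-minute target, and Tier 3 reports its figures without a verdict. Whichever system produces the dashboard, the occurrence timestamp should come from the Investigate stage's findings rather than the alert time, otherwise MTTD collapses to zero and the metric measures nothing.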

Risks and Dependencies

Risk | Likelihood | Impact | Mitigation
DFSA evidence gaps are larger than anticipated | Medium | High | Audit completed in Week 1-2 to maximise remediation runway; CISO escalates to CDO if critical items cannot be met
SOC tooling (SIEM) not receiving all log sources by Day 30 | Medium | High | Izhar Ali (NOC) and Rana Muhammad Khubaib (SOC) jointly own log source onboarding; weekly status reported to CISO
Third-party pen test vendor availability | Low | Medium | Vendor shortlist initiated in Week 1; contract in place by Day 30
PCI-DSS gaps require significant engineering effort | Medium | Medium | Assessment scoped tightly to card processing flows; remediation items fed into product team backlog via SDLC v2.0 process
Snyk integration surfaces large initial vulnerability count | High | Medium | Initial report treated as baseline; triage and prioritisation completed within 5 business days of first report

Classification: Confidential. This document is for internal Simpaisa Holdings use only. Distribution is restricted to the CDO, CISO, and direct reports named herein.