Security - RASCI View
The Security function at Simpaisa is led by the Chief Information Security Officer (CISO) and is responsible for protecting the platform and its customers from security threats. Security holds accountability over sanctions screening technology, security reviews in the change management lifecycle, and security assessment of all third-party vendors. The CISO is a mandatory consulted party across incident management, product development, and new market entry.
Security operates as a second-line control function: it sets standards and reviews compliance, while Technology and Operations execute day-to-day controls.
Primary Processes
7.9 Sanctions Screening and Transaction Monitoring
The Sanctions Screening team (San.Scr) is Accountable for automated screening execution and hit determination. CISO is Consulted on the automated screening setup and false positive review.
Process Flow

Role Key

| Abbreviation | Full Role |
|---|---|
| COO | Chief Operating Officer |
| CRO | Chief Revenue Officer |
| CISO | Chief Information Security Officer |
| GH-RA | Global Head Regulatory Affairs |
| H-Legal | Head of Legal |
| H-DevOps | Head of DevOps |
| Comp.An | Compliance/Regulatory Analyst |
| San.Scr | Sanctions Screening |
| DevOps.L | DevOps Lead |
| PM | Product Manager |

| Process Step | COO | CRO | CISO | GH-RA | H-Legal | H-DevOps | Comp.An | San.Scr | DevOps.L | PM |
|---|---|---|---|---|---|---|---|---|---|---|
| 1. Screening trigger (transaction / entity) | I | I | I | - | - | I | I | R | A | I |
| 2. Automated screening (Eastnets) | - | I | C | - | - | S | S | R | A | - |
| 3. Hit / no-hit determination | - | I | - | - | - | - | S | A | S | - |
| 4. False positive review | - | C | - | C | - | - | R | A | - | - |
| 5. Escalation to Compliance | I | A | I | C | C | - | R | R | - | - |
| 6. SAR / STR filing (if required) | I | C | - | A | R | - | R | S | - | - |
| 7. Record keeping | I | C | C | C | A | S | R | R | S | - |
7.16 Technology Change Management - Security Review Step
Security is Accountable for the security review gate within every technology change. No release may proceed to CAB approval without CISO sign-off on the security review step.
Process Flow

Role Key

| Abbreviation | Full Role |
|---|---|
| CTO | Chief Technology Officer |
| COO | Chief Operating Officer |
| CISO | Chief Information Security Officer |
| CRO | Chief Revenue Officer |
| H-DevOps | Head of DevOps |
| DevOps.L | DevOps Lead |
| Princ.Arch | Principal Architect |
| Int.Lead | Integration Lead |
| SQA | SQA Lead |
| PM | Product Manager |
| PMO | PMO Manager |
| Comp.An | Compliance/Regulatory Analyst |

| Process Step | CTO | COO | CISO | CRO | H-DevOps | DevOps.L | Princ.Arch | Int.Lead | SQA | PM | PMO | Comp.An |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1. Change request | I | I | I | - | I | - | - | S | - | A | R | - |
| 2. Impact assessment | C | I | C | C | S | S | R | S | S | S | A | C |
| 3. Architecture review | C | - | C | - | S | - | A | S | - | C | S | - |
| 4. Development | I | - | - | - | S | R | S | R | S | C | S | - |
| 5. QA / testing | I | - | C | - | S | S | S | S | A | C | S | - |
| 6. Security review | C | - | A | - | S | - | S | - | S | - | S | C |
| 7. CAB approval | A | I | R | I | R | - | R | - | R | R | S | C |
| 8. Deployment | I | I | I | - | A | R | S | S | - | I | S | - |
| 9. Post-deployment monitoring | C | I | C | - | A | R | S | S | R | C | R | - |
7.15 Vendor and Partner Onboarding - Security Assessment Step
Security holds the Accountable designation for the security assessment of all new vendors and partners. No vendor may go live without CISO approval of the security assessment.
Process Flow

Role Key

| Abbreviation | Full Role |
|---|---|
| COO | Chief Operating Officer |
| CFO | Chief Financial Officer |
| CTO | Chief Technology Officer |
| CISO | Chief Information Security Officer |
| CRO | Chief Revenue Officer |
| H-Legal | Head of Legal |
| H-Treas | Head of Treasury |
| PM | Product Manager |
| Int.Lead | Integration Lead |
| Princ.Arch | Principal Architect |
| Comp.An | Compliance/Regulatory Analyst |
| SQA | SQA Lead |
| PMO | PMO Manager |
| PCP | Payment Channel Partnerships |

| Process Step | COO | CFO | CTO | CISO | CRO | H-Legal | H-Treas | PM | Int.Lead | Princ.Arch | Comp.An | SQA | PMO | PCP |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1. Vendor identification | C | I | C | - | I | - | I | R | S | S | - | - | S | A |
| 2. Due diligence | C | C | C | C | A | S | C | S | - | - | R | - | S | S |
| 3. Commercial negotiation | A | C | I | - | - | S | C | S | - | - | - | - | S | R |
| 4. Legal agreement | C | I | I | C | C | A | - | S | - | - | S | - | S | S |
| 5. Technical integration | I | - | A | C | - | - | - | C | R | R | - | S | S | S |
| 6. Security assessment | - | - | C | A | C | - | - | - | S | S | S | R | S | - |
| 7. Go-live | A | I | C | C | C | I | I | R | S | S | S | S | S | S |
| 8. Performance monitoring | A | C | C | C | C | - | C | R | S | - | S | S | R | S |
Supporting Role Summary
Security is Consulted or Informed across all major business processes:

| Process | Domain Owner | Security Role |
|---|---|---|
| 7.2 Merchant Onboarding | Payments | CISO: C on technical integration and go-live approval |
| 7.3 Pay-In Processing | Technology / Operations | CISO: C on transaction processing and channel authorisation |
| 7.4 Pay-Out Processing | Technology / Operations | CISO: C on channel routing and funds transfer |
| 7.5 Remittance Corridor Activation | Payments | CISO: C on compliance setup and go-live |
| 7.6 Crypto Off-Ramp | Technology | CISO: C on AML screening and fiat disbursement |
| 7.7 White-Label Wallet Provisioning | Product | CISO: A on technical setup step |
| 7.8 KYC / KYB | Compliance | CISO: C on identity verification and ongoing monitoring |
| 7.11 Incident Management | Technology | CISO: C on classification, initial response, investigation, post-incident review |
| 7.12 New Market Entry | CEO / Regulatory | CISO: C on market assessment; C on compliance setup |
| 7.13 Product Development | Product | CISO: C on PRD authoring, architecture review, production deployment |