Security Hardening
Security Hardening is the production-readiness layer — MFA enforcement, audit log, rate-limit, SIEM forwarding, encryption-at-rest, IP whitelist, consent capture, retention policy, DSAR, right-to-erasure, cyber-incident workflow.



How a member exercises the right to erasure
Under KDPA / GDPR, members can request deletion of their personal data. The wizard handles the "right to be forgotten" while preserving the regulatory minimum (e.g. AML records).
- Member submits the request via iBANK /ibank/profile → Right to be forgotten.
- Compliance reviews — open Members → Compliance → Erasure requests.
- Approve. The wizard anonymises personal fields (name, ID, phone, email) while preserving regulatory data (AML, audit log).
- A signed erasure certificate is emailed to the member.
How a cyber-incident notification fires
CBK requires notification within 24 hours of detection. The cyber-incident model captures the event and queues the notification email automatically.
- Operations Officer opens Security → Cyber Incidents → New.
- Capture type, time, scope, initial classification.
- Suite computes the 24-hour deadline and emails CBK the initial notice.
- As the investigation progresses, post-incident updates feed the same record; final report fires at close.
Reference
Feature checklist
- MFA enforced on backend login
- Consent capture on member create
- Data-retention policy + auto-purge cron
- DSAR self-service for members
- Right-to-erasure wizard
- Cyber-incident model + CBK 24-hour notification
- Centralized log forwarding
- Rate-limit per IP + per user
- IP whitelist for admin endpoints
Configuration reference
| Where | What to set |
|---|---|
| MFA policy | Enforced / opt-in / disabled |
| Retention | Per-model days + sweep cron |
| SIEM | Endpoint + token |
| Rate limits | Per-IP and per-user windows |
Roles & permissions
| Group | Capability |
|---|---|
| mfi_security_hardening.group_security_admin | Configure, view SIEM |
Accounting integration
None.Tip. KDPA / ODPC registration pack ships with the module — see /opt/staging/docs for the templates.
Was this page helpful?

