Lumora Security
Essential Security Review
Report date: 5 March 2026

NovaPay Financial

Essential Security Gap Assessment & NIST CSF 2.0 Mapping
Industry: Fintech / Payments
Employee size: 60 users / 65 mailboxes
Workspace: Microsoft 365
Devices: 45 corporate + BYOD mobile
Data sensitivity: CRITICAL
Regulatory exposure: UAE CBUAE, DFSA, PCI DSS, GDPR

Essential controls: where things stand

5 Protected
5 Partially covered
7 Not protected
9 high
Already good at
✓ MFA enforced across all users
Microsoft Entra ID MFA is active and enforced for the full tenant. A solid foundation for identity security.
✓ Microsoft Defender for email
Defender for Office 365 is active and providing baseline phishing and malware protection across mailboxes.
✓ Cloudflare WAF in place
Web application firewall is active on the payment portal, providing solid protection at the perimeter.
✓ Firewall operational
Perimeter firewall is active and managing inbound/outbound traffic with basic rule governance.
✓ Endpoint protection on corporate devices
Antivirus is active on all corporate Windows and Mac machines, covering the core fleet.
Key improvement areas
1. No data loss prevention
Payment data, card details, and customer financial records can leave the environment with no controls or alerts in place.
2. No SSO across cloud apps
Staff hold separate credentials for every payment and SaaS tool, increasing credential sprawl and phishing exposure.
3. No incident response plan
No written playbook for the first 24 hours of a breach or fraud event. CBUAE notification timelines are at risk.
4. Admin accounts not separated
Staff who manage payment infrastructure use the same account for daily email and browsing. One compromise reaches everything.
5. No basic security monitoring
Nobody is watching for signs of intrusion. An attacker could be inside the environment for weeks before anyone notices.
Recommended budget
Estimated total annual investment to close the essential gaps identified in this review. Scoped to a 60-user fintech, covering licensing, deployment, and light managed support; no enterprise SOC or compliance build-out included.

Estimated annual investment: $18,000 – $27,000 / year

Covers SSO, DLP, Defender upgrade, MDM, DMARC enforcement, phishing training, and Lumora's essential monitoring & support package.

NIST CSF 2.0 posture by function

Govern: 15% (Low)
Identify: 30% (Low)
Protect: 40% (Partial)
Detect: 20% (Low)
Respond: 10% (Missing)
Recover: 25% (Partial)

Current security tools in place

Microsoft Defender for O365: Email security (active, Plan 1)
Microsoft Entra ID MFA: Enforced, SSO not yet configured
DMARC / SPF / DKIM: Configured, not at p=reject
Cloudflare WAF: Payment portal protection
Perimeter Firewall: Active, basic rule set
Cloud Backup: Active, recovery untested
Endpoint Antivirus: Windows/Mac corporate devices
Mobile Devices: No MDM or remote wipe

Essential security gap findings

Finding | Severity | Risk / business impact | Recommendation | Status
Your people
Awareness training done, no simulation | Medium | Staff completed training in the last 12 months, but it has never been tested against a real-looking phishing attempt. Training without testing rarely changes behaviour. | Sophos Phish Threat: first simulation campaign | Partial
No clear incident reporting process | High | Staff don't know exactly who to contact if they spot something suspicious. Without a known process, small issues go unreported until they become large ones. | Define & communicate a one-line reporting path (who to email/call) | Missing
No written security policy | Medium | No one-page document covering passwords, file sharing, or personal device use. Staff make daily security decisions with no standard to follow. | Draft a one-page acceptable-use policy (Lumora template) | Missing
Your devices
Mobile devices unmanaged | High | Staff access payment dashboards on personal and corporate mobile devices with no management or remote wipe. A lost phone is an open door to customer data. | Microsoft Intune MDM: enrolment & compliance policies | Missing
Patch cadence not clearly owned | Medium | Updates are applied, but there's no defined two-week target or named owner. Unpatched devices are actively scanned for and exploited by attackers. | Assign patch ownership; set a 2-week SLA | Partial
Device inventory incomplete | Medium | No single list of every device touching company systems. Devices you don't know about can't be patched, monitored, or protected. | Build & maintain a device inventory via Intune/Entra ID | Partial
Your email
Microsoft Defender: Plan 1 only | Medium | Defender for O365 Plan 1 covers the basics but lacks automated investigation and attack simulation. A fintech handling payment instructions needs the stronger tier. | Upgrade to Microsoft Defender for O365 Plan 2 | Partial
DMARC not enforced | High | DMARC is configured but not at p=reject. Anyone can currently send an email that appears to come from the company domain, including fake payment instructions to clients. | PowerDMARC: guided enforcement to p=reject | Partial
Who can access what
No SSO across cloud apps | Critical | Staff hold separate logins for the payment platform, accounting tools, and other SaaS apps. Every extra password is another phishing target. | Microsoft Entra ID P2: SSO + Conditional Access | Missing
Admin accounts not separated | High | People managing payment infrastructure use the same account for daily email and browsing. If that account is phished, the attacker gets admin-level access too. | Issue separate admin logins; no shared use with daily accounts | Partial
No vendor access review process | Medium | External vendors or IT providers may hold ongoing access that's never reviewed. Forgotten vendor access is an entry point nobody is watching. | Quarterly vendor/third-party access review | Missing
Your data & recovery
Backup recovery never tested | High | Backups run automatically, but nobody has restored from one. Untested backups routinely fail at the exact moment they're needed most. | Quarterly recovery test; document actual RPO/RTO | Partial
No data loss prevention | Critical | Payment data, card details, and customer financial records can leave the environment via email, Teams, or USB with no controls or alerts. Direct PCI DSS exposure. | Microsoft Purview DLP: classification & policies for payment data | Missing
Uncontrolled data movement | Medium | Staff can currently move company data to personal USB drives, personal cloud, or WhatsApp without restriction, a common cause of data leaks and UAE PDPL exposure. | Endpoint DLP policy for copy/paste & removable media | Missing
Your security visibility
No basic security monitoring | High | Nobody is watching for signs of intrusion. Attacks against businesses this size routinely go unnoticed for weeks before surfacing on their own. | Lumora essential monitoring & support package | Missing
No vulnerability check ever run | Medium | No independent look at where the actual weaknesses are. You can't fix a gap you've never been shown. | Annual light-touch vulnerability scan | Missing
No incident response plan | Critical | No written plan for the first 24 hours of a breach or fraud event. Businesses without a plan take far longer to recover and face higher costs. | One-page IR plan + walkthrough with leadership | Missing
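The DMARC finding above turns on one detail: a record that exists but sits at p=none (or p=quarantine, or a partial pct) does not stop spoofed mail. The following is an added illustration, not code from this report or from PowerDMARC, that parses a published DMARC TXT record and explains why it does or does not enforce; the sample records and the example.invalid domain are constructed placeholders, not NovaPay's DNS.

```python
# Added illustration, not code from the Lumora report: decide whether a
# published DMARC TXT record actually enforces, i.e. whether mail that fails
# SPF/DKIM alignment is rejected. Sample records are constructed and the
# domain is a placeholder.

def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=none; rua=...' into a lower-cased tag dictionary."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> dict:
    """Return the effective policy plus the reasons it does or does not enforce."""
    tags = parse_dmarc(record)
    notes = []
    if tags.get("v", "").upper() != "DMARC1":
        return {"enforcing": False, "policy": "absent", "notes": ["no valid DMARC record"]}
    policy = tags.get("p", "none").lower()
    sub_policy = tags.get("sp", policy).lower()      # sp inherits p when absent
    pct_raw = tags.get("pct", "100")                 # receivers default pct to 100
    pct = int(pct_raw) if pct_raw.isdigit() else 100
    if policy == "none":
        notes.append("p=none is monitor-only: spoofed mail is still delivered")
    elif policy == "quarantine":
        notes.append("p=quarantine only sends spoofed mail to junk")
    if sub_policy != "reject":
        notes.append(f"subdomains fall back to sp={sub_policy} and can still be spoofed")
    if pct < 100:
        notes.append(f"pct={pct}: the policy applies to only {pct}% of failing mail")
    if "rua" not in tags:
        notes.append("no rua address: nobody receives aggregate reports")
    enforcing = policy == "reject" and sub_policy == "reject" and pct == 100
    return {"enforcing": enforcing, "policy": policy, "subdomain_policy": sub_policy,
            "pct": pct, "notes": notes}


# Constructed sample records (placeholder domain, not NovaPay's real DNS).
MONITOR_ONLY = "v=DMARC1; p=none; rua=mailto:dmarc@example.invalid"
ENFORCED = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.invalid"

if __name__ == "__main__":
    for label, rec in (("monitor-only", MONITOR_ONLY), ("enforced", ENFORCED)):
        verdict = assess_dmarc(rec)
        print(label, "enforcing" if verdict["enforcing"] else "NOT enforcing", verdict["notes"])
```

In practice the record is read from the `_dmarc.<domain>` TXT entry; the function deliberately treats a missing or partial pct and a weaker sp as non-enforcing, which is the state the finding describes.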

NIST CSF 2.0 compliance mapping

Function | Sub-category | Gap finding | Status
GV (Govern) | GV.OC-01 | No written security policy (passwords, BYOD, file sharing) | Missing
ID (Identify) | ID.AM-01 | Device inventory incomplete | Partial
PR (Protect) | PR.AA-01 | SSO not enabled: credential sprawl across cloud apps | Missing
PR (Protect) | PR.AA-05 | Admin accounts not separated from daily-use accounts | Partial
PR (Protect) | PR.AT-01 | Awareness training done, but never tested with a simulation | Partial
PR (Protect) | PR.DS-01 | No DLP for cloud apps processing payment data and customer PII | Missing
PR (Protect) | PR.DS-02 | Uncontrolled data movement (USB, personal cloud, WhatsApp) | Missing
PR (Protect) | PR.IR-01 | Backup recovery not regularly tested | Partial
DE (Detect) | DE.CM-01 | No basic monitoring for signs of intrusion | Missing
RS (Respond) | RS.MA-01 | No documented incident response plan | Missing
RS (Respond) | RS.CO-02 | No clear escalation or reporting process for suspicious activity | Missing
RC (Recover) | RC.IM-01 | Backup recovery not validated; RPO/RTO undefined | Partial

Three-vector compliance model

People
Awareness training, phishing simulations, a clear reporting process, and written rules for passwords and devices.
  • Annual awareness training
  • Phishing simulation testing
  • Clear incident reporting process
  • Written acceptable-use policy
Device
Knowing what's connected, keeping it patched, and making sure it's actually managed, not just trusted.
  • Managed endpoint protection
  • Mobile device management (MDM)
  • Patch management within 2 weeks
  • Complete device inventory
Application
Controls that protect payment platforms, banking APIs, SaaS tools, and data flows at the software layer.
  • Microsoft Defender for O365 (Plan 2)
  • DMARC / SPF / DKIM enforcement
  • Anti-phishing & attachment scanning
  • Automated & tested backup
  • Data loss prevention (DLP)
  • Controlled data movement (USB/cloud)
  • Defined recovery time

Essential security roadmap

Quick wins

0 - 30 days: no major spend, immediate risk reduction

People: Define & communicate a one-line incident reporting path
Access: Separate admin accounts from daily-use accounts (no new tooling)
Data: Run a backup recovery test; document the real RPO/RTO
Visibility: Draft a one-page incident response plan and walk it through with leadership
Email: PowerDMARC: begin enforcement journey toward p=reject
Device: Policy rollout for payment dashboard access
App: Upgrade + AIR configuration
App: DMARC enforcement journey to p=reject
App: Payment data and customer PII classification
App: First quarterly recovery test with RPO/RTO targets
Gov: MSSP service activation: SLA documentation & 24/7 escalation path
Next 90 days

Deploy the essential tooling stack

Access: Microsoft Entra ID P2: SSO + Conditional Access rollout
Email: Upgrade Microsoft Defender for O365 to Plan 2
Data: Microsoft Purview DLP: classification & policies for payment data
Devices: Microsoft Intune MDM: enrol mobile devices, enforce compliance
People: Sophos Phish Threat: first phishing simulation + ongoing micro-training
Access: Establish a quarterly vendor/third-party access review cadence
Visibility: Activate Lumora essential monitoring & support package
Visibility: Run a first light-touch vulnerability scan
Govern: GRC programme: risk register, PCI DSS scoping, and NIST CSF control mapping
Recover: DR/BC runbook with full payment systems recovery test and immutable backup evaluation
Govern: NIST CSF 2.0 formal mapping + PCI DSS readiness documentation
All: Quarterly security health checks + DFSA / CBUAE compliance gap review
Disclaimer: This Essential Security Review is based on information provided during the assessment intake and a structured discussion with your team. It is not a formal certification, penetration test, or compliance audit. The NIST CSF 2.0 mapping in this report is provided to show how essential controls relate to a recognised framework; it is indicative, not a certified compliance assessment. Findings and recommendations should be validated with a detailed technical assessment before implementation. Budget estimates are approximate and may vary based on scope, licensing, and vendor pricing at the time of procurement. This report is confidential and intended solely for the named organisation.