Lumora Security
Essential Security Review
Report date: 5 March 2026

NovaPay Financial

Security Gap Remediation & NIST CSF 2.0 Alignment
Industry: Fintech / Payments
Employee size: 60 users / 65 mailboxes
Workspace: Microsoft 365
Devices: 45 corporate + BYOD mobile
Data sensitivity: CRITICAL
Regulatory exposure: UAE CBUAE, DFSA, PCI DSS, GDPR

Findings by severity

5 critical
9 high
6 medium
2 low
Already good at
MFA enforced across all users
Microsoft Entra ID MFA is active and enforced for the full tenant. A solid foundation for identity security.
Microsoft Defender for email
Defender for Office 365 is active and providing baseline phishing and malware protection across mailboxes.
Cloudflare WAF in place
Web application firewall is active on the payment portal, providing solid protection at the perimeter.
Firewall operational
Perimeter firewall is active and managing inbound/outbound traffic with basic rule governance.
Backup in operation
Cloud backup is running for critical systems. Recovery testing needed, but the baseline is in place.
Key improvement areas

1. No SIEM or 24/7 SOC
Zero centralised visibility. Financial threats hitting outside business hours go completely undetected.
2. No data loss prevention
Payment data, card details, and customer financial records leave the environment with no controls in place.
3. No PCI DSS / compliance framework
A fintech handling payments with no formal compliance framework is a regulatory and reputational risk.
4. Admin accounts unvaulted
No PAM in place. Privileged credentials for payment infrastructure and cloud apps are unmonitored.
5. No incident response plan
No documented playbook for financial fraud, ransomware, or data breach. CBUAE notification timelines unmet.
Recommended budget
Estimated total annual investment to close all identified gaps across the full remediation programme. Covers licensing, deployment, and managed services sized for a 60-user fintech.
Estimated annual investment: $28,000 – $42,000 / year
Covers identity, endpoint, email security uplift, DLP, SIEM, SOC, ZTNA, GRC, and Lumora MSSP services to close all critical, high, and medium gaps.

NIST CSF 2.0 posture by function

Govern | 15% | Low
Identify | 30% | Low
Protect | 40% | Partial
Detect | 20% | Low
Respond | 10% | Missing
Recover | 25% | Partial

Current security tools in place

Microsoft Defender for O365 | Email security (active, Plan 1)
Microsoft Entra ID MFA | Enforced, SSO/PAM gaps remain
DMARC / SPF / DKIM | Configured, not at p=reject
Cloudflare WAF | Payment portal protection
Perimeter Firewall | Active, NGFW features unused
Cloud Backup | Active, recovery untested
Endpoint AV | Windows/Mac only, no MDR
Mobile Devices | No MDM or EDR coverage

Security gap findings

Finding | Severity | Risk / business impact | Recommendation | Status
No SIEM platform | Critical | No centralised log visibility across payment systems, cloud apps, or endpoints. Financial fraud and unauthorised transactions can go undetected for weeks. | Blusapphire SIEM & SOC (Phase 2) | Missing
No 24/7 SOC / MDR | Critical | Payment fraud and account takeover attacks peak outside business hours. No coverage means extended breach dwell time and regulatory breach notification failures. | Sophos MDR + Lumora 24/7 MSSP monitoring (Phase 1 → Phase 2) | Missing
No data loss prevention | Critical | Customer payment data, card details, and transaction records can leave the environment via email, Teams, or USB with no controls or alerts in place. Direct PCI DSS and CBUAE violation. | Microsoft Purview DLP (Phase 1), Zscaler ZIA CASB (Phase 2) | Missing
No PCI DSS / compliance framework | Critical | A fintech processing payments with no formal compliance framework cannot demonstrate due diligence to payment networks, banking partners, or the CBUAE. | NIST CSF 2.0 + PCI DSS alignment programme (Phase 2) | Missing
No incident response plan | Critical | No playbook for financial fraud, ransomware, or data breach. CBUAE requires notification within 72 hours of a material incident. Without a plan, this timeline is impossible to meet. | IR plan design & tabletop exercise (Phase 2) | Missing
No PAM for admin accounts | High | Admin credentials for payment infrastructure, cloud environments, and banking integrations are unvaulted and unmonitored. Privileged account compromise is the leading entry point in fintech breaches. | BeyondTrust PRA, Privileged Access Management (Phase 1) | Missing
No SSO for cloud apps | High | Staff maintain separate credentials across payment platforms, accounting tools, and SaaS apps. Credential sprawl increases phishing exposure across every application. | Entra ID P2, SSO + Conditional Access (Phase 1) | Missing
No EDR/XDR on mobile devices | High | Staff access payment dashboards and customer data on personal and corporate mobile devices with no endpoint protection. BYOD devices are a common vector for credential theft in fintech environments. | Sophos MDR with ITDR, full device coverage (Phase 1) | Partial
No MDM for device management | High | No central device inventory or compliance enforcement. A lost or stolen device with access to payment systems has no remote wipe capability. | Microsoft Intune MDM, device enrolment (Phase 1) | Missing
No quarterly user access reviews | High | Over-provisioned accounts accumulate as the team grows. Former employees or contractors may retain access to payment systems and customer data. | Entra ID governance + access review automation (Phase 1) | Missing
No ZTNA for device connections | High | No zero-trust posture enforcement. Any device with valid credentials can access payment infrastructure, regardless of device health or location. | Zscaler ZIA ZTNA (Phase 2) | Missing
Backup recovery not tested | High | Cloud backup is running but recovery has never been validated. In a ransomware event against payment systems, untested backups frequently fail at the worst possible moment. | Quarterly DR testing, RPO/RTO definition (Phase 1) | Partial
No brand / domain impersonation monitoring | High | Fintech brands are high-value targets for typosquatting and fake payment portals. No monitoring means customers could be actively defrauded before the company is aware. | iZoologic Brand Protection (Phase 2) | Missing
No MSSP SLA-backed support | High | No contractual security support SLAs or defined escalation path. Security incidents have no guaranteed response time, increasing financial and reputational exposure. | Lumora MSSP Service Agreement (Phase 1) | Missing
Microsoft Defender: Plan 1 only | Medium | Defender for Office 365 Plan 1 provides baseline protection but lacks the automated investigation, attack simulation, and advanced threat hunting available in Plan 2. Insufficient for a fintech environment. | Upgrade to Defender for Office 365 Plan 2 (Phase 1) | Partial
DMARC not enforced | Medium | DMARC is configured but not at p=reject. Attackers can spoof the company domain to send fraudulent payment instructions to clients and banking partners. | PowerDMARC managed DMARC enforcement (Phase 1) | Partial
Security awareness: annual only | Medium | Staff are trained once per year, on a team where everyone has access to payment systems and customer data. Social engineering tactics targeting fintech staff evolve continuously. | Sophos Phish Threat continuous micro-training (Phase 1) | Partial
No phishing simulations | Medium | No baseline measurement of staff susceptibility to targeted phishing. Finance and executive teams are primary BEC targets in payment companies. | Sophos Phish Threat simulations (Phase 1) | Missing
No dark web monitoring | Medium | Staff credentials from third-party breaches appear on dark web markets within hours. No visibility means compromised accounts are only discovered after an incident. | Dark web intelligence monitoring, Lumora MSSP (Phase 2) | Missing
No browser security | Medium | Staff access payment dashboards and banking portals via unprotected browsers. Malicious extensions and web-based credential theft remain unchecked. | Fortinet FortiSASE Browser Security (Phase 1) | Missing
Firewall: NGFW features unused | Low | Perimeter firewall is active but IDS/IPS, SSL inspection, and advanced threat prevention features are not configured. This leaves gaps in detecting lateral movement and C2 traffic. | NGFW feature activation and CIS hardening (Phase 2) | Partial
No proactive geo-login blocking | Low | Anomalous login locations are investigated reactively after alerts. No Conditional Access policies proactively block high-risk geolocations from accessing payment systems. | Entra ID Conditional Access geo-blocking (Phase 1) | Partial
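As an added illustration of the "DMARC not enforced" finding above (example code written for this review's readers, not Lumora's or PowerDMARC's tooling; the sample records are constructed, not NovaPay's DNS), this Python checker parses a DMARC TXT record and lists why it falls short of full enforcement, covering the subdomain (sp) and pct edge cases that an enforcement journey to p=reject has to close:

```python
# Constructed sample DMARC TXT records (illustrative only, not NovaPay's real DNS data).
SAMPLE_RECORDS = {
    "monitor-only": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "quarantine-partial": "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@example.com",
    "reject-subdomain-gap": "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@example.com",
    "enforced": "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@example.com",
}


def parse_dmarc(record: str) -> dict:
    """Parse a DMARC TXT record (RFC 7489 'tag=value;' syntax) into a dict of lower-cased tags."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC1 record")
    return tags


def enforcement_gaps(record: str) -> list:
    """Return the reasons a record is not fully enforced; an empty list means p=reject everywhere."""
    tags = parse_dmarc(record)
    gaps = []
    policy = tags.get("p", "none").lower()
    if policy != "reject":
        gaps.append(f"p={policy} (spoofed mail is only monitored or quarantined, not rejected)")
    # sp (subdomain policy) defaults to p when absent; an explicit weaker sp leaves subdomains spoofable.
    sub = tags.get("sp", policy).lower()
    if sub != "reject":
        gaps.append(f"sp={sub} (subdomains of the payment domain remain spoofable)")
    # pct below 100 applies the policy to only a sample of failing mail.
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        gaps.append(f"pct={pct} (policy applied to only {pct}% of failing mail)")
    # Without rua there are no aggregate reports to measure progress of the enforcement journey.
    if "rua" not in tags:
        gaps.append("no rua (no aggregate reports to monitor legitimate senders during rollout)")
    return gaps


def is_enforced(record: str) -> bool:
    """True only when no enforcement gap remains."""
    return not enforcement_gaps(record)
```

Run it against a domain's live TXT record (retrieved with any DNS client) to see which gap a managed enforcement rollout still has to close.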

NIST CSF 2.0 compliance gap mapping

Function | Sub-category | Gap finding | Status | Phase
GV (Govern) | GV.OC-01 | No formal security governance policy or NIST CSF / PCI DSS alignment | Missing | 2
GV (Govern) | GV.RM-01 | No risk register or formal risk management process for payment operations | Missing | 2
GV (Govern) | GV.SC-01 | No MSSP SLA or security supply chain oversight | Missing | 1
ID (Identify) | ID.AM-01 | No central device asset inventory (MDM not deployed) | Missing | 1
ID (Identify) | ID.AM-05 | No data flow mapping between payment platform, banking APIs, and SaaS apps | Missing | 2
ID (Identify) | ID.RA-01 | No formal vulnerability assessment programme for payment infrastructure | Partial | 2
PR (Protect) | PR.AA-01 | SSO not enabled — credential sprawl across payment and SaaS apps | Missing | 1
PR (Protect) | PR.AA-05 | No PAM for privileged admin accounts on payment infrastructure | Missing | 1
PR (Protect) | PR.AA-06 | No ZTNA — device posture not enforced before accessing payment systems | Missing | 2
PR (Protect) | PR.AT-01 | Security awareness training annual only — insufficient for fintech threat exposure | Partial | 1
PR (Protect) | PR.DS-01 | No DLP for cloud apps processing payment data and customer PII | Missing | 1
PR (Protect) | PR.DS-02 | No data flow monitoring between payment platform, accounting, and CRM | Missing | 2
PR (Protect) | PR.PS-01 | No browser security for staff accessing payment dashboards and banking portals | Missing | 1
PR (Protect) | PR.IR-01 | Backup recovery not regularly tested — RPO/RTO undefined for payment systems | Partial | 1
DE (Detect) | DE.AE-02 | No SIEM — no centralised log aggregation across payment infrastructure | Missing | 2
DE (Detect) | DE.AE-04 | Geo-anomalous login detection reactive only — no proactive blocking | Partial | 1
DE (Detect) | DE.CM-01 | No 24/7 SOC/MDR monitoring — financial fraud operates around the clock | Missing | 1
DE (Detect) | DE.CM-09 | No dark web or brand impersonation monitoring for payment domain | Missing | 2
DE (Detect) | DE.CM-06 | EDR/XDR partial — mobile devices and BYOD not covered | Partial | 1
RS (Respond) | RS.MA-01 | No documented incident response plan — CBUAE 72-hour notification unachievable | Missing | 2
RS (Respond) | RS.CO-02 | No defined escalation path for financial fraud or security events | Missing | 1
RC (Recover) | RC.RP-01 | No tested business continuity / DR runbook for payment operations | Missing | 2
RC (Recover) | RC.IM-01 | Backup recovery not validated — RPO/RTO undefined | Partial | 1
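As an added example for the DE.AE-04 gap above (geo-anomalous login detection that is reactive only), this Python detection runs over constructed sign-in events in a simplified Entra-like shape with assumed field names, not real NovaPay logs, and separates what a proactive Conditional Access geo policy would have blocked from impossible-travel pairs a SOC should still triage. It is illustrative code, not Lumora's or Microsoft's tooling.

```python
from datetime import datetime, timedelta

# Constructed sample sign-in events (assumed simplified field names; not real NovaPay logs).
SAMPLE_SIGNINS = [
    {"user": "alice@novapay.example", "country": "AE", "app": "Payment Dashboard",
     "time": "2026-03-04T09:12:00", "status": "success"},
    {"user": "alice@novapay.example", "country": "NG", "app": "Payment Dashboard",
     "time": "2026-03-04T09:41:00", "status": "success"},
    {"user": "bob@novapay.example", "country": "GB", "app": "Accounting SaaS",
     "time": "2026-03-04T22:05:00", "status": "success"},
    {"user": "carol@novapay.example", "country": "RU", "app": "Payment Dashboard",
     "time": "2026-03-04T03:30:00", "status": "failure"},
]

# Assumed policy inputs: named locations the business operates from, and the apps that handle payments.
ALLOWED_COUNTRIES = {"AE", "GB"}
PAYMENT_APPS = {"Payment Dashboard"}


def flag_risky_signins(events, allowed=ALLOWED_COUNTRIES, payment_apps=PAYMENT_APPS,
                       travel_window=timedelta(hours=1)):
    """Return alerts: out-of-region sign-ins (block for payment apps, review otherwise)
    and impossible travel (same user, different country, within travel_window)."""
    alerts = []
    last_seen = {}  # user -> (country, datetime) of the previous successful sign-in
    for ev in sorted(events, key=lambda e: e["time"]):
        when = datetime.fromisoformat(ev["time"])
        if ev["country"] not in allowed:
            # A proactive Conditional Access geo policy would block this before the session exists.
            kind = "block_out_of_region" if ev["app"] in payment_apps else "review_out_of_region"
            alerts.append({"user": ev["user"], "kind": kind,
                           "country": ev["country"], "time": ev["time"]})
        if ev["status"] != "success":
            continue  # failed attempts do not establish a location for travel checks
        prev = last_seen.get(ev["user"])
        if prev and prev[0] != ev["country"] and when - prev[1] <= travel_window:
            alerts.append({"user": ev["user"], "kind": "impossible_travel",
                           "country": f"{prev[0]}->{ev['country']}", "time": ev["time"]})
        last_seen[ev["user"]] = (ev["country"], when)
    return alerts
```

The same allowlist is what the Phase 1 Conditional Access named-location policy encodes; running the detection over exported sign-in logs shows which historical sessions it would have prevented.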

Three-vector compliance model

People
Controls that govern how your team authenticates, accesses payment systems, and is trained to recognise threats targeting financial staff.
  • SSO / Conditional Access
  • MFA (enforced)
  • PAM for admin vaulting
  • User access reviews
  • Identity threat detection
  • Security awareness training
  • Phishing simulations
Device
Controls that govern what devices connect to your payment environment and enforce security posture before granting access.
  • EDR / XDR (Windows, Mac, Mobile)
  • MDM via Microsoft Intune
  • ZTNA device posture
  • Browser security
  • Patch & VA automation
  • Central device visibility
  • Threat hunting
Application
Controls that protect payment platforms, banking APIs, SaaS tools, and data flows at the software layer.
  • Microsoft Defender for O365 (Plan 2)
  • Teams phishing protection
  • DMARC management
  • DLP for cloud apps
  • Encrypted & tested backup
  • Brand & domain protection
  • API and app data flow monitoring

Remediation roadmap

Essential Implementation

360° protection across people, devices & applications (months 1-12)

People: SSO + Conditional Access for payment apps
People: PAM deployment for payment infrastructure admins
People: Phishing simulations targeting finance & exec team
Device: Full endpoint rollout (Windows/Mac/Mobile)
Device: Device enrolment, compliance, remote wipe
Device: Policy rollout for payment dashboard access
App: Defender for Office 365 Plan 2 upgrade + AIR configuration
App: DMARC enforcement journey to p=reject
App: Payment data and customer PII classification
App: First quarterly recovery test with RPO/RTO targets
Gov: MSSP service activation: SLA documentation & 24/7 escalation path
Suggested advanced implementation

GRC, full NIST CSF 2.0 & PCI DSS alignment (months 13-24)

Detect: Log ingestion from payment systems, Entra ID, Sophos, Cloudflare
Detect: 24/7 monitoring with fintech threat detection rules
Protect: ZTNA + CASB + advanced DLP for all cloud and payment app access
Protect: IDS/IPS and SSL inspection activation
Detect: Payment domain and impersonation monitoring
Identify: Vulnerability assessment automation for payment infrastructure
Detect: Credential monitoring for staff and payment domain
Respond: Incident response plan: financial fraud, ransomware, and CBUAE breach notification playbooks
Govern: GRC programme: risk register, PCI DSS scoping, and NIST CSF control mapping
Recover: DR/BC runbook with full payment systems recovery test and immutable backup evaluation
Govern: NIST CSF 2.0 formal mapping + PCI DSS readiness documentation
All: Quarterly security health checks + DFSA / CBUAE compliance gap review
Disclaimer: This Essential Security Review is based on information provided during the assessment intake and a structured discussion with your team. It is not a formal certification, penetration test, compliance audit, or PCI DSS assessment. Findings and recommendations are indicative and should be validated with a detailed technical assessment before implementation. Budget estimates are approximate and may vary based on scope, licensing, and vendor pricing at the time of procurement. Regulatory guidance in this report references CBUAE, DFSA, and PCI DSS frameworks as applicable to UAE-based fintech organisations; formal compliance determinations require engagement with qualified assessors. This report is confidential and intended solely for the named organisation.