.png)
DES IT & Cybersecurity Evaluation Report
This report presents the findings of the Independent IT and Cybersecurity evaluation conducted at DES by Directpath Global Technologies (DGT). The assessment covered identity management, infrastructure, compliance, user practices, vendor governance, and strategic positioning. The evaluation was performed onsite at the head office by the DGT team and reflects observed practices, risks, and opportunities for improvement.
Annex 1 – Active Directory & Domain Management
Key Findings
Why It Matters
-
82% computers off-domain
-
Heavy use of local accounts
-
IT staff no admin rights/forgot AD credentials
-
No GPOs for security controls
-
Users bypass AD due to slow login
-
No audit logs / traceability
-
Security gaps (unmanaged PCs)
-
Non-compliance (RA 10173, SEC IT controls)
-
Weak ops control (passwords, patches, locks)
-
Trust risk – breach with no logs
-
Weak IT governance culture
Action Plan
KPI
-
Immediate (0–14 days): Audit devices, force-join AD, reset admins, deploy baseline GPOs
-
Short-Term (1–3 months): Train IT staff, SSO integration, monthly privileged reviews, end-user guide
-
Long-Term (3–12 months): Endpoint management (Intune), quarterly audits, password less authentication, link compliance to performance
-
100% endpoints on AD (7 days)
-
98% GPO compliance
-
Critical patches (7 days)
-
Zero unauthorized local admins
Annex 2 – Server Room & Physical Security
Key Findings
Why It Matters
-
Hot server room; no calibrated thermometer
-
No temp/humidity sensors or alerts
-
Broken biometric lock; guards adjusting AC
-
Single AC unit (no failover)
-
CCTV gaps; no rack monitoring
-
Fire & water risks; combustibles stored near racks
-
No environmental SOPs or logs
-
Security: weak access control undermines audit logs
-
Compliance: cannot meet BSP/SEC facility standards
-
Operations: single point of failure; delayed detection
-
Reputation: auditors/clients see poor governance
Action Plan
KPI
-
Immediate fix: biometric lock, restrict access, install thermometer, remove combustibles
-
Short-term: add redundant AC, deploy sensors & alerts, expand CCTV, publish SOPs
-
Long-term: fire suppression, water leak detection, integrate monitoring dashboards, quarterly access reviews
-
100% biometric lock uptime
-
Temp 19–22°C ≥98% of time
-
Zero unauthorized AC adjustments
-
Quarterly audit reports to ExCom
Annex 3 – Lunch Break & Workstation Security
Key Findings
Why It Matters
-
Entire pods take lunch at once no coverage
-
Unattended unlocked desktops with live data
-
No auto-lock policy; depends on user habit
-
Paper exposure & no shred bins
-
Visitors present during lunch windows
-
High shoulder-surfing risk at shared desks
-
Security: unlocked sessions enable fraud/data theft
-
Compliance: violates PII handling standards
-
Reputation: a single leak can trigger fines & complaints
-
Culture: signals controls are optional
Action Plan
KPI
-
Immediate: deploy GPO for auto-lock, staggered coverage rosters
-
Week 1: clean-desk policy, shred bins, privacy screens
-
Weeks 1–2: spot checks for unlocked screens/papers
-
1–2 months: micro-learning training, workspace redesign, secure print release
-
3–12 months: tie compliance to Intune & AD, deploy endpoint DLP
-
Unlocked sessions reduced to zero by (Day 7)
-
100% teams with published rosters
-
90% devices secure print release in (60 days)
-
95% audit pass rate; 98% training completion
Annex 4 – Compliance & Governance
Key Findings
Why It Matters
-
Compliance focused only on regulators, not internal enforcement
-
Manager self-reporting masks non-compliance
-
Outdated/incomplete IT/security policies; weak training records
-
No compliance dashboard or metrics
-
Lack of independence – conflict of interest in enforcement
-
Security: IT safeguards unenforced (passwords, encryption, screen locks)
-
Regulatory: NPC/SEC/BSP expect proof of enforcement and attestations
-
Culture: favoritism and weak accountability erode governance
Action Plan
KPI
-
Immediate: centralize compliance register, tie policies to technical controls
-
Short-term: quarterly audits sampling individual staff, compliance dashboard, exceptions management
-
Long-term: align with ISO 27001/COBIT, annual compliance training with testing, annual external audits, link compliance to performance reviews
-
100% staff attestation within (14 days)
-
Quarterly audits closed within (30 days)
-
Compliance dashboard live in (60 days)
-
Reduced audit findings quarter-over-quarter
-
Annual external audit passed
Annex 5 – CRM & Sales Tools (Juakali)
Key Findings
Why It Matters
-
Manual lead entry/duplicate work (Excel + CRM)
-
Missing promised features (geo-fencing, auto-assign)
-
DES acting as unpaid beta tester
-
No Data Processing Agreement; unclear encryption
-
Vendor lock-in risk (no exit/data portability)
-
Low user adoption; parallel shadow processes
-
Security: weak authentication/logging; no DPA
-
Compliance: RA10173/GDPR exposure
-
Operations: slow sales cycles, high error rate
-
Reputation: outdated/underdeveloped system undermines DES
-
Culture: signals convenience over discipline
Action Plan
KPI
-
Immediate: obtain signed DPA, restrict CRM access, document data flows, backup exports
-
Short-term: evaluate alternative CRMs, renegotiate contract, use APIs to reduce Excel dependency, train staff
-
Long-term: deploy re-negotiated or new CRM with AD/SSO, integrate into digital roadmap, eliminate Excel reliance, vendor governance
-
90% leads auto-ingested (6 months)
-
100% CRM users on SSO/MFA
-
Signed DPA/SLA within 30 days
-
System uptime 99%
-
Staff adoption 95%
Annex 6 – Privacy & Data Compliance (Life360)
Key Findings
Why It Matters
-
Personal device tracking via consumer app (Life360)
-
No Data Protection Impact Assessment (DPIA)
-
No informed consent or DPA with vendor
-
No device governance (encryption, patches, remote wipe)
-
Company data mixed with personal data on phones
-
Privacy risk: intrusive continuous tracking without assessment
-
Compliance risk: RA10173/Data Privacy Act violations
-
Security risk: no control over personal devices holding company data
-
Cultural risk: employee tension over privacy
Action Plan
KPI
-
Immediate: suspend Life360 mandate, conduct DPIA, draft consent forms, negotiate DPA
-
Short-term: roll out company-managed devices or secure MDM solution, integrate location tracking with enterprise tools
-
Long-term: build privacy-by-design policy for all staff-facing tech, periodic privacy impact reviews
-
DPIA completed within 30 days
-
100% staff on signed consent or corporate devices
-
DPA signed with vendor within 30 days
-
MDM deployed to all field devices
Annex 7 – IT Ticketing & Service Management
Key Findings
Why It Matters
-
Open-source ticketing tool (no enterprise features)
-
No SLA targets or tracking
-
No knowledge base → duplicate tickets
-
No metrics dashboards (MTTR, backlog)
-
Security gaps: no penetration test, weak access control
-
Culture of workarounds bypassing system
-
Security: sensitive info in tickets may be exposed
-
Compliance: regulators expect structured ITSM with SLAs
-
Operations: delayed resolution, no staffing justification
-
Reputation: looks immature to clients/auditors
-
Culture: normalizes disorder and weak accountability
Action Plan
KPI
-
Immediate: security assessment of tool, define interim SLAs, enforce ticket logging, weekly manual reports
-
Short-term: evaluate enterprise ITSM (Zoho, ServiceNow), SLA automation, knowledge base creation, pilot new ITSM
-
Long-term: full ITSM rollout with AD/SSO, automated dashboards, ITIL alignment, quarterly reviews
-
90% SLA compliance within 6 months
-
25% duplicate ticket reduction
-
Monthly IT service dashboards to ExCom
-
Zero high-severity vulnerabilities after remediation
Annex 8 – Collections Department (Manual Matching)
Key Findings
Why It Matters
-
Manual reconciliation of ~25,000 AFP–CAMS entries
-
Printed records piled unsecured
-
CAMS automation not configured
-
Slow manual error correction
-
High opportunity cost of skilled staff
-
Morale/attrition risk from repetitive work
-
Security: unsecured paper records
-
Compliance: regulators expect automation & auditability
-
Operations: slow, error-prone, fragile if staff absent
-
Reputation: outdated processes harm DES image
Action Plan
KPI
-
Immediate: stop printing, shift to dual monitors, assess CAMS automation, secure disposal bins
-
Short-term: develop/test automation scripts, train staff, pilot AFP matching
-
Long-term: fully automate reconciliation, integrate AFP feed to CAMS, redeploy staff to higher-value work
-
80% reconciliation automated (6 months)
-
0.05% error rate post-automation
-
90% paper reduction by year-end
-
50% staff time reduction on reconciliation
Annex 9 – Technology Purchases & IT Governance
Key Findings
Why It Matters
-
Decentralized purchasing / Shadow IT
-
Security vetting bypassed for tools like Life360, Juakali
-
Overlapping/duplicate tools wasting budget
-
Vendor-driven development with no protection
-
No procurement framework or risk assessments
-
Integration gaps → manual workarounds
-
Security: unvetted tools may lack encryption or MFA
-
Compliance: cannot show accountability (RA 10173, SEC)
-
Operations: fragmented workflows & inefficiency
-
Finance: overpaying for licenses, lost discounts
-
Reputation: disorganized IT maturity
-
Culture: normalizes bypassing IT & weak governance
Action Plan
KPI
-
Immediate: freeze purchases, require IT/Compliance approval, compile inventory, stop duplicate licensing
-
Short-term: form Technology Steering Committee, vendor checklist, consolidate licenses, communicate policy
-
Long-term: adopt COBIT/ISO 38500 governance, quarterly roadmap reviews, vendor SLAs/DPAs, pursue strategic partnerships
-
100% new IT purchases reviewed & approved
-
25% redundant tools reduced in 6 months
-
100% sensitive-data vendors under SLA/DPA
-
15% licensing cost savings via consolidation
Annex 10 – Digital Transformation & DES Digital Proposal
Key Findings
Why It Matters
-
Heavy reliance on manual/paper workflows
-
Fragmented IT landscape (CAMS, Juakali, Excel)
-
Staff resistance to digital tools
-
Missed fintech opportunities
-
Vendors benefit from DES insights, not vice versa
-
No sandbox testing before production
-
Security/Privacy: paper & fragmented systems increase PII risk
-
Compliance: regulators expect digitized auditable workflows
-
Operations: manual processes limit scalability & resilience
-
Reputation: outdated compared to fintech competitors
-
Finance: missed revenue & higher operating costs
-
Culture: resistance signals weak modernization leadership
Action Plan
KPI
-
Immediate: form DES Digital Task Force, identify top 3 processes to digitize, establish sandbox, communicate vision
-
Short-term: phased roadmap for CRM replacement, mobile-first apps, automation; digital literacy training; pilot digital-only workflows
-
Long-term: operationalize DES Digital as fintech arm, migrate legacy operations gradually, expand offerings (digital wallets, consumer lending), embed digital KPIs into performance reviews
-
100% new systems tested in sandbox before production
-
50% paper process reduction in 12 months
-
90% staff complete digital literacy training
Partnering With DGT to Solve These Gaps
If DES engages DGT IT Support Services, the organization will immediately stabilize its IT and cybersecurity operations. All audit findings will be directly remediated with structured roadmaps to guide improvements. IT systems and vendor management will be brought under centralized governance for better control and efficiency. Compliance will be aligned with RA 10173 (Data Privacy Act), SEC regulations, ISO standards, and future BSP readiness requirements. In addition, continuous monitoring, regular reporting, and staff training will be implemented to sustain long-term improvements.
The DGT Advantage
Proven Expertise – Certified cybersecurity professionals with financial institution experience
Global Standards – Frameworks mapped to ISO 27001, SOC 2, COBIT, and RA 10173
End-to-End Support – Identity, infrastructure, compliance, ticketing, automation, and digital transformation
Future-Proofing – DES Digital roadmap to position DES as a fintech competitor, not just a legacy operator
Building DES Digital – Future-Proofing Financial Services
Why DES Digital?
-
Current DES operations are paper-heavy, compliance-limited, and tied to legacy AFP workflows
-
Fintech competitors are rapidly moving into automation, mobile-first, and digital services
-
DES Digital allows modernization without disrupting DES’s existing structure
Regulatory Advantage:
-
Under SEC Circular on Exempt Transactions (Section 10.1), DES Digital can:
-
Raise capital from limited investors without full SEC registration
-
Structure early-stage ownership flexibly to attract strategic partners
-
Accelerate launch without heavy upfront compliance burdens
Strategic Goal:
-
Position DES Digital as a separate fintech arm focused on:
-
Mobile-first lending and digital customer onboarding
-
CRM/ERP automation and paperless operations
-
Regional expansion into untapped consumer markets