Compliance
ISO 27001 · Information Security
Fulfilling international standards of security. Implementation-ready controls governing access, cryptography, and operational integrity.
Securing the personal identities, bank accounts, and biometric records of over 65,000 state employees is a critical responsibility. The Anambra State Enterprise Payroll System (ASEPS) has been designed and implemented in alignment with the **ISO/IEC 27001:2022 Information Security Management System (ISMS)** standard.
Achieving official certification is a priority roadmap goal. To facilitate this, the technical and administrative controls of the ISO 27001 Annex A are already coded directly into the core monorepo architecture.
Annex A Security Controls Implementation
Access Controls
Governed by 12 first-party system roles (SYS_ADMIN, CTO_OVERRIDE, AUDITOR, etc.) alongside custom, scope-defined roles. Access is bound tightly to specific MDAs, LGAs, or payroll tiers.
Cryptography Controls
All transmission uses TLS 1.3 minimum. Sensitive data at rest (biometrics, credentials, banking info) uses AES-256 envelope encryption managed via secure Key Management Services (KMS).
Operations Controls
Privileged actions—including payroll cycle execution, manual overrides, and key rotations—require dynamic TOTP Multi-Factor Authentication (MFA). All execution logs are completely immutable.
System Controls
Continuous integration and continuous deployment pipelines (CI/CD) with automatic static analysis, vulnerability scanning, and isolated QA staging prior to staging production bundles.
Threat & Vulnerability Management
ASEPS undergoes bi-annual, independent third-party penetration testing and automated daily vulnerability scanning. Network traffic is monitored continuously by AWS GuardDuty to detect and isolate unauthorized access attempts.
In closing