This policy defines how Information Security will be set up, managed, measured, reported and developed within the bank.
The boundaries of the Information Security Management System are defined as follows:
The Information Security Management System (ISMS) covers all applicable elements of the ISO/IEC 27001:2013 standard. It applies to the entire operations, products and services, business functions and their related information, people and technology as documented.
A clear definition of the requirements for information security has been agreed and this is maintained. This ensures that all ISMS activities are focused on the fulfilment of those requirements. Statutory, regulatory, and contractual requirements have been documented and serve as input into planning processes. Specific requirements regarding the security of new or changed systems or services are factored in as part of the design stage of each project.
ISMS controls implemented are driven by business needs.
Commitment to information security extends to senior levels of the organization and is demonstrated through this ISMS Policy and the provision of appropriate resources to provide and develop the ISMS and associated controls.
Top management ensures that a systematic review of performance of the programme is conducted on a regular basis to ensure that quality objectives are being met and quality issues are identified through an appropriate audit programme and management processes.
ISMS objectives are based on a clear understanding of business requirements, informed by management review with stakeholders.
These objectives are as follows:
The Business Continuity Management (“BCM”) system ensures that the Bank’s services remain operationally resilient through the preparation of plans, processes, controls and infrastructure to maintain continuity of Important Business Services (IBS) during interruptions, and through the capability to manage the impact of any crisis during such interruptions. Examples of interruptions include physical/climatic disasters (e.g. earthquake, tsunami, hurricane, typhoon, flooding), civil unrest, technology incidents (e.g. cyber breach, major system outage), utility outage, loss of license or license restrictions, terrorism and pandemics.
The requirements detailed in this Policy apply to all SCB Nigeria Departments and Branches.
Important Business Services (IBS): The Bank has identified a prioritized list of services for which high levels of operational resilience and continuity are built in throughout the life cycle of each service, in anticipation of operational disruption.
Impact Tolerance Statements (ITS): The Bank has articulated its tolerance for impact on an IBS by specifying the maximum tolerable duration of disruption to that IBS, beyond which it could pose intolerable harm to clients, to the stability of financial markets or to the firm’s safety and soundness. All processes supporting the delivery of IBSs have identified the resilience risks and controls relevant to their remit, including the risks and controls associated with the underpinning operational assets (i.e. technology, third parties, facilities, people and information) that support each IBS.
The Chief Executive Officer (CEO) has overall responsibility for ensuring the development and implementation of the Business Continuity Management System and Framework, and for defining specific second line control requirements, processes and standards against the framework. Management commitment to business continuity is demonstrated through this BCMS Policy and the provision of appropriate resources to enable implementation of the BCMS framework. Top management ensures periodic review of BCMS program performance through the Crisis Management Group (CrMG), so that objectives are being met and issues are identified through an appropriate audit program and management processes.
Business Continuity Management System (BCMS) Objectives