Introduction
- 1.1. This Policy on Use of Sim Korpor Facilities (the “Policy”) describes the principles underlying the acceptable use of Sim Korpor facilities (described in paragraph 2.1, below) and summarizes the main responsibilities and obligations associated with that use. This Policy is effective upon the completion and adoption of all the Sim Korpor system deliverables.
- 1.2. This Policy is written in accordance with the Information Technology (I.T.) Security Policy and applies to all persons using Sim Korpor facilities (the “Users”).
- 1.3. The Head of the Sim Korpor Project is responsible for reviewing this Policy biannually and, where necessary, recommending updates to this Policy.
- 1.4. The Head of the Sim Korpor Project is responsible for ensuring that all Users are aware of this Policy and receive appropriate information on IT security.
- 1.5. This Policy does not affect or in any way abrogate the principles set forth in, or the applicability of, (i) the Code of Conduct for RCB Personnel and (ii) the RCB IT Policy.
- 1.6. Additional controls, procedures and technical responsibilities carried out by the IT Department on behalf of the Bank are detailed in the IT Controls Procedures [3].
Use of Sim Korpor Facilities
- 2.1. Reference to Sim Korpor facilities includes hardware and software (including, but not limited to networks, servers, switches, cabling, computers, storage media and devices (fixed, portable, removable or otherwise), access control devices and mobile and fixed telephony apparatus) owned, leased, hired or licensed by or to the Bank.
- 2.2. Sim Korpor facilities and data that reside on the Bank’s IT facilities shall be used primarily for Bank purposes as provided for in this Policy.
- 2.3. Information, data and applications held or created in Sim Korpor facilities, systems and devices are the property of the Bank and Users are responsible for ensuring that all Bank data, information and systems under their control are protected against unauthorized access, disclosure and modification.
- 2.4. The IT Department is authorized to identify instances of excessive volumes of material stored on the Bank’s network which IT believes to be non-business-related. After giving due notice to the owner of such files and allowing the owner to make a business case to IT and the relevant line manager for their retention, the IT Department will remove such files if retention is not approved.
- 2.5. Users must not use or access or attempt to use or access data or software stored in Sim Korpor facilities for which they are not authorized.
- 2.6. Users who print, photocopy or transfer any Bank data (e.g. onto laptops, disks, memory sticks or any other removable media) are responsible for ensuring that such information on these materials, media or devices is protected from unauthorized access. Such materials must be destroyed and such Bank data deleted once no longer required. Refer to the IT Controls Procedures for additional information on secure deletion of Bank data.
- 2.7. Sim Korpor equipment, including removable storage media, is the responsibility of the Department or Resident or Regional Office to which it has been allocated (the “User Department/Office”). Sim Korpor equipment, and in particular devices capable of data storage, must be secured from theft and unauthorized use. If IT equipment is lost, stolen or damaged, the User Department/Office must inform relevant authorities immediately. The User must also notify the owner of any Bank data retained on the device so as to consider potential data leakage. The User Department/Office is responsible for the replacement cost of any lost, stolen, or damaged Sim Korpor IT equipment.
- 2.8. Only software approved for use by the relevant authorities and acquired through and to the extent authorized under vendor/licensing agreements via such authorities may be used on Sim Korpor facilities. Only individuals authorized by the same may install software on Sim Korpor facilities. Downloading, installing, copying or using non-Bank authorized software on Sim Korpor facilities is prohibited, as is unauthorized copying and/or use of Bank authorized software.
- 2.9. Computers or devices that are not approved by the relevant authorities must not be directly physically connected to the Bank’s computers and the Bank’s computer networks.
- 2.10. Users will not be granted additional privileges, such as local administrator rights to their accounts or workstations, unless the request is supported by the Head of the relevant User Department/Office and approved by the relevant authority.
- 2.11. Technical information regarding the Sim Korpor facilities must not be shared with third parties, verbally, in hard copy or electronically unless with the prior written consent of the Head of the Sim Korpor. This information includes, without limitation, how systems operate, system documentation, access control and account information.
- 2.12. Fixed equipment or components, e.g. workstations, servers, switches, routers etc., must not be removed from Bank premises unless their removal has been authorized by the relevant authorities.
- 2.13. Any Sim Korpor IT equipment to be disposed of must first be checked by the IT Department and data must be permanently removed to ensure that it does not contain Bank information. Refer to the IT Controls Procedures for information on the secure deletion of electronic data.
- 2.14. Users of Bank laptops shall connect their laptops to the Bank’s network at least once a month to enable the latest security patches and software updates to be applied. Non-compliant laptops may be denied access to Bank networks.
Usage Monitoring
- 3.1. The Bank automatically monitors the use of Sim Korpor facilities.
- 3.2. The Bank shall only permit the routine inspection and monitoring of operational logs generated by automated monitoring tools by Users performing their normal authorised duties within the Bank. Disclosure of information from such logs, or other electronic media, shall only occur in accordance with the Bank’s Codes of Conduct. Investigation of data on the Sim Korpor facilities shall only be undertaken within the limits and subject to the procedures set out in the Bank’s Codes of Conduct and may additionally include IT providing information stored on Sim Korpor facilities.
Use of Passwords and Secure Access
- 4.1. Users must treat their passwords as sensitive, confidential Bank information.
- 4.2. Each User is responsible for protecting his/her password(s) and SecurID token from unauthorized use whether working on Bank premises or from home or other non-Bank locations. Users are to take due care when using their passwords and SecurID tokens whilst in public areas.
- 4.3. User network log-on passwords must be at least eight characters and contain at least three of the following four character types: uppercase, lowercase, numeric and special (!”£$%^&*()) characters. Network log-on passwords must be changed every thirty days and the same password cannot be repeated within a twelve-month period. Application passwords should, where possible, conform to these minimum standards of strength and frequency of change.
- 4.4. Users should not use Sim Korpor passwords for non-Sim Korpor accounts. Sim Korpor related and non-Sim Korpor related passwords should differ from one another.
- 4.5. Users must not attempt to discover the password of another User.
- 4.6. Users must not share or disclose their passwords under any circumstances. Users must not display passwords openly, for example on Post-It notes, notepads etc.
- 4.7. Compromised passwords must be changed immediately and reported to the service provider Helpdesk without delay.
- 4.8. Users must not attempt to access the Sim Korpor facilities or any part thereof using someone else’s User ID and/or password.
- 4.9. Each User must secure access to his or her computer, via the standard Windows screen saver, if the computer is to be left unattended.
- 4.10. Users should, as a minimum, log off from the network at the end of each working day as referenced in section 7.1 below.
Information Systems and User Access
- 5.1. Accounts for new Users will be created by the service providers on receipt of an authority from the Head of Sim Korpor with the User’s bio details. Users are required to change their passwords on first log on.
- 5.2. Users are authorised to access only the data that they have been approved to access as part of their current role.
- 5.3. Access to specific areas of the Sim Korpor applications requires the User to complete the necessary training as approved by the User’s line supervisor or Head of Department.
- 5.4. The service provider must be informed by the Head of Department/Office when a User moves between User Departments/Offices, changes responsibilities, leaves the Bank, or is absent from the Bank for more than 30 days. The service provider will disable a User’s network logon account if it has not been used in a period of 30 days and report this to the relevant Head, Sim Korpor. If there has been no request by the relevant User to enable access after another 30 days, the account will be deleted. Exceptions to the foregoing shall be authorised by the Head, Sim Korpor.
- 5.5. Heads of User Departments/Offices responsible for Users of applications that process financial information are responsible for reviewing, maintaining and approving appropriate User access rights at least annually as part of the Sim Korpor Internal Controls procedures.
Use of and access to e-mail and the Internet
- 6.1. The use of e-mail is intended primarily for Sim Korpor purposes. The Bank may monitor and review e-mail use. The Bank reserves the right to withhold delivery and quarantine e-mail that is deemed non-Bank related.
- 6.2. Users are responsible for ensuring that the content of e-mail is appropriate for the intended audience, recognising that an email and its contents can be forwarded beyond the initially intended recipients.
- 6.3. Users shall not use the Bank’s email system for the creation or distribution of any offensive or disruptive messages; Users who receive any emails with this content should report the matter to the IT Helpdesk.
- 6.4. Access to the Internet is intended primarily for Bank purposes. Users are responsible for their use of Internet facilities using their usernames and passwords. The Bank reserves the right to restrict access to certain Internet sites using commercial web filtering software and/or services.
- 6.5. The Bank is not liable for any losses a User encounters through fraud or unauthorised access of his/her personal User accounts whilst using Sim Korpor Facilities.
- 6.6. The IT Department will be responsible for providing and installing the required software for Internet browsing. No other browsing software can be installed and used on Sim Korpor Facilities.
- 6.7. Users should not use instant messaging and/or their personal e-mail accounts (e.g. Google mail) for Bank purposes and should not download attachments or click on URL links whilst accessing personal e-mail via Sim Korpor IT facilities.
- 6.8. If ordinary Users include signature blocks on emails, these should only contain name, position and contact details.
- 6.9. Users may not make comments or representations, including in any blogs, Newsgroups, Usergroups, Bulletin Boards etc., which might be construed as an official comment on behalf of the Bank without specific prior approval from authorities.
Data Backups
- 7.1. Data held on the network will be automatically backed up by the IT Department and the service provider. Users should log off each night to allow full backups to take place successfully. Data held on the local drives of Bank desktops and laptops is not backed up. It is the responsibility of Users to ensure that all data requiring backing up is stored on the network.
Viruses, Malicious Code and Malware
- 8.1. Users must comply with periodic advice and instructions from the IT Department in order to ensure that up-to-date virus protection is loaded and maintained on all Sim Korpor facilities. Users must not attempt to bypass Bank virus protection software or any other system safeguards.
- 8.2. Users should contact the IT Helpdesk if they require information or need to report issues related to viruses, malicious code and malware, for example if they suspect a file or e-mail attachment contains a virus or inappropriate material.
- 8.3. Any activities that have the intention of, or may result in, the creation and/or distribution of malicious programs into RCB’s networks (e.g., viruses, worms) are prohibited.
Telecommunications
- 9.1. Sim Korpor approved and owned/leased telecommunications devices, for example SIMs, mobile phones, modems and flash drives, should be used for Sim Korpor purposes wherever possible.
- 9.2. Users of these devices are responsible for personal usage and may be liable for charges incurred.
- 9.3. The Bank may record voice telephony conversations carried out over Sim Korpor facilities. The Bank routinely records voice telephony conversations of certain staff in support of their business activities and such staff are made aware of this.
Remote Access
- 10.1. Remote access to the Sim Korpor facilities will only be allowed after attendance at the relevant training course and once authority to do so has been granted.
- 10.2. By remotely connecting to the Bank environment with personal equipment, Users must understand that their machines are in effect an extension of RCB’s network and should take all reasonable steps to ensure anti-virus software is up to date whenever possible to reduce the risk of viruses, malicious code and malware.
IT Security Incidents
- 11.1. For the purposes of this Policy, Sim Korpor security incidents are incidents that have occurred through non-compliance with this Policy. These include, but are not limited to, theft or loss of IT equipment, loss of service or facilities, malfunctions of hardware or software, access violations or any other breach of this Policy.
- 11.2. A weakness in Sim Korpor facilities is defined for these purposes as a flaw in a system that allows a breach of this Policy once exploited. Users should report weaknesses in Sim Korpor facilities to the IT Helpdesk. Users should not attempt to test the weakness, as to do so may be treated as a breach of this Policy.
- 11.3. All actual or suspected IT security incidents or weaknesses should be immediately reported according to the Information Security Incident Management Process.
Breaches of this Policy
- 12.1. Failure of Users to observe the requirements of this Policy may be regarded by the Sim Korpor as misconduct, subject to the provisions of the Codes of Conduct or as appropriate.
Document Reference
| # | Name of Document | Owner |
|---|---|---|
| 1. | Information Technology (I.T.) Policy | I.T. Department – RCB |