INFORMATION SECURITY MANAGEMENT SYSTEM (ISMS) POLICY STATEMENT

Globus Bank (“Globus” or “the Bank”) is committed to continually improving the quality of financial services by leveraging Technology and People to deliver exceptional customer experience, as well as to meeting applicable legal requirements for our products and services.

As a leading development finance institution, Globus Bank recognizes the need to ensure business operations are performed smoothly and without any interruptions for the benefit of all stakeholders.

The Bank aligns processes to achieve compliance with these commitments by implementing and maintaining an Information Security Management System (“ISMS”), forming an integral part of the Bank’s business strategy, and designed to meet the requirements of ISO 27001 (Information Security Management System), ISO 20000 (IT-Service Management System), and ISO 22301 (Business Continuity Management System).

The Objectives of implementing and maintaining an Information Security Management System (“ISMS”) for the benefit of all stakeholders include:
  • Ensuring 100% of business information is adequately protected and readily available, and business continuity risks are treated and controlled within the Bank’s risk appetite.
  • Ensuring 95% of information security risks and cyber threats are reduced to the Bank's acceptable level and are effectively managed.
  • Ensuring 80% of Globus Bank's stakeholders are fully aware of their cybersecurity responsibilities.
  • Ensuring 100% compliance with applicable legislation, regulations, and contractual obligations.
Globus Bank’s Executive leadership is committed to proactively:
  • Implementing the necessary capabilities to ensure the continuity of its critical business functions during serious disruptive incidents or disasters and to ensure the recovery of such critical functions to an operational state within acceptable timeframes.
  • Developing business continuity capability as a strategic asset comprising adequate resources and capabilities; including approvals of appropriate budget where required to achieve the required Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO).
  • Ensuring the Information Security Management System (ISMS) objectives are set, and adequate resources are provided to achieve them. ISMS Objectives must be in alignment with the business requirements, and compatible with the strategic direction of the Bank.
  • Achieving ISO 27001 certification and maintaining it on an ongoing basis.
  • Obtaining ideas for improvement via regular meetings with customers and stakeholders, and documenting them in a Continual Improvement Plan.
  • Reviewing the continual improvement log at regular management meetings to prioritize and assess timescales and benefits.
  • Raising the awareness of all our employees and stakeholders to ensure the benefits of meeting the ISMS objectives are understood.
  • Ensuring all employees are made aware of and understand the ISMS policy, procedures, and supporting documentation, through training and provision of information. Compliance is confirmed as a result of formal internal audits and at management review, which is conducted at least once a year.
To achieve the Information Security objectives, Globus Bank has established Information Security Policies which comprise:
  • Mobile Device Policy - This policy aims to set out the controls that must be in place when using mobile devices. It is intended to mitigate the risks of loss or theft of mobile devices, including the data on them.
  • Cloud Computing Policy - Ensuring rules are established for the selection and management of cloud computing services so that data is appropriately protected according to its business value and classification.
  • Remote Working Policy – This policy provides management’s directive and operational guidelines for Remote Working Access connection to Globus Bank’s corporate network.
  • Human Resource Security Policy - The purpose of this policy is to establish management directives for the administrative obligations to be fulfilled when individuals join, work for, or leave the Bank, to ensure the security of corporate information systems and data.
  • Acceptable Use Policy - The purpose of this document is to outline clear acceptable guidelines for the use of the information systems and other information assets at Globus Bank.
  • Information and Data Classification Policy - Under this policy, information assets within Globus Bank are classified based on classification levels. The classification will determine how the document should be protected and who should be allowed access to it.
  • Access Control Policy - This policy provides a framework for how user accounts and privileges are created, managed, and deleted.
  • Password Policy - The policy establishes standards for the creation of strong passwords, the protection of those passwords, and the management process for all bank information systems and services.
  • Cryptographic Policy – This policy establishes rules in Globus Bank for protecting classified information through the use of cryptographic techniques to “scramble” data so that it cannot be accessed without knowledge of a key.
  • Physical and Environmental Security Policy - The purpose of this document is to define the guidelines for physical access to various assets - systems, equipment, facilities and information, based on business and security requirements for access.
  • Clear Desk and Clear Screen Policy – This Policy provides guidelines for the protection of the Bank’s sensitive information, in electronic and paper forms, by ensuring that computer screens are locked/logged off when unattended and other forms of information (document/media) are safely locked out of reach when not in use.
  • Change Management Policy - The purpose of this policy is to ensure that the delivery of IT and business services is not negatively impacted by systems, data, infrastructure, application, or software changes and that all changes are recorded and carried out in a planned and authorized manner to mitigate associated risks.
  • Anti-virus and anti-malware Policy - The purpose of this policy is to ensure the safety and security of Globus Bank’s system resources from harm and damage caused by the invasion of malicious code into various systems, such as computer code, files, applications, and other relevant information technology platforms and utilities.
  • Backup Policy - The purpose of this document is to ensure that backup copies are created at defined intervals and regularly tested.
  • Software Policy - This policy sets out how software will be acquired, registered, installed, and developed within Globus Bank.
  • Logging and Monitoring Policy - This policy sets out how monitoring of systems and infrastructures must be carried out.
  • Technical Vulnerability Management Policy - This document sets out Globus Bank’s policy on how it will assess and manage technical vulnerabilities within the IT environment, which includes the cloud services it uses.
  • Network Security Policy - This policy sets out Globus Bank’s rules and standards for network protection and acts as a guide for those who create and maintain our IT infrastructure.
  • Electronic Messaging and Internet Usage Policy - This policy document tells you how you may use Globus Bank’s internet and electronic messaging facilities, including what you must and must not do. It applies to all users of these facilities whatever the means of access or location of access might be.
  • System Acquisition, Development, and Maintenance Policy - The purpose of this document is to set out Globus Bank’s policy in the development of software applications and components in a way that maximizes their inherent security.
  • Information Security Policy for Supplier Relationships - The purpose of this document is to set out the organization’s information security policy around supplier relationships.
  • IP and Copyright Compliance Policy - The purpose of this policy is to document how intellectual properties and copyright requirements will be identified and complied with.
  • Data Retention, Archival, and Disposal Policy - The main purpose of this Policy is to create the right environment for the management, retention, archiving, and disposal of information (paper and electronic).
  • Data Protection and Privacy Policy - This Policy sets out how the Bank will collect, process, and store the personal data of its employees, customers, clients, contractors, vendors, and other third parties. The Policy applies to all personal data that the Bank processes regardless of the format or media on which the data are stored or to whom they relate.
  • Patch Management Policy – This policy sets out the framework for conducting patch management and keeping all components that form part of the Globus Bank Information Technology infrastructure up to date with the latest and/or most stable (upon testing and reviews) patches and updates.
  • API Integration & Security Policy – This policy provides guidelines for Application Programming Interface (API) management and governance.
  • Bring Your Own Device (BYOD) Policy - The purpose of this policy is to outline clear policies for the use of BYOD devices within Globus Bank.
  • Social Media Policy - This policy sets out guidelines for how Globus Bank-controlled social media accounts should be used and offers basic advice for the appropriate use of personal accounts outside of the work environment.
  • Privileged Access Management Policy - This policy is designed to inform and manage the potential risks to privileged access by ensuring that adequate controls are in place to maintain the confidentiality, integrity, and availability of systems and data.
These established information security policies are publicly available to all interested parties and are reviewed periodically to take account of applicable local, statutory, regulatory, and customer requirements and any changes in business activity.

These policies apply to all Bank employees, its contractors, its consultants, and other individuals affiliated with Third Parties who have access to the Bank’s information or business interests.

Signed:

Elias Igbinakenzua

Managing Director

29th February 2024