ICT POLICY FOR RURAL AND COMMUNITY BANKS (JUNE 2018)

FINANCING GHANAIAN AGRICULTURE PROJECT (USAID FinGAP)

JUNE 2018

This publication was produced for review by the United States Agency for International Development/Ghana mission by The Palladium Group.


DISCLAIMER

This report is made possible by the generous support of the American people through the United States Agency for International Development (USAID). The contents are the responsibility of The Palladium Group and do not necessarily reflect the views of USAID or the United States Government.


CONTENTS

ACRONYMS & ABBREVIATIONS

INTRODUCTION

1.0. INFORMATION COMMUNICATION TECHNOLOGY (ICT) INFRASTRUCTURE

2.0. INFORMATION MANAGEMENT (IM)

3.0. IT SECURITY

4.0. COPYRIGHT AND LICENSE AGREEMENTS

5.0. SERVICE LEVEL AGREEMENT (SLA)

GLOSSARY

APPENDICES

Appendix II: Guidelines for Managing The Institution’s Website

Appendix III: Guidelines and Rules for Users of ICT Resource

Appendix IV: International Standards Organizations (ISO)

Appendix V: Sample Consent Form

Appendix VI: Policy Enforcement and Compliance


ACRONYMS & ABBREVIATIONS

BCP Business Continuity Plan

ICT Information and Communication Technology

LAN Local Area Network

MIS Management Information System

MMS Multimedia Messaging Service

PIN Personal Identification Number

RCBs Rural and Community Banks

SLA Service Level Agreement

SMS Short Message Service

WAN Wide Area Network

WLAN Wireless Local Area Network


INTRODUCTION

The Information and Communication Technologies (ICT) Policy document for the RCBs has been developed to serve as a broad guideline in the implementation of all aspects of Information and Communication Technologies. This policy seeks to ensure value addition to the business processes, meet the expectations of stakeholders and optimize returns from investment. Effective implementation of Information and Communication Technology (ICT) to achieve corporate mission and objectives requires well thought out policies, supported by the appropriate behavioral change interventions.

Management must ensure that staff read, understand, sign, and comply with this policy document and all other related documents. Management must also ensure that the necessary specific procedures or protocols that should accompany this broad policy are developed and put into effect.

The purpose of this ICT policy is to guide staff, management, and Board on the acquisition and use of the RCB’s ICT infrastructure to leverage on technology for operational efficiency, reliable Management Information Systems (MIS), improve communication with stakeholders, and enhance financial inclusion.

This policy document covers all aspects of Information and Communication Technology solutions including but not limited to Hardware, Software, Information Management, Application Development, Acquisition, Installation, Security, Networking, E-applications (Digital Financial Inclusion), Maintenance and Usage. It also covers user behavior and responsibility, systems access and control, and shall be applicable in all offices of the RCB. Furthermore, this document also covers all forms of information management and business continuity issues as well as copyright and licensing and Service Level Agreements.

Various committees and support centers with specific responsibilities shall be formed to complement and facilitate the implementation of this ICT Policy document. These may include, but are not limited to:

• ICT Steering Committee
• Change Control Committee
• Policy Enforcement and Compliance Committee
• Help Desk and Customer Support Center
• Website Content Management Committee
• Policy Review Committee

Additionally, procedure manuals and strategies should be developed to serve as guidelines for the implementation of this ICT Policy. These include, but are not limited to:

• Business Continuity Strategy
• Security Strategy
• ICT Training Strategy
• Backup Procedures
• Software and Hardware Installation
• Maintenance Procedures

Finally, the RCB shall adhere to all laws that are relevant to the implementation of the ICT Policy, such as the Data Protection Act (Act 843) and laws on Copyright, Procurement, and Human Rights, among others.


1.0. INFORMATION COMMUNICATION TECHNOLOGY (ICT) INFRASTRUCTURE

1.1 INTRODUCTION TO ICT INFRASTRUCTURE

Many institutions have witnessed rapid development of their ICT infrastructure in the last decade, although they are at different stages of development. This trend has been spurred in most cases by technological reforms and, in a few cases, by corporate strategy to improve the infrastructure. Perhaps the most significant aspect of this growing trend is the rapid expansion of networks, which has provided some advantages, including an increase in data transfer densities and extension of services to link various offices.

RCB ICT infrastructure typically has several hundred interconnected technology components. However, the four key categories of ICT infrastructure are: access devices, network infrastructure, application software, and support resources.

1.1.1 ACCESS DEVICES

Access devices are the items of ICT equipment (including the associated operating software) that are directly used by users (board, management, staff, agents, and other stakeholders). The following are types of access devices: desktop computers, iPads, laptops, mobile phones, and CCTV. Other access devices for banking activities include switches, VSat Dishes, Card Readers, projectors, digital cameras, printers and scanners (image and fingerprint), photocopiers, and POS.

1.1.2 NETWORK INFRASTRUCTURE

Network infrastructure connects the access devices to the required tools, services, and digital resources. Many of these tools, services, and digital resources are external to the RCB. The networks are connected with shared components, including common telecommunications services.

Network Infrastructure Components

The network infrastructure components include: Internal communications services, cabling and equipment; Telecommunications services; Server computers and associated storage devices; Environmental management equipment; Operating software for server computers, communications equipment and related hardware; mobile phones, POS, ATMs, Card Readers, providing tools and services that are primarily for financial transactions; and Administration networks that provide tools and services used primarily for administration.


1.1.3 APPLICATION SOFTWARE

Application software provides specific functionality for banking, reporting and administrative services. The application software required by RCBs includes: i-Trans, Passport (CCC/ACH), T-24, Check Requisition/Microchip Code, Dwarft (Money Gram), SysAid (escalating issues between IT Department and Apex Bank), NLA (Load Credit to Lotto Agents and Pay of Cash to Winners), eFass (submission of Prudential Returns to BoG), Resci (GHIPSS-issuing of ezwich cards), Gvive (verification of images), Wupos (Western Union), Money Market, Collateral Register, OFS (Bulk Transactions), U-connect (Mobile up), e-susu, Indigo systems (Issuing ATM Cards), Bynar (Connecting all Cashiers to 1 License user), and Ms Office suites. The application software can be accessed through the network infrastructure from many different computers. The application software is hosted on the RCB’s server computers located within the bank and at ARB Apex Bank (if connected to T-24 and U-connect).

1.1.4 SUPPORT RESOURCES

The resources that support ICT infrastructure are people and skills, processes, externally-provided services, and financial resources. Consequently, the purpose of this policy is to guide users of the RCB on the acquisition and effective use of ICT infrastructure to improve operational efficiency and MIS reporting and enhance digital financial services.

This section of the ICT policy document covers computer hardware and software, networking, internet and email, banking software, telecommunications, help desk, customer service, and information system governance.

1.2 HARDWARE

For this policy, hardware refers to physical components of computers, peripherals and communication devices. Hardware shall include (but is not limited to) personal computers (PCs), servers, laptops, notebooks, mobile phones, mobile computers, smartphones, printers, scanners, storage devices, Card Readers, POS, photocopiers, and communication devices (VSat dishes, switches, routers, etc.). The purpose of the hardware policy is to safeguard their acquisition, installation, use, maintenance, and disposal. Hardware components are very significant for the operation and business continuation of RCBs and therefore need to be well-protected. The following policy statements are meant to protect all hardware owned and/or used by the RCB.

Hardware

Hardware refers to: Servers, Desktop Computers, Photocopiers, Switches, Radio Devices, Antennas, Laptops, Notebooks, Printers, IPADs, Handsets, Modems, Mobile Phones, Routers, Scanners, Storage Devices, Card Readers, Rack, Cameras, POS, VSat Dishes, Projector, etc.


All hardware devices acquired or developed by the RCB will at all times remain the RCB’s property. All such hardware devices shall be used in compliance with applicable licenses, notices, contracts, maintenance, and agreements.

1.2.1 HARDWARE ACQUISITION

As a general policy, all hardware devices acquired or developed shall be centralized within the ICT Department to ensure that all equipment conforms to corporate hardware standards.

Policy Statement

i. Acquisition of all ICT hardware shall be in accordance with the Public Procurement Act (ACT 663). The ICT Department shall be responsible for the acquisition of all hardware components.

ii. For ease of connectivity to existing systems, all hardware to be acquired shall be compatible with the existing computer and network systems.

iii. The ICT Department shall ensure that suppliers of hardware components meet international and industry standards.

iv. The Bank shall maintain a list of pre-qualified manufacturers and distributors of ICT infrastructure. This list shall be continuously updated to reflect changes in the industry.

v. Requests for any ICT hardware device for use in the bank shall be submitted to the General Manager through the Head of ICT Department for consideration before budget approval. Each request shall be evaluated on a case-by-case basis.

vi. Acquisition of all ICT hardware shall be maintained and supported through a Service Level Agreement (SLA) with the Supplier/Developer of such hardware.

vii. The ICT and Finance departments shall be jointly responsible for the maintenance of the ICT hardware Assets Register to ensure full tracking of equipment.

1.2.2 HARDWARE INSTALLATION & SUPPORT POLICY

Policy Statement

i. The installation, configuration, and maintenance of all ICT hardware shall be the responsibility of the ICT Department in collaboration with the supplier, where appropriate.

ii. The deployment of new ICT hardware equipment or redeployment of existing ICT hardware equipment shall be the responsibility of the ICT Department.

iii. All problems that relate to ICT hardware shall be reported to the ICT Department by established procedures.

iv. All newly acquired hardware under warranty shall be installed and maintained by the Supplier for the period as agreed by the bank and the Supplier, where applicable.

1.2.3 HARDWARE IDENTIFICATION POLICY

Policy Statement

i. The Bank shall develop an asset identification standard.

ii. All hardware components shall be properly labeled and documented in the Bank’s Asset Register.

iii. The ICT Department shall be responsible for the maintenance of the Hardware Asset Register for the ease of tracking the devices.

1.2.4 HARDWARE DISPOSAL POLICY

Policy Statement

i. The ICT Department shall be responsible for recommending to the General Manager, for approval, the disposal (selling, cannibalizing, donating, trashing, etc.) of any ICT hardware in accordance with the Public Procurement Act (Act 663), if necessary, and the Disposal Procedures (attached as Appendix I).

ii. Disposal of all ICT Hardware shall conform to the bank's Hardware Replacement Lifecycle (three years after acquisition).

iii. The ICT Department and Finance Department shall be jointly responsible for recommending appropriate methods for disposal of obsolete ICT hardware assets to minimize unnecessary technology inventory, but ensure appropriate oversight and accountability of disposed assets.

iv. Depending on the status, recommended hardware may be disposed of through selling, trade-in, donating, or scrapping.

A department may possess hardware that is no longer required for use for various reasons: exceeded useful lifespan, obsolescence, wear and tear or deterioration, excessive cost of maintenance, etc. The common factor underlying these reasons for disposal is that the hardware is considered surplus to the requirements of that department.

An overriding consideration in any move, sale, or disposal of ICT hardware must be to ensure that any data and software licenses are properly removed. It must also be understood that any data from the RCB that is discovered by a later owner may cause a breach of confidentiality, controversy, and adverse publicity to the RCB. Ensuring adequate destruction of data is the responsibility of the ICT Department and the data owner in a particular department that owns the equipment.

1.2.4 HARDWARE SERVICING POLICY

Policy Statement

i. ONLY purchased and inventoried computers will be repaired or upgraded by the ICT Department.

ii. Used, donated, surplus, or personally owned equipment utilized at the office will not be maintained.

iii. Repairs of desktop computers, monitors, and laser printers shall be made if the repair cost (parts only) is below 50% of replacement cost and replacement parts are available.

iv. Desktop computer and monitor replacements are the responsibility of the ICT Department.

1.3 SOFTWARE

Computer software is a collection of computer programs and related data that provides the instructions for telling a computer what to do and how to do it. Software refers to one or more computer programs and data held in the storage of the computer for some purposes.


The Policy shall ensure that all software programs acquired by the RCB meet the required standards and promote seamless integration with existing systems. The policy shall also protect the RCB against illegal and unethical acquisition and use of software products.

1.3.1 SOFTWARE ACQUISITION POLICY

Policy Statement

i. Generally, all software acquired for or on behalf of the RCB or developed by staff on behalf of the RCB will remain the RCB’s property at all times. All such software shall comply with this Policy and applicable licenses, as well as Service Level Agreements and Contracts. Acquisition of all software shall abide by the Public Procurement Act (ACT 663).

ii. Acquisition and development of all RCB software shall be centralized within the ICT Department to ensure consistency and conformity to corporate software standards.

iii. Requests for any software for use in the RCB shall be submitted to the CEO through the ICT Department for consideration before budget approval.

iv. Acquisition and development of all software shall be maintained and supported through a Service Level Agreement (SLA) with the Supplier/Developer of such software.

v. Vendors/Developers of all software shall offer continuous professional training to users of the software.

1.3.2 SOFTWARE LICENSING POLICY

Policy Statement

i. The Operations and ICT departments shall jointly be responsible for reading, understanding, and following all applicable licenses, notices, contracts and agreements for software that is used or intended to be used on the bank's computers.

ii. Unless otherwise provided in the applicable license, notice, contract, or agreement, any duplication of copyrighted software (except for backup and archival purposes) shall violate this policy.

1.3.3 STANDARD SOFTWARE POLICY

Policy Statement

i. All software acquired by the Bank shall remain its property and shall be used to promote its vision and objectives.

ii. All software shall be used in accordance with Ghana’s Copyright Law (Act 690, 2005). In line with this, no pirated software shall be used on the Bank’s computer system or any ICT infrastructure.

iii. Under no circumstances may anyone use the Bank’s ICT resources in ways that are illegal (e.g., copyright violations).

1.3.4 SOFTWARE INSTALLATION POLICY

Policy Statement

The ICT Department shall be exclusively responsible for the installation and support of all software on the institution’s computers (including but not limited to office desktop computers, notebooks, laptops, and all other similar devices).

1.3.5 OPERATING SYSTEM POLICY

Policy Statement

i. To ensure system integration, all system software acquired shall be compatible with the existing operating and network environment.

ii. The Bank shall maintain a recommended list of operating systems for PCs and Servers. This list shall be updated in accordance with internal policies and industry standards.

1.3.6 APPLICATION SOFTWARE POLICY

Policy Statement

i. The ICT Department shall maintain a register of all application software acquired by the Bank, detailing their status, licensing, and maintenance agreements at regular periods.

ii. The ICT Manager is responsible for maintaining the register of software applications acquired and used by the bank.

iii. The development and acquisition of application software shall follow the Standard System Development Life Cycle (SDLC). The phases to be applied shall depend on the nature of the development or acquisition of the software.

1.3.7 SOFTWARE USAGE POLICY

The Bank shall conduct an annual review of existing application software against its mission, objectives, and operations as well as industry trends and standards to acquire new applications or update existing ones to effectively leverage on new developments in the ICT industry.

Policy Statement

i. All software acquired by the Bank shall remain its property and shall be used to promote its core mission of responsible lending, digital financial inclusion, and retaining a high value for shareholders.

ii. All software shall be used in accordance with Ghana’s Copyright Law (Act 690, 2005). In line with this, no pirated software shall be used on the Bank’s computer system or any ICT infrastructure.

iii. Under no circumstances may anyone use the bank’s ICT resources in ways that are illegal (e.g., copyright violations).

1.3.8 SOFTWARE UPGRADE POLICY

Policy Statement

i. The ICT Department shall maintain a register of all application software acquired by the Bank, detailing their status, licensing, and maintenance agreements at regular periods.

ii. The ICT Manager is responsible for maintaining the register of software applications acquired and used by the Bank.

iii. The development and acquisition of application software shall follow the Standard System Development Life Cycle (SDLC). The phases to be applied shall depend on the nature of the development or acquisition of the software.


1.4 NETWORKING

In the world of computers, networking is the practice of linking two or more computing devices together to share data. Networks are built with a mix of computer hardware and computer software. Computer networks also differ in their design. The two types of high-level network designs are known as client-server and peer-to-peer networks. Client-server networks feature centralized-server computers that store email, web pages, files, and/or applications. On a peer-to-peer network, conversely, all computers tend to support the same functions. Client-server networks are much more common in businesses while peer-to-peer networks are much more common in personal use.

1.4.1 NETWORK MANAGEMENT POLICY

The ICT Department shall be solely responsible for the management and maintenance of the bank’s Network systems. The following policies shall guide the use of all networks.

1.4.2 FIREWALL POLICY

Policy Applicability: All firewalls at the bank must follow this Policy. Departures from this policy will be permitted only if approved in advance and in writing by the ICT Manager or his designee.

Regular Auditing: Because firewalls provide such an essential barrier to unauthorized access to the bank networks, they must be audited on a regular basis. At a minimum, this audit process must include consideration of defined configuration parameters, enabled services, permitted connectivity, current administrative practices, and adequacy of the deployed security measures. These audits must also include the regular execution of vulnerability identification software. These audits shall be performed by the ICT Manager or his designee.

External Connections: All in-bound real-time internet connections to the bank’s internal networks and/or multi-user computer systems must pass through a firewall before users can reach a login banner. Aside from personal computers which access the internet on a single-user session-by-session basis, no computer system may be attached to the internet unless a firewall protects it. Such computer systems include Domain Controllers, Web Servers, Database Management Servers, Electronic Commerce Servers, and Mail servers. This means that all personal computers with connectivity to the bank’s network must employ a firewall approved by the ICT Manager or his designee.

Wherever a firewall supports it, log-in screens must have a notice indicating that: (1) the system may only be accessed by authorized users, (2) users who log in represent that they are authorized to do so, (3) unauthorized system usage or abuse is subject to disciplinary action including criminal prosecution, and (4) system usage will be monitored and logged.

The Bank’s Networks

The bank’s network design is built on the client-server topology. The networks work in both wired and wireless networks. Networks with Ethernet cables predominated in businesses, schools, and homes for several decades. Recently, however, wireless networking alternatives have emerged as the premier technology for building new computer networks.


Extended User Authentication: Inbound traffic (except internet electronic mail, regular news distributions, and push broadcasts previously approved by the ICT Department) making access to the bank’s networks through a firewall must in all instances involve extended user authentication measures approved by the General Manager or his designee. Extended user authentication involves a technology more secure than fixed passwords and user IDs.

Virtual Private Networks: To prevent unauthorized disclosure of sensitive and valuable information, all inbound traffic (except internet mail and push broadcasts) making access to the bank’s networks must be encrypted with the products approved by the ICT Manager or his designee. These connections are often called virtual private networks or VPNs. Many VPNs combine extended user authentication functionality with encryption functionality.

Firewall Physical Security: All of the bank’s firewalls must be located in locked rooms (e.g., the Server Room) accessible only to those who must have physical access to such firewalls to perform the tasks assigned by management. The placement of firewalls in the open area within a general purpose data processing center is prohibited, although placement within separately locked rooms or areas which themselves are within a general data processing center is acceptable. These rooms must have burglar alarms as well as an automated log of all who gain entry to the room.

1.5 INTERNET & EMAIL

Policy Statement

i. The bank’s email should not be used for political, business, or individual commercial gains.

ii. The bank’s email should not be used to send illegal or inappropriate contents like obscene/vulgar photographs and videos or jokes that violate morals and ethics and cause harassment, among others.

iii. The Bank and other email users should avoid inappropriate global distribution (spamming) to multiple accounts.

iv. Users shall minimize the number of messages in their inboxes to ensure efficiency in the management of the bank’s email system and mail server space.

v. When users send out confidential information, they must mark it as such.

vi. Misuse of email services (i.e., hacking, broadcasting unsolicited messages, personal, political, social, religious, and other non-bank related matters) can result in disciplinary action.

vii. The ICT steering committee will develop, maintain, and review rules (protocols) about the use of emails on web-based forums to ensure that staff, management, and board understand them.

The presence of the bank on the internet through its website is to provide information about the bank to the world at large. In this electronic age, the website is the primary gateway into the world. It is the electronic home of the bank and the first point of call for visitors who desire information about the bank. The home page and everything posted on it, therefore, reflect its image. The total content of the website must, therefore, be treated in a way that conforms to and is consistent with the avowed image the bank has determined to maintain as its posture to the world at large.

The bank provides internet, intranet, and email services for the benefit of its staff, management, and board. The service is a privilege that must be used responsibly and productively. Its use should not be in contravention of the bank’s strategic direction and image. The following policies are to be followed in the use of these services.

1.5.1 INTERNET POLICY

The bank provides access to the internet as a privilege and demands that time spent on it be used exclusively for educational purposes. The bank, therefore, requires that the resource is used appropriately.

1.5.2 E-MAIL POLICY

For core banking and business application, the bank’s email system should not be used for purposes that are not related to bank’s goals. The ICT Department will ensure that there is no abuse of these privileges. Users shall consent to the policy on email by signing a consent form (Attached as Appendix V) before opening an email account. The bank shall reserve the right to access and view sent and received messages if it becomes evident that its policy is being violated.

1.5.3 SOCIAL NETWORKING POLICY

Policy Statement

A Website Content Management Committee shall regulate the social networking services provided by the RCB website.

A social networking service is an online service, platform or site that focuses on building and reflecting on social networks or social relations among people, who, for example, share interests and/or activities. A social network service consists of a representation of each user (often a profile), his/her social links, and a variety of additional services. The bank should take advantage of social networking to market its products and services.

1.5.4 WEB POSTING AND CONTENT MANAGEMENT POLICY

Everybody can access the bank’s website. However, resources will be made available to staff, management, and board as defined by the ICT Steering Committee.

Social Networking

Most social network services are web-based and provide means for users to interact over the Internet. Social networking sites allow users to share ideas, activities, events and interests within their individual networks.


Policy Statement

i. The institution’s homepage shall be updated regularly by a Website Content Management Committee whose Terms of Reference is attached as Appendix II.

ii. Access to resources will be granted through authentication of Password and Username.

iii. Group Web Pages: Individuals, departments/units, and employees may develop and maintain web pages within the institution domain name. These web pages must conform to best practice standards as defined by WCMC.

iv. The use of the institution’s logo on the websites must conform to the corporate colors.

v. All images posted should reflect what the institution stands for. Large JPEG files that take a long time to upload onto the website should be avoided.

vi. Web posting & publishing: The Content Management Committee shall be responsible for posting, updating and publishing all materials on the website.

vii. A feedback mechanism will be incorporated to keep track of the number of visitors to the site, and to collect and respond to the comments they leave behind.

viii. Links are to be monitored regularly and non-functioning links removed or repaired promptly.

ix. The page layout of the institution’s home page should conform to best practice standards. The website must be easy to navigate. It must also include a search feature that will aid easy location of information.

1.6 TELECOMMUNICATION

Telephone communication is an essential part of the day-to-day operations of the bank. The telecommunication usage at the bank shall conform to internally acceptable procedures. All users of the bank’s telephone and voice mail system shall adhere to the following policies:

1.6.1 TELEPHONE SERVICE POLICY

The telephone system of the bank is considered an information resource and will be guarded accordingly. The telephone reception is a major gateway into the bank. The receptionists who answer telephone calls act as the voice and ears of the bank at the point of call reception.

Policy Statement

i. The Institution shall limit the number and duration of telephone calls made from its system. It shall limit the making of personal calls that exceed a reasonable amount of time without the permission of a supervisor. The level of personnel will determine who requires direct dedicated lines and those who will be assigned extensions.

ii. Misuse of telephone services can result in disciplinary actions including termination of appointment.


iii. The institution reserves the right to monitor telephone use (e.g., to check for customer care quality, excessive personal usage, retrieve lost messages, comply with investigations or wrongful acts, recover from system failure, etc.).

iv. Telephone Procedures: All telephone users will receive a manual (to be developed by the ICT and HR Department) on how to operate the telephone.

1.6.2 VOICE MAIL SERVICE POLICY

The voicemail system of the bank is considered an information resource and will be guarded accordingly.

Policy Statement

i. Each user of the Institution voicemail system shall record an appropriate greeting.

ii. Voicemail is to be used as backup to receive telephone calls in the absence of the personnel and as a way to present the institution appropriately to callers.

iii. Users are required to respond to voicemail messages in a timely manner.

iv. Each voicemail box will have a PIN number (Personal Identification Number). The number must be changed at least once every year to aid in the maintenance of mailbox security. The user shall maintain confidentiality and not share the PIN with any other person.

v. The institution’s voicemail system should not be used to transmit obscene, offensive, and inappropriate messages. It should also not be used as an avenue for harassment.

vi. Misuse of voicemail services (e.g., breaking into a voicemail box with an unauthorized password, creating and transmitting an intimidating hostile message, broadcasting messages on personal, political, social, religious and other non-related matters) can result in disciplinary action including termination of appointment.

vii. The institution reserves the right to monitor voicemail messages (e.g., to retrieve lost messages, comply with investigations or wrongful acts, recover from system failure, etc.).

viii. Voicemail Procedures: All employees with voicemail access will receive a manual on how to set up and operate voicemail. If they encounter difficulties, they are to contact the IT Department for assistance.

1.6.3 SHORT MESSAGE SERVICE (SMS) AND MULTIMEDIA MESSAGING SERVICE (MMS) POLICY

SMS (Short Message Service) is a service that most mobile devices provide. It allows mobile device users to communicate with their friends and family via text messages. SMS is also used to send pictures and videos and may be able to process other phone files such as emoticons and audio files. Unlike other communication methods such as Bluetooth and internet access, SMS uses standard radio transmissions between cell phones and cell phone towers, much like regular cell phone calls, in order to send text messages, videos, pictures, audio files and emoticons from one cell phone subscriber to another.

Policy Statement


The management of SMS and MMS shall conform to the Institution’s work culture, ethics, corporate values and principles.

1.7 INFORMATION SYSTEM GOVERNANCE AND ORGANIZATION

The following policy guidelines are expected to enhance enforcement to ensure that Information and Communication Technology (ICT) is being used only for the bank’s support and activities.

1.7.1 FRAMEWORK GOVERNING THE USE OF ICT RESOURCES

The governance structure for the management of ICT resources is as follows:

1. ICT Steering Committee
2. Systems Manager
3. Systems Officer
4. Users
   a. Super Users
   b. Authorizers
   c. Operators/Tellers

Policy governing the use of ICT Resources

Policy Statement

i. ICT services administered within the institution shall be used only by staff as well as other authorized persons. The authorization shall be done by either the General Manager, the Head of the ICT Department, or the Head of the Department requiring the computer facility.

ii. ICT facilities available for use within the Institution may be used only for transactions, teaching and learning, research, personal educational development, administration and management of the business, development and communication work.

iii. The institution reserves the right to monitor all communications and other use of ICT systems in order to ensure compliance with these rules.

[Figure: ICT governance structure. ICT Steering Committee; Systems Manager/ICT Manager; Systems Officer/IT Officer; Users (Super Users, Authorizers, Operators/Tellers)]


iv. Access gained through permitted use of the institution’s ICT resources to other computing centres and facilities linked shall be governed by ICT department.

v. Usernames and other allocated resources shall be used only by the registered holder (user). Users shall maintain a secure password to control access to their usernames and accounts. Users shall ensure that passwords are not stored in locations that can easily be accessed by anyone other than the authorized password holder. Use shall not be made of computing resources allocated to another person unless such use has been specifically authorized by the ICT Department.

vi. No person shall by any deliberate act or omission or by failure to act with due and reasonable care jeopardize the integrity of any ICT equipment, facilities or resources, whether within the institution or in other computing locations to which the facilities at the institution allow connection. Such acts include (but are not limited to):

a. The use of tools to alter the behavior of network devices;
b. The scanning of ports on external computers;
c. Circumvention of Network Access Control;
d. Monitoring or interception of network traffic;
e. Associating any device to network access points, including wireless, to which the user is not authorized;
f. The copying, downloading, distribution or storage of music, video, film or other material for which one does not hold a valid license or other valid permission from the copyright holder;
g. The distribution, copying, or storage by any means of pirated or unlicensed software or music;
h. The use of mailing lists for non-transaction purposes; or
i. The unauthorised use of programs on central servers, which consume such resources as to reduce significantly the server's performance for other users.

1.7.2 OUTSOURCING POLICY

Servicing of equipment (Generator, VSAT Dishes, Photocopier, Network Cabling, POS, CCTV, PABX)

Policy Statement

Outsourcing may be considered only under the following circumstances:

i. Accelerated reengineering benefits – achieve dramatic improvements in critical performance measures such as cost, quality, service, and speed.

ii. Access to world class capabilities – continue to make extensive investments in technology, methodologies, and people.

iii. Free up resources for other purposes – redirect resources, most often people, towards more profitable and productive activities.

iv. Improved focus – increased focus on core business because operational functions are handled by an outside expert.

v. Reduced operating costs and increased competitiveness – save on research, development, marketing, and deployment expenses.

vi. Reduced risk – investments are based on many clients, which means any risks are shared across the client base.

vii. Gain resources that are not available internally – a viable alternative to attempting to build that capability for the institution.


1.7.3 TROUBLESHOOTING POLICY

Policy Statement

The institution shall adopt the following 10 step Universal Troubleshooting Process:

i. Prepare for troubleshooting through situation assessment
ii. Prepare damage control plan
iii. Get a complete and accurate symptom description
iv. Reproduce the symptom
v. Do the appropriate corrective maintenance
vi. Narrow down to the root cause
vii. Repair or replace the defective component
viii. Test
ix. Discover the solution
x. Prevent future occurrence of this problem

1.7.4 MAINTENANCE AND REPAIRS POLICY

When to carry out ICT Maintenance

ICT Maintenance can be carried out as follows:

a) Preventive, which aims at retaining the system’s capabilities before the occurrence of any problem (e.g., system failure).
b) Corrective, which aims at restoring the defective item(s) to the required state.
c) Adaptive, which focuses on adjusting a software product to interface with a changing environment properly.
d) Perfective, which refers to enhancements to the product to either add new capabilities or modify existing functions.

Policy Statement

The policies for maintenance and repairs shall be as follows:

i. Electronic devices (e.g., PCs, monitors, laptops, printers, etc.) should not be placed directly near a heating or cooling source, such as heating vents or air conditioners.

ii. The institution shall develop best practices and guidelines for scheduling and performing maintenance operations on its ICT infrastructure.

iii. Power sources should not be connected directly into wall outlets but should rather be connected first to some form of surge protector.

iv. All ICT equipment should be covered with dust covers.

v. Care should be taken when moving a PC from one location to another.

vi. Data files should not be stored in the same directory as the software to eliminate the possibility of accidentally erasing or overwriting a software file.

vii. A set of backup rescue disks should be kept for the operating system.

viii. Backup copies of original software should be kept either on an external drive or disk.

ix. Records of applications installed and the procedures followed to install them should be kept. All documentation that comes with a computer and its components must be kept. The document serves as a reference if something goes wrong.


x. Hard drives should not be compressed. Compressed hard drives are more likely to become corrupted than those that have not been compressed.

xi. A virus scan program should be installed automatically to scan for viruses when the system boots. Users should not download any files from the internet unless one is certain the source is not transmitting a virus.

xii. Users should not use any storage media that has been used in another computer unless one is certain the other computer is free of viruses and will not pass the virus onto their system.

1.8 PRINTING POLICY

Printing is a high-expenditure cost center of every organization including the bank. It is, therefore, necessary to promote responsible use of the bank’s printing resources and to bring down printing cost by preventing the wastage of paper and toner ink by staff.

Policy Statement

The following policies will be enforced:

i. The institution’s printers will only be used to print documents that are relevant to the day-to-day conduct of business and not be used to print personal documents.

ii. The printers should not be used to print multiple copies of documents. After printing the first copy, subsequent copies should be photocopied.

iii. To use paper judiciously, use duplex printing (i.e., double-sided printing) feature of printers.

iv. Limit toner use by selecting lighter toner settings/options.

v. Avoid printing email messages unless required.

vi. Color printing is discouraged especially where black-and-white is what is needed.

vii. The ICT Department will be responsible for assisting users to solve problems of paper jams, empty toner, printer malfunctioning, etc.

viii. All printing and photocopies of Bank’s documents should be done internally.

1.9 IT AUDITING POLICY

Purpose

To periodically conduct a Security Audit on any system of the bank. Audits may be conducted to:

• Ensure integrity, confidentiality, and availability of information and resources;
• Investigate possible Security/Audit incidents and ensure conformance to the bank’s Security Audit policies;
• Monitor user or system activity where appropriate.

Scope


This Policy covers all computer and communication devices owned or operated by the bank. This Policy also covers any computer and communications devices that are present on the bank premises (Head Office and all Agencies), but which may not be owned or operated by the bank.

Policy

When requested, and for the purpose of performing an audit, any system or network access needed will be provided to the IT Audit Team. This access may include:

• User level and/or system level access to any computing or communications device;
• Access to information (electronic, hardcopy, etc.) that may be produced, transmitted, or stored on bank equipment or premises;
• Access to work areas (server rooms, offices, reading rooms, storage areas, etc.); or
• Access to interactively monitor and log traffic on the bank network.

Scope of IT Auditing

• IT Policies and Procedures
• Back-up
• Business Continuity Plan
• Disaster Recovery Plan
• Maintenance Schedule
• User Access
• Hardware Register

1.9.1 SUMMARY OF THE AUDIT PROCESS

The IT Audit Process is summarized as follows:

1. Pre-Engagement Activities

a) Acceptance of client.
b) Obtain a preliminary understanding of client’s business and assess risk/benefit of acceptance.
c) Prepare Audit Engagement Letter and/or contract.

2. Audit Planning Activities

a) Obtain in-depth understanding of client’s business and internal control structure.
b) Perform evaluation of control and inherent risk.
c) Determine materiality limits.
d) Determine the audit approach.
e) Design substantive tests.
f) Assign audit personnel and prepare a time budget for audit work.

3. Audit Fieldwork Activities


a) Perform analytical procedures and substantive testing.
b) Document audit procedures performed and conclusions reached.

4. Finalizing the Audit

a) Review audit working papers at appropriate levels (in accordance with firm policy).
b) Evaluate audit differences.
c) Obtain and review financial statements prepared by the client (or assist the client in preparing).
d) Perform audit conclusion procedures:
   o Review subsequent events and contingencies.
   o Consider going concern assumption.
   o Obtain Management Representation Letter and Legal Representation Letter.
   o Perform final Review and Approval.
e) Issue the Audit Report.


2.0. INFORMATION MANAGEMENT (IM)

2.1 INTRODUCTION

The Bank receives a large quantity of data and generates an enormous amount of information to satisfy the information needs of its stakeholders. It is therefore important that data and information are managed efficiently, effectively and coherently. For this reason, the Bank recognizes its data and information as a corporate asset, similar to other important assets such as buildings, vehicles, and finance. Information must therefore be properly managed like any of these assets. This information management policy seeks to ensure proper management of the Bank’s information in the form of files, documents, and records storage. Through the implementation of this policy, the Bank will establish an efficient and effective system to enhance the processing, capturing, retrieval and sharing of data to meet the information needs of the key stakeholders.

2.1.1 SCOPE

This section of the policy is binding on the entire Bank including its offices located in various parts of the regions. It also applies to staff, management, and Board. All key recorded information, regardless of the medium (electronic or paper), is covered in this policy. The information management policy establishes the framework for developing specific procedures and guidance for data and information. Therefore all other information products and procedures must be subject to this policy.

2.1.2 REGULATORY FRAMEWORK

As a Bank established under the Company’s Code, the Bank is subject to all regulatory frameworks related to data and information management in Ghana. This policy commits to all relevant regulation related to data and information in Ghana. Currently, such legal frameworks include:

i. The IT Security Policy
ii. The Data Protection Act
iii. The Copyright Law
iv. Public Procurement Act (Act 663)
v. The Right to Information Bill (when it is promulgated into law)

| IM Policy objectives

The policy objectives are to ensure that:

i. Adequate records of the Bank are created and maintained.

ii. Each data element is captured only once to avoid duplication.

iii. Information and records are coherent and consistent across the bank.

iv. All data and information are accessible to authorized users.

v. All data and information are safe and secure.

vi. Data and information management meets appropriate legal and standard requirements.


| Records and Non-records

According to the International Standards Organization – ISO 15489 (Appendix V), a record is: “Information created, received, and maintained as evidence and information by an organization or person, in pursuance of legal obligations or in the transaction of businesses.” A non-record is an item of information that is of immediate use only and has no subsequent value. An example may be an email response to a staff’s inquiry.

Any other law that comes into force shall be binding on the Bank regarding its data and information management.

2.2 GENERAL INFORMATION MANAGEMENT POLICY GUIDELINES

The Bank recognizes the value of its data and information and expects them to be managed effectively and efficiently by the following general policy guidelines.

2.3 RECORDS MANAGEMENT

The success of the bank depends on the effective and efficient management of its records. The bank adopts this information and records management policy to ensure that data is captured, processed, and maintained effectively and efficiently to satisfy the information needs of its stakeholders.

2.3.1 RECORDS AND NON-RECORDS POLICY

In this policy, a distinction is made between records and non-records. Records are vital for generating information for internal decision-making and external reporting. This section states the general policies of the bank on maintaining and managing records of its applicants, clients, group members, vendors, finances, and assets. Mainly, all records generated within the bank or received from outside must be well-managed and preserved.

Policy Statement

i. The bank shall maintain a register of record types on what qualifies as a record. The register shall define for each record type, the source, the responsible manager, and who can access the records.

ii. The bank shall maintain a database (electronic and paper) for all records generated within or received from stakeholders. The bank’s record types shall include Applicant records, Client records, Loan records, Group membership records, Transaction records, Asset records and Financial records, etc.

iii. The bank shall maintain an electronic database for each of the above record types.

iv. The responsible manager for each record type shall also be responsible for developing and maintaining procedure manuals to enhance the efficiency and effectiveness of data captured and processed.

2.3.2 CLIENTS’ RECORDS POLICY

Clients are important stakeholders of the bank and must, therefore, be treated as critical inputs of the bank’s processes. The bank gathers so much data from clients from the time they apply to become account holders until they discontinue doing business with the bank. It is therefore imperative that the bank maintains effective and efficient procedures for managing clients’ records.


Policy Statement

i. The Bank shall maintain an electronic database on all clients at all times.

ii. To ensure effective audit trail, a relationship shall be maintained between clients’ records and their transaction records.

iii. The head of ICT Department shall be responsible for the accuracy and maintenance of clients’ records.

iv. The ICT Head develops procedure manuals for capturing, handling, and managing client records.

v. Clients shall be responsible for providing updates and for the accuracy of their personal data.

vi. Principles of data protection and privacy as noted in the Data Protection Act shall apply to the management of client records.

2.3.3 STAFF RECORDS POLICY

Staff of the Bank constitute an essential stakeholder group. It is therefore essential that the bank maintains accurate records on management and officers to provide information for internal as well as external reporting.

Policy Statement

i. The bank shall maintain an electronic database on all staff.

ii. The head of HR shall be responsible for the accuracy and maintenance of staff records.

iii. The HR head shall develop procedure manuals for capturing, handling and managing staff records.

iv. Principles of data protection and privacy as noted in the Data Protection Act shall apply to the management of staff records.

v. Both technical and administrative measures shall be applied to protect the integrity of the bank regarding private and confidential records.

vi. Staff are responsible for the accuracy of their data.

vii. Staff shall have electronic access to their records as and when is required by the head of HR.

2.3.4 VENDOR FIRMS RECORDS POLICY

The bank shall keep records of all vendors it deals with to ensure easy access to accurate information on the firms and for procurement purposes.

Policy Statement

i. The bank shall maintain an electronic database on all vendor firms in Ghana, indicating their standing and licensing status.

ii. The head of ICT shall be responsible for the accuracy and updating of the firms’ records.

iii. The ICT head shall develop a procedure manual for managing records on vendor firms.

iv. The firms are responsible for the accuracy of their basic data.


2.3.5 ASSETS RECORDS POLICY

The Bank owns some assets, and it should be easier to trace them. As a result, the following policy guidelines will apply.

Policy Statement

i. The bank shall maintain an electronic database on all assets including fixed and financial assets.

ii. The bank shall appoint an Assets Record Manager who will be responsible for maintaining accurate information on all assets owned and/or used by the bank.

iii. The bank shall develop asset classification codes for all fixed assets.

iv. Electronic records shall be maintained of files and folders belonging to the bank.

2.3.6 ACCESS TO RECORDS POLICY

Records are vital to the bank and must therefore be highly protected.

Policy Statement

i. All electronic records must be password protected, allowing only legitimate users to access the data.

ii. All physical records shall be well-protected in file cabinets and secured against theft and possible natural disasters such as fire and flood.

iii. Applicants, clients, group members, and vendor firms shall have secure access to information about themselves.

2.3.7 ARCHIVING AND DISPOSAL OF DATA

The bank shall maintain archives for both electronic and paper records.

Policy Statement

i. Information that has outlived operational usefulness but may have historical usefulness must be sent for archival storage.

ii. If information is not required for archiving and has outlived its usefulness, it shall be destroyed.

iii. The ICT manager shall work with the relevant units to develop a procedure manual for archiving and disposal of data.


3.0. IT SECURITY

3.1 SECURITY POLICY

This policy applies to all ICT hardware, software, data, and documentation and must be adhered to by all staff, board members, and other key stakeholders.

Policy Statement

To be in a state of preparedness, the bank shall:

i. Identify all vital resources including ICT resources that are at risk.

ii. Have a Business Continuity Plan (BCP) that identifies and minimizes risks, especially for critical systems and sensitive information in the event of a disaster.

iii. Develop, implement, and periodically test its Business Continuity plans at least once a year.

iv. Correct any deficiencies revealed by the test.

v. Train employees to execute the recovery plan.

vi. Annually certify the updating and testing of the Business Continuity Plan.

3.1.1 PHYSICAL SECURITY POLICY

Policy Statement

i. It shall be a policy of the bank to protect ICT hardware, software, data, and documentation from misuse, theft, unauthorized access, and environmental hazards.

ii. The confidentiality and integrity of data stored on the bank's ICT systems shall be protected by access controls to ensure that only authorized users have access. This access shall be restricted to the functions that apply to the users.

3.1.2 USER ACCOUNT POLICY

This policy shall apply to the ICT Department and Users in the following manner:

Policy Statement

i. The ICT Department shall:

a. Be responsible for the administration of access to the bank's ICT system.
b. Retain and maintain a record of all access codes used.
c. Ensure that Contractors/Consultants on Projects have restricted access to the bank’s ICT systems.
d. Undertake periodic audits.

ii. The Heads of Departments shall notify the ICT Department promptly of new users in advance to allow the creation of user access credentials, email accounts, applications, and system permissions.


iii. The Heads of Department shall notify the ICT Department promptly whenever a user is disengaged from the bank or transferred to another office so that his/her access credentials can be revoked and/or changed and all ICT resources retrieved where necessary.

All users shall ensure that:

i. CDs, disks, pen drives and other magnetic storage devices are out of sight when not in use.

i. Storage devices, PCs, laptops, printers, and other ICT hardware devices are kept away from environmental hazards such as food, smoke, liquids, high or low humidity, heat, direct sunlight, and magnetic fields.

ii. All ICT equipment such as PCs, PABX, notebooks, and file servers, are protected by an uninterruptible power supply (UPS) and surge/voltage protectors.

iii. They do not take shared portable equipment such as computer notebooks, iPads, and pen drives, which are property of the bank, out of the offices without the informed consent of the Departmental/Unit Head of the respective user.

iv. They safeguard the bank’s valuable electronic equipment assigned to them against loss and damage. Users who neglect this duty may be accountable for any loss or damage that may result.

The ICT Department shall ensure that:

v. ONLY authorized users have physical access to the Data Center.

vi. Contractors/Consultants on projects have restricted access to physical ICT infrastructure.

vii. All ICT documentation (both in hard copy and soft copy) shall be stored in a fire-proof safe.

viii. Notebooks, laptops, iPads, and other portable devices shall be carried and stored in appropriate bags at all times.

ix. Computers, notebooks, laptops, iPads and other similar devices shall be protected by passwords.

x. The bank shall establish a surveillance system to monitor facilities and installations.

3.1.3 PASSWORD POLICY

Overview

Passwords are an essential aspect of computer security. They are the front line of protection for user accounts. A poorly chosen password may result in the compromise of the Bank’s entire corporate network. As such, all employees (including contractors and vendors with access to the bank’s systems) are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords.

Purpose

The purpose of this Policy is to establish a standard for the creation of strong passwords, the protection of those passwords, and the frequency of change. Additionally, all users’ PCs must be password-protected.

Scope

The scope of this Policy includes all personnel who have or are responsible for an account (or any form of access that supports or requires a password) on any system that resides at any agency/branch.


Policy Statement

i. The ICT Department shall ensure that password creation is part of the Security Strategy document.

ii. Users shall be compelled to change their passwords periodically.

iii. Users shall be responsible for the protection of their passwords and shall NOT disclose or share their passwords with others, nor record or store them where they may be easily obtained.

iv. Users shall be responsible for all computer transactions that are made with their User Accounts and/or Passwords.

v. Users’ Passwords shall conform to the institution's Security Strategy.

General Password Construction Guidelines

General Policy

• To ensure that all data remains confidential or securely viewed, all PCs must be configured with a screensaver password that locks without user intervention after a minimum of 15 minutes. Screensaver passwords are not required on test or server room computers.

• All system-level passwords (e.g., root, enable, administrator, application administration accounts, etc.) must be changed on at least a quarterly basis.

• All user-level passwords (e.g., email, web, desktop computer, etc.) must be changed at least every three months.

• With the establishment of Active Directory infrastructure, “complexity” will be activated which will require that 3 of the 4 requirements be met: alpha, numeric, upper case, and/or a symbol.

• User accounts that have system-level privileges granted through group memberships must have a unique password from all other accounts held by that user.

• Passwords must not be inserted into email messages or other forms of electronic communication.

• Where Simple Network Management Protocol (SNMP) is used, the community strings must be defined as something other than the standard defaults of "public," "private," and "system" and must be different from the passwords used to log in interactively. A keyed hash must be used where available (e.g., SNMPv2).

• All user-level and system-level passwords must conform to the guidelines described below.

Passwords are used for various purposes. Some of the more common uses include user-level accounts, web accounts, email accounts, screen saver protection, voicemail passwords, and local router logins.

Poor, weak passwords have the following characteristics:

• The password contains fewer than six characters

• The password is a word found in a dictionary (English or foreign)

• The password is a common usage word such as:

o Names of family, pets, friends, co-workers, fantasy characters, etc.
o Computer terms and names, commands, sites, companies, hardware, software.
o Birthdays and other personal information such as addresses and phone numbers.
o Word or number patterns like aaabbb, qwerty, zyxwvuts, 123321, etc.
o Any of the above spelled backward.
o Any of the above preceded or followed by a digit (e.g., secret1, 1secret)

Strong passwords have the following characteristics:

• Contain both upper and lower case characters (e.g., a-z, A-Z)

• Have digits and punctuation characters as well as letters (e.g., 0-9, !@#$%^&*()_+|~-=\`{}[]:";'<>?,./)

• Are at least six alphanumeric characters.

• Do not contain a word in any language, slang, dialect, jargon, etc.

• Are not based on personal information, names of family members, etc.

• Passwords should never be written down or stored online. Try to create passwords that can be easily remembered. One way to do this is to create a password based on a song title, affirmation, or another phrase. For example, the phrase might be: "This May Be One Way To Remember," and the password could be: "TmB1w2R!" or some other variation.
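The construction guidelines above can be expressed as an automated check. The following is an added example, not part of the policy: the sample wordlist, the four-character run length, the reading of "alpha" as lower-case letters, and all function names are assumptions.

```python
import string

# Values taken from the policy text.
MIN_LENGTH = 6        # fewer than six characters is listed as weak
REQUIRED_CLASSES = 3  # "3 of the 4 requirements" under Active Directory complexity

# Constructed sample wordlist (assumption). A deployment would load a full
# dictionary plus local terms such as staff names and product names.
SAMPLE_WORDLIST = frozenset({"secret", "password", "welcome", "banking", "ghana"})

# Alphabet, digit and keyboard rows used to spot runs such as qwerty or zyxwvuts.
_SEQUENCES = ("abcdefghijklmnopqrstuvwxyz", "0123456789",
              "qwertyuiop", "asdfghjkl", "zxcvbnm")
_RUN = 4  # shortest run treated as a pattern (assumption, not from the policy)


def character_classes(password):
    """Return which of the four classes (lower, upper, digit, symbol) appear."""
    classes = set()
    for ch in password:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        elif ch in string.punctuation:
            classes.add("symbol")
    return classes


def looks_like_pattern(password):
    """Detect aaabbb, 123321, qwerty and zyxwvuts style word or number patterns."""
    p = password.lower()
    # Two or fewer distinct characters (aaabbb) or a palindrome (123321).
    if len(set(p)) <= 2 or p == p[::-1]:
        return True
    # Any run of _RUN characters taken from a sequence, forwards or backwards.
    windows = {p[i:i + _RUN] for i in range(len(p) - _RUN + 1)}
    return any(w in seq or w in seq[::-1] for w in windows for seq in _SEQUENCES)


def is_dictionary_based(password, wordlist=SAMPLE_WORDLIST):
    """Detect a listed word, the word spelled backward, or either form
    preceded or followed by digits (secret1, 1secret)."""
    core = password.lower().strip(string.digits)
    return bool(core) and (core in wordlist or core[::-1] in wordlist)


def check_password(password, wordlist=SAMPLE_WORDLIST):
    """Return the list of guideline violations; an empty list means none found."""
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append("too_short")
    if len(character_classes(password)) < REQUIRED_CLASSES:
        findings.append("complexity")
    if is_dictionary_based(password, wordlist):
        findings.append("dictionary")
    if looks_like_pattern(password):
        findings.append("pattern")
    return findings


if __name__ == "__main__":
    # Constructed sample inputs, including the examples quoted in the policy.
    for candidate in ("TmB1w2R!", "Secret1", "1terceS", "zyxwvuts", "123321", "aB1!"):
        print(f"{candidate!r}: {check_password(candidate) or 'no findings'}")
```

"Secret1" satisfies the 3-of-4 complexity rule yet is still reported as dictionary-based, which is why the complexity setting alone does not enforce these guidelines.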

Password Protection Policy

Do not use the same password for different accounts (e.g., personal ISP account, option trading, banking, benefits, etc.). Where possible, don't use the same password for various access needs. For example, select one password for email and separate passwords for other IT systems. Do not share the passwords with anyone, including administrative assistants or secretaries. All passwords are to be treated as sensitive, confidential information.

Here is a list of actions to avoid to keep your password protected:

• Don't reveal a password over the phone to anyone

• Don't reveal a password in an email message

• Don't reveal a password to the boss

• Don't talk about a password in front of others

• Don't hint at the format of a password (e.g., "my family name")

• Don't reveal a password on questionnaires or security forms

• Don't share a password with a family member

• Don't reveal a password to co-workers while on vacation

If someone demands a password, refer them to this document or have them call someone in the ICT Department.


Do not use the "Remember Password" feature of applications.

Again, do not write passwords down and store them anywhere in your office. Do not store passwords in a file on any computer system (including phones or similar devices) without encryption.

Change passwords every three months (except system-level/server passwords which must be changed quarterly). The recommended change interval is every four months.

If an account or password is suspected to have been compromised, report the incident to the ICT Manager and change all passwords. Password cracking or guessing may be performed on a periodic or random basis by the ICT Manager or his delegates. If a password is guessed or cracked correctly during one of these scans, the user will be required to change it.

3.1.4 SYSTEM USAGE POLICY

Policy Statement

i. Users shall ensure that computers and other accessories such as UPS are fully shut down and turned off at the end of each working day.

ii. The ICT Department shall ensure that computers that are left unattended are shut down.

3.1.5 POLICY ON VIRUS, WORMS, HACKING AND OTHER HARMFUL PROGRAMS

Computer viruses and worms are programs designed to make unauthorized changes to programs and data. Viruses and worms can cause the destruction of or damage to corporate property.

Policy Statement

i. The ICT Department shall be responsible for the implementation of an effective virus security strategy.

ii. All ICT systems of the Institution shall have up-to-date anti-virus protection.

iii. Users of notebooks, laptops, iPads and similar devices shall ensure that they have up-to-date anti-virus protection.

iv. Users shall ensure that all storage media (including pen drives, zip disks, and CDs) they attach/load to their ICT systems are free from viruses.

v. Under no circumstances shall users attempt to disable or interfere with the virus scanning software.

vi. No user shall knowingly introduce a computer virus or worm into the institution's ICT systems.

vii. Only authorized pen drives or CDs (or similar devices) with safe files that pertain to the institution’s activities shall be used on the institution’s ICT systems.


viii. Any user who suspects that his/her PC or workstation has been infected with a virus shall IMMEDIATELY shut down such system and inform the ICT Department Help Desk.

ix. Users shall not download, install, or play games on the institution’s computer systems.

x. It shall be the responsibility of the ICT Department to develop a strategy to prevent hacking.

3.1.6 NETWORK SECURITY POLICY

This policy establishes responsibility and authority for the security of the bank’s data, voice, video, audio, and image network.

Policy Statement

The ICT Department shall:

i. Employ best practices and guidelines to protect the communication network and ICT systems.

ii. Prepare and publish security alerts, notices, recommendations, and guidelines for network and system administration.

iii. Monitor backbone network traffic as necessary and appropriate for the detection of unauthorized activity and intrusion attempts.

iv. Carry out and review the results of automated network-based security scans of the systems and devices on the institution's networks in order to detect known vulnerabilities or compromised hosts.

v. Coordinate investigations into any alleged computer or network security compromises, incidents and/or problems.

3.1.7 RELEASE OF INFORMATION TO THE PUBLIC

The bank operates within the banking sector, and the confidentiality of information about clients, staff and stakeholders must be protected. Some key information kept by the bank about staff and customers is not for public consumption.

Policy Statement

i. Information about clients and staff of the institution shall not be released or disclosed to a third party. If its use is abused, the institution stands the risk of being held liable and may be unable to escape blame.

ii. Information about clients or staff shall however be disclosed to a third party under the following circumstances:

a. When requested by a regulatory body,
b. When the client or staff gives express consent, or
c. When a legally-mandated body requires it.

3.2 ANTIVIRUS POLICY

Policy Statement

i. All computers used in the institution must have the institution’s standard antivirus software installed. It is the responsibility of all users to avail their machines for the installation of the antivirus software. This should normally be done during the setup of the PCs or laptops for network access.

ii. For computers not connected to the network, the officer in charge at the Department should liaise with the ICT Department to have the updates done regularly.

iii. Any software or data received from any external source, including the original manufacturer and on the internet, must be treated as suspect and not installed, executed or used in any other fashion until it has been scanned for viruses using the institution’s standard virus detection software.

iv. Users should call the attention of the ICT Department immediately for assistance if a virus incident or similar activity is noticed and cannot be cleaned by the user. Report should be made to the ICT Department if the problem persists.

3.3 BACKUP POLICY

The purpose of backups is to restore a system to its current state in case of system failure or to restore individual files inadvertently deleted or lost to ensure business continuity.

Policy Statement

i. The ICT Department shall be responsible for ensuring that data and software under its control are adequately protected from loss due to equipment failure, malicious intent, disasters, etc.

ii. The ICT Department shall be responsible for establishing and maintaining a process which ensures:

a) The reliability of data and software
b) That data and software are recoverable
c) That adequate and secure on-site and off-site storage is provided
d) That the institution’s business is uninterrupted

iii. All strategic computers shall be backed up on a daily, weekly, monthly, and yearly basis.

iv. All backup procedures and equipment shall adhere to the guidelines and procedures set by the ICT Department.

v. Backup verification shall be undertaken to ensure that backup copies can be retrieved for use in an emergency.

vi. Information such as system logs and usage logs shall be stored for a period so as to provide sufficient data for usage analysis and to help investigate security incidents.

vii. All backup devices, servers and storage media shall be stored in a secure area with limited access.

viii. Copies of the backup media, together with the backup record, shall be stored safely in a remote location at a sufficient distance away to escape any damage from a disaster at the main site.

3.3.1 OFF-SITE STORAGE & IN-HOUSE STORAGE

Regardless of the size of the organization, there is an equal requirement to protect data.

Policy Statement

Depending on the nature and confidentiality of data and information, off-site or in-house storage strategies will be adopted by the institution.


3.4 STAFF ICT DEVELOPMENT POLICY

User training has become even more important in these days of rapid technological advancement and global computer insecurity that is characterized by rampant attacks on the IT systems and web browsers of corporate entities. It will therefore be necessary for the bank to develop its staff to equip them to adequately protect the bank’s system from various security threats and fast-changing methods of attack.

3.4.1 TRAINING POLICY

Research suggests that when users are trained about computer use and security threats, they work more efficiently and are better able to protect organizational resources from unauthorized intrusion or data compromise. This policy recognizes the need to protect the bank’s resources on the network and to enhance employee efficiency. Specialized training will, therefore, be given to employees with access to sensitive or regulated data and to all front-line users who interact with users.

3.4.2 SHORT COURSES

Policy Statement

i. All staff of the ICT Department shall receive continuous professional training to equip them to provide the requisite services to the staff of the bank.

ii. The training will be in the form of short courses organized both within the bank and off-site.

3.4.3 COACHING

Policy Statement

i. To support the training in ICT-related issues, one-on-one on-the-job coaching and mentoring will be encouraged between staff who are skilled in ICT and staff who lack the relevant skills.

ii. The bank will seek to create a healthy coaching environment that can bring about team learning while promoting the development of individual expertise.

| Staff development

The implementation of this ICT Policy will be supported by a well-thought-out human resource strategy that will seek to address the training and development needs that can effect a culture change for information sharing and system protection within the bank.

| Training policy

ICT usage and the need for information to make sound decisions require that employees are properly trained and informed on the policies and procedures endorsed by the bank with regard to end-user computing.


4.0. COPYRIGHT AND LICENSE AGREEMENTS

4.1 COPYRIGHT AND LICENSE AGREEMENTS

The bank and its staff are legally bound to comply with the Copyright Act (Act 690) and all proprietary license agreements. Non-compliance can expose the bank and/or responsible staff to civil and criminal penalties.

4.1.1 COPYRIGHT AND LICENSE POLICY

This policy applies to all software that is owned by the bank, licensed to the bank, or developed using the bank's resources.

Policy Statement

i. The ICT Department shall:

a. Maintain records of all software licenses owned by the bank.
b. Periodically (at least annually) scan all ICT equipment to verify that only authorized software is installed.

ii. Bank staff shall not:

a. Install software unless authorized by the GM or head of the ICT Department. Only software that is licensed to or developed by the bank shall be installed on the bank's ICT systems.
b. Copy software without authorization by the GM or ICT Department.
c. Download software without authorization by the GM or ICT Department.

iii. The Bank's Service Level Agreement (SLA) shall include, but not be limited to, the following:

a. Full warranty of equipment, infrastructure, and workmanship.
b. Transportation and lodging at no cost to the bank.
c. Preventive maintenance.
d. Corrective maintenance.
e. Replacement of worn-out or unserviceable parts.


5.0. SERVICE LEVEL AGREEMENT (SLA)

5.1 SERVICE LEVEL AGREEMENTS (SLA) POLICY

5.1.1 CONTRACT MANAGEMENT POLICY

Policy Statement

The ICT Department shall manage the SLA to ensure technical and contractual compliance.

5.1.2 SLA MANAGEMENT AND REPORTING POLICY

Policy Statement

i. The bank or its stakeholders shall not acquire any ICT solution without an SLA.

ii. This Service Level Agreement Policy shall apply to all of the bank’s ICT solution acquisitions.

iii. The ICT Department, by the bank’s strategic direction of providing superior stakeholder support, shall require all suppliers of ICT solutions to provide a Service Level Agreement (SLA). This means a three-year full warranty to cover parts, labor, expertise, and transportation for all products supplied. The goal is to guarantee uninterruptible business operation for all staff of the bank.

iv. The Vendor shall manage, adhere to, and report against the agreed terms with the bank.

v. Service Level Reporting shall commence with the bank's acceptance of the system.

5.1.3 QUALITY AND STANDARDS

Policy Statement

The ICT Department shall ensure that the following areas are balanced to secure high quality and standards of SLAs:

a) Performance: Service Level Agreements made have to be met. The agreements must be measured and reported.

b) Processes: The Service Provider has to be organized in a manner that turns the performance into a manageable and influential activity.

c) Perception: The performance has to be tested continuously against expectations and needs of the receiver.


GLOSSARY

The following definitions of terms used in the Policy are provided for clarification and easy understanding.

Agreement is a negotiated and usually legally enforceable understanding between two or more legally competent parties.

Application Software, also known as an application or an app, is computer software designed to help the user to perform specific tasks. Examples include i-Trans, Passport (CCC/ACH), T-24, Cheque Requisition/Micr Cheque Code, Dwarft (Money Gram), SysAid (escalating issues between IT Department and Apex Bank), NLA (Load Credit to Lotto Agents and Pay of Cash to Winners), eFass (submission of Prudential Returns to BoG), Resci (GHIPSS-issuing of ezwich cards), Gvive (verification of images), Wupos (Western Union), Money Market, Collateral Register, OFS (Bulk Transactions), U-connect (Mobile up), e-susu, Indigo systems (Issuing ATM Cards), Bynar (Connecting all Cashiers to 1 License user) and Ms Office Suite.

Audio is an electrical or other representation of sound.

Archive is a collection of records stored for longer than their useful lifetime for historical purposes.

Backup refers to the copying and archiving of computer data so it may be used to restore the original after a data loss event.

CD-ROM, an acronym of Compact Disc Read-only memory, is a pre-pressed compact disc that contains data accessible to, but not writable by, a computer for data storage and music playback.

Computer is a general purpose device that can be programmed to carry out a finite set of arithmetic or logical operations.

Computer Network is a collection of computers and other hardware components interconnected by communication channels that allow sharing of resources and information.

Confidentiality is an ethical principle of discretion associated with a profession, such as accountancy, law and medicine.

Contract is an agreement entered into voluntarily by two or more parties with the intention of creating a legal obligation, which may have elements in writing, though contracts can be made orally. The remedy for breach of contract can be "damages" or compensation of money.

Data technically refers to ‘raw facts’ or ‘figures’. However, what constitutes data or information depends on the user and therefore may not be pre-defined. For the purpose of this Policy, data and information are used interchangeably.

Database is a collection of structured information held in electronic form.

Document refers to information stored as a single unit on a medium. A document may be texts, images, audio or video. The medium can be electronic (e.g. hard disks, flash disks, CDs, DVDs, etc.) or paper (e.g. folders and cabinets). A document can also refer to a database as defined above.

Extranet is a computer network that allows controlled access from the outside, for specific business or educational purposes.

ICT is often used as an extended synonym for Information Technology (IT), but is a more specific term that stresses the role of unified communications and the integration of telecommunications (telephone lines and wireless signals), computers as well as necessary enterprise software, middleware, storage and audio-visual systems, which enable users to access, store, transmit, and manipulate information.

Intranet is a computer network that uses Internet Protocol technology to share information, operational systems, or computing services within an organization. The term is used in contrast to Internet, a network between organizations, and instead refers to a network within an organization.

LAN (Local Area Network) connects networking devices within a short span of area, i.e. small offices.

License refers to permission as well as to the document recording that permission.

Non-Record is an item of information that is of immediate use only and has no subsequent value. An example may be an e-mail response to an applicant’s inquiry.

Notice is the legal concept in which a party is made aware of a legal process affecting their rights, obligations or duties. There are several types of notice: public notice (or legal notice), actual notice, constructive notice, and implied notice.

Policy typically describes a principle or rule to guide decisions and achieve rational outcomes.


PIN (Personal Identification Number) is a secret numeric password shared between a user and a system that can be used to authenticate the user to the system. Typically, the user is required to provide a non-confidential user identifier or token (the user ID) and a confidential PIN to gain access to a system.

Record refers to a document that has clear content, context and structure and can serve as evidence of a transaction and/or an activity. Records may originate from within the organization or from outside and are categorized according to types (e.g. client records, staff records, management records, Board records, etc.).

Record Type refers to a classification of records held by the RCB. Examples of record types are applicants and RCB records.

Staff are employees of the bank, including management.

System Software is computer software designed to operate and control the computer hardware and to provide a platform for running application software.

Voicemail is a computer-based system that allows users and subscribers to exchange personal voice messages; to select and deliver voice information; and to process transactions relating to individuals, organizations, products and services using an ordinary telephone.

Video is the technology of electronically capturing, recording, processing, storing, transmitting and reconstructing a sequence of still images representing scenes in motion.

WAN (Wide Area Network), as the word ‘Wide’ implies, covers large distances for communication between computers.

WLAN (Wireless Local Area Network) is based on wireless network technology and is mostly referred to as Wi-Fi. Unlike LAN, in WLAN no wires are used, but radio signals are the medium for communication.


APPENDICES

APPENDIX I: PROCEDURE FOR DISPOSAL OF ICT HARDWARE

Procedures for disposal of ICT equipment will be as follows:

i. The department with surplus hardware will notify the ICT Department.

ii. The ICT department will assess the condition of the hardware at the departmental location and determine the means of disposal. Based on the assessment of the hardware, the department will:

• Coordinate the transfer of the hardware with the Finance Department, and
• Arrange the transfer of the hardware to the bank’s storeroom pending periodic disposal or stored and redistributed to another location if necessary.

iii. If the hardware cannot be reused, then it should be recycled or disposed of in an environmentally-friendly manner and in compliance with Ghana’s waste management laws.

iv. Refer to Major Policies under fixed assets.

v. All data and information removed prior to disposal

DISPOSAL OPTIONS

Re-deploy: Hardware that is not capable of performing complex tasks may still be capable of performing simpler tasks and thus may be used either within its own or another department. Such hardware must be re-deployed within the Bank.

Donate: Obsolete hardware that is still operational (but no longer of use to the bank) may be donated to non-profit organizations. Hardware donation should be done based on the ultimate use or purposes (education, research, and community service).

Sale: Obsolete hardware that is still operational (but no longer of use to the bank) may be sold at fair market value to individuals, non-profit organizations, or for-profit entities. This option is subject to strict rules governing the determination of fair market value, as well as adherence to tax laws and regulations and documentation of the transaction. If computers are to be sold, they must be priced at fair market value only. If the computers were purchased with funds from a grant or a contract, they cannot be sold from one department to the other within the bank.

Recycle: Hardware may be of such age or condition that it cannot be used for its intended purposes. Such hardware should be recycled. All electronic materials to be recycled should be referred to the Environmental Protection Agency for advice on environmentally-acceptable practices.


APPENDIX II: GUIDELINES FOR MANAGING THE INSTITUTION’S WEBSITE

i. There should be a Content Management Committee.

ii. The membership of the Committee should include the website administrator.

iii. Membership qualification of the Committee: Persons should be known to have demonstrated the following attributes:

o Analytical
o Dynamic and current
o Resourceful
o Good in communication skills
o Basic knowledge of IT
o Good interpersonal relationships
o Team player
o Should be prepared to work extra hours

iv. The Committee shall be headed by the Director of Marketing/Public Relations/Communications.

v. The Committee shall be responsible for:

o Collecting, analysing and approving materials to be posted on the site.
o Ensuring that the site is updated at least every 24 hours.
o Deciding when information should be archived.
o Presenting monthly reports to management.

vi. The Committee should be empowered to have access to any information it deems relevant to its work.

vii. Any department, section, unit, or staff that wants an event posted or advertised on the website, should submit information on the event to the Committee at least five working days prior to the due date.

viii. Any information requested by the Committee should be made available within 24 hours.


APPENDIX III: GUIDELINES AND RULES FOR USERS OF ICT RESOURCE

GUIDELINES

Users of the ICT Resources:

i. Must be a staff/management personnel or board member
ii. Sign the log book
iii. Wait for the administrators to assign a computer to use
iv. Log in with user account details
v. Put all mobile phones on silent
vi. Seek assistance from the administrator in case of difficulty

RULES

i. Non-staff are not allowed
ii. Food and drinks are not allowed
iii. External media (pen/flash/external hard drives and laptops) are not allowed
iv. Viewing of video/movies is not allowed
v. Listening to radio (online, mobile, or wireless) is not allowed
vi. Viewing of pornographic sites is prohibited
vii. Moving of chairs around is not allowed
viii. Do not write on the furniture, wall, or machines
ix. All gadgets are under the sole control of the administrators
x. Sleeping is not allowed


APPENDIX IV: INTERNATIONAL STANDARDS ORGANIZATIONS (ISO)

The ISO 15489-1:2001 defines records management as "[the] field of management responsible for the efficient and systematic control of the creation, receipt, maintenance, use and disposition of records, including the processes for capturing and maintaining evidence of and information about business activities and transactions in the form of records".

The ISO 15489-1:2001 defines records as "information created, received, and maintained as evidence and information by an organization or person, in pursuance of legal obligations or in the transaction of business". The International Council on Archives (ICA) Committee on Electronic Records defines a record as "recorded information produced or received in the initiation, conduct or completion of an institutional or individual activity and that comprises content, context and structure sufficient to provide evidence of the activity."

While there are many purposes of and benefits to records management, as both these definitions highlight, a key feature of records is their ability to serve as evidence of an event. Proper records management can therefore help preserve this feature of records.

A Records Manager is someone who is responsible for records management in an organization.

Section 4 of the ISO 15489-1:2001 states that records management includes:

i. setting policies and standards;
ii. assigning responsibilities and authorities;
iii. establishing and promulgating procedures and guidelines;
iv. providing a range of services relating to the management and use of records;
v. designing, implementing and administering specialized systems for managing records; and
vi. integrating records management into business systems and processes.

Thus, the practice of records management may involve:

i. planning the information needs of an organization

ii. identifying information that requires capture

iii. creating, approving, and enforcing policies and practices regarding records, including their organization and disposal

iv. developing a records storage plan, which includes the short- and long-term housing of physical records and digital information

v. identifying, classifying, and storing records

vi. coordinating access to records internally and outside of the organization as well as balancing the requirements of business confidentiality, data privacy, and public access.

vii. executing a retention policy on the disposal of records which are no longer required for operational reasons. According to organizational policies, statutory requirements, and other regulations this may involve either their destruction or permanent preservation in an archive.

Records management principles and automated records management systems aid in the capture, classification, and on-going management of records throughout their lifecycle. Such a system may be paper-based (such as index cards as used in an office), or may be a computer system, such as an electronic records management application.


APPENDIX V: SAMPLE CONSENT FORM

Bank ICT Resources Access Consent Form - Users

This Consent Form must be signed and returned prior to being granted access to the internet and other Information and Communication Technology resources of the bank. By signing this Consent Form, users are agreeing to the terms of access as set out in the guidelines of Use of Bank’s ICT Resources and Terms of Conditions and acknowledge that they will be responsible in the event of any breach and that appropriate disciplinary steps may result.

User Acceptance

I, the user named below hereby agree to comply with all requirements as set out in the guidelines of Use of Bank’s ICT Resources and Terms of Conditions and all other relevant laws and restrictions in my access to the various information and communication technology resources through the bank’s website, Laptops and Network.

Signature:…………………………………………………………………………………………………

Name:………………………………………………………………………………..……………………

Date:………………………………………………………………………………………………………

Level/Part:…………………………………………………………………………………………………

Terms of Condition

We use the bank’s website, network, computers and Internet connection for learning and official correspondence. These rules will therefore help us to be fair to others and keep everyone safe.

• I will access any web resources with my username and password.
• On a network, I will use only my own login and password, which I will keep secret.
• I will not access, change or delete other people's files.
• I will not bring storage media (e.g. USB devices, floppy disks, R/W CD-ROMs, etc.) to use in the Bank’s ICT Resource.
• I will only use the computers for learning.
• I will only e-mail people I know, or as approved.
• Any messages I send will be polite and sensible.
• I will make sure to scan all email attachments before opening them.
• I will not use Internet chat with the Bank’s ICT Resource.
• I know that the Web Administrator may check my computer files and monitor the Internet sites I visit.
• I understand that if I deliberately break these rules, I could be stopped from using the Internet or computers.


APPENDIX VI: POLICY ENFORCEMENT AND COMPLIANCE

The principal purpose of enforcement and compliance is to change behaviour, stop actions that are contrary to law and regulation, and change future behaviour.

VI.1 Change Initiation Policy

Policy Statement

i. A Policy Enforcement and Compliance Committee, in consultation with the Human Resource Department and the ICT Department, will ensure that training for organizational change and training to raise awareness of the content of the ICT Policy are conducted.

ii. The Policy Enforcement and Compliance Committee will ensure that all service areas (e.g. Operations, Finance, Administration, ICT, Marketing, Microfinance, Risk and Compliance, Internal Audit) are aware of their responsibilities with regard to the policy, its guidelines and its implementation.

VI.2 Version Control Policy

Policy Statement

i. The Policy Enforcement and Compliance Committee shall track the changes and place the date of the reviewed policy on every page of the policy.

ii. New versions of the policy, indicating its date of review, must be well circulated/disseminated to replace the previous version.
