Information Technology and Information Security Governance Policy
MauBank Ltd (“Bank”) is committed to embedding a strong risk culture within the organization and continues to embrace risk management as a core competency that allows the organization to optimize risk-taking through objectivity and transparency.
An Information and Technology Risk Management framework is in place to provide management with explicit and well-informed risk-based guidance on both existing and emerging threats. To support this framework, an Information Technology Security Policy is in place to guide staff members with regard to IT-related risks and to ensure compliance with it.
2. Overview of information technology and information security policies
The Bank has in place a set of policies, such as the Information Technology Organisation and Management Policy, the Information Security Policy and the Data Protection Policy, with the objective of maintaining the confidentiality, integrity and availability of information at all times when stored and processed.
This set of policies is regularly updated to adopt evolving best practices and is made available to all staff of the Bank through the internal server. Regular training and e-learning sessions are conducted by the IT and IT Security Risk Management (ITSRM) teams in liaison with the Bank’s Learning Academy to ensure effective understanding and implementation of the policies.
The Bank has in place the three lines of defence model, whereby at the First Line of Defence (FLOD) the Information Technology function reports to the Chief Information and Digital Officer, at the Second Line of Defence (SLOD) the ITSRM function reports to the Chief Risk Officer, and at the Third Line of Defence (TLOD) the Information Technology Audit function reports to the Head of Internal Audit. Accordingly, the Internal Audit Team conducts regular audits to test the effectiveness of the policies.
The Bank also has in place an Operational Risk Committee (composed of Senior Management members) and a Board Risk Management Committee (composed of Board members) where, inter alia, matters relating to technology risks are escalated for discussion and for the monitoring of agreed action plans.