Technology Policy
Purpose
The purpose of this KCB Group Plc Technology Policy is to align Technology services to Group vision, mission, purpose, and values using the following pillars:
- People & Culture
- Operational Excellence & Customer Experience
- Cyber Security
- Digital Transformation and Innovation
- Governance
Policy Statement
This policy sets out the KCB Group Technology management framework, which shall enable the business in a flexible, agile and sustainable way while ensuring security and cost effectiveness through building the right capabilities, technology and innovation. This shall be achieved by implementing standards, procedures and processes that enable the bank to identify, evaluate and build adequate capacity to manage the Technology function.
Scope
This policy is applicable to the KCB Group Operating Entities and should be observed by all staff, management, agents, consultants and third parties such as contractors and service providers.
Key Principles
Technology Strategic Planning - KCB Group shall undertake planning for Technology facilities that translates the KCB Group vision, mission, purpose and values into actionable and measurable Technology goals, strategies, initiatives and programs. This policy provides direction for long, medium and short-term plans and for their recommendation, approval and implementation as per the technology governance policy. The strategic plan takes into account demands for capital investment, risk, governance and human resources. This shall be achieved through: the creation of a highly skilled, creative, motivated and focused technology workforce; investment in Technology that generates business value; investment in innovation to drive digital transformation and deliver leading customer propositions; strengthening the cybersecurity posture and empowering ownership of cybersecurity responsibilities; and delivering quality digital business products and services that meet and exceed customer expectations.
Enterprise Architecture - This policy shall ensure that Group business strategy is translated into effective enterprise technology by mapping and designing the Group business objectives into key Technology deliverables to facilitate the Group's future state within defined organization risk framework.
Innovation - This policy shall provide a technology framework for business and strategic innovation through People, Processes, Technology and Budget. This shall be achieved within the KCB Group through Innovation Focus teams and/or through strategic partnerships. Strategic partnerships shall adhere to all relevant KCB Group policies.
Governance
Governance shall entail the following:
People - Governance of Technology Human Resources shall ensure alignment to business objectives through analysis, planning, investment, and management of human capital.
Processes - KCB Group Technology shall adopt best practices to effectively respond to growing business, regulatory and contractual requirements within the business context, focusing on where their use will provide the most value to the KCB Group. The best practices are aimed at achieving a cost-effective and well controlled Technology delivery.
Technology - KCB Group shall ensure proper governance in technology acquisition, development, operation, maintenance, and retirement.
Budget - Technology Group budget management is a key determinant of the success of Technology initiatives, and as such great emphasis shall be placed on Technology budget creation, spend, monitoring and alignment to business and Technology governance to ensure that requested funding is appropriate and well utilized.
Security
KCB Group shall be guided by the ISO/IEC 27001:2013 standard, as outlined in the following 14 control domains of its Annex A, and shall develop adequate standards, procedures and processes to operationalize them:
Technology Security Policies: This domain shall address controls on how security policies are written, approved and reviewed. KCB shall have a documented and followed Technology Security Program based on ISO 27001. KCB shall map its security program to the ISO 27001 control set, and the mapping shall show which KCB policy, standard or procedure addresses each control so that any gaps in coverage are visible.
Organization of Technology Security: This domain shall address controls on how responsibilities are assigned. Information security responsibilities shall be defined through KCB Group organization structures. At each level, authorization levels shall be properly defined to support business objectives.
Technology Asset Management: This domain shall address controls related to the inventory of assets and their acceptable use, information classification, and media handling.
Human Resources Security: This domain shall address controls prior to, during and after employment, based on Technology and Human Resources controls.
Physical and Environmental Security: This domain shall address controls defining secure areas, entry controls, protection against external and environmental threats, equipment security, secure disposal, and the clear desk and clear screen policy, based on Technology and Group Risk controls.
Communications Security: This domain shall address controls related to network security, network segregation, network services, transfer of information and messaging, based on Technology and Group Communication controls. The day-to-day management of Technology production (change management, capacity management, malware protection, backup, logging and monitoring, software installation and technical vulnerability management) is addressed under Operations Security below.
Operations Security: This domain shall address controls related to operational procedures and responsibilities, protection from malware, backup, logging and monitoring, technical vulnerability management and information systems audit considerations.
Access Control: This domain shall address the business requirements for access control, user access management, user responsibilities, and system and application access control, based on Technology and Group Risk controls.
Cryptography: This domain shall address controls on the use of cryptographic controls and on key management.
Technology Systems Acquisition, Development and Maintenance: This domain shall address controls defining security requirements for Technology acquisition, development and operational processes. Security shall be implemented in all phases of the system lifecycle. Security control requirements shall be identified and enforced through cryptography, integrity protection and secure software development procedures.
Information Security Incident Management: This domain shall address controls for reporting events and weaknesses, defining responsibilities, response procedures, and the collection of evidence.
Business Continuity Management: This domain shall address controls requiring the planning of business continuity, procedures, verification and review, and IT redundancy, based on Information Technology and Group Business Continuity controls.
Supplier Relationships: This domain shall address controls related to information security in supplier relationships and supplier service delivery management.
Compliance: This domain shall address controls requiring the identification of applicable laws and regulations, intellectual property protection, personal data protection, and reviews of information security, based on Information Technology and Group Compliance controls.
There shall be relevant standards and procedures to address the following:
- Software Licensing Management: to ensure that there is an effective guideline for managing relevant license assets and their legal usage.
- Technology Hardware: to ensure that there is standardization of hardware based on KCB Group Technology standards.
- Configuration Management Database: to ensure that asset information is correct and up to date as per KCB Group Technology standards.
- E-Waste: this policy shall ensure adherence to guidelines for lifecycle management of all Technology assets, from acquisition to disposal, in a manner conforming to sound environmental norms, KCB Group Sustainability guidelines, regulatory requirements and KCB Group Technology standards.
- Record and Archival Management: this policy shall ensure adherence to guidelines on the creation and use of electronic records, and to standards for classifying, managing and archiving these records from the time of creation to disposal, based on KCB Group guidelines and the Prudential Guidelines of all countries of operation.
- Technology Change Management: this policy shall ensure adherence to management direction and high-level objectives for change management and control. Implementation of change management and control to mitigate risks and enhance business enablement shall be aligned to this policy.
- Service Availability Management: this policy shall provide a framework to optimize the capability and performance of the Technology infrastructure, services and supporting processes to deliver a cost-effective and sustained level of service availability that meets business requirements. There shall be corresponding standards and procedures including, but not limited to, Incident Management, Problem Management, Demand/Capacity Management, Service Level Management and Technology Documentation Management.