First Bank of Nigeria plc

Strength & Stability in Uncertain Times

Annual Report & Accounts 2009

Business Review

Information Security Risk Management

Information Security Risk Management Framework

FirstBank has adopted an integrated approach to Information Security Risk Management in line with the ISO 27001 standard. Its fundamental objective is to ensure the confidentiality, integrity and availability of its information assets.

Information assets are viewed as very critical assets of the Bank and shall therefore be adequately protected. The protection of FirstBank's information assets is critical to the Bank's business continuity and its ability to meet business objectives. Accordingly, the Information Security Management Department (ISMD) has been assigned the responsibility of ensuring that the Bank's information assets are adequately protected at all times. This responsibility is shared by both management and employees of FirstBank, irrespective of designation or function.

The diagram below depicts the various stakeholders within the FirstBank information security organogram.

Information Security Roles and Responsibilities

Final authority and responsibility for safeguarding FirstBank's information assets rests with the Board of Directors. Key responsibilities of the Board with respect to information security are detailed below:

  1. Approve the Bank's overall Information Security Framework and policy;
  2. Ensure that the Bank's information security posture is maintained in line with its risk appetite and commensurate with the risks associated with its information assets.

FirstBank, through its information security management, is continually putting in place structures to help protect its information assets and create assurance for investors. As part of its responsibility, ISMD monitors risk indicators such as information security-related incidents, supplemented by trend analysis that highlights high-risk or emerging issues so that prompt action can be taken to address them.

Information Security Risk Mitigation

In light of the recent rise in incidents of information insecurity and compromise resulting from identity theft and social engineering attacks on financial institutions globally, FirstBank has taken a number of proactive measures to ensure that its systems are not vulnerable to these attacks.

These include:

  1. Information security controls are being built into all existing processes and procedures, while security procedures have been developed to bridge the gaps in identified areas;
  2. The Bank carried out a comprehensive classification of all its information assets, with priorities/custodians allocated to each asset to ensure that the right level of security is assigned based on criticality;
  3. The Bank engaged the services of an independent company to carry out a bank-wide security risk assessment, to determine the security posture of the Bank and allocate appropriate safeguards to its assets.

FirstBank has developed a robust information security framework that addresses its immediate and future needs to ensure a safe and secure operating environment for its customers and staff. The Bank will continue to improve on its information security drive through programmes aimed at enhancing staff knowledge and customer protection against password compromise, social engineering attacks and the use of keylogging devices as hacking tools.
