Professional Documents
Culture Documents
August 5, 2015
Table of Contents (Document Ref. No.)
PPS-DB-001
PPS-DB-002
PPS-DB-003
PPS-DB-004
PPS-DB-005
PPS-DB-006
PPS-DB-007
PPS-DB-008
PPS-DB-009
PPS-DB-010
PPS-DB-011
PPS-DB-012
PPS-DB-013
PPS-DB-014
PPS-DB-015
ISF-DB-016
PPS-DB-017
Diamond Bank
Business Process Assurance
Page 1 of 176
Subject: Technology Support - Internet Security Policy
PPS No.: PPS-DB-001
Effective Date: August 5, 2015
Review Date:
SERIAL #: 240-07
PAGE #: 24 of 55
REVISION: COMPLETE __X__  PARTIAL _____
AREA CORRECTED: VARIOUS
ISSUED DATE: OCTOBER 06, 2003
EFFECTIVE DATE: OCTOBER 06, 2003
SUPERSEDES/REPLACES: N/A
I. AFFECTS:
III. INTRODUCTION
12) All users must exercise caution in the use of Internet-supplied information for business decision-making purposes. Some Internet information may be outdated, unreliable or inaccurate, and in some instances even deliberately misleading. Users are advised to verify such information by consulting other sources.
Subject: Technology Support - Virtual Private Network
PPS No.: PPS-DB-002
Effective Date: August 5, 2015
Review Date:
SERIAL #: 24008
FORM NUMBER: 240-008
PAGE #: 28 of 55
REVISION: COMPLETE __X__  PARTIAL _____
AREA CORRECTED: VARIOUS
ISSUED DATE: OCTOBER 04, 2007
EFFECTIVE DATE: OCTOBER 04, 2007
SUPERSEDES/REPLACES: N/A
I. AFFECTS:
All staff
II. PURPOSE
This document provides a set of guidelines for Remote Access Virtual Private Network (VPN) connections to the Diamond Bank trusted corporate network.
III. INTRODUCTION
The rapid transformation in Information Technology and Telecommunication has broken the barrier between geographically dispersed locations, typically by leveraging the public Internet to securely extend the computing capabilities of a business home network and allow users to share information privately between remote locations, or between a remote
VI. POLICIES
1. AGMs and above shall have automatic access to the VPN service. All other staff whose job functions require such access (except staff of IT Services) shall require the approval of their Divisional Head. In addition, the approval of the Head, Customer Services and Technology shall be required to maintain the staff profile in the system.
2. Staff of IT Services who require a remote access connection to carry out their duties shall be granted access to the VPN service upon the singular approval of the Head, IT Services.
3. VPN gateways will be set up and managed by IT Services.
4. It is the responsibility of users with VPN privileges to ensure that unauthorized persons are not allowed access to the DB Plc network.
5. VPN use shall be controlled using either one-time password authentication, such as a token device, or a public/private key system with a strong passphrase.
6. When actively connected to the corporate network, the VPN will force all traffic to and from the PC over the VPN tunnel; all other traffic will be dropped.
7. Dual (split) tunnelling is NOT permitted; only one network connection per user is allowed.
8. All computers connected to the bank's internal networks via VPN or any other technology must use the most up-to-date anti-virus software of the bank's standard; this includes personal computers.
9. VPN users shall be automatically disconnected from DB Plc's network after ten minutes of inactivity or a total connection time of 8 hours per user in one session. The user must then log on again to reconnect to the network. Pings or other artificial network processes are not to be used to keep the connection open.
10. Only VPN client software that is approved by and/or distributed by the Head, IT Services shall be used to connect to the bank's VPN concentrators.
11. Approved users' laptops will be configured with the VPN client software by designated personnel at IT Services.
12. Users of computers that are not owned by the bank must have their equipment configured by IT Services personnel to comply with the bank's VPN and Network policies.
13. Use of the VPN signifies your acceptance of and compliance with all other related policies of the bank.
14. By using VPN technology with personal equipment, users must understand that their machines are a de facto extension of the bank's network and as such are subject to the same rules and regulations that apply to bank-owned equipment, i.e. their machines must be configured to comply with the bank's Information Security and other IT policies.
15. Theft or loss of any computer with a VPN client configured on it must be reported immediately to IT Services via the Service Desk.
16. The VPN may be used only for official, bank-related work. You must disconnect the VPN before attempting any non-bank-related activities from your computer.
ENFORCEMENT
17. Any user found to have violated this policy may be subject to loss of privileges or services, including but not necessarily limited to loss of VPN services.
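Policies 6 and 7 (all traffic through the tunnel, no split tunnelling) can be checked on the client itself by reading its routing table. The following is an added example, not part of the policy or of any bank tooling: it parses Linux `ip route show` output and reports any route that lets traffic bypass the tunnel, allowing only the host route to the VPN gateway and the directly attached LAN subnet, both of which a full tunnel needs to reach the physical gateway. The interface name tun0, the gateway address 203.0.113.10 and the three sample routing tables are constructed assumptions.

```python
"""Full-tunnel check against a VPN client's routing table.

Added example; it is not part of the Diamond Bank VPN policy. It parses the
lines printed by `ip route show` on Linux and reports routes that would let
traffic bypass the tunnel. The interface name, the gateway address and the
sample routing tables below are constructed assumptions.
"""
import ipaddress
from typing import List, NamedTuple


class Route(NamedTuple):
    net: ipaddress.IPv4Network
    dev: str
    connected: bool  # "scope link": the directly attached subnet of an interface


# OpenVPN's redirect-gateway installs these two halves instead of replacing "default".
HALF_A = ipaddress.ip_network("0.0.0.0/1")
HALF_B = ipaddress.ip_network("128.0.0.0/1")


def parse_routes(text: str) -> List[Route]:
    """Parse `ip route show` output; the keyword 'default' means 0.0.0.0/0."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        dest = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        dev = parts[parts.index("dev") + 1] if "dev" in parts else ""
        routes.append(Route(ipaddress.ip_network(dest, strict=False), dev, "scope link" in line))
    return routes


def split_tunnel_findings(route_text: str, tunnel_if: str = "tun0",
                          gateway_ip: str = "203.0.113.10") -> List[str]:
    """Return an empty list for a compliant full tunnel, otherwise one finding per problem."""
    routes = parse_routes(route_text)
    gateway = ipaddress.ip_address(gateway_ip)
    findings = []

    # Every destination must be covered by the tunnel: a default route on the
    # tunnel interface, or the 0.0.0.0/1 + 128.0.0.0/1 pair.
    tunnel_nets = {r.net for r in routes if r.dev == tunnel_if}
    if not any(n.prefixlen == 0 for n in tunnel_nets) and not {HALF_A, HALF_B} <= tunnel_nets:
        findings.append(f"no default route via {tunnel_if}")

    for r in routes:
        if r.dev == tunnel_if:
            continue                      # tunnel routes are what we want
        if r.net.prefixlen == 0:
            findings.append(f"default route via {r.dev} bypasses the tunnel")
        elif r.net.prefixlen == 32 and gateway in r.net:
            continue                      # host route to the VPN gateway itself is required
        elif r.connected:
            continue                      # attached LAN subnet, needed to reach the physical gateway
        else:
            findings.append(f"{r.net} via {r.dev} bypasses the tunnel (split tunnel)")
    return findings


# Constructed sample tables (not captured from a real client).
FULL_TUNNEL = """\
default via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.5
203.0.113.10 via 192.168.1.1 dev eth0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.20
"""
SPLIT_TUNNEL = """\
default via 192.168.1.1 dev eth0
10.0.0.0/8 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.5
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.20
"""
# A full tunnel with one extra static route that leaks a private range past it.
LEAKING_ROUTE = FULL_TUNNEL + "172.16.0.0/12 via 192.168.1.1 dev eth0\n"

if __name__ == "__main__":
    for name, table in [("full", FULL_TUNNEL), ("split", SPLIT_TUNNEL), ("leak", LEAKING_ROUTE)]:
        print(name, split_tunnel_findings(table) or "compliant")
```

Run it after the client reports "connected"; an empty result means the routing table agrees with policy 6, while any finding is a split tunnel even if the client software claims full-tunnel mode. The check is routing-only: policy 6 also expects non-tunnel traffic to be dropped, which is a host firewall matter this script does not inspect.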
Subject: Technology Support - E-mail Security Policy
PPS No.: PPS-DB-003
Effective Date: August 5, 2015
Review Date:
SERIAL #: 240-06
PAGE #: 18 of 19
REVISION: COMPLETE __X__  PARTIAL _____
AREA CORRECTED: VARIOUS
ISSUED DATE: OCTOBER 06, 2003
EFFECTIVE DATE: OCTOBER 06, 2003
SUPERSEDES/REPLACES: N/A
I. AFFECTS:
All staff of Diamond Bank
II. PURPOSE
The purposes of the policy statements are:
i. To provide specific instructions on the ways to secure electronic mail resident on personal computers and servers;
ii. To ensure that staff can trust the integrity of mails;
iii. To ensure that disruptions of e-mail and other services and activities are minimized; and
iv. To inform users of e-mail services how the concepts of privacy and security policy apply to e-mail.
III. INTRODUCTION
E-mail (electronic mail) is, simply put, the transmission of computer-based messages over telecommunication technology. This can be communication within the DB network or with others outside the DB network.
The e-mail security policies apply to all DB employees and in some instances the Bank's vendors who use e-mail located on
IV. POLICIES
a) All DB staff shall be created on the Bank's network and by extension will have an e-mail account. However, the ability to use e-mail for communication with parties outside the DB network shall be restricted to staff on the grade of Assistant Manager (AM) and above. Employees below the AM grade but with a proven legitimate business need for such access may be so created, subject to the joint approval of the staff's Divisional Head and Head ITG.
to the System
third party is known and trusted. Users must also ensure that the virus checker on their PC is functional and up to date.
iv. The Anti-virus administrator shall send out information whenever there is an anti-virus update, in line with the DB anti-virus policy administered by ITG.
Subject: Business Application Support - Backup Policy
PPS No.: PPS-DB-004
Effective Date: August 5, 2015
Review Date:
REVISION: COMPLETE _____  PARTIAL _____
AREA CORRECTED: N/A
SUPERSEDES/REPLACES: N/A
ISSUED DATE: 31 AUGUST 2009
REVISION DATE: 31 AUGUST 2009
I. AFFECTS
All staff of Diamond Bank Plc and its subsidiaries.
II. PURPOSE
V. GENERAL PROCEDURES
1. Backup Type:
2. Backup Frequency:
3. Tape label fields: BACKUP TITLE | BACKUP TYPE | BACKUP DATE | BACKUP SET | BACKUP SEQUENCE | BAR CODE
a. Where DDS, DAT or DLT tapes are used, the DBA or Application Administrator shall label the tape using the format below:
1. BACKUP TITLE (e.g. FCAT_DB, ECPIX, SWIFT, etc.)
2. BACKUP TYPE: FULL SYSTEM BACKUP abbreviated to FSBK; APPLICATION BACKUP abbreviated to ABK; DATABASE BACKUP abbreviated to DBBK
3. BACKUP DATE: DD/MM/YY
4. BACKUP SET (SET1 for on-site and SET2 for off-site)
5. BACKUP SEQUENCE: 1 of X, 2 of X, ... (where X is the total number of tapes used)
b. Where Snapshot or RMAN backups are taken using Data Protector, the System Administrator shall affix the bar code label to the Ultrium tape media before loading it into the tape library, which can also generate the catalogue. The bar code shall be scanned by the system and a log of the contents saved.
4. Backup Logs:
Each Application Administrator shall maintain a logbook for logging all application backups under their custody, and these shall be kept with the Librarian. Any backup taken must be registered in the appropriate backup logbook by the Application Administrator or his designate and submitted to the Librarian the same day.
These logbooks shall be kept in the transit safe in IT Services and shall be reviewed by the Librarian daily. The Librarian shall prepare an exception report of any missing application backup, and this shall be reviewed by the Strategic and Security Controls personnel before notifying the affected unit.
The log must capture the following details: Backup Title | Backup Type | Backup Date | Backup Administrator | Signature | Backup checked/verified by | Remark
The System Administrator shall generate the backup logs for all Snapshot and RMAN backups taken on the Data Protector Cell Manager. These will be reviewed and filed by the Librarian daily.
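The label format in 3(a) and the Librarian's daily exception report in 4 lend themselves to a mechanical check. The following is an added example, not part of the policy: it validates label strings against the policy's five fields and the FSBK/ABK/DBBK abbreviations, then compares a constructed logbook against a schedule to list titles with no backup inside their frequency window and tape sets whose "n of X" sequence is incomplete. The "|" separator between fields, the number of days allowed per frequency, the sample schedule and the log lines are assumptions.

```python
"""Tape-label validation and a missing-backup exception report.

Added example; it is not part of the Diamond Bank backup policy. The label
fields (BACKUP TITLE, BACKUP TYPE, BACKUP DATE as DD/MM/YY, BACKUP SET,
BACKUP SEQUENCE "n of X") and the type abbreviations come from the policy.
The "|" separator, FREQUENCY_DAYS, the schedule and the logbook lines are
constructed assumptions.
"""
import re
from datetime import date, datetime, timedelta
from typing import Dict, List, NamedTuple, Tuple

BACKUP_TYPES = {"FSBK": "FULL SYSTEM BACKUP", "ABK": "APPLICATION BACKUP", "DBBK": "DATABASE BACKUP"}

# TITLE|TYPE|DD/MM/YY|SET1 or SET2|n of X   (the "|" separator is an assumption)
LABEL_RE = re.compile(
    r"^(?P<title>[A-Z0-9_/ ]+?)\|(?P<type>FSBK|ABK|DBBK)\|(?P<date>\d{2}/\d{2}/\d{2})"
    r"\|(?P<set>SET1|SET2)\|(?P<seq>\d+) of (?P<total>\d+)$"
)

# Assumed maximum age of the newest backup before a title is reported as missing.
FREQUENCY_DAYS = {"Daily": 1, "Weekly": 7, "Monthly": 31, "Quarterly": 92}


class Label(NamedTuple):
    title: str
    btype: str
    taken: date
    bset: str      # SET1 = on-site copy, SET2 = off-site copy
    seq: int
    total: int


def parse_label(text: str) -> Label:
    """Parse one label/logbook line; reject anything outside the policy format."""
    m = LABEL_RE.match(text.strip())
    if not m:
        raise ValueError(f"label does not follow the policy format: {text!r}")
    taken = datetime.strptime(m["date"], "%d/%m/%y").date()
    seq, total = int(m["seq"]), int(m["total"])
    if not 1 <= seq <= total:
        raise ValueError(f"sequence {seq} of {total} is out of range: {text!r}")
    return Label(m["title"].strip(), m["type"], taken, m["set"], seq, total)


def exception_report(schedule: Dict[str, str], log_lines: List[str],
                     as_of_ddmmyy: str) -> Tuple[List[str], List[str]]:
    """Return (titles with no backup inside their frequency window, tape sets with tapes missing)."""
    as_of = datetime.strptime(as_of_ddmmyy, "%d/%m/%y").date()
    newest = {}   # title -> most recent backup date seen in the log
    tapes = {}    # (title, type, date, set) -> (sequence numbers seen, total tapes declared)
    for line in log_lines:
        lab = parse_label(line)
        newest[lab.title] = max(newest.get(lab.title, lab.taken), lab.taken)
        seen, _ = tapes.setdefault((lab.title, lab.btype, lab.taken, lab.bset), (set(), lab.total))
        seen.add(lab.seq)
    missing = [t for t, freq in schedule.items()
               if t not in newest or as_of - newest[t] > timedelta(days=FREQUENCY_DAYS[freq])]
    incomplete = [f"{t}|{b}|{d:%d/%m/%y}|{s}: have tapes {sorted(seen)} of {total}"
                  for (t, b, d, s), (seen, total) in sorted(tapes.items())
                  if seen != set(range(1, total + 1))]
    return sorted(missing), incomplete


# Constructed sample schedule and logbook, reviewed as of 05/08/15.
SAMPLE_SCHEDULE = {"FCAT_DB": "Daily", "SWIFT": "Daily", "PCTEL_DB": "Weekly", "WU_APP": "Quarterly"}
SAMPLE_LOG = [
    "FCAT_DB|DBBK|04/08/15|SET1|1 of 1",
    "FCAT_DB|DBBK|04/08/15|SET2|1 of 1",
    "SWIFT|DBBK|02/08/15|SET1|1 of 1",      # newest copy is three days old for a daily title
    "PCTEL_DB|DBBK|31/07/15|SET1|1 of 2",   # tape 2 of 2 was never logged
]

if __name__ == "__main__":
    missing, incomplete = exception_report(SAMPLE_SCHEDULE, SAMPLE_LOG, "05/08/15")
    print("missing backups:", missing)
    print("incomplete tape sets:", incomplete)
```

Feeding the Librarian's transcribed register through this each morning produces the exception list the policy asks for; a title that is absent from the register entirely (WU_APP in the sample) is reported just like a stale one, which is the case a manual review most often misses.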
Date Borrowed | Description | Quantity | Borrower | Unit/Department | Signature | Date Returned | Librarian's Remark | Borrower's Sign-off | Librarian's Sign-off
Staff requesting blank CDs, tapes, etc. shall obtain due approval from their supervisor and forward the request to the Librarian for action. The Librarian shall escalate this request to the Head BAS
i. The Backup Administrators shall ensure that all backups relating to their job functions are duly completed in line with the backup plan.
ii. The Librarian shall perform a daily review of the backup register to ensure completeness and accuracy of backups.
iii. The Librarian shall perform a daily review of backup tapes stored on-site and off-site (i.e. daily backup tapes) to ensure appropriate labelling and completeness of contents.
iv. The Librarian shall ensure that all tape movements in and out of the on-site/off-site media storage are properly logged in the on-site/off-site tape movement log.
APPLICATION | BACKUP TITLE | TYPE OF BACKUP | FREQUENCY | RETENTION | RESPONSIBILITY
INTERNET BANKING APPLICATION | FCAT_APP | Full System | Bi-Monthly | Yearly | IT Operations
INTERNET BANKING DATABASE | FCAT_DB | Snapshot / RMAN | Daily | Bi-Monthly | IT Operations
INTERNET BANKING WEB SERVER | FCAT_WEB | Full System | Bi-Monthly | Yearly | IT Operations
PC/TELE-BANKING | PCTEL_DB | Database | Weekly | Quarterly | IT Operations
PC/TELE-BANKING SERVER | PCTEL_APP | Full System | Bi-Monthly | Yearly | IT Operations
MOBILE BANKING SERVER | SMSBNK_APP | Full System | Bi-Monthly | Yearly | IT Operations
MOBILE BANKING | SMSBNK_DB | Database | Weekly | Quarterly | IT Operations
WESTERN UNION SERVER | WU_APP | Full System | Quarterly | Yearly | IT Operations
WESTERN UNION | WU_DB | Database | Weekly | Quarterly | IT Operations
ATM | ATM | Database | Daily | Weekly | IT Operations
CARDWORLD | CARDSOFT | Database | Daily | Monthly | IT Operations
VPAY | CARDPRO | Database | Daily | Monthly | IT Operations
FLEXCUBE DATABASE | FCR / FCC | Snapshot / RMAN | Daily | Bi-Monthly | IT Operations
FLEXCUBE DATABASE (ARCHIVELOG) | FCR_ARCH/FCC_ARCH/FCAT_ARCH | Archive log | Daily | Bi-Annual | IT Operations
SWIFT | SWIFT | Database | Daily | Weekly | IT Operations
ECPIX SERVER | ECPIX | Full System/Database | Daily | Monthly | IT Operations
KD SERVER | KD | Full System/Database | Daily | Monthly | IT Operations
XCEED | XCEED | Database | Daily | Monthly | IT Operations
FIXED ASSET / INVENTORY | FIXED_ASSET | Full System/Database | Weekly | Monthly | IT Operations
ZYIMAGE | ZYIMAGE | Full System | Weekly | Monthly | IT Operations
SERVICE DESK | SDESK | Database | Daily | Weekly | IT Operations
CALLOVER | ECALL | Full System | Daily | Monthly | IT Operations
EFASS APPLICATION | EFASS | Database | Daily/Weekly | Monthly | IT Operations
TRADETRACKER | TRADETRACK | Database | Daily | Monthly | IT Operations
RTGS | RTGS | Database | Weekly | Monthly | IT Operations
SERVER-016 | BR016_DB | Database | Daily | Monthly | IT Operations
HP UNIX SERVER | DIAM X | File System | Weekly | 2 Weeks | IT Operations
EXCHANGESVR01 (EXCHANGE SERVER) | XCHANGESVR01 | Full Online | Daily | Quarterly | IT Operations
EXCHANGESVR02 (EXCHANGE SERVER) | XCHANGESVR02 | Full Online | Daily | Monthly | IT Operations
EXCHANGESVR03 (EXCHANGE SERVER) | XCHANGESVR02 | Full Online | Daily | Monthly | IT Operations
DIAM21 (PRIMARY DOMAIN CONTROLLER) | DC | System State | Quarterly | Quarterly | IT Operations
EPO | EPO | System State/Database | Quarterly | Quarterly | IT Operations
SHAREPOINT PORTAL | SHAREPOINT | System State/Database | Daily | Weekly | IT Operations
CISCO ROUTERS AND SWITCHES | CISCO | Application | Monthly | Yearly | IT Operations
DBPOOL | DBPOOL | Database | Weekly | Monthly | Tech Solutions
DBSERVICEDESK | DBSERVICEDESK | Database | Weekly | Monthly | Tech Solutions
MSME | MSME | Database | Weekly | Monthly | Tech Solutions
DBAPPRAISE | DBAPPRAISE | Database | Weekly | Monthly | Tech Solutions
DB CALL CARD | DB CALL CARD | Database | Weekly | Monthly | Tech Solutions
CP ONLINE | CP ONLINE | Database | Weekly | Monthly | Tech Solutions
DB VISA | DB VISA | Database | Weekly | Monthly | Tech Solutions
VPAY CARD PRO | VPAY CARD PRO | Database | Weekly | Monthly | Tech Solutions
DB TOD | DBPOOL | Database | Weekly | Monthly | Tech Solutions
RESTORATION SCHEDULE
APPLICATION | BACKUP TITLE | TYPE OF BACKUP | FREQUENCY | RETENTION | RESPONSIBILITY
INTERNET BANKING APPLICATION | FCAT_APP | Full System | Bi-Monthly | Yearly | IT Operations
INTERNET BANKING DATABASE | FCAT_DB | Snapshot / RMAN | Daily | Bi-Monthly | IT Operations
INTERNET BANKING WEB SERVER | FCAT_WEB | Full System | Bi-Monthly | Yearly | IT Operations
PC/TELE-BANKING | PCTEL_DB | Database | Weekly | Quarterly | IT Operations
PC/TELE-BANKING SERVER | PCTEL_APP | Full System | Bi-Monthly | Yearly | IT Operations
MOBILE BANKING SERVER | SMSBNK_APP | Full System | Bi-Monthly | Yearly | IT Operations
MOBILE BANKING | SMSBNK_DB | Database | Weekly | Quarterly | IT Operations
WESTERN UNION SERVER | WU_APP | Full System | Quarterly | Yearly | IT Operations
WESTERN UNION | WU_DB | Database | Weekly | Quarterly | IT Operations
ATM | ATM | Database | Daily | Weekly | IT Operations
CARDWORLD | CARDSOFT | Database | Daily | Monthly | IT Operations
VPAY | CARDPRO | Database | Daily | Monthly | IT Operations
FLEXCUBE DATABASE | FCR / FCC | Snapshot / RMAN | Daily | Bi-Monthly | IT Operations
FLEXCUBE DATABASE (ARCHIVELOG) | FCR_ARCH/FCC_ARCH/FCAT_ARCH | Archive log | Daily | Bi-Annual | IT Operations
SWIFT | SWIFT | Database | Daily | Weekly | IT Operations
ECPIX SERVER | ECPIX | Full System/Database | Daily | Monthly | IT Operations
KD SERVER | KD | Full System/Database | Daily | Monthly | IT Operations
XCEED | XCEED | Database | Daily | Monthly | IT Operations
FIXED ASSET / INVENTORY | FIXED_ASSET | Full System/Database | Weekly | Monthly | IT Operations
ZYIMAGE | ZYIMAGE | Full System | Weekly | Monthly | IT Operations
SERVICE DESK | SDESK | Database | Daily | Weekly | IT Operations
CALLOVER | ECALL | Full System | Daily | Monthly | IT Operations
EFASS APPLICATION | EFASS | Database | Daily/Weekly | Monthly | IT Operations
TRADETRACKER | TRADETRACK | Database | Daily | Monthly | IT Operations
RTGS | RTGS | Database | Weekly | Monthly | IT Operations
SERVER-016 | BR016_DB | Database | Daily | Monthly | IT Operations
HP UNIX SERVER | DIAM X | File System | Weekly | 2 Weeks | IT Operations
EXCHANGESVR01 (EXCHANGE SERVER) | XCHANGESVR01 | Full Online | Daily | Quarterly | IT Operations
EXCHANGESVR02 (EXCHANGE SERVER) | XCHANGESVR02 | Full Online | Daily | Monthly | IT Operations
EXCHANGESVR03 (EXCHANGE SERVER) | XCHANGESVR02 | Full Online | Daily | Monthly | IT Operations
DIAM21 (PRIMARY DOMAIN CONTROLLER) | DC | System State | Quarterly | Quarterly | IT Operations
EPO | EPO | System State/Database | Quarterly | Quarterly | IT Operations
SHAREPOINT PORTAL | SHAREPOINT | System State/Database | Daily | Weekly | IT Operations
CISCO ROUTERS AND SWITCHES | CISCO | Application | Monthly | Yearly | IT Operations
DBPOOL | DBPOOL | Database | Weekly | Monthly | Tech Solutions
DBSERVICEDESK | DBSERVICEDESK | Database | Weekly | Monthly | Tech Solutions
MSME | MSME | Database | Weekly | Monthly | Tech Solutions
DBAPPRAISE | DBAPPRAISE | Database | Weekly | Monthly | Tech Solutions
DB CALL CARD | DB CALL CARD | Database | Weekly | Monthly | Tech Solutions
CP ONLINE | CP ONLINE | Database | Weekly | Monthly | Tech Solutions
DB VISA | DB VISA | Database | Weekly | Monthly | Tech Solutions
VPAY CARD PRO | VPAY CARD PRO | Database | Weekly | Monthly | Tech Solutions
DB TOD | DBPOOL | Database | Weekly | Monthly | Tech Solutions
Sign-Off
Date _____________________
Date _____________________
Date _____________________
Subject: Technology Support - Network Operating Systems Maintenance
PPS No.: PPS-DB-005
Effective Date: August 5, 2015
Review Date:
SERIAL #: 24005
FORM NUMBER: 240-005
PAGE #: 15 of 17
REVISION: COMPLETE __X__  PARTIAL _____
AREA CORRECTED: VARIOUS
ISSUED DATE: OCTOBER 31, 2005
EFFECTIVE DATE: OCTOBER 31, 2005
SUPERSEDES/REPLACES: N/A
I. AFFECTS
All staff.
II. INTRODUCTION
This section deals with the policies for purchasing, maintaining, tracking and ensuring the physical security of hardware.
Technical Support unit staff are advised to consult the unit's desk manual for other technical details relating to the steps involved in performing the specific functions described in this document.
III. OBJECTIVE
i. To define procedures for tracking and maintaining the physical inventory and movement of hardware assets
ii. To define the procedures that will ensure physical security for hardware
iii. To define procedures for administering Internet access
iv. To define procedures for backup and restore operations.
IV. DESKTOP COMPLIANCE POLICY
i. The desktop PC provided to each user will have a set of standard software installed. Users will be required to submit a written request or mail approval to the Head, Operations & Technology for any additional software installation on their systems.
ii. A mail and domain ID will also be created when a person joins the organisation, via an approval mail from his/her Supervisor. Domain IDs will be of the form: first name initial + last name. Mail IDs will normally be of the form: first name initial.last name@diamondbank.com. The individual will retain these IDs until he/she leaves the bank.
iii. Domain IDs get locked after a preset number of wrong tries, for security reasons. Guest logins will be disabled on all PCs to prevent any anonymous access. In cases where specific software demands Local Admin Rights, the same will have to be approved and authorised by the Head, Operations & Technology.
iv. Users will be advised to protect important files with a password. Password protection will be the first level of security for any file. The Diamond Bank security implementations will be based on existing Information Security guidelines. Current implementations at Diamond Bank include policy guidelines for NT servers and NT workstations. The implementation of
Subject: Technology Support - Documents Rights Management
PPS No.: PPS-DB-006
Effective Date: August 5, 2015
Review Date:
SERIAL #: 240-011
PAGE #: 48 of 55
REVISION: COMPLETE __X__  PARTIAL _____
AREA CORRECTED: VARIOUS
ISSUED DATE: 21 OCTOBER 2008
EFFECTIVE DATE: 21 OCTOBER 2008
SUPERSEDES/REPLACES: N/A
I. AFFECTS:
All staff.
II. PURPOSE
To define guidelines for protecting the Bank's valuable and classified information from unauthorized usage and circulation.
III. INTRODUCTION
The need to protect the Bank's information assets from abuse and mishandling resulted in the implementation of the E-mail and Internet Security Policies in 2003. However, with growing concerns about information theft, the need to devise better information security management cannot be over-emphasized.
To address this need, Management has approved the introduction of Microsoft Windows Rights Management Services (RMS) to help
Corporate Audit
System Audit staff shall be responsible for:
i.
All Staff
Staff of the bank shall be responsible for:
i.
Appendix
Using Rights Management to create a Protected Document
To assign RM permissions to a document created in an Office program, click File | Permission. As shown in Figure A, the default is Unrestricted Access.
FIGURE A
If you want to allow a user to view the document but you don't want him/her to be able to distribute it to others, select Do Not Distribute from the menu. This will display the Permission dialog box shown in Figure B.
FIGURE B
As you can see, you can enter users' e-mail addresses or select them from the Address Book. If you want the users to be able to read the document but do nothing to it, enter them in the Read text box. If you want them to be able to edit the document, but want to keep them from copying or printing it, enter them in the Change text box.
You can set permissions more granularly, or cause the users' access to the document to expire completely on a specified date, by clicking the More Options button. This will display the dialog box shown in Figure C.
FIGURE C
Remember that any users who are assigned rights with IRM will need to have certificates from an RM server. To open the document, they might have to install the client update software if this is the first time they've opened an RM-protected document. If they don't already have Passport accounts, they'll need to create them. Finally, they'll have to download RM certificates.
To assign RM permissions to an e-mail in Outlook:
Click New Mail Message; on the new message, click File, and then click Permissions. You can now select Do Not Forward to prevent your mail from being forwarded to another recipient.
Subject: Business Application Support - Database Policy
PPS No.: PPS-DB-007
Effective Date: August 5, 2015
Review Date:
SERIAL #: 270-06
PAGE #: 31 of 129
REVISION: COMPLETE __X__  PARTIAL _____
AREA CORRECTED: VARIOUS
ISSUED DATE: 14 SEPTEMBER 2005
EFFECTIVE DATE: 14 SEPTEMBER 2005
SUPERSEDES/REPLACES: N/A
VII. AFFECTS
All staff on the DB Network (i.e. Diamond Bank Plc and its subsidiaries) Database(s)
VIII. PURPOSE
This policy document aims at:
1. Providing specific instructions on the roles and responsibilities of the Database Administrator(s) for DB Network databases
2. Ensuring that the integrity of the database(s) is maintained
3. Ensuring that only authorized users/applications are granted access to the database
4. Ensuring that data are safeguarded from corruption and unauthorized access
5. Defining database procedures for continuity of business and disaster recovery
6. Ensuring database availability at all times
IX. INTRODUCTION
A database, simply put, is an organized collection of information or data. It is a store of data that describes entities and the relationships between the entities. A database management system (e.g. Oracle, MSSQL), on the other hand, is the software mechanism for managing the data.
Databases can be classified into the following types, viz:
Analytic Databases
Operational Databases
Hierarchical Databases
Network Databases
Relational Databases
Client/Server Databases
In a relational database management system (e.g. Oracle, MSSQL), data is stored in tabular form and identified by rows and columns.
These database policies shall apply to DB Network employees and in some instances vendors who support various applications running on or interfacing with database(s) located on personal computers and servers under the jurisdiction and/or ownership of the DB Network.
X. POLICIES
The administration and management of Database(s) under the DB Network
shall be under the responsibility of the Database Administrator(s).
XI. PROCEDURES
System Security
Data Security
Password Management
Purging
Backup & Recovery
Database Audit
a) System Security
This describes the aspects of the database in relation to system security
and consists of:
User Management, User Access and Operating System Security.
i. User Management
Database users are the access paths to the information in a database. Therefore, adequate security measures shall be maintained for the management of database users. The database administrator(s) shall be the only user(s) with the privileges required to create, alter or drop users in the database(s).
ii. User Access
Every user in the Network requesting database access shall complete a Database Authorisation form (see appendix) duly signed by his/her supervisor and endorsed by the Head, Operations & Technology Services and the Head, Compliance and Controls (CC). The user shall be uniquely identified according to the details specified in the database authorisation form.
This authorisation form will, among others, capture the following details:
User Name
User Department/Branch
Database Access rights or privilege
Reason for access
However, a generic group user ID shall be defined for user groups of the DB Network whose activities are limited to querying or retrieving information from the database (e.g. Service Desk, Inspection). This group user ID shall be created by the database administrator after the necessary approvals are obtained.
iii. Operating System Security
Only Database administrators shall have the operating system privileges to create and delete files related to the database; such privileges shall not be extended to any other database user. Database log files in the operating system shall be read-only and shall be purged periodically by the database administrator after proper approvals have been obtained and backups taken.
b) Data Security
Data security includes the mechanisms that control the access and use of the database at the object (data) level. User access to objects, or actions on specific schema (profile) objects, shall be defined by the database administrator according to the details supplied in the user request form and shall be authorised by the Head, O&TS.
This process shall involve moving purged data from designated tables on the live database to archive tables in the same location.
The Database administration team shall be responsible for this process after obtaining approval from the Head, O&TS. The data in the archive tables of the live database shall have a retention period of 18 months, after which it shall be backed up to tape and purged.
The purging process is classified into two broad categories, viz:
Category 1
This simply involves the truncation of data in temporary tables used for reporting and moving such data to the archive database. Such tables include TD_TMP_C503 (term deposit information), CH_TMP_RCH169 (interest calculations), RPT_BA_C101 (temporary report table), RPT_CH_C008 and RPT_CI_C001, which are required during report generation in the End of Day process, etc.
Category 2
In the second category, data are purged from the live database into the archive database and a consolidated row is inserted in the former to ensure accuracy of debit and credit balances.
Since some of the tables are used for enquiry, deleting the rows will not suffice. The purging process for such tables will therefore move the data from the live database to an archive database so as to retain the net financial value of the data.
The retrievable data will be in a table of the same name as the main table, with _hist appended in Flexcube Retail and _purge in Flexcube Corporate. For example, the table ch_nobook in the live database will have a corresponding table ch_nobook_hist in the archive database.
Methodology
Flexcube Corporate:
The purge of this database will involve moving transactions of all contracts that are already matured or closed and for which the transaction date is earlier than the retention period. The following transaction tables will be affected, viz: ACTB_HISTORY, CSTB_ADDL_TEXT and MITB_CLASS_MAPPING. This exercise would be undertaken in line with the procedure given by the application vendor (Iflex).
Flexcube Retail:
Using the procedure provided by the application vendor (Iflex), the following tables will be purged in the Flexcube Retail database:
ch_acct_cust_xref: cross-reference table for customer accounts that shows details of an account holder's relationships in Flexcube. The enquiry module that uses this table is Customer Account Cross-Xref Mnt.
ch_acct_od_hist: shows the account numbers that are in OD (overdraft), along with limit and drawing power.
ch_clg_acct_xref: shows the accounts with their corresponding clearing account codes and sector codes.
ch_tmp_rch_interest: shows the accounts with the effective interest rate and the corresponding effective date of the interest rate.
ch_nobook & ch_acct_ledg: the tables in which all CASA account transactions are stored. Data are deleted from these tables and moved to the archive database. These tables are also used for transaction history enquiries, so during purging a consolidated row is inserted into the live database for each account moved to the archive database.
cs_ho_custacctxref: contains the cross-reference information for customer accounts. The accounts that are in ch_purge_table are deleted from this table.
td_renewal_history: maintains the renewal history for Time Deposit accounts.
td_int_payment_history: maintains the interest payment history for Time Deposit accounts.
td_audit_trail & td_acct_ledg: all term deposit transactions are stored in these tables. Data stored in these tables shall be deleted and moved to the archive database, and a consolidated row inserted in the live database for each term deposit account.
ln_daily_txnlog_hist
This is the transaction log table for loan accounts. All transactions done on
loan accounts are stored in this table. Data stored in this table shall be
deleted and moved to the history area. As this table is also used for
transaction history inquiry, a consolidated row for each account purged will
be inserted into the live database.
st_clrreg
This table stores all cheque transaction details. Depending on the purge date,
cheques for which full credit has been redeemed are deleted and moved to the
archive database.
st_instr_issued
This table stores the record of cheques issued and their status. Depending
on the purge date, cheques whose status is paid are deleted and
moved to the archive database.
st_micr_files
This contains the information on all uploaded cheque files. Data are moved
to the archive database if the status of the instrument is processed.
gl_txnhist
Contains all the transactions performed on all GL accounts. Depending on the
purge date, transactions for which the mnemonic is not PURGE_TXN_MNEMONIC
(999) are deleted and moved to the archive database. In addition, a GL-wise
consolidated row is inserted into the live database for each purged GL
account.
ol_bots_bcl & ol_batch_info
These contain all the batch history (history of open and close of branches).
Depending on the purge date, data up to that date is deleted.
ba_eod_history
This contains the history of EODs. The time taken by each shell at EOD is
maintained in this table. Depending on the purge date, data up to that
date is deleted.
ba_tds_remit
This contains information on tax deducted at source. Depending on the
purge date, data up to that date is deleted.
These tables are subject to review from time to time.
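The purge-and-consolidate step that the table descriptions above repeat (copy the purged rows to the archive, insert one consolidated row per account in the live table, then delete the purged rows) worked through for gl_txnhist, as an added example that is not part of this document or of the vendor's procedure. The table name and the PURGE_TXN_MNEMONIC value 999 come from the text; the column names, the archive table name gl_txnhist_arch and the sample rows are assumptions, and the per-account balance check that rolls the transaction back is the integrity control a reviewer of such a purge would ask for.

```python
"""Purge-and-consolidate for the GL transaction history table (gl_txnhist).

Added example: not part of the Diamond Bank document or of the vendor's
(Iflex) purge procedure. The table name gl_txnhist and the value
PURGE_TXN_MNEMONIC = 999 come from the document; the column names, the
archive table name gl_txnhist_arch and the sample rows are assumptions.
"""
import sqlite3

PURGE_TXN_MNEMONIC = 999  # mnemonic of consolidated rows; they are never purged

# Assumed schema: the live table and an identically shaped archive table.
SCHEMA = """
CREATE TABLE gl_txnhist (
    txn_id   INTEGER PRIMARY KEY,
    gl_acct  TEXT    NOT NULL,
    txn_date TEXT    NOT NULL,   -- ISO-8601 date, so text comparison orders correctly
    mnemonic INTEGER NOT NULL,
    amount   REAL    NOT NULL    -- signed: credits positive, debits negative
);
CREATE TABLE gl_txnhist_arch AS SELECT * FROM gl_txnhist WHERE 0;
"""

# Constructed sample rows: (txn_id, gl_acct, txn_date, mnemonic, amount).
SAMPLE_ROWS = [
    (1, "GL100", "2014-01-10", 101,  500.0),
    (2, "GL100", "2014-02-15", 102, -120.0),
    (3, "GL100", "2015-03-01", 103,   75.0),  # dated after the purge date: stays live
    (4, "GL200", "2013-12-31", 104, 1000.0),
    (5, "GL200", "2014-06-30", 105, -250.0),
    (6, "GL200", "2014-06-30", PURGE_TXN_MNEMONIC, 400.0),  # left by an earlier purge
]

# Rows eligible for purging: on or before the purge date and not a consolidated row.
PURGE_FILTER = "txn_date <= ? AND mnemonic <> ?"

TABLES = ("gl_txnhist", "gl_txnhist_arch")


def open_db():
    """In-memory database in explicit-transaction mode, loaded with the sample rows."""
    conn = sqlite3.connect(":memory:", isolation_level=None)  # BEGIN/COMMIT issued by us
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO gl_txnhist VALUES (?, ?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def balances(conn, table="gl_txnhist"):
    """Net balance per GL account in one of the two known tables."""
    if table not in TABLES:  # table names cannot be bound as parameters, so whitelist them
        raise ValueError(f"unknown table {table!r}")
    rows = conn.execute(
        f"SELECT gl_acct, ROUND(SUM(amount), 2) FROM {table} GROUP BY gl_acct")
    return dict(rows)


def purge_gl_txnhist(conn, purge_date):
    """Archive the eligible rows, insert one consolidated row per purged GL account,
    then delete the archived rows, all in one transaction.

    The transaction is rolled back if the archive copy and the delete disagree on
    the row count, or if any account's net balance in the live table would change:
    a purge must never alter what a GL balance inquiry returns.
    """
    params = (purge_date, PURGE_TXN_MNEMONIC)
    before = balances(conn)
    conn.execute("BEGIN")
    try:
        # 1. Copy to the archive first, so a failure further down never loses rows.
        conn.execute("INSERT INTO gl_txnhist_arch SELECT * FROM gl_txnhist WHERE "
                     + PURGE_FILTER, params)
        archived = conn.execute("SELECT changes()").fetchone()[0]
        # 2. One GL-wise consolidated row per account, dated at the purge date and
        #    tagged with the purge mnemonic so that step 3 (and later purges) skip it.
        conn.execute("INSERT INTO gl_txnhist (gl_acct, txn_date, mnemonic, amount) "
                     "SELECT gl_acct, ?, ?, SUM(amount) FROM gl_txnhist WHERE "
                     + PURGE_FILTER + " GROUP BY gl_acct",
                     (purge_date, PURGE_TXN_MNEMONIC) + params)
        consolidated = conn.execute("SELECT changes()").fetchone()[0]
        # 3. Remove the archived rows from the live table.
        deleted = conn.execute("DELETE FROM gl_txnhist WHERE " + PURGE_FILTER,
                               params).rowcount
        if deleted != archived:
            raise RuntimeError(f"archived {archived} rows but deleted {deleted}")
        if balances(conn) != before:
            raise RuntimeError("per-account balances changed; purge aborted")
        conn.execute("COMMIT")
    except Exception:
        conn.execute("ROLLBACK")
        raise
    remaining = conn.execute("SELECT COUNT(*) FROM gl_txnhist").fetchone()[0]
    return {"archived": archived, "consolidated": consolidated, "remaining": remaining}


if __name__ == "__main__":
    db = open_db()
    print(purge_gl_txnhist(db, "2014-12-31"))  # constructed run on the sample rows
    print(balances(db), balances(db, "gl_txnhist_arch"))
```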
APPENDIX 1
DIAMOND BANK PLC
DATABASE ACCESS AUTHORIZATION FORM
To:
Date:
Please tick as appropriate:
Roles
i.
ii. Modify a User
iii. Delete a User
iv. Disable a User
v. Enable a User
vi. Add Role(s)
vii. Delete Role(s)

i. Select
ii. Update
iii. Insert
iv. Delete
v. Connect
vi. Create
vii. Alter
viii. Drop
Name: ________________________________
User ID: ________________________________
Job Description: ________________________ Branch/Unit: ________________________
Specify Role(s) Required: ________________________________
Reason for Request: ________________________________
________________________________
Departmental/Unit Head
________________________________
Head, BAS
________________________________
Head, Operations & Technology Services
________________________________
Head, Compliance & Controls
________________________________
Database Administrator
Subject: Business Information System - System Development Life Cycle
PPS No.: PPS-DB-008
Effective Date:
Review Date:
REVISION: COMPLETE_____ PARTIAL_______
AREA CORRECTED: N/A
SUPERSEDES/REPLACES: N/A
SUBJECT: BUSINESS INFORMATION SYSTEM SYSTEM DEVELOPMENT CYCLE
PAGE #1 of 11
ISSUED DATE:
EFFECTIVE DATE: FEBRUARY 19, 2009
VI. AFFECTS:
All staff.
VII. PURPOSE
To define the operational guidelines for the development of software
applications in the bank.
VIII. INTRODUCTION
The need for safe, secure, and reliable system solutions is heightened by the increasing
dependence on computer systems and technology to provide services and develop
products, administer daily activities, and perform short- and long-term management
functions. There is also a need to ensure privacy and security when developing
information systems, to establish uniform privacy and protection practices, and to
develop acceptable implementation strategies for these practices. The increasing
automation of our processes therefore requires that applications are standardized,
cost-effective, and efficient, but above all meet user expectations. To achieve this, a
software application must pass through the Systems Development Life Cycle (SDLC) or
Outsourcing Software Development, as the case may be.
Systems Development Life Cycle is defined as a software development method that
follows standard phases and processes. It requires the bank's IT specialists to develop
software applications for the bank's products and services by following the standard
cycle of software development.
The SDLC phases provide an excellent opportunity to control, monitor, and audit the
systems development process, and ensure customer and user satisfaction. It consists of
the following:
i. Initiation Phase
ii. System Concept Development Phase
iii. Planning Phase
iv. Requirements Analysis Phase
v. Design Phase
vi. Development Phase
vii. Integration and Test Phase
viii. Implementation Phase
ix. Operations and Maintenance Phase
IX. POLICIES
In-house Software Development.
1. All Software Development projects to be embarked upon shall pass through the IT
Steering Committee (ITSC) and Executive Committee (EXCO) for approval.
2. All business units shall prepare a list of products or services requiring automation at
the beginning of the new financial year including their estimated costs. This shall be
submitted to the ITSC for approval and a tracking code issued in line with the
Project Management policy.
6. Based on the quotation submitted by the vendor, the Project Manager shall seek
approval to initiate the project and subsequently notify the Cost Management
Committee (CMC) through the Head Administration to commence price
negotiations.
7. Payment terms shall be agreed with the vendor; however, the bank (through the
CMC) shall as much as possible negotiate or insist on:
a. 50% payment on order
b. 20% on delivery and UAT
c. 30% on live rollout after 60 days
8. The initial payment to the vendor shall be backed by an Advance Payment
Guarantee, to be followed by the issuance of the Purchase Order by Head,
Administration.
9. The vendor shall submit an implementation plan including deliverables to be signed
off jointly by the vendor and the bank. This plan shall be monitored by the Project
Manager.
10. The responsibility of supporting all applications after live deployment shall rest with
the Divisional Head, IT Services.
11. The vendor shall prepare a standard Support and Administration guide or document
including a continuity of business plan for the application. This document shall be
reviewed jointly by the Head, Business Process Assurance and the Project Manager for
completeness and approved in line with policy.
12. The vendor shall submit a soft copy of the source code on a CD or any other storage
media for safekeeping by the Software Librarian once live deployment is completed.
13. Application upgrades shall follow a clearly defined review process involving the
vendor, the Project Sponsor, Head Projects, Divisional Head, IT Services and ED
CS&T. During this period all relevant requirements which cannot be met by the
existing version of the application at that time would be collated and incorporated
into the design of the upgrade version.
X. GENERAL PROCEDURES
A. SYSTEMS DEVELOPMENT LIFE CYCLE (In-house Software Development)
The following tasks and activities shall be carried out at different phases of the System
Development Life Cycle:
1. PROJECT DEFINITION
At this stage, the Software Development Team shall define the system
requirements by merging user processes and requirements in a way that
allows the system to support many different users or functions in similar
areas. The Software Development Team shall establish and analyse the
intended technical requirements and data requirements. The Software
Development Team shall consolidate and affirm the business needs,
analyse the intended use of the system and specify the functional and
data requirements; define functional and system requirements that are
not easily expressed in data and process models; and refine the high-level
architecture and logical design to support the system and functional
requirements.
The key output of this phase is a summary document that explains the
system architecture, data processing structure, and technical or support
requirements. In addition, security and internal control requirements are
also developed as appropriate to the scope of the project.
4. ANALYSIS AND DESIGN
The system build phase is the execution of the approved design and in
some cases may overlap into the implementation phase. This phase
involves the setup of a small-scale proof-of-concept validation system
prior to live deployment to ensure that user requirements/expectations
have been satisfied. This phase may also involve creation of a support
process and move directly to implementation. Where a COTS option is
preferred, procurement activity begins in this phase and may be
expanded with deployment during implementation. The validation,
verification, and testing plan should drive the system testing and be
conducted against the system/data and technical requirements to ensure
the system is built to specification. System testing should also be
conducted against the user requirements (User Acceptance Test) to
ensure the system is operationally satisfactory. The prototype or pilot
concept also allows for refinements or adjustments based on user
feedback prior to a live implementation. The key output of this phase is
validation of the design prior to deployment.
6. IMPLEMENTATION AND TRAINING
Identify Systems Operations
Operations support is an integral part of the day to day operations
of a system. In small systems, all or part of each task may be done
by the same person. But in large systems, each function may be
done by separate individuals or even separate areas. The
Operations Manual is developed in previous SDLC phases. This
document defines tasks, activities and responsible parties and will
need to be updated as changes occur. Systems operations activities
and tasks need to be scheduled, on a recurring basis, to ensure
that the production environment is fully functional and is
performing as specified. See appendix for checklist.
Maintain Data / Software Administration
Data / Software Administration is needed to ensure that input data,
output data and databases are correct and continually checked
for accuracy and completeness. This includes ensuring that any
regularly scheduled jobs are submitted and completed correctly.
Software and databases should be maintained at (or near) the
current maintenance level. The backup and recovery processes for
databases are normally different from the day-to-day DASD volume
B.
APPENDIX
Operations and maintenance checklist
Ensure that systems and networks are running and available during the defined hours
of Operations;
Implement non-emergency requests during scheduled Outages, as prescribed in the
Operations Manual;
Ensure all processes, manual and automated, are documented in the operating
procedures. These processes should comply with the system documentation;
Acquisition and storage of supplies (i.e. paper, toner, tapes, removable disk);
Perform backups (day-to-day protection, contingency);
Perform the physical security functions, including ensuring adequate UPS and that personnel
have proper security clearances and proper access privileges, etc.;
Ensure contingency planning for disaster recovery is current and tested;
Ensure users are trained on current processes and new processes;
Ensure that service level objectives are kept accurate and are monitored;
Maintain performance measurements, statistics, and system logs. Examples of
performance measures include volume and frequency of data to be processed in each
mode, order and type of operations;
Monitor the performance statistics, report the results and escalate problems when they
occur.
Subject: IT Change Management Procedures
PPS No.: PPS-DB-009
Effective Date:
Review Date:
AFFECTS:
II. PURPOSE
This document provides guidelines on the operation of the IT Change Advisory Board (ITCAB) and
procedures for implementing any change to existing IT and technical architecture in the bank. In addition, it
describes the roles and responsibilities of all parties involved in change process, requirements for change
request approval by IT Change Advisory Board and approval process prior to implementation.
III.
INTRODUCTION
The bank deploys new solutions or makes enhancements and modifications to its existing IT and technical
infrastructure to address strategic, tactical, operational or regulatory needs and accommodate changes in
business models through a framework known as Change Management. IT Change Management is the
process of defining, implementing and monitoring changes made to technical architecture (software &
Hardware) to achieve a pre-defined target.
A request for change may originate from problem management, where an issue is identified and a mitigating
change is necessary to prevent (or minimize) future effects. A request for change may also be necessary as
a result of a business decision or due to outside influences from regulatory authorities (e.g. CBN regulations)
that may require modification to existing software or hardware infrastructure.
However, the organisation and operations of the IT Change Advisory Board (ITCAB) are managed by a
Secretariat. This Secretariat is also saddled with the responsibility of convening emergency change
assessment meetings to review emergency changes. As such, the Secretariat is also called the Emergency
Change Advisory Board (E-CAB). Its membership is made up of:
a) Chairman, Change Advisory Board
b) Team Lead, IT Policy, Standards and Governance
c) Head, CIO Office/IT Finance & Planning
d) Representative of Service Delivery Management Group
e) Representative of System Engineering Group
VI.
c) The Change Manager shall be the Team Lead, Governance, Standards & Policy or any person acting in
the capacity of Team Lead, Governance, Standards & Policy.
4. THE CHANGE OWNER
The Change Owner shall be responsible for:
a) Verifying that all tests have been completed successfully
b) Obtaining approval for the change to be rolled into the production environment
c) Monitoring change execution
d) Performing the initial technical and business assessment of the requested change to the system
e) Ensuring that changes to be implemented are tested against compliance with the requirements of the
business
f) Sending status feedback to the IT Change Advisory Board on the outcome of the change
g) The Change Owner shall be the Unit Head of the initiating unit
5. INTERNAL CONTROL
Internal Control shall be responsible for:
a) Participating in User Acceptance Test
b) Ensuring adherence to laid-down policies and procedures
c) Raising exceptions for non-compliance with policies and procedures
d) Authorizing by a signature on the program change form
6. ITCAB REPRESENTATIVES
ITCAB representatives shall be members of the IT Change Advisory Board and shall be responsible for:
a) Monitoring the ITCAB-assigned e-mail account for incoming messages
b) Distributing any messages to the ITCAB Secretariat and/or membership accordingly
c) Coordinating the awareness campaign on behalf of ITCAB
7. OPERATIONAL RISK MANAGEMENT
a) Participating in User Acceptance Test
b) Ensuring that changes do not compromise system security
c) Authorizing by a signature on the program change form
VII.
Official ITCAB communications will be delivered from these e-mail accounts. The ITCAB representative shall
monitor ITCAB assigned e-mail for incoming messages and distribute any messages to the ITCAB Secretariat
and/or membership accordingly.
VIII.
IX.
A.
Change Initiation
A change request may be initiated by a process owner, a Diamond Bank vendor, or IT Services staff, and such
an individual shall be designated as the Change Initiator. The following procedures shall apply to change request
initiation:
a) The Change Initiator completes the Change Request Form (hosted on the IT Services SharePoint portal) and
sends the request to the Change Owner for change evaluation and assessment.
B.
a) On receipt of the request, the IT Change Advisory Board reviews the Change request to identify if the
request is practicable, desirable and complete and to determine whether to proceed, reject, or defer the
request
b) For the purpose of ensuring that a change must not affect or be affected by other changes, the IT
Change Advisory Board must review all changes using the Service Architecture & Technology document.
c) The Service Architecture & Technology document shall contain the list of all live services currently
running in the production environment, the configuration items that support them, dependencies with
other services and the software/operating system of the configuration items
d) The Service Architecture & Technology documentation shall be managed by Service Delivery
Management group and must be updated as services/changes are deployed to the production
environment.
e) In reviewing the request, the board shall consider the following details:
i. The impact on the customer's business
ii. The effect on SLAs, capacity, performance, reliability, resilience, contingency plans and security
iii. The impact on other services
iv. The impact on non-IT infrastructure
v. The effect of not implementing the change
vi. IT, business and other resources required
vii. Any additional ongoing resources required after the change
f) The IT Change Advisory Board shall allocate an initial priority to the request (Appendix 1).
g) Where the outcome of the review is not satisfactory, the IT Change Advisory Board shall reject the
request and communicate this to the Change Initiator via e-mail, stating the reasons for rejection.
h) The Change Initiator has the right of appeal against rejection, and such cases shall be referred to the
Head, IT Services or any person acting in the capacity of the Head, IT Services for consideration.
i) Where the outcome of the review is satisfactory, the IT Change Advisory Board approves the request
and shall communicate this to the Change Initiator via e-mail notification, stating the change reference number.
j) The Change Initiator completes the Program Change Form (hosted on the IT Services SharePoint portal) and
obtains the approval of his/her line supervisor.
Head, IT Services
Head, Customer Service & Technology or any other person acting in the capacity of Head,
Customer Service & Technology
C.
Change Implementation
a) The Change Owner shall submit the master copies of all software media for all vendor-related change
implementations in the production environment. This software must be stored in the physical store of the
definitive media library (DML).
b) The logical store of the definitive media library shall contain an index of all software, releases and versions,
and shall highlight where the physical media can be located. The definitive media library shall be
managed by the Team Lead, Policy, Standards & Governance.
c) All software developed within Diamond Bank shall be stored in the logical store, and from there its control
and release is managed.
d) All releases to the production environment for all applications developed within Diamond Bank shall be
versioned, and subsequent enhancements must be controlled and versioned before deployment to the
production environment.
e) ITCAB shall ensure that technical documentation, inclusive of the requisite data dictionaries, for all
applications developed in-house is available before approval for implementation of a change to the
production environment.
f) The soft copies of this technical documentation, inclusive of configuration item settings, shall be
stored in the logical store of the definitive media library by the Team Lead, Policy, Standards & Governance.
g) Changes that have a business impact classification other than v (see Appendix 2-v) shall be
communicated to users via the Service Desk or ITCAB.
h) The test environment shall be used for developing changes before releasing them to the production
environment.
Change Notification
One of the more critical elements of the Change Management Process is keeping all affected stakeholders
advised of the status of the change. The Change Manager shall be responsible for notifying relevant
stakeholders. The Change Manager shall carry out the following to ensure appropriate change notification:
a) E-mail advice to be sent to the Change Owner, Change Initiator, users and other stakeholders
b) Notifications to be sent where appropriate to Nominated Clients and Users through ITCAB or the Service
Desk Bulletin
Transition of Change to Production
The purpose of the Change Transition is to manage and monitor the transition of changes into the
pre-production and/or production environment(s). The use of the pre-production environment is specific to the
core banking application or other third-party applications used in the Bank. Pre-production transition involves
migration of changes from the test environment to back-up and then to the production environment, while
production transition involves migration of changes from the test to the production environment.
Note: Where a change involves a product that has a Nominated Client (a third party or vendor whose
products directly impact the bank's service delivery), appropriate notices and consultation with Users shall
be facilitated before such changes are developed or implemented.
The objective is to monitor the implementation status to ensure that the implementation is being executed in
accordance with the plan and the schedule.
D.
E.
Any change required within 24 hours of the event to correct a Priority 1 or 2 incident as a result of an
unplanned event is considered an Emergency change.
Executive Management decision which needs immediate action.
For the sake of clarity, the following will not be considered as an emergency change:
o Any change for which formal approval had previously been obtained to implement in the test
environment
o Any change required to conform to decisions/mandates given by regulatory authorities for which
at least 7 business days had been given to the Bank
o Any change requested by the business to meet short deadlines (72 hours or less) not previously
communicated to IT Services. This is to ensure that the inability of a project team to plan does not
constitute an emergency on the part of IT Services as regards implementation.
Emergency changes can be implemented prior to the creation and submission of the change
request.
A change request describing the Emergency change must be submitted within 1 business day
after the implementation.
c) Upon notification of an emergency change by the Change Initiator or Change Owner, the Change Manager or
the Chairman, IT Change Advisory Board shall convene a virtual meeting of all the Emergency IT Change
Advisory Board members to review and approve the change.
d) ECAB assesses the business impact and resources required and confirms the level of urgency upon
satisfactory assessment.
e) If the change is approved, the Change Manager shall notify the Change Owner to implement the change.
f)
Subject: IT Services Document Management Procedures
PPS No.: PPS-DB-010
Effective Date:
Review Date:
AFFECTS:
XI. PURPOSE
This document provides guidelines for the management (filling, storage and retrieval) of
documents within IT Services division.
XII.
INTRODUCTION
Documents play a critical role in the IT Services division and as such, a definitive and standardized
process for their management is critical to ensure their continuous availability, integrity and
usability.
This procedure guideline is in place for the management of the Division's/Bank's documents. This
includes SLA documents, application documentation, vendor documents etc.
XIII. OWNERSHIP
The CIO Office shall be the custodian of all documents as they are required for the continuous
running of the division.
XIV. PRINCIPLES
g) The file cabinet shall be demarcated into four sections according to the
respective groups in IT Services: Technology & Business Solution,
System Engineering, Service Delivery Management & IT Operations.
h) As a standard, files shall be opened per vendor and each file shall be
demarcated into two sections by a separator; the first section shall
contain correspondence with the vendor while the second section shall
contain application documentation.
i) Only the CIO Office shall have custody of the key or access to the file
cabinets, which should be locked at all times.
j) The CIO Office shall be held accountable for the day-to-day management
of the filing system.
k) The CIO Office should flag any document taken and not returned after one
month.
XV. PROCEDURES
a. All requests for creation of new files must be made to the CIO Office.
b. Upon receipt, the Team Lead, IT Policy, Standards & Governance creates a
new file, labels it and updates the inventory register accordingly.
c. Parties requiring filing of their documents are to submit their documents to the
Team Lead, IT Policy, Standards & Governance who, upon receipt, logs the
document and both parties sign off accordingly.
d. The Team Lead, IT Policy, Standards & Governance inserts the document in the
respective file and updates the file numbering by appending the respective page
numbers to the newly inserted documents.
e. Staff request the required file (document) from the Team Lead, IT
Policy, Standards & Governance, who is to provide the staff with the request.
However, before release of the document, the Team Lead, IT Policy,
Standards & Governance must ensure the request is logged appropriately in
the respective register.
f. Upon return of the document collected, the staff member signs off the collection
register accordingly while the Team Lead, IT Policy, Standards & Governance
takes the document and inserts it back into the respective file, paying
attention to the page numbers during insertion.
XVI.
8. IT STAFF
1. All requests/returns are to be made following the laid out procedure above.
2. Ensure proper execution of the respective sign off registers to enable tracking and
provide for non-repudiation.
9. THE CIO OFFICE
1. The CIO Office shall own the file management process and shall be responsible for the
management of all documents for the IT Services division.
2. Ensure compliance with the approved procedure.
3. Review the efficiency and effectiveness of the process and advise changes where
necessary.
Subject: Uninterruptible Power Supply (UPS) Usage Policy
PPM No.: PPM-CSD-011
Effective Date:
Review Date:
Subject:
PPM No.: PPM-CSD-012
Effective Date:
Review Date:
Subject:
PPS No.: PPS-DB-013
Effective Date:
Review Date:
Subject:
PPS No.: PPS-DB-014
Effective Date:
Review Date:
Subject:
PPM No.: PPM-CSD-015
Effective Date:
Review Date:
Subject: Information Security Framework
PPM No.: PPM-CSD-016
Effective Date:
Review Date:
Subject: Business Continuity Planning
PPM No.: PPM-CSD-017
Effective Date:
Review Date:
REVISION: COMPLETE__X___ PARTIAL_______
SUBJECT: BUSINESS CONTINUITY PLANNING
BUSINESS APPLICATION
AREA CORRECTED: VARIOUS
SERIAL #. 270-07
FORM NUMBER: 270-008
ISSUED DATE: JUNE 1, 2007
EFFECTIVE DATE: JUNE 1, 2007
SUPERSEDES/REPLACES: N/A
I. AFFECTS:
All staff.
II. PURPOSE
The objectives of a Business Continuity Plan (BCP) are to minimize
financial loss to the bank; continue to serve customers and mitigate the
negative effects disruptions can have on the bank's strategic plans,
reputation, operations, liquidity, credit quality, market position, and
ability to remain in compliance with applicable laws and regulations.
III. INTRODUCTION
Business continuity planning is the process whereby the bank ensures
the maintenance or recovery of operations, including services to
customers, when confronted with adverse events such as natural
disasters, technological failures, human error, or terrorism.
This BCP document is set out in two (2) parts. The first part provides
general framework containing policies guiding the business continuity
process, while the second part provides specific procedures for handling
business continuity issues in the bank.
PART ONE GENERAL POLICY STATEMENTS:
Diamond Bank shall adopt a process-oriented approach to business
continuity planning that involves:
1 Business impact analysis (BIA);
2 Risk assessment;
3 Risk management; and
4 Risk monitoring.
BUSINESS IMPACT ANALYSIS
The bank's Business Impact Analysis (BIA) shall include:
Identification of the potential impact of uncontrolled, non-specific
events on the bank's business processes and its customers;
Consideration of all departments and business functions, not just data
processing; and
Estimation of maximum allowable downtime and acceptable levels of
data, operations, and financial losses.
The BIA phase identifies the potential impact of uncontrolled, non-specific
events on the bank's business processes. The BIA phase also
shall determine what and how much is at risk by identifying critical
RISK ASSESSMENT
The risk assessment shall include:
During the risk assessment step, the bank shall develop realistic threat
scenarios that may potentially disrupt its business processes and ability
to meet clients' expectations (internal, business partners, or customers).
Threats can take many forms, including malicious activity as well as
natural and technical disasters. Where possible, the bank shall analyze a
threat by focusing on its impact on the bank, not the nature of the threat.
For example, the effects of certain threat scenarios can be reduced to
business disruptions that affect only specific work areas, systems,
facilities (i.e., buildings), or geographic areas. Additionally, the
magnitude of the business disruption shall consider a wide variety of
threat scenarios based upon practical experiences and potential
circumstances and events.
The risk assessment considers:
The impact of various business disruption scenarios on both the bank
and its customers;
The probability of occurrence based, for example, on a rating system
of high, medium, and low;
The loss impact on information services, technology, personnel,
facilities, and service providers from both internal and external sources;
The safety of critical processing documents and vital records; and
A broad range of possible business disruptions, including natural,
technical, and human threats.
When assessing the probability of a specific event occurring, the bank
and its technology service providers shall consider the geographic
location of facilities and their susceptibility to natural threats (e.g.,
location in a flood plain), and the proximity to critical infrastructures
(e.g., power sources, nuclear power plants, airports, points of interest,
major highways, railroads).
The risk assessment shall include the entire bank or service provider's
locations and facilities. Worst-case scenarios, such as destruction of the
facilities and loss of life, shall be considered. At the conclusion of this
phase, the bank will have prioritized business processes and estimated
how they may be disrupted under various threat scenarios.
RISK MANAGEMENT
business units are not synchronized, recovery at the back-up location is likely to encounter significant problems. Proper change control, information back-up, and adequate testing can help avoid this situation. In addition, management shall ensure the back-up facility has adequate capacity to process transactions in a timely manner in the event of a disruption at the primary location.
EMPLOYEE TRAINING AND COMMUNICATION PLANNING
Management shall provide business continuity training for personnel to
ensure all parties are aware of their responsibilities should a disaster
occur. Key employees shall be involved in the business continuity
development process, as well as periodic training exercises. The training
program shall incorporate enterprise-wide training as well as specific
training for individual business units. Employees shall be aware of which
conditions call for implementing all or parts of the BCP, who is
responsible for implementing BCPs for business units and the bank, and
what to do if these key employees are not available at the time of a
disaster.
Cross-training shall be used so that operations can be restored in the absence of key employees. Employee training shall be regularly scheduled and updated to address changes to the BCP.
Communication planning shall identify alternate communication channels to utilize during a disaster, such as cell phones, e-mail, or two-way radios. An emergency telephone number, e-mail address, and physical address list shall be provided to employees to assist in communication efforts during a disaster. The list shall provide all alternate numbers since one or more telecommunications systems could be unavailable. Additionally, the phone list shall provide numbers for vendors, emergency services, transportation, and regulatory agencies. Further, the bank shall establish reporting or calling locations to assist in accounting for all personnel following a disaster.
The bank shall consider developing an awareness program to let
customers, service providers, and regulators know how to contact the
bank if normal communication channels are not in operation. The plan
shall also designate personnel who will communicate with the media,
government, vendors, and other companies and provide for the type of
information to be communicated.
INSURANCE
Insurance is commonly used to recoup losses from risks that cannot be
completely prevented. Generally, insurance coverage is obtained for risks
that cannot be entirely controlled, yet could represent a significant
potential for financial loss or other disastrous consequences. The
decision to obtain insurance shall be based on the probability and degree
of loss identified during the BIA. The bank shall determine potential
exposure for various types of disasters and review the insurance options
available to ensure appropriate insurance coverage is provided.
Management shall know the limits and coverage detailed in insurance
policies to make sure coverage is appropriate given the risk profile of the
bank. The bank shall perform an annual insurance review to ensure the
level and types of coverage are commercially reasonable, and consistent
with any legal, management, and board requirements. Also, the bank
shall create and retain a comprehensive hardware and software
inventory list in a secure off-site location in order to facilitate the claims
process.
Nevertheless, the bank shall be aware of the limitations of insurance.
Insurance can reimburse the bank for some or all of the financial losses
incurred as the result of a disaster or other significant event. However,
insurance is by no means a substitute for an effective BCP, since its
primary objective is not the recovery of the business. For example,
insurance cannot reimburse the bank for damage to its reputation.
GOVERNMENT AND COMMUNITY
The bank may need to coordinate with community and government officials and the news media to ensure the successful implementation of the BCP. Ideally, these relationships shall be established during the planning or testing phases of business continuity planning. This establishes proper protocol in case a city-wide or region-wide event impacts the bank's operations.
RISK MONITORING
Risk monitoring is the final step in business continuity planning. It shall
ensure that the bank's BCP is viable through:
Testing the BCP at least annually;
Subjecting the BCP to independent audit and review; and
Updating the BCP based upon changes to personnel and the internal
and external environments.
OVERALL TESTING STRATEGY
The development of testing strategies requires a business decision
regarding the level and frequency of testing needed to ensure recovery
objectives can be achieved during a business interruption or disaster.
The frequency and complexity of testing is based on the risks to the
bank. Unmanned recovery testing, where back-up tapes are sent to the
recovery site to be run by service provider employees, is not a sufficient
test of the bank's BCP. Additional testing of other aspects of the BCP
shall be performed to the extent feasible.
Testing strategies shall detail the conditions and frequency for testing
applications and business functions, including the supporting information
TESTING METHODS
Testing methods vary from minimum preparation and resources to the
most complex. Each bears its own characteristics, objectives, and
benefits. The type of testing employed by the bank shall include:
Orientation/Walk-through
An orientation/walk-through is the most basic type of test. Its primary
objective is to ensure that critical personnel from all areas are familiar
with the BCP. It is characterized by:
Discussion about the BCP in a conference room or small group
setting;
Individual and team training; and
Clarification and highlighting of critical plan elements.
Tabletop/Mini-drill
A tabletop/mini-drill is somewhat more involved than an orientation/walk-through because the participants choose a specific event scenario and apply the BCP to it. It includes:
o Practice and validation of specific functional response capability;
o Focus on demonstration of knowledge and skills, as well as team interaction and decision-making capability;
o Role playing with simulated response at alternate locations/facilities to act out critical steps, recognize difficulties, and resolve problems in a non-threatening environment;
o Mobilization of all or some of the crisis management/response team to practice proper coordination; and
o Varying degrees of actual, as opposed to simulated, notification and resource mobilization to reinforce the content and logic of the plan.
Functional Testing
Functional testing is the first type that involves the actual mobilization of
personnel at other sites in an attempt to establish communications and
coordination as set forth in the BCP. It includes:
Full-scale Testing
Full-scale testing is the most comprehensive type of test. In a full-scale test, the bank implements all or portions of its BCP by processing data and transactions using back-up media at the recovery site. It involves:
o Validation of crisis response functions;
o Demonstration of knowledge and skills, as well as management response and decision-making capability;
o On-the-scene execution of coordination and decision-making roles;
o Actual, as opposed to simulated, notifications, mobilization of resources, and communication of decisions;
o Activities conducted at actual response locations or facilities;
o Enterprise-wide participation and interaction of internal and external management response teams with full involvement of external organizations;
o Actual processing of data utilizing back-up media; and
o Exercises generally extending over a longer period of time to allow issues to fully evolve as they would in a crisis, and allow realistic role-play of all the involved groups.
CONDUCTING A TEST
Testing requires some centralized coordination, usually by the BCP
coordinator or team. The team or coordinator shall be responsible for
overseeing the accomplishment of targeted objectives and following up
with the appropriate areas on the results of the test.
Generally, the maximum number of personnel that will be involved in
implementing the BCP shall also participate in the test. In addition,
personnel involved in testing shall be rotated in order to prepare for the
loss of key individuals, both during a disaster and as a result of
retirements, promotions, terminations, resignations, or re-assignment of
responsibilities. The involvement and oversight of independent staff
such as auditors will help to ensure the validity of the testing process
and the accuracy of the reporting.
ANALYZING AND REPORTING TEST RESULTS
Management shall report the test results and the resolution of any
problems to the board. Management reports shall consider all the test
results. Test analyses shall include:
NATURAL DISASTERS
FIRE
A fire can result in loss of life, equipment, and data. Data center
personnel must know what to do in the event of a fire to minimize these
risks. Instructions and evacuation plans shall be posted in prominent
locations, and shall include the designation of an outside meeting place
so personnel can be accounted for in an emergency, and guidelines for
securing or removing media, if time permits.
Fire drills shall be periodically conducted to ensure personnel understand their responsibilities. Fire alarm boxes and emergency power switches shall be clearly visible and unobstructed.
All primary and back-up facilities shall be equipped with heat or smoke detectors. Ideally, these detectors shall be located in the ceiling, in exhaust ducts, and under raised flooring. Detectors situated near air conditioning or intake ducts that hinder the build-up of smoke may not trigger the alarm. The emergency power shutdown shall deactivate the air conditioning system. Walls, doors, partitions, and floors shall be fire-resistant. Also, the building and equipment shall be grounded correctly to protect against electrical hazards. Lightning can cause building fires, so lightning rods shall be installed as appropriate. Local fire inspections can help in preparation and training.
Personnel shall know how to respond to automatic suppression systems,
as well as the location and operation of power and other shut-off valves.
Waterproof covers shall be located near sensitive equipment in the event
that the sprinklers are activated. Hand extinguishers and floor tile
pullers shall be placed in easily accessible and clearly marked locations.
The extent of fire protection required depends on the degree of risk the
bank is willing to accept and local fire codes or regulations.
FLOODS AND OTHER WATER DAMAGE
Locating an installation in or near a flood plain exposes the bank to
increased risk. Management shall therefore take the necessary actions to
manage that level of exposure. As water seeks the lowest level, critical
records and equipment shall be located on upper floors, if possible, to
mitigate this risk. Raised flooring or elevating the wiring and servers
several inches off the floor can prevent or limit the amount of water
damage. In addition, the bank shall be aware that water damage could
occur from other sources such as broken water mains, windows, or
sprinkler systems. If there is a floor above the computer or equipment
room, the ceiling shall be sealed to prevent water damage. Water
detectors shall be considered as a way to provide notification of a
problem.
SEVERE WEATHER
A disaster resulting from an earthquake, hurricane, tornado, or other
severe weather typically would have its probability of occurrence defined
by geographic location. Given the random nature of these natural
disasters, branches located in an area that experiences any of these
events shall consider including appropriate scenarios in their business
continuity planning process. In instances where early warning systems
are available, management shall provide procedures to be implemented
prior to the disaster to minimize losses.
AIR CONTAMINANTS
Some disasters produce a secondary problem by polluting the air for a
wide geographic area. Natural disasters such as flooding can also result
in significant mould or other contamination after the water has receded.
The severity of these contaminants can impact air quality at the bank and
even result in evacuation for an extended period of time. Business
continuity planning shall consider the possibility of air contamination and
provide for evacuation plans to minimize the risks caused by the
contamination. Additionally, consideration shall be given to the length of
time the affected facility could be inoperable or inaccessible.
HAZARDOUS CHEMICAL SPILL
Locating branches close to chemical plants, railroad tracks, or major highways used to transport hazardous chemicals poses significant risks. A leak or spill can result in air contamination, as described above, chemical fires, as well as other health risks. Management shall therefore make reasonable efforts to determine the types of chemicals being produced or transported nearby, obtain information about the risks each may pose, and take steps to mitigate such risks.
TECHNICAL DISASTERS
COMMUNICATIONS FAILURE
The distributed processing environment has resulted in an increased
reliance on telecommunications networks for both voice and data
communications to customers, third parties, and back-up sites. The bank
may be susceptible to single points of failure in the event a disaster
affects one or more of these critical systems.
Management shall therefore make efforts to identify and document potential single points of failure within the bank's internal and external communications systems.
If arrangements are made with multiple
BCP COMPONENTS
PERSONNEL
SOFTWARE BACK UP
Software back up for all hardware platforms consists of three basic
areas: operating system software, application software, and utility
software. All software and related documentation shall have adequate
off-premises storage. Even when using a standard software package
from one vendor, the software can vary from one location to another.
Differences may include parameter settings and modifications, security
profiles, reporting options, account information, or other options chosen
by the bank during or subsequent to system implementation. Therefore,
comprehensive back up of all critical software is essential.
The operating system software shall be backed up with at least two
copies of the current version. One copy shall be stored in the tape and
disk library for immediate availability in the event the original is
impaired; the other copy shall be stored in a secure, off-premises
location. Duplicate copies shall be tested periodically and recreated
whenever there is a change to the operating system.
Application software, which includes both source (if the bank has it in its possession) and object versions of all application programs, shall be maintained in the same manner as the operating system software. Back-up copies of the programs shall be updated as program changes are made.
Given the increased reliance on the distributed processing environment, adequate back-up resources and procedures for local area networks and wide area networks are equally important. Management shall ensure that all appropriate programs and information are backed up. Whatever the size of the bank and the nature of anticipated risks and exposures, the time spent backing up data is minimal compared with the time and effort necessary for restoration. Files that can be backed up within a short period of time may require days, weeks, or months to recreate from hardcopy records, assuming hardcopy records are available. Comprehensive and clear procedures are necessary to recover critical networks and systems. Procedures shall, at a minimum, include:
Frequency of update and retention cycles for back-up software and data;
Periodic review of software and hardware for compatibility with back-up resources;
Periodic testing of back-up procedures for effectiveness in restoring normal operations;
Guidelines for the labelling, listing, transportation and storage of media;
Maintenance of data file listings, their contents, and locations;
Hardware, software, and network configuration documentation;
OFF-SITE STORAGE
The off-site storage location shall be environmentally controlled and
secure, with procedures for restricting physical access to authorized
personnel. Moreover, the off-site premises shall be an adequate distance
from the computer operations location so that both locations will not be
impacted by the same event. Beyond a copy of the BCP, duplicate copies of all necessary procedures, including end of day, end of month, end of quarter, and procedures covering relatively rare and unique issues, shall be stored at the off-site location. Another alternative to consider would
be to place the critical information on a secure shared network drive,
with the data backed up during regularly scheduled network back-up.
However, this shared drive shall be in a different physical location that
would not be affected by the same disruption. Management needs to
maintain a certain level of non-networked (e.g., hardcopy) material in the
event that the network environment is not available for a period of time.
Reserve supplies, such as forms, manuals, letterhead, etc., shall also be
maintained in appropriate quantities at an off-site location and
management shall maintain a current inventory of what is held in the
reserve supply.
FACILITIES
The BCP shall address site relocation for short-, medium- and long-term
disaster and disruption scenarios. Continuity planning for recovery
facilities shall consider location, size, capacity (computer and
telecommunications), and required amenities necessary to recover the
level of service required by the critical business functions. This includes
planning for workspace, telephones, workstations, network connectivity,
etc. When determining an alternate processing site, management shall
consider scalability, in the event a long-term disaster becomes a reality.
Additionally, during the recovery period, the BCP shall be reassessed to
determine if tertiary plans are warranted. Procedures to utilize at the
recovery location shall be developed. In addition, any files, input work,
or specific forms, etc., needed at the back-up site shall be specified in the
written plan.
The plan shall include logistical procedures for moving personnel to the
recovery location, in addition to steps to obtain the materials (media,
documentation, supplies, etc.) from the off-site storage location. Plans
for lodging, meals, and family considerations may be necessary.
COMMUNICATION
Communication is a critical aspect of a BCP and shall include communication with emergency personnel, employees, directors, regulators, vendors/suppliers (detailed contact information), customers (notification procedures), and the media (designated media spokesperson). Alternate communication channels shall be considered, such as cellular telephones, pagers, satellite telephones, and Internet-based communications such as e-mail or instant messaging.
PART TWO (2) SPECIFIC PROCEDURES
IV. PROCEDURES
The business continuity planning manual covers all aspects of IT Operations, including but not limited to the following:
a. Business Application Support
b. Technical Support
c. E-Business Support
It focuses mainly on processes and applications managed by the IT Group of the bank. The procedures guiding the execution of the BCP are detailed below:
Business Impact Analysis
The business impact analysis shall assist the IT group in analyzing all its
business functions and the effect a disaster may have upon them.
Risks arising out of the following potential business interruptions are considered below:
i. Natural events
ii. Technical and environmental events
iii. Human Causes
iv. Other failures
v. Outage duration scenarios
iii. Internal requirements
The impact of any outage on internal requirements will primarily be on the day-to-day operations of the branches, the consolidation of the reports sent by the branches, and the requirements of ongoing project teams. The following activities may also suffer due to the outage:
Payroll processing
iv. External Requirements
The impact of any outage on the bank's external customers may include but is not limited to the following:
Risk Assessment
The risk assessment is the second step in developing a business
continuity plan. It is critical and has significant bearing on whether
business continuity planning efforts will be successful or not.
The following risk areas are considered under risk assessment:
i. Physical Security
The physical security of all IT resources against losses or damage
arising from natural or man-made sources cannot be
overemphasized. Physical security covers the following:
Backup Systems
Each live application and database server has a redundant backup currently located in the Head Office Systems room.
In order to ensure that there is no loss of or interruption to business arising from destruction of this equipment, all redundant backups to the live servers must be relocated to the bank's remote Disaster Recovery hot site and connected via a high-speed fibre-optic channel or microwave link for online replication. This ensures that the backup systems are updated instantly, whereas restoration from tape media is a manual process.
In addition to the online backup, offline backup must equally be maintained as a fallback when all else fails. Based on DB's backup policy, all application and database servers are backed up daily onto 24GB/40GB/72GB DAT cartridges and 800GB Ultrium tapes. For redundancy, two sets of the backups are taken: one copy is kept in the media safe at Head Office and the second copy in the off-site safe at Marina Branch. These backups shall be periodically restored, at intervals to be determined by the BCP team, as a consistency check.
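As an added example that is not part of the bank's procedures, the following Python script applies the checks that the SOFTWARE BACK UP procedure list (frequency of update, listing of media and their locations, periodic restore testing) and the two-copy daily tape scheme above call for, run over a constructed backup catalog. Server names, media labels, storage locations and tape contents are hypothetical, and the digests are computed over byte strings standing in for the tape images.

```python
"""Catalog checks for a daily, two-copy tape backup scheme (added example)."""
import hashlib
from collections import defaultdict
from datetime import date, timedelta


def digest(data: bytes) -> str:
    """SHA-256 of a backup image, recorded at the moment the tape is written."""
    return hashlib.sha256(data).hexdigest()


def record_backup(catalog, server, taken, media, location, data):
    """Append one catalog entry per physical copy. Storing the digest at write
    time is what makes a later test restore verifiable rather than a guess."""
    catalog.append({"server": server, "taken": taken, "media": media,
                    "location": location, "sha256": digest(data)})


def check_catalog(catalog, today, max_age_days=1, required_locations=2):
    """Return {server: [problems]} for servers whose latest backup is older
    than the policy interval, is not held in enough distinct locations, or
    whose copies of the same set do not agree with each other."""
    by_server = defaultdict(list)
    for entry in catalog:
        by_server[entry["server"]].append(entry)

    findings = {}
    for server, entries in by_server.items():
        latest = max(e["taken"] for e in entries)
        latest_set = [e for e in entries if e["taken"] == latest]
        problems = []
        if today - latest > timedelta(days=max_age_days):
            problems.append(f"stale: last backup taken {latest.isoformat()}")
        locations = {e["location"] for e in latest_set}
        if len(locations) < required_locations:
            problems.append(f"only {len(locations)} location(s) hold the latest set: "
                            f"{sorted(locations)}")
        if len({e["sha256"] for e in latest_set}) > 1:
            problems.append("copies of the latest set have differing digests")
        if problems:
            findings[server] = problems
    return findings


def verify_restore(entry, restored: bytes) -> bool:
    """Consistency check after a test restore: the restored image must hash
    to the digest recorded when the tape was written."""
    return hashlib.sha256(restored).hexdigest() == entry["sha256"]


# Constructed sample data: hypothetical server names, media labels and images.
IMAGE_DB = b"flexcube database dump 2015-08-04"
IMAGE_APP = b"application server image 2015-08-03"
SAMPLE_CATALOG = []
record_backup(SAMPLE_CATALOG, "flexcube-db", date(2015, 8, 4), "LTO-0071",
              "HO media safe", IMAGE_DB)
record_backup(SAMPLE_CATALOG, "flexcube-db", date(2015, 8, 4), "LTO-0072",
              "Marina off-site safe", IMAGE_DB)
# Deliberate policy breach: one copy only, and it is two days old.
record_backup(SAMPLE_CATALOG, "app-server", date(2015, 8, 3), "DAT-0412",
              "HO media safe", IMAGE_APP)

SAMPLE_FINDINGS = check_catalog(SAMPLE_CATALOG, today=date(2015, 8, 5))

if __name__ == "__main__":
    for server, problems in SAMPLE_FINDINGS.items():
        print(server, "->", "; ".join(problems))
    # A clean test restore, then one where a byte of the tape image was corrupted.
    print("db restore ok:", verify_restore(SAMPLE_CATALOG[0], IMAGE_DB))
    print("corrupt restore ok:", verify_restore(SAMPLE_CATALOG[0], IMAGE_DB[:-1] + b"X"))
```

The digest comparison is the part that turns a "periodic restore" into an actual consistency check: a tape that mounts and restores without error can still hold a truncated or stale image, and only comparing the restored bytes against a digest taken at write time detects that. The location check is deliberately keyed on the latest set, since an older set still sitting in the off-site safe does not satisfy the two-copy requirement for today's data.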
iii. Data Security
The importance of data security in any organisation cannot be over-emphasized. Therefore, the way and manner in which data is maintained or managed can make or mar any organisation.
In order to ensure that data is protected from unauthorized access, DB plc must put in place adequate security measures to safeguard sensitive data.
Creating user profiles with login passwords is a way of enforcing this security. The Bank must ensure that no single individual is the sole administrator for an application by segregating functions.
After daily backups are taken, the tape media are stored in a fireproof data safe and periodically restored at the hot-site, at intervals to be determined by the BCP team, to ensure data integrity.
iv. Personnel
These are the skilled individuals that manage the applications and
databases to ensure Business continuity at all times.
DB plc must as a matter of policy ensure that its IT personnel are
adequately equipped to manage the various processes and
activities involved in the operations of the bank. Regular training of
its IT personnel must be undertaken continuously.
IT Staff must be properly trained and backups for each specialized
function must exist as a contingency measure. The BCP team must
be made up of members drawn from each arm of the IT group (i.e.
BAS, TS, & E-Business Support).
v. Exposures
In order to adequately respond to any disaster that may affect business continuity, it is necessary that the BCP team identify the aspects of its operations that are most vulnerable to attack and take steps to mitigate such exposures.
Such areas include the communication networks, databases, file/application servers, etc. There should be adequate backups for these located at the hot-site. The responsibility for ensuring that this is in place falls on the Head, IT Services.
2. Initiation of BCP
Various activities are required to be performed before initiation of the
BCP can begin. These activities can be classified into the following
areas:
i.
iii. Education Strategy
The following is the strategy for education of all employees of
Diamond Bank Plc about the BCP plan and its ramifications:
Copies of the BCP plan will be made available in all branches
and the head office.
Copies of the BCP plan will be made available to all the
employees on the LAN in a sharable folder or on the Intranet.
iv.
The team will ensure that the BCP plan is maintained and updated to reflect changes in the environment and other factors that affect the plan's viability, with specific emphasis on the bank's chosen IT strategies.
3. Containment Strategy
Containment refers to the measures adopted by
averting if possible or mitigating the impact of a
team shall evaluate the situation following
consequently which contingency measure shall be
the effects of the disaster.
i. Response to fire
1. The bank currently has an FM200 automatic fire suppression system installed in the Systems room at Head Office and at the hot-site (Adeola Hopewell Branch, VI). It is configured to discharge in the event of a fire outbreak.
2. A mobile fire extinguisher is available in the Systems room for handling fires of a lesser magnitude.
3. Where any equipment is damaged, the BCP response team shall assess the damage and determine its impact on the continuity of the business.
4. Where replacements are required, the BCP team shall seek management approval to replace them.
iii. Power down
In the event of a planned power outage of which the electricity authorities have given prior notice, the Head of the Administration Department will ensure that all the generator units are operational and inform the IT personnel, who may shut down some of the servers if required to conserve UPS power. Only the critically needed servers will be kept on. In the event that the outage is unplanned, the Head of the Administration Department will liaise with the electricity personnel to get the power supply restored as soon as possible.
The bank currently has 3 diesel generators of varying kVA capacities to provide power when there is a failure in supply, and the Data Center has a dedicated generator that is connected to the UPS. If for any reason the power outage continues for a longer period, additional generator units can be hired.
The hot-site must have a standby power supply system to act as backup in the event of power loss or interruptions. In addition, a standby UPS must be located at the hot-site.
v. Internet Banking
Diamondonline is a fully functional Internet banking application through which prospective and regular customers can request specific financial services offered by the bank via the Internet. In order to minimize failure and ensure that the application is up 24/7, three servers (Web, Application and Database servers) have been identified as critical for the continuous functioning of this service. These servers act as the live systems, with two servers as backup: one backs up the database while the other backs up the web and application servers.
Any of these servers could be swapped from live to backup within a short space of time if and when necessary, to reduce service downtime in times of crisis.
The Database server, which hosts the details of customers created for this service, also doubles as the Microsoft Message Queuing (MSMQ) server and Primary Domain Controller. A backup database server with a configuration similar to the live one is provided for BCP; since three roles share the live host, the backup must be able to assume all three, not only the database role.
The dbonline domain, which has the database server as its primary domain controller, hosts the Internet banking servers. This domain has a trust relationship with the diamondbank domain, which is necessary for connectivity to the main Flexcube host database. The web server has two gateways, one internal for local networking and the other external for Internet access.
21st Century Technologies acts as the bank's Internet service provider, providing the primary links between our customers and the Internet banking application. GS Telecoms, on the other hand, provides a backup link to the application.
The BCP plan includes continuous testing of the critical systems to
ensure that the services work as planned under contingency
situation.
The quarterly backup from the live servers are restored on the
backup server at the beginning of a new quarter. There is also a
ATM
The Automated Teller Machine (ATM), branded as Any Time Money in DB Plc, enables any internal or external customer of the bank to withdraw cash and carry out other basic banking activities outside the banking halls and beyond banking hours.
As an extension of the Bank's network, the ATM serves to reduce queues in the banking halls and, in the long run, minimize the cost of servicing customers.
In order to ensure high availability of the ATM service, a contingency plan that will reduce service failures to the barest minimum has been considered.
The goal of the contingency plan is to ensure that all ATMs at DB Plc branches connect to the Head Office servers through any of the following media: LAN, ISDN or VSAT.
Each ATM room has two network points, which are connected to the branch switches.
Where a point experiences failure, the ATM shall automatically be switched to the backup point. Spare network cables also exist in the ATM room to replace any defective one.
VSAT or ISDN links connect ATMs at customer locations to the Head Office servers. At present, these links are fully dependent on the service providers, so the contingency plans for the links depend on them. However, the Bank has established Service Level Agreements with the link providers to ensure minimal downtime.
Four systems form the core of ATM operations. These are the ATM Controller, Channel Manager, Card-World Producer and ATM Distributor.
PC Banking
The PC banking application provides access to customers' accounts via dial-up. It offers: balance enquiry, term deposit, FX-rate enquiry, interest rate enquiry, mini statement, cheque book request, stop cheque, statement request via e-mail, fund transfers between accounts and bill payment. The application is hosted on HP Proliant live and backup servers situated in the server room at the Head Office complex.
The detailed business impact analysis can be found in Appendix K.
iv. Tele Banking
The Tele banking application of the bank is an avenue that provides customers with enquiry access by telephone. Account balances, among other services, can be verified via this medium. The application is hosted on HP Proliant live and backup servers situated in the server room at the Head Office complex. The detailed business impact analysis can be found in Appendix K.
v. Valucard
The bank is a member of the consortium of banks offering Valucard in the country. The Valucard servers are located in the server room along with the backup servers. The detailed business impact analysis can be found in Appendix K.
vii. Debit cards / ATM
The evolution of electronic banking, coupled with the bank's focus on electronic services, has made the Debit card/ATM application a key selling tool for the bank. The ATM servers are also located in the server room with the backup servers.
The backup servers are swapped quarterly for a live test to ensure viability. The backup procedure for these servers is as detailed in the Standards and Procedure document. The detailed business impact analysis can be found in Appendix K.
viii. Goldcard
The Savings Goldcard is a secure and convenient means of identifying DB Plc savings account holders. The card contains relevant customer information such as the customer's name, photograph, signature, branch code, account number and other mandate details. The use of the card is open to all savings account holders.
With this card, account holders can conveniently withdraw cash from DB branches other than the branch where their accounts are domiciled.
To enhance the services of the Savings Goldcard product, a user-friendly, multi-user interface application known as Card Soft has been introduced by the Bank. The multi-user interface is required to decentralize the process of data capture from Head Office to the branches. The database resides on the Mobile banking server in the Head Office systems room. The detailed business impact analysis can be found in Appendix K.
ix. MessengeX
This is a new service offered by the bank to customers, leveraging the bulk short message service feature of GSM technology. It would facilitate the dissemination of information and retrievals, leveraging bulk SMS technology, to the bank's internal and
Credit cards
The Credit card / ATM application of the bank is in the design stages and is expected to be operational soon; it will be included in the BCP at a later date. The detailed business impact analysis can be found in Appendix K.
xi.
xiii. Flexcube Retail
2.4 This is an integrated banking solution used for processing all Retail Banking transactions. The application is hosted on an HP Proliant server at the Head Office. BAS staff shall be responsible for the administration of the application in DB Plc, while Iflex Solutions Ltd, India are the application vendors. Two sets of tape backups are done daily, and the detailed business impact analysis can be found in Appendix I.
xiv.
xv.
xvii. Fixed Assets
This application is used by the Financial Control and Admin Units to monitor and maintain the bank's Fixed Asset and Inventory items. The application is hosted on an HP Proliant server in Head Office and updated regularly, following which a handoff file is generated and uploaded to the banking application (Flexcube). Backup is done daily to tape. The detailed business impact analysis can be found in Appendix I.
xviii. Microsoft Exchange Server 2003
This is the bank's Enterprise Messaging Application, which is hosted on two HP Proliant servers in the Head Office. It is managed by two administrators drawn from TSU. The application runs on the Windows 2003 Server operating system.
Tape backups are done daily. The detailed business impact analysis can be found in Appendix I.
xix.
This application acts both as the Firewall and Web proxy. The application is hosted on an HP Proliant server in Head Office and managed by two administrators from TSU. Backups are done monthly. The detailed business impact analysis can be found in Appendix J.
xx. Windows XP/2000/2003
Three operating system platforms exist in Diamond Bank Plc, viz. Windows XP, 2000 and 2003. The Domain Controllers are hosted on Windows 2000/2003 servers in Head Office and managed by two administrators from TSU. The flexible structure allows redundancy for all authentications in the DB Plc domain. The servers have backups located in the Head Office server room. The detailed business impact analysis can be found in Appendix J.
xxi. HP-Unix 11.11 OS
The HP-Unix operating system hosts the bank's Oracle database application. It is resident on two HP RX8640 servers located in Head Office and at the hot-site at the Victoria Island branch. It is managed by two administrators drawn from TSU. The servers are regularly failed over to test Disaster Recovery readiness. The detailed business impact analysis can be found in Appendix J.
xxii. EPO
This is the E-Policy Orchestrator application from Network Associates. It is the Antivirus Management Console and is used for the deployment of enterprise-wide anti-virus solutions in DB Plc. The application is hosted on an HP Proliant server and managed by an administrator from TSU. Tape backups are done on a quarterly basis. The detailed business impact analysis can be found in Appendix J.
xxiii. Windows 2000 Active Directory
This application is used for domain user administration. Authentication of all network objects in the diamondbank.com domain is done using this application. It resides on HP Proliant servers in the Head Office. The detailed business impact analysis can be found in Appendix J.
xxiv.
Recovery Strategy
4.1
i.
6. Testing Strategy
i.
ii. Methodology
The IT department tests the areas described above in a systematic manner. The component(s) in each area are tested and the test results documented. Testing verifies whether each component works when subjected to conditions that approximate or duplicate those expected in a business contingency situation.
iii. Frequency
Testing is carried out at the head office and a sample branch location at least once per year. The Head, IT Services determines whether the tests need to be run and, where more than one run is required, how frequently. Each test is run at least once and repeated if there is a failure.
iv. Coverage
There are seven areas that are identified for inclusion in the testing
strategy.
These are as follows:
1. Critical services
2. Hardware
3. UPS
4. EPABX
5. Media
6. Communication Links
7. People
Each of these areas is described in detail in the section below. The scope of this strategy refers in particular to the Head Office.
Critical Services
Services that have been termed critical include Flexcube, NACS, MS-Exchange, SWIFT and the ATMs.
The core banking application database runs on two HP RX8640 servers. The hot site also hosts a replica, connected via a high-speed fibre-optic backbone for online replication. The detailed backup procedure for these servers is in the Standards and Procedure document.
Uninterruptible Power Supply (UPS)
The UPS is indispensable equipment required for supplying power, especially when regular power from the electricity provider is not available or is cut due to emergency measures.
All UPS units at the bank have been elaborately designed and have a built-in capacity to handle extra power requirements. Such power requirements were analyzed and projected at the procurement stage itself, so there would normally be no modification to the existing units to handle extra power requirements.
EPABX
In line with planning for business contingency, the EPABX at the hot site/offsite location has been planned and ordered with extra capacity.
In addition to this, basic communication services for key people are ensured through the use of multiple direct lines as well as mobile phones that have been issued to these key people. Customers may contact the bank through the direct lines as well as the mobile phones that have been issued.
The list of direct lines and mobile phone numbers is available through the Administration department and is regularly updated and communicated to all employees at the bank.
Media
The IT department underscores the need to have the same media available at both the on-site and hot-site/off-site locations to ensure effective business continuity. In this regard, the Head, IT Services ensures that all critical media are stored at both locations and maintains an inventory of them. Hence the downtime is reduced.
Communication Links (availability of redundant links)
The bank currently uses multiple technologies and vendors to establish connectivity to its various branches; it uses microwave links to connect to its service providers from its head office and the branches, and is in the process of ensuring that these lines have an effective backup/redundant link. The ATMs are also connected to the existing network.
In order to ensure business contingency, these links have been configured to provide redundancy at any location.
The performance of these links is tested from time to time according to the procedures and checks described in the Standards and Procedures document.
Routers will be configured in a specific manner so that packets that are generated will automatically flow via the redundant link if any one link goes down.
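One way to realise the automatic failover described above on the Cisco IOS routers listed in the inventory appendix, added here as an example and not taken from the bank's own configuration: a floating static route with a higher administrative distance on the backup link. The interface names, the next-hop addresses and the 10.0.0.0/8 branch prefix are assumptions.

```cisco
! Added example, not the bank's configuration. Interface names and
! addresses are assumptions; 10.0.0.0/8 stands in for the branch networks.
!
! Primary path: microwave link to the service provider.
interface Serial0/0
 description Primary microwave link
 ip address 192.0.2.2 255.255.255.252
!
! Backup path: ISDN or VSAT link.
interface Serial0/1
 description Backup link (ISDN/VSAT)
 ip address 198.51.100.2 255.255.255.252
!
! Preferred static route to the branches via the primary link
! (default administrative distance of 1).
ip route 10.0.0.0 255.0.0.0 192.0.2.1
!
! Floating static route via the backup link. The administrative
! distance of 250 keeps it out of the routing table while the primary
! route is valid; when Serial0/0 goes line-protocol down the primary
! route is withdrawn and this one takes over automatically.
ip route 10.0.0.0 255.0.0.0 198.51.100.1 250
```

A floating static route only takes over when the primary interface itself goes down; a link that stays up but silently loses upstream reachability is not detected, which is why the ping and tracert checks in the communication-links test checklist remain necessary.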
People
The IT department has duplication of skills. Thus, in any situation requiring business contingency, it can deploy to the hot site/off-site location personnel having the same skills as those at the on-site location. These personnel regularly undergo skills updates, giving the bank the ability to deploy them quickly at any location.
7. Testing Plan
The bank tests critical services at least once per year. The
following is a detailed explanation on the procedures used to
check each service. Multiple checklists are provided to ensure
that tests are documented. A sample of the testing checklist is
shown in Appendix J of this document.
3. EPABX
EPABX testing must ensure that during a business contingency
basic phone access to and from the bank is possible. The aim of the
test process is to ensure that capacity is available and working at
the hot site EPABX.
The testing process is as follows:
1. Check at least 2 extensions in each group by dialling internally,
externally, access the voice mailbox, and use p-codes provided.
2. Disconnect at least 5 lines from the PABX (one should be the
hunting number) and reconnect to direct lines. Ensure that all
are working properly, and can receive / dial out.
3. Ensure the software license codes for PABX are available.
4. Ensure additional equipment capacity (such as instruments and
extensions) is available.
5. Ensure key people are reachable by mobile phones.
4. Fire Prevention Equipment
Fire prevention equipment must be tested and working at all times.
Testing of the fire alarm system is done at least once during the
testing period.
The testing process can be detailed as follows:
v.
3. ELECTRICAL WARDEN
The Electrical Warden (a designated staff member under the Administration Unit) shall be responsible for:
i.
5. INTERNAL CONTROL/INSPECTION
The Internal Control Group, in conjunction with Inspection, shall be responsible for:
i.
Allocating sufficient resources and competent personnel to develop the business continuity plan.
ii. Setting out policy on how the bank will manage and control identified risk.
iii. Reviewing business continuity test results and approving the plan on an annual basis.
iv. Ensuring that the BCP is kept up-to-date and that employees of the bank are trained and conversant with their roles and responsibilities in its implementation.
Appendices
Appendix A - Members of the Fire Team
Designation | Head Office | Branches
Safety Officer | |
Deputy Safety Officer | |
Fire Fighting Warden | |
Alternate Fire Fighting Warden | |
Electrical Warden | |
Alternate Electrical Warden | |
First Aid Warden | |
Alternate First Aid Warden | |
N.B.: The list shall be populated as appropriate on a regular basis by the Chief Security Officer.
Head BAS
Head TSU
Head E-business support
Head IT Services
ED Customer Services & Technology
Central Bank
Branch Managers
Courier Companies
Families of Employees
Fire Brigade
Insurance Company
Legal Authorities
Police
Telephone Authorities
Vendors / Maintenance People
Hot site /off site location
# Copies
1 Hardcopy
1 Hardcopy
1 Hardcopy
1 Hardcopy
1 Hardcopy
1 Hardcopy
1 Hardcopy
1 Hardcopy
1 Hardcopy
Telephone Number
08033019205
08022230369
08023236502
08033068399
08033237065
FIRE BRIGADE | 999 | 08034422368, 08023197775, 08023150139 | 01-2633355
POLICE | 997 | 08023127350, 08033137432 | 01-4978899
AMBULANCE (LASAMBUS) | 4979844, 49798766 | 08073051915, 08033013802 | 01-2637853, 2637854
LASTMA | 08023266303
Date of Activity | Activity | Status (Yes / No) | Remarks | Name of Person Performing Test | Signature
A.
A.1 Hardware Availability
Is server available at offsite location?
Configuration matches on-site location? If not, enter exact configuration in remarks column.
A.3 Communication Links
Test 1: Ping from hot site to mail server from DOS command prompt.
Test 2: Ping from hot site to branches from DOS command prompt.
Test 3: Tracert from hot site to Head Office server from DOS command prompt.
Test 4: Tracert from hot site to branches from DOS command prompt.
Test 5: Perform a loop test.
B. UPS
EPABX
Test 1: Dial at least 2 extensions internally.
Test 2: Dial at least 2 numbers externally.
Test 3: Verify at least 2 p-codes exist and are functional.
Test 4: Disconnect 5 lines and reconnect to direct lines. Ensure all 5 lines are reachable and can dial out as well.
Ensure a buffer of software license codes has been maintained.
Ensure at least 10 additional phone instruments and provisions for the same number of extensions in the EPABX are available.
Dial at least 2 key people using their mobile phone numbers.
D. Fire Prevention Equipment
Test 1: Are all fire alarms and controls situated at strategic locations?
Test 2: Are test certificates available from the vendor?
Test 3: Test the fire alarm control panel by triggering an alarm. Does the panel show the correct location of the alarm that has been triggered?
Has fire training been done at least once a year at each location?
Do training records exist for each session?
Approved:
Head IT Services
Application | Function | Admin | Admin Phone | Vendor | Vendor Phone | Hardware
Flexcube Corporate | Booking of Loans & Money Market Transactions | Barth | 08033019205 | IFLEX | 2613764 | HP RX8640 server, HP Blades servers
Flexcube Retail | Retail Banking | Barth | 08033019205 | IFLEX | 2613764 | HP RX8640 server, HP Blades servers
ECPIX/KD | Automated Clearing Software | | | NIBSS (Obed, Niyi) | 26022024 | HP Proliant Server
FIXED ASSET | Fixed Asset Mgt. | Tolu | 08034753281 | ALLIED SOFT (Duke Obasi) / SYSTEM SPECS | 2633900, 2633786 | HP Proliant Server
ZYIMAGE | Document Imaging Application | George | 08023202992 | DPMS (Niran) | 7939750, 4612275 | HP Proliant Server
SERVICE DESK APPLICATION | Logging of User complaints and Resolution log | Chinedu | 08054076864 | BAS/Ebiz Support | Ext 343/339 | HP Proliant & HP wkstn
SWIFT | Electronic Interbank transactions | Tolu/Blessing | 08034095850, 08034753281 | SWIFT WORLDWIDE | +31715822822 | HP Proliant Server
Entries whose row could not be recovered: HR and payroll; Barth 08033019205; Chinedu 08054076864; 27033412; XCEED; HP Proliant & HP wkstn.
Application | Function | Admin | Admin Phone | Vendor | Vendor Phone | Hardware | OS / Version | CLAT
MS Exchange server 2003 | Mail Server | Emma/Aderemi/Nsikak | 08023531540, 08023140902 | Allied Technologies | 2703341-2 | HP Proliant | Win2000 server |
Internet Security Acceleration server ISA | Firewall and web Proxy | Emma/Aderemi/Nsikak | 08023531540, 08023140902 | Allied Technologies | 2703341-2 | HP Proliant | Win2000 server |
Windows NT/2000/2003 OS | Operating System | Emma/Aderemi/Nsikak | 08023531540, 08023140902 | Allied Technologies | 2703341-2 | Hp Servers | Windows NT/2000/2003 OS |
Hp-Unix 11.11 OS | Operating System | Emma/Aderemi/Nsikak | 08023531540, 08023140902 | HP (Demola) | 2706942 | Hp rp8400 Servers | Hp-Unix 11.11 |
EPO | Antivirus Mgt Console | Emma/Aderemi/Nsikak | 08023531540, 08023140902 | Soft Solutions Limited (Ezekiel/Victor) | 7736045 | Hp Servers | Win2000 server |
Win 2000 Active directory | Domain user administration | Emma/Aderemi/Nsikak | 08023531540, 08023140902 | Allied Technologies | 2703341-2 | Hp Servers | Windows 2000 |
Ms Outlook 2000, XP, 2003 | Mail Client | Emma/Aderemi/Nsikak | 08023531540, 08023140902 | Allied Technologies | 2703341-2 | Hp Computers | Windows NT/2000/Xp/2003 OS |
Cisco Core Router | Interconnectivity device | Gilbert | 08026816275 | Cisco | | Cisco 7204 | Version 12.1(9)E3 |
Cisco Core Router | Interconnectivity device | Gilbert | 08026816275 | Cisco | | Cisco 3640 | Version 12.1(5)T7 |
Catalyst Switch | Interconnectivity device | Gilbert | 08026816275 | Cisco | | Catalyst series 4000 | Version NMPSW 6.3(5) |
Catalyst Switch | Interconnects the backup site | Gilbert | 08026816275 | Cisco | | Catalyst series 4000 | Version NMPSW 6.3(5) |
Cisco Router (Internet router) | Interconnect the Internet via 21st Century Tech. | Gilbert | 08026816275 | Cisco | | 2600 Series router | Ver. 12.1(5)T7 |
Cisco Router (Internet router) | Interconnect the Internet via GST. | Gilbert | 08026816275 | Cisco | | 2600 Series router | Ver. 12.0(2)XC2 |
Catalyst Switch (External) | Connects external internet routers | Gilbert | 08026816275 | Cisco | | Catalyst 2820 Series | Ver. V9.00.04 |
Catalyst Switch (External) | Connects Security equipment | Gilbert | 08026816275 | Cisco | | Catalyst 1900 Series | Ver. V9.00.04 |
PIX | Internet firewall | Patrison | 08033261565 | Cisco | | PIX520 | Ver. 5.2(5) |
UPS | Uninterruptible Power Supply | | | IPBC | N/A | N/A | |
PABX | Intercom facility | Gilbert | 08026816275 | Siemens | 2629991-5, 08043201246, 08032194914, 08033081757, 7763599 | Hicom 300E | |
CLAT column entries (row association not recovered): C, C, C, C, C
Application | Function | Admin | Admin Phone | Vendor | Vendor Phone | Hardware | Software Installed
Bank-World Controller | ATM Administration | Daniel/Uche | 08033449637, 08023181904 | CR2 | +918056647003 | HP/Compaq ML 370 | Win2000 Server, BankWorld Controller
Card-World Producer | Card Production | Daniel/Uche | 08033449637, 08023181904 | CR2 | +918056647003 | HP/Compaq ML 370 | Win2000 Server, Card World Producer
Channel Manager | ATM Administration | Daniel/Uche | 08033449637, 08023181904 | CR2 | +918056647003 | HP/Compaq ML 370 | Win2000 Server, Channel Manager
MessengeX (SMS) | Bulk Messaging | Kayode/Olamide/Debo | 08023020945, 08023706797, 08023236502 | GIL | 017223419, 08052381705 | HP/Compaq ML 370 | Win2000 Server, MessengeX, Oracle
CB2000/Valucard (ValuServer 2) | Valu-card Transaction Processing | Seyi/Wale | 08023006220, 08023020945 | ValuCard | 012703021 | | Win2000 Server, Card Base 2000
CardSoft | Savings/Gold-card Production | Seyi/Wale | 08023006220, 08023020945 | Lubred | 08037402891, 08023190766 | | Windows 2000 Server, MS-SQL, Oracle, Mobile Banker PRO
Diamond Online (FlexAt App) | Internet Banking Application | Kayode/Olamide/Debo | 08023020945, 08023706797, 08023236502 | IFLEX | +912256685325 | HP/Compaq ML 370 | Windows 2000 Server
Diamond Online (FlexAt DB) | Internet Banking Database | Kayode/Olamide/Debo | 08023020945, 08023706797, 08023236502 | IFLEX | +912256685325 | HP/Compaq ML 370 | Windows 2000 Server
Diamond Online (FlexAt Web) | Internet Banking Web Server | Kayode/Olamide/Debo | 08023020945, 08023706797, 08023236502 | IFLEX | +912256685325 | HP/Compaq ML 370 | Windows 2000 Server
TeleBank2 | Telephone Banking | Kayode/Olamide/Debo | 08023020945, 08023706797, 08023236502 | Creative | 014614241, 08033801880 | HP/Compaq ML 370 | Windows NT, Bank Response 2000, MS-SQL
Diamond Mobile (SMSBanking) | SMS/Mobile Banking | Kayode/Olamide/Debo | 08023020945, 08023706797, 08023236502 | Lubred | 08037402891, 08023190766 | HP/Compaq ML 370 | Windows 2000 Server, MS-SQL, Oracle, Mobile Banker PRO
Diamond Connect (PCBank) | PC Banking | Olamide/Debo/Kayode | 08023020945, 08023706797, 08023236502 | Creative | 014614241, 08033801880 | HP/Compaq ML 370 | Windows 2000 Server, RAS, IIS, MS-SQL, Oracle
PayDirect (AL_CSU_51) | PayDirect | Olamide/Kayode | 08023020945, 08023236502 | Interswitch | 014616300, 014610161 | HP Vectra 420 | Windows 2000 Server, IIS, ISA 2000
Hardware cells whose row could not be recovered: HP/Compaq ML 370; HP Desktop EVO.
Note:
Classification of impact to BCP: C-CRITICAL (<1 day), E-ESSENTIAL (2-4 days), N-NECESSARY (5-7 days), D-DESIRABLE (>10 days)
Backup Frequency: DLY-DAILY, WKL-WEEKLY, MTH-MONTHLY, QTR-QUARTERLY
Backup Type: T-TAPE, D-DISK, DB-DATABASE, R-REGISTRY, F-FILE, S-SYSTEM
MTTR (Mean-Time-To-Recover), i.e. minimum recovery period
CONTAINMENT & RECOVERY STRATEGIES
S/N | FLEXCUBE
1.0 PRECAUTIONARY & CONTAINMENT
Ensure that the two (2) Application Servers are up to date with the latest Windows security patches and software.
Timing | Responsibility
Weekly | Head, BAS
Weekly | Database Administrator
Weekly | ICU/Inspection
Quarterly | Database Administrator
Monthly | Head, BAS
Daily | Database Administrator
Daily | Database Administrator
Daily | Database Administrator
Weekly | Database Administrator
Daily | Database Administrator
Weekly/monthly | Head, BAS
Weekly | Head, BAS
Weekly | Head, BAS
Daily | System Administrator
Daily | Head, BAS
After successful testing on the UAT environment | Head, BAS
Should be scheduled to run daily after banking hours | Head, BAS
Immediately | H-BAS, DBA
<=1 day | Head BAS
<=1 day | H-TS
1-3 days | H-BAS
1-3 days | H-BAS
Timing | Responsibility
Hardware failure
Software failure
S/N
2.0
Daily | NACS Administrator (BAS)
Daily | NACS Administrator (BAS)
Daily | NACS Administrator (BAS)
Daily | NACS Administrator (BAS)
Daily | NACS Administrator (BAS)
Daily | NACS Administrator (BAS)
Daily | NACS Administrator (BAS)
Each day after the last clearing session, the ECPIX server is supposed to be shut down for a two-hour maintenance. To maintain the system, do the following:
Stop the NACS application (the EBS and JRUN services)
Perform an offline system backup
Clean the file system
Start the NACS application
Daily | NACS Administrator (BAS)
Daily | NACS Administrator (BAS)
Immediately | H-BAS, DBA
Immediately | NACS Administrator (BAS)
Immediately | NACS Administrator (BAS)
Immediately | Administrator (BAS)
Immediately | Administrator (BAS)
Immediately | Administrator (BAS)
Immediately | Administrator (BAS)
Immediately | Administrator (BAS)
Immediately | Administrator (BAS)
Immediately |
Immediately |
Timing | Responsibility
Weekly | Administrator
Daily | Administrator
Daily | Administrator
Daily | Administrator
Daily | Administrator
Daily | Administrator
Immediately | H-BAS, Administrator
Immediately | Administrator, H-BAS
<=1 day | H-TS
<=1 day | H-TS
<=2 days | Administrator, H-BAS, H-eBiz
Timing | Responsibility
Weekly | Administrator (BAS)
Daily | Administrator (BAS)
Monthly | Administrator (BAS)
S/N | ZYIMAGE
4.0
Immediately | H-BAS, Administrator (BAS)
Immediately | H-TSU, H-ITS, Administrator (BAS)
1-3 days | H-TSU, H-ITS, Administrator (BAS)
1-2 days | Administrator (BAS)
Hardware failure
In case the Scan Station hardware is faulty or bad:
Notify the TS engineer where this requires expert intervention
Request a stop-gap PC
Re-install the Operating System
Re-install the ZyScan client application on the Scan Station
In case the Data Server hardware is faulty or bad:
Notify the TS engineer where this requires expert intervention
Request a stop-gap
Re-install the Operating System
Re-install the ZyImage application
Restore all backed-up images
Software failure
If the Operating System is affected:
Format the C: drive and re-install the OS
Re-install the ZyScan/ZyImage application plus scanner drivers
Restore the application files
S/N | NETWORKS
5.0 PRECAUTIONARY & CONTAINMENT
Backup of routers/switches configurations
Password Changes
Timing | Responsibility
Monthly | Network Administrator
Upon exit/leave of Administrator | Network Administrator
Quarterly | Network Administrator
Quarterly | Network Administrator
Daily | Network Administrator
Weekly | Network Administrator
Monthly | Network Administrator
Daily | Network Administrator
MessengeX
Timing | Responsibility
Weekly | Head, eBiz Support
Weekly | MessengeX Administrator
Weekly | ICU/Inspection
Quarterly | MessengeX Administrator
Weekly | MessengeX Administrator
Weekly | MessengeX Administrator
Weekly | MessengeX Administrator
| MessengeX Administrator
| Head, eBiz Support
As Required |
After successful testing on the UAT environment |
Weekly | MessengeX Administrator
Immediately | Head, eBiz Support; MessengeX Administrator
Hardware failure
Immediately | H-eBiz Support
<=1 day | H-TS
<=1 day | H-TS
2 days | H-eBiz Support
1-2 days | H-eBiz Support
Timing | Responsibility
Software failure
S/N
Weekly | H-eBiz Support
Weekly | SMS Banking Administrator
Weekly | ICU/Inspection
Quarterly | SMS Banking Administrator
Weekly | SMS Banking Administrator
Weekly | SMS Banking Administrator
Daily | SMS Banking Administrator
Weekly | SMS Banking Administrator
As Required | SMS Banking Administrator
| H-EBiz Support; SMS Banking Administrator
| H-EBiz Support; SMS Banking Administrator
Immediately | H-EBiz Support; SMS Banking Administrator
Immediately | H-eBiz Support
Hardware failure
<=1 day | H-TS
<=1 day | H-TS
1-3 days | H-eBiz Support
1-3 days | H-eBiz Support
Timing | Responsibility
Software failure
S/N
Weekly | H-eBiz Support
Weekly | Diamond Online Administrator
Weekly / As required | ICU/Inspection
Weekly | Diamond Online Administrator
Weekly | Diamond Online Administrator
Event logs: the log files need to be deleted regularly, after retaining one previous backup copy. Before being deleted, they are to be saved for backup purposes.
Databases FCAT Corporate, FCAT Infra & FCAT Retail: the Diamond Online Admin needs to ensure sufficient space exists on the disks for the databases where logs are being generated. CPU utilization on the database server (FLEXAT_DB) should be monitored at regular intervals to ensure that it is within acceptable limits.
The MxtUserKeyMap table in the FCAT Infra database keeps a list of locked-out users. This should be checked regularly in order to prevent users from being denied access to DiamondOnline after the maximum threshold is reached.
The application logs some informational and error messages in the Event Viewer. The Event Viewer on the servers should be configured to overwrite events after a predefined maximum log size is reached.
Re-booting of the application server to clear all locks and idle system processes.
Regular application of security patches and service packs to the host servers.
Weekly | Diamond Online Administrator
Weekly | Diamond Online Administrator
Weekly | Diamond Online Administrator
Weekly | Head, eBiz Support; Diamond Online Administrator
Rarely |
When Required | Diamond Online Administrator; Head, eBiz Support
| Diamond Online Administrator; Head, eBiz Support
| Diamond Online Administrator
Immediately | Head, eBiz Support; Diamond Online Administrator
Hardware failure
Escalate to Iflex
Re-install all FLEXAT applications running on the servers as well as the COM+ components
Restore the database
Conduct UAT
Relocate to the hot-site as backup server
Immediately | Head, eBiz Support
<=1 day | H-TS
<=1 day | H-TS
1-3 days | Head, eBiz Support
1-3 days | Head, eBiz Support
Software failure
S/N
Timing | Responsibility
Daily | System Administrator
| System Administrator
| ICU/Inspection
Daily |
Weekly |
Weekly |
Weekly | System Administrator
| System Administrator
Immediately | Systems Administrator
Immediately | Systems Administrator
<=1 day | Systems Administrator
<=1 day | Hardware Vendor
1-3 days | Systems Administrator
1-3 days | Systems Administrator
Timing | Responsibility
Hardware failure
S/N
10.0
Daily | Systems Administrator
Examine the ISA server event logs and note any application or system errors: choose Start > Settings > Control Panel > Administrative Tools > Event Viewer.
Monitor ISA Server activity by viewing performance counters: go to Start > Programs > MS ISA Server > ISA Server Performance Monitor.
View ISA Server alerts by pointing to Internet Security and Acceleration Server > Server and Arrays > Name > Monitoring > Sessions.
Daily | Systems Administrator
Daily | Systems Administrator
Daily | Systems Administrator
Immediately | Systems Administrator
Immediately | Systems Administrator
1-2 days | Systems Administrator
<=1 day | Hardware Vendor
1-3 days | Systems Administrator
Timing
Responsibili
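The checks in this section are described as Event Viewer and MMC clicks. The script below is an added example, not part of the Diamond Bank document and not tooling from i-flex or Microsoft, that performs the same daily reviews from the command line: free space on the database log volumes and CPU utilization on FLEXAT_DB, the Event Viewer size and overwrite setting actually in force, locked-out users in MxtUserKeyMap, and the ISA Server review of application/system errors, performance counters and alerts. It assumes Windows PowerShell 5.1 (Get-EventLog, Get-WmiObject and Get-Service -ComputerName are not available in PowerShell 7); the MxtUserKeyMap column names USER_ID and LOCKED_FLAG, the database name FCAT_Infra, the ISA service names fwsrv, W3Proxy and isactrl, and the alert source-name pattern are all assumptions to be adjusted locally.

```powershell
# Added example (not from the Diamond Bank document, FLEXAT or ISA Server).
# Scripted form of the manual precautionary checks described above.
# Assumptions: Windows PowerShell 5.1; MxtUserKeyMap columns USER_ID/LOCKED_FLAG
# and database FCAT_Infra are hypothetical; fwsrv/W3Proxy/isactrl are the ISA
# Server 2000 service names; ISA alerts are matched by event source pattern.
param(
    [string]$DbServer      = 'FLEXAT_DB',
    [string]$IsaServer     = $env:COMPUTERNAME,
    [string[]]$LogDrives   = @('D:', 'E:'),      # volumes holding database and log files
    [int]$MinFreePercent   = 20,
    [int]$MaxCpuPercent    = 80,
    [int]$Hours            = 24,
    [string]$SqlConnection = 'Server=FLEXAT_DB;Database=FCAT_Infra;Integrated Security=SSPI'
)
$since = (Get-Date).AddHours(-$Hours)

# 1. Free space on the log volumes of the database server (DriveType 3 = local disk)
Get-WmiObject Win32_LogicalDisk -ComputerName $DbServer -Filter 'DriveType=3' |
    Where-Object { $LogDrives -contains $_.DeviceID } |
    ForEach-Object {
        $free = [math]::Round(100 * $_.FreeSpace / $_.Size, 1)
        if ($free -lt $MinFreePercent) { Write-Warning "$DbServer $($_.DeviceID) has only $free% free" }
        else { "$DbServer $($_.DeviceID): $free% free" }
    }

# 2. CPU utilization on the database server, averaged over three 5-second samples
$samples = Get-Counter -Counter '\Processor(_Total)\% Processor Time' -ComputerName $DbServer -SampleInterval 5 -MaxSamples 3
$cpu = ($samples.CounterSamples | Measure-Object CookedValue -Average).Average
if ($cpu -gt $MaxCpuPercent) { Write-Warning ('{0} CPU average {1:N1}% exceeds {2}%' -f $DbServer, $cpu, $MaxCpuPercent) }

# 3. Event log retention actually in force. OverwriteAsNeeded discards the oldest events
#    once MaximumKilobytes is reached, so archive Application/Security first when they may
#    be needed for an investigation. To set the policy the document describes:
#    Limit-EventLog -LogName Application -MaximumSize 64MB -OverflowAction OverwriteAsNeeded
Get-EventLog -List -ComputerName $DbServer |
    Where-Object { 'Application', 'System', 'Security' -contains $_.Log } |
    Format-Table Log, MaximumKilobytes, OverflowAction, @{ n = 'Entries'; e = { $_.Entries.Count } } -AutoSize

# 4. Application and system errors/warnings on the ISA server since the last review
$events = @(Get-EventLog -LogName Application -ComputerName $IsaServer -EntryType Error, Warning -After $since) +
          @(Get-EventLog -LogName System      -ComputerName $IsaServer -EntryType Error, Warning -After $since)
$events | Group-Object Source | Sort-Object Count -Descending | Format-Table Count, Name -AutoSize

# 5. ISA alerts: the ISA services write them to the Application log (source filter is an assumption)
Get-EventLog -LogName Application -ComputerName $IsaServer -After $since |
    Where-Object { $_.Source -match 'ISA|Firewall|Web Proxy' } |
    Format-Table TimeGenerated, EntryType, EventID, Source, Message -AutoSize -Wrap

# 6. ISA services that are not running (service names are assumptions)
Get-Service -ComputerName $IsaServer -Name fwsrv, W3Proxy, isactrl -ErrorAction SilentlyContinue |
    Where-Object { $_.Status -ne 'Running' } |
    ForEach-Object { Write-Warning "$IsaServer service $($_.Name) is $($_.Status)" }

# 7. Locked-out DiamondOnline users in MxtUserKeyMap (column names are assumptions)
$locked = @()
$conn = New-Object System.Data.SqlClient.SqlConnection $SqlConnection
$cmd  = $conn.CreateCommand()
$cmd.CommandText = "SELECT USER_ID FROM MxtUserKeyMap WHERE LOCKED_FLAG = 'Y' ORDER BY USER_ID"
$conn.Open()
try {
    $reader = $cmd.ExecuteReader()
    while ($reader.Read()) { $locked += $reader.GetString(0) }
} finally { $conn.Close() }
"$($locked.Count) locked-out user(s) on $DbServer" + $(if ($locked) { ': ' + ($locked -join ', ') })
```

Run it under an account that can read the remote event logs and the FCAT Infra database, and schedule it daily; the warnings it emits are the items the Systems Administrator would otherwise find by hand in the Event Viewer and the ISA Performance Monitor.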
Timing / Responsibility: Daily, System Administrator; Daily, System Administrator; System Administrator; ICU/Inspection; Monthly, System Administrator; Daily; Weekly
Failure response: Immediately, Systems Administrator; Immediately, Systems Administrator; 1-2 days, Systems Administrator; <=1 day, Hardware Vendor; 1-3 days, Systems Administrator
Timing / Responsibility: Daily, System Administrator; Weekly, System Administrator; System Administrator; ICU/Inspection; Daily; Weekly
Hardware failure: Immediately, Systems Administrator; Immediately, Systems Administrator
HP-UNIX 11.23
Solutions: 1-2 days, Systems Administrator; <=1 day, Hardware Vendor; 1-3 days, Systems Administrator
Software solutions
Timing / Responsibility: Daily, System Administrator; System Administrator; System Administrator; ICU/Inspection; Daily; Daily; Weekly; Quarterly, System Administrator
Failure response: Immediately, Systems Administrator; Immediately, Systems Administrator; Hardware Vendor; 1-2 days, Systems Administrator; Hardware Vendor; <=1 day, Hardware Vendor
HP-UNIX 11.11
Timing / Responsibility: Daily, System Administrator; System Administrator; System Administrator; ICU/Inspection; Daily; Daily; Weekly; Weekly; System Administrator
Failure response: Immediately, Systems Administrator; Immediately, Systems Administrator; 1-2 days, Systems Administrator; <=1 day, HP; 1-3 days, HP
SWIFTAlliance Entry
14.0 PRECAUTIONARY & CONTAINMENT
Timing / Responsibility: Quarterly, SWIFT Administrator; Daily, SWIFT Administrator; SWIFT Administrator; Weekly; Fortnightly, SWIFT Administrator
Containment: Immediately, SWIFT Administrator; Head, BAS; 1 day, H-BAS/SWIFT Administrator
Timing / Responsibility: Daily, Administrator; Regularly, Administrator; Regularly, Administrator; Regularly
Ensure that the Xceed application files and folders are backed up to tape/disk
Ensure that the Xceed database is backed up to tape/disk
Timing / Responsibility: Daily, Administrator; Administrator; Daily, Administrator; At logon, Xceed User; Administrator; At least once a year, Head, ITS / Contingency Response Team; Head, ITS / Contingency Response Team; Contingency Response Team
Timing / Responsibility: Daily, Branch CSM; Daily, Branch CSM
3. Ensure that the server room has adequate cooling and is secure | Daily/Quarterly
4. Ensure that the branch server is powered up in the morning and | Daily | Branch CSM/Regional IT Engineer; Branch CSM
5. Ensure that the branch UPS are working well and backup power | Weekly | Branch CSM; Bi-weekly
7. Ensure that the UPS and generators are functional and working | Bi-weekly
Timing / Responsibility: Immediately, Regional IT Engineer; CSM/Regional Engineer; CSM; Daily, Branch CSM; Immediately, Branch CSM; Immediately or ASAP, Branch CSM; Immediately or ASAP, Branch CSM; Immediately or 2 days max; 2-4 hours, CSM/Regional IT Engineer; Regional IT Engineer; Immediately or ASAP
1. the LAN address of the new location and test connection to the host database
Release 2-3 workstations to be configured for the affected branch tellers where there is a shortage of PCs | 2-3 hrs | CSM/BM of new branch location; Regional IT Engineer
Timing / Responsibility: Immediately, Branch CSM; Immediately, Branch CSM; 1-2 days; 1-2 days, Regional IT Engineer; Regional IT Engineer/CSM; Immediately, Branch CSM; 1-2 days; Once notified, Regional IT Engineer/CSM; Head IT Services; Once notified, Head IT Services; Head BAS/Head TS; 1 day, Regional IT Engineer; Head TS