Information Security Policy

1. Purpose and Alignment 

1.1 Purpose 

This policy details the behaviours expected from colleagues[1] when performing our duties to support the Bank's strategic directives, considering its tolerance for Information Security risk, and our legislative obligations. The objective is to preserve the confidentiality, integrity, and availability of the Bank’s information. It is our collective responsibility to balance the risks we take in driving our agenda with the need to protect the Bank, its systems, and data. This policy and its accompanying documents offer guidance on effectively managing this balance. 

1.2 Alignment to Risk Appetite 

This policy forms part of the Bank’s Operational Risk Management Framework (ORMF). 

1.2.1 Category 

This Policy sits under the Level One Risk Category, Operational Risk. It aligns to the Level Two Risk Category, Information Security (Incl. Cyber), which is defined as the risk of Information Security Incidents, including the loss, theft or misuse of data/information. This covers all types of data[2] and includes the failure to comply with information security rules.

The Bank’s risk appetite level in relation to Information Security (Incl. Cyber) is: Low.

[1] See Scope.

[2] e.g. client data, employee data, and the organisation’s proprietary data.

1.2.2 Risk Appetite Statement

We maintain information security controls to prevent and mitigate current cyber and information security threats.

  • Our controls are validated against recognised external standards to our target maturity.
  • System vulnerabilities are proactively identified and any disruption resolved within agreed timeframes aligned to business requirements.
  • We maintain an effective Cyber Incident Response Capability to promptly detect new risks, and identify, contain and eradicate cyber incidents.
  • Colleagues make informed risk decisions when faced with attempted cyber-attacks like social engineering and phishing.

The British Business Bank (BBB) is obliged to abide by all applicable UK law. The principal legislation to which this policy, and its associated policies and procedures, relate is set out below.

  • Data Protection Act 2018
  • UK General Data Protection Regulation (UK GDPR)
  • Computer Misuse Act 1990
  • Human Rights Act 1998
  • Regulation of Investigatory Powers Act 2000
  • Freedom of Information Act 2000
  • Intellectual Property Act 2014

In addition to meeting its legal obligations, the BBB as an Arm’s Length Body (ALB) is required to meet the Government Functional Standards (GFS) where applicable. Obligations relating to Government Functional Standard (GFS007) – Security are contained and prescribed through this policy and associated standards. We provide cyber resilience assurance to Government via the GovAssure programme.

2. Scope

This Policy applies to all the Bank’s entities, operations, subsidiaries and Colleagues.

3. Key Requirements

The Bank will monitor the use of and access to its systems, including personal use and access to the Internet. The Bank will limit access to its systems based on the principles of least privilege and need-to-know.

3.1 Colleague Behaviours

Colleagues will understand their information security responsibilities. Colleagues are expected to take all reasonable steps to protect the confidentiality, availability and integrity of our systems and data. This includes, but is not limited to, the following behaviours:

  • 3.1.1 Do not use the Bank’s property to transmit, receive, or store any information that is discriminatory, harassing, or defamatory.
  • 3.1.2 Do not access or attempt to access the Bank’s systems or data using an unauthorised device.
  • 3.1.3 Do not access the Bank’s systems without authorisation from the system owner.
  • 3.1.4 Do not transfer the Bank’s data to unauthorised personnel or systems[3].
  • 3.1.5 Keep passwords, tokens, PINs and other authentication and authorisation data confidential and ensure they meet our requirements as defined in the Access and Authentication standard. Passwords, passcodes or PINs do not imply any right of privacy; they exist to prevent unauthorised access.
  • 3.1.6 Lock your screen when your device is unattended.
  • 3.1.7 Where documents are encrypted, ensure the right people have access to the encryption keys, and ensure that access will continue should you leave the Bank.
  • 3.1.8 Take all necessary steps to prevent unauthorised access to data under your control, wherever you are working. Always ask yourself: what is the worst-case scenario if this data ends up in the wrong place, and am I doing all I reasonably could to prevent this?[4]
  • 3.1.9 Consider whether your conversations can be overheard, and by whom. Take all reasonable steps to prevent unauthorised disclosure of sensitive information this way, whether working remotely or at the Bank’s premises.
  • 3.1.10 Only disclose the Bank’s information to third parties in the proper exercise of your contractual duties using the appropriate channels, and with the permission of any second party if relevant.
  • 3.1.11 Only disclose Official Sensitive information on a need-to-know basis and only if the recipient is bound by an obligation of confidentiality in favour of BBB, such as with Non-Disclosure agreements (NDA).
  • 3.1.12 If you have any doubt, consult your line manager or the Information Governance team.

3.2 Maintain Information Security Controls

We maintain the minimum set of information security controls to prevent and mitigate current cyber and information security threats.

  • 3.2.1 Colleagues will support Information Security and bank-wide efforts to maintain our controls under the ORMF.
  • 3.2.2 Colleagues are expected to diligently utilise and maintain controls, taking necessary steps to ensure their effectiveness. This includes following relevant standards and procedures, such as the Risk and Control Self-Assessment (RCSA) Procedure. Colleagues will propose control improvement actions, additions or removals as identified, particularly after incidents, control failures, or where the controls are not cost-effective.
  • 3.2.3 Colleagues must not try to disable or bypass controls and will promptly report any incidents of control failure or attempted bypassing following the risk incident process.
  • 3.2.4 Colleagues will only access - or provide access to - authorised physical locations. Physical access to the Bank’s premises will follow the principle of least privilege, with appropriate physical access control for secure areas such as data centres or logistics loading bays.
  • 3.2.5 Active equipment will consist of modern, manufacturer-supported hardware, will reside in environments in line with manufacturer recommendations and industry best practice, and will have current maintenance and support contracts.
  • 3.2.6 The Information Security team will provide technical guidance supporting effective control selection, operation, and validation.
  • 3.2.7 The Risk and Compliance team will support this through triage and assessment of Risk Incidents, the RCSA Procedure, and with ad-hoc engagement as required.
  • 3.2.8 Risk Champions provide an effective bridge between system owners and end-users, and the Information Security and Risk teams. They will ensure concerns are escalated and necessary local actions taken.
  • 3.2.9 Information Security Controls prevent incidents or realised risk. They align with our board risk appetite statement; colleagues must be familiar with this.
  • 3.2.10 Controls are maintained in the Bank’s risk management system, as part of the RCSA procedure. Colleagues must take all reasonable action to verify controls are effective and appropriate, and report when they are not. Colleagues follow the procedures under the ORMF, such as using control improvement actions. Information Security will use the RCSA procedure and Risk Incidents to validate and improve controls.
  • 3.2.11 The Bank’s Commercial Operations will ensure Information Security standards are made available to suppliers with sufficient time for the supplier to provide a full and comprehensive response, and for this to be reviewed by Information Security. Procured systems that do not meet our standards will have Risks logged in the Bank’s risk management system, associated with the relevant business unit.
  • 3.2.12 Information Security will validate suppliers’ compliance through their accreditation against relevant standards and by completing due diligence checks.
  • 3.2.13 Suppliers must meet the requirements of our due diligence checks - or be granted an exception by logging a Risk in the risk management system associated with the relevant business unit - prior to contract commencement or renewal.
  • 3.2.14 All exceptions are to be approved by the Information Security Director or an appropriate member of the Senior Leadership Team with no conflict of interest.
  • 3.2.15 Where exceptions to this are granted, these will be recorded as a Risk under the ORMF and managed through the RCSA procedure.

3.3 Validate Information Security Controls against recognised external standards

Our controls are validated against recognised external standards to our target maturity.

  • 3.3.1 The Bank will maintain an Information Security Management System (ISMS), aligned with the requirements of ISO 27001, an international standard for Information Security.
  • 3.3.2 The ISMS will be documented in an “ISMS Manual” and made available to all relevant employees.
  • 3.3.3 ISMS maintenance will be governed by The Information Security Forum (ISF), a sub-committee of the Enterprise Risk Committee (ERC).
  • 3.3.4 The Bank will meet the requirements for security as set out by the UK Government.
  • 3.3.5 The Bank will maintain Cyber Essentials Plus accreditation or equivalent, to be recertified annually.
  • 3.3.6 Information Security Governance follows the Bank’s Operational Risk Management Framework (ORMF), see section 2.
  • 3.3.7 Information Security will maintain awareness of relevant standards as they evolve, provide timely and accurate reporting to stakeholders, and drive any initiatives required to maintain standards alignment.

3.4 Resolve System Vulnerabilities

System vulnerabilities are proactively identified, and any disruption resolved within agreed timeframes aligned to business requirements.

  • 3.4.1 Colleagues will support the IT Service Desk in maintaining their devices by responding to reboot requests and reporting unusual activity promptly.
  • 3.4.2 The Bank will maintain and operate a Vulnerability Management Framework (VMF).
  • 3.4.3 This defines roles, responsibilities, and timescales across the vulnerability management lifecycle. It predominantly applies to roles with service responsibilities, which includes but is not limited to IT.
  • 3.4.4 Roles with service responsibilities, such as Service Owners, Data Owners, Data Custodians will be defined and maintained in the Bank’s Service Catalogue.
  • 3.4.5 The Executive Committee representative of a function is ultimately accountable to the Board for resolving system vulnerabilities owned by their function.
  • 3.4.6 Service Owners are responsible for resolving system vulnerabilities within their services.
  • 3.4.7 Information Security will validate the vulnerability level of our systems and services using vulnerability scanning, penetration tests, or other appropriate means.
  • 3.4.8 Internal Audit will validate the effectiveness of Vulnerability Management across the bank.
  • 3.4.9 A Risk Incident will be raised if remediation timescales are breached.

3.5 Maintain Effective Cyber Incident Response

We promptly detect new risks, and identify, contain, and eradicate cyber incidents.

  • 3.5.1 Colleagues will call the IT Service Desk immediately on Content Removed if they suspect system compromise, for example having entered their credentials after following a link in a phishing email.
  • 3.5.2 Colleagues will report Cyber Incidents via the Risk Incident Portal.
  • 3.5.3 Any data breach identified through cyber incident response will be escalated to the IT Major Incident
  • 3.5.4 The Bank will maintain an effective Security Operations Centre (SOC) and Cyber Incident Response Team (CIRT) with 24x7x365 cover.
  • 3.5.5 Information Security will maintain a cyber incident response plan. This will be validated on each major incident, or at least annually.
  • 3.5.6 IT will maintain hardened systems, both user-facing and back end. The security exposure of Bank systems will be benchmarked externally through appropriate penetration tests, to be reviewed by Information Security with the results reported to ERC.
  • 3.5.7 System logs will be collected and analysed proactively to prevent or stop incidents, and reactively for root cause analysis. Lessons learned from incidents will be logged and applied.

3.6 Make Informed Risk Decisions

Colleagues make informed risk decisions when faced with attempted cyber-attacks like social engineering and phishing and when carrying out their duties in support of the Bank’s objectives.

  • 3.6.1 Colleagues will complete all mandatory learning and development in line with the Learning & Development Policy.
  • 3.6.2 Information Security will ensure the content of the Information Security learning modules is relevant, proportionate to our risk and up to date.
  • 3.6.3 Our ability to make informed risk decisions will be validated using cyber awareness activities such as ethical phishing, smishing or vishing.

4. Non-Compliance

All identified breaches of this policy must be reported via the Risk Incident Portal on the Bank’s Intranet. Breaches will be assessed by the Policy Owner to determine the further action required and may include disciplinary action in accordance with the Bank’s Disciplinary Policy.

5. Policy Controls

The infosec controls are visible here: Information Security Controls - Power BI

6. Appendix 1: Aligned Frameworks, Policies, Standards, and Procedures

6.1 Supporting Standards

  • Access and Authentication Security Standard
  • Privileged Access Standard (due 19 December 2023)
  • Cryptography Standard
  • Network and Infrastructure Security (due 31 January 2024)
  • Data Storage and Transfer (due 19 December 2023)
  • Secure Software Development (due 31 January 2024)
  • Secure Asset Disposal (due 31 January 2024)
  • Third Party Requirements Standard

6.2 Aligned British Business Bank Standards

  • Data Governance Standard
  • Data Protection Rights Standard
  • Information Classification and Handling
  • IT Outsourcing
  • Records Retention Schedule
  • Risk and Control Self-Assessment Procedure
  • Standards of Conduct

6.3 Aligned Frameworks

  • Operational Risk Management Framework (ORMF)
  • Vulnerability Management Framework (work in progress)

6.4 Aligned Policies

  • Business Resilience Policy
  • Data Protection Policy
  • IT Acceptable Use Policy
  • IT Asset Management Policy
  • IT Disaster Recovery Policy
  • RM01-Records-Management-Policy
  • Supplier Management Policy
  • Learning and Development Policy

6.5 Aligned Information Security Procedures

  • Cyber Incident Response (work in progress)
  • Major Incident Management (MIM)
  • Supplier Due Diligence (due 2023-11-01)

6.6 Aligned British Business Bank Procedures

  • Freedom of Information Procedure
  • Strategic Recovery and Incident Management Plan
  • System Delivery Lifecycle

7. Appendix 2: Definition of Terms

7.1 CIRT (Cyber Incident Response Team)

The Bank’s CIRT is focused on incident response and management after a security incident has occurred. Our CIRT has an incident confidentiality clause; details of cyber incidents are strictly need-to-know. A CIRT is a specialised team that focuses on responding to and managing cybersecurity incidents and breaches. It is responsible for investigating and containing security incidents, coordinating the response efforts, and ensuring the organisation can recover from the incident effectively. The CIRT works closely with various stakeholders, such as IT teams, legal departments, and law enforcement, to gather evidence, perform forensic analysis, and implement necessary remediation measures. The CIRT also plays a role in incident reporting and communication, ensuring that the incident is appropriately addressed, and the necessary actions are taken to prevent future occurrences.

7.2 ISMS (Information Security Management System)

The ISMS establishes and documents requirements for managing Information Security risks, monitoring the security control effectiveness, and measuring the Bank’s cyber security maturity. The Bank’s ISMS is aligned with ISO 27001 and the NIST Cyber Security Framework.

7.3 Need to know

"Need to know" is a principle or concept that limits access to information or resources only to those individuals who require that specific information to perform their duties or tasks effectively.

7.4 Non-Disclosure Agreement

An NDA, or Non-Disclosure Agreement, is a legally binding contract between two or more parties that outlines confidential information they wish to share with each other. The purpose of an NDA is to protect sensitive or proprietary information from being disclosed to unauthorised individuals or parties.

7.5 Phishing

Phishing is a type of cyberattack and social engineering technique in which an attacker attempts to deceive individuals into divulging sensitive information, such as login credentials, passwords, financial details, or personal identification information. The term "phishing" is a play on the word "fishing," as the attacker "fishes" for victims by posing as a legitimate and trustworthy entity in electronic communications.

7.6 Red, Blue, and Purple Team Exercises

A Red Team evaluates, Blue Team defends, and Purple Team combines efforts to strengthen an organisation's cybersecurity defences.

Red Team: An external group of skilled security experts that mimic cyber attackers by attempting to breach defences and identify vulnerabilities. Their goal is to uncover weaknesses and improve overall security.

Blue Team: Our internal defensive SOC responsible for monitoring and safeguarding our network and systems. The SOC are not informed that an exercise is taking place; during an exercise, they respond to the Red Team's attacks, detect breaches, and mitigate threats.

Purple Team: A collaborative exercise that brings the Red and Blue Teams together. The objective is to facilitate knowledge sharing and enhance the overall cybersecurity capabilities. The teams work jointly to evaluate and improve defence strategies based on the Red Team's attack tactics and the Blue Team's response effectiveness.

7.7 Service

An IT Service used by colleagues, delivery partners, or customers. Examples include the Bank’s Laptops, SharePoint, the Guarantees and Wholesale Portal, and MyHR.

7.8 Service Catalogue

A service catalogue is a structured listing of IT services provided by an organisation, making it easy for colleagues to access and understand available services and any associated service responsibilities. It includes service descriptions and levels, helping colleagues make informed decisions. A service catalogue can have different views: for example, a view for service consumers might list available services and links to documentation, while a view for those responsible for delivering or supporting the services might include roles and responsibilities, and links to technical documentation, related contracts, costs and renewal dates. The catalogue streamlines service delivery, enhances communication, and aids resource allocation, resulting in improved colleague satisfaction.

7.9 Smishing

Smishing (SMS phishing or SMSing) is a type of social engineering cyberattack that involves sending fraudulent text messages (SMS) to deceive and manipulate individuals into revealing sensitive information or performing certain actions. The term "smishing" is a combination of "SMS" (Short Message Service) and "phishing," which is the practice of attempting to obtain sensitive information, such as passwords, financial details, or personal identification, by masquerading as a trustworthy entity in electronic communications.

7.10 SOC (Security Operations Centre)

The Bank’s SOC is our first line of defence, focused on proactive monitoring, detection, and prevention of security incidents. A SOC is responsible for monitoring, detecting, and responding to security incidents within an organisation's networks, systems, and applications. It is a centralised team or facility that actively monitors and analyses security events and alerts in real time. The SOC typically employs various security technologies and tools, such as SIEM (Security Information and Event Management) systems, intrusion detection systems, and vulnerability scanning tools. Its primary goal is to maintain the security and integrity of the organisation's infrastructure by identifying and mitigating threats promptly. The SOC may also engage in proactive threat hunting and vulnerability management activities.

7.11 System

A component or components making up a Service. Examples include storage, compute or networking infrastructure, servers, databases, and applications.

7.12 Vishing

The term "vishing" is a combination of "voice" and "phishing". It is a type of social engineering cyberattack that relies on voice communication, typically over the phone, to deceive and manipulate individuals into revealing sensitive information or performing certain actions.

7.13 Vulnerabilities

Vulnerabilities include exploitable or potentially exploitable weaknesses in software, hardware, and configuration, but also the processes underpinning operation of the Bank’s systems and services.

[3] For example, do not store Bank passwords in third party accounts such as Google Password Manager.

[4] Examples include being mindful of whom you are sharing documents or otherwise communicating with and what you are sharing with them, whether your screen or documents are visible to others, leaving your desk clear, securely disposing of documents, locking your screen, using a screen filter, following our Data Protection Policy and being mindful whom you bring onto BBB premises.

8. Appendix 3: Version Control

| Version | Date | Author | Description | Approved by | Date approved | Date published |
|---|---|---|---|---|---|---|
| V2.0 | September 2017 | Content removed | Minor updates to list of related policies at section 6 & 6.1 | CRO | 11/09/2017 | - |
| V2.1 | November 2017 | Content removed | Updated the existing policy and aligned this with new policies. | BRC | 06/12/2017 | - |
| V2.2 | January 2018 | Content removed | Annual Review | CRO | - | - |
| V2.5 | March 2018 | Content removed | Annual Review | CRO | 29/08/2018 | - |
| V3.0 | January 2019 | Content removed | Annual Review. Moved Access to Office Premises, Access to BBB Information and Clear Desk and Clear Screen sections from IT Acceptable Use Policy to Information Security Policy | CRO | 11/03/2019 | - |
| V4.0 | March 2020 | Content removed | Annual Review | CRO | 12/03/2020 | - |
| V5.0 | November 2020 | Content removed | Migration of existing policy to new template | CRO | 22/12/2020 | - |
| V6.0 | August 2021 | Content removed | Annual Review | CRO | 14/09/2021 | 19/10/2021 |
| V7.0 | November 2022 | Content removed | Annual Review | BRC | 30/11/2022 | 22/12/2021 |
| V7.1 | May 2023 | Content removed | In year amend – inclusion of standardised wording on GFS007, Policy Scope wording related to ‘Colleagues’ category and update to taxonomy | BRC | - | 25/05/2023 |
| V8.0 | June 2023 | Content removed | Full rewrite to simplify and align with the RMF and Board Appetite Statement. | BRC | 13/09/2023 | 15/09/2023 |
| V8.1 | November 2023 | Content removed | Removed reference to PGF and added definitions table, as PGF no longer includes this. 6.1 links updated in Supporting Standards | BRC | - | 05/12/2023 |
| V8.2 | - | - | Minor amends to correct typo errors in Sections 3, 6 and 7 | - | - | 05/02/2024 |
