Information Management System Policy

1. Introduction, Purpose, Scope, Users.

This Policy is issued by AVETIUM CONSULT LIMITED, a company duly registered under the Laws of the Federal Republic of Nigeria, having its registered address at 3rd Floor, Sunny Motors Building, 3, Otunba Adedoyin Ogungbe Crescent, Lekki-Phase.

Avetium Consult is a Business Process Outsourcing and Technology Solutions company incorporated in Nigeria. It was licensed in 2016 and began operations on 28 December 2016.

The aim of this Policy is to define the purpose, direction, principles and basic rules that must be adhered to when handling any information pertaining to Avetium Consult.

The information created, processed and used by Avetium Consult, as well as the non-public consumer information entrusted to Avetium Consult by its customers, is among the Organization's most valuable assets. Given the competitive nature of Avetium Consult's businesses and the significant value of the resources it manages, the business and technology units must take all steps necessary to protect these assets. A compromise of these information assets could severely impact Avetium Consult's customers, constitute a breach of laws and regulations, and damage the reputation and financial stability of the Organization. Avetium Consult will continually improve its management system and its objectives in order to strengthen its information security management system, its privacy information management system and its compliance with the Nigeria Data Protection Regulation. This Policy will help business and technology units address these areas and provides the basis for an effective information security programme.

This Policy applies to the entire Integrated Management System (IMS) implementation, covering ISO/IEC 27001, ISO/IEC 27701 and the NDPA. Users of this document are all the people and processes that constitute the organization's information security, namely the employees of Avetium Consult, contract workers and third parties contracted to provide services to Avetium Consult, as well as all external parties who have a role in the IMS.

Information security has many benefits for the business, including:

  • Protection of revenue streams and company profitability
  • Ensuring the supply of goods and services to customers
  • Maintenance and enhancement of shareholder value
  • Compliance with legal and regulatory requirements

This policy applies to all systems, people and processes that constitute the organization’s information systems, including board members, directors, employees, suppliers and other third parties who have access to Avetium Consult systems.

The following supporting documents are relevant to this information security and privacy policy and provide additional information about how it is applied:

  • ISO/IEC 27001:2022 Standard, clauses 4.2.1 and 5.2, 5.3.
  • ISO/IEC 27701:2023 Standard, clauses 5.2.4 and 5.4.2.
  • IMS Scope Document
  • Information Security and Privacy information policy document/manual
  • Risk Management Framework
  • Incident Management Policy & Procedure
  • Cloud Computing Policy
  • Mobile Device Policy
  • Access Control Policy
  • Cryptographic Policy
  • Physical Security Policy
  • Anti-Malware Policy
  • Network Security Policy
  • Electronic Messaging Policy
  • Data Protection Policy

The table below lists the individual policies within the documentation set and summarizes each policy's content and its target audience of interested parties.

  • Cloud Computing Policy
    Areas addressed: Due diligence, signup, setup, management and removal of cloud computing services.
    Target audience: Employees involved in the procurement and management of cloud services.
  • Mobile Device Policy
    Areas addressed: Care and security of mobile devices such as laptops, tablets and smartphones, whether provided by the organization or by the individual for business use.
    Target audience: Users of company-provided and BYOD (Bring Your Own Device) mobile devices.
  • Access Control Policy
    Areas addressed: User registration and deregistration, provision of access rights, external access, access reviews, password policy, user responsibilities, and system and application access control.
    Target audience: Employees involved in setting up and managing access control.
  • Cryptographic Policy
    Areas addressed: Risk assessment, technique selection, deployment, testing and review of cryptography, and key management.
    Target audience: Employees involved in setting up and managing the use of cryptographic technology and techniques.
  • Physical Security Policy
    Areas addressed: Secure areas, paper and equipment security, and equipment lifecycle management.
    Target audience: All employees.
  • Anti-Malware Policy
    Areas addressed: Firewalls, anti-virus, spam filtering, software installation and scanning, vulnerability management, user awareness training, threat monitoring and alerts, technical reviews and malware incident management.
    Target audience: Employees responsible for protecting the organization's infrastructure from malware.
  • Network Security Policy
    Areas addressed: Network security design, including network segregation, perimeter security, wireless networks and remote access; network security management, including roles and responsibilities, logging and monitoring, and changes.
    Target audience: Employees responsible for designing, implementing and managing networks.
  • Electronic Messaging Policy
    Areas addressed: Sending and receiving electronic messages, monitoring of electronic messaging facilities and use of email.
    Target audience: Users of electronic messaging facilities.
  • Records Retention and Protection Policy
    Areas addressed: Retention period for specific record types, use of cryptography, media selection, record retrieval, destruction and review.
    Target audience: Employees responsible for the creation and management of records.
  • Data Protection Policy
    Areas addressed: Applicable data protection legislation, definitions and requirements.
    Target audience: Employees responsible for designing and managing systems that use personal data.
  • Data Masking Policy
    Areas addressed: Protecting sensitive data by obscuring or anonymizing it to prevent unauthorized access.
    Target audience: Information Security Team, Data Processors, Solution Delivery and Product Management.
  • Threat Intelligence Policy
    Areas addressed: Gathering, analyzing and responding to emerging cyber threats to mitigate potential risks.
    Target audience: Information Security Team, Data Processors, Solution Delivery and Product Management.
  • Data Leakage Prevention Policy
    Areas addressed: Preventing unauthorized transfer of data outside the organization.
    Target audience: Information Security Team, Data Processors, Solution Delivery and Product Management, all employees, Data Handlers.
  • Monitoring of Activities Policy
    Areas addressed: Tracking and monitoring user activities to detect suspicious behaviour or policy violations.
    Target audience: Information Security Team, Data Processors, Solution Delivery and Product Management, Compliance.
  • Web Filtering Policy
    Areas addressed: Restricting access to unauthorized or harmful websites to ensure secure web usage.
    Target audience: Information Security Team, Data Processors, Solution Delivery and Product Management, all employees.
  • Information Deletion Policy
    Areas addressed: Guidelines for the secure deletion of sensitive or obsolete data in compliance with legal and regulatory requirements.
    Target audience: Information Security Team, Data Processors, Solution Delivery and Product Management, Data Managers, Compliance.
  • Configuration Management Policy
    Areas addressed: Managing and maintaining secure configurations of IT systems to prevent vulnerabilities.
    Target audience: Information Security Team, Data Processors, Solution Delivery and Product Management.

2. Basic Information Security and Privacy Terminology

  • Confidentiality – the property that information is not made available or disclosed to unauthorized individuals, entities or processes.
  • Integrity – the property of safeguarding the accuracy and completeness of assets.
  • Availability – the property of being accessible and usable upon demand by an authorized entity.
  • Information security – the preservation of the confidentiality, integrity and availability of information.
  • Information Security Management System – that part of the overall management system, based on a business risk approach, that establishes, implements, operates, monitors, reviews, maintains and improves information security.
  • Personally Identifiable Information (PII) – any data that could potentially identify a specific individual. Any information that can be used to distinguish one person from another, or to de-anonymize previously anonymous data, can be considered PII.
  • Data subject – any individual person who can be identified, directly or indirectly, via an identifier such as a name, an ID number or location data, or via factors specific to the person's physical, physiological, genetic, mental, economic, cultural or social identity.
  • Data controller – the party that determines the purposes for which, and the means by which, personal data is processed. If the organisation decides "why" and "how" personal data should be processed, it is the data controller. Employees processing personal data within the organisation do so to fulfil the organisation's tasks as data controller.
  • Data processor – the party that processes personal data only on behalf of the controller. The data processor is usually a third party external to the organisation.

3. Integrated Management System Objective Framework

Avetium Consult ensures that its information security and privacy objectives are aligned with this Integrated Management System Policy and are measurable wherever possible. Objectives are set based on applicable security requirements, the results of risk assessments, and risk treatment plans.

Avetium Consult then plans how to achieve these objectives by determining what actions will be taken, the resources required, who will be responsible, and the timeline for completion. Progress is monitored and results evaluated regularly, with objectives being communicated to relevant stakeholders.

Documented information on the objectives is retained, and updates are made as necessary based on evolving risks.

Refer to the following documents for details:

  • Integrated Management System Objectives
  • IMS Monitoring and Measurement Metrics and Evaluation Report

4. Information Security and Privacy Policy

Our Policy Statement

Avetium Consult establishes this Policy to ensure that its customer, employee and company information is protected against unauthorized access or modification, fraud, failure and unavailability, unauthorized disclosure, and accidental or deliberate physical damage, by maintaining the confidentiality, integrity and availability of that information.

Avetium Consult shall establish a comprehensive information security programme that complies with its regulatory and legislative obligations.

Avetium Consult, in its determination to guarantee the effectiveness of the information security programme, further commits to its continual improvement and undertakes to communicate the policies and make them available to its internal and external stakeholders.

4.1  Goals and objectives

The main goal of information security and privacy is a programme that ensures Avetium Consult meets its statutory functions, namely the safekeeping of customer information in its systems, thereby strengthening its market image and reducing the damage caused by potential incidents. In accordance with its vision, mission and core values, as driven by the corporate strategy, the information security objectives seek to:

4.1.1. IMS Objectives

  1. Communicate the Acceptable Use of Information Assets Policy
  2. Have confidentiality and non-disclosure agreements, the code of conduct and confidentiality undertakings signed
  3. Restrict access to data based on roles and rules
  4. Back up all critical data
  5. Comply with applicable regulatory requirements
  6. Ensure all assets are tagged
  7. Ensure every asset in the inventory has a designated owner
  8. Ensure proper incident management and reporting of data breaches
  9. Protect data in transit
  10. Review user access rights
  11. Protect Avetium records
  12. Securely dispose of information assets (employee and customer PII, IT assets)
  13. Conduct regular full-scope integrated internal audits for compliance
  14. Screen all new intakes
  15. Use contractual agreements for all contracts with employees, customers and third parties
  16. Ensure Integrated Management System awareness for all new intakes during induction
  17. Maintain secure areas for critical systems
  18. Adequately protect encryption keys
  19. Conduct vulnerability assessment and penetration testing
  20. Respond effectively to security incidents
  21. Determine and securely maintain the records necessary to support its obligations for the processing of PII
  22. Obtain consent, including a process for its modification and withdrawal
  23. Minimise PII
  24. Establish Privacy Impact Assessments
  25. Ensure the security of offsite storage and backups of PII
  26. Ensure a disciplinary process, up to termination of employment, is in place where a privacy breach is committed
  27. Embed privacy and information security continuity in the organization's business continuity management plan
  28. Establish and maintain effective processes for responding to data subject requests, including access, rectification and erasure requests
  29. Identify at least 99% of cloud assets and conduct risk assessments to understand their vulnerabilities and threats

Information security and privacy objectives will be documented for an agreed time period, together with details of how they will be achieved. These will be evaluated and monitored as part of management reviews to ensure that they remain valid. If amendments are required, these will be managed through the change management process.

Information security controls will be adopted by Avetium Consult where appropriate. These will be reviewed on a regular basis in the light of the outcome of risk assessments and in line with the information security and privacy risk treatment plans.

5. Information Security and Privacy Requirements

A clear definition of the requirements for information security and privacy within Avetium Consult will be agreed and maintained with the internal business and interested parties, so that all information security and privacy activity is focused on the fulfilment of those requirements. Statutory, regulatory and contractual requirements will also be documented and fed into the planning process. Specific requirements for the security of new or changed systems or services will be captured at the design stage of each project.

It is a fundamental principle of the Avetium Consult information security and privacy programme that the controls implemented are driven by business needs, and this will be communicated regularly to all staff through team meetings and briefing documents.

This Policy and the entire IMS must be in line with the legal and regulatory requirements relevant to the organization in the fields of information security, data secrecy, business continuity and personal data protection, as well as with its contractual obligations.

6. Risk Management

Information security and privacy risk management shall be incorporated into enterprise risk management, in line with the organization's strategic plans and the enterprise risk management framework. The risk evaluation criteria are described in more detail by management in the Risk Assessment and Risk Treatment Methodology.

Information security and privacy continuity shall be integrated into the organisation's Business Continuity Management System. See the IMS Scope Document for more detail.

7. Continual Improvement of the IMS

Avetium Consult's policy with regard to continual improvement is to:

  • Continually improve the effectiveness of the ISMS and PIMS
  • Enhance current processes to bring them into line with good practice as defined in ISO/IEC 27001, ISO/IEC 27701 and related standards
  • Achieve ISO/IEC 27001 and ISO/IEC 27701 certification and maintain it on an ongoing basis
  • Increase the level of proactivity (and the stakeholder perception of proactivity) with regard to information security
  • Make information security processes and controls more measurable in order to provide a sound basis for informed decisions
  • Review relevant metrics on an annual basis, using the collected historical data, to assess whether it is appropriate to change them
  • Obtain ideas for improvement through regular meetings and other forms of communication with interested parties
  • Review ideas for improvement at regular management meetings in order to prioritise them and assess their timescales and benefits

Ideas for improvements may be obtained from any source including employees, customers, suppliers, IT staff, risk assessments and service reports. Once identified they will be recorded and evaluated as part of management reviews.

8. Responsibility

MD/CEO: Sets the tone for the IMS through the Committee on Audit and Risk, and reviews IMS policies and procedures as well as departmental information security issues.

Management: The entire management team is responsible for ensuring that the IMS is implemented according to this Policy and for providing all the resources required for its success. Management reviews all information security risk assessment reports.

Heads of Department: The heads of the company's departments and units are responsible for ensuring that all staff and managers are aware of the security policies and that the policies are observed.

Data Protection Officer: The Data Protection Officer shall ensure Avetium's compliance with information security and data protection laws and regulations while safeguarding the privacy of individuals' personal information.

IMS Team: This team ensures that information security and privacy risk management and assessment processes are established and entrenched. It also ensures that staff have been made aware of their responsibilities towards information security through regular awareness programmes run in collaboration with the Human Resources team. The team further ensures that this Policy, and all information security and privacy policies and relevant procedures, remain relevant to business need in response to feedback, including lessons learned from breaches and incidents. All designated owners of systems and information must ensure that they uphold the information security and privacy policies and procedures.

IT Security Team: The IT Security Team members are the designated custodians of systems and are responsible for the management of ICT systems and the information they hold. They shall ensure that all system-driven controls that enforce this Policy and its relevant procedures are strictly implemented. This team also monitors breaches and incidents and activates the sanction process when the need arises, within its approved limits.

Database and System Administrator(s): It is the responsibility of database and system administrators to maintain, with the utmost care and ethics, the confidentiality, integrity and availability of the information systems under their custody.

9. Support for IMS implementation

The management declares that all phases in IMS implementation will be supported with adequate resources in order to achieve all goals and objectives set in this Policy.

10. Policy Review

This Policy shall be reviewed at least every two (2) years, or sooner as may be required, to ensure its effectiveness, continued application and relevance to the Company's business.

11. Escalation

Anyone breaching the information security and privacy policy may be subject to disciplinary action. If a criminal offence has been committed, further action may be taken to assist in the prosecution of the offender(s). All policy breaches shall be escalated to the Information Technology team or the DPO for action.

12. Sanction for Breaches

Breaches of this Policy and security incidents are defined as events which could have resulted, or have resulted, in loss of or damage to Avetium Consult's assets, or events which are in breach of Avetium Consult's security procedures and policies.

All Avetium Consult employees, operators in the capital market, partners, third parties and vendors have a responsibility to report security incidents and breaches of this Policy as quickly as possible through the established Incident Reporting Procedure. This obligation also extends to any external organization contracted to support or access the information systems of Avetium Consult.

Avetium Consult shall ensure that appropriate measures are in place, through the relevant frameworks, to remedy any security breach of this Policy and its associated procedures and guidelines. In the case of an employee, the matter may be dealt with under the disciplinary procedures.

 

13. Policy Exceptions & Retention

All exceptions to this Policy must be approved by the MD/CEO of Avetium Consult. All documentation shall be maintained in accordance with the Avetium Consult policy for the Retention of Documents and Records, or as regulation requires.
