Information Security Policy

Infoprive Service Limited Information Security Summary Card

This page informs you of our policies regarding all aspects of information management, such as all requirements and objectives for information security in the company, information custody ownership and usage, classification of information and information management principles, physical and environmental security issues, as well as sanctions applied in case of violation of information security policies.

Roles and Responsibilities

The table below lists the roles with the overall responsibility for information security:

Role Responsibilities
IMS Manager The IMS Manager is responsible for the maintenance, update, review and monitoring of compliance with requirements of this policy. The IMS Manager has authority over the information security initiatives and also reports to the CEO of the company.
Top Management The top management must support the work of the IMS Manager by deciding upon the issues elevated to it by the IMS Manager and making sure that all intentions of the Information Security Policy are fully met.
IMS Board The Board is responsible for overseeing that all IT related services, remains compliance with the Information Security Policy. Hence, the IMS Manager is participating in all IMS Board meetings.
System Administrator The role of the System Administrator is to provide the necessary resources to enable secure, reliable and controlled data processing services. It manages the implementation, control and maintenance of all facilities necessary to enable high standards of IT services the company requires.
S/N Strategic Objectives Information Security Objectives
1. To provide cost effective security services to our clients   Provide 95% assurance of information systems resilience
2. To become the leading provider of Cybersecurity services in Nigeria and West Africa   Provide 95% assurance of information systems resilience   Protect 100% of client confidential information   Protect 90% critical information assets and critical business processes relative to Esentry’s core business.
3. To establish an end-to-end product and service portfolio that enable it offer premium services at cost-friendly prices to its clients Provide 95% assurance of information system resilience   Protect 90% critical information assets and critical business processes relative to Esentry’s core business.
4 To consistently develop new medium to high value client relationships while deepening existing relationships   Protect 100% of client confidential information   Provide 95% assurance of information systems resilience
5 Innovate by offering unique services and solution proprietary or exclusive to the company   Improve 90% security-awareness culture.  
6 To attract, develop and retain the talent required to satisfy product needs of the Group’s existing and potential markets Improve 90% security-awareness culture.  

Use of Passwords 

The security of some of our data is only as strong as the password used to protect it. When creating a password try to make it as strong and un-guessable as possible. In particular:

• Make it at least 8 characters long
• Must contain at least one capital letter, number and symbol
• Don’t use publicly-available information associated to you e.g. your name, children’s names, date of birth
• Change your password at least every 30 days and more often if you think it has been compromised
• Never share your password with anyone else including staff, third parties or even the IT Service Desk
• Don’t write your password down
• Use different passwords for different key systems where possible
• See Esentry ISMSA.901 Access Control Policy for more.

Clear Desk and Clear Screen 

• Sensitive or critical business information, e.g. on paper or on electronic storage media, shall be locked away (ideally in a safe cabinet or other forms of security furniture) when not required, especially when the office is vacated.
• Computers and terminals shall be logged off when unattended and should be protected when not in use.
• Media containing sensitive or classified information shall be removed from printers immediately.

• See Esentry ISMSA.801 Acceptable Use Policy for more.

Physical Security 

When locating computers and other hardware, suitable precautions are to be taken to guard against the environmental threats of fire, flood and excessive ambient temperature / humidity.

All employees are to be aware of the need to challenge strangers on the organization’s premises.

Due consideration must be given to the secure storage of paper documentation containing sensitive or confidential information e.g. tenant files.

See Esentry ISMSA.1101 Physical Security Policy

Mobile Device Policy 

• Only mobile devices provided by Esentry should be used to hold or process classified information on behalf of the organization.
• You must ensure that the device is transported in a protective case when possible and is not exposed to situations in which it may become damaged.
• Do not leave the device unattended in public view, such as in the back of a car or in a meeting room or hotel lobby.
• Faults with the device must be logged with the IT Security.
• Passwords used should be strong and difficult to guess.
• You should not install any unauthorized software on the device without consulting the IT Security first.
• You will not change the configuration or setup of the device without consulting the IT Security first.
• Where possible, the device will be secured so that all of the data on it is encrypted and so is only accessible if the password is known.
• Changes to files held on the device may not be backed up on a regular basis if it is not connected to the corporate network for a period of time. Try to schedule some time in to achieve this on a regular basis.
• Where applicable, virus protection will be installed on the device by the organization.
• The device should not be connected to non-corporate networks such as wireless or the Internet unless a VPN (Virtual Private Network) is used.

See Esentry ISMSA.601 Mobile Device Policy for more.


Acceptable Use of Emails 

Each employee shall be assigned a unique email address that is to be used while conducting company business via email
Employees shall not send or receive:

• Information that violates state or Federal laws or the company’s policies.
• Information designated as confidential or sensitive unless encrypted according to the company’s standards.
• Unsolicited commercial announcements or advertising material.
• Any material that may defame, libel, abuse, embarrass, tarnish, present a bad image of, or portray in false light, the company, the recipient, the sender, or any other person.
• Pornographic, sexually explicit, or sexually oriented material.
• Racist, hate-based, or offensive material.
• Viruses or malicious code.
• Chain letters unauthorized mass mailings, or any unauthorized request that asks the recipient to forward the message to other people.
• Circulating, spreading or disseminating information to email groups which the user has not been designated or authorized to communicate.

See Esentry ISMSA.801 Acceptable Use Policy for more.

Information Classification Policy 

The following scheme shall be used throughout the ESENTRY in classifying information: PUBLIC, GENERAL INTERNAL USE, RESTRICTED and CONFIDENTIAL.

PUBLIC: Information authorized for public disclosure and disseminated to the public via authorized channels e.g. Press Releases.

GENERAL INTERNAL USE: Information which is widely accessible to employees but is not intended for outsiders e.g. Internal Policies.

RESTRICTED: Information of importance for the success and the continued existence of business units or company as a whole, extremely sensitive in nature and requires specific individual “need to know” verification prior to access. Compromise of information would result in adverse financial, legal, regulatory, or reputation damage to Esentry, its employees and or clients e.g. Employee files and records.

CONFIDENTIAL: Information of importance for the overall success of the company, extremely sensitive in nature and requires specific individual “need to know” verification prior to access. Compromise of information would result in severe financial, legal, regulatory, or reputation damage to Esentry, its employees and or clients e.g. Trade Secrets.

See Esentry ISMSA.802 Information Asset Classification and Management Policy for more.

Change Management Policy 

• All change requests shall be logged whether approved or rejected on a standardized and central system
• A risk assessment shall be performed for all changes and dependent on the outcome, an impact assessment should be performed
• Changes shall be tested in an isolated, controlled, and representative environment (where such an environment is feasible) prior to implementation
• Any software change and/or update shall be controlled with version control
• Procedures for aborting and recovering from unsuccessful changes shall be documented
• Specific procedures to ensure the proper control, authorization, and documentation of emergency changes shall be in place

See Esentry ISMSA.1201 Change Management Policy for more.


Acceptable Use of Internet 

Access to the Internet shall be made available only to employees, contractors, subcontractors, and business partners whose duties require access to conduct the company’s business, subject to approval.
Prohibited activities when using the Internet include, but are not limited to:

• Browsing explicit pornographic or hate-based web sites, hacker or cracker sites, or other sites that the company has determined to be off limits.
• Posting, sending, or acquiring sexually explicit or sexually oriented material, hate-based material, hacker-related material, or other material determined to be off limits by the company.
• Posting or sending classified company’s information outside of the company’s network without management authorization.
• Hacking or other unauthorized use of services available on the Internet.
• Posting unauthorized commercial announcements or advertising material.
• Promoting or maintaining a personal or private business via the company’s internet connection.
• Receiving news feeds and push data updates, unless the material is required for company’s business.
• Using unauthorized and unapproved applications or software that occupy or use workstation idle cycles or network processing time (e.g., processing in conjunction with screen savers).
See Esentry ISMSA.801 Acceptable Use Policy for more.


Staying Secure When Offsite 

Employees travelling on business are responsible for the security of information in their custody.

Employees should not take confidential data offsite unless there is a valid reason to do so.

Whilst offsite:

• Don’t leave laptops or other portable IT equipment in an unattended vehicle
• Don’t advertise the fact that you have a device in your possession
• Ensure devices are protected from unauthorized access e.g. password protected as a minimum

See Esentry ISMSA.601 Mobile Device Policy and Esentry ISMSA.602 Teleworking Policy for more.


Software Policy 

• All computer software to be used within the organization must be purchased through the IT Security
• All software in use within Esentry must be correctly licensed
• All installed software programs will be registered in the name of the organization, not the individual
• Under no circumstances will corporate software be copied (other than for backups) or installed for use on non-corporate machines, such as at home
• Changes to in-house developed software must not be made without following the change management process.

See Esentry ISMSA.1205 Software Policy for more.


Transferring Data Outside Esentry 

Where appropriate, sensitive or confidential information or data should always be transmitted in encrypted form.

Prior to sending information to third parties, not only must the intended recipient be authorized to receive such information, but the procedures and Information Security measures adopted by the third party must be seen to continue to assure the confidentiality and integrity of the information.

If in doubt, please contact the IT Service Desk for advice.

See Esentry ISMSA.1301 Information Transfer Procedures for more

Reporting an Incident

All suspected incidents must be reported promptly to the System Administrator Team via

Please provide the following information as a minimum when logging an incident:
• Name
• Department
• Contact Number
• Nature of the incident
• Location of the incident
• Current and/or potential impact
e.g. number of staff affected

Above all please think about what you are going to say,
how will you explain your problem etc.

It is the responsibility of the user to:

• report immediately any actual or potential breach of security
• record any information which may assist in the
investigation of the incident (e.g. error messages)
• adhere to procedures when logging an incident
• remain courteous to the officers dealing with the incident
• request escalation if required by following the
appropriate procedure
• adhere to policies and procedures relating to IT use, equipment maintenance and security
• Log out of the network and /or specific systems
promptly when requested to do so

See Esentry IFPG-A.0501 IT Policy