Information Security Policy

The Bank’s risk appetite level in relation to Information Security (Incl. Cyber) is Low.

1.4 Legal and Regulatory Obligations

The Bank is obliged to abide by all applicable UK law. The principal legislation to which this policy, and its associated policies and procedures, relate to is set out below.

• Computer Misuse Act 1990 – this act defines the use of computers for unlawful purposes, the need to report certain cyber incidents to the authorities, collect evidence and chain of custody information, and the need for proactive controls. You could be personally prosecuted for your use of Bank systems for unlawful purposes eg under the Computer Misuse Act 1990, Investigatory Powers Act 2016. Abiding by this policy, it’s related standards and frameworks, and the IT Acceptable Use Policy ensure we comply with this act. 
• UK General Data Protection Regulation – protection of personal data. Article 5 (1)(f) states it must be “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).” – this policy and its related standards ensure this. You are responsible for Bank data which must be handled to ensure protection against unlawful or unauthorised processing, access, loss, destruction or damage. eg under UK General Data Protection Regulation or Data Protection Act 2018
• Human Rights Act 1998 – our cyber incident response will not breach your rights. For example, under Article 8 (Right to Privacy) any measures we take to investigate or mitigate an incident will be proportionate and justified. 
• Regulation of Investigatory Powers Act 2000 (RIPA) - lawful interception of communications. The Bank may monitor communications and provide information to the authorities or other third parties - such as our cyber insurers - in response to legitimate requests or incident response. Any information you create or transmit using Bank systems should not be considered private.
• Network and Information Systems Regulations 2018 (NIS Regulations) – risk and incident management, incident reporting, and authority compliance requirements. We comply through our Incident Response processes. You should be aware of your local processes and the Bank's wider Incident Response Process. You are responsible for reporting incidents and should be aware of your local processes and the Bank's wider Incident Response Process under the Network and Information Systems Regulations 2018.

In addition to meeting its legal obligations, the BBB as an Arm’s Length Body (ALB) is required to meet the Government Functional Standards (GFS) where applicable. Obligations relating to Government Functional Standard (GFS007) – Security are contained and prescribed through this policy and associated standards. We provide cyber resilience assurance to Government via the GovAssure programme. 

2. Scope, Roles and Responsibilities 

2.1 This Policy applies to all the Bank’s entities, operations and subsidiaries, and all Colleagues (see Appendix 3 for definition). 

2.2 Colleague behaviours in the use of IT systems are covered in the IT Acceptable Use Policy. 

2.3 The Information Security Team is responsible, and Director is accountable for:

1. Security Operations and Posture Management
2. Defining and measuring compliance with our Information Security Standards
3. Measuring our compliance and maturity against relevant external Standards and Frameworks
4. Ensuring corrective action is taken where we are outside of risk appetite through seeking funding, driving through projects, or other means in line with the Bank’s processes. 

2.4 Service Owners - as agreed and documented in the IT Service Catalogue - are responsible, and their Managing Director is accountable, for taking corrective action where the systems underlying their services are outside of compliance as defined in the Vulnerability Management Framework (VMF).

3. Information Security Themes and Requirements

We recognise four level three risks under Information Security (Incl. Cyber), broadly risks related to:

• People - Risk of inadequate Information Security awareness and training
• Process - Risk of Inadequate Information Security processes and procedures
• Technology - Cyber and Technology Risk
• Governance. - Risk of Inadequate Information Security Governance

These themes are reflected from the Board Risk appetite statement in the RMF, through this policy and down to the Risk and Control library. This section details colleague responsibilities and behaviours under these themes.

3.1 Risk of inadequate Information Security awareness and training 

There is a risk that our colleagues, contractors and suppliers weaken the security of the Bank with a lack of understanding of the controls, tools and processes in place. We train and educate employees appropriately on how to respond to information security threats and incidents. We perform due diligence checks against suppliers, significant exposures, and Colleagues.

3.1.1 Employees will complete:

• all generic and targeted mandatory learning and development in line with the Learning & Development Policy.
• any targeted training required due to the risk associated with their role – e.g. accounts payable staff are often targets, or behaviour - for example, serial phishing links clickers.

3.1.2 Information Security will ensure the content of the Information Security learning modules are relevant, proportionate to our risk and up to date.

3.1.3 Our ability to make informed risk decisions will be validated using cyber awareness activities such as ransomware exercises, ethical phishing, smishing or, vishing. 

3.1.4 Colleagues will take all necessary steps to prevent unauthorised access to data under your control, wherever you are working. Always think, what is the worst-case scenario if this data ends up in the wrong place, and am I doing all I could reasonably do to prevent this?"

• Colleagues will consider whether conversations can be overheard, and by whom. They will take all reasonable steps to prevent unauthorised disclosure of sensitive information this way, whether working remotely or at the Bank’s premises.
• Colleagues will only disclose the Bank’s information to third parties in the proper exercise of their contractual duties using the appropriate channels, and with the permission of any second party if relevant. 
• Colleagues will only disclose Official Sensitive information on a need-to-know basis and only if the recipient is bound by an obligation of confidentiality in favour of BBB, such as with Non-Disclosure agreements (NDA).

3.1.5 Prior to contact initiation or renewal: contract owners will ensure cyber security due diligence checks are carried out against the supplier; line managers are responsible for validating that interim workers have appropriate information security training and competence. 

3.2 Cyber and Technology Risk

There is a risk that the Bank’s vulnerability management systems fail to detect and deter a cyber-attack (e.g. Ransomware). We proactively monitor our systems to identify and remediate system vulnerabilities to agreed timeframes aligned to business requirements. Controls are in place to prevent and mitigate current and emerging Cyber and Information Security threats.

Access

3.2.1. System access is role-based, and follows the principles of least privilege and need-to-know. Do not access or attempt to access systems that are not necessary for the fulfilment of your duties or to which you have not been granted access.

3.2.2. Colleagues will only access - or provide access to - authorised physical locations. Physical access to the Bank’s premises will follow the principle of least privilege, with appropriate physical access control for secure areas such as data centres or logistics loading bays.

Posture Management – vulnerability management and standards’ compliance 

3.2.3. The Information Security team will maintain a set of Information Security Standards (see Supporting Standards). These will be reviewed annually at the same time as this policy. 

• New systems, systems critical to the operation of the Bank, or high-risk systems, will be assessed against these standards annually by Information Security. A gap-analysis will be presented to the relevant technical forum during the annual review. 

3.2.4. The Bank’s Commercial Operations will ensure Information Security standards are made available to suppliers with sufficient time for the supplier to provide a full and comprehensive response, and for this to be reviewed by Information Security. 

3.2.5. Information Security will validate their compliance through their accreditation against relevant standards and by completing due diligence checks.

3.2.6. The SOC will maintain and operate a Vulnerability Management Framework (VMF) to enable the Bank to effectively manage vulnerabilities in software, firmware, hardware or configuration. 

• This defines roles, responsibilities, and timescales across the vulnerability management lifecycle. It predominantly applies to roles with service responsibilities, including but not limited to IT. 

3.2.7. Information Security will inform Service Owners of the severity of any system vulnerabilities together with the required remediation timescales as defined in the VMF. They will also inform Service Owners of elements which do not comply with the security standards, and agree remediation timescales.

• Service Owners are responsible for resolving vulnerabilities affecting their services within the timescales detailed in the VMF. Vulnerabilities can be resolved through software patching, configuration changes, hardware or firmware updates, or architectural changes. Service Owners will ensure all systems comply to the information security standards. 
• Information Security will validate the vulnerability level of our systems and services using vulnerability scanning, penetration tests, or other appropriate means.
• Information Security will use the RMF to report breaches in VMF Service Level Agreements (SLA), or lack of compliance with the Information Security Standards. They will produce regular reports for ERC demonstrating the effectiveness of the VMF and critical and high-risk systems’ standards compliance.

3.2.8. Internal Audit will validate the effectiveness of the Bank’s information security framework.  

3.2.9. Suppliers must meet the requirements of our due diligence checks - or be granted an exception - prior to contract commencement or renewal.

3.2.10. All exceptions to standards’ compliance will be logged with the IT Services Desk and approved by the Information Security Director or an appropriate member of Senior Leadership Team with no conflict of interest. They will be tracked and reviewed annually as part of standards’ review. If the exception results in a material risk, these will be recorded as a Risk under the RMF and managed through the RCSA procedure.

3.3 Risk of Inadequate Information Security Governance 

Our controls protect the confidentiality, integrity and availability of our information assets from threats and are benchmarked against external standards

3.3.1. The Bank will meet the requirements for security as set out by the UK Government. Senior Manager Information Security Governance, Risk, and Compliance (GRC) will validate whether this is so and provide path to green recommendations if required. Service owners are accountable for ensuring their services meet UK Government requirements. The Executive Committee representative of a function is ultimately accountable to the Board for the compliance of services run by their function.

3.3.2. The Bank will maintain Cyber Essentials Plus accreditation or equivalent, to be recertified annually. 

3.3.3. The Bank will align and benchmark our controls against the NIST Cyber Security Framework, gaining independent assurance through Internal or External Audit as required. 

3.3.4. Information Security Governance follows the Bank’s Risk Management Framework (RMF).

3.3.5. Key VMF Performance and Risk Indicators will be maintained and published monthly.

3.3.6. Information Security Standards will be reviewed annually and a gap analysis against key systems as identified by Business Impact Analysis completed and reported to Enterprise Risk Committee (ERC).

• We will maintain awareness of relevant standards as they evolve, provide timely and accurate reporting to stakeholders, and drive any initiatives required to maintain standards alignment. 

3.3.7. The Information Security team will provide technical guidance supporting effective control selection, operation, and validation, and the RCSA procedure and Risk Incidents to validate and improve controls.

• Colleagues must take all reasonable action to verify controls are effective and appropriate, and report when they are not. 
• Colleagues are expected to diligently utilise and maintain controls, taking necessary steps to ensure their effectiveness. This includes following relevant standards and procedures. Colleagues will propose control improvement actions, addition or removal as identified - particularly after incidents, control failures, or where the controls are not cost-effective.
• Colleagues must not try to disable or bypass controls and will promptly report any incidents of control failure or attempted bypassing following the risk incident process

3.4 Risk of Inadequate Information Security processes and procedures

There is a risk that security processes do not operate as designed and leave the Bank's security vulnerable. We maintain an effective Cyber Incident Response Capability. We validate policy and procedural effectiveness through regular exercises and ongoing testing and take corrective action where needed.

3.4.1. Any suspected cyber incident will be immediately reported by calling IT service desk on 020 3880 1630. Examples include having entered your credentials after following a link in a phishing email, or if malicious software is suspected on your laptop.

3.4.2. Any data breach identified through cyber incident response will be escalated to the IT Major Incident Management (MIM) Team for escalation to the Bank’s wider Incident Response Team. The Bank will maintain an effective Security Operations Centre (SOC) and Cyber Incident Response Team (CIRT) with 24x7x365 cover.

• In the event of a suspected breach that involves a Colleague, then a report can be made to the Information Security Director or their nominated deputy first, to ensure this colleague’s anonymity.  Failure to report, log, or respond to a notification of a cyber incident will be subject to disciplinary or contractual procedures.

3.4.3.    Information Security will maintain a Cyber Incident Response Plan (CIRP). This will be validated on each major incident, or at least annually using ‘stress test’ exercises.

• The Cyber Incident Response Team (CIRT) Incident Manager will inform all relevant parties of the approved distribution list for each incident. 
• Information relating to an active CIRT incident is classed as Official Sensitive and strictly need-to-know. Do not disclose details of an active cyber incident or forward meeting invites outside of that distribution list. 
• The Security Operations Centre (SOC) will apply manual or automated remediation to suspected compromised systems. Decision-making authority for disruptive action to core services will be agreed in advance with Executive Committee and documented as part of the Cyber Incident Response Plan (CIRP).
• Your Bank device(s) and/ or account may be locked manually or automatically as part of cyber incident response. Access will be restored as quickly as possible, but not before the incident containment and eradication. 
• If requested, you will immediately surrender your Bank device(s) to the SOC. The SOC member will be accompanied by an independent colleague during the request for equipment. 
• Colleagues will provide accurate information in support of chain of custody documentation. 

3.4.4. IT will maintain hardened systems, both user-facing and back end. The security exposure of Bank systems will be ascertained externally through appropriate penetration tests, to be reviewed by Information Security, managed under the VMF, and with the results reported to Executive Risk Committee.

3.4.5. The Security Operations Centre will maintain and validate detailed playbooks for response to common cyber security incidents. These will be automated where possible.

3.4.6. Colleagues with responsibilities under the CIRF will be notified by the CIRT. They will take the time to understand what is expected of them and follow it to the best of their abilities.

3.4.7. System logs will be collected and analysed proactively to prevent or stop incidents, and reactively for root cause analysis. Lessons learned from incidents will be logged and applied. 

4. Policy Controls 

The Information Security controls are split across 14 control themes as follows: