1.1. This Policy on Use of Sim Korpor Facilities (the “Policy”) describes the principles underlying the
acceptable use of Sim Korpor facilities (described in paragraph 2.1, below) and summarises the
main responsibilities and obligations associated with that use. This Policy is effective upon the
completion and adoption of all the Sim Korpor system deliverables.
1.2. This Policy is written in accordance with the Information Technology (I.T.) Security Policy and
applies to all persons using Sim Korpor facilities (the “Users”).
1.3. The Head of the Sim Korpor Project is responsible for reviewing this Policy biannually and,
where necessary, recommending updates to this Policy.
1.4. The Head of the Sim Korpor Project is responsible for ensuring that all Users are aware of this
Policy and receive appropriate information on IT security.
1.5. This Policy does not affect or in any way abrogate the principles set forth in or the applicability of (i) the Code of Conduct for RCB Personnel and (ii) the RCB IT Policy.
1.6. Additional controls, procedures and technical responsibilities carried out by the IT Department
on behalf of the Bank are detailed in the IT Controls Procedures.
2. Use of Sim Korpor Facilities
2.1. Reference to Sim Korpor facilities includes hardware and software (including, but not limited to,
networks, servers, switches, cabling, computers, storage media and devices (fixed, portable,
removable or otherwise), access control devices and mobile and fixed telephony apparatus)
owned, leased, hired or licensed by or to the Bank.
2.2. Sim Korpor facilities and data that resides on the Bank’s IT facilities shall be used primarily for Bank purposes as provided for in this Policy.
2.3. Information, data and applications held or created in Sim Korpor facilities, systems and devices
are the property of the Bank and Users are responsible for ensuring that all Bank data,
information and systems under their control are protected against unauthorised access,
disclosure and modification.
2.4. The IT Department is authorised to identify instances of excessive volumes of material stored
on the Bank’s network which IT believes to be non-business-related. After giving due
notice to the owner of such files and allowing the owner to make a business case to IT
and the relevant line manager for their retention, the IT Department will remove such files if
retention is not approved.
2.5. Users must not use or access or attempt to use or access data or software stored in Sim
Korpor facilities for which they are not authorised.
2.6. Users who print, photocopy or transfer any Bank data (e.g. onto laptops, disks, memory sticks
or any other removable media) are responsible for ensuring that such information on these
materials, media or devices is protected from unauthorised access. Such materials must be
destroyed and such Bank data deleted once no longer required. Refer to the IT Controls
Procedures for additional information on secure deletion of Bank data.
2.7. Sim Korpor equipment, including removable storage media, is the responsibility of the
Department or Resident or Regional Office to which it has been allocated (the “User
Department/Office”). Sim Korpor equipment, and in particular devices capable of data storage,
must be secured from theft and unauthorised use. If IT equipment is lost, stolen or damaged,
the User Department/Office must inform relevant authorities immediately. The User must also
notify the owner of any Bank data retained on the device so as to consider potential data
leakage. The User Department/Office is responsible for the replacement cost of any lost, stolen,
or damaged Sim Korpor IT equipment.
2.8. Only software approved for use by the relevant authorities and acquired through and to the
extent authorised under vendor/licensing agreements via such authorities may be used on Sim
Korpor facilities. Only individuals authorised by the same may install software on Sim Korpor
facilities. Downloading, installing, copying or using non-Bank authorised software on Sim
Korpor facilities is prohibited as is unauthorised copying and/or use of Bank authorised
2.9. Computers or devices that are not approved by the relevant authorities must not be directly
physically connected to the Bank’s computers and the Bank’s computer networks.
2.10. Users will not be granted additional privileges, such as local administrator rights to their
account or workstation, unless the request is supported by the Head of the relevant User
Department/Office and approved by the relevant authority.
2.11. Technical information regarding the Sim Korpor facilities must not be shared with third parties,
verbally, in hard copy or electronically, except with the prior written consent of the Head of the
Sim Korpor. This information includes, without limitation, how systems operate, system
documentation, access control and account information.
2.12. Fixed equipment or components, e.g. workstations, servers, switches, routers etc., must not
be removed from Bank premises unless their removal has been authorised by the relevant
2.13. Any Sim Korpor IT equipment to be disposed of must first be checked by the IT Department
and data must be permanently removed to ensure that it does not contain Bank information.
Refer to the IT Controls Procedures for information on the secure deletion of electronic data.
2.14. Users of Bank laptops shall connect their laptops to the Bank’s network at least once a month
to enable the latest security patches and software updates to be applied. Non-compliant laptops
may be denied access to Bank networks.
3. Usage Monitoring
3.1. The Bank automatically monitors the use of Sim Korpor facilities.
3.2. The Bank shall only permit the routine inspection and monitoring of operational logs generated
by automated monitoring tools by Users performing their normal authorised duties within the
Bank. Disclosure of information from such logs, or other electronic media, shall only occur in
accordance with the Bank’s Codes of Conduct. Investigation of data on the Sim Korpor facilities
shall only be undertaken within the limits and subject to the procedures set out in the Bank’s
Codes of Conduct and may additionally include IT providing information stored on Sim Korpor
4. Use of Passwords and Secure Access
4.1. Users must treat their passwords as sensitive, confidential Bank information.
4.2. Each User is responsible for protecting his/her password(s) and SecurID token from
unauthorised use whether working on Bank premises or from home or other non-Bank
locations. Users are to take due care when using their passwords and SecurID tokens whilst in
4.3. User network log-on passwords must be at least eight characters and contain at least three of
the following four character types: uppercase, lowercase, numeric and special (!”£$%^&*())
characters. Network log-on passwords must be changed every thirty days and the same
password cannot be repeated within a twelve-month period. Application passwords should,
where possible, conform to these minimum standards of strength and frequency of change.
4.4. Users should not use Sim Korpor passwords for non-Sim Korpor accounts. Sim Korpor related and
non-Sim Korpor related passwords should differ from one another.
4.5. Users must not attempt to discover the password of another User.
4.6. Users must not share or disclose their passwords under any circumstances. Users must not
display passwords openly, for example on Post-It notes, notepads etc.
4.7. Compromised passwords must be changed immediately and reported to the service provider
Helpdesk without delay.
4.8. Users must not attempt to access the Sim Korpor facilities or any part thereof using someone
else’s User ID and/or password.
4.9. Each User must secure access to his or her computer, via the standard Windows screen saver,
if the computer is to be left unattended.
4.10. Users should, as a minimum, log off from the network at the end of each working day as
referenced in section 7.1 below.
5. Information Systems and User Access
5.1. Accounts for new Users will be created by the service providers on receipt of an authority from
the Head of Sim Korpor with the User’s bio details. Users are required to change their
passwords on first log on.
5.2. Users are only authorised to access data that they have been approved to access as part of their
5.3. Access to specific areas of the Sim Korpor applications requires the User to complete the
necessary training as approved by the User’s line supervisor or Head of Department.
5.4. The service provider must be informed by the Head of Department/Office when a User moves
between User Departments/Offices, changes responsibilities, leaves the Bank, or is absent from
the Bank for more than 30 days. The service provider will disable a User’s network logon
account if it has not been used in a period of 30 days and report this to the relevant Head, Sim
Korpor. If there has been no request by the relevant User to enable access after another 30
days, the account will be deleted. Exceptions to the foregoing shall be authorised by the Head,
5.5. Heads of User Departments/Offices responsible for Users of applications that process financial
information are responsible for reviewing, maintaining and approving appropriate User access
rights at least annually as part of the Sim Korpor Internal Controls procedures.
6. Use of and access to e-mail and the Internet
6.1. The use of e-mail is intended primarily for Sim Korpor purposes. The Bank may monitor and
review e-mail use. The Bank reserves the right to withhold delivery and quarantine e-mail that
is deemed non-Bank related.
6.2. Users are responsible for ensuring that the content of e-mail is appropriate for the intended
audience, recognising that an email and its contents can be forwarded beyond the initially
6.3. Users shall not use the Bank’s email system for the creation or distribution of any offensive or
disruptive messages; Users who receive any emails with this content should report the matter to
the IT Helpdesk.
6.4. Access to the Internet is intended primarily for Bank purposes. Users are responsible for their
use of Internet facilities using their usernames and passwords. The Bank reserves the right to
restrict access to certain Internet sites using commercial web filtering software and/or services
6.5. The Bank is not liable for any losses a User encounters through fraud or unauthorised access of
his/her personal User accounts whilst using Sim Korpor Facilities.
6.6. The IT Department will be responsible for providing and installing the required software for
Internet browsing. No other browsing software can be installed and used on Sim Korpor
6.7. Users should not use instant messaging and/or their personal e-mail accounts (e.g. Google
mail) for Bank purposes and should not download attachments or click on URL links whilst
accessing personal e-mail via Sim Korpor IT facilities.
6.8. If ordinary Users include signature blocks on emails, these should only contain name, position
and contact details.
6.9. Users may not make comments or representations, including in any blogs, Newsgroups,
Usergroups, Bulletin Boards etc., which might be construed as an official comment on behalf of
the Bank without specific prior approval from authorities.
7. Data Backups
7.1. Data held on the network will be automatically backed up by the IT Department and the service
provider. Users should log off each night to allow full backups to take place successfully. Data
held on the local drives of Bank desktops and laptops is not backed up. It is the responsibility of
Users to ensure that all data requiring backing up is stored on the network.
8. Viruses, Malicious Code and Malware
8.1. Users must comply with periodic advice and instructions from the IT Department in order to
ensure that up-to-date virus protection is loaded and maintained on all Sim Korpor facilities.
Users must not attempt to bypass Bank virus protection software or any other system
8.2. Users should contact the IT Helpdesk if they require information or need to report issues related
to viruses, malicious code and malware, for example if they suspect a file or e-mail attachment
contains a virus or inappropriate material.
8.3. Any activities that have the intention of or may result in the creation and/or distribution of
malicious programs into RCB’s networks (e.g., viruses, worms) are prohibited.
9.1. Sim Korpor approved and owned/leased telecommunications devices, for example SIMs,
mobile phones, modems and flash drives, should be used for Sim Korpor purposes wherever
9.2. Users of these devices are responsible for personal usage and may be liable for charges
9.3. The Bank may record voice telephony conversations carried out over Sim Korpor facilities. The
Bank routinely records voice telephony conversations of certain staff in support of their business
activities and such staff are made aware of this.
10. Remote Access
10.1. Remote access to the Sim Korpor facilities will only be allowed after attendance at the
relevant training course and once authority to do so has been granted.
10.2. By remotely connecting to the Bank environment with personal equipment, users must
understand that their machines are in effect an extension of RCB’s network and should take all
reasonable steps to ensure anti-virus software is up to date whenever possible to reduce the
risk of viruses, malicious code and malware.
11. IT Security Incidents
11.1. For the purposes of this Policy, Sim Korpor security incidents are incidents that have occurred
through non-compliance with this Policy. These include, but are not limited to, theft or loss of IT
equipment, loss of service or facilities, malfunctions of hardware or software, access violations
or any other breach of this Policy.
11.2. A weakness in Sim Korpor facilities is defined for these purposes as a flaw in a system that
allows a breach of this policy once exploited. Users should report weaknesses in Sim Korpor
facilities to the IT Helpdesk. Users should not attempt to test the weakness as to do so may be
treated as a breach of this Policy.
11.3. All actual or suspected IT security incidents or weaknesses should be immediately reported
according to the Information Security Incident Management Process.
12. Breaches of this Policy
12.1. Failure of Users to observe the requirements of this Policy may be regarded by the Sim
Korpor as misconduct, subject to the provisions of the Codes of Conduct or as appropriate.