Information Security Policy

Effective Date:
Review Cycle: Annually or upon material change

1. Purpose

This Information Security Policy establishes the principles, controls, and responsibilities for protecting the confidentiality, integrity, and availability of information assets belonging to Savvy Bee Ltd. The Policy is designed to safeguard customer, partner, employee, and corporate information and to ensure compliance with applicable laws, regulations, and industry best practices.

2. Scope

This Policy applies to:

• All employees, directors, contractors, consultants, and third parties acting on behalf of Savvy Bee Ltd;
• All information assets, including electronic data, physical records, systems, networks, applications, cloud services, and infrastructure;
• All locations and environments where Savvy Bee Ltd information is created, processed, stored, transmitted, or disposed of.

3. Regulatory and Standards Framework

This Policy is aligned with:

• Nigeria Data Protection Act (NDPA) 2023;
• Nigeria Data Protection Regulation (NDPR);
• Guidelines issued by the Nigeria Data Protection Commission (NDPC);
• Central Bank of Nigeria (CBN) cybersecurity and risk management expectations (where applicable);
• ISO/IEC 27001 and ISO/IEC 27002 information security standards.

4. Information Security Objectives

Savvy Bee Ltd’s information security objectives are to:

• Protect information against unauthorized access, disclosure, alteration, or destruction;
• Ensure information is accurate, complete, and reliable;
• Maintain availability of systems and services;
• Support regulatory compliance and business continuity;
• Foster a culture of security awareness across the organization.

5. Information Security Principles

Savvy Bee Ltd adopts the following core principles:

• Confidentiality: Information is accessible only to authorized persons;
• Integrity: Information is protected from unauthorized modification;
• Availability: Information and systems are accessible when required.

6. Governance and Responsibilities

6.1 Board and Management

• Provide oversight and approve the Information Security Policy;
• Ensure adequate resources are allocated to information security.

6.2 Information Security Function

• Develop and maintain security controls and procedures;
• Monitor threats, vulnerabilities, and incidents;
• Coordinate security risk assessments and reporting.

6.3 Data Protection Officer (DPO)

• Ensure alignment with data protection requirements;
• Support incident handling involving personal data.

6.4 Employees and Contractors

• Comply with this Policy and related procedures;
• Protect access credentials and report security incidents promptly.

7. Asset Management

All information assets shall be identified, classified, and managed according to their sensitivity and criticality. Asset owners shall be designated and responsible for appropriate protection.

8. Access Control

• Access to information systems shall be granted on a least-privilege and need-to-know basis;
• Role-based access controls shall be implemented;
• Privileged access shall be strictly controlled and monitored;
• User access rights shall be reviewed periodically.

9. Authentication and Password Management

• Strong authentication mechanisms shall be enforced;
• Passwords and credentials shall meet defined complexity requirements;
• Multi-factor authentication shall be implemented where appropriate.

10. Cryptography and Encryption

• Sensitive data shall be encrypted at rest and in transit;
• Cryptographic keys shall be securely generated, stored, rotated, and revoked;
• Approved encryption standards shall be used.

11. Network and Infrastructure Security

• Networks shall be protected using firewalls, intrusion detection/prevention systems, and segmentation;
• Secure configurations shall be maintained for servers, endpoints, and cloud resources;
• Regular vulnerability assessments and penetration testing shall be conducted.

12. Secure Development and Change Management

• Secure software development practices shall be followed;
• Changes to systems shall be authorized, tested, and documented;
• Security shall be considered throughout the system development lifecycle.

13. Logging, Monitoring, and Audit Trails

• Security events and system activities shall be logged;
• Logs shall be protected from unauthorized access or alteration;
• Logs shall be reviewed regularly to detect suspicious activities.

14. Incident Management

Information security incidents shall be reported, investigated, and managed in accordance with the Incident Response and Breach Notification Policy. Where personal data is involved, regulatory notification obligations shall be observed.

15. Physical and Environmental Security

• Physical access to offices, data centers, and sensitive areas shall be controlled;
• Environmental controls shall protect against fire, flooding, and other hazards.

16. Third-Party and Outsourced Security

Third parties with access to Savvy Bee Ltd information must comply with equivalent security standards. Security obligations shall be documented in contracts and Data Processing Agreements.

17. Business Continuity and Backup

• Information assets shall be backed up regularly;
• Backup data shall be securely stored and tested;
• Security controls shall support business continuity and disaster recovery objectives.

18. Training and Awareness

All personnel shall receive periodic information security awareness and training appropriate to their roles.

19. Monitoring, Compliance, and Enforcement

Compliance with this Policy shall be monitored through audits and reviews. Violations may result in disciplinary action and legal consequences.

20. Policy Review and Updates

This Policy shall be reviewed at least annually or upon significant changes to the threat landscape, business operations, or regulatory requirements.

21. Approval

This Information Security Policy is approved by management and the Board of Savvy Bee Ltd.