Security
Security is a top priority for RBAL. Data from customers and partners is handled with the utmost care. To further strengthen confidence in the security of the data entrusted to us, RBAL has implemented an Information Security Management System (ISMS) in line with international security standards and has been officially certified against ISO 27001:2013. This standard defines the requirements for an ISMS based on internationally recognized best practice and serves as a key component of the overall Information & Cyber Security strategy and management of RBAL and the RBI Group.
The operation of the ISMS has many benefits for the business, including:
- Protection of revenue streams and company profitability
- Ensuring the supply of quality services to customers
- Maintenance and enhancement of shareholder value
- Compliance with legal and regulatory requirements
Scope
The scope of the ISMS is the provision of Banking Services in RBAL. It also applies to the provision of hosted Information Technology services to our customers, as well as to internal departments and the branch network. It covers the management of information and business processes conducted by the Information Technology department that support these services.
This includes:
Organizational Context: All organization functions, departments, and physical locations that ISMS applies to.
Information Assets: All information assets to be protected, including data, databases, and systems.
Processes and Services: All relevant processes, services, and activities involved in information handling.
Legal and Regulatory Requirements: All applicable legal, regulatory, and contractual obligations related to information security.
Stakeholders: All interested parties affected by the ISMS, such as employees, customers, and partners.
ISMS Objectives
RBAL regards information as one of its most valuable business assets. Effective RBAL Information & Cyber Security governance to protect these information assets is essential to the long-term existence of RBAL. By adopting a high standard of Information & Cyber Security, RBAL can conduct business and remain competitive.
The "Raiffeisen Bank Albania Code of Conduct (RBAL CoC)" sets out the principles and practices that are binding for all RBAL employees to follow unreservedly both in letter and in spirit. The CoC states RBAL's commitment to act responsibly towards RBAL customers, employees and shareholders: “The RBAL Code of Conduct defines the basic values and forms the foundation of a corporate culture which embraces the spirit of integrity. The Code is meant to ensure that our behaviour in business dealings and ethical matters is compliant with our high standards”.
RBAL adheres to the highest standards of information security management. It is committed to treating customer information responsibly. RBAL maintains the confidentiality of any entrusted information, except when disclosure is authorized by the customer or required by applicable laws, rules or regulations. Information is shared internally with appropriate discretion.
The objectives of RBAL ISMS are to preserve:
- Confidentiality – Access to data and information assets must be confined to those with appropriate authority and must not be disclosed to others. Decisions on granting employees access to data must be based on the need-to-know and need-to-have principle, which means that access to covered data must be necessary for performing the job function.
- Integrity – Data must be complete, intact and accurate. All systems, assets and networks must operate correctly, according to specification. Modification of data must not be possible without the required permissions. All changes to important data sets must be tracked at all times.
- Availability – Data must be available and delivered to the right employee, customer, third party or system at the time it is needed.
- Compliance – All employees and third parties must be aware of and comply with the relevant internal and external specifications, policies, standards and laws.
- Risk Management – Identifying, assessing and mitigating information security risks to acceptable levels.
- Incident Response – Establishing processes for detecting, responding to and recovering from information security incidents.
- User Awareness and Training – Educating and training users so that they understand their roles and responsibilities with respect to information security.
- Stakeholder Confidence – Building and maintaining trust with stakeholders, including customers, partners and regulatory bodies.
- Business Continuity – Ensuring that information security measures support the ongoing operation and resilience of the organization.
- Continual Improvement – Consistently enhancing the ISMS to respond to evolving threats and business requirements.