In order to provide a high level of continuous operation, RBAL has implemented an Information Security Management System (ISMS) in line with the International Standard for Information Security, ISO/IEC 27001. This standard defines the requirements for an ISMS based on internationally recognized best practice and serves as a key component of RBI Group's overall Information & Cyber Security strategy and management.
The operation of the ISMS has many benefits for the business, including:
• Protection of revenue streams and company profitability
• Ensuring the supply of quality services to customers
• Maintenance and enhancement of shareholder value
• Compliance with legal and regulatory requirements
This includes the head office in Tirana, all network branches, subsidiaries, and connected entities as well as third parties who interact with information held by RBAL and the corresponding information systems used to store and process it.
This includes, but is not limited to:
• Any systems or data attached to the RBAL data or telephone networks,
• All systems managed by RBAL,
• Mobile devices and laptops used to connect to RBAL networks or hold RBAL data,
• Data over which RBAL holds the intellectual property rights or is the data controller or data processor,
• Electronic communications sent to and from RBAL.
2. ISMS Objectives
RBAL regards information as one of its most valuable business assets. Effective RBAL Information & Cyber Security governance to protect these information assets is essential to the long-term existence of RBAL. By adopting a high standard of Information & Cyber Security, RBAL can conduct business and be competitive.
The "Raiffeisen Bank Albania Code of Conduct (RBAL CoC)" sets out the principles and practices that are binding for all RBAL employees to follow unreservedly both in letter and in spirit. The CoC states RBAL's commitment to act responsibly towards RBAL customers, employees and shareholders: “The RBAL Code of Conduct defines the basic values and forms the foundation of a corporate culture which embraces the spirit of integrity. The Code is meant to ensure that our behavior in business dealings and ethical matters is compliant with our high standards”.
RBAL adheres to the highest standards of Information & Cyber Security. It is committed to treating customer information responsibly. RBAL maintains the confidentiality of any entrusted information, except when disclosure is authorized by the customer or required by applicable laws, rules or regulations. Information is shared internally with appropriate discretion.
The objectives of the RBAL Information & Cyber Security Policy are to preserve:
• Confidentiality – Access to data and information assets must be confined to those with appropriate authority and not be disclosed to others. The decision process for employees to gain access to data must be based on the need-to-know and need-to-have principle, which means that access to covered data must be necessary for conducting the job function.
• Integrity – Data must be complete, intact and accurate. All systems, assets and networks need to operate correctly, according to specification. A modification of data must not be possible without having the required permissions. All changes to important data sets must be tracked at any given time.
• Availability – Data must be available and delivered to the right employee, customer, 3rd party or system at the time when it is needed.
• Compliance – All employees or 3rd parties must be aware of and comply with relevant internal or external specifications, policies, standards and/or laws.
3. Compliance with internal and external regulations
RBAL is obliged to abide by all relevant legislation as well as the specific regulations valid in Albania.
4. Continual Improvement of the ISMS
RBAL's policy with regard to continual improvement is to continually improve the effectiveness of the Information Security Management System.