
Lightway Microfinance Bank Limited
4B, Sola Oguntade Close, Lekki Phase 1, Lagos.
+234 7069678000, 07071793043
www.lightwaymfb.com
RC: 7472603
Information Security Policy
Effective Date: 29 August, 2025
1. PURPOSE
This Information Security Policy establishes the principles, rules, and responsibilities for protecting the confidentiality, integrity, and availability of our information assets. This policy aims to safeguard company, client, and employee data against unauthorized access, disclosure, alteration, and destruction, while ensuring compliance with statutory, regulatory, and contractual requirements.
2. SCOPE OF THE POLICY
This policy applies to all employees, contractors, franchise holders, temporary staff, and third parties who access, manage, or process information owned or controlled by us. It also applies to all information assets, including physical and digital data, systems, networks, and devices.
3. OBJECTIVE OF THE POLICY
The objective of this policy is to protect and ensure the confidentiality, integrity, and availability of all digital assets, customer information, intellectual property and information security infrastructure managed by Lightway Microfinance Bank Limited:
To effectively manage any identified and relevant information security threats in order to meet our strategic business goals and to maintain our legal, regulatory, and contractual compliance obligations.
To mitigate all information security-related threats, whether external or internal, as well as deliberate or accidental.
To ensure business continuity and minimize business damage by preventing or reducing the likelihood of information security breaches or incidents occurring, and minimizing their impact should they occur.
4. ACCESS CONTROLS
Access to systems and data is granted on a Role Based Access Control (RBAC) basis.
Multi-factor authentication (MFA) is required for administrative and sensitive user accounts.
Audits of websites, applications and permissions are to be conducted monthly.
All access to and activity on information systems are to be logged and monitored so that security risks can be properly identified and mitigated.
5. ACCEPTABLE USE OF INFORMATION SYSTEMS
Users of information systems are responsible for ensuring that the systems are used in an effective, ethical, and lawful manner. Examples of acceptable use include, but are not limited to:
Accessing files or databases.
Using web browsers to obtain business information.
Using email for business communication.
Accessing information on a company-owned mobile device.
6. RESPONSIBILITY OF USERS
Users of information systems must ensure the following:
Be responsible for the content of all data, including text, audio, and images they share internally or externally.
Never share private passwords with those who are not authorized to have them or leave passwords in an accessible place.
Passwords must be changed immediately if it is suspected that they may have become compromised.
Store all shared passwords in a centralized and encrypted password database.
Know and abide by all applicable company policies dealing with security and confidentiality of company records.
Avoid transmission of private or confidential information.
Share and store private or confidential information by adhering to security restrictions.
All systems handling these files must contain updated anti-malware programs that must not be disabled or tampered with.
Run a virus scan on any executable file(s) received through the internet.
If a virus is found (either during a scan or via a check by anti-malware software), the user should power off the system and immediately contact the IT department to notify them of the situation, then take no further action until instructed otherwise.
Never knowingly access, introduce, or use pirated software, viruses, or other malware on company systems.
Install only software that is company owned and/or authorized for use by the IT department.
Never access, insert, or connect to company systems any disks, USB drives, or other storage media of unknown origin.
Do not take portable equipment such as laptop computers out of the business unless it has been assigned to you for use, or you have the informed consent of your department manager or the IT department.
Never use or access company resources remotely via unsecured wireless networks.
Never permit unauthorized individuals (even family members) to access company-owned systems or devices.
Hand in all company-issued systems or devices upon termination of employment.
Submit any employee-owned systems or devices that have accessed company resources to the IT department for inspection upon termination or when the system/device no longer requires this access.
Notify the IT department of all passwords, as well as the whereabouts of any confidential data and any other details that should be transferred to others upon termination of employment.
7. RESPONSIBILITIES OF THE CHIEF TECHNICAL OFFICER
The Chief Technical Officer is in charge of the information technology department and is responsible for the following:
Equipment installations, disconnections and system modifications.
Work with departmental heads to establish a standard set of access policies for different employees based on their roles and responsibilities.
Administer access controls to all company computer systems and ensure that employees are granted only the access needed to do their jobs.
Process additions, deletions, and changes of user accounts, systems, and devices.
Install and maintain appropriate anti-malware software on all systems where applicable, including workstations, servers, and mobile devices.
Respond to all malware attacks, destroy any detected malware, and document each incident.
Respond to all security breaches, whether suspected or confirmed, as well as assist and comply with any investigations, whether internal or external.
Maintain records of software licenses owned by the company.
Periodically (at least quarterly) scan company computers and systems for vulnerabilities and security threats and verify that only authorized software is installed.
Implement access and security logging on all critical systems and not tamper with or remove these logs.
Enact security systems and controls to ensure compliance with this policy.
Conduct security sweeps to ensure compliance with this policy.
Monitor backups and cloud/remote storage to ensure that confidential information is secured.
Inspect all employee-owned devices that have accessed company resources to be sure that no confidential data exists on these devices once the employee is terminated or access is no longer required.
Keep abreast of the latest security threats, engage in ongoing security training, and develop plans and processes for the organization so it can continue to operate in a secure fashion.
Provide appropriate support and guidance to help employees fulfil their responsibilities under this directive.
Conduct training for employees to keep them aware of current and upcoming security threats or factors.
Develop and maintain written standards and procedures necessary to ensure the implementation of and compliance with this policy.
8. EMPLOYEE ACCESS REVOCATION
Managers and supervisors should notify the Chief Technical Officer promptly whenever an employee leaves the company or transfers to another department so that their access can be revoked or managed. They are also to ensure the following:
That all appropriate personnel are aware of and comply with this policy.
Create appropriate performance standards, control practices, and procedures designed to provide reasonable assurance that all employees observe this policy.
Assist the Chief Technical Officer by complying with any analyses or investigations.
Notify the IT Consultants monthly of new hires, transfers, and employee terminations.
9. POLICY MONITORING AND IMPLEMENTATION
The IT department is responsible for the implementation of and adherence to this policy.
The Chief Technical Officer oversees all decisions related to the monitoring and implementation of this policy.
Any changes to this policy must be approved and implemented by the Chief Technical Officer, and any related documentation should be updated accordingly.
10. VIOLATIONS AND PENALTIES
Violations of this policy must be immediately reported to the Chief Technical Officer. Violating the policy will result in disciplinary action by the company depending on the type and severity of the violation, whether it causes any liability or loss to the company, and/or the presence of any repeated violations.
11. POLICY REVIEW
This policy is reviewed at least annually or as needed to address changes in technology, business processes, or regulatory requirements. Updates are communicated to all relevant stakeholders.
12. COMMITMENT
The company is committed to upholding this Information Security Policy and expects every employee, contractor, and third party to do the same. Security is everyone’s responsibility and essential to our continued success and reputation.
Version Number: 2
Date Issued: 29/08/2025