Diamond Bank
Business Process Assurance
Page 1 of 176

Subject: IT Policies, Procedures & Standards

August 5, 2015

Table of Contents

Document Title                                                  Document Ref. No.   No. of Pages
Internet Security Policy                                        PPS-DB-001
Technology Support - Virtual Private Network                    PPS-DB-002
E-mail Security Policy                                          PPS-DB-003
Business Application Support - Backup Policy                    PPS-DB-004          10
Technology Support - Network Operating System Maintenance       PPS-DB-005
Technology Support - Documents Rights Management                PPS-DB-006
Business Application Support - Database Policy                  PPS-DB-007          10
Business Information System - System Development Life Cycle     PPS-DB-008          10
IT Change Management Procedures                                 PPS-DB-009          11
IT Services Document Management Procedures                      PPS-DB-010
Uninterruptible Power Supply (UPS) Usage Policy                 PPS-DB-011
Software: Acceptable Use Policy                                 PPS-DB-012
Acceptable Use of Diamond Bank Systems Policy                   PPS-DB-013
Data Center Policy and Procedures                               PPS-DB-014
Information Security Policies                                   PPS-DB-015
Information Security Framework                                  ISF-DB-016
Business Continuity Planning                                    PPS-DB-017          75

Subject: Technology Support - Internet Security Policy
PPS No.: PPS-DB-001
Serial #: 240-07    Form Number: 240-007    Page #24 of 55
Revision: Complete [X]  Partial [ ]    Area corrected: Various
Issued date: October 06, 2003    Effective date: October 06, 2003
Supersedes/Replaces: N/A


I. AFFECTS:

All staff of Diamond Bank.


II. PURPOSE

The purposes of the Policy statements are:

i.   To make DB staff aware of the inherent risks of browsing web pages on the Internet.
ii.  To define the level of access to Internet resources granted to Diamond Bank Limited employees.
iii. To define security standards for all equipment connected to Diamond Bank Limited Internet services.
iv.  To provide operational guidelines for the usage of Internet services.

III. INTRODUCTION

The Internet is a worldwide collection of computer networks connecting academic, governmental, commercial and organizational sites. It provides access to communication services and information resources to millions of users around the globe. Internet services include direct communication (e-mail, chat), online conferencing (Usenet News, e-mail discussion lists), distributed information resources (World Wide Web, Gopher), remote login and file transfer (telnet, ftp), and many other valuable tools and resources. In view of the wide use of the Internet and the attendant risks, the policies and procedures in the succeeding sections shall guide the use of the Internet in the Bank.

The Internet security policies apply to all DB employees, to the Bank's vendors who use the Internet with DB computing or networking resources, and to anyone who represents themselves as being connected in one way or another with DB.
IV. POLICIES

1) All DB staff shall have access to the Internet between 6:00 p.m. and 8:00 p.m. on working week days only. However, unlimited access shall be granted to all Divisional Heads and Executive Committee members. Other employees with proven legitimate business needs may be granted similar access, subject to resource availability and the joint approval of the Divisional Head and the Head, Information Technology Group.

2) All non-text files (databases, software object code, spreadsheets, formatted word processing package files, etc.) downloaded from non-DB sources via the Internet must be screened with virus detection software before they are used. Downloaded software shall be tested on a standalone server before deployment.

3) Automatic updating of software or information whereby any vendor or third party is granted access to remotely administer any database or application code on DB computers (otherwise known as "push" Internet technology) is prohibited.


4) DB software, documentation, and all other types of internal information must not be sold or otherwise transferred to any non-DB party for any purpose.

5) Firewalls have been established to routinely prevent users from accessing certain non-business and offensive web sites. Employees who discover that they have connected or linked to sites containing sexually explicit, racist, violent or other potentially offensive material must immediately disconnect from such sites. As a guiding rule, users must not go to any site that they would not walk into physically and lay their business cards on the table.

6) To avoid libel, defamation of character and other legal issues, all Internet messages intended to harass, annoy or alarm another person are prohibited.

7) All users must realise that communications on the Internet are not automatically protected from viewing by third parties; hence caution is prescribed during Internet usage.

8) The Bank is committed to respecting user privacy. However, for regulatory, auditing, security and investigative purposes, the Administrator or a designated Inspectorate Division staff member, as approved by an Executive Committee member, reserves the right to examine electronic mail messages, files on personal computers, web browser cache files, web browser bookmarks, logs of web sites visited, and other information stored on or passing through DB computers.

9) DB employees who receive information about system vulnerabilities must not personally redistribute it. Such information most often arrives in the form of hoax chain letters requesting that the recipient send the message on to other people; instead, it should be forwarded to the ITG Helpdesk, where appropriate action shall be taken.

10) To prevent unauthorised access, users must not save passwords in their web browsers or electronic mail clients (i.e. automatic log-on); such passwords must be entered each time a browser or electronic mail client is started. Where this rule is violated, anyone with physical access to the workstation would be able to access the Internet under the user's identity as well as read and send e-mail in their name.


11) All new Internet web pages dealing with the Bank's business, and any modification to the authorised DB web pages by the Administrator or any other designated employee, must pass through the change management process. Such changes must be approved by the Divisional Head, e-Business & Consumer Product, the Heads of ITG and ICU, and the Divisional or Group Head of the Unit originating the change if different from the above.

12) The Internet user must notify the ITG Helpdesk as soon as sensitive DB information is believed to have been lost, or is suspected of being lost or disclosed to unauthorised parties. In addition, unauthorised use of DB systems, lost, stolen or disclosed passwords or other system access control mechanisms, and unusual system behaviour such as missing files, frequent system crashes or misrouted messages must be reported immediately to the ITG Helpdesk. The specifics of such security problems should not be discussed widely but should instead be shared on a need-to-know basis.

13) All users must exercise caution in the use of Internet-supplied information for business decision-making purposes. Some Internet information may be outdated, unreliable or inaccurate, and in some instances even deliberately misleading. Users are advised to verify the information by consulting other sources.

14) Only designated spokesperson(s) of the Bank are allowed to disclose their affiliation with the Bank over the Internet. Where non-designated staff nevertheless choose to do so, they must ensure that any opinions expressed are clearly shown to be their personal opinions.

15) All staff, contractors or third-party employees given permission to use the DB Internet are required to comply fully with the policies contained herein. Violation of any part of these policies will result in disciplinary action up to and including termination of employment (in the case of staff) and review of relationships (in the case of third parties).


V. ROLES AND RESPONSIBILITIES

Information Technology Group


ITG shall be responsible for the following functions:


a. Provide technical guidance on Internet use and security to all DB staff.
b. Provide administrative support and technical guidance to management on matters related to Internet security.
c. The System Administrator shall routinely log web sites visited, files downloaded, time spent on the Internet and related information.
d. The Internet Administrator shall install a protective shield (capable of scanning all traffic between the Bank's network and the Internet) at the proxy server to scan all web pages, e-mails and attachments entering the Bank's network.
e. The Internet Administrator shall install a VeriSign-issued 128-bit Secure Sockets Layer (SSL) certificate on the web server to secure the web site.
f. The Internet Administrator shall investigate all reported cases of usage problems such as loss of sensitive DB information, disclosure to unauthorised parties, unauthorised use of DB systems, lost, stolen or disclosed passwords or other system access control mechanisms, missing files, frequent system crashes, misrouted messages, etc.
g. The Internet Administrator shall administer these policies; questions about the policies may therefore be directed to the Administrator.


Subject: Technology Support - Virtual Private Network
PPS No.: PPS-DB-002
Serial #: 240-08    Form Number: 240-008    Page #28 of 55
Revision: Complete [X]  Partial [ ]    Area corrected: Various
Issued date: October 04, 2007    Effective date: October 04, 2007
Supersedes/Replaces: N/A


I. AFFECTS:
All staff

II. PURPOSE
This document provides a set of guidelines for Remote Access Virtual Private Network (VPN) connections to the Diamond Bank trusted corporate network.

III. INTRODUCTION
The rapid transformation in Information Technology and Telecommunications has broken the barrier between geographically dispersed locations, typically by leveraging the public Internet to securely extend the computing capabilities of a business home network and allow users to share information privately between remote locations, or between a remote location and the business home network. In order to tap into this revolution, Diamond Bank is providing a remote access Virtual Private Network (VPN) service to allow authorized users to conduct their official duties from anywhere in the world.

The VPN is a channel that provides secure information transport by authenticating users and encrypting the data connection to the Bank's trusted network. It is worth noting that the VPN does not by itself provide Internet connectivity: users are responsible for providing their own Internet service in order to use the VPN service. The policies detailed in this document shall serve as the standard guideline for the implementation of the service.

IV. SCOPE
This policy applies to all employees, contractors, consultants, temporaries and other workers, including all personnel affiliated with third parties, utilizing VPN access to the Bank's network. It applies to all VPN implementations that are directed through any type of VPN concentrator.

V. OVERVIEW
The VPN allows users at remote locations to access services and applications available only on the Diamond Bank network. By accessing the Bank's network through the VPN, the user bypasses the perimeter security measures designed to protect the network from viruses, hackers and other threats on the Internet. Therefore, users who require a VPN must accept the responsibility of ensuring that the computer they will use is secure.

Approved employees of the Bank as well as authorized third parties (including but not limited to contractors/vendors, consultants, associate staff, temporaries and other workers, including all personnel affiliated with third parties) may utilize the VPN, which is a "user managed" service. This means that the user is responsible for selecting an Internet Service Provider (ISP), coordinating installation, installing any required software, and paying associated fees. Further details may be found in the Remote Access Policy.


VI. POLICIES
1. AGMs and above shall have automatic access to the VPN service. All other staff whose job functions require such access (except staff of IT Services) shall require their Divisional Head's approval. In addition, the approval of the Head, Customer Services and Technology shall be required to maintain the staff profile in the system.
2. Staff of IT Services who require a remote access connection to carry out their duties shall be granted access to the VPN service upon the sole approval of the Head, IT Services.
3. VPN gateways will be set up and managed by IT Services.
4. It is the responsibility of users with VPN privileges to ensure that unauthorized persons are not allowed access to the DB Plc network.
5. VPN use shall be controlled using either one-time password authentication, such as a token device, or a public/private key system with a strong passphrase.
6. When actively connected to the corporate network, the VPN client will force all traffic to and from the PC over the VPN tunnel; all other traffic will be dropped.
7. Dual (split) tunnelling is NOT permitted; only one network connection per user is allowed.
8. All computers connected to the Bank's internal networks via VPN or any other technology must use the most up-to-date anti-virus software of the Bank's standard; this includes personal computers.
9. VPN users shall be automatically disconnected from DB Plc's network after ten minutes of inactivity or a total connection time of 8 hours in one session. The user must then log on again to reconnect to the network. Pings or other artificial network processes are not to be used to keep the connection open.
10. Only VPN client software that is approved and/or distributed by the Head, IT Services shall be used to connect to the Bank's VPN concentrators.


11. Approved users' laptops will be configured with the VPN client software by designated personnel at IT Services.
12. Users of computers that are not owned by the Bank must have their equipment configured by IT Services personnel to comply with the Bank's VPN and Network policies.
13. Use of the VPN signifies your acceptance of and compliance with all other related policies of the Bank.
14. By using VPN technology with personal equipment, users must understand that their machines are a de facto extension of the Bank's network, and as such are subject to the same rules and regulations that apply to Bank-owned equipment, i.e. their machines must be configured to comply with the Bank's Information Security and other IT Policies.
15. Theft or loss of any computer with a VPN client configured on it must be reported immediately to IT Services via the Service Desk.
16. The VPN may be used only for official, Bank-related work. You must disconnect the VPN before attempting any non-Bank-related activity from your computer.

ENFORCEMENT
17. Any user found to have violated this policy may be subject to loss of privileges or services, including but not necessarily limited to loss of VPN services.
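Policy 9 above (ten-minute idle timeout, eight-hour session cap, no artificial keep-alive traffic) is a control that can be verified against the concentrator's own session log rather than taken on trust. The Python below is an added example, not part of this policy document or of the Bank's tooling: it assumes a simplified log format of one event per line ("timestamp user connect|traffic bytes|disconnect") and uses constructed sample sessions. It reconstructs when a compliant concentrator should have dropped each session and flags sessions that outlived the idle or total limits, plus sessions showing the steady trickle of tiny packets just under the idle threshold that a keep-alive script produces.

```python
"""Audit remote-access VPN sessions against policy 9 of PPS-DB-002:
ten-minute idle timeout, eight-hour session cap, no artificial keep-alives.

Added example; not part of the policy or of the Bank's tooling. The log
format ("<ISO timestamp> <user> connect|traffic <bytes>|disconnect") and the
sample sessions are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

IDLE_LIMIT = timedelta(minutes=10)
SESSION_LIMIT = timedelta(hours=8)


def parse_sessions(lines):
    """Group events into {user: (start, end_or_None, [(timestamp, bytes)])}.

    One session per user is assumed, as the policy allows only one
    connection per user."""
    sessions, activity = {}, defaultdict(list)
    for line in lines:
        ts_text, user, event, *rest = line.split()
        ts = datetime.fromisoformat(ts_text)
        if event == "connect":
            sessions[user] = [ts, None]
        elif event == "disconnect" and user in sessions:
            sessions[user][1] = ts
        elif event == "traffic":
            activity[user].append((ts, int(rest[0])))
    return {u: (s, e, sorted(activity[u])) for u, (s, e) in sessions.items()}


def expected_cutoff(start, activity):
    """When a concentrator enforcing policy 9 would have dropped the session."""
    hard_stop = start + SESSION_LIMIT
    last = start
    for ts, _ in activity:
        if ts > hard_stop:
            break
        if ts - last > IDLE_LIMIT:      # first idle gap longer than allowed
            return last + IDLE_LIMIT
        last = ts
    return min(hard_stop, last + IDLE_LIMIT)


def looks_like_keepalive(activity, max_bytes=256, min_samples=6):
    """Tiny packets at a near-constant interval just under the idle limit."""
    small = [ts for ts, nbytes in activity if nbytes <= max_bytes]
    if len(small) < min_samples:
        return False
    gaps = [(b - a).total_seconds() for a, b in zip(small, small[1:])]
    mean, idle = sum(gaps) / len(gaps), IDLE_LIMIT.total_seconds()
    return 0.5 * idle <= mean < idle and max(gaps) - min(gaps) <= 30


def audit(lines):
    """Return {user: [finding, ...]} for every session that breached policy 9."""
    findings = defaultdict(list)
    for user, (start, end, activity) in parse_sessions(lines).items():
        if end is None:
            continue                    # still connected; judge it later
        if end - start > SESSION_LIMIT:
            findings[user].append("exceeded 8-hour session cap")
        elif end > expected_cutoff(start, activity) + timedelta(minutes=1):
            findings[user].append("outlived the 10-minute idle timeout")
        if looks_like_keepalive(activity):
            findings[user].append("keep-alive traffic pattern")
    return dict(findings)


# --- constructed sample log -------------------------------------------------
T0 = datetime(2015, 8, 5, 8, 0, 0)


def _at(minutes):
    return (T0 + timedelta(minutes=minutes)).isoformat()


def _steady(user, every_min, count, nbytes):
    return [f"{_at(i * every_min)} {user} traffic {nbytes}" for i in range(1, count + 1)]


SAMPLE_LOG = (
    # alice: normal work, dropped within the idle window -> compliant
    [f"{_at(0)} alice connect", f"{_at(5)} alice traffic 50000",
     f"{_at(12)} alice traffic 20000", f"{_at(20)} alice disconnect"]
    # bob: genuine traffic every 5 min, but the session ran 9 hours
    + [f"{_at(0)} bob connect"] + _steady("bob", 5, 108, 4096)
    + [f"{_at(540)} bob disconnect"]
    # carol: 64-byte probes every 9 minutes for 3 hours, i.e. a keep-alive
    + [f"{_at(0)} carol connect"] + _steady("carol", 9, 20, 64)
    + [f"{_at(181)} carol disconnect"]
    # dave: 27 idle minutes, yet never disconnected
    + [f"{_at(0)} dave connect", f"{_at(3)} dave traffic 30000",
       f"{_at(30)} dave traffic 12000", f"{_at(31)} dave disconnect"]
)

if __name__ == "__main__":
    for user, notes in sorted(audit(SAMPLE_LOG).items()):
        print(f"{user}: {'; '.join(notes)}")
```

The idle finding is the one that matters operationally: a session that lived through a gap longer than ten minutes means the concentrator's timeout is not configured as the policy requires, whereas the keep-alive heuristic points at a user working around a timeout that is configured. The one-minute tolerance on the idle cutoff absorbs clock skew between the log source and the concentrator; tighten it if both timestamps come from the same device.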

Subject: Technology Support - E-mail Security Policy
PPS No.: PPS-DB-003
Serial #: 240-06    Form Number: 240-006    Page #18 of 19
Revision: Complete [X]  Partial [ ]    Area corrected: Various
Issued date: October 06, 2003    Effective date: October 06, 2003
Supersedes/Replaces: N/A

I. AFFECTS:
All staff of Diamond Bank

II. PURPOSE
The purposes of the Policy statements are:
i.   To provide specific instructions on the ways to secure electronic mail resident on personal computers and servers.
ii.  To ensure that staff can trust the integrity of mail.
iii. To ensure that disruptions of e-mail and other services and activities are minimized; and
iv.  To inform users of e-mail services how the concepts of privacy and security policy apply to e-mail.

III. INTRODUCTION
E-mail (electronic mail) is, simply put, the transmission of computer-based messages over telecommunication technology. This can be communication within the DB network or with others outside the DB network.

The e-mail security policies apply to all DB employees and, in some instances, to the Bank's vendors who use e-mail located on personal computers and servers under the jurisdiction and/or ownership of DB.


IV. POLICIES
a) All DB staff shall be created on the Bank's network and by extension will have an e-mail account. However, the ability to use e-mail for communication with parties outside the DB network shall be restricted to staff on the grade of Assistant Manager (AM) and above. Employees below the AM grade but with proven legitimate business needs for such access may be so created, subject to the joint approval of the staff member's Divisional Head and the Head, ITG.

b) Outbound e-mail through the DB network must generally be used only for business activities. Users are prohibited from using Diamond Bank Limited e-mail for private business activities or for amusement/entertainment purposes. However, where personal use of e-mail is to be made, the user must ensure that:
   i.   It does not consume more than a trivial amount of resources.
   ii.  It does not interfere with his/her productivity.
   iii. It does not pre-empt any business activity.

c) Users are responsible and liable for all messages sent from their e-mail accounts. E-mail accounts are to be used only by the authorized owner of the account name. Account owners shall be held responsible for all activities performed through their account.

d) Users' privileges on e-mail communication systems shall be assigned to grant only the capabilities necessary to perform a job. The privilege to send emergency mail, regular system maintenance notices and broadcasts to groups such as All Diamond Bank Limited Staff, Divisional Heads, Exec Office, ALCO, etc. shall be restricted to the System Administrator and Divisional Heads.


e) E-mail accounts put to improper use, or not used for sixty consecutive days, will be disabled, while the e-mail accounts of disengaged staff will be deleted upon notification from Human Capital Management.

f) Users must employ only the authorized DB electronic mail system (diamondbank.com) for official or business communications. The use of personal electronic mail accounts (such as Hotmail, Yahoo, MSN, etc.) with an Internet Service Provider (ISP) or any other third party for any DB business messages is therefore prohibited.

g) The Bank is committed to respecting user privacy. However, for regulatory, auditing, security and investigative purposes, the Administrator or a designated Inspectorate staff member, as approved by Executive Committee member(s), reserves the right to monitor the use and content of electronic mail messages. Users are therefore expected to structure their electronic mail in recognition of this.

h) All users must realise that electronic mail may be forwarded, intercepted, printed and stored by others (intended or unintended); hence caution is prescribed during usage. Similarly, users must note that where information is intended for specific individuals, it may be inappropriate for general consumption; messages must therefore be forwarded with the utmost care. In addition, DB sensitive information must not be forwarded to any party outside DB without the prior approval of an EXCO member.

i) All e-mail attachments should be scanned with an authorized virus detection software package before being opened or executed. Unexpected attachments received from third parties should be viewed with suspicion, even if the third party is known and trusted. Users must also ensure that the virus checker on their PC is functional and up to date.

j) Users must not use obscenities or derogatory remarks in electronic mail messages discussing employees, customers, competitors or others. The e-mail system must not be used for the exercise of workers' right to free speech or as an open forum to discuss DB organizational changes or business policy matters. Likewise, sexual, ethnic, religious and racial harassment is strictly prohibited. Any staff member who receives offensive unsolicited material from outside sources must not forward or redistribute it to either internal or external parties (unless it is to Human Capital Management in order to assist with the investigation of a complaint). As a matter of standard business practice, all DB electronic mail communication must be consistent with conventional standards of ethical conduct.


k) The user must notify the ITG Helpdesk as soon as sensitive DB information is believed to have been lost, or is suspected of being lost or disclosed to unauthorised parties. In addition, unauthorised use of DB information systems, lost, stolen or disclosed passwords or other system access control mechanisms, and unusual system behaviour such as missing files, frequent system crashes or misrouted messages must be reported immediately to the ITG Helpdesk. The specifics of such security problems should not be discussed widely but should instead be shared on a need-to-know basis.

l) Users are prohibited from "mail bombing" other users (that is, sending a large number of messages in order to overload a server or a user's electronic mailbox) in retaliation for any perceived wrong. Unsolicited electronic mail (so-called "spam") from a particular organisation, e-mail address or user should be reported to the ITG Helpdesk immediately for appropriate action.

m) While DB encourages the business use of electronic communications (voice mail, e-mail and fax) as a productivity enhancement tool, e-mail and all messages generated on or handled by electronic mail systems, including back-up copies, are considered to be the property of Diamond Bank Limited and not the property of the users of the electronic mail services.

n) External contracts or official documents formed through electronic offer and acceptance messages (fax, electronic document imaging, electronic mail, etc.) shall not be binding on DB until such documents have been formalized, confirmed and signed via paper documents within two weeks of acceptance. In addition, staff must not employ scanned versions of hand-rendered signatures to give the impression that an electronic mail message or other electronic communication was signed by the sender. This is to prevent identity theft and other types of fraud.

o) Users must not transmit copyrighted materials without the permission of an EXCO member.

p) Due to capacity limitations at the mail server, users are required to create personal folders on their PCs. These personal folders are to be archived on a monthly basis.

q) All staff, contractors or third-party employees given permission to use DB e-mail are required to comply fully with the policies contained herein. Violation of any part of these policies will result in disciplinary action up to and including termination of employment (in the case of staff) and review of relationships (in the case of third parties).


V. ROLES AND RESPONSIBILITIES

1. Information Technology Group

ITG shall be responsible for the following functions:


i.   ITG shall provide technical guidance on e-mail security to all DB staff.
ii.  ITG shall also provide administrative support and technical guidance to management on matters related to e-mail.
iii. The E-mail Administrator shall assign unique user names to staff for access to the e-mail system. The format of the e-mail address shall be the first-name initial followed by the surname; where that address is not unique, the middle-name initial followed by the surname shall be used. Job titles shall not be displayed along with the user name.
iv.  The Anti-virus Administrator shall send out information whenever there is an anti-virus update, in line with the DB anti-virus policy administered by ITG.
v.   The E-mail Administrator shall investigate all reported cases of usage problems such as loss of sensitive DB information, disclosure to unauthorised parties, unauthorised use of DB systems, lost, stolen or disclosed passwords or other system access control mechanisms, missing files, frequent system crashes, misrouted messages, etc.
vi.  The E-mail Administrator shall ensure that the following message is inserted at the foot of all outbound external e-mails:

     The information contained in and transmitted by this e-mail is proprietary to Diamond Bank Limited and/or its Customer and is intended for use only by the individual or entity to which it is addressed, and may contain information that is privileged, confidential or exempt from disclosure under applicable law. If this is a forwarded message, the content of this e-mail may not have been sent with the authority of the Bank. Diamond Bank Limited shall not be liable for any mail sent without due authorisation or through unauthorised access. If you are not the intended recipient, an agent of the intended recipient or a person responsible for delivering the information to the named recipient, you are notified that any use, distribution, transmission, printing, copying or dissemination of this information in any way or in any manner is strictly prohibited. If you have received this communication in error, please delete this mail and notify us immediately at info@diamondbank.com.

vii. The E-mail Administrator is responsible for the administration of this Policy; questions about this policy may therefore be directed to the E-mail Administrator.

2. DB supervisors shall ensure that employees under their supervision implement the e-mail security measures defined in this document.

3. The Corporate Affairs Unit shall be responsible for managing the info@diamondbank.com e-mail account.

4. Human Capital Management shall notify ITG of any change in an employee's status.


Subject: Business Application Support - Backup Policy
PPS No.: PPS-DB-004
Serial #: 000 000/01    Page #1 of 11
Revision: Complete [ ]  Partial [ ]    Area corrected: N/A
Issued date: 31 August 2009    Revision date: 31 August 2009
Supersedes/Replaces: N/A


I. AFFECTS
All staff of Diamond Bank Plc and its subsidiaries.

II. PURPOSE
To establish guidelines for the backup of IT Services infrastructure throughout the Bank.

III. INTRODUCTION
The aim of this backup policy is to ensure that all IT Services infrastructure hosting mission-critical applications (i.e. those with zero tolerable downtime) such as Flexcube, ATM, DBPool, Diamondonline and the like has up-to-date and adequate backups to mitigate disasters or to recover historical information. This infrastructure includes operating systems, applications, databases, system configurations and any other files and documents. The main objective of the backup procedure is to ensure that files and directories can be recovered in case of corruption or system failure.

IV. POLICIES

1. Only authorized IT Services staff shall be allowed to back up critical applications.
2. Any change to a database or file shall necessitate a backup of the change by the Database Administrator or the Application Administrator.
3. A full system backup of all application and database servers shall be performed once every quarter by the Database Administrator or Application Administrator to ensure the Bank has a reference point for recovery when necessary.
4. Each Application Administrator shall maintain a logbook for recording all application backups under their custody, and these logbooks shall be kept with the librarian.
5. No backup tape shall be re-used more than 30 times in its life span.
6. Duplicate copies of all End of Day (EOD) and off-cycle backups shall be moved to the off-site storage location by the software librarian on the next working day following the backup date.


V. GENERAL PROCEDURES

1. Backup Type:

This refers to the target data to be backed up and the combination of backup types that may be needed to quickly recover the system and its operation. The following types of backup shall be carried out:

Full System Backup: The full system backup makes a copy of the system files, including the system software, utilities, application software and data. Since this process takes a considerable time to complete, it shall be performed quarterly or whenever a major change is made to the system. The backup tapes shall then be tested by the Application Administrator for readability after each backup.

File System Backup: A backup of whole file systems, as distinct from the backup of individual files or directories described below.

End of Day Backup: The backup of the data, data tables and files of a database taken at the end of each day. The backup contains both historic and new data for each day.

Database Backup: This uses Microsoft SQL Server or Oracle backup commands to back up the respective databases. In an Oracle database, database objects are exported to files, while Microsoft SQL Server utilizes the backup scripts in the application. This may be daily or monthly depending on the criticality of the application and the frequency of change.

File/Directory Backup: The backup of application and user-created files and/or directories. They include image files, application files, reports, etc.

Archive Logs: Backups of the proprietary Oracle archive log (archived redo log) files.

Snapshots: A snapshot or business copy, as the name implies, is a process whereby an image of the Oracle database is taken at preset intervals or is manually initiated.

Swap: All critical servers and their backup servers shall be rotated on a weekly basis, according to a schedule to be approved by the Ag. Div. Head, IT Services. The format of this schedule is as highlighted in the attached appendix.

Clone: The process of making a copy of an existing mission-critical application, whenever there is a major change on that system, into a compressed image file that is restorable.

RMAN: Oracle Recovery Manager (RMAN), a command-line and Enterprise Manager-based tool, is the Oracle-preferred method for efficiently backing up and recovering an Oracle database.


2. Backup Frequency:

This refers to how often a backup is taken, which is determined by
the frequency of change to the data, the criticality of the data
and the need to retrieve the data.

Any change to a database or file shall require a backup of the
change by the Database Administrator or the Application
Administrator, as the case may be.

If the changes are application specific, backups shall be taken by
the Application Administrator as frequently as the changes occur.

A Full System Backup of all application and database servers shall
be taken once every quarter by the DBA or Application Administrator
to ensure the bank has a reference point for recovery when
necessary.

All critical servers shall be configured in a load balancing
architecture, and the Application Administrator shall ensure that
all servers in the load balancing configuration are kept in sync at
all times for business continuity.

Please refer to the attached schedule for the backup frequency of
IT infrastructure. This will be updated from time to time.


3. Back-up Media Labeling:

The acceptable backup media to be used in the bank are Ultrium
tapes, CD-ROM, DDS/DAT tapes, DLT tapes, USB drives and hard drives.

DDS/DAT tapes, DLT tapes and CD-ROMs shall be identified by the
following fields:

BACKUP TITLE
BACKUP TYPE
BACKUP DATE
BACKUP SET
BACKUP SEQUENCE
BAR CODE

a. Where DDS, DAT or DLT tapes are used, the DBA or Application
Administrator shall label the tape using the format below:
1. BACKUP TITLE (e.g. FCAT_DB, ECPIX, SWIFT, etc.)
2. BACKUP TYPE:
   FULL SYSTEM BACKUP, abbreviated to FSBK
   APPLICATION BACKUP, abbreviated to ABK
   DATABASE BACKUP, abbreviated to DBBK
3. BACKUP DATE: DD/MM/YY
4. BACKUP SET (SET1 for on-site and SET2 for off-site)
5. BACKUP SEQUENCE: 1 of X, 2 of X, ... (where X is the total
number of tapes used)
b. Where Snapshot or RMAN backups are taken using Data Protector,
the System Administrator shall affix the bar code label to the
Ultrium tape before loading it into the tape library. The library
scans the bar code, which is also used to generate the catalogue,
and a log of the tape contents is saved.
4. Backup Logs:

Each Application Administrator shall maintain a logbook for
recording all application backups under their custody, and these
logbooks shall be kept with the Librarian. Any backup taken must be
registered in the appropriate backup logbook by the Application
Administrator or his designate and submitted to the Librarian the
same day.

These logbooks shall be kept in the transit safe in IT Services and
shall be reviewed by the Librarian daily. The Librarian shall
prepare an exception report of any missing application backup,
which shall be reviewed by the Strategic and Security Controls
personnel before the affected unit is notified.

The log must capture the following details:
Backup Title
Backup Type
Backup Date
Backup Administrator
Signature
Backup checked/verified by
Remark


The System Administrator shall generate the backup logs for all Snapshot and
RMAN backups taken on the Data Protector Cell Manager. This will be
reviewed and filed by the Librarian daily.
5. On-site back-up media storage

The on-site storage location is at the Head Office. The fireproof
data safe located in the IT Services office on the ground floor of
the Head Office holds all backup media; access to it is via a manual
key lock.

Two sets of backups must be taken as a matter of policy, except
where a formal waiver is granted by the Group Head/Ag. Div Head, IT
Services in unavoidable circumstances. One set of the backup media
must be received into the library at the time set out in the
attached schedule. The Librarian shall ensure that all tape
movements in and out of the on-site storage are properly logged in
the on-site/off-site tape movement log.

Access to the main on-site safe is via a manual lock key. One key
shall be kept by the Librarian, while copies shall be kept in a
designated location in line with the bank's disaster recovery plan.
Only the software librarian or his backup shall have access to this
safe unless otherwise authorised by the Ag. Div Head, IT Services.

6. Transit Media Storage

EOD (including off-cycle) backup tapes and logbooks shall be kept in
the transit fireproof data safe located in the IT Services main
office. This transit safe shall be under the custody of the
Librarian but shall be accessible to any IT Services staff for
storing and logging any backup taken. The Librarian shall move these
tapes daily to the on-site or off-site storage areas.

7. Application Software CDs

The Librarian shall keep the original copies of all application CDs
in the secondary on-site safe, while duplicates shall be retained in
the primary on-site safe. The Librarian shall maintain a CD request
logbook for recording any request for such media by IT Services
staff. Only duplicates of the application CDs shall be available for
borrowing; the originals shall be kept permanently in the secondary
on-site safe.

The CD request logbook must capture the following details:
Date Borrowed
Description
Quantity
Borrower
Unit/Department
Signature
Date Returned
Librarian's Remark
Borrower's Sign-off
Librarian's Sign-off

8. Requests for Media

Staff requesting blank CDs, tapes, etc. shall obtain approval from
their supervisor and forward the request to the Librarian for
action. The Librarian shall escalate the request to the Head, BAS


or his designate for approval before processing. Once the Head of
BAS approves the request, the staff shall receive the media not
later than one hour after approval is granted.

The Librarian shall review the re-order level weekly and request
CDs from Admin Services where necessary.
9. Off-site back-up media storage

Duplicate copies of all EOD and off-cycle backups shall be moved to
the off-site storage location by the software librarian on the next
working day following the backup date. Details of these tapes shall
be logged in the on-site/off-site tape movement register by the
Librarian, and the tapes kept in the fireproof data safe at the
off-site location. Similarly, the Librarian shall retrieve all
expired tapes from the off-site safe for re-use. The backup media
shall be transported to the off-site location in a secure, unmarked
and environmentally sound box or bag, using the pool car attached to
IT Services. As far as is practicable the media must not be carried
on public transport; in exceptional circumstances the Ag. Div Head,
IT Services may approve the use of other forms of transportation.
Access to the off-site safe is via a manual lock key. One key is
locked up in the on-site safe, while copies shall be kept in a
designated location in line with the bank's disaster recovery plan.
Only the software librarian or his backup shall have access to this
safe unless otherwise authorised by the Ag. Div Head, IT Services.

10. Backup Tape Retention Period:

The retention period is determined by the frequency of reference to,
or the possible need for, the archived data (see the attached
schedule for the applicable recycle frequency).
No tape shall be re-used more than 30 times.
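As an added example (not part of the bank's policy or its tooling), the following Python script performs the Librarian's daily exception check from section 4 against constructed logbook entries: it parses tape labels written in the section 3 field order, reports titles whose latest registered backup is older than the plan frequency allows, flags backup sets in which a tape "n of X" was never registered, and flags tapes re-used beyond the 30-use limit in section 10. The " | " field separator, the day-count mapping of the frequency words, the sample plan extract, logbook entries and bar-code use counts are all assumptions made for this example.

```python
"""Daily backup-register exception check.

Added example, not part of the bank's policy or tooling. It assumes:
  * tape labels carry the section 3 fields in order, separated by " | "
    (the policy lists the fields but no separator);
  * frequency words map to the maximum acceptable gap in days shown below
    ("Bi-Monthly" is ambiguous in the policy and is deliberately not mapped);
  * the plan extract, logbook entries and bar-code use counts below are
    constructed sample data.
"""
import re
from collections import defaultdict
from datetime import date, datetime

FREQUENCY_DAYS = {"Daily": 1, "Weekly": 7, "Monthly": 31, "Quarterly": 92}

# TITLE | TYPE | DD/MM/YY | SET1-or-SET2 | n of X   (assumed separator " | ")
LABEL_RE = re.compile(
    r"^(?P<title>[A-Z0-9_]+) \| (?P<type>FSBK|ABK|DBBK) \| "
    r"(?P<date>\d{2}/\d{2}/\d{2}) \| (?P<set>SET[12]) \| "
    r"(?P<seq>\d+) of (?P<total>\d+)$"
)


def parse_label(label):
    """Split one tape label into its fields; reject anything off-format."""
    m = LABEL_RE.match(label)
    if not m:
        raise ValueError(f"label does not follow the section 3 format: {label!r}")
    f = m.groupdict()
    return {
        "title": f["title"],
        "type": f["type"],
        "date": datetime.strptime(f["date"], "%d/%m/%y").date(),
        "set": f["set"],
        "seq": int(f["seq"]),
        "total": int(f["total"]),
    }


def missing_backups(plan, register, as_of):
    """Titles whose newest registered backup is older than the plan allows.

    Returns {title: days overdue}; a title with no entry at all maps to None.
    """
    latest = {}
    for e in register:
        if e["title"] not in latest or e["date"] > latest[e["title"]]:
            latest[e["title"]] = e["date"]
    exceptions = {}
    for title, freq in plan.items():
        allowed = FREQUENCY_DAYS[freq]
        if title not in latest:
            exceptions[title] = None
        elif (as_of - latest[title]).days > allowed:
            exceptions[title] = (as_of - latest[title]).days - allowed
    return exceptions


def incomplete_sets(register):
    """(title, date, set) groups where some 'n of X' tape was never registered."""
    seen, totals = defaultdict(set), {}
    for e in register:
        key = (e["title"], e["date"], e["set"])
        seen[key].add(e["seq"])
        totals[key] = e["total"]
    return sorted(k for k in seen if seen[k] != set(range(1, totals[k] + 1)))


def overused_tapes(use_counts, limit=30):
    """Bar codes whose re-use count exceeds the section 10 limit."""
    return sorted(code for code, n in use_counts.items() if n > limit)


# Constructed sample data: an extract of the plan and one logbook page.
PLAN = {"FCAT_DB": "Daily", "PCTEL_DB": "Weekly", "SWIFT": "Daily", "ECPIX": "Daily"}
REGISTER_LABELS = [
    "FCAT_DB | DBBK | 03/08/15 | SET1 | 1 of 2",
    "FCAT_DB | DBBK | 03/08/15 | SET1 | 2 of 2",
    "FCAT_DB | DBBK | 04/08/15 | SET1 | 1 of 2",   # tape 2 of 2 never logged
    "PCTEL_DB | DBBK | 27/07/15 | SET1 | 1 of 1",  # weekly backup now overdue
    "SWIFT | ABK | 01/08/15 | SET1 | 1 of 1",      # daily backup now overdue
]
TAPE_USE_COUNTS = {"BC0001": 31, "BC0002": 12}


def run_daily_review(as_of=date(2015, 8, 5)):
    """The Librarian's exception report for one day, as a dict."""
    register = [parse_label(label) for label in REGISTER_LABELS]
    return {
        "missing": missing_backups(PLAN, register, as_of),
        "incomplete": incomplete_sets(register),
        "overused": overused_tapes(TAPE_USE_COUNTS),
    }


if __name__ == "__main__":
    for section, findings in run_daily_review().items():
        print(f"{section}: {findings}")
```

Run as a script to print the three exception lists; in practice the register would be read from the logbook transcription or the Data Protector log export rather than from the inline list, and a malformed label is rejected outright so that a mislabelled tape shows up as an error rather than silently passing the review.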
11. Mock Restoration / Server Swap

Mock restorations of the backed-up data shall be performed at
periodic intervals to confirm that the data on the media is
readable. For servers with a dedicated backup machine, the tape
shall be restored onto the backup machine as soon as the backup is
taken; this is the point at which the backup tape is tested. The
backup server, which must always be in sync with the live server,
shall additionally be tested in live operation for one week every
quarter. For servers without a dedicated backup machine, the "verify
backup" option must be enabled so that the tape drive verifies what
has been written to the tape, and a readability test shall be
performed by opening at least one file on completion of the backup.
Where a tape is unreadable, the backup shall be re-performed. Each
test restoration shall be logged in the backup logbook.
VI. ROLES AND RESPONSIBILITIES

i. The Backup Administrators shall ensure that all backups relating to their
job functions are duly completed in line with the backup plan.
ii. The Librarian shall perform a daily review of the backup register to
ensure completeness and accuracy of backups.
iii. The Librarian shall perform a daily review of the backup tapes stored
on-site and off-site (i.e. daily backup tapes) to ensure appropriate
labelling and completeness of contents.
iv. The Librarian shall ensure that all tape movements in and out of the
on-site/off-site media storage are properly logged in the on-site/off-site
tape movement log.
v. The Policy, Standard Governance personnel shall perform a monthly review
of the backup register and system-generated backup logs to verify consistent
performance of backups, and sign off on the register to evidence the review.
vi. The Policy, Standard Governance personnel, in conjunction with the
System Administrator(s), shall perform backup restoration tests based on the
restoration plan.
vii. The Policy, Standard Governance personnel shall perform a monthly
review of the on-site/off-site tape movement register for propriety.


APPENDIX A - BACKUP PLAN

APPLICATION                             | TYPE OF BACKUP        | BACKUP TITLE                | FREQUENCY    | RETENTION  | RESPONSIBILITY
INTERNET BANKING APPLICATION (FCAT_APP) | Full System           | FCAT_APP                    | Bi-Monthly   | Yearly     | IT Operations
INTERNET BANKING DATABASE (FCAT_DB)     | Snapshot / RMAN       | FCAT_DB                     | Daily        | Bi-Monthly | IT Operations
INTERNET BANKING WEB SERVER (FCAT_WEB)  | Full System           | FCAT_WEB                    | Bi-Monthly   | Yearly     | IT Operations
PC/TELE-BANKING                         | Database              | PCTEL_DB                    | Weekly       | Quarterly  | IT Operations
PC/TELE-BANKING SERVER                  | Full System           | PCTEL_APP                   | Bi-Monthly   | Yearly     | IT Operations
MOBILE BANKING SERVER                   | Full System           | SMSBNK_APP                  | Bi-Monthly   | Yearly     | IT Operations
MOBILE BANKING                          | Database              | SMSBNK_DB                   | Weekly       | Quarterly  | IT Operations
WESTERN UNION SERVER                    | Full System           | WU_APP                      | Quarterly    | Yearly     | IT Operations
WESTERN UNION                           | Database              | WU_DB                       | Weekly       | Quarterly  | IT Operations
ATM                                     | Database              | ATM                         | Daily        | Weekly     | IT Operations
CARDWORLD                               | Database              | CARDSOFT                    | Daily        | Monthly    | IT Operations
VPAY                                    | Database              | CARDPRO                     | Daily        | Monthly    | IT Operations
FLEXCUBE DATABASE                       | Snapshot / RMAN       | FCR / FCC                   | Daily        | Bi-Monthly | IT Operations
FLEXCUBE DATABASE (ARCHIVELOG)          | Archive log           | FCR_ARCH/FCC_ARCH/FCAT_ARCH | Daily        | Bi-Annual  | IT Operations
SWIFT                                   | Database              | SWIFT                       | Daily        | Weekly     | IT Operations
ECPIX SERVER                            | Full System/Database  | ECPIX                       | Daily        | Monthly    | IT Operations
KD SERVER                               | Full System/Database  | KD                          | Daily        | Monthly    | IT Operations
XCEED                                   | Database              | XCEED                       | Daily        | Monthly    | IT Operations
FIXED ASSET / INVENTORY                 | Full System/Database  | FIXED_ASSET                 | Weekly       | Monthly    | IT Operations
ZYIMAGE                                 | Full System           | ZYIMAGE                     | Weekly       | Monthly    | IT Operations
SERVICE DESK                            | Database              | SDESK                       | Daily        | Weekly     | IT Operations
ECALLOVER                               | Full System           | ECALL                       | Daily        | Monthly    | IT Operations
EFASS APPLICATION                       | Database              | EFASS                       | Daily/Weekly | Monthly    | IT Operations
TRADETRACKER                            | Database              | TRADETRACK                  | Daily        | Monthly    | IT Operations
RTGS                                    | Database              | RTGS                        | Weekly       | Monthly    | IT Operations
SERVER-016                              | Database              | BR016_DB                    | Daily        | Monthly    | IT Operations
HP UNIX SERVER                          | File System           | DIAM X                      | Weekly       | 2 Weeks    | IT Operations
EXCHANGESVR01 (EXCHANGE SERVER)         | Full Online           | EXCHANGESVR01               | Daily        | Quarterly  | IT Operations
EXCHANGESVR02 (EXCHANGE SERVER)         | Full Online           | EXCHANGESVR02               | Daily        | Monthly    | IT Operations
EXCHANGESVR03 (EXCHANGE SERVER)         | Full Online           | EXCHANGESVR02               | Daily        | Monthly    | IT Operations
DIAM21 (PRIMARY DOMAIN CONTROLLER)      | System State          | DC                          | Quarterly    | Quarterly  | IT Operations
EPO                                     | System State/Database | EPO                         | Quarterly    | Quarterly  | IT Operations
SHAREPOINT PORTAL                       | System State/Database | SHAREPOINT                  | Daily        | Weekly     | IT Operations
CISCO ROUTERS AND SWITCHES              | Application           | CISCO                       | Monthly      | Yearly     | IT Operations
DBPOOL                                  | Database              | DBPOOL                      | Weekly       | Monthly    | Technology Solutions
DBSERVICEDESK                           | Database              | DBSERVICEDESK               | Weekly       | Monthly    | Technology Solutions
MSME                                    | Database              | MSME                        | Weekly       | Monthly    | Technology Solutions
DBAPPRAISE                              | Database              | DBAPPRAISE                  | Weekly       | Monthly    | Technology Solutions
DB CALL CARD                            | Database              | DB CALL CARD                | Weekly       | Monthly    | Technology Solutions
CP ONLINE                               | Database              | CP ONLINE                   | Weekly       | Monthly    | Technology Solutions
DB VISA                                 | Database              | DB VISA                     | Weekly       | Monthly    | Technology Solutions
VPAY CARD PRO                           | Database              | VPAY CARD PRO               | Weekly       | Monthly    | Technology Solutions
DB TOD                                  | Database              | DBPOOL                      | Weekly       | Monthly    | Technology Solutions
RESTORATION SCHEDULE

APPLICATION                             | TYPE OF BACKUP        | BACKUP TITLE                | FREQUENCY    | RETENTION  | RESPONSIBILITY
INTERNET BANKING APPLICATION (FCAT_APP) | Full System           | FCAT_APP                    | Bi-Monthly   | Yearly     | IT Operations
INTERNET BANKING DATABASE (FCAT_DB)     | Snapshot / RMAN       | FCAT_DB                     | Daily        | Bi-Monthly | IT Operations
INTERNET BANKING WEB SERVER (FCAT_WEB)  | Full System           | FCAT_WEB                    | Bi-Monthly   | Yearly     | IT Operations
PC/TELE-BANKING                         | Database              | PCTEL_DB                    | Weekly       | Quarterly  | IT Operations
PC/TELE-BANKING SERVER                  | Full System           | PCTEL_APP                   | Bi-Monthly   | Yearly     | IT Operations
MOBILE BANKING SERVER                   | Full System           | SMSBNK_APP                  | Bi-Monthly   | Yearly     | IT Operations
MOBILE BANKING                          | Database              | SMSBNK_DB                   | Weekly       | Quarterly  | IT Operations
WESTERN UNION SERVER                    | Full System           | WU_APP                      | Quarterly    | Yearly     | IT Operations
WESTERN UNION                           | Database              | WU_DB                       | Weekly       | Quarterly  | IT Operations
ATM                                     | Database              | ATM                         | Daily        | Weekly     | IT Operations
CARDWORLD                               | Database              | CARDSOFT                    | Daily        | Monthly    | IT Operations
VPAY                                    | Database              | CARDPRO                     | Daily        | Monthly    | IT Operations
FLEXCUBE DATABASE                       | Snapshot / RMAN       | FCR / FCC                   | Daily        | Bi-Monthly | IT Operations
FLEXCUBE DATABASE (ARCHIVELOG)          | Archive log           | FCR_ARCH/FCC_ARCH/FCAT_ARCH | Daily        | Bi-Annual  | IT Operations
SWIFT                                   | Database              | SWIFT                       | Daily        | Weekly     | IT Operations
ECPIX SERVER                            | Full System/Database  | ECPIX                       | Daily        | Monthly    | IT Operations
KD SERVER                               | Full System/Database  | KD                          | Daily        | Monthly    | IT Operations
XCEED                                   | Database              | XCEED                       | Daily        | Monthly    | IT Operations
FIXED ASSET / INVENTORY                 | Full System/Database  | FIXED_ASSET                 | Weekly       | Monthly    | IT Operations
ZYIMAGE                                 | Full System           | ZYIMAGE                     | Weekly       | Monthly    | IT Operations
SERVICE DESK                            | Database              | SDESK                       | Daily        | Weekly     | IT Operations
ECALLOVER                               | Full System           | ECALL                       | Daily        | Monthly    | IT Operations
EFASS APPLICATION                       | Database              | EFASS                       | Daily/Weekly | Monthly    | IT Operations
TRADETRACKER                            | Database              | TRADETRACK                  | Daily        | Monthly    | IT Operations
RTGS                                    | Database              | RTGS                        | Weekly       | Monthly    | IT Operations
SERVER-016                              | Database              | BR016_DB                    | Daily        | Monthly    | IT Operations
HP UNIX SERVER                          | File System           | DIAM X                      | Weekly       | 2 Weeks    | IT Operations
EXCHANGESVR01 (EXCHANGE SERVER)         | Full Online           | EXCHANGESVR01               | Daily        | Quarterly  | IT Operations
EXCHANGESVR02 (EXCHANGE SERVER)         | Full Online           | EXCHANGESVR02               | Daily        | Monthly    | IT Operations
EXCHANGESVR03 (EXCHANGE SERVER)         | Full Online           | EXCHANGESVR02               | Daily        | Monthly    | IT Operations
DIAM21 (PRIMARY DOMAIN CONTROLLER)      | System State          | DC                          | Quarterly    | Quarterly  | IT Operations
EPO                                     | System State/Database | EPO                         | Quarterly    | Quarterly  | IT Operations
SHAREPOINT PORTAL                       | System State/Database | SHAREPOINT                  | Daily        | Weekly     | IT Operations
CISCO ROUTERS AND SWITCHES              | Application           | CISCO                       | Monthly      | Yearly     | IT Operations
DBPOOL                                  | Database              | DBPOOL                      | Weekly       | Monthly    | Technology Solutions
DBSERVICEDESK                           | Database              | DBSERVICEDESK               | Weekly       | Monthly    | Technology Solutions
MSME                                    | Database              | MSME                        | Weekly       | Monthly    | Technology Solutions
DBAPPRAISE                              | Database              | DBAPPRAISE                  | Weekly       | Monthly    | Technology Solutions
DB CALL CARD                            | Database              | DB CALL CARD                | Weekly       | Monthly    | Technology Solutions
CP ONLINE                               | Database              | CP ONLINE                   | Weekly       | Monthly    | Technology Solutions
DB VISA                                 | Database              | DB VISA                     | Weekly       | Monthly    | Technology Solutions
VPAY CARD PRO                           | Database              | VPAY CARD PRO               | Weekly       | Monthly    | Technology Solutions
DB TOD                                  | Database              | DBPOOL                      | Weekly       | Monthly    | Technology Solutions
Sign-Off

Name & Signature ____________________________  Date _____________________
Head, Information Technology Operations

Name & Signature ____________________________  Date _____________________
Head, Business and Technology Solutions

Name & Signature ____________________________  Date _____________________
Ag. Head, System Engineering

Name & Signature ____________________________  Date _____________________
Head, Groupwide Information Technology Services

Name & Signature ____________________________  Date _____________________
Executive Director, Customer Services and Technology


Subject: Technology Support - Network Operating System Maintenance
PPS No.: PPS-DB-005
Effective Date:
Review Date:

REVISION: COMPLETE __X__  PARTIAL _____
SUBJECT: TECHNOLOGY SUPPORT - NETWORK OPERATING SYSTEMS MAINTENANCE
SERIAL #: 240-05
PAGE #: 15 of 17
AREA CORRECTED: VARIOUS
ISSUED DATE: OCTOBER 31, 2005
EFFECTIVE DATE: OCTOBER 31, 2005
FORM NUMBER: 240-005
SUPERSEDES/REPLACES: N/A

I. AFFECTS
All staff.
II. INTRODUCTION
This section deals with the policies for purchasing, maintaining, tracking and
ensuring the physical security of hardware.
Technical Support unit staff are advised to consult the unit's desk manual for
the detailed steps involved in performing the specific functions described in
this document.
III. OBJECTIVE
i. To define procedures for tracking and maintaining the physical inventory and
movement of hardware assets
ii. To define the procedures that will ensure the physical security of hardware
iii. To define procedures for administering Internet access
iv. To define procedures for backup and restore operations.
IV. DESKTOP COMPLIANCE POLICY
i. The desktop PC provided to each user will have a set of standard software
installed. Users will be required to submit a written request or e-mail
approval to the Head, Operations & Technology for any additional software
installation on their systems.
ii. A mail and domain id will also be created when a person joins the
organisation, via an approval mail from his/her supervisor. Domain ids will be
of the form: first-name initial + last name. Mail ids will normally be of the
form first-name initial.last name@diamondbank.com. The individual will retain
these ids until he/she leaves the bank.
iii. Domain ids are locked after a preset number of wrong password attempts,
for security reasons. Guest logins will be disabled on all PCs to prevent
anonymous access. Where specific software requires local administrator rights,
this will have to be approved and authorised by the Head, Operations &
Technology.
iv. Users will be advised to protect important files with a password. Password
protection will be the first level of security for any file. The Diamond Bank
security implementations will be based on existing Information Security
guidelines. Current implementations at Diamond Bank include policy
guidelines for NT servers and NT workstations. The implementation of


security policy for NT workstations has been limited to certain identified
individuals within IT Services, based on their roles and job functions.
Some workstations have been excluded from this list because the specific
nature of their users' work requires them to have local administrator
rights on their own workstations.
v. Users will be educated through various means about the implications of
using unlicensed software. Additionally, they will be discouraged from
storing games, pornographic material, unauthorised wallpapers and screen
savers. Organisation-wide screen saver parameters have been set for all
users. Users will have to shut down and power off their systems before they
leave at the end of the day.
V. ASSET MANAGEMENT
Asset Management is the process of tracking and maintaining a physical
inventory of the hardware assets procured by IT Services. These assets
include the desktops, laptops and spares used within the organisation's
premises. IT Services will maintain an inventory of these assets. A physical
verification of these assets will be performed on a quarterly basis. Spares,
which will be maintained in storage areas, are also included in the final
inventory list and will be used to ensure quick turnaround in the event of
failure.
1. PURCHASE OF HARDWARE
1. Equipment is usually bought in bulk.
2. Forward an estimate of the number of items and the equipment specification
to Admin (in line with budgetary constraints).
3. Admin sends the specifications to the vendors for quotes. Extra-budgetary
approval has to be sought for equipment replacements, as these were not
catered for in the budget.
4. The vendor supplies the equipment (usually delivered to the Marina store).
5. Confirm that the equipment supplied by the vendor is in line with the
specifications sent to Admin.
6. The assigned TS staff sign off on the delivery form.
2. ALLOCATION OF HARDWARE
This process follows after the hardware has been purchased through the
process described above.
1. Allocate hardware to the user
2. Assign an asset code to the new PC
3. Inform the user of the availability of the hardware by e-mail
4. Fill in the equipment movement form
5. Hardware is moved to the user's department/location
6. User confirms receipt of the equipment by e-mail or an acknowledgement
letter.


In the case of reallocation:
1. Unit head requests reallocation of hardware via e-mail
2. Head, TS approves the request
3. Assigned TS staff performs the reallocation of hardware
4. TS staff updates the asset register with the activity performed.

3. OPERATING SYSTEMS MAINTENANCE

Hardware systems such as printers, laptops, computers etc. have to be kept in
good working condition, and proper maintenance must therefore be carried out
on these systems.
A. FAULT RESOLUTION PROCEDURE
Failed systems are usually sent to the Head Office by the user/user department.
For offices outside Lagos, failed systems are usually moved to the Regional
Offices in those locations.
1. User logs the fault via e-mail, phone call or the help desk (users are
encouraged to use the help desk)
2. TS staff tries to diagnose the nature of the problem
3. If it can be resolved immediately via e-mail, phone or the help desk, TS
staff resolves the fault.
4. Otherwise, if the system has to be moved to the TS unit, TS staff informs
the user of the need to send the system to TS
5. User/designate logs the faulty system at the reception using the equipment
movement form
6. Receive the system from the user/designate
7. Allocate a stop-gap system to the user if available
8. If a stop-gap is not available, re-route the affected department to a
department or unit nearer to it (for printers, fax machines and
photocopiers)
9. For equipment under warranty, send it to the vendor for the necessary
repairs
10. If the faults are minor, resolve them
11. Send an e-mail to inform the user that the system has been repaired
12. User fills in the equipment movement form
13. Hand over the system to the user.
Where parts are needed, in addition to steps 1 to 8 above:
1. Inform the Head, TSU of the need to request parts
2. Head, TSU approves the request for parts
3. Send an e-mail with the part details to Admin requesting the parts


4. Sign off on the vendor delivery note
5. Head, TS appends the delivery note
6. Receive the parts from Admin
7. Resolve the faults
8. Send an e-mail to inform the user that the system has been repaired
9. User fills in the equipment movement form
10. Hand over the system to the user.


Subject: Technology Support - Documents Rights Management
PPS No.: PPS-DB-006
Effective Date:
Review Date:

REVISION: COMPLETE __X__  PARTIAL _____
SUBJECT: TECHNOLOGY SUPPORT - DOCUMENTS RIGHTS MANAGEMENT
SERIAL #: 240-011
PAGE #: 48 of 55
AREA CORRECTED: VARIOUS
ISSUED DATE: 21 OCTOBER 2008
EFFECTIVE DATE: 21 OCTOBER 2008
FORM NUMBER: 240-011
SUPERSEDES/REPLACES: N/A
I. AFFECTS:
All staff.
II. PURPOSE
To define guidelines for protecting the Bank's valuable and classified
information from unauthorised usage and circulation.
III. INTRODUCTION
The need to protect the Bank's information assets from abuse and mishandling
resulted in the implementation of the E-mail and Internet Security Policies
in 2003. However, with growing concerns about information theft, the need
for better information security management cannot be over-emphasised.
To address this need, Management has approved the introduction of
Microsoft Windows Rights Management Services (RMS) to help


safeguard digital information from unauthorised use, both online and
offline, and both inside and outside the bank's network. RMS-enabled
applications protect information by assigning usage rights and
conditions which remain with the information wherever it is
distributed. Windows Rights Management addresses the Bank's security
needs with respect to information misuse and wrong dissemination.
The policies and procedures detailed in this manual define the roles and
responsibilities of key stakeholders. The policy shall be read in
conjunction with the existing policies on E-mail and Internet Security.
IV. POLICIES AND PROCEDURES
1. Sensitive digital information shall be rights-protected using Microsoft
Windows Rights Management Services (RMS). Technology Support Group (TSG)
shall be responsible for implementing RMS-enabled applications bank-wide.
2. All e-mails containing classified and confidential information must be
rights-protected by the sender before dissemination to staff. Such mails
shall NOT be distributed or forwarded to external e-mail addresses or to
persons outside the bank's network domain.
3. Information distributed through the Administrator profile or any of the
designated mailing groups (e.g. Business Process Assurance, ALCO, Credit
Admin etc.) must be secured using Rights Management Services (RMS). Access
to such mails must be limited to read only, while other features such as
printing, copying, saving, forwarding etc. shall be deactivated.
4. Proprietary information such as project-related documents, confidential
reports, policy documents, new product papers, budget documents, product
programs, approved credit forms etc. included as an attachment to any mail
must be protected and access restricted to authorised users only.
Recipients of these mails shall have read-only access to the attachment
unless other permission is granted by the originator.
5. All sensitive documents on the intranet and in public folders (soon to be
migrated to SharePoint) must be protected from unauthorised access and
distribution by the owning unit. Only users granted read-only access shall
be able to view these documents.


6. Confidential and sensitive information on official laptops and other
work tools such as BlackBerry devices must be rights-protected by the
assigned users. Full restriction must be imposed on any document saved on
such work tools.
7. The procedure for applying protection to documents and e-mails shall be
as highlighted in the user manual (refer to the appendix section). This
shall be the sole responsibility of the staff producing the documents.
V. BENEFITS OF IMPLEMENTING RMS
1. RMS helps protect information through consistent adherence to the set
RMS policy.
2. Restricts the ability to print, save, copy or forward secured Office
documents and e-mails, within or outside the bank's network. (These
restrictions are enforced by the RMS-enabled application that opens the
content; they do not prevent a recipient from photographing or retyping
what is displayed on screen.)
3. Ability to selectively grant different permissions to different groups
of users.
4. Helps to safeguard proprietary information within the bank as well as
documents that are distributed to authorised entities.
5. Ease of implementation, i.e. RMS is designed to minimise the effort
required to implement rights management.


VI. ROLES AND RESPONSIBILITIES

1. Technology Support Group
TSG shall be responsible for:
i. Managing the RMS environment through centralised administration.
ii. Providing technical support to all users of the RMS-enabled
applications.
iii. Sending an awareness mail to all staff on a fortnightly basis,
sensitising them to the need to rights-protect their documents.

2. Corporate Audit
System Audit staff shall be responsible for:
i. Performing sample checks on mails forwarded from the Administrator
profile and other mailing groups to ensure compliance with the policy.
ii. Investigating any cases of violation of this policy by staff of the
Bank.

3. All Staff
Staff of the bank shall be responsible for:
i. Ensuring that all documents containing vital information are
rights-protected as appropriate.


Appendix
Using Rights Management to create a Protected Document
To assign RM permissions to a document created in an Office program, click
File | Permission. As shown in Figure A, the default is Unrestricted Access.

FIGURE A
If you want to allow a user to view the document, but you don't want him/her
to be able to distribute it to others, select Do Not Distribute from the menu.
This will display the Permission dialog box that is shown in Figure B.


FIGURE B
As you can see, you can enter users' e-mail addresses or select them from the
Address Book. If you want the users to be able to read the document but do
nothing else to it, enter them in the Read box. If you want them to be able to
edit the document, but want to keep them from copying or printing it, enter
them in the Change box.
You can set permissions more granularly, or cause the users' access to the
document to expire completely on a specified date, by clicking the More
Options button. This will display the dialog box shown in Figure C.


FIGURE C
Remember that any users who are assigned rights with IRM will need to have
certificates from an RM server. To open the document, they might have to
install the client update software if this is the first time they have
opened an RM-protected document. If they don't already have Passport
accounts, they will need to create them. Finally, they will have to download
RM certificates.
To assign RM permissions to an e-mail in Outlook:
Click New Mail Message; on the new message, click File, then Permission. You
can now select Do Not Forward to prevent your mail from being forwarded to
another recipient.


Subject: Business Application Support - Database Policy
PPS No.: PPS-DB-007
Effective Date:
Review Date:

REVISION: COMPLETE __X__  PARTIAL _____
SUBJECT: BUSINESS APPLICATION SUPPORT - DATABASE POLICY
SERIAL #: 270-06
PAGE #: 31 of 129
AREA CORRECTED: VARIOUS
ISSUED DATE: 14 SEPTEMBER 2005
EFFECTIVE DATE: 14 SEPTEMBER 2005
FORM NUMBER: 270-006
SUPERSEDES/REPLACES: N/A
VII. AFFECTS
All staff on DB Network (i.e. Diamond Bank Plc and its subsidiaries)
Database(s)
VIII. PURPOSE
This policy document aims at:
1. Providing specific instructions on the roles and responsibilities of the
Database Administrator(s) in DB Network Databases
2. Ensuring that the integrity of the Database(s) is/are maintained
3. Ensuring that only authorized users/applications are granted access to the
database
4. Ensuring that data are safeguarded from corruption and unauthorized
access.
5. Defining database procedures for continuity of business and disaster
recovery
6. Ensuring database availability at all times

IX. INTRODUCTION
A database, simply put, is an organized collection of information or data. It is
a store of data that describes entities and the relationships between the
entities. A database management system (e.g. Oracle, MSSQL), on the other
hand, is the software mechanism for managing the data.
Databases can be classified into the following types viz;
Analytic Databases
Operational Databases
Hierarchical Databases
Network Databases
Relational Databases
Client/Server Databases
In a relational database management system (e.g. Oracle, MSSQL), data is
stored in a tabular form and identified by rows and columns.
These database policies shall apply to DB Network employees and in some
instances vendors who support various applications running or interfacing
with database(s) located on personal computers and servers under the
jurisdiction and or ownership of DB Network.
X. POLICIES
The administration and management of Database(s) under the DB Network
shall be under the responsibility of the Database Administrator(s).
XI. PROCEDURES

System Security
Data Security
Password Management
Purging
Backup & Recovery
Database Audit

a) System Security
This describes the aspects of the database in relation to system security
and consists of:
User Management, User Access and Operating System Security.

i. User Management
Database users are the access paths to the information in a database.
Therefore, adequate security measures shall be maintained for the
management of database users. The database administrator(s) shall be the
only user with the privileges required to create, alter, or drop users in the
database(s).
ii. User Access
Every user in the Network requesting database access shall complete a
Database Authorisation form (see appendix) duly signed by his/her
supervisor and endorsed by Head, Operations & Technology Services and
Head, Compliance and Controls (CC). This user shall be uniquely identified
according to the details as specified in the database authorisation form.
This authorisation form will among others capture the following details,
User Name
User Department/Branch
Database Access rights or privilege
Reason for access
However, a generic group user ID shall be defined for all user groups of DB
Network whose activities are limited to only querying or retrieving
information from the database (e.g. Service Desk, Inspection). This group
user ID shall be created by the database administrator after necessary
approvals are obtained.
iii. Operating System Security
Only Database administrators shall have the operating system privileges
to create and delete files related to the database and such privileges shall
however, not be extended to any other database user. Database log files in
the operating system shall be read-only and this shall be purged
periodically by the database administrator after proper approvals have
been obtained and backups taken.
b) Data Security
Data security includes the mechanisms that control the access and use of
the database at the object (data) level. User access to objects or actions on
specific schema (profile) objects shall be defined by the database
administrator according to the details supplied in the user request form
and shall be authorised by the Head, O&TS.

Users shall be granted only the capabilities necessary to perform a job.


Rights to update, delete or alter data or objects shall be restricted to the
database administrator or designate(s) after obtaining a formal approval
from Head Business Application Support (BAS) and/or Head, Operations &
Technology Services (O&TS) where necessary.
An audit trail of such activities shall be captured and periodically reviewed
by the Head BAS or his designate for consistency and compliance.
All enhancements, upgrades, updates, and fixes to the database shall be
documented and a formal approval obtained from Head, BAS and Head
O&TS before implementation.
c) Password Management
In order to eliminate the possibility of unauthorized database access,
database users (excluding third party application users) shall be required
to change their passwords at intervals not exceeding 30 days from date of
the last change and in line with the password policy of the bank. In
addition, the System shall retain a history of the last 6 password changes
by a user.
All other password management policies shall remain applicable.
The system shall lock out a user after three (3) unsuccessful attempts. The
affected user will be required to complete a user modification form which
shall be approved by his supervisor, Head, O&TS and Head, Compliance
and Control.
The database administrator shall on a monthly basis review the database
password management policy to ascertain vulnerabilities and ensure
greater control over database security.
Note: The database password policy shall apply to only users created as
database objects in Oracle or equivalent databases. For third party
user/application access (e.g. Flexcube), audit of related events would be a
function of the security interface within the application.
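As an added illustration (not part of the bank's policy text), the following Oracle statements encode the password rules of section c) in a database profile and give the monthly review query. The profile name DB_USER_PROFILE, the user name JDOE, the 5-day grace period and the 180-day reuse window are assumptions, since the policy does not set them.

```sql
-- Added example, not from the Diamond Bank policy: an Oracle profile enforcing
-- section c).  Profile and user names are hypothetical.

-- Weak baseline, shown for contrast only (Oracle's DEFAULT profile historically
-- left these open, so a user could keep one password forever and retry logins freely):
--   PASSWORD_LIFE_TIME     UNLIMITED
--   PASSWORD_REUSE_MAX     UNLIMITED
--   FAILED_LOGIN_ATTEMPTS  UNLIMITED

-- Hardened profile matching the policy.
CREATE PROFILE db_user_profile LIMIT
  PASSWORD_LIFE_TIME     30         -- password must change within 30 days of the last change
  PASSWORD_GRACE_TIME    5          -- warning window after expiry (assumption; policy is silent)
  PASSWORD_REUSE_MAX     6          -- the last 6 passwords cannot be reused ...
  PASSWORD_REUSE_TIME    180        -- ... nor any password used within 180 days (assumption:
                                    -- Oracle only enforces REUSE_MAX when both limits are set)
  FAILED_LOGIN_ATTEMPTS  3          -- lock the account after three failed attempts
  PASSWORD_LOCK_TIME     UNLIMITED; -- stays locked until the DBA unlocks it after the
                                    -- approved user modification form is received

-- Apply the profile to a named (non third-party application) database user.
-- Application schema owners such as the Flexcube user are excluded by the policy
-- and keep their own profile.
ALTER USER jdoe PROFILE db_user_profile;

-- Monthly DBA review: open accounts whose profile still leaves one of the three
-- policy limits unlimited or inherited from DEFAULT.
SELECT u.username, u.profile, u.account_status, p.resource_name, p.limit
  FROM dba_users    u
  JOIN dba_profiles p ON p.profile = u.profile
 WHERE p.resource_type = 'PASSWORD'
   AND p.resource_name IN ('PASSWORD_LIFE_TIME', 'PASSWORD_REUSE_MAX',
                           'FAILED_LOGIN_ATTEMPTS')
   AND p.limit IN ('UNLIMITED', 'DEFAULT')
   AND u.account_status = 'OPEN'
 ORDER BY u.username, p.resource_name;

-- After the user modification form has been approved by the supervisor,
-- Head, O&TS and Head, Compliance and Control, the DBA unlocks the account.
ALTER USER jdoe ACCOUNT UNLOCK;
```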
d) Purging Flexcube Database
DB Plc runs the Flexcube banking solution hosted on an Oracle Relational
database management system.
To avoid database degradation arising from resource constraints caused
by rapid growth in transaction volume, the Oracle database shall be
purged bi-annually or as needed.

This process shall involve moving purged data from designated tables on
the live database to archive tables in the same location.
The Database administration team shall be responsible for this process
after obtaining approval from Head, O&TS. The data in the archive tables
of the live database shall have a retention period of 18 months after which,
it shall be backed up to tape and purged.
The purging process is classified into two broad categories viz;
Category 1
This simply involves the truncation of data in temporary tables used for
reporting and moving such data to the archive database.
Such tables include TD_TMP_C503 (term deposit information),
CH_TMP_RCH169 (interest calculations), RPT_BA_C101 (temporary
report table), RPT_CH_C008 and RPT_CI_C001, which are required
during report generation in the End of Day process, etc.
Category 2
In the second category, data are purged from the live database into the
archive database and a consolidated row is inserted in the former to
ensure accuracy of debit and credit balances.
Since some of the tables are used for enquiry, deleting the rows will not
suffice. The purging process for such tables will therefore move the data
from the live database to an archive database so as to retain the net
financial value of the data.
The retrievable data will be in a table of the same name as the main table,
appended with "_hist" in Flexcube Retail and "_purge" in Flexcube
Corporate.
For example, the table ch_nobook in the live database will have a
corresponding table ch_nobook_hist in the archive database.
Methodology
Flexcube Corporate:
The purge of this database will involve moving transactions of all contracts
that are already matured or closed for which the transaction date is earlier
than the retention period. The following transaction tables will be affected,
viz: ACTB_HISTORY, CSTB_ADDL_TEXT and MITB_CLASS_MAPPING. This
exercise would be undertaken in line with the procedure given by the
application vendor (Iflex).

Flexcube Retail:
Using the procedure provided by the application vendor (Iflex), the
following tables will be purged in Flexcube Retail database:
ch_acct_cust_xref
This is the cross-reference table for customer accounts that shows details of
an account holder's relationship in Flexcube. The enquiry module that
uses this table is Customer Account Cross-Xref Mnt.
ch_acct_od_hist
This shows the account numbers which are in OD (overdraft along with
limit and drawing power).
ch_clg_acct_xref
This shows the accounts with their corresponding clearing accounts codes
and sector codes.
ch_tmp_rch_interest
This shows the accounts with the effective interest rate and the corresponding
effective date of the interest rate.
ch_nobook & ch_acct_ledg
These are tables in which all CASA account transactions are stored. From
these tables data are deleted and moved to the archive database. These tables
are also used for transaction history inquiries. During purging, a
consolidated row for each account moved to the archive database is
inserted into the live database.
cs_ho_custacctxref
This contains the cross-reference information for customer accounts. The
accounts, which are in ch_purge_table, are deleted from this table.
td_renewal_history
This table maintains the renewal history for Time deposit accounts.
td_int_payment_history
This table maintains the interest payment history for Time deposit
accounts.
td_audit_trail & td_acct_ledg
All term deposit transactions are stored in these tables. Data stored in this
table shall be deleted and moved to the archive database and a
consolidated row inserted in the live database for each term deposit
account.

ln_daily_txnlog_hist
This is a transaction log table for loan accounts. All transactions done on
loan accounts are stored in this table. Data stored in this table shall be
deleted and moved to the history area. Also, as this is used for transaction
history inquiry, a consolidated row for each account purged will be inserted
into the live database.
st_clrreg
This table stores all cheque transaction details. Depending on purge date,
cheques for which full credit has been redeemed are deleted and moved to
archive database.
st_instr_issued
This table stores the record of cheques issued and their status. Depending
on purge date, cheques for which cheque status is paid, are deleted and
moved to archive database.
st_micr_files
This contains the information of all uploaded cheque files. Data are moved
to the archive database if the status of the instrument is processed.
gl_txnhist
Contains all the transactions performed on all GL accounts. Depending on
purge date, transactions for which the mnemonic is not
PURGE_TXN_MNEMONIC (999) are deleted and moved to the archive
database. In addition, a GL-wise consolidated row is inserted into the live
database for each purged GL account.
ol_bots_bcl & ol_batch_info
This contains all the batch history (history of open, close of branches).
Depending on the purge date, data up to that date is deleted.
ba_eod_history
This contains the history of EODs. Time taken by each shell at EOD is
maintained in this table. Depending on the purge date, data up to that
date is deleted.
ba_tds_remit
This contains information on tax deducted at source. Depending on the
purge date, data up to that date is deleted.
These tables are subject to review from time to time.
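As an added example (not the policy's own text nor the Iflex procedure it refers to), this Oracle PL/SQL block shows a Category 2 purge of the kind described for ch_nobook, ch_acct_ledg and the term deposit and loan tables above: detail rows move to the _hist table and one consolidated row per account keeps the net financial value in the live table, with a reconciliation check before commit. The column names of ch_nobook, the archive schema ARCH and the 18-month cut-off are assumptions.

```sql
-- Added example, not the bank's or the vendor's procedure.  The ch_nobook columns
-- (acct_no, txn_date, dr_amt, cr_amt, narration), the archive schema ARCH and the
-- 18-month retention cut-off are assumptions; ARCH.CH_NOBOOK_HIST is assumed to
-- have the same columns as the live table.  Run with SET SERVEROUTPUT ON.

DECLARE
  c_marker      CONSTANT VARCHAR2(30) := 'PURGE CONSOLIDATED B/F';
  v_purge_date  DATE   := ADD_MONTHS(TRUNC(SYSDATE), -18);  -- rows dated before this go
  v_net_before  NUMBER;  -- net value (credits - debits) of the rows about to be purged
  v_net_after   NUMBER;  -- net value of the consolidated rows written in their place
  v_rows        PLS_INTEGER;
BEGIN
  -- Control total taken before anything moves.
  SELECT NVL(SUM(cr_amt) - SUM(dr_amt), 0)
    INTO v_net_before
    FROM ch_nobook
   WHERE txn_date < v_purge_date;

  -- 1. Copy the aged detail rows to the archive (_hist) table so that the desks
  --    listed under "Viewing of purged data" can still find them.
  --    Consolidated rows left by an earlier purge run are NOT copied: their detail
  --    is already in the archive and copying them would double-count its net value.
  INSERT INTO arch.ch_nobook_hist (acct_no, txn_date, dr_amt, cr_amt, narration)
  SELECT acct_no, txn_date, dr_amt, cr_amt, narration
    FROM ch_nobook
   WHERE txn_date < v_purge_date
     AND narration <> c_marker;
  v_rows := SQL%ROWCOUNT;

  -- 2. Write one consolidated row per account, dated on the purge date, so the
  --    live table retains the net financial value of the rows being removed
  --    (earlier consolidated rows roll forward into the new one).
  INSERT INTO ch_nobook (acct_no, txn_date, dr_amt, cr_amt, narration)
  SELECT acct_no, v_purge_date, SUM(dr_amt), SUM(cr_amt), c_marker
    FROM ch_nobook
   WHERE txn_date < v_purge_date
   GROUP BY acct_no;

  -- 3. Delete everything older than the purge date.  The new consolidated rows
  --    carry txn_date = v_purge_date and therefore survive.
  DELETE FROM ch_nobook
   WHERE txn_date < v_purge_date;

  -- 4. Reconcile: the consolidated rows must carry exactly the net value that left.
  SELECT NVL(SUM(cr_amt) - SUM(dr_amt), 0)
    INTO v_net_after
    FROM ch_nobook
   WHERE txn_date = v_purge_date
     AND narration = c_marker;

  IF v_net_after <> v_net_before THEN
    ROLLBACK;
    RAISE_APPLICATION_ERROR(-20001,
      'ch_nobook purge aborted: net before ' || v_net_before ||
      ' does not equal net after ' || v_net_after);
  END IF;

  COMMIT;
  DBMS_OUTPUT.PUT_LINE(v_rows || ' detail rows archived from ch_nobook as at ' ||
                       TO_CHAR(v_purge_date, 'DD-MON-YYYY'));
END;
/
```

The same pattern, applied per GL account, gives the GL-wise consolidated row described for gl_txnhist.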

Viewing of purged data


History lookup by users places a tremendous demand on database
resources and can affect performance if poorly managed. This is because
the history tables will generally contain more data than their live
counterparts.
In view of this, access to historical data will be restricted to users in the
following desks namely BAS, Customer Service Desk, Customer Service
Managers & their regional heads (CSMs), Resident Internal Control staff,
Inspection, Loan Admin, Credit Admin, RCSM, Head Branch Operations
Services, Head Head-office Operations Services and FINCON.
Retention period of data in the purge area
A retention period of three (3) years shall be maintained in the archive
database. Data which have exceeded this limit shall be moved to an offline
media after this period.
Any user request for such data will be made available within two days by
the database administrator.
e) Backup & Recovery
The backup of the Flexcube database is currently undertaken as part of
the End of Day (EOD) process in line with the backup policy of the bank.
However the backup of other third party applications running on the
Oracle database shall be done by the application administrator or
designate.
Furthermore, backup of branch SQL databases shall be performed by the
CSM or designate at the respective branch.
A mock restore of the Flexcube backup shall be carried out on a quarterly
basis to ensure backup data integrity and consistency and also guarantee
business continuity and disaster recovery. This shall be the responsibility
of the database administration team.
f) Database Audit
In order to effectively monitor and control the activities of the database
Administrators and other users in the database, the audit of the following
database objects and use of system privileges will be enabled in Flexcube
Retail and Corporate database.
These privileges include;

Create, Alter or Drop a Table


This access right(s) enables any privileged user to create, modify or delete
a table and once a table is deleted, automatically, the content on the table
is lost too.
Truncate a Table
This access right enables any privileged user to delete all the contents of a
table without warning.
Create, Alter or Drop a Tablespace
This system privilege allows a user to create a new Tablespace, delete or
modify existing Tablespace.
Create, Alter or Drop a User
This access enables a privileged user to create a new user in the database,
alter a user's rights or delete a user.
Session
This monitors all logon to the database. The audit of this right will be
enabled on only non application database users.
Insert, Update and Delete
The audit of these rights which enables a user to create or manipulate
data in a table will only be enabled for non third party application
database users. Such activities involving third party application database
users shall be a function of the application.
Review of Audit information
Head BAS or his designate shall review the audit information weekly to
ensure that the entire database activities performed within the week in the
database are in line with the policy.
In addition, while Systems Inspection Staff shall have unrestricted access
to the audit information, Head BAS or his designate shall make the audit
information available to the Internal Control officer during the audit of the
database(s).
Audit Information Archive
Due to the large volume of data generated in the database by the audit
process, the audit tables shall be periodically purged and moved to a
secondary media after appropriate change request approvals have been
obtained by the database administrator. The retention period of the audit
data in the live database shall be six months.
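As an added example (not from the policy or the Flexcube product), the following Oracle statements enable the traditional (pre-12c unified) audit trail for the privileges listed under f), give the weekly review query and archive records older than six months. The user names DBA01 and OPS_QUERY (non-application users), APPFCR (the application schema, exempt from session and DML auditing) and the archive table ARCH.AUDIT_ARCHIVE are hypothetical.

```sql
-- Added example, not the bank's configuration.  User names and the archive table
-- are hypothetical; run as a DBA (the archive steps as SYS).

-- Audit records are written to SYS.AUD$ (readable via DBA_AUDIT_TRAIL).
-- The parameter is static, so the instance must be restarted for it to apply.
ALTER SYSTEM SET audit_trail = DB SCOPE = SPFILE;

-- Create, Alter or Drop a Table.  The TABLE shortcut audits CREATE TABLE,
-- DROP TABLE and TRUNCATE TABLE; ALTER TABLE is audited via its system privilege.
AUDIT TABLE BY ACCESS;
AUDIT ALTER TABLE BY ACCESS;
-- Truncate a Table: already covered by AUDIT TABLE above.

-- Create, Alter or Drop a Tablespace.
AUDIT TABLESPACE BY ACCESS;

-- Create, Alter or Drop a User.
AUDIT USER BY ACCESS;

-- Session: logons, enabled only for non-application database users.
AUDIT SESSION BY dba01, ops_query;

-- Insert, Update and Delete: enabled only for non-application users.  DML by the
-- application schema (APPFCR) is left to the application's own security interface,
-- so no AUDIT statement names it.
AUDIT INSERT TABLE, UPDATE TABLE, DELETE TABLE BY dba01, ops_query BY ACCESS;

-- Weekly review by Head BAS or designate: everything audited in the last 7 days,
-- failed attempts (RETURNCODE <> 0, e.g. insufficient privilege) listed first.
SELECT username, os_username, userhost, action_name, owner, obj_name,
       returncode, timestamp
  FROM dba_audit_trail
 WHERE timestamp >= TRUNC(SYSDATE) - 7
 ORDER BY CASE WHEN returncode <> 0 THEN 0 ELSE 1 END, timestamp;

-- Audit Information Archive (six-month live retention).  One-time setup of the
-- secondary table, then the periodic move, executed only after the change request
-- has been approved.
CREATE TABLE arch.audit_archive AS SELECT * FROM sys.aud$ WHERE 1 = 0;

INSERT INTO arch.audit_archive
SELECT * FROM sys.aud$ WHERE ntimestamp# < ADD_MONTHS(SYSTIMESTAMP, -6);
DELETE FROM sys.aud$   WHERE ntimestamp# < ADD_MONTHS(SYSTIMESTAMP, -6);
COMMIT;
```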

APPENDIX 1
DIAMOND BANK PLC
DATABASE ACCESS AUTHORIZATION FORM
To: Database Systems Administrator
Date: ____________________
Please tick as appropriate:
Roles:
i. Add a New User
ii. Modify a User
iii. Delete a User
iv. Disable a User
v. Enable a User
vi. Add Role(s)
vii. Delete Role(s)
Access rights:
i. Select
ii. Update
iii. Insert
iv. Delete
v. Connect
vi. Create
vii. Alter
viii. Drop
Name: ________________________________________________________________
User ID: _____________________________________________________________
Job Description: _________________________________ Branch/Unit: ________________________
Specify Role(s) Required: ____________________________________________________________
Reason for Request: _________________________________________________________________
____________________________________________________________________________________
_______________________________          _________________________________
Departmental/Unit Head                   Head, BAS
___________________________________      ____________________________________
Head, Operations & Technology Services   Head, Compliance & Controls
For Internal Use Only
_____________________________
Database Administrator

Subject: Business Information System-System Development Life Cycle
PPS No.: PPS-DB-008
Effective Date:
Review Date:
REVISION: COMPLETE _____  PARTIAL _____
AREA CORRECTED: N/A
SUPERSEDES/REPLACES: N/A
SUBJECT: BUSINESS INFORMATION SYSTEM - SYSTEM DEVELOPMENT LIFE CYCLE
SERIAL #: 390-002
PAGE #1 of 11
ISSUED DATE: FEBRUARY 19, 2009
FORM NUMBER: 390-002
EFFECTIVE DATE: FEBRUARY 19, 2009

VI. AFFECTS:
All staff.
VII. PURPOSE
To define the operational guidelines for the development of software
applications in the bank.
VIII. INTRODUCTION

The need for safe, secure, and reliable system solutions is heightened by the increasing
dependence on computer systems and technology to provide services and develop
products, administer daily activities, and perform short- and long-term management
functions. There is also a need to ensure privacy and security when developing
information systems, to establish uniform privacy and protection practices, and to
develop acceptable implementation strategies for these practices. The increasing
automation of our processes therefore requires that applications are standardized,
cost-effective, and efficient, but above all meet user expectations. To achieve this, a
software application must pass through the Systems Development Life Cycle (SDLC) or
Outsourcing Software Development as the case may be.
Systems Development Life Cycle is defined as a software development method that
follows standard phases and processes. It requires the bank's IT specialists to develop
software applications for the bank's products and services by following the standard
cycle of software development.
The SDLC phases provide an excellent opportunity to control, monitor, and audit the
systems development process, and ensure customer and user satisfaction. It consists of
the following:

i. Initiation Phase
ii. System Concept Development Phase
iii. Planning Phase
iv. Requirements Analysis Phase
v. Design Phase
vi. Development Phase
vii. Integration and Test Phase
viii. Implementation Phase
ix. Operations and Maintenance Phase

Software Outsourcing (Outsource Software Development)

Software Outsourcing is defined as having a third party (outside the bank) develop
software applications for the bank's products and services. Software outsourcing can
either be by purchasing existing software and paying the publisher to make certain
modifications to suit the bank's needs or by outsourcing the development of an entirely
new system for a particular product or service.

IX. POLICIES
In-house Software Development.
1. All Software Development projects to be embarked upon shall pass through the IT
Steering Committee (ITSC) and Executive Committee (EXCO) for approval.
2. All business units shall prepare a list of products or services requiring automation at
the beginning of the new financial year including their estimated costs. This shall be
submitted to the ITSC for approval and a tracking code issued in line with the
Project Management policy.

3. Where there is a need to automate a process or develop an application during the
period after the financial year has commenced, the affected business unit shall seek
special approval from the ITSC and this shall be ratified by the EXCO.
4. All Software projects shall adopt the same framework as the Project Management
policy and shall have a project sponsor and project manager. The project manager
shall monitor and report the progress of the project to the IT Steering Committee.
5. Executive Management approval shall be obtained to commence a project based on
the signed-off functional requirements by all stakeholders (comprising all members
of the Software Development Team).
6. Any/all changes or variations to the initial design that may impact the development
process shall be duly authorized and approved by the ITSC before taking effect.
7. The System Development team shall roll out a prototype of the solution which shall
be followed by a User Acceptance Test (UAT) involving all stakeholders to evaluate
the application for correctness and ensure that users' expectations have been
satisfied. This shall be documented and signed-off by all stakeholders comprising IT
Services, Process Owner, Corporate audit. The UAT shall also cover training the
Process Owner and other stakeholders on the functionalities of the application.
8. The Project Manager in conjunction with the System Development team shall
prepare both Operational and Technical documentation of the features of the
application.
9. A pilot run of the solution shall be conducted after the UAT is signed-off involving all
stakeholders.
10. The Project manager shall seek Management approval to go live.
11. The Group Head Business Application Support shall complete a Change process
form to deploy the live system by obtaining the necessary approvals which include
but is not limited to the Divisional Head, IT Services, Head Projects, Process Owner
and ED CS&T as the case may be.
12. The System Development Team shall prepare a standard Support and
Administration guide or document including a continuity of business plan for the
application. This document shall be reviewed jointly by the Head Business Process
Assurance and Project Manager for completeness and approved in line with policy.
13. The System Development Team shall submit a softcopy of the source code in a CD or
any other storage media for safekeeping by the Software Librarian once live
deployment is completed.
14. Application upgrades shall follow a clearly defined review process involving the
System Development Team, the Project Sponsor, Head Projects, Divisional Head, IT
Services and ED CS&T. During this period all relevant requirements which cannot
be met by the existing version of the application at that time would be collated and
incorporated into the design of the upgrade version.
Outsourced Software Development

1. All Outsourced Software Development projects to be embarked upon shall pass
through the IT Steering Committee (ITSC) and Executive Committee (EXCO) for
approval.
2. All business units shall prepare a list of products or services requiring automation at
the beginning of the new financial year including their estimated costs. This shall be
submitted to the ITSC for approval and a tracking code issued in line with the
Project Management policy.
3. Where there is a need to automate a process or outsource an application during the
period after the financial year has commenced, the affected business unit shall seek
special approval from the ITSC and this shall be ratified by the EXCO.
4. All Outsourced Software projects shall adopt the same framework as the Project
Management policy and shall have a project sponsor and project manager. The
project manager shall monitor and report the progress of the project to the IT
Steering Committee.
5. Software Outsource Scheme shall identify a minimum of three (3) competent
vendors to be contracted for the solution and circulate the draft Requirements
Specifications to the vendors as the minimum requirements for the application.

6. Based on the quotation submitted by the vendor, the Project Manager shall seek
approval to initiate the project and subsequently notify the Cost Management
Committee (CMC) through the Head Administration to commence price
negotiations.
7. Payment terms shall be agreed with the vendor; however, the bank (through the
CMC) shall as much as possible negotiate or insist on:
a. 50% payment on order
b. 20% on delivery and UAT
c. 30% on live rollout after 60 days
8. The initial payment to the vendor shall be backed by an Advance Payment
Guarantee, to be followed by the issuance of the Purchase Order by Head,
Administration.
9. The vendor shall submit an implementation plan including deliverables to be signed
off jointly by the vendor and the bank; this plan shall be monitored by the Project
Manager.
10. The responsibility of supporting all applications after live deployment shall rest with
the Divisional Head, IT Services.
11. The vendor shall prepare a standard Support and Administration guide or document
including a continuity of business plan for the application. This document shall be
reviewed jointly by the Head Business Process Assurance and Project Manager for
completeness and approved in line with policy.
12. The vendor shall submit a softcopy of the source code in a CD or any other storage
media for safekeeping by the Software Librarian once live deployment is completed.

13. Application upgrades shall follow a clearly defined review process involving the
vendor, the Project Sponsor, Head Projects, Divisional Head, IT Services and ED
CS&T. During this period all relevant requirements which cannot be met by the
existing version of the application at that time would be collated and incorporated
into the design of the upgrade version.

X. GENERAL PROCEDURES
A. SYSTEMS DEVELOPMENT LIFE CYCLE (In-house Software Development)

The following tasks and activities shall be carried out at different phases of the System
Development Life Cycle:
1. PROJECT DEFINITION
At this stage the System Development Team shall collect information to
determine if the project warrants the investment of IT personnel
resources or otherwise. The team shall identify the customer, user,
objective and basic operating concept. The team shall also provide a
preliminary investigation of alternatives and risk analysis, and a
cost-benefit analysis to determine if the project has a favourable return on
investment, which is critical to the project approval process. The program
and project manager are identified in this phase, as well as projected
costs for training and sustaining efforts after the project is completed.
The key output of this phase is knowing exactly what the scope of the
project is prior to committing funding and resources, including the
project timetable with milestone dates and resource estimates, and a
formalized approval/authorization or disapproval of the project based on
the project definition.
2. USER REQUIREMENT
At this stage, the System Development Team shall define the user requirements based
on the processes that users conduct in their day-to-day activity. The Software
Development Team, in conjunction with the process owners, shall clearly describe what
part of the user process (activity) should be automated or enhanced, and the expected
capabilities and features. This phase cuts across definition from Business Units,
Operations, Control and IT requirements. Some preliminary tasks that are performed
prior to developing the user requirements include interviews, identification of the
objectives, and definition of operating concepts. The key output of this phase is a
summary document of user requirements that explains what the system is supposed to
do.
3. SYSTEM REQUIREMENT DEFINITION

At this stage, the Software Development Team shall define the system
requirements by merging user processes and requirements in a way that
allows the system to support many different users or functions in similar
areas. The Software Development Team shall establish and analyse the
intended technical requirements and data requirements. It shall
consolidate and affirm the business needs, analyze the intended use of the
system and specify the functional and data requirements; define functional
and system requirements that are not easily expressed in data and process
models; and refine the high-level architecture and logical design to
support the system and functional requirements.
The key output of this phase is a summary document that explains the
system architecture, data processing structure, and technical or support
requirements. In addition, security and internal control requirements are
also developed as appropriate to the scope of the project.
4. ANALYSIS AND DESIGN
The analysis and design phase is a complex and critical step in
determining which system design, based on systems engineering and
technology analysis, meets the user and system requirements. For
non-technical solutions, the design may simply be a support process to be
implemented over time. The design may be presented as several options
with trade-off analysis or a specific configuration, and may consist of
Commercial-off-the-shelf (COTS) products or customized development.
Procurement options and cost information should be identified as
determined by resource requirements and the design. The most
significant milestone in this phase is the recommendation of what to do
or buy in order to meet the user and system requirements.
The Software Development Team shall establish a top-level architecture of
the system and document it. The architecture shall identify items of
hardware, software, and manual operations. All the system requirements
shall be allocated among the hardware configuration items, software
configuration items, and manual operations.
The team shall transform the requirements for the software item into an
architecture that describes its top-level structure and identifies the
software components. It shall also ensure that all the requirements for
the software item are allocated to its software components and further
refined to facilitate detailed design. The team shall also develop and
document a top-level design for the interfaces external to the software
item and between the software components of the software item.
5. SYSTEMS BUILD

The system build phase is the execution of the approved design and in
some cases may overlap into the implementation phase. This phase
involves the setup of a small-scale proof-of-concept validation system
prior to live deployment to ensure that user requirements/expectations
have been satisfied. This phase may also involve creation of a support
process and move directly to implementation. Where a COTS option is
preferred, Procurement activity begins in this phase and may be
expanded with deployment during implementation. The validation,
verification, and testing plan should drive the system testing and be
conducted against the system/data and technical requirements to ensure
the system is built to specification. System testing should also be
conducted against the user requirements (User Acceptance Test) to
ensure the system is operationally satisfactory. The prototype or pilot
concept also allows for refinements or adjustments based on user
feedback prior to a live implementation. The key output of this phase is
validation of the design prior to deployment.
6. IMPLEMENTATION AND TRAINING

Implementation includes all necessary activity to procure, receive, configure and install the hardware and software of the new or revised system. Implementation may also be limited to a new support process requiring a change in the business process. Training is conducted during this phase according to the training plan, which would have been developed in one or more of the previous phases. A transition or cut-over plan, including any required data conversion, will also be required to ensure a smooth transition to the new system without interrupting services. The development of appropriate documentation, such as manuals for operations and maintenance, is required for a successful transition. The impact of running old and new systems simultaneously should also be analyzed to determine whether there would be an excessive burden in operating expenses or personnel support. Testing also takes place in this phase and validates the usability of the system or support process through reports such as test analysis, security evaluations and system accreditation. System accreditation is the formal process for determining whether the system meets user expectations (user acceptance) as outlined by the user requirements. The key output of this phase is a successful transition to the new system with uninterrupted service.
7. MAINTENANCE AND SUPPORT

In this phase, a dedicated effort is undertaken to keep the system operating at an optimum level by conducting maintenance and enhancements as determined by periodic reviews. It also refers to the continuation of a support process. Changes in the environment, customer/user needs or technology may prompt business process improvement or reengineering initiatives to validate or revise the business process. Sustainment may also include changes to the system based on technology advancement and can be addressed through system enhancements or redesign initiatives. Continuous improvement is a requirement of the sustainment phase and shall be reviewed by identifying standards and measures of performance, and documented in project status reviews. Change management and quality assurance are also requirements in this phase, to ensure that the system configuration is documented in a thorough and accurate manner.

In summary, the SDLC is a systems approach to problem solving and is composed of several phases, each comprising multiple steps:
a) The software concept - identifies and defines a need for the new system
b) A requirements analysis - analyzes the information needs of the end users
c) The architectural design - creates a blueprint for the design with the necessary specifications for the hardware, software, people and data resources
d) Coding and debugging - creates and programs the final system
e) System testing - evaluates the system's actual functionality in relation to expected or intended functionality
f) Training & Implementation
g) Support & Maintenance

8. OPERATIONS AND MAINTENANCE PHASE

Identify Systems Operations
Operations support is an integral part of the day-to-day operations
of a system. In small systems, all or part of each task may be done
by the same person, but in large systems each function may be
done by separate individuals or even separate areas. The
Operations Manual is developed in previous SDLC phases. This
document defines tasks, activities and responsible parties and will
need to be updated as changes occur. Systems operations activities
and tasks need to be scheduled, on a recurring basis, to ensure
that the production environment is fully functional and is
performing as specified. See appendix for checklist.
Maintain Data / Software Administration
Data / Software Administration is needed to ensure that input data, output data and databases are correct and continually checked for accuracy and completeness. This includes ensuring that any regularly scheduled jobs are submitted and completed correctly. Software and databases should be maintained at (or near) the current maintenance level. The backup and recovery processes for databases are normally different from the day-to-day DASD volume backups. The backup and recovery of the databases should be done as a Data / Software Administration task by a data administrator. See appendix for checklist.
Identify Problem and Modification Process
Users need an avenue to suggest changes and report identified problems.
A User Satisfaction Review which can include a Customer
Satisfaction Survey shall be designed and distributed to obtain
feedback on operational systems to help determine if the systems
are accurate and reliable. Systems administrators and operators
shall make recommendations for upgrade of hardware,
architecture and streamlining processes.
Maintain System / Software
Daily operations of the system/software may necessitate that maintenance personnel identify potential modifications needed to ensure that the system continues to operate as intended and produces quality data. Daily maintenance activities for the system take place to ensure that any previously undetected errors are fixed. Maintenance personnel may determine that modifications to the system and databases are needed to resolve errors or performance problems. Modifications may also be needed to provide new capabilities or to take advantage of hardware upgrades or new releases of the system software and application software used to operate the system. New capabilities may take the form of routine maintenance or may constitute enhancements to the system or database in response to user requests for new/improved capabilities. A need for new capabilities may begin a new problem and modification process as described above.
Revise Previous Documentation

B. OUTSOURCED SOFTWARE DEVELOPMENT

Outsourced software development includes developing entirely new software and purchasing existing software that is subject to modification to suit the needs of the purchaser.
The procedure detailed in this policy provides the phase and process level to be employed by the bank in outsourcing software:

1. The Business Unit requiring automation shall submit its request to the IT Steering Committee for approval after the necessary endorsement by EXCO. The IT Steering Committee shall evaluate the proposed solution to ensure that it is appropriately defined and addresses the bank's need. The committee shall ensure that the process to be automated has no implicit confidential information that may be exposed to competitors if outsourced. On satisfactory examination, the IT Steering Committee approves the project and forwards it to the Software Development Committee.
2. The Software Development Team shall review the request and draft a
requirement specification for the application. In drafting the
requirement, the team and process owners shall collaborate to determine
which tasks to undertake to make the system a success. In the same vein,
the team shall evaluate the requirement and determine the
implementation modalities.
3. After establishing the Requirement Specification, the Software
Development Team shall draft a Request for Proposal (RFP) and identify
three (3) competent vendors based on their experience in the industry.
The team shall circulate the requirement specification to the chosen
vendors as the minimum requirement for the application. Note that the
vendors shall respond to the RFP within 2 weeks from the date of
circulation.
4. On receipt of responses from the vendors, the Software Development Team shall forward the responses to the Project Management team for evaluation. The Project Manager evaluates the cost-benefit analysis of the project to determine whether the project has a favourable return on investment.

5. On satisfactory evaluation, the Project Manager invites the vendors to make presentations based on the requirement specifications. The presentations shall be attended by the Software Development Team.
6. The Software Development Team shall rate the vendors using the Evaluation Sheet developed from the requirement specification. Upon identifying the successful vendor, the Project Manager seeks the approval of the Project Steering team for the engagement of the vendor. Note that the Project Manager shall draft a time plan by which the software development shall be concluded and ensure that the vendor strictly follows the time plan.
7. On receipt of the software from the vendor, the Software Development Team shall install the software in the production environment. At the end of the implementation, a User Acceptance Test (UAT) shall be conducted involving all stakeholders to evaluate the application for correctness and ensure that users' expectations have been satisfied as agreed in the requirement specification. The UAT shall also cover training of the process owner and other stakeholders by the vendor on the functionalities of the application. Note that the UAT shall be documented and signed off by all members of the Software Development Team, including the vendor.
8. The Group Head, Business Application Support shall seek PSC approval to deploy the software in the live environment. In addition, the Group Head, Business Application Support shall monitor the application and keep the system up to date with the changing environment.

APPENDIX
Operations and maintenance checklist

The following is a checklist of systems operations key tasks and activities:

Ensure that systems and networks are running and available during the defined hours
of Operations;
Implement non-emergency requests during scheduled Outages, as prescribed in the
Operations Manual;
Ensure all processes, manual and automated, are documented in the operating
procedures. These processes should comply with the system documentation;
Acquisition and storage of supplies (e.g. paper, toner, tapes, removable disks);
Perform backups (day-to-day protection, contingency);
Perform the physical security functions, including ensuring adequate UPS and that personnel have proper security clearances and proper access privileges, etc.;
Ensure contingency planning for disaster recovery is current and tested;
Ensure users are trained on current processes and new processes;
Ensure that service level objectives are kept accurate and are monitored;
Maintain performance measurements, statistics, and system logs. Examples of
performance measures include volume and frequency of data to be processed in each
mode, order and type of operations;
Monitor the performance statistics, report the results and escalate problems when they
occur.

Data/Software Administration tasks checklist

A checklist of Data / Software Administration tasks and activities is:

Performing a periodic verification/validation of data and correcting data-related problems;
Performing production control and quality control functions (job submission, checking and corrections);
Interfacing with other functional areas for day-to-day checking/corrections;
Installing, configuring, upgrading and maintaining database(s). This includes updating processes, data flows and objects;
Developing and performing data/database backup and recovery routines for data integrity and recoverability, and ensuring they are documented properly in the Operations Manual;
Developing and maintaining a performance and tuning plan for online processes and databases;
Performing configuration/design audits to ensure that software, system and parameter configurations are correct.

Subject: IT Change Management Procedures
PPS No.: PPS-DB-009
Effective Date:
Review Date:

IT CHANGE MANAGEMENT PROCEDURES


I. AFFECTS:

All changes to existing IT infrastructure.

II. PURPOSE

This document provides guidelines on the operation of the IT Change Advisory Board (ITCAB) and procedures for implementing any change to the existing IT and technical architecture in the bank. In addition, it describes the roles and responsibilities of all parties involved in the change process, the requirements for change request approval by the IT Change Advisory Board, and the approval process prior to implementation.
III. INTRODUCTION

The bank deploys new solutions or makes enhancements and modifications to its existing IT and technical infrastructure to address strategic, tactical, operational or regulatory needs and to accommodate changes in business models through a framework known as Change Management. IT Change Management is the process of defining, implementing and monitoring changes made to the technical architecture (software and hardware) to achieve a pre-defined target.
A request for change may originate from problem management, where an issue is identified and a mitigating change is necessary to prevent (or minimize) future effects. A request for change may also be necessary as a result of a business decision or due to outside influences from regulatory authorities (e.g. CBN regulations) that require modification to the existing software or hardware infrastructure.

IV. IT CHANGE ADVISORY BOARD GOALS

The overall goals of IT Change Management are:
1. Evaluation of a proposed change in terms of its benefit, its cost impact and risk to the systems, and the implications of the change for Diamond Bank
2. Alignment of all IT changes with overall strategic goals and business requirements
3. Minimizing the impact of changes on the quality of services, and therefore improving the ability to meet agreed operational level agreements
4. Contributing to cost reduction by measuring the process and identifying sources of problems and how to mitigate all risks
5. Contributing to value creation by ensuring that strategic changes to the business are realized and not negated by change.
V. IT CHANGE ADVISORY BOARD STRUCTURE

The IT Change Advisory Board (ITCAB) consists of representatives from each group in IT Services who have decision authority on the implementation of changes. ITCAB members should have a clear understanding of the IT Services business needs, technical development, support functions and IT environment. These representatives participate in the scheduled ITCAB meetings and support decisions on presented change requests. The membership shall include the following persons and representatives of the following service units/groups:
a) Chairman, IT Change Advisory Board
b) Head, CIO Office/IT Finance & Planning
c) Team Lead, IT Policy, Standards and Governance
d) Representative of Technology Solutions Unit
e) Representative of Alternative Delivery Channels Solutions
f) Representative of Service Delivery Management Group
g) Representative of System Engineering Group
h) Representative of Database Management Unit
i) Representative of Information Technology Operations Group.

The organisation and operations of the IT Change Advisory Board (ITCAB) are managed by a Secretariat. This Secretariat is also responsible for convening emergency change assessment meetings to review emergency changes. As such, the Secretariat is also called the Emergency Change Advisory Board (E-CAB). Its membership is made up of:
a) Chairman, Change Advisory Board
b) Team Lead, IT Policy, Standards and Governance
c) Head, CIO Office/IT Finance & Planning
d) Representative of Service Delivery Management Group
e) Representative of System Engineering Group.
VI. ROLES AND RESPONSIBILITIES

1. IT CHANGE ADVISORY BOARD
The Change Advisory Board shall be responsible for:
a) Ensuring a competent evaluation of the change request
b) Specifying criteria or conditions under which progress of the change (through development to implementation) might be reviewed or halted
c) Advising the Change Manager whether the request is approved or not, to ensure that there are no conflicts with ongoing changes
d) Carrying out the post-implementation review
e) Ensuring adherence to laid-down policies and procedures
f) Raising exceptions for non-compliance with policies and procedures

2. THE CHANGE INITIATOR
The Change Initiator shall be responsible for:
a) Initiating the Request for Change (RFC)
b) Completing all mandatory information for the Request for Change (RFC)
c) The Change Initiator shall be a member of IT staff in the initiating unit
3. THE CHANGE MANAGER
The Change Manager shall be responsible for:
a) Coordinating authorization of the change request
b) Notifying relevant stakeholders of the approval or rejection of the change request
c) The Change Manager shall be the Team Lead, Governance, Standards & Policy or any person acting in the capacity of Team Lead, Governance, Standards & Policy
4. THE CHANGE OWNER
The Change Owner shall be responsible for:
a) Verifying that all tests have been completed successfully
b) Obtaining approval for the change to be rolled into the production environment
c) Monitoring change execution
d) Performing the initial technical and business assessment of the requested change to the system
e) Ensuring that changes to be implemented are tested for compliance with the requirements of the business
f) Sending status feedback to the IT Change Advisory Board on the outcome of the change
g) The Change Owner shall be the Unit Head of the initiating unit
5. INTERNAL CONTROL
Internal Control shall be responsible for:
a) Participating in User Acceptance Testing
b) Ensuring adherence to laid-down policies and procedures
c) Raising exceptions for non-compliance with policies and procedures
d) Authorizing the change by signature on the program change form

6. ITCAB REPRESENTATIVES
ITCAB representatives shall be members of the IT Change Advisory Board and shall be responsible for:
a) Monitoring the ITCAB-assigned e-mail account for incoming messages
b) Distributing any messages to the ITCAB Secretariat and/or membership accordingly
c) Coordinating the awareness campaign on behalf of ITCAB
7. OPERATIONAL RISK MANAGEMENT
Operational Risk Management shall be responsible for:
a) Participating in User Acceptance Testing
b) Ensuring that changes do not compromise system security
c) Authorizing the change by signature on the program change form
VII. IT CHANGE ADVISORY BOARD COMMUNICATIONS

All change requests, current reports, communications and documents associated with the ITCAB will be provided on SharePoint. The ITCAB will have a unique e-mail address for communications relating to its change activities: itcab@diamondbank.com. Official ITCAB communications will be delivered from this e-mail account. The ITCAB representative shall monitor the ITCAB-assigned e-mail for incoming messages and distribute any messages to the ITCAB Secretariat and/or membership accordingly.
VIII. IT CHANGE ADVISORY BOARD MEETING

a) All requests to ITCAB shall be posted on the ITCAB SharePoint 24 hours (twenty-four hours) before the scheduled ITCAB meeting.
b) The change requests will be used to drive the ITCAB change review meeting and must be in the format specified on the ITCAB SharePoint.
c) Change implementation must happen in line with the scheduled weekly change calendar, except for emergency changes.
d) Any change request that is not stated in the weekly change calendar shall be considered an emergency change and must fulfil the criteria set for emergency changes before approval by the Emergency ITCAB.
e) ITCAB shall classify changes in three categories:
Normal: significant impact; must follow the normal change management procedure; significant changes requiring discussion.
Emergency: must be given absolute priority and carried out as soon as possible.
Standard: minimal impact; not requiring discussion. Questions or concerns with Low.

IX. CHANGE REQUEST PROCEDURES

For the ITCAB to properly review change requests, the requests should be made using the Change Request Form.
There are four major phases in the Change Management Process, namely:
Change Initiation: involves initiating and logging the change request.
Change Assessment: involves assessing the business and technical issues from both the business and users' points of view.
Change Authorization: involves authorization for the change to be implemented.
Change Implementation: involves the planning, scheduling and implementation of changes to Diamond Bank's IT infrastructure.

A. Change Initiation

A change request may be initiated by a process owner, a Diamond Bank vendor or IT Services staff, and such an individual shall be designated as the Change Initiator. The following procedures shall apply to change request initiation:

a) The Change Initiator completes the Change Request Form (hosted in the IT Services SharePoint portal) and sends the request to the Change Owner for change evaluation and assessment.

b) The Change Request Form shall include the following:
i. The impact on the customer's business
ii. The effect on SLAs, capacity, performance, reliability, resilience, contingency plans and security
iii. The impact on other services
iv. The impact on non-IT infrastructure
v. The effect of not implementing the change
vi. IT, business and other resources required
vii. Any additional ongoing resources required after the change

B. Change Assessment

The change assessment phase is divided into sub-processes as detailed below:

Change Evaluation and Assignment
The Change Owner performs an initial evaluation of the request to confirm the relevance of the request and determine whether the change is within the scope of the system. Upon satisfactory evaluation, the Change Owner shall take responsibility for the technical development of the change.
Change Assessment
a) The Change Owner performs an initial review and evaluation of the change request to determine the scope and technical feasibility of the request. In performing the evaluation, the Change Owner may liaise with relevant parties such as the users, business areas, technical areas and external parties (e.g. customers, vendors, partners, etc.).
b) A change recommended to Diamond Bank systems by any of the vendors MUST be supported by documentation from the Service Provider. Such a change request shall be reviewed by the concerned unit and approved for implementation by ITCAB.
c) On satisfactory review, the Change Owner shall take responsibility for the technical development of the change.
Change Authorisation
The purpose of change authorization is for the IT Change Advisory Board to evaluate the change in terms of cost, benefit and risks to the operation of the bank and to authorize the change to be implemented. Authorisation shall be performed by the IT Change Advisory Board.

a) On receipt of the request, the IT Change Advisory Board reviews the change request to identify whether the request is practicable, desirable and complete, and to determine whether to proceed with, reject or defer the request.

b) To ensure that a change does not affect and is not affected by other changes, the IT Change Advisory Board must review all changes using the Service Architecture & Technology document.

c) The Service Architecture & Technology document shall contain the list of all live services currently running in the production environment, the configuration items that support them, dependencies on other services and the software/operating system of the configuration items.

d) The Service Architecture & Technology documentation shall be managed by the Service Delivery Management group and must be updated as services/changes are deployed to the production environment.

e) In reviewing the request, the board shall consider the following details:
The impact on the customer's business
The effect on SLAs, capacity, performance, reliability, resilience, contingency plans and security
The impact on other services
The impact on non-IT infrastructure
The effect of not implementing the change
IT, business and other resources required
Any additional ongoing resources required after the change

f) The IT Change Advisory Board shall allocate an initial priority to the request (Appendix 1).
g) Where the outcome of the review is not satisfactory, the IT Change Advisory Board shall reject the request and notify the Change Initiator via e-mail, stating the reasons for rejection.

h) The Change Initiator has the right of appeal against rejection, and such cases shall be referred to the Head, IT Services or any person acting in the capacity of the Head, IT Services for consideration.

i) Where the outcome of the review is satisfactory, the IT Change Advisory Board approves the request and shall notify the Change Initiator via e-mail, stating the change reference number.

j) The Change Initiator completes the Program Change Form (hosted in the IT Services SharePoint portal) and obtains the approval of his/her line supervisor.

k) The Change Manager registers the PCF in a dedicated register.

l) The Change Initiator/Change Owner shall ensure that the following approval authorities sign off the Program Change Form before the implementation of the change:
Group Head, Operational Risk Management
Head, Internal Control
Head, Corporate Audit Group
Head, IT Services
Head, Customer Service & Technology or any other person acting in the capacity of Head, Customer Service & Technology

C. Change Implementation

Change Implementation is divided into sub-processes as detailed below:


Change Build
The purpose of the Change Build is to deploy a duly tested build into the production environment. The objective is to perform and monitor all relevant actions to ensure that implementation of the proposed change is free of defects.
Release Management
Release Management specifically relates to changes, in most cases, that provide additional functionality or resolve identified issues that have a business impact (see appendix).
The purpose of Release Management is to verify that all change details are completed and to adhere to the scheduled date and time within the Release Plans. The objective is to ensure that the change meets all of the change management criteria and that there is no schedule conflict.
The Change Owner shall ensure the following:

a) The Change Owner shall submit the master copies of all software media for all vendor-related change implementations in the production environment. This software must be stored in the physical store of the definitive media library (DML).

b) The logical store of the definitive media library shall contain an index of all software, releases and versions, and shall highlight where the physical media can be located. The definitive media library shall be managed by the Team Lead, Policy, Standard & Governance.

c) All software developed within Diamond Bank shall be stored in the logical store, from where its control and release is managed.

d) All releases to the production environment for all applications developed within Diamond Bank shall be versioned, and subsequent enhancements must be controlled and versioned before deployment to the production environment.

e) ITCAB shall ensure that technical documentation, inclusive of the requisite data dictionaries for all applications developed in-house, is available before approval for implementation of a change to the production environment.

f) The soft copies of this technical documentation, inclusive of configuration item settings, shall be stored in the logical store of the definitive media library by the Team Lead, Policy, Standard & Governance.

g) Changes that have a business impact classification other than v (see appendix 2-v) shall be communicated to users via the Service Desk or ITCAB.

h) The test environment shall be used for developing the changes before releasing them to the production environment.
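The Release Management items above amount to a gate: before a release reaches production it must be indexed in the definitive media library, carry a version newer than what is live, have been built in the test environment, have its technical documentation filed, carry ITCAB approval and bear the sign-offs of the authorities listed under Change Authorisation. The Python block below is an added example, not Diamond Bank's own tooling, that encodes those controls as a policy-as-code check and runs it against a constructed compliant and non-compliant change record. The record field names, the "payments-gateway" application, the shelf locations and the SHA-256 integrity check on the release artefact are assumptions that the policy text does not state.

```python
# Added example (not Diamond Bank's tooling): a release gate for the DML, versioning
# and sign-off controls above. Field names and all sample data are constructed.
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Approval authorities that must sign the Program Change Form (section IX.B, item l).
REQUIRED_SIGNOFFS = frozenset({
    "Group Head, Operational Risk Management", "Head, Internal Control",
    "Head, Corporate Audit Group", "Head, IT Services", "Head, Customer Service & Technology",
})

def parse_version(tag: str) -> Tuple[int, ...]:
    """Turn a dotted release tag such as '2.3.1' into a tuple that compares numerically."""
    parts = tag.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version tag: {tag!r}")
    return tuple(int(p) for p in parts)

@dataclass(frozen=True)
class DMLEntry:
    """One row of the DML logical index (item b); sha256 is an assumed integrity control."""
    application: str
    version: str
    sha256: str             # hex digest of the release artefact
    physical_location: str  # where the master media sits in the physical store (item a)
    docs_present: bool      # technical documentation and data dictionary filed (items e, f)

class DefinitiveMediaLibrary:
    """Logical store: index of every release plus the version currently live per application."""
    def __init__(self) -> None:
        self._index: Dict[Tuple[str, str], DMLEntry] = {}
        self._live: Dict[str, str] = {}

    def register(self, entry: DMLEntry) -> None:
        key = (entry.application, entry.version)
        if key in self._index:
            raise ValueError(f"{key} already indexed; a release is never overwritten in place")
        self._index[key] = entry

    def lookup(self, application: str, version: str) -> Optional[DMLEntry]:
        return self._index.get((application, version))

    def mark_live(self, application: str, version: str) -> None:
        if (application, version) not in self._index:
            raise ValueError("only an indexed release may be recorded as live")
        self._live[application] = version

    def live_version(self, application: str) -> Optional[str]:
        return self._live.get(application)

def evaluate_release(change: dict, dml: DefinitiveMediaLibrary, artefact: bytes) -> List[str]:
    """Return the policy violations found for a change; an empty list means it may proceed."""
    problems: List[str] = []
    app, ver = change["application"], change["version"]
    entry = dml.lookup(app, ver)
    if entry is None:
        problems.append("release is not registered in the DML logical index")
    else:
        if hashlib.sha256(artefact).hexdigest() != entry.sha256:
            problems.append("artefact hash does not match the DML index entry")
        if not entry.docs_present:
            problems.append("technical documentation / data dictionary missing from the DML")
    try:  # item d: releases are versioned and must move forward, never sideways or back
        live = dml.live_version(app)
        if live is not None and parse_version(ver) <= parse_version(live):
            problems.append(f"version {ver} is not newer than live version {live}")
    except ValueError as exc:
        problems.append(str(exc))
    if not change.get("built_in_test_environment", False):  # item h
        problems.append("change was not developed in the test environment")
    if not change.get("itcab_approved", False):              # item e
        problems.append("ITCAB approval not recorded")
    missing = REQUIRED_SIGNOFFS - set(change.get("signoffs", ()))
    if missing:
        problems.append("Program Change Form not signed by: " + ", ".join(sorted(missing)))
    return problems

# Constructed sample data: a DML with 1.4.0 live and 1.5.0 indexed, and two change records.
SAMPLE_ARTEFACT = b"constructed release bundle: payments-gateway 1.5.0"

def build_sample_dml() -> DefinitiveMediaLibrary:
    dml = DefinitiveMediaLibrary()
    for version, blob in (("1.4.0", b"constructed release bundle: payments-gateway 1.4.0"),
                          ("1.5.0", SAMPLE_ARTEFACT)):
        dml.register(DMLEntry("payments-gateway", version, hashlib.sha256(blob).hexdigest(),
                              "DML cabinet A, shelf 2", True))
    dml.mark_live("payments-gateway", "1.4.0")
    return dml

COMPLIANT_CHANGE = {"application": "payments-gateway", "version": "1.5.0",
                    "built_in_test_environment": True, "itcab_approved": True,
                    "signoffs": sorted(REQUIRED_SIGNOFFS)}

# Re-deployment of the live version with the wrong artefact, no test evidence
# and only three of the five required signatures.
NON_COMPLIANT_CHANGE = {"application": "payments-gateway", "version": "1.4.0",
                        "built_in_test_environment": False, "itcab_approved": True,
                        "signoffs": ["Head, IT Services", "Head, Internal Control",
                                     "Head, Corporate Audit Group"]}
```

A gate of this kind earns its keep when it runs automatically in the deployment pipeline, so that a release missing a signature, reusing a version number or shipping an artefact other than the one indexed in the DML is refused before the change window rather than discovered at the post-implementation review.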
Change Notification

One of the more critical elements of the Change Management Process is keeping all affected stakeholders advised of the status of the change. The Change Manager shall be responsible for notifying relevant stakeholders and shall carry out the following to ensure appropriate change notification:
a) E-mail advice is to be sent to the Change Owner, Change Initiator, users and other stakeholders.
b) Notifications are to be sent, where appropriate, to Nominated Clients and Users through ITCAB or the Service Desk Bulletin.
Transition of Change to Production
The purpose of the Change Transition is to manage and monitor the transition of changes into the pre-production and/or production environment(s). The use of the pre-production environment is specific to the core banking application or other third-party applications used in the Bank. Pre-production transition involves migration of changes from the test environment to back-up and then to the production environment, while production transition involves migration of changes from the test to the production environment.
Note: Where a change involves a product that has a Nominated Client (third parties or vendors whose products directly impact the bank's service delivery), appropriate notices and consultation with Users shall be facilitated before such changes are developed or implemented.
The objective is to monitor the implementation status to ensure that the implementation is being executed in accordance with the plan and the schedule.
D. Reviews for Failed Changes

A review of why a change failed shall be carried out by the IT Change Advisory Board to determine the following:
a) What was the cause of the failure?
b) Was the implementation plan followed correctly?
c) Was the implementation plan documented correctly?
d) Why was the problem not identified during testing?
e) Did the rollback plan work correctly?
f) What follow-up action is required?

E. Procedure for Handling Urgent (Unplanned) Changes

The frequency of urgent change requests shall be minimised as much as possible. This is to ensure that IT changes provide the target benefit, as urgent changes are usually disruptive and prone to failure. However, urgent changes are sometimes required to prevent future adverse effects.
a) The Emergency IT Change Advisory Board shall review all emergency change requests.
b) The Emergency IT Change Advisory Board shall perform the initial prioritization and determine whether a change is an urgent change. The following criteria shall apply to changes classified as emergency changes:

Diamond Bank

Business Process
Assurance
Page 72 of 176

Subject:

Business Continuity Planning Policy

August 5, 2015

o Any change required within 24 hours of the event to correct a Priority 1 or 2 incident arising from an
unplanned event is considered an emergency change.
o An Executive Management decision which needs immediate action.

For the sake of clarity, the following will not be considered emergency changes:
o Any change for which formal approval had previously been obtained to implement in the test
environment
o Any change required to conform to decisions/mandates given by regulatory authorities for which
at least 7 business days' notice had been given to the Bank
o Any change requested by the business to meet short deadlines (72 hours or less) not previously
communicated to IT Services. This is to ensure that the inability of a project team to plan does not
constitute an emergency on the part of IT Services as regards implementation.
Please note the following regarding the emergency change procedure:
o Emergency changes can be implemented prior to the creation and submission of the change
request.
o A change request describing the emergency change must be submitted within 1 business day
after the implementation.

c) Upon notification of an emergency change by the Change Initiator or Change Owner, the Change Manager or
the Chairman of the IT Change Advisory Board shall convene a virtual meeting of all Emergency IT Change
Advisory Board members to review and approve the change.
d) The ECAB assesses the business impact and resources required, and confirms the level of urgency upon
satisfactory assessment.
e) If the change is approved, the Change Manager shall notify the Change Owner to implement the change.
f) The Change Owner co-ordinates change implementation.
g) The Change Owner ensures a well-documented back-out plan is maintained.
h) The Change Owner documents the post-implementation impact and sends a report to the Change Advisory
Board.
Appendix 1
Priority
The term priority is used to indicate an urgency and / or timeframe expected in response to a change request.
Four levels of priority are defined which are:
i. Critical
A severe error in an IT system causing shutdown or service outage, loss in income
ii. High Priority
A serious error in an IT system that interferes with the operation of the system but does not actually
prevent its use or operation
iii. Medium Priority
An error in an IT system where alternative solutions are available that are acceptable temporarily
iv. Low Priority
Imperfections in the use of IT based screens, Help text, documentation or improvements or suggestions to
IT facilities that have no significant effect on the use or operation of the system.
Appendix 2
Business Impact
The term Business Impact is used to specifically indicate the impact the change has on the IT facilities and
the service delivery. Five categories of Business Impact are defined and these are:
i. Business Impact (Unscheduled Outage)
Fault only: A fault has stopped or will stop a component of the Business systems and no work-around is
available that can be quickly and securely implemented. A fix is required within 24 hours.
ii. Business Impact (Workaround Exists)
Fault or Change: A fault has stopped or will stop a component of the Business systems, or has significant
business implications to the Business, or Diamond Bank has implemented a change that has affected one
or more users, and a workaround is available that can be quickly and securely implemented. The fix is
required within 14 days.
iii. Business Impact (Scheduled Outage / Scheduled Release)
Fault or Change: The request is to fix a system, network or service fault, or to add new functionality. The
request will be implemented in the next planned release.
iv. Business Impact (Not Critical)
Change or Observation only: The issue is not critical and has no significant effect on the use or operation
of the system. A fix may be taken up in a future release.
v. Business Impact None
Change or Observation, which has no impact on the Business

Subject: IT Services Document Management Procedures
PPS No.: PPS-DB-010
Effective Date:
Review Date:

IT SERVICES DOCUMENT MANAGEMENT PROCEDURES

X. AFFECTS:
All Staff of IT Services

XI. PURPOSE
This document provides guidelines for the management (filing, storage and retrieval) of
documents within the IT Services division.

XII. INTRODUCTION

Documents play a critical role in the IT Services division and, as such, a definitive and standardized
process for their management is critical to ensure their continuous availability, integrity and
usability.
This procedure guideline is in place for the management of the Division's/Bank's documents. This
includes SLA documents, application documentation, vendor documents, etc.

XIII. OWNERSHIP

The CIO Office shall be the custodian of all documents, as they are required for the continuous
running of the division.

XIV. PRINCIPLES


a) All documents must be arranged in their respective files and stored in the provided file cabinets.
b) All files must be labelled clearly to reflect the filename, type of documents, version and date.
c) The pages of the documents within each file must be numbered sequentially (from oldest
document to newest). As newer documents are added, they are assigned numbers accordingly.
d) A register must be opened to capture an inventory of all files/folders warehoused in the file
cabinet and must be updated accordingly when new files are opened.
e) A log must also be maintained for tracking collection and return of documents or files/folders by
requesting parties. This must capture the date of collection, title of document/file collected, name
and signature of collector, and date and sign-off upon return.
f) A log must be maintained for recording documents submitted by members of staff to the Team
Lead, IT Policy, Standard & Governance for filing. This log must capture the date of submission,
title of document submitted, name and signature of staff, and sign-off by the Team Lead, IT Policy,
Standard & Governance.
g) The file cabinet shall be demarcated into four sections according to the respective groups in IT
Services: Technology & Business Solution, System Engineering, Service Delivery Management and
IT Operations.
h) As a standard, files shall be opened per vendor and each file shall be demarcated into two sections
by a separator; the first section shall contain correspondence with the vendor while the second
section shall contain application documentation.
i) Only the CIO Office shall have custody of the key or access to the file cabinets, which shall be
locked at all times.
j) The CIO Office shall be held accountable for the day-to-day management of the filing system.
k) The CIO Office should flag any document taken and not returned after one month.
l) On no account should an entire folder be given out to anybody without the approval of the Team
Lead, IT Policy, Standard & Governance.
m) All document requests are to be made to the Team Lead, IT Policy, Standard & Governance. All
documents in the file must be numbered to ensure easy tracking of documentation.
n) All in-house developed applications shall be grouped and their documentation filed as stated in
(h) above.

XV. PROCEDURES
a. All requests for creation of new files must be made to the CIO Office.
b. Upon receipt, the Team Lead, IT Policy, Standard & Governance creates the new file, labels it and
updates the inventory register accordingly.
c. Parties requiring filing of their documents are to submit their document to the Team Lead, IT
Policy, Standard & Governance, who upon receipt logs the document; both parties then sign off
accordingly.
d. The Team Lead, IT Policy, Standard & Governance inserts the document in the respective file and
updates the file numbering by appending the respective page numbers to the newly inserted
documents.
e. Staff request the required file (document) from the Team Lead, IT Policy, Standard & Governance,
who provides it. However, before release of the document, the Team Lead, IT Policy, Standard &
Governance must ensure the request is logged appropriately in the respective register.
f. Upon return of the document collected, the staff member signs off the collection register
accordingly, while the Team Lead, IT Policy, Standard & Governance takes the document and
inserts it back into the respective file, taking cognisance of the page numbers during insertion.

XVI.

ROLES AND RESPONSIBILITIES

8. IT STAFF
1. All requests/returns are to be made following the laid out procedure above.
2. Ensure proper execution of the respective sign off registers to enable tracking and
provide for non-repudiation.
9. THE CIO OFFICE
1. The CIO Office shall own the file management process and shall be responsible for the
management of all documents for the IT Services division.
2. Ensure compliance with the approved procedure.
3. Review the efficiency and effectiveness of the process and advise changes where
necessary.

Subject: Uninterruptible Power Supply (UPS) Usage Policy
PPM No.: PPM-CSD-011
Effective Date:
Review Date:

DRAFT COPY IS BEING REVIEWED BY BPA FOR FINAL APPROVAL

Subject: Software: Acceptable Use Policy
PPM No.: PPM-CSD-012
Effective Date:
Review Date:

DRAFT COPY IS BEING REVIEWED BY BPA FOR FINAL APPROVAL

Subject: Acceptable Use of Diamond Bank Systems Policy
PPS No.: PPS-DB-013
Effective Date:
Review Date:

DRAFT COPY IS BEING REVIEWED BY BPA FOR FINAL APPROVAL

Subject: Data Center Policy and Procedures
PPS No.: PPS-DB-014
Effective Date:
Review Date:

DRAFT COPY IS BEING REVIEWED BY BPA FOR FINAL APPROVAL

Subject: Information Security Policies
PPM No.: PPM-CSD-015
Effective Date:
Review Date:

BEING DEVELOPED BY OPERATIONAL RISK

Subject: Information Security Framework
PPM No.: PPM-CSD-016
Effective Date:
Review Date:

DRAFT COPY IS BEING REVIEWED BY THE BUSINESS FOR FINAL APPROVAL

Subject: Business Continuity Planning
PPM No.: PPM-CSD-017
Effective Date:
Review Date:

REVISION: COMPLETE __X__ PARTIAL _____
SUBJECT: BUSINESS APPLICATION - BUSINESS CONTINUITY PLANNING
SERIAL #: 270-07
PAGE #47 of 129
AREA CORRECTED: VARIOUS
ISSUED DATE: JUNE 1, 2007
EFFECTIVE DATE: JUNE 1, 2007
SUPERSEDES/REPLACES: N/A
FORM NUMBER: 270-008

I. AFFECTS:
All staff.
II. PURPOSE
The objectives of a Business Continuity Plan (BCP) are to minimize
financial loss to the bank; continue to serve customers and mitigate the
negative effects disruptions can have on the bank's strategic plans,
reputation, operations, liquidity, credit quality, market position, and
ability to remain in compliance with applicable laws and regulations.
III. INTRODUCTION
Business continuity planning is the process whereby the bank ensures
the maintenance or recovery of operations, including services to
customers, when confronted with adverse events such as natural
disasters, technological failures, human error, or terrorism.
This BCP document is set out in two (2) parts. The first part provides
general framework containing policies guiding the business continuity
process, while the second part provides specific procedures for handling
business continuity issues in the bank.
PART ONE GENERAL POLICY STATEMENTS:
Diamond Bank shall adopt a process-oriented approach to business
continuity planning that involves:
1 Business impact analysis (BIA);
2 Risk assessment;
3 Risk management; and
4 Risk monitoring.
BUSINESS IMPACT ANALYSIS
The bank's Business Impact Analysis (BIA) shall include:
Identification of the potential impact of uncontrolled, non-specific
events on the bank's
business processes and its customers;
Consideration of all departments and business functions, not just data
processing; and
Estimation of maximum allowable downtime and acceptable levels of
data, operations, and financial losses.
The BIA phase identifies the potential impact of uncontrolled, non-specific events on the bank's business processes. The BIA phase
shall also determine what and how much is at risk by identifying critical
business functions and prioritizing them. It shall estimate the maximum
objectives and backlogged transactions, and the costs associated with
downtime. Management shall establish recovery priorities for business
processes that identify essential personnel, technologies, facilities,
communications systems, vital records, and data. The BIA shall also
consider the impact of legal and regulatory requirements such as the
privacy and availability of customer data and required notifications to the
regulatory authorities and customers when facilities are relocated.
When determining the bank's critical needs, reviews shall be conducted
for all functions, processes, and personnel within each Unit. Each unit
shall document the mission critical functions performed. Units shall
consider the following questions:
What specialized equipment is required and how it is used?
How would the department function if network and/or Internet access
were not available?
What single points of failure exist and how significant are those risks?
What are the critical outsourced relationships and dependencies?
What is the minimum number of staff and space that would be
required at a recovery site?
What special forms or supplies would be needed at a recovery site?
What communication devices would be needed at a recovery site?
What critical operational or security controls require implementation
prior to recovery?
Is there any potential impact from common recovery sites serving
multiple lines of business or departments?
Have employees received cross training and has the department
defined back-up functions/roles employees shall perform if key personnel
are not available?
Are emotional support and family care needs adequately considered?

RISK ASSESSMENT
The risk assessment shall include:
A prioritizing of potential business disruptions based upon severity
and likelihood of occurrence;
A gap analysis comparing the bank's existing BCP to what is necessary
to achieve recovery time and point objectives; and
An analysis of threats based upon the impact on the bank, its
customers, and the financial markets, not just the nature of the threat.

During the risk assessment step, the bank shall develop realistic threat
scenarios that may potentially disrupt its business processes and ability
to meet clients' expectations (internal, business partners, or customers).
Threats can take many forms, including malicious activity as well as
natural and technical disasters. Where possible, the bank shall analyze a
threat by focusing on its impact on the bank, not the nature of the threat.
For example, the effects of certain threat scenarios can be reduced to
business disruptions that affect only specific work areas, systems,
facilities (i.e., buildings), or geographic areas. Additionally, the
magnitude of the business disruption shall consider a wide variety of
threat scenarios based upon practical experiences and potential
circumstances and events.
The risk assessment considers:
The impact of various business disruption scenarios on both the bank
and its customers;
The probability of occurrence based, for example, on a rating system
of high, medium, and low;
The loss impact on information services, technology, personnel,
facilities, and service providers from both internal and external sources;
The safety of critical processing documents and vital records; and
A broad range of possible business disruptions, including natural,
technical, and human threats.
When assessing the probability of a specific event occurring, the bank
and its technology service providers shall consider the geographic
location of facilities and their susceptibility to natural threats (e.g.,
location in a flood plain), and the proximity to critical infrastructures
(e.g., power sources, nuclear power plants, airports, points of interest,
major highways, railroads).
The risk assessment shall include the entire bank or service provider's
locations and facilities. Worst-case scenarios, such as destruction of the
facilities and loss of life, shall be considered. At the conclusion of this
phase, the bank will have prioritized business processes and estimated
how they may be disrupted under various threat scenarios.
RISK MANAGEMENT
Risk management is the development of a written, enterprise-wide BCP.
The bank shall ensure that the BCP is:
Written and disseminated so that various groups of personnel can
implement it in a timely manner;
Specific regarding what conditions shall prompt implementation of the
plan;
Specific regarding what immediate steps shall be taken during a
disruption;
Flexible to respond to unanticipated threat scenarios and changing
internal conditions;
Focused on how to get the business up and running in the event that a
specific facility or function is disrupted, rather than on the precise nature
of the disruption; and
Effective in minimizing service disruptions and financial loss.
In summary, the BCP (written after the steps highlighted above) shall be
focused on maintaining, resuming, and recovering the bank's operations
after a disruption. Specific scenarios shall include how the bank would
respond if:
Critical personnel are not available;
Critical buildings, facilities, or geographic regions are not accessible;
Equipment malfunctions (hardware, telecommunications, operational
equipment);
Software and data are not accessible or are corrupted;
Vendor assistance or service provider is not available;
Utilities are not available (power, telecommunications); and

Critical documentation and/or records are not available.


The business continuity coordinator or team shall facilitate the
identification of risk and the development of risk mitigation strategies
across business areas. Internal causes of interdependencies can include
line of business dependencies, telecommunication links, and/or shared
resources (i.e., print operations or e-mail systems). External sources of
interdependencies that can negatively impact a business continuity plan
can include telecommunication providers, service providers, customers,
business partners and suppliers.
OTHER ISSUES
In addition to documenting BCPs, other policies, standards and practices
shall address continuity and availability considerations. These include
Systems Development Life Cycle (SDLC), Change Control, and Data
Synchronization.
SYSTEMS DEVELOPMENT LIFE CYCLE
As part of the SDLC process, the bank shall incorporate business
continuity considerations into project plans.
During the development and acquisition of new systems, SDLC standards
and project plans shall address, at a minimum, issues such as:
Business unit requirements for resumption and recovery alternatives;
Information on back-up and storage;
Hardware and software requirements at recovery locations;
BCP and documentation maintenance;
Disaster recovery testing; and
Staffing and facilities.
CHANGE CONTROL
Change management and control policies and procedures shall
appropriately address changes to the operating environment. Just as all
program changes shall be fully authorized and documented, business
continuity considerations shall be included in the change control process
and implementation phase.
Whenever a change is made to an
application, operating system, or utility that resides in the production
environment, a methodology shall exist to ensure all back-up copies of
those systems are updated to reflect the new environment. In addition, if
a new or changed system is implemented and results in new hardware,
capacity requirements, or other technology changes, management shall
ensure the BCP is updated and the recovery site can support the new
production environment.
DATA SYNCHRONIZATION
Data synchronization can become a challenge when dealing with an
active/back-up environment. If back-up copies are produced as of the
close of a business day and a disruption occurs relatively late the next
business day, all the transactions that took place after the back-up copies
were made would have to be recreated, perhaps manually, in order to
synchronize the recovery site with the primary site.
Management and testing of contingency arrangements are critical to
ensure the recovery environment is synchronized with the primary work
environment.
This testing includes ensuring software versions are
current, interfaces exist and are tested, and communication equipment is
compatible. If the two locations, underlying systems, and interdependent
business units are not synchronized, there is the likely possibility that
recovery at the back-up location could encounter significant problems.
Proper change control, information back up, and adequate testing can
help avoid this situation. In addition, management shall ensure the back-up facility has adequate capacity to process transactions in a timely
manner in the event of a disruption at the primary location.
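The synchronization gap described above, as an added example that is not part of the Diamond Bank policy: after restoring the nightly back-up at the recovery site, the transactions posted after the back-up time are replayed from the journal, and the result is checked against a digest of the primary site's ledger so an incomplete replay is caught before the recovery site goes live. All function names, journal entries and balances are constructed for illustration.

```python
"""Added example (not part of the Diamond Bank policy): replaying the
transaction gap between the last back-up and a disruption so that the
recovery site is synchronized with the primary site. All names, the
journal entries and the balances below are constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime
import hashlib
import json


@dataclass(frozen=True)
class Txn:
    txn_id: str
    posted_at: datetime
    account: str
    amount: int  # minor currency units; negative for debits


def snapshot_digest(balances: dict) -> str:
    """Canonical SHA-256 over the balance set, used to compare primary and
    recovery state regardless of dictionary ordering."""
    canonical = json.dumps(balances, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def transactions_to_replay(journal, backup_time: datetime) -> list:
    """Transactions posted after the back-up was taken, in posting order.
    These are exactly the ones the back-up copy does not contain."""
    gap = [t for t in journal if t.posted_at > backup_time]
    return sorted(gap, key=lambda t: (t.posted_at, t.txn_id))


def apply_transactions(balances: dict, txns) -> dict:
    """Apply transactions to a copy of the balances; rejects duplicate ids so
    a journal replayed twice cannot double-post."""
    result = dict(balances)
    seen = set()
    for t in txns:
        if t.txn_id in seen:
            raise ValueError(f"duplicate transaction {t.txn_id} in replay")
        seen.add(t.txn_id)
        result[t.account] = result.get(t.account, 0) + t.amount
    return result


def resync_recovery_site(backup_balances, backup_time, journal, primary_digest):
    """Restore from back-up, replay the gap, and confirm the recovery site now
    matches the primary ledger digest. Returns (balances, replayed_ids)."""
    gap = transactions_to_replay(journal, backup_time)
    recovered = apply_transactions(backup_balances, gap)
    if snapshot_digest(recovered) != primary_digest:
        raise RuntimeError("recovery site does not match primary after replay")
    return recovered, [t.txn_id for t in gap]


# Constructed sample data: nightly back-up at 18:00, disruption the next afternoon.
BACKUP_TIME = datetime(2015, 8, 4, 18, 0)
BACKUP_BALANCES = {"ACC-001": 100_000, "ACC-002": 25_000}  # already reflects T-100
JOURNAL = [
    Txn("T-100", datetime(2015, 8, 4, 17, 45), "ACC-001", -5_000),   # in the back-up
    Txn("T-101", datetime(2015, 8, 5, 9, 10), "ACC-001", -20_000),   # after the back-up
    Txn("T-102", datetime(2015, 8, 5, 9, 10), "ACC-002", 20_000),
    Txn("T-103", datetime(2015, 8, 5, 15, 55), "ACC-003", 7_500),    # account opened today
]
# Primary site's balances at the moment of the disruption (constructed).
PRIMARY_BALANCES = {"ACC-001": 80_000, "ACC-002": 45_000, "ACC-003": 7_500}
PRIMARY_DIGEST = snapshot_digest(PRIMARY_BALANCES)

if __name__ == "__main__":
    balances, replayed = resync_recovery_site(
        BACKUP_BALANCES, BACKUP_TIME, JOURNAL, PRIMARY_DIGEST)
    print("replayed:", replayed)
    print("recovery site balances:", balances)
```

The digest comparison is what turns "we restored the tape" into evidence that the recovery site is actually current; in practice the primary digest would be captured by the same change-controlled process that produces the back-up, and the duplicate check guards the manual re-keying the policy text anticipates.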
EMPLOYEE TRAINING AND COMMUNICATION PLANNING
Management shall provide business continuity training for personnel to
ensure all parties are aware of their responsibilities should a disaster
occur. Key employees shall be involved in the business continuity
development process, as well as periodic training exercises. The training
program shall incorporate enterprise-wide training as well as specific
training for individual business units. Employees shall be aware of which
conditions call for implementing all or parts of the BCP, who is
responsible for implementing BCPs for business units and the bank, and
what to do if these key employees are not available at the time of a
disaster.
Cross training shall be utilized to anticipate restoring
operations in the absence of key employees. Employee training shall be
regularly scheduled and updated to address changes to the BCP.
Communication planning shall identify alternate communication
channels to utilize during a disaster, such as cell phones, e-mail, or two-way radios. An emergency telephone number, e-mail address, and
physical address list shall be provided to employees to assist in
communication efforts during a disaster. The list shall provide all
alternate numbers since one or more telecommunications systems could
be unavailable. Additionally, the phone list shall provide numbers for
vendors, emergency services, transportation, and regulatory agencies.
Further, the bank shall establish reporting or calling locations to assist
them in accounting for all personnel following a disaster.
The bank shall consider developing an awareness program to let
customers, service providers, and regulators know how to contact the
bank if normal communication channels are not in operation. The plan
shall also designate personnel who will communicate with the media,
government, vendors, and other companies and provide for the type of
information to be communicated.
INSURANCE
Insurance is commonly used to recoup losses from risks that cannot be
completely prevented. Generally, insurance coverage is obtained for risks
that cannot be entirely controlled, yet could represent a significant
potential for financial loss or other disastrous consequences. The
decision to obtain insurance shall be based on the probability and degree
of loss identified during the BIA. The bank shall determine potential
exposure for various types of disasters and review the insurance options
available to ensure appropriate insurance coverage is provided.
Management shall know the limits and coverage detailed in insurance
policies to make sure coverage is appropriate given the risk profile of the
bank. The bank shall perform an annual insurance review to ensure the
level and types of coverage are commercially reasonable, and consistent
with any legal, management, and board requirements. Also, the bank
shall create and retain a comprehensive hardware and software
inventory list in a secure off-site location in order to facilitate the claims
process.
Nevertheless, the bank shall be aware of the limitations of insurance.
Insurance can reimburse the bank for some or all of the financial losses
incurred as the result of a disaster or other significant event. However,
insurance is by no means a substitute for an effective BCP, since its
primary objective is not the recovery of the business. For example,
insurance cannot reimburse the bank for damage to its reputation.
GOVERNMENT AND COMMUNITY
The bank may need to coordinate with community and government
officials and the news media to ensure the successful implementation of
the BCP. Ideally, these relationships shall be established during the
planning or testing phases of business continuity planning. This
establishes proper protocol in case a city-wide or region-wide event
impacts the bank's operations.
RISK MONITORING
Risk monitoring is the final step in business continuity planning. It shall
ensure that the bank's BCP is viable through:
Testing the BCP at least annually;
Subjecting the BCP to independent audit and review; and
Updating the BCP based upon changes to personnel and the internal
and external environments.
OVERALL TESTING STRATEGY
The development of testing strategies requires a business decision
regarding the level and frequency of testing needed to ensure recovery
objectives can be achieved during a business interruption or disaster.
The frequency and complexity of testing is based on the risks to the
bank. Unmanned recovery testing, where back-up tapes are sent to the
recovery site to be run by service provider employees, is not a sufficient
test of the bank's BCP. Additional testing of other aspects of the BCP
shall be performed to the extent feasible.
Testing strategies shall detail the conditions and frequency for testing
applications and business functions, including the supporting information
processing. The strategy shall include test objectives, scripts, and
schedules, as well as provide for review and reporting of test results.
Management shall ensure recovery testing is conducted at least annually,
or more frequently, depending on the operating environment and
criticality of the applications and business functions.
Management shall evaluate the risks and merits of various types of
testing and develop strategies based on identified resumption and
recovery needs. The business continuity planning process shall evaluate
whether the bank is anticipating operating at full or reduced capacity.
The process shall also evaluate the necessity for enterprise-wide, service
provider, and key market participants testing, rather than relying solely
on isolated business unit testing. Comprehensive testing requires
evaluating interdependencies between critical business functions and
systems, and evaluating the criticality of testing those systems in
tandem. Management shall test its ability to recover current data from
back-up media. The Bank shall include security measures and procedures
within the scope of the test, including ensuring secure copies of the
back-up media remain available in the event of an actual problem during
testing.
TESTING SCOPE AND OBJECTIVES
Management shall clearly define what functions, systems, or processes
are going to be tested and what will constitute a successful test. The
objective of a testing program is to ensure that the BCP remains
accurate, relevant, and operable under adverse conditions. Testing shall
include applications and business functions that were identified during
the impact analysis.
The business impact analysis determines the
recovery point objectives and recovery time objectives, which then help
determine the appropriate recovery strategy.
Testing objectives shall start small, and gradually increase in complexity
and scope. The scope of individual tests can be continually expanded to
eventually encompass enterprise-wide testing, including vendors and key
market participants.
Achieving the following objectives provides
progressive levels of assurance and confidence in the plan. At a
minimum, a clearly stated testing plan shall:
Not jeopardize normal business operations;
Gradually increase the complexity, level of participation, functions,
and physical locations involved;
Demonstrate a variety of management and response proficiencies,
under simulated crisis conditions, progressively involving more resources
and participants;
Uncover inadequacies, so that configurations and procedures can be
corrected; and
Consider deviating from the test script to interject unplanned events,
such as the loss of key individuals or services.

SPECIFIC TEST PLANS
Management shall develop a test plan for each BCP testing method used.
The test plan shall identify quantifiable measurements of each test
objective. The test plan shall be reviewed prior to the test to ensure it
can be implemented as designed without endangering the production
environment.
TEST PLAN REVIEW
Management shall prepare and review a script for each test prior to
testing to identify weaknesses that could lead to unsatisfactory or invalid
tests. As part of the review process, the testing plan shall be revised to
account for any changes to key personnel, policies, procedures, facilities,
equipment, outsourcing relationships, vendors, or other components that
impact a critical business function.
VALIDATION OF ASSUMPTIONS
The testing plan's assumptions shall be validated to ensure they are
appropriate for business continuity requirements. This validation
requires the participation of appropriate business development,
operations, and technology staff. Plan assumptions requiring validation
include:
Criticality of services;
Volume of transactions;
Interrelationships among business functions;
Selecting the business continuity planning strategy related to use of
facilities and other outages; and
Availability and adequacy of resources required to provide the
planned service level, such as the time required to establish facilities,
obtain back-up files, or reconstruct documents.
ACCURACY OF INFORMATION
All documented data and lists in the BCP shall be checked periodically
for accuracy, including furniture, equipment, telecommunications
connections, applications, and operating systems at both the primary and
alternate sites. Version numbers of applications and operating systems
shall be specified on this list.
COMPLETENESS OF PROCEDURES
The test procedures shall be checked periodically to make sure they
include:


Emergency response procedures, including escalation and notification
processes;
Alternate processing procedures, including security procedures at an
alternate site; and
Full recovery procedures, including returning to normal processing.

TESTING METHODS
Testing methods vary from minimum preparation and resources to the
most complex. Each bears its own characteristics, objectives, and
benefits. The type of testing employed by the bank shall include:

Orientation/Walk-through
An orientation/walk-through is the most basic type of test. Its primary
objective is to ensure that critical personnel from all areas are familiar
with the BCP. It is characterized by:
Discussion about the BCP in a conference room or small group
setting;
Individual and team training; and
Clarification and highlighting of critical plan elements.
Tabletop/Mini-drill
A tabletop/mini-drill is somewhat more involved than an orientation/walk-through
because the participants choose a specific event scenario and apply the BCP
to it. It includes:
o Practice and validation of specific functional response capability;
o Focus on demonstration of knowledge and skills, as well as team
interaction and decision-making capability;
o Role playing with simulated response at alternate locations/facilities to
act out critical steps, recognize difficulties, and resolve problems in a
non-threatening environment;
o Mobilization of all or some of the crisis management/response team to
practice proper coordination; and
o Varying degrees of actual, as opposed to simulated, notification and
resource mobilization to reinforce the content and logic of the plan.

Functional Testing
Functional testing is the first type that involves the actual mobilization of
personnel at other sites in an attempt to establish communications and
coordination as set forth in the BCP. It includes:

Demonstration of emergency management capabilities of several groups
practicing a series of interactive functions, such as direction, control,
assessment, operations, and planning;
Actual or simulated response to alternate locations or facilities using
actual communications capabilities;


Mobilization of personnel and resources at varied geographical sites; and
Varying degrees of actual, as opposed to simulated, notification and
resource mobilization.

Full-scale Testing
Full-scale testing is the most comprehensive type of test. In a full-scale
test, the bank implements all or portions of its BCP by processing data
and transactions using back-up media at the recovery site. It involves:
o Validation of crisis response functions;
o Demonstration of knowledge and skills, as well as management
response and decision-making capability;
o On-the-scene execution of coordination and decision-making roles;
o Actual, as opposed to simulated, notifications, mobilization of
resources, and communication of decisions;
o Activities conducted at actual response locations or facilities;
o Enterprise-wide participation and interaction of internal and external
management response teams with full involvement of external
organizations;
o Actual processing of data utilizing back-up media; and
o Exercises generally extending over a longer period of time to allow
issues to fully evolve as they would in a crisis, and allow realistic
role-play of all the involved groups.

CONDUCTING A TEST
Testing requires some centralized coordination, usually by the BCP
coordinator or team. The team or coordinator shall be responsible for
overseeing the accomplishment of targeted objectives and following up
with the appropriate areas on the results of the test.
Generally, the maximum number of personnel that will be involved in
implementing the BCP shall also participate in the test. In addition,
personnel involved in testing shall be rotated in order to prepare for the
loss of key individuals, both during a disaster and as a result of
retirements, promotions, terminations, resignations, or re-assignment of
responsibilities. The involvement and oversight of independent staff
such as auditors will help to ensure the validity of the testing process
and the accuracy of the reporting.
ANALYZING AND REPORTING TEST RESULTS
Management shall report the test results and the resolution of any
problems to the board. Management reports shall consider all the test
results. Test analyses shall include:

An assessment of whether the test objectives were completed;


An assessment of the validity of test data processed;
Corrective action plans to address problems encountered;
A description of any gaps between the BCP and actual test results;
Proposed modifications to the BCP; and
Recommendations for future tests.

UPDATING A BUSINESS CONTINUITY PLAN
A BCP is a living document, changing in concert with changes in the
business activities it supports. The plan shall be reviewed by senior
management, the planning team or coordinator, team members, internal
control/inspection, and the board of directors at least annually. As part of
that review process, the team or coordinator shall contact business unit
managers throughout the bank at regular intervals to assess the nature
and scope of any changes to the bank's business, structure, systems,
software, hardware, personnel, or facilities. It is to be expected that
some changes will have occurred since the last plan update. All such
organizational changes shall be analyzed to determine how they may
affect the existing continuity plan, and what revisions to the plan may be
necessary to accommodate these changes. Lastly, management shall
ensure the revised BCP is distributed throughout the organization.
AUDIT AND INDEPENDENT REVIEWS
The Inspection Unit or other qualified, independent party shall review
the adequacy of the business continuity process to ensure the board's
expectations are met. This review shall include assessing the adequacy
of business process identification, threat scenario development, business
impact analysis and risk assessments, the written plan, testing scenarios
and schedules, and communication of test results and recommendations
to the board. In order to discharge these responsibilities, the inspection
unit or other independent party shall directly observe tests of the BCP.
The board shall receive and carefully review audit reports on the
effectiveness of the bank's process that identify any areas of weakness.
INTERNAL AND EXTERNAL THREATS
While a BCP shall be focused on restoring the bank's ability to do
business, regardless of the nature of the disruption, different types of
disruptions may require a variety of responses in order to resume
business. Many types of disasters impact not only the bank but also the
surrounding community. The human element can be unpredictable in a
crisis situation, and shall not be overlooked when developing a BCP.
Employees and their families could be affected as significantly as, or
more significantly than, the bank. Therefore, management shall consider
the impact such a disruption would have on personnel the bank would


rely on during such a disaster. For example, providing accommodation
and services to family members of employees or ensuring that alternate
work facilities are in close proximity to employee residences may make it
easier for employees to implement the bank's BCP. Also, cross-training
of personnel and succession planning may be just as essential as back-up
procedures addressing equipment, data, operating systems, and
application software.
PRIMARY CATEGORIES OF INTERNAL AND EXTERNAL THREATS
MALICIOUS ACTIVITY
FRAUD, THEFT, OR BLACKMAIL
Since fraud, theft, or blackmail may be perpetrated more easily by
insiders, implementation of employee awareness programs and computer
security policies is essential. These threats can cause the loss,
corruption, or unavailability of information, resulting in a disruption of
service to customers. Restricting access to information that may be
altered or misappropriated reduces exposure. The bank may be held
liable for release of sensitive or confidential information pertaining to its
customers; therefore, appropriate procedures to safeguard information
are warranted.
SABOTAGE
Personnel shall know how to handle intruders, bomb threats, and other
disturbances. The locations of critical operation centers shall not be
publicized and the facilities shall be inconspicuous. A disgruntled
employee may try to sabotage facilities, equipment, or files. Therefore,
personnel policies shall require the immediate removal from the premises
of any employee reasonably considered a threat, and the immediate
revocation of their computer and facility access privileges. Locked
doors, motion detectors, guards, and other controls that restrict physical
access are important preventive measures.
TERRORISM
The risk of terrorism is real and adequate business continuity planning is
critical for the bank in the event a terrorist attack occurs. Some forms of
terrorism (e.g., chemical or biological contamination) may leave facilities
intact but inaccessible for extended periods of time. The earlier an attack
is detected the better the opportunity for successful treatment and
recovery. Active monitoring of emergency warning systems shall be
considered.


NATURAL DISASTERS
FIRE
A fire can result in loss of life, equipment, and data. Data center
personnel must know what to do in the event of a fire to minimize these
risks. Instructions and evacuation plans shall be posted in prominent
locations, and shall include the designation of an outside meeting place
so personnel can be accounted for in an emergency, and guidelines for
securing or removing media, if time permits. Fire drills shall be
periodically conducted to ensure personnel understand their
responsibilities. Fire alarm boxes and emergency power switches shall
be clearly visible and unobstructed.
All primary and back-up facilities shall be equipped with heat or smoke
detectors. Ideally, these detectors shall be located in the ceiling, in
exhaust ducts, and under raised flooring. Detectors situated near air
conditioning or intake ducts that hinder the build-up of smoke may not
trigger the alarm. The emergency power shutdown shall deactivate the
air conditioning system. Walls, doors, partitions, and floors shall be
fire-resistant. Also, the building and equipment shall be grounded
correctly to protect against electrical hazards. Lightning can cause
building fires,
so lightning rods shall be installed as appropriate. Local fire inspections
can help in preparation and training.
Personnel shall know how to respond to automatic suppression systems,
as well as the location and operation of power and other shut-off valves.
Waterproof covers shall be located near sensitive equipment in the event
that the sprinklers are activated. Hand extinguishers and floor tile
pullers shall be placed in easily accessible and clearly marked locations.
The extent of fire protection required depends on the degree of risk the
bank is willing to accept and local fire codes or regulations.
FLOODS AND OTHER WATER DAMAGE
Locating an installation in or near a flood plain exposes the bank to
increased risk. Management shall therefore take the necessary actions to
manage that level of exposure. As water seeks the lowest level, critical
records and equipment shall be located on upper floors, if possible, to
mitigate this risk. Raised flooring or elevating the wiring and servers
several inches off the floor can prevent or limit the amount of water
damage. In addition, the bank shall be aware that water damage could
occur from other sources such as broken water mains, windows, or
sprinkler systems. If there is a floor above the computer or equipment
room, the ceiling shall be sealed to prevent water damage. Water
detectors shall be considered as a way to provide notification of a
problem.


SEVERE WEATHER
A disaster resulting from an earthquake, hurricane, tornado, or other
severe weather typically would have its probability of occurrence defined
by geographic location. Given the random nature of these natural
disasters, branches located in an area that experiences any of these
events shall consider including appropriate scenarios in their business
continuity planning process. In instances where early warning systems
are available, management shall provide procedures to be implemented
prior to the disaster to minimize losses.

AIR CONTAMINANTS
Some disasters produce a secondary problem by polluting the air for a
wide geographic area. Natural disasters such as flooding can also result
in significant mould or other contamination after the water has receded.
The severity of these contaminants can impact air quality at the bank and
even result in evacuation for an extended period of time. Business
continuity planning shall consider the possibility of air contamination and
provide for evacuation plans to minimize the risks caused by the
contamination. Additionally, consideration shall be given to the length of
time the affected facility could be inoperable or inaccessible.
HAZARDOUS CHEMICAL SPILL
Locating branches close to chemical plants, railroad tracks, or major
highways used to transport hazardous chemicals poses significant risks.
A leak or spill can result in air contamination, as described above,
chemical fires, as well as other health risks. Management shall therefore
make reasonable efforts to determine the types of chemicals being
produced or transported nearby, obtain information about the risks each
may pose, and take steps to mitigate such risks.
TECHNICAL DISASTERS
COMMUNICATIONS FAILURE
The distributed processing environment has resulted in an increased
reliance on telecommunications networks for both voice and data
communications to customers, third parties, and back-up sites. The bank
may be susceptible to single points of failure in the event a disaster
affects one or more of these critical systems.
Management shall therefore make efforts to identify and document
potential single points of failure within the bank's internal and external
communications systems. If arrangements are made with multiple


telecommunications providers for diverse routing to achieve redundant
systems in an attempt to mitigate this risk, management shall, to the
extent possible, identify common points of failure within these systems.
One technique is to perform an end-to-end trace of all critical or sensitive
circuits to search for single points of failure such as a common switch,
router, PBX, or telephone central office.
In addition to restoring data communication lines with affiliates and
vendors, restoration of communications with employees will be critical to
any BCP. As an alternative to voice landlines, the bank shall consider cell
phones, two-way radios, text-based pagers, corporate and public e-mail
systems, and Internet-based instant messaging. Another alternative
would be to register and establish a standby World Wide Web home page
that is activated during a disaster and is used to communicate
information and instructions to employees, customers, and/or affiliates.
Finally, depending upon individual requirements, satellite phones may be
useful for communicating with key personnel.
POWER FAILURE
The loss of power can occur for a variety of reasons, including storms,
fires, malicious acts, brownouts, and blackouts. A power failure could
result in the loss of computer systems, lighting, heating and cooling
systems, and security and protection systems. Additionally, power surges
can occur as power is restored, and without proper planning, can cause
damage to equipment. As a means to control this risk, voltage entering
the computer room shall be monitored by a recording voltmeter and
regulated to prevent power fluctuations. In the event of power failure,
the bank shall use an alternative power source, such as uninterruptible
power supplies (UPS), or diesel generators. A UPS is essentially a
collection of standby batteries that provide power for a short period of
time. When selecting a UPS, the bank shall make sure that it has
sufficient capacity to provide ample time to shut down the system in an
orderly fashion to ensure no data is lost or corrupted. Some UPS
equipment can initiate the automated shut down of systems without
human intervention.
If processing time is more critical, the bank may arrange for a generator,
which will provide power to at least the mission critical equipment
during extended power outages. Management shall maintain an ample
supply of fuel on hand and have arrangements for replenishment.
EQUIPMENT AND SOFTWARE FAILURE
Equipment and software failures may result in extended processing
delays and/or implementation of BCPs for various business units
depending on the severity of the failure. The performance of preventive
maintenance enhances system reliability and shall be extended to all


supporting equipment, such as temperature and humidity control
systems and alarm or detecting devices.
TRANSPORTATION SYSTEM DISRUPTIONS
The bank shall not assume transportation systems will continue to
operate normally during a disruption. Air traffic and/or trains may be
halted by natural or technical disasters, malicious activity, work
stoppages, or accidents. This can adversely impact cash distribution,
cheque clearing, and relocation of staff to back-up sites. The bank shall
investigate the option of using private, ground-based carriers (e.g.,
messenger services, trucking companies, bus companies) to ensure the
continuation of these vital functions.
INTERDEPENDENCIES
TELECOMMUNICATIONS INFRASTRUCTURE
Voice and data communications are essential for conducting business
and connecting critical elements of the bank such as business areas,
customers and service providers/vendors. The advancement in network
technologies allows greater geographic separation between people and
system resources and/or primary and alternate processing locations.
Network technologies have played a key role in enabling distributed
processing environments, which reflect an increased reliance on
telecommunications networks for both voice and data communications.
Given their critical nature and importance, it is necessary for the bank to
design high levels of redundancy and resiliency into their voice and data
communication infrastructures. In addition, as critical as it is to have
effective business continuity arrangements for a data center, it is equally
important to have effective back-up arrangements for voice and data
telecommunications links. Since voice and data infrastructures are
typically a shared resource across the different business areas of the
bank, the dependency and criticality of these resources are further
heightened.
The telecommunications infrastructure contains single points of failure
that represent vulnerabilities and risks for the bank. Elements of risk
reside within the public telecommunications network infrastructure and
are outside the control of a single bank. This necessitates the need for
banks to be proactive in establishing robust processes to ensure
telecommunication resiliency and diversity. The bank shall develop risk
management practices to identify and eliminate single points of failure
across its network infrastructures. Risk management strategies need to
be incorporated into the design, acquisition, implementation, and


maintenance processes related to communication networks and shall
address single points of failure or points of commonality relating to:
Primary and back-up network infrastructures;
Telecommunication carriers;
Points of entry into facilities;
Telecommunication routing through central offices; and
PBXs within the bank.
The bank shall actively manage its service relationship with the
telecommunication providers in order to manage risk more effectively. In
coordination with vendors, management shall ensure that, at minimum,
risk management strategies:
Establish Service Level Agreements that address contingency
measures and change management for services provided;
Establish processes to inventory and validate telecommunication
circuits and routing paths; and
Include a framework to periodically verify telecommunication routing
paths.
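The end-to-end circuit trace described under COMMUNICATIONS FAILURE and the inventory-and-validate process required above both reduce to one check: which hops appear on every path a service depends on. The Python below is an added example, not part of the bank's policy; the circuit inventory, hop names and category rules are constructed for illustration.

```python
"""Find single points of failure (points of commonality) across the
documented routing paths of each critical telecommunication service.
Added example; the inventory below is constructed, not a real trace."""
from collections import defaultdict

# Constructed inventory. Key: "<service>/<path name>"; value: the ordered
# hops recorded by an end-to-end trace of that circuit. Names are hypothetical.
CIRCUIT_INVENTORY = {
    "core-to-dr/primary": [
        "hq-pbx-1", "hq-router-1", "hq-entry-east", "co-central-office-1",
        "carrier-a-backbone", "dr-entry-north", "dr-router-1",
    ],
    "core-to-dr/backup": [
        "hq-pbx-1", "hq-router-2", "hq-entry-west", "co-central-office-1",
        "carrier-b-backbone", "dr-entry-north", "dr-router-2",
    ],
    "branch-wan/primary": [
        "branch-router-1", "branch-entry", "co-central-office-2",
        "carrier-a-backbone", "hq-entry-east", "hq-router-1",
    ],
    "branch-wan/backup": [
        "branch-router-2", "branch-entry", "co-central-office-3",
        "carrier-b-backbone", "hq-entry-west", "hq-router-2",
    ],
    # Only one documented path: no diversity at all for this service.
    "atm-switch-link/primary": [
        "atm-router-1", "atm-entry", "co-central-office-1",
        "carrier-a-backbone", "hq-entry-east", "hq-router-1",
    ],
}


def classify(hop: str) -> str:
    """Map a hop to the element categories the policy list names.
    Naming-convention based; a real inventory would carry an explicit type."""
    if "pbx" in hop:
        return "PBX"
    if "entry" in hop:
        return "point of entry"
    if "central-office" in hop:
        return "central office"
    if "carrier" in hop:
        return "carrier"
    return "network infrastructure"


def group_by_service(inventory: dict) -> dict:
    """Collect the paths of each service: {service: [hops, hops, ...]}."""
    services = defaultdict(list)
    for circuit, hops in inventory.items():
        service, _, _path = circuit.partition("/")
        services[service].append(hops)
    return services


def common_points(paths: list) -> set:
    """Hops present on every path. With a single path every hop qualifies;
    with no paths there is nothing to report."""
    sets = [set(p) for p in paths]
    return set.intersection(*sets) if sets else set()


def single_points_of_failure(inventory: dict) -> dict:
    """{service: {hop: category}} for hops whose loss cuts every path."""
    return {
        service: {hop: classify(hop) for hop in sorted(common_points(paths))}
        for service, paths in group_by_service(inventory).items()
    }


def shared_dependencies(inventory: dict) -> dict:
    """{hop: [services]} for hops that are a single point of failure for
    more than one service; these are the first candidates for diverse routing."""
    exposure = defaultdict(set)
    for service, hops in single_points_of_failure(inventory).items():
        for hop in hops:
            exposure[hop].add(service)
    return {hop: sorted(s) for hop, s in exposure.items() if len(s) > 1}


if __name__ == "__main__":
    for service, hops in single_points_of_failure(CIRCUIT_INVENTORY).items():
        print(f"{service}:")
        for hop, category in hops.items():
            print(f"  SPOF {hop} ({category})")
    print("shared across services:", shared_dependencies(CIRCUIT_INVENTORY))
```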
In addition to robust risk management practices, the bank shall have
viable business continuity arrangements for voice and data services. At a
minimum, telecommunications plans shall address skilled human
resources, internal and external connectivity, communications media,
network equipment and telecommunication management systems. The
BCP shall establish priorities and identify critical network components.
Original plan components such as reliability, flexibility, and compatibility
must also be considered in formulating the back-up plan. For example, a
modem used for back-up may not provide the level of service required, or
a line may satisfactorily transmit voice, but be insufficient in quality and
speed for data transmission. The costs of various back-up alternatives
shall be weighed against the level of risk protection provided by the
alternatives. This assessment also shall address costs associated with
testing, since all components of a plan shall be tested periodically,
including the communications media.
The BCP shall address the practicality of each component. Selected
alternatives shall be able to accommodate the anticipated volumes or
capacities at the necessary speeds to meet the established priorities. For
example, several dial-up lines may not be a practical replacement for an
E-1 line. Also, the back-up plan shall recognize availability and lead
times required to employ certain components, such as installing
additional lines or modems and multiplexers/concentrators at a recovery
site.


THIRD-PARTY PROVIDERS, KEY SUPPLIERS, AND BUSINESS PARTNERS
Reliance on third-party providers, key suppliers, or business partners
may expose the bank to points of failure that may prevent resumption of
operations in a timely manner. The risks in outsourcing information,
transaction processing, and settlement activities include threats to the
security, availability and integrity of systems and resources, to the
confidentiality of information, and to regulatory compliance. In addition,
when a third party performs services on behalf of the bank, increased
levels of credit, liquidity, transaction, and reputation risk can result. The
bank shall review and understand service providers' BCPs and ensure
critical services can be restored within acceptable timeframes based
upon the needs of the bank. The contract shall address the service
provider's responsibility for maintenance and testing of disaster recovery
and contingency plans. The bank shall be provided testing results and
review audits to determine the adequacy of plans and the effectiveness of
the testing process. If possible, the bank shall consider participating in
its service provider's testing process.
Contracts shall include detailed business recovery timeframes that meet
the business continuity planning needs of the bank. The bank's business
continuity planning process shall include developing call lists necessary
for contacting key individuals at the service provider's primary and
recovery locations. The bank's BCP shall also address how it will be
exchanging information with its service providers should the bank be
operating from an alternative location, e.g., transmission via a branch
facility that has redundant telecommunications links with the service
provider.
CONTRACTS
Where the bank contracts with third-party service providers and other
vendors for disaster recovery assistance, the bank shall consider:
Staffing: What kinds of technical support personnel is the service
provider obligated to make available onsite to assist bank employees in
getting the recovery site operating?
Processing Time Availability: Assuming other clients are also using
the same recovery site, how much processing time is the bank entitled to
on a particular computer system? Is the bank guaranteed a sufficient
amount of processing time to handle the volume of work that will need to
be done at the site?
Access Rights: Since most back-up sites can be used by numerous
clients, does the bank have a guaranteed right to use the site in case of
an emergency? Alternatively, does the service provider accept clients on
a first-come, first-served basis until the recovery site is at full capacity?


Hardware and Software: Is the recovery site equipped with the
precise computer hardware and software that the bank needs to continue
operations? Will the bank be notified of changes in the equipment at the
recovery site?
Security Controls: Does the recovery site have sufficient physical and
logical security to adequately protect the bank's information assets?
Testing: Does the contract with the service provider permit the bank
to perform at least one full-scale test of the recovery site annually? Does
the service provider perform tests of its own BCP and submit test reports
to the bank?
Confidentiality of Data: In the event other businesses are also using
the recovery site, what steps will the service provider take to ensure the
security and confidentiality of bank data? Has the service provider
entered into an appropriate contract with the bank that addresses the
requirements of the Interagency Guidelines Establishing Standards for
Safeguarding Customer Information?
Telecommunications: Has the service provider taken appropriate
steps to ensure the recovery site will have adequate telecommunications
services (both voice and data) for the number of personnel that will be
working at that site and the volume of data transmissions that are
anticipated?
Reciprocal Agreements: In the event the bank's recovery site is
another bank with whom it has a reciprocal agreement, does the other
bank have sufficient excess computer capacity to ensure the affected
bank's work will get done? Are the hardware and software at the
recovery site compatible with the affected bank's systems? Will the bank
be notified of changes in equipment at the recovery site?
Space: Does the recovery site have adequate space and related
services to accommodate the affected bank's staff and enable them to
conduct business? This may also include consideration of the space at
the service provider or in the local community to provide food, toilets,
medical supplies, family care, counselling, news, housing, and diversions
to personnel.
Paper Files and Forms: Does the recovery site maintain a sufficient
inventory of paper-based files and forms that are necessary to the
conduct of the affected bank's business?
Printing Capacity/Capability: Does the recovery site maintain
adequate printing capacity to meet the demand of the affected bank?
Contacts: Who at the bank is authorized to initiate use of the back-up
site? Who does the bank contact at the back-up site?

BCP COMPONENTS
PERSONNEL


Based on the BIA, the BCP shall assign responsibilities to management,
specific personnel, teams, and service providers. The plan shall identify
integral personnel that are needed for successful implementation of the
plan and develop contingencies to be implemented should those employees
not be available. Additionally, vendor support needs shall be identified.
The BCP shall address:
How will decision making succession be determined in the event of
the loss of management personnel?
Who will be responsible for leading the various BCP Teams (e.g.,
Crisis/Emergency, Recovery, Technology, Communications, Facilities,
Human Resources, Business Units and Processes, Customer Service)?
Who will be the primary contact with critical vendors, suppliers, and
service providers?
Who will be responsible for security (information and physical)?
Planning shall also consider personnel resources necessary for decision
making and staffing at alternate facilities under various scenarios. Key
personnel shall be identified to make decisions regarding efforts to
provide for renovating or rebuilding the primary facility. This could
require personnel beyond what is necessary for ongoing business
continuity efforts.
Finally, the business continuity planning coordinator and/or planning
committee shall be given responsibility for regularly updating the BCP on
at least an annual basis, and after significant changes to the operations
and environment.
TECHNOLOGY
The technology components that shall be addressed include:
Hardware: mainframe, network, end-user;
Software: applications, operating systems, utilities;
Communications (network and telecommunications);
Data files and vital records;
Operations processing equipment; and
Office equipment.
Comprehensive inventories will assist with the business resumption and
recovery efforts, and ensure all components are considered during plan
development. Planning shall include identifying critical business unit
data that may only reside on individual workstations, which may or may
not adhere to proper back-up schedules. Additionally, the plan shall
address vital records, necessary back-up methods, and appropriate
backup schedules for these records.
The Bank shall exercise caution when identifying non-critical assets. The
bank's telephone banking, Internet banking, or ATM systems may not


seem mission critical when systems are operating normally. However,
these systems may play a critical role in the BCP and be a primary
delivery channel to service customers during a disruption. Similarly, the
bank's electronic mail system may not appear to be mission critical, but
may be the only system available for employee or external
communication in the event of a disruption.
DATA CENTER RECOVERY ALTERNATIVES
The bank shall make formal arrangements for alternate processing
capability in the event its data processing site becomes inoperable or
inaccessible.
The type of recovery alternative selected will vary
depending on the criticality of the processes being recovered and the
recovery time objectives. Recovery plan alternatives may take several
forms and involve the use of another data center, or installation, such as
a third-party service provider. A legal contract or agreement shall
evidence recovery arrangements with a third-party vendor.
The following shall be acceptable alternatives for data center recovery:
Hot Site (traditional active/backup model): A hot site is fully
configured with compatible computer equipment and typically can be
operational within several hours. The bank may rely on the services of
a third party to provide back-up facilities. The traditional active/backup model requires relocating, at minimum, core employees to the
alternative site. This model also requires back-up media to be
transferred off-site on at least a daily basis. DB shall consider
mirroring or vaulting because it operates critical real-time processing
operations or critical high-volume processing. If the bank is relying
on a third party to provide the hot site, there remains a risk that the
capacity at the service provider may not be able to support their
operations in the event of a regional or large-scale event. Alternatively,
the bank may contract for a "mobile hot site," i.e., a trailer outfitted
with the necessary computer hardware that is towed to a
predetermined location in the event of a disruption and connected to a
power source.
Duplicate Facilities/Split Operations (active/active model): Under
this scenario, two or more separate, active sites provide inherent back
up to one another. Each site has the capacity to absorb some or all of
the work of the other site for an extended period of time. This
strategy can provide almost immediate resumption capacity,
depending on the systems used to support the operations and the
operating capacity at each site. The maintenance of excess capacity at
each site and added operating complexity can have significant costs.
Even using the active/active model, current technological limitations
preclude wide geographic diversity of data centers that use real-time,
synchronous data mirroring back-up technologies. However, other
alternatives beyond synchronous mirroring may be available to allow
for greater distance separation.
Cold Site: Cold sites are locations that are part of a longer-term
recovery strategy. A cold site provides a back-up location without
equipment, but with power, air conditioning, heat, electrical, network
and telephone wiring, and raised flooring. An example of a situation
when a cold site can be a viable alternative is when a bank has
recovered at another location, such as a hot site, but needs a longer-term location while their data center is being rebuilt. Cold sites
typically can take up to several weeks to activate. Banks may rely on
the services of a third party to provide cold site facilities or may house
such a facility at another location, such as a branch or other
operations center.
Tertiary Location: The bank may also consider the need to have a
third location or a back-up to the back-up. These tertiary locations
provide an extra level of protection in the event neither the primary
location nor the secondary location is available. Moreover, a tertiary
location becomes the primary back up location in the event the bank
has declared a disaster and is operating out of its contingency or
secondary site.
DB may also enter into agreements, commonly referred to as
"Reciprocal Agreements," with other banks to provide equipment back
up. This arrangement is usually made on a best effort basis, whereby
bank A promises to back up bank B as long as bank A has time
available, and vice versa. In the vast majority of cases, reciprocal
agreements are unacceptable because the bank agreeing to provide
back-up has insufficient excess capacity to enable the affected bank to
process its transactions in a timely manner. If the bank chooses to
enter into a reciprocal agreement and can establish that such an
arrangement will provide an acceptable level of back-up, this
agreement shall be put in writing and made available to CBN to
obligate "bank A" to make available sufficient processing capacity and
time. The agreement shall also specify that each bank will be notified
of equipment and software changes at the other bank.
BACK-UP RECOVERY FACILITIES
The recovery site shall be tested at least annually and when equipment
or application software is changed to ensure continued compatibility.
Additionally, the recovery facility shall exhibit a greater level of security
protection than the primary operations site since the people and systems
controlling access to the recovery site will not be as familiar with the
relocated personnel using it. This security shall include physical and
logical access controls to the site as well as the computer systems.
Further, the BCP and recovery procedures shall be maintained at the
alternative and off-site storage locations.
Regardless of which recovery strategy is utilized, the recovery plan shall
address how any backlog of activity and/or lost transactions will be
recovered. The plan shall identify how transaction records will be
brought current from the time of the disaster and the expected recovery
timeframes.
Alternative workspace capacity is just as important as alternative data
processing capabilities. Management shall arrange for workspace
facilities and equipment for employees to conduct ongoing business
functions.
GEOGRAPHIC DIVERSITY
When determining the physical location of an alternate-processing site,
management shall consider geographic diversity. They shall consider the
geographic scope of disruptions and the implications of a citywide
disruption or even a regional disruption. The distance between primary
and back-up locations shall consider recovery time objectives and
business unit requirements. Locating a back-up site too close to the
primary site may not insulate it sufficiently from a regional disaster.
Alternatively, locating the back-up site too far away may make it difficult
to relocate the staff necessary to operate the site. If relocation of staff is
necessary to resume business operations at the alternate site,
consideration shall be given to their willingness to travel due to the
events, the modes of transportation available, and if applicable, lodging
and living expenses for employees that relocate. When evaluating the
locations of alternate-processing sites, it is also important to subject the
secondary sites to a threat scenario analysis.
BACK-UP AND STORAGE STRATEGIES
Management shall base decisions on software and data file back up on
the criticality of the software and data files to the bank's operations. In
establishing back-up priorities, management shall consider all types of
information and the potential impact from loss of such files. This
includes financial, regulatory, and administrative information, and
operating, application, and security software. In assigning back-up
priority, management shall perform a risk assessment that addresses
whether:
The loss of these files would significantly impair the bank's operations;
The files are being used to manage corporate assets or to make
decisions regarding their use;
The files contain updated security and operating system
configurations that would be necessary to resume operations in a secure
manner;
The loss of the files would result in lost revenue; and
Any inaccuracy or data loss would result in significant impact on the
bank (including reputation) or its customers.
The frequency of file back up also depends on the criticality of the
application and data. Critical data shall be backed up using the multiple
generation (i.e., grandfather-father-son, etc.) method and rotated to an
off-site location at least daily. Online/real-time or high volume systems
may necessitate more aggressive back-up methods such as mirroring or
electronic vaulting at a separate processing facility to ensure appropriate
back up of operations, as an alternative to back-up tape storage.
Back-up tape storage remains a viable solution for many banks.
However, when the bank's primary back-up media is tape storage, back-up tapes shall be sent to the off-site storage as soon as possible, and shall
not reside at their originating location overnight. Back-up media,
especially tapes, shall be periodically tested to ensure they are still
readable. Tapes repeatedly used or subjected to extreme variations in
temperature or humidity may become unreadable, in whole or part, over
time.
Remote journaling is the process of recording transaction logs or
journals at a remote location. These logs and journals are used to recover
transaction and database changes since the most recent back up.
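As an added illustration of how a remote journal is used to bring a master file forward from the most recent back-up (this is example code written for this page, not code from the bank's policy or from any product the policy names), the Python below keeps a hash-chained transaction journal, takes a snapshot standing in for the full back-up, and replays only the journal entries recorded after that snapshot. The entry layout, account identifiers and amounts are constructed; a real core-banking journal would differ. The chaining is what lets recovery stop at a gap or an altered entry instead of silently producing a wrong master file, which is the failure the plan's "bring transaction records current from the time of the disaster" requirement is meant to prevent.

```python
from __future__ import annotations

import copy
import hashlib
import json
from typing import Dict, List, Optional, Tuple

GENESIS = "0" * 64  # chain anchor before the first journal entry


def _digest(seq: int, prev: str, payload: dict) -> str:
    """Digest of one entry, bound to its sequence number and its predecessor."""
    body = f"{seq}|{prev}|{json.dumps(payload, sort_keys=True)}".encode()
    return hashlib.sha256(body).hexdigest()


def append_entry(journal: List[dict], payload: dict) -> dict:
    """Append a payload to the journal as the next chained entry."""
    seq = len(journal) + 1
    prev = journal[-1]["digest"] if journal else GENESIS
    entry = {"seq": seq, "prev": prev, "payload": payload,
             "digest": _digest(seq, prev, payload)}
    journal.append(entry)
    return entry


def apply_payload(balances: Dict[str, int], payload: dict) -> None:
    """Apply one posting to the in-memory master file (constructed schema)."""
    op, acct, amount = payload["op"], payload["account"], payload["amount"]
    if amount <= 0:
        raise ValueError("amount must be positive")
    if op == "credit":
        balances[acct] = balances.get(acct, 0) + amount
    elif op == "debit":
        balances[acct] = balances.get(acct, 0) - amount
    else:
        raise ValueError(f"unknown operation {op!r}")


def post(balances: Dict[str, int], journal: List[dict], payload: dict) -> None:
    """Journal first, then apply: the remote log must never lag the master file."""
    append_entry(journal, payload)
    apply_payload(balances, payload)


def take_snapshot(balances: Dict[str, int], journal: List[dict]) -> dict:
    """Stand-in for the periodic full back-up; records where in the chain it was taken."""
    return {"as_of_seq": len(journal),
            "last_digest": journal[-1]["digest"] if journal else GENESIS,
            "balances": dict(balances)}


def recover(snapshot: dict, journal: List[dict]) -> Tuple[Dict[str, int], int, Optional[str]]:
    """Restore the snapshot and replay every later entry, verifying the chain.

    Returns (balances, entries_applied, failure_reason). failure_reason is None
    when the journal replayed cleanly; otherwise replay halts at the first gap
    or integrity failure, leaving balances consistent up to the last good entry.
    """
    balances = dict(snapshot["balances"])
    expected_seq = snapshot["as_of_seq"] + 1
    prev = snapshot["last_digest"]
    applied = 0
    for entry in journal:
        if entry["seq"] <= snapshot["as_of_seq"]:
            continue  # already reflected in the full back-up
        if entry["seq"] != expected_seq:
            return balances, applied, f"gap: expected seq {expected_seq}, found {entry['seq']}"
        if entry["prev"] != prev or _digest(entry["seq"], prev, entry["payload"]) != entry["digest"]:
            return balances, applied, f"integrity failure at seq {entry['seq']}"
        apply_payload(balances, entry["payload"])
        applied += 1
        prev = entry["digest"]
        expected_seq += 1
    return balances, applied, None


def build_sample() -> Tuple[Dict[str, int], dict, List[dict]]:
    """Constructed day of activity: two postings, a back-up, then three more postings."""
    live: Dict[str, int] = {"ACC-1001": 5000, "ACC-1002": 1200}
    journal: List[dict] = []
    post(live, journal, {"op": "credit", "account": "ACC-1001", "amount": 300})
    post(live, journal, {"op": "debit", "account": "ACC-1002", "amount": 200})
    snapshot = take_snapshot(live, journal)
    post(live, journal, {"op": "credit", "account": "ACC-1002", "amount": 450})
    post(live, journal, {"op": "debit", "account": "ACC-1001", "amount": 1000})
    post(live, journal, {"op": "credit", "account": "ACC-1003", "amount": 75})
    return live, snapshot, journal


def replay_clean():
    """Snapshot plus the intact journal must reproduce the live master file."""
    live, snapshot, journal = build_sample()
    return recover(snapshot, journal), live


def replay_tampered():
    """An entry altered after it was journaled (seq 4): replay must refuse it."""
    _, snapshot, journal = build_sample()
    damaged = copy.deepcopy(journal)
    damaged[3]["payload"]["amount"] = 100000
    return recover(snapshot, damaged)


def replay_gap():
    """A journal copy missing seq 4, as a lost remote transmission would leave it."""
    _, snapshot, journal = build_sample()
    return recover(snapshot, journal[:3] + journal[4:])
```

In `replay_clean()` the recovered balances equal the live ones with three entries applied; in the tampered and gap cases replay stops after seq 3 and reports why, so the recovery team knows exactly which transactions must be re-captured from other records rather than discovering a silent mismatch later.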
Back-up of operating system software and application programs must be
performed whenever they are modified, updated, or changed.
DATA FILE BACK UP
One of the most critical components of the back-up process involves the
bank's data files, regardless of the platform on which the data is located.
The Bank must be able to generate a current master file that reflects
transactions up to the point in time of the disruption. Data files shall be
backed up both onsite and off-site to provide recovery capability.
Retention of current data files, or older master files and the transaction
files necessary to bring them current, is important so that processing can
continue in the event of a disaster or other disruption. The creation and
rotation of core processing data file back up shall occur at least daily,
more frequently if the volume of processing or online transaction activity
warrants. Less critical data files may not need to be backed up as
frequently. In either case, back-up data files shall be transported off-site
in a timely manner and not be returned until new back-up files are offsite.
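The generation-based rotation and off-site custody rules stated in the BACK-UP AND STORAGE STRATEGIES and DATA FILE BACK UP passages above (grandfather-father-son generations, media off-site at least daily and never left at the originating site overnight, and a set not returned until its successor is off-site) can be enforced with a small ledger. The Python below is an added example for this page, not the bank's own tooling; the retention periods, the wear limit per tape, the media identifiers and the dates are constructed, and the tier rule (month-end is a grandfather, Friday a father, every other day a son) is one common reading of the scheme, not a figure the policy sets.

```python
from __future__ import annotations

import calendar
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

# Constructed retention periods per generation, in days; the policy sets no figures.
RETENTION_DAYS = {"son": 7, "father": 35, "grandfather": 400}
MAX_WRITES = 50  # constructed wear limit before a tape is retired from rotation


def tier_for(day: date) -> str:
    """Month-end backup is a grandfather, Friday's a father, every other day a son."""
    if day.day == calendar.monthrange(day.year, day.month)[1]:
        return "grandfather"
    if day.weekday() == 4:
        return "father"
    return "son"


@dataclass
class BackupSet:
    taken: date
    tier: str
    media_id: str
    offsite_confirmed: Optional[date] = None  # date the off-site receipt was logged


@dataclass
class RotationLedger:
    sets: List[BackupSet] = field(default_factory=list)
    writes: Dict[str, int] = field(default_factory=dict)  # media_id -> times written

    def record_backup(self, day: date, media_id: str) -> BackupSet:
        """Log a new set; worn-out media and media still holding a retained set are refused."""
        if self.writes.get(media_id, 0) >= MAX_WRITES:
            raise ValueError(f"{media_id} is past its wear limit; retire it")
        if any(s.media_id == media_id for s in self.sets):
            raise ValueError(f"{media_id} still holds a retained set")
        bs = BackupSet(day, tier_for(day), media_id)
        self.sets.append(bs)
        self.writes[media_id] = self.writes.get(media_id, 0) + 1
        return bs

    def confirm_offsite(self, media_id: str, when: date) -> None:
        for bs in self.sets:
            if bs.media_id == media_id and bs.offsite_confirmed is None:
                bs.offsite_confirmed = when

    def overnight_violations(self, today: date) -> List[str]:
        """Media written before today with no off-site receipt: still on premises."""
        return [bs.media_id for bs in self.sets
                if bs.taken < today and bs.offsite_confirmed is None]

    def recallable(self, today: date) -> List[str]:
        """Expired sets whose successor in the same generation is safely off-site."""
        out = []
        for bs in self.sets:
            expired = bs.taken + timedelta(days=RETENTION_DAYS[bs.tier]) <= today
            successor_offsite = any(o.tier == bs.tier and o.taken > bs.taken
                                    and o.offsite_confirmed is not None for o in self.sets)
            if expired and successor_offsite:
                out.append(bs.media_id)
        return out

    def recall(self, media_id: str, today: date) -> None:
        """Bring an expired set back for reuse; refused unless recallable()."""
        if media_id not in self.recallable(today):
            raise ValueError(f"{media_id} may not leave off-site storage yet")
        self.sets = [s for s in self.sets if s.media_id != media_id]

    def retire_candidates(self) -> List[str]:
        return sorted(m for m, n in self.writes.items() if n >= MAX_WRITES)


def demo_rotation() -> dict:
    """Constructed week in August 2015 showing the checks in action."""
    ledger = RotationLedger()
    ledger.record_backup(date(2015, 8, 3), "DAT-001")      # Monday: son
    ledger.confirm_offsite("DAT-001", date(2015, 8, 3))
    ledger.record_backup(date(2015, 8, 4), "DAT-002")      # Tuesday: son, receipt not logged
    late = ledger.overnight_violations(date(2015, 8, 5))   # DAT-002 spent the night on site
    ledger.confirm_offsite("DAT-002", date(2015, 8, 5))
    ledger.record_backup(date(2015, 8, 7), "DAT-003")      # Friday: father
    ledger.confirm_offsite("DAT-003", date(2015, 8, 7))
    too_early = ledger.recallable(date(2015, 8, 9))        # nothing has expired yet
    due = ledger.recallable(date(2015, 8, 11))             # DAT-001 only: DAT-002 has no later son off-site
    ledger.recall("DAT-001", date(2015, 8, 11))
    return {"late": late, "too_early": too_early, "due": due,
            "tiers": ["son", "son", "father"] if [s.tier for s in ledger.sets] == ["son", "father"] else None,
            "remaining": [s.media_id for s in ledger.sets]}
```

The two checks a practitioner wants from such a ledger are `overnight_violations`, run each morning against the previous day's writes, and `recallable`, consulted before any courier request, so that the off-site copy of a generation is never recalled while it is still the only copy of that generation outside the building.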

SOFTWARE BACK UP
Software back up for all hardware platforms consists of three basic
areas: operating system software, application software, and utility
software. All software and related documentation shall have adequate
off-premises storage. Even when using a standard software package
from one vendor, the software can vary from one location to another.
Differences may include parameter settings and modifications, security
profiles, reporting options, account information, or other options chosen
by the bank during or subsequent to system implementation. Therefore,
comprehensive back up of all critical software is essential.
The operating system software shall be backed up with at least two
copies of the current version. One copy shall be stored in the tape and
disk library for immediate availability in the event the original is
impaired; the other copy shall be stored in a secure, off-premises
location. Duplicate copies shall be tested periodically and recreated
whenever there is a change to the operating system.
Application software, which includes both source (if the bank has it in its
possession) and object versions of all application programs, shall be
maintained in the same manner as the operating system software. Back-up copies of the programs shall be updated as program changes are
made.
Given the increased reliance on the distributed processing environment,
adequate back-up resources and procedures for local area networks and
wide area networks are essential. Management shall
ensure that all appropriate programs and information are backed up.
Depending on the size of the bank and the nature of anticipated risks and
exposures, the time spent backing up data is minimal compared with the
time and effort necessary for restoration. Files that can be backed up
within a short period of time may require days, weeks, or months to
recreate from hardcopy records, assuming hardcopy records are
available. Comprehensive and clear procedures are necessary to recover
critical networks and systems. Procedures shall, at a minimum, include:
Frequency of update and retention cycles for back-up software and
data;
Periodic review of software and hardware for compatibility with back-up resources;
Periodic testing of back-up procedures for effectiveness in restoring
normal operations;
Guidelines for the labelling, listing, transportation and storage of
media;
Maintenance of data file listings, their contents, and locations;
Hardware, software, and network configuration documentation;
Controls to minimize the risks involved in the transfer of back-up data,
whether by electronic link or through the physical transportation of
diskettes and tapes to and from the storage site; and
Controls to ensure data integrity, client confidentiality, and the
physical security of hardcopy output, media, and hardware.
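Several of the procedure items just listed (maintenance of data file listings with their contents and locations, periodic testing of media to confirm it is still readable, and controls to ensure data integrity in transit) come down to one practice: record a manifest of every file in a back-up set when it is written, and re-verify the set against that manifest whenever it is moved, tested or restored. The Python below is an added example of that practice for this page, not the bank's own tooling; the back-up set it builds in a temporary directory, the file names and the damage it simulates are all constructed.

```python
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List

CHUNK = 1 << 20  # read media in 1 MiB pieces so large dumps do not load into memory


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> Dict[str, dict]:
    """Listing of every file in a back-up set with its size and SHA-256, keyed by relative path."""
    manifest: Dict[str, dict] = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            manifest[rel] = {"size": p.stat().st_size, "sha256": sha256_file(p)}
    return manifest


def verify_backup(root: Path, manifest: Dict[str, dict]) -> Dict[str, List[str]]:
    """Re-read the set and classify every listed file; a read error is reported, not raised."""
    report: Dict[str, List[str]] = {"ok": [], "corrupt": [], "missing": [], "unreadable": [], "extra": []}
    for rel, meta in manifest.items():
        p = root / rel
        if not p.exists():
            report["missing"].append(rel)
            continue
        try:
            digest = sha256_file(p)
        except OSError as exc:  # failing tape or disk: the file is there but cannot be read
            report["unreadable"].append(f"{rel}: {exc.strerror}")
            continue
        (report["ok"] if digest == meta["sha256"] else report["corrupt"]).append(rel)
    present = {p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file()}
    report["extra"] = sorted(present - manifest.keys())  # files nobody listed: worth a question
    return report


def restore_test_passed(report: Dict[str, List[str]]) -> bool:
    """A set passes its periodic test only if every listed file is present and intact."""
    return not (report["corrupt"] or report["missing"] or report["unreadable"])


def _write_sample_set(root: Path) -> None:
    """Constructed back-up set: a database dump and an OS configuration archive."""
    (root / "db").mkdir(parents=True)
    (root / "db" / "core.dmp").write_bytes(b"constructed core banking dump\n" * 100)
    (root / "os-config.tar").write_bytes(b"constructed OS configuration archive\n")


def verify_intact_set() -> Dict[str, List[str]]:
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "set-2015-08-05"
        _write_sample_set(root)
        return verify_backup(root, build_manifest(root))


def verify_damaged_set() -> Dict[str, List[str]]:
    """Same set after simulated media damage: one file altered, one lost, one unexpected."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "set-2015-08-05"
        _write_sample_set(root)
        manifest = build_manifest(root)
        (root / "db" / "core.dmp").write_bytes(b"bit rot\n")
        (root / "os-config.tar").unlink()
        (root / "stray.log").write_bytes(b"not in the listing\n")
        return verify_backup(root, manifest)
```

The manifest itself should travel separately from the media it describes (for example on the shared drive the OFF-SITE STORAGE section mentions, or printed with the courier receipt), since a manifest stored on the same tape cannot tell you the tape is bad.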

OFF-SITE STORAGE
The off-site storage location shall be environmentally controlled and
secure, with procedures for restricting physical access to authorized
personnel. Moreover, the off-site premises shall be an adequate distance
from the computer operations location so that both locations will not be
impacted by the same event. Beyond a copy of the BCP, duplicate copies
of all necessary procedures, including end of day, end of month, end of
quarter, and procedures covering relatively rare and unique issues shall
be stored at the offsite locations. Another alternative to consider would
be to place the critical information on a secure shared network drive,
with the data backed up during regularly scheduled network back-up.
However, this shared drive shall be in a different physical location that
would not be affected by the same disruption. Management needs to
maintain a certain level of non-networked (e.g., hardcopy) material in the
event that the network environment is not available for a period of time.
Reserve supplies, such as forms, manuals, letterhead, etc., shall also be
maintained in appropriate quantities at an off-site location and
management shall maintain a current inventory of what is held in the
reserve supply.
FACILITIES
The BCP shall address site relocation for short-, medium- and long-term
disaster and disruption scenarios. Continuity planning for recovery
facilities shall consider location, size, capacity (computer and
telecommunications), and required amenities necessary to recover the
level of service required by the critical business functions. This includes
planning for workspace, telephones, workstations, network connectivity,
etc. When determining an alternate processing site, management shall
consider scalability, in the event a long-term disaster becomes a reality.
Additionally, during the recovery period, the BCP shall be reassessed to
determine if tertiary plans are warranted. Procedures to utilize at the
recovery location shall be developed. In addition, any files, input work,
or specific forms, etc., needed at the back-up site shall be specified in the
written plan.
The plan shall include logistical procedures for moving personnel to the
recovery location, in addition to steps to obtain the materials (media,
documentation, supplies, etc.) from the off-site storage location. Plans
for lodging, meals, and family considerations may be necessary.

COMMUNICATION
Communication is a critical aspect of a BCP and shall include
communication with emergency personnel, employees, directors,
regulators, vendors/suppliers (detailed contact information), customers
(notification procedures), and the media (designated media
spokesperson). Alternate communication channels shall be considered
such as cellular telephones, pagers, satellite telephones, and Internet
based communications such as e-mail or instant messaging.
PART TWO (2) SPECIFIC PROCEDURES
IV. PROCEDURES
The business continuity planning manual covers all aspects of IT
Operations including but not limited to the following:
a. Business Application Support
b. Technical Support
c. E-Business Support
It focuses mainly on processes and applications managed by IT Group of
the bank. The procedures guiding the execution of BCP are detailed
below:
1. Business Impact Analysis
The business impact analysis shall assist the IT group in analyzing all its
business functions and the effect a disaster may have upon them.
Risks arising out of the following potential business interruptions are
considered below:
i. Natural events
ii. Technical and environmental events
iii. Human Causes
iv. Other failures
v. Outage duration scenarios
Three different outage durations have been considered:
<1 day
1-2 days
>2 days
Outage <1 Day
Diamond Bank Plc runs an online, real-time environment. This implies
that any interruption to the smooth operations of its IT department for a
minimal duration may not adversely affect the business compared to an
extended period of interruption. Applications that can greatly impact the
business of the bank include Flexcube, Swift, ATMs, MS Exchange,
Mobile Banking, Internet Banking, Communication links and UPS. In
such a scenario, the backups to the applications must be ready for
deployment at the hot-site in VI1 on short notice. Because these servers
must be active within the shortest time possible, all backup media tapes
must be within reach of the BCP team. This responsibility lies with the
Head IT Services.
Outage 1-2 Days
A longer outage of 1 to 2 days implies that the bank put in place a
process that can ensure that it can carry out its business as usual so that
its customers are not affected. This involves activating the backup
servers, Communication equipment and UPS at the off site location
within 24 hours. The responsibility of ensuring that this is done lies with
the Head IT Services.
Outage >2 Days
A prolonged outage (> 2 days) due to environmental or human causes
leading to non-availability of phones or people would be the only
situation where there would be a significant loss of customer confidence
if not attended to. The approach in this case would be to relocate the
activities of the IT group to the off-site where backup facilities exist with
communication equipment to connect all the locations affected by the
interruption. This shall be carried out after 48 hours of system downtime.
The responsibility lies with the BCP Team after appropriate approvals
are obtained from the Management.
vi. Impact of potential interruptions
The consequences of each of the above causes and its impact on the
following have been considered, mainly with respect to the support
services that the IT department has been providing to the bank.
i. Financial condition of the business
The direct impact of any outage on the financial position of the
bank would not be much given that it is easy to operate and
maintain business activity at acceptable levels through contingency
planning. However, financial loss due to damage to property,
systems, etc. could be serious. The mitigant to this would be
insurance cover.

ii. Legal and regulatory requirements
The legal and regulatory impact will be in terms of either inability
to produce required documents, delayed reporting or submission of
documents to Regulatory Bodies and delayed interest/returns to its
customers. When caused by circumstances beyond the bank's
control, the impact would be minimal, as the regulators would most
likely be lenient in dealing with such situations; however, the BCP
team shall determine what areas of the bank are affected and shall
initiate recovery procedures in line with the bank's consolidated
Business Continuity Plan.

iii. Internal requirements
The impact of any outage on internal requirements will primarily
be the day-to-day operations of the branches, consolidation of the
reports sent by the branches and the ongoing project teams'
requirements. Also, the following activities may suffer due to the
outage:
Payroll processing
Mandatory reporting to regulatory authorities
Interruption to ongoing projects
iv. External Requirements
The impact of any outage on the bank's external customers may
include but is not limited to the following:
Erosion of Customer Confidence
Litigation due to inability of the Bank to satisfy customer
demands resulting in business losses.
The overall impact arising from these scenarios will be high in case
of duration greater than 2 days outage leading to non-availability of
systems.

Risk Assessment
The risk assessment is the second step in developing a business
continuity plan. It is critical and has significant bearing on whether
business continuity planning efforts will be successful or not.
The following risk areas are considered under risk assessment:
i. Physical Security
The physical security of all IT resources against losses or damage
arising from natural or man-made sources cannot be
overemphasized. Physical security covers the following:

Access Doors/Locks (Biometric, Swipe Cards, etc.)
CCTV
Security Guards/Authorisation Forms
Physical security involves all measures that DB plc employs to
control unauthorized physical access to its IT Hardware, Software
and Network Infrastructure. It also includes measures to prevent
individuals with ulterior motives from compromising the
Databases, Network Infrastructure, Applications, etc.
DB Plc. operates a centralized system, implying that all the
Application/Database Servers are situated in the Head office. This
equipment is protected from unauthorized access by intruders
through the use of biometric access doors.
All IT personnel, staff of DB plc or external vendors are required to
tender a free passage form before leaving the premises of the bank
with any Hardware or Software. Other measures adopted shall
include the use of CCTV devices to monitor the office environment
and IT resources where necessary.
For all DB plc subsidiaries or branches, physical movement of
equipment must be properly documented and a copy made
available to the Resident Internal Control Officer or IT Support
Officer in that location for record purposes.
ii. Backup Systems
Each live application and database server has a redundant backup
currently located in the Head Office Systems room.
In order to ensure that there is no loss or interruption to business
arising from destruction of this equipment, all redundant backups
to the live servers must be re-located to the remote Disaster
Recovery hot site of the bank and connected via a high speed
fibre-optic channel or microwave link for online replication. This
ensures that the backup systems are updated instantly, while
restoration of Tape media is manually done.
In addition to the online backup, offline backup must equally be
maintained as a fallback when all else fails. Based on DB's backup
policy, all applications and database servers are backed up daily
onto 24GB/40GB/72GB DAT cartridges and 800GB Ultrium Tapes.
For redundancy, 2 sets of the backups are taken: one copy is kept in
the media safe in Head office while the second copy is kept in the
Offsite safe at Marina Branch. These backups shall be periodically
restored at periods to be determined by the BCP team for
consistency checks.

iii. Data Security
The importance of data security in any organisation cannot be
over-emphasized. Therefore, the way and manner in which data is
maintained or managed can make or mar any organisation.
In order to ensure that data is protected from unauthorized access,
DB plc must put in place adequate security measures to safeguard
sensitive data.
Creating user profiles with login passwords is a way of enforcing
this security. The Bank must ensure that no single individual is the
sole administrator for an application by segregating functions.
After daily backups are taken, the tape media are stored in a fireproof data safe and periodically restored at the hot-site to ensure
data integrity at periods to be determined by the BCP team.

iv. Personnel
These are the skilled individuals that manage the applications and
databases to ensure Business continuity at all times.
DB plc must as a matter of policy ensure that its IT personnel are
adequately equipped to manage the various processes and
activities involved in the operations of the bank. Regular training of
its IT personnel must be undertaken continuously.
IT Staff must be properly trained and backups for each specialized
function must exist as a contingency measure. The BCP team must
be made up of members drawn from each arm of the IT group (i.e.
BAS, TS, & E-Business Support).

v. Exposures
In order to adequately respond to any disaster that may affect
business continuity, it is necessary that the BCP team identify
aspects of its operations that are most vulnerable to attacks and
take steps to mitigate such exposures.
Such areas include the Communication Networks, databases,
file/application servers, etc. There should be adequate backups for
these located at the hot-site. The responsibility of ensuring that
this is in place falls on the Head IT services.

2. Initiation of BCP
Various activities are required to be performed before initiation of the
BCP can begin. These activities can be classified into the following
areas:
i. Identification of BCP team members
The Head IT Services under approval of the ED Customer Services
& Technology shall identify various members of the IT group who
will form part of the BCP team. All persons will be apprised of the
current situation as well as the process in establishing business
contingency at the hot site/off site location. In addition, the IT
steering Committee and ICG/Inspection shall be advised.
ii. Initiating preliminary infrastructure activities required for
smooth running of the BCP
Preliminary infrastructure activities consist of the following:
1. Initial preparation of the space identified for movement of key
personnel by hot-site/off-site personnel.
2. Transportation of key personnel to the hot site/off site location.
The Administration department shall coordinate this.
3. Informing key customers of the situation that has arisen and the
alternate contact location as identified in the BCP (The Corporate
Communications Unit shall undertake this responsibility)

iii. Education Strategy
The following is the strategy for education of all employees of
Diamond Bank Plc about the BCP plan and its ramifications:
Copies of the BCP plan will be made available in all branches
and the head office.
Copies of the BCP plan will be made available to all the
employees on the LAN in a sharable folder or on the Intranet.

iv. BCP response team and responsibilities
The BCP response team is responsible for ensuring that the BCP
plan protects the bank's information and computing resources. The
bank's BCP response team will annually revise the BCP Plan.
ED Customer Services & Technology shall oversee the activities of
the BCP response team, which has representation from various
units of IT Services.
In case any significant change occurs in the business environment,
such an event shall trigger a review of BCP Plan to incorporate
suitable revisions.
Examples of such changes are:
Addition or closure of a branch
Significant changes in Telecom network/Data Center setups
Acquisition of New Hardware/Software
The team will ensure that the BCP plan is maintained and updated
to reflect changes in the environment and other factors that affect
the plan's viability with specific emphasis on the bank's chosen IT
strategies.
3. Containment Strategy
Containment refers to the measures adopted by the BCP team in
averting if possible or mitigating the impact of a disaster. The BCP
team shall evaluate the situation following a disaster and
consequently decide which contingency measure shall be applied to
contain the effects of the disaster.
i. Response to fire
1. The bank currently has an FM200 automatic fire retardant
system installed in the Systems room in Head office and at the
hot-site in (Adeola Hopewell Branch) VI1. It is configured to
discharge in event of fire outbreak.
2. A mobile fire extinguisher is available in the Systems room for
handling fire of a lesser magnitude.
3. Where any equipment is damaged, the BCP response team shall
assess the damage, and determine its impact on the continuity
of the business.
4. Where replacements are required, the BCP team shall seek
management approval to replace.

ii. Other - earthquake, riot, etc.
Each situation will be tackled based on actual impact and response
time available.
General guiding principle would be a common sense approach as
decided by the BCP Response Team, viz.:
1. Determine the extent of damage to the IT infrastructure and
liaise jointly with other arms of the bank to determine the
general course of action.
2. In case of bomb scare or earthquake, steps of evacuation similar
to fire evacuation will be taken.

iii. File Server(s) / LAN down
The IT department is responsible for ensuring that the Application
Servers, File Servers, LAN and WAN are up and running at all
times. In the event of a crash, the Head of the affected unit(s) shall

alert the IT Helpdesk to ensure that users are informed and
alternative arrangements made to handle customers. Furthermore,
all necessary actions to bring up the Servers/Network as quickly as
possible shall also be undertaken by the affected unit(s).
The appendices (I, J, and K) refer to the business impact analysis
chart highlighting key applications and their administrators or first
level contacts. Secondary contacts are also listed and this would
serve as backup where the primary responsible person is incapacitated.
iv. Power down
In the event of a planned power outage wherein there is prior
intimation by the electricity authorities, the Head Administration
Department will ensure that all the generator units are operational
and inform the IT personnel who may shut down some of the
Servers if required to conserve UPS power. Only the critically
needed servers will be kept on. In the event that the outage is
unplanned, the Head of the Administration Department will liaise
with the Electricity personnel to get the power supply restored as
soon as possible.
The bank currently has 3 diesel generators of varying KVA
capacities to provide for power when there is a failure in supply
and the Data Center has a dedicated generator that is connected to
the UPS. If for any reason the power outage continues for a longer
period, additional generator units can be hired.
The hot-site must have a standby power supply system to act as
backup in the event of power loss or interruptions. In addition a
standby UPS must be located at the hot-site.

v. Telephones / EPABX / Microwave link down
If telephone equipment stops functioning, the operator / receptionist will be informed (and will thereafter inform the ITS Helpdesk or any IT personnel) so that the defective instrument is fixed or replaced as soon as possible.
In the event that the EPABX stops functioning, the operator / receptionist will inform the Head of the IT Department, who will liaise with the Vendors to get the EPABX functioning as soon as possible.
The cell-phones and direct lines provided to key personnel (including some members of the BCP response team) would be used to handle such outages. Telephone instruments can also be connected directly to the telephone lines and the calls attended to by the operator / receptionist.
A schedule of all Support Staff contact numbers shall be circulated to all branch CSMs and Managers, including the Regional CSMs, as alternatives where the regular telecommunication facilities are unavailable in the bank.
In the event that either the voice channel, or the data channel, or both channels of the frame relay/microwave/satellite link go down, the ITS Helpdesk or any member of the IT department shall be informed. The IT department will liaise with the concerned vendor to have the link restored as soon as possible. The DB network incorporates redundancy across all branches as a backup measure.
4. Applications and Contingency Plans

i. Internet Banking
Diamondonline is a fully functional Internet banking application where prospective and regular customers can request specific financial services offered by the bank via the internet. In order to minimize failure and ensure that the application is up 24/7, three servers (Web, Application and Database servers) have been identified as critical for the continuous functioning of this service. These Servers act as the live systems, with two servers as backup. One server backs up the database while the other backs up the web and application servers.
Any of these servers could be swapped from live to backup within a short space of time if and when necessary, to reduce service downtime in times of crisis.
The Database server, which hosts the details of customers created for this service, also doubles as the Microsoft Message Queuing (MSMQ) server and Primary Domain Controller. A backup database server with the same configuration as the live one is provided for BCP.
The dbonline domain, which has the database server as its primary domain controller, hosts the Internet banking servers. This domain has a trust relationship with the diamondbank domain, which is necessary for connectivity to the main Flexcube host database. The web server has two gateways, one internal for local networking and the other external for internet access.
21st Century Technologies acts as the Bank's Internet service provider by providing the primary links between our customers and the Internet banking application. GS Telecoms on the other hand provides a backup link to the application.
The BCP plan includes continuous testing of the critical systems to ensure that the services work as planned under contingency situations.
The quarterly backup from the live servers is restored on the backup server at the beginning of each new quarter. There is also a provision for periodic server swaps to ensure the readiness of the servers. Tape backups of the database are done weekly and checked for integrity immediately after the backup process. The live and backup systems have the same IP addresses and are on the same domain. This is to ensure that downtime for server swapping is minimized and configuration changes are not required to bring up the site on the backup systems. Furthermore, all tested patches on the backup servers are deployed to the live system to ensure they are in sync.
Two Administrators manage the Internet Banking servers. In addition, a simple checklist of activities has been documented to enable any technical personnel within the group to run the various processes on the servers under contingency situations. The detailed business impact analysis can be found in Appendix K.
ii. ATM
The Automated Teller Machine (ATM) (branded as Any Time Money in DB PLC) enables any internal or external customer of the bank to withdraw cash and also carry out other basic banking activities, outside the banking halls and beyond banking hours. As an extension of the Bank's network, the ATM serves to reduce queues in the banking halls and, in the long run, minimize the cost of servicing customers.
In order to ensure high availability of the ATM service, a contingency plan that reduces service failures to the barest minimum has been considered.
The goal of the contingency plan is to ensure that all ATMs at DB plc branches connect to the Head Office Servers through any of the following media: LAN, ISDN or VSAT.
Each ATM room has two network points which are connected to the branch switches. Where a point experiences failure, the ATM shall automatically be switched to the backup point. Spare network cables also exist in the ATM room to replace any defective one.
VSAT or ISDN links connect ATMs at customer locations to the Head Office Servers. At present, the links are fully dependent on the Service Providers, so the contingency plans for the links depend on them. However, the Bank has established Service Level Agreements with the link providers to ensure minimal downtime.
Four systems form the core of ATM operations. These are the ATM Controller, Channel Manager, Card-World Producer and ATM Distributor.

A similar set of servers has been configured to act as backups to the ATM Controller and Channel Manager servers in the event of failures. Backup systems are not provided for Card-World Producer and ATM Distributor because they are offline systems that do not impact transactions and could be fully re-installed within a period of 4 hours at the most. Backups of the live servers are taken daily and copies are restored every morning on the backup servers.
All applications on the live servers are installed on the back-up servers, with the exception of one (the Bankworld ATM Manager for opening and closing ATMs), which is installed on three clients that can be connected to the back-up server network. All modifications on the live servers are normally replicated on the back-up servers, including patches and updates.
There are presently two administrators working on ATM-related issues under a supervisor. A quick-fix document has also been drawn up to ensure that any administrator within the E-Business Support Unit can handle the processes involved.
The detailed business impact analysis can be found in Appendix K.
iii. PC Banking
The PC banking application provides customers with access to their accounts via dial-up. It offers: balance enquiry, term deposit, FX-rate enquiry, interest rate enquiry, mini statement, cheque book request, stop cheque, statement request via e-mail, fund transfers between accounts and bill payment. The application is hosted on HP Proliant Live and Backup Servers situated in the Server room at the Head Office complex.
The detailed business impact analysis can be found in Appendix K.

iv. Tele Banking
The bank's Tele banking application provides customers with account enquiry access by telephone. Account balances, among other services, can be verified via this medium. The application is hosted on HP Proliant Live and Backup Servers situated in the Server room at the Head Office complex. The detailed business impact analysis can be found in Appendix K.

v. Mobile/ SMS Banking
This is a new service offered by the bank to customers, leveraging the short message service feature of GSM technology. The application is hosted on HP Proliant Live and Backup Servers situated in the Server room at the Head Office complex. The detailed business impact analysis can be found in Appendix K.
vi. Valucard
The bank is a member of the consortium of banks offering Valucard in the country. The Valucard servers are located in the server room along with the backup servers. The detailed business impact analysis can be found in Appendix K.

vii. Debit cards / ATM
The evolution of electronic banking, coupled with the bank's focus on electronic services, has made the Debit card / ATM application a key selling tool for the bank. The ATM servers are also located in the server room with the backup servers.
The backup servers are swapped quarterly for a live test to ensure viability. The backup procedure for these servers is as detailed in the Standards and Procedure document. The detailed business impact analysis can be found in Appendix K.
viii. Goldcard
The Savings Goldcard is a secure and convenient means of identifying DB Plc Savings account holders. The card contains relevant customer information such as the customer's name, photograph, signature, branch code, account number and other mandate details. The use of the card is open to all savings account holders.
With this card, account holders can conveniently withdraw cash from DB branches other than the branch where their accounts are domiciled.
In order to enhance the services of the Savings Goldcard product, a user-friendly, multi-user interface application known as Card Soft has been introduced by the Bank. The introduction of the multi-user interface is required to decentralize the process of data capture from Head Office to the branches. The database resides on the Mobile banking Server in the Head Office Systems room. The detailed business impact analysis can be found in Appendix K.

ix. MessengeX
This is a new service offered by the bank to customers, leveraging the bulk short message service feature of GSM technology. It facilitates the dissemination and retrieval of information via Bulk SMS to the bank's internal and external customers. The application has Server and Client versions. The server application is integrated with Microsoft Exchange Server 2003 for message dispatch via MS Outlook. The server would be situated in the Server room at the Head Office complex. The backup server would reside at the E-Business Support Unit office. The detailed configuration is as stated in the Standards and Procedure document. The detailed business impact analysis can be found in Appendix K.
x. Credit cards
The Credit card / ATM application of the bank is in the design stages; it is expected to be operational soon and will be included in the BCP plan at a later date. The detailed business impact analysis can be found in Appendix K.

xi. NACS (ECPIX & KD Applications)
The bank (which is a member of NIBSS) has completed the implementation of the Nigerian Automated Clearing System (NACS) project.
The following disaster recovery guidelines given by NIBSS (Nigerian Inter-bank Settlement System plc) and CBN (Central Bank of Nigeria) have been adopted by DB PLC.
The bank has procured backups for all equipment used in the NACS project, such as the Reader/Sorter, Servers and all ancillary equipment such as Modems and Routers used for NACS operations.
Details are as provided in the Business Impact Analysis in Appendix K.
Two types of processes are involved in the automated clearing process: the first (Kliendienst-KD) involves capturing the data and generating the transmit file, while the second part (ECPIX) involves transmission of the encrypted data file to the NIBSS database. In order to ensure consistency, the live ECPIX server is backed up and restored to the ECPIX backup server daily. Part of the BCP requirements is to ensure that the backup servers exist in a remote location apart from the live system. However, due to manpower considerations, this may not be entirely feasible. An alternative is to put a microwave link between the live and backup sites for online replication.
There is currently no defined backup strategy for the KD capture system. However, a full backup of the images and data files is done regularly. NACS operations may be greatly impacted if the BCP team does not take proximity as a requirement in setting up the hot-site, because a considerable movement of manpower and resources is required to make the hot-site active within the shortest time possible in the event of failure. The detailed business impact analysis on the NACS system can be found in Appendix I.
xii. Flexcube Corporate
This is an integrated banking solution used for processing all Loans & Deposits, Money Market transactions, Journal Entry, Balance Sheet maintenance, General Ledger maintenance, etc. The application is hosted on an HP Proliant Server in the Head Office. BAS staff shall be responsible for the administration of the application in DB plc, while Iflex-Solutions Ltd, India, are the application vendors. Two sets of Tape backups are done daily by BAS staff during End of Day. A detailed business impact analysis can be found in Appendix I.

xiii. Flexcube Retail
This is an integrated banking solution used for processing all Retail Banking transactions. The application is hosted on an HP Proliant server at the Head Office. BAS staff shall be responsible for the administration of the application in DB plc, while Iflex-Solutions Ltd, India, are the application vendors. Two sets of Tape backups are done daily and the detailed business impact analysis can be found in Appendix I.
xiv. Xceed (HRM Application)
Xceed People Management (Xceed PM) provides a powerful platform for building, defining and managing people-asset policies and strategies throughout the people management spectrum. With extensive coverage of all areas of people management, Xceed PM provides modules for Recruitment, Training and Development, HR Administration Services, Performance Management, Career Planning, Compensation Management, Separation and Benefits Administration. Xceed PM makes it easy for the knowledge worker to interact with the HR Department through its .NET Self Service Module, which includes complete process automation for virtually every aspect of People Management. The application is deployed on two HP Proliant ML370 Servers, with one as the live and the other as backup. The detailed business impact analysis can be found in Appendix I.

xv. SWIFT
SWIFT is an acronym for the Society for Worldwide Inter-bank Financial Telecommunications. It is an application that enables financial institutions to conduct transactions electronically in any part of the globe.
Diamond Bank, as one of the SWIFT users, is connected to the SWIFT network via a leased line. There are two HP Proliant Servers, one live and the other backup, both of which reside in the head office. Two administrators from BAS are responsible for the maintenance of the application, and the user base consists of the International Operations (INTOPS) and Treasury Operations (TROPS) units. Tape backups are done daily. The detailed business impact analysis can be found in Appendix I.
xvi. Service Desk Manager
This is a helpdesk application developed in-house. The application is web-enabled, allowing any user to log in from his/her workstation and post any problem through the intranet. The IT Service desk is manned by two staff drawn from the 3 units of IT on a rotational basis. Users log their problems online and alerts are sent to them confirming the log; these issues are then resolved online or escalated to backend engineers by the Service desk operators. The service desk application is hosted on an HP Proliant Server in the Head office. Backups to tape are done daily. The detailed business impact analysis can be found in Appendix I.

xvii. Fixed Assets
This application is used by the Financial Control and Admin Units to monitor and maintain the bank's Fixed Asset and Inventory items. The application is hosted on an HP Proliant server in the Head Office and updated regularly, following which a handoff file is generated and uploaded to the banking application (Flexcube). Backup is done daily to Tape. The detailed business impact analysis can be found in Appendix I.

xviii. Microsoft Exchange Server 2003
This is the bank's Enterprise Messaging Application, which is hosted on two HP Proliant Servers in the Head office. It is managed by two administrators drawn from TSU. The application runs on the Windows 2003 server operating system. Tape Backups are done daily. The detailed business impact analysis can be found in Appendix I.
xix. Internet Acceleration Server 2000
This application acts both as the Firewall and Web proxy. The application is hosted on an HP Proliant server in the Head office and managed by two administrators from TSU. Backups are done monthly. The detailed business impact analysis can be found in Appendix J.
xx. Windows XP/2000/2003
Three Operating System platforms exist in Diamond Bank plc, viz. Windows XP, 2000 and 2003. The Domain Controllers are hosted on Windows 2000/2003 servers in the Head office and managed by two administrators from TSU. The flexible structure allows redundancy for all authentications in the DB plc domain. The servers have backups located in the Head Office server room. The detailed business impact analysis can be found in Appendix J.

xxi. HP-Unix 11.11 OS
The HP-Unix Operating System hosts the bank's Oracle database application. It is resident on two HP RX8640 Servers located in the Head office and at the hot-site at the Victoria Island branch. It is managed by two administrators drawn from TSU. The servers are regularly failed over to test Disaster Recovery readiness. The detailed business impact analysis can be found in Appendix J.

xxii. EPO
This is the E-Policy Orchestrator Application from Network Associates. It is the Antivirus Management Console and is used for the deployment of enterprise-wide Anti-virus Solutions in DB plc. The application is hosted on an HP Proliant Server and managed by an administrator from TSU. Tape backups are done on a quarterly basis. The detailed business impact analysis can be found in Appendix J.
xxiii. Windows 2000 Active Directory
This application is used for Domain user administration. Authentication of all network objects in the diamondbank.com domain is done using this application. It resides on HP Proliant Servers in the Head Office. The detailed business impact analysis can be found in Appendix J.
xxiv. Ms Outlook 2000, XP, 2003
This is the Microsoft mail client application deployed in Diamond Bank plc. It interfaces with Exchange Server 2003 and is used for electronic message delivery bank-wide. The application comes embedded in the Windows XP, 2000 and 2003 operating systems. The detailed business impact analysis can be found in Appendix J.
xxv. ZyImage
The ZyImage Document Solution is used for the conversion of physical documents to electronic format for archiving purposes. The application is installed on an HP Proliant Server running the Windows 2000 Operating System. The Application is managed by an Administrator from BAS, while its server is located in the Data centre at Head Office.
The detailed business impact analysis can be found in Appendix I.
Communication Hardware
The bank has in its inventory an array of Communication equipment that interconnects the Head Office and all branch locations. There are also communication links to its ATM kiosks situated within the LAN, with extended facilities to the WAN.
Some of the equipment includes Cisco Routers and Switches, Siemens EPABX units, VSAT equipment, Microwave Radios, Fiber optics, etc.
There are currently nine (9) service providers, namely: GST, IPNX, VDT, 21st Century Technologies Ltd, DCC, ITECH, SUB-URBAN, Direct-On-PC, EVOL and SWIFT.
GST provides primary links to 19 branches and secondary links to 2 branches.
IPNX provides primary links to 18 branches and secondary links to 7 branches.
VDT provides primary links to 10 branches and secondary links to 10 branches.
21st Century Technologies Ltd provides primary links to 8 branches and secondary links to 7 branches.
DCC provides primary links to 20 branches and secondary links to 2 branches.
ITECH provides a primary link to one branch and secondary links to 3 branches.
SUB-URBAN provides a primary link to one branch.
Direct-On-PC provides primary links to 7 branches.
EVOL provides secondary links to 4 branches.
SWIFT provides secondary links to 3 branches.

The network has been configured to fail over from a primary link to a secondary link in the event of failure at any of the branches. This involves an initial re-routing by TS personnel and subsequent contact with the vendor.
In a situation where the Head Office (which warehouses the live communications equipment) is affected by a disaster, the hot-site in VI1 can be activated immediately.
The detailed business impact analysis can be found in Appendix J of this document.
5. Recovery Strategy

i. Offsite backup / storage of vital records
The following procedure will be followed to safeguard against loss of on-line data or software that exists on the Application and File Servers and other systems.
A complete backup of all the data and software that exists on all the disks of all the Application and File Servers and other critical systems at the Data Center in Head Office will be taken on media (Data Cartridges / Tapes) as per the backup strategy (as defined in the Standards and Procedures Document for ITS). These shall be kept in the media-proof safes at the on-site and off-site locations. Two registers are maintained, one in the off-site safe and the other at the Data Center itself. They shall contain details regarding the media numbers and the contents of each Data Cartridge.
The core banking application comprises two databases, one for corporate banking and the other for retail banking, which currently run on separate HP-UX 8400 RISC servers at the Data Center.
A hot-site with a similar server configuration hosting both databases has been completed. Replication has also been set up between the servers at the data center and the hot site through a fiber link, such that the servers have the same data and can be activated within a short time. All branches can be configured to connect to the off-site server in emergency cases. The HP Proliant server series is used for application servers at the branches. The IT department maintains one server of the same series as a redundant server at the Data Center and one at each of its four regional headquarters, so that it can be shipped to any of the branches at short notice if required. The data in the branches is backed up daily and is kept in a media-proof safe. This can be used to restore the redundant server, which can then be made operational within a short time. This is in addition to the maintenance contracts the bank has with its hardware and software vendors. All important telephone numbers and addresses, including those of employees, utility contacts, vendors, police, insurance, contractors, etc., will be an integral part of the BCP plan. The Systems and Procedures manual can be consulted for more details on the various backup and restore procedures used.
All backup media shall be stored in the fire-proof safes at the Data Center, the off-site location (Marina branch) and all DB plc branches.
ii. Restoration of processing at Head office / Branches
Based on the damage assessment done by the BCP Response Team, the team will determine the time, effort, cost and logistical requirements necessary to restore business continuity operations at the locations by carrying out the following:
1. Identify and list the items, in consultation with a civil engineer if required, to assess the extent of damage.
2. Estimate the cost of re-installing the equipment.
3. Estimate the time required for re-installing.
4. Prioritize the tasks to be done.
5. Obtain the necessary approvals.
6. Begin the work.

6. Testing Strategy

i. Coverage and Scope
The BCP plan also implements a testing strategy to ensure that essential services necessary for business operations work as planned.

ii. Methodology
The IT department tests the areas described above in a systematic manner. The component(s) in each area are tested and the test results documented. Testing verifies whether each component works when subjected to a situation that is close to, or duplicates, what is expected in a business contingency.

iii. Frequency
Testing is carried out at the head office and a sample branch location at least once per year. The Head, IT Services determines whether the tests need to be run, as well as the frequency of testing where more than one run is required. Each test is run at least once and repeated if there is a failure.

iv. Coverage
There are seven areas that are identified for inclusion in the testing
strategy.
These are as follows:
1. Critical services
2. Hardware
3. UPS
4. EPABX
5. Media
6. Communication Links
7. People
Each of these areas is described in detail in the section below. The scope of this strategy refers in particular to the Head office.
Critical Services
Services that have been termed critical include Flexcube, NACS, MS-Exchange, SWIFT and the ATMs.
The Core banking application database runs on two HP-RX8640 Servers. The hot site also hosts a replica, connected via a high-speed fibre-optic backbone for online replication. The detailed backup procedure for these servers is in the Standards and Procedure document.
Uninterruptible Power Supply (UPS)
The UPS is indispensable equipment required for supplying power, especially when regular power from the electricity provider is not available or is cut due to emergency measures.
All UPS units at the bank have been elaborately designed and have a built-in capacity to handle extra power requirements. Such power requirements have been analyzed and projected at the procurement stage itself, and there would normally be no modification to the existing units to handle extra power requirements.

EPABX
In line with planning for business contingency, the EPABX at the hot site/offsite location has been planned and ordered with extra capacity.
In addition to this, basic communication services for key people are ensured through the use of multiple direct lines as well as mobile phones that have been issued to these key people. Customers may contact the bank through the direct lines as well as the mobile phones that have been issued.
The list of direct lines and mobile phone numbers is available through the Administration department and is regularly updated and communicated to all employees at the bank.
Media
The IT department underscores the need to have the same media available at both the on-site and hot site/off-site locations to ensure effective business continuity. In this regard, the Head, IT Services ensures that all critical media are stored at both locations and maintains an inventory of them. Hence the downtime is reduced.
Communication Links: availability of redundant links
The bank currently uses multiple technologies and vendors to establish connectivity to its various branches; it uses microwave links to connect to its service providers from its head office and the branches, and is in the process of ensuring that these lines have an effective backup/redundant link. The ATMs are also connected to the existing network.
In order to ensure business contingency, these links have been configured to provide redundancy at any location.
The performance of these links is tested from time to time according to the procedures and checks described in the Standards and Procedures document.
Routers will be configured so that generated packets automatically flow over the redundant link if any one link goes down.
People
The IT department has duplication of skills. Thus, in any situation requiring business contingency, it can deploy to the hot site/off-site location personnel having the same skills as those at the on-site location. These personnel regularly undergo skills updates, giving the bank the ability to deploy them quickly at any location.
7. Testing Plan
The bank tests critical services at least once per year. The following is a detailed explanation of the procedures used to check each service. Multiple checklists are provided to ensure that tests are documented. A sample of the testing checklist is shown in Appendix J of this document.

The services can be divided into 4 areas:
1. Data Center services (Applications, hardware, communication links)
2. EPABX
3. UPS facilities
4. Fire prevention equipment
1. Data Center Services
Data center services comprise managing the core banking application, the hardware, and the communication links that support the banking application, the ATM/Credit card servers, the NACS servers and other services.
Each service is tested via a defined procedure at least once a year, not necessarily on an end-to-end basis. Each test process is described for the specific component.
i. Core banking application-Flexcube
The aim of testing the application is to duplicate the on-site main server at a hot site/off-site location. The priority is to recover the complete data from the tapes and check whether this server can be made operational.
Successful testing is established by checking that the data on both servers is the same and that all fields are operational. This testing will be done by BAS personnel under the supervision of a BCP team member.
ii. NACS server
The data from the backup tapes is restored to the backup server and the data integrity is verified. This is in addition to checking by shutting down the main server and allowing the secondary server to handle the transactions.
Successful testing is established by checking that the backup server is able to process the instruments, that the data on both servers is the same and that all fields are operational.
This testing is to be performed by BAS personnel under the supervision of a BCP team member, and the results verified by the Clearing unit.
iii. Hardware availability
Availability of the required hardware should be ensured for installing the core banking application, as well as the NACS server, at the hot site/off-site location.
Availability is ensured both during the test and during a business contingency by obtaining confirmation from the person in charge of the hot site/off-site location when the core banking application and the Credit card/ATM server/NACS server restoration tests are in effect.
iv. Communication Links
During any business contingency, it must be ensured that the communication links will work at the hot site/off-site location. These links are especially essential for the core banking application and the Credit card/ATM services/NACS services.
The testing process is as follows:
1. Run the ping command to reach all servers in the hot site/off-site location. The ping command should result in a response time of less than or equal to 30 ms.
2. Run the tracert command to ensure effective packet delivery to internal as well as external locations.
3. Perform a loop test locally.
4. Perform a digital loop test end to end.
5. Contact the Primary Service Provider to determine the likely period of restoration.
6. Fail over to the secondary link.
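As an added illustration of the ping criterion in step 1 (not part of the bank's policy or tooling), the following Python script parses the output of the Windows ping command captured for each hot-site server and fills in the Status and Remarks columns of the testing checklist. The host names, addresses and ping transcripts are constructed placeholders.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Acceptance criterion from the testing plan: every hot-site server must answer
# a ping with a response time of 30 ms or less (and, implicitly, answer at all).
RTT_LIMIT_MS = 30

# Constructed sample output in the Windows "ping" format the checklist refers to
# (DOS command prompt at the hot site). The host names and addresses are
# placeholders, not the bank's real servers.
SAMPLE_PING_OUTPUT = {
    "hotsite-flexcube": (
        "Pinging hotsite-flexcube [10.0.0.11] with 32 bytes of data:\n"
        "Reply from 10.0.0.11: bytes=32 time=12ms TTL=128\n"
        "Reply from 10.0.0.11: bytes=32 time<1ms TTL=128\n"
        "Reply from 10.0.0.11: bytes=32 time=9ms TTL=128\n"
        "Reply from 10.0.0.11: bytes=32 time=14ms TTL=128\n"
    ),
    "hotsite-nacs": (
        "Pinging hotsite-nacs [10.0.0.12] with 32 bytes of data:\n"
        "Reply from 10.0.0.12: bytes=32 time=28ms TTL=128\n"
        "Reply from 10.0.0.12: bytes=32 time=45ms TTL=128\n"
        "Request timed out.\n"
        "Reply from 10.0.0.12: bytes=32 time=31ms TTL=128\n"
    ),
}

# "time=12ms" is a measured value; "time<1ms" means under one millisecond.
REPLY_RE = re.compile(r"^Reply from \S+: bytes=\d+ time([=<])(\d+)ms", re.M)
TIMEOUT_RE = re.compile(r"^Request timed out\.", re.M)


@dataclass
class LinkResult:
    host: str
    sent: int
    received: int
    max_rtt_ms: Optional[int]  # None when no reply came back at all

    def passed(self, limit_ms: int = RTT_LIMIT_MS) -> bool:
        """Yes/No column of the checklist: no loss and every reply within limit."""
        return (
            self.sent > 0
            and self.received == self.sent
            and self.max_rtt_ms is not None
            and self.max_rtt_ms <= limit_ms
        )

    def remarks(self, limit_ms: int = RTT_LIMIT_MS) -> str:
        """Remarks column: spell out which criterion failed, if any."""
        notes: List[str] = []
        lost = self.sent - self.received
        if lost:
            notes.append(f"{lost} of {self.sent} requests lost")
        if self.max_rtt_ms is not None and self.max_rtt_ms > limit_ms:
            notes.append(f"max RTT {self.max_rtt_ms} ms exceeds {limit_ms} ms")
        if self.max_rtt_ms is None:
            notes.append("no reply received")
        return "; ".join(notes) if notes else f"max RTT {self.max_rtt_ms} ms"


def parse_ping(host: str, output: str) -> LinkResult:
    """Parse one ping transcript into sent/received counts and the worst RTT."""
    rtts: List[int] = []
    for op, value in REPLY_RE.findall(output):
        # Treat "time<1ms" as 0 ms: it is below the resolution of the tool.
        rtts.append(0 if op == "<" else int(value))
    timeouts = len(TIMEOUT_RE.findall(output))
    return LinkResult(
        host=host,
        sent=len(rtts) + timeouts,
        received=len(rtts),
        max_rtt_ms=max(rtts) if rtts else None,
    )


def run_link_test(outputs: Dict[str, str]) -> List[LinkResult]:
    """Evaluate the ping transcript captured for every hot-site server."""
    return [parse_ping(host, text) for host, text in outputs.items()]


def checklist_rows(results: List[LinkResult]) -> List[Tuple[str, str, str]]:
    """Rows for the testing checklist: (activity, status Yes/No, remarks)."""
    return [
        (f"Ping from hot site to {r.host}", "Yes" if r.passed() else "No", r.remarks())
        for r in results
    ]


if __name__ == "__main__":
    for activity, status, remark in checklist_rows(run_link_test(SAMPLE_PING_OUTPUT)):
        print(f"{activity:<35} {status:<4} {remark}")
```

A lost request or a single reply above 30 ms marks the link "No", so the Remarks column records the exact reason for the tester and the BCP team member supervising the test.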
2. UPS
UPS power is essential during a business contingency, especially when regular power is not available. UPS units at the bank are purchased with extra capacity of at least 20% above the on-site requirement.
The power a UPS must be able to deliver is the power requirement of the hot site/off-site location plus an additional margin of at least 20%.
The test process is as follows:
1. Calculate the current power requirement at the hot site/off-site location.
2. Calculate the current requirement at the on-site location.
3. Ensure that the hot site/off-site UPS provides at least 20% capacity above the on-site requirement.

4. Ensure that a spare UPS is tested and working.
5. Ensure vendor maintenance certificates are up to date.
6. Ensure that early warning facilities exist to alert the responsible staff of any power loss to the equipment resulting from power fluctuations.
There are two 120 KVA UPS units located on the ground floor of the Head Office. These are connected in parallel, one active and the other passive, with automatic failover in case of power loss or fluctuation. There are also two 10 KVA UPS units located at the hot site in VI1; they are linked in parallel with automatic failover in case of power loss.
All the UPS units in both locations are equipped with SNMP cards that send alerts to all IT staff through SMTP whenever there is a failure on any of the equipment. The UPS in the Head Office has also been equipped with an audible alarm connected to the TS department to notify staff of any problems with the UPS.

3. EPABX
EPABX testing must ensure that, during a business contingency, basic phone access to and from the bank is possible. The aim of the test process is to ensure that capacity is available and working at the hot site EPABX.
The testing process is as follows:
1. Check at least 2 extensions in each group by dialling internally and externally, accessing the voice mailbox, and using the p-codes provided.
2. Disconnect at least 5 lines from the PABX (one should be the hunting number) and reconnect them to direct lines. Ensure that all are working properly and can receive/dial out.
3. Ensure the software license codes for the PABX are available.
4. Ensure additional equipment capacity (such as instruments and extensions) is available.
5. Ensure key people are reachable by mobile phone.
4. Fire Prevention Equipment
Fire prevention equipment must be tested and working at all times. Testing of the fire alarm system is done at least once during the testing period.
The testing process can be detailed as follows:

1. All fire alarms and controls are available at strategic locations throughout the bank.
2. Each alarm is tested at regular intervals by the vendor and such testing is documented by certification. These certificates are available with the Administration/maintenance department.
3. The fire alarm control panel must show during testing where an automatic or manual alarm has been triggered.
4. The vendor has conducted fire prevention training for staff and records exist. These training records are available in the Administration/maintenance department.
5. Designated fire wardens are certified to conduct fire drills and are familiar with fire extinguishing methods.
6. Fire extinguishers and fire exits are clearly marked throughout the site and are easily accessible by staff.
7. Appropriate types of fire extinguishers are available throughout the site.
V. ROLES AND RESPONSIBILITIES
1. BCP RESPONSE TEAM
The response team shall be responsible for:
i. Preparation of the BCP plan.
ii. Testing of the BCP plan and making suitable amendments.
iii. Activation of the BCP plan in the event of a business interruption.
iv. Assessing damage and determining outage duration.
v. Informing relevant entities.
vi. Initiating corrective action.
vii. Documenting experience and amending the BCP plan as necessary.
2. SAFETY/DEPUTY SAFETY OFFICER
The Safety/Deputy Safety Officer (a designated staff member in the Security Unit) shall be responsible for:
i. Conducting fire and/or emergency drills once a year.
ii. Designating and training Fire Wardens and Searchers.
iii. Training the employees in the workplace layout and the various escape routes from the workplace.
iv. Ensuring that the floor has an adequate number of responsible and dependable employees to carry out the various functions that will have to be carried out in the event of an emergency.
v. In the event of an emergency, ensuring that:
a. The emergency service has been notified.
b. Manual alarms have been sounded (gong/whistle etc.).
c. The emergency team has been notified of the exact location of the emergency.
d. Communication has been established with all affected fire wardens.
e. Heating, electrical and air-conditioning units have been shut down.
f. All persons are accounted for and given first aid.
3. ELECTRICAL WARDEN
The Electrical Warden (a designated staff member under the Administration Unit) shall be responsible for:
i. Ensuring that all electrical installations, UPS, emergency lights, air-conditioning plant etc. are in order.
ii. Limiting the usage of extension cords and ensuring that, wherever an extension cord is used, it has a fuse on it.
iii. In the event of fire/emergency, ensuring that all electrical installations, air-conditioning plant etc. are shut down.
iv. Ensuring that all portable emergency lights are kept handy at all times.
4. FIRST AID WARDEN
The First Aid Warden (a designated staff member under HCM) shall be responsible for:
i. Ensuring that the first aid box on his/her floor has all the necessary contents.
ii. In the event of fire/emergency, searching the entire premises with the help of the assigned searcher for any person trapped or injured, and giving them the required first aid.
iii. In the event of fire/emergency, telephoning the hospital/ambulance service.

5. INTERNAL CONTROL/INSPECTION
The Internal Control Group, in conjunction with Inspection, shall be responsible for:
i. Reviewing the adequacy of the business continuity process to ensure that management's expectation is met. The review shall include assessing threat scenario development, business impact analysis and risk assessments, and the written plan.
ii. Designing a work program for determining the effectiveness of the business continuity planning process.
iii. Ensuring that the business continuity plan is reviewed on an annual basis.
6. EXECUTIVE MANAGEMENT (EXCO)
EXCO shall be responsible for:
i. Allocating sufficient resources and competent personnel to develop the business continuity plan.
ii. Setting out policy on how the bank will manage and control identified risk.
iii. Reviewing business continuity test results and approving the plan on an annual basis.
iv. Ensuring that the BCP is kept up to date and that employees of the bank are trained and conversant with their roles and responsibilities in its implementation.


Appendices
Appendix A - Members of the Fire Team
Designation (name to be entered for Head Office and for Branches):
Safety Officer
Deputy Safety Officer
Fire Fighting Warden
Alternate Fire Fighting Warden
Electrical Warden
Alternate Electrical Warden
First Aid Warden
Alternate First Aid Warden
N.B. The list shall be populated as appropriate on a regular basis by the Chief Security Officer.


Appendix B - Activation - Containment - Emergency Procedures


Due to the size of the Head Office and the number of employees, complete
evacuation of all the employees from within the office premises is moderately
difficult and is not possible without sounding the fire alarm. The key risk of fire
at the office is through a short circuit of the electrical wiring within the
premises. Since such fires are not known to spread fast like oil and other fires,
on detection of fire, it should not be very difficult to evacuate all the employees
from within the office premises.
Fire Outbreak
Manual Intervention
1. The fire warden shall among other contingencies, sound the fire alarms if
felt necessary (if the fire seems uncontrollable and big and there is no
time to waste - unlikely event - the fire alarm will go off on its own in any
case in such an event). Before or instead of sounding the fire alarm, the
officer may inform all the other officers about the fire verbally. Care
should be taken not to cause undue panic or sound false, unwarranted
alarms.
2. The Fire Warden will assess the extent of the fire and will decide whether
the fire is small enough to be fought by himself / herself and the officers
present. If it is indeed a small fire, the Fire Warden will use the fire
extinguishers / officers present to extinguish the fire. If it is necessary,
the Fire Warden will immediately call up the Fire Brigade or instruct
someone else to do so.
3. The Electrical Warden will shut off the electrical power supply mains
immediately.
4. All employees shall assemble in the compound of the building and leave
only after a head count has been carried out and instructions if any have
been given.
Automatic Intervention
As part of the fire containment and retardant strategy, the bank has deployed the FM200 Automatic Fire Suppression System. This equipment, including smoke detectors, is situated in the Systems Room in the Head Office, the UPS room and the hot site at the Victoria Island branch. It is set to discharge automatically on the detection of a potential fire outbreak.


Appendix C - List of Individuals Who Can Authorize Activation


Ideally the BCP Response Team will authorize activation of the BCP plan as
and when necessary. However, where it is not feasible for the entire BCP
Response Team to do so, any of the following can authorize activation in
consultation with as many others as possible from the list given below:
BCP Response Team:

Head BAS
Head TSU
Head E-business support
Head IT Services
ED Customer Services & Technology


Appendix D - List of Individuals Involved in Plan Execution

Apart from the BCP Response Team, all other senior officers of the bank will be involved in the plan execution.
Other than the bank's employees, persons from the following organizations may also be invited to take part in the execution of the BCP plan:
Vendors (with whom we have maintenance agreements)
Administration Unit of DB plc.

Appendix E - List of Individuals and Organizations to Be Notified


The BCP Response Team will determine which of the following need to be
notified upon the occurrence of an event:

Central Bank
Branch Managers
Courier Companies
Families of Employees
Fire Brigade
Insurance Company
Legal Authorities
Police
Telephone Authorities
Vendors / Maintenance People
Hot site /off site location


Appendix F - Hot Site/Off-site Location Address

A copy of the BCP Plan will be kept with/at the following individuals/locations:
Location: # Copies
Head BAS: 1 Hardcopy
Head TSU: 1 Hardcopy
Head E-Business Support: 1 Hardcopy
Head IT Services: 1 Hardcopy
ED Customer Services & Technology: 1 Hardcopy
Library: 1 Hardcopy
BPA: 1 Hardcopy
ICU: 1 Hardcopy
Inspection: 1 Hardcopy

Appendix G - BCP Response Team Members and Telephone Numbers

Name: Telephone Number
Head BAS: 08033019205
Head TS: 08022230369
Head E-Business Support: 08023236502
Head IT Services: 08033068399
ED O&TS: 08033237065

Emergency numbers:
FIRE BRIGADE: 999; 08034422368, 08023197775, 08023150139; 01-2633355
POLICE: 997; 08023127350, 08033137432; 01-4978899
AMBULANCE (LASAMBUS): 4979844, 49798766; 08073051915, 08033013802; 01-2637853, 2637854
LASTMA: 08023266303

Appendix H - BCP Testing Checklist

Continuation of Business Plan Testing Checklist
On-site location: ............   Hot site/Off-site location: ............
Columns recorded for each activity: Sl. No.; Date of Activity; Activity; Status (Yes/No); Remarks; Name of Person Performing Test; Signature.

A. Data Center Services
A.1 Mail Services
Test 1: OS Installation. Install Win 2000/2003.
Test 2: MS Exchange Install. a. Installed according to the MS-Exchange internal document? (Refer to MS-Exch doc)
Test 3: Create Key Ids. a. Key id list used as reference?
Test 4: Send internal mail with the delivery receipt option enabled. Internal mail sent to at least 2 key people at the internal location. Delivery report received?
Test 5: Send external mail with the delivery receipt option enabled. External mail sent to key people? Delivery receipt received?
A.2 Hardware Availability
Is the server available at the off-site location?
Does the configuration match the on-site location? If not, enter the exact configuration in the remarks column.
A.3 Communication Links
Test 1: Ping from the hot site to the mail server from the DOS command prompt.
Test 2: Ping from the hot site to branches from the DOS command prompt.
Test 3: Tracert from the hot site to the Head Office server from the DOS command prompt.
Test 4: Tracert from the hot site to branches from the DOS command prompt.
Test 5: Perform a loop test.

B. UPS
Are the quarterly maintenance reports available?
Is there adequate cooling in the environment?
Test 1: Does the UPS change to bypass with a simulated power failure? For how long?

C. EPABX
Test 1: Dial at least 2 extensions internally.
Test 2: Dial at least 2 numbers externally.
Test 3: Verify at least 2 p-codes exist and are functional.
Test 4: Disconnect 5 lines and reconnect them to direct lines. Ensure all 5 lines are reachable and can dial out as well.
Ensure a buffer of software license codes has been maintained.
Ensure at least 10 additional phone instruments, and provisions for the same number of extensions in the EPABX, are available.
Dial at least 2 key people using their mobile phone numbers.

D. Fire Prevention Equipment
Test 1: Are all fire alarms and controls situated at strategic locations?
Test 2: Are test certificates available from the vendor?
Test 3: Test the fire alarm control panel by triggering an alarm. Does the panel show the correct location of the alarm that has been triggered?
Has fire training been done at least once a year at each location? Do training records exist for each session?

Approved:
Head IT Services
Location Head - Hot site


Appendix I Business Impact Analysis Chart (BAS)


APPLICATION

FUNCTION

ADMIN

ADMIN
PHONE

VENDOR

VENDOR
PHONE

HARDWARE

Flexcube
Corporate

Booking of
Loans &
Money market
Transactions

Barth

080330192
05

IFLEX

2613764

Flexcube
Retail

Retail Banking

Barth

080330192
05

IFLEX

2613764

ECPIX/KD

Automated
Clearing
Software
HR and payroll

Barth

080330192
05

NIBSS
(Obed,Niyi)

26022024

Chinedu

080540768
64

27033412

HP Proliant Server

FIXED ASSET

Fixed Asset
Mgt.

Tolu

080347532
81

ALLIED
SOFT
(Duke Obasi)
SYSTEM
SPECS

2633900,
2633786

HP Proliant Server

ZYIMAGE

Document
Imaging
Application

George

080232029
92

DPMS
(Niran)

7939750,
4612275

HP Proliant Server

SERVICE
DESK
APPLICATION

Logging of
User
complaints and
Resolution log
Electronic
Interbank
transactions

Chinedu

080540768
64

BAS/Ebiz
Support

Ext
343/339

HP Proliant & HP
wkstn

Tolu/
Blessing

080340958
50,
080347532
81

SWIFT
WORLDWID
E

+3171582
2822

HP Proliant Server

XCEED

SWIFT

HP RX8640
server,
HP Blades
Servers

HP RX8640
server,
HP Blades
Servers
HP Proliant & HP
wkstn

Appendix J Business Impact Analysis Chart (TSU)


APPLICATIO
N

FUNCTION

ADMIN

ADMIN
PHONE

VENDOR

VENDOR
PHONE

HWARE

OS

CL
AT

MS
Exchange
server 2003
Internet
Security
Acceleration
server ISA

Mail Server

Emma/
Aderemi/
Nsikak
Emma/
Aderemi/
Nsikak

08023531540
,0802314090
2
08023531540
,0802314090
2

Allied
Technologies

2703341-2

HP Proliant

Win2000
server

Allied
Technologies

2703341-2

HP Proliant

Win2000
server

Firewall, and
web Proxy


2000
Windows
NT/2000/200
3 OS
Hp-Unix
11.11 OS

Operating
System

Emma/
Aderemi/
Nsikak
Emma/
Aderemi/
Nsikak
Emma/
Aderemi/
Nsikak

08023531540
,0802314090
2
08023531540
,0802314090
2
08023531540
,0802314090
2

EPO

Antivirus
Mgt Console

Win 2000
Active
directory
Ms Outlook
2000, XP,
2003

Domain user
administratio
n
Mail Client

Emma/
Aderemi/
Nsikak
Emma/
Aderemi/
Nsikak

08023531540
,0802314090
2
08023531540
,0802314090
2

Cisco Core
Router

Interconnect
ivity device

Gilbert

08026816275

Cisco

Cisco 7204

Cisco Core
Router

Interconnect
ivity device

Gilbert

08026816275

Cisco

Cisco 3640

Catalyst
Switch

Interconnect
ivity device

Gilbert

08026816275

Cisco

Catalyst
series 4000

Catalyst
Switch

Interconnect
s the backup
site
Interconnect
the Internet
via 21st
Century
Tech.
Interconnect
the Internet
via GST.
Connects
external
internet
routers
Connects
Security
equipment
Internet
firewall

Gilbert

08026816275

Cisco

Catalyst
series 4000

Gilbert

08026816275

Cisco

2600 Series
router

Gilbert

08026816275

Cisco

2600 Series
router

Gilbert

08026816275

Cisco

Gilbert

08026816275

Gilbert

UPS

Uninterruptible
Power Supply

PABX

Intercom
facility

Cisco Router
(Internet
router)
Cisco Router
(Internet
router)
Catalyst
Switch
(External)
Catalyst
Switch
(External)
PIX

Operating
System


Allied
Technologies

2703341-2

Hp Servers

Windows
NT/2000/
2003 OS
Hp-Unix
11.11

HP (Demola)

2706942

Hp rp8400
Servers

Soft
Solutions
Limited
(Ezekiel/Vict
or)
Allied
Technologies

7736045

Hp Servers

Win2000
server

2703341-2

Hp Servers

Windows
2000

Allied
Technologies

2703341-2

Hp
Computers

Windows
NT/2000/
Xp /2003
OS
Version
12.1(9)E
3
Version
12.1(5)T
7
Version
NMPSW
6.3(5)
Version
NMPSW
6.3(5)
Ver.
12.1(5)T
7

Catalyst
2820 Series

Ver.
12.0(2)
XC2
Ver.
V9.00.04

Cisco

Catalyst
1900 Series

Ver.
V9.00.04

08026816275

Cisco

PIX520

Ver.
5.2(5)

Patrison

08033261565

IPBC

N/A

N/A

Gilbert

08026816275

Siemens

Hicom

300E

2629991-5,
08043201246,
08032194914,
08033081757,
7763599


C
C
C
C
C


Appendix K Business Impact Analysis Chart (E-Business Support)


APPLICATI
ON

FUNCTION

ADMIN

ADMIN
PHONE

VENDO
R

VENDOR
PHONE

HWAR
E

SOFTWARE
INSTALLED

Bank-World
Controller

ATM
Administration

Daniel/
Uche

CR2

+9180566470
03

Card-World
Producer

Card Production

Daniel/
Uche

0803344963
7
0802318190
4
0803344963
7,080231819
04

CR2

+9180566470
03

Win2000
Server,
BankWorld
Controller
Win2000
Server, Card
World Producer

Channel
Manager

ATM
Administration

Daniel/
Uche

0803344963
7,080231819
04

CR2

+9180566470
03

MessengeX
(SMS)

Bulk Messaging

Kayode/
Olamide/
Debo

GIL

017223419
08052381705

CB2000/
Valucard
(ValuServer
2)
CardSoft

Valu-card
Transaction
Processing

0802302094
5,080237067
97
0802323650
2
0802300622
0,080230209
45

HP/
Compa
q ML
370
HP/
Compa
q ML
370
HP/
Compa
q ML
370
HP
Deskto
p EVO

ValuCard

012703021

Win2000
Server, Card
Base 2000

0802300622
0,080230209
45

Lubred

08037402891
08023190766

0802302094
5,080237067
97
0802323650
2
0802302094
5,080237067
97
0802323650
2
0802302094
5,080237067
97
0802323650
2
0802302094
5,080237067
97
0802323650
2
0802302094
5,080237067
97
0802323650
2
0802302094
5,080237067
97
0802323650

IFLEX

+9122566853
25

HP/
Compa
q ML
370
HP/
Compa
q ML
370
HP/
Compa
q ML
370

IFLEX

+9122566853
25

HP/
Compa
q ML
370

Windows 2000
Server

IFLEX

+9122566853
25

HP/
Compa
q ML
370

Windows 2000
Sever

Creative

014614241
08033801880

HP/
Compa
q ML
370

Windows NT,
Bank Response
2000, MS-SQL

Lubred

08037402891
08023190766

HP/
Compa
q ML
370

Windows 2000
Server, MS-SQL,
Oracle, Mobile
Banker PRO

Creative

014614241
08033801880

HP/
Compa
q ML
370

Windows 2000
Server, RAS, IIS,
MS-SQL, Oracle

Savings/
Gold-card
Production

Seyi/
Wale

Seyi/Wal
e

Diamond
Online
(FlexAt
App)

Internet Banking
Application

Diamond
Online
(FlexAt DB)

Internet Banking
Database

Kayode/
Olamide/
Debo

Diamond
Online
(FlexAt
Web)

Internet Banking
Web Server

Kayode/
Olamide/
Debo

TeleBank2

Telephone
Banking

Kayode/
Olamide/
Debo

Diamond
Mobile
(SMSBanki
ng)

SMS/ Mobile
Banking

Kayode/
Olamide/
Debo

Diamond
Connect
(PCBank)

PC Banking

Olamide/
Debo/
Kayode


Kayode/
Olamide/
Debo


Win2000
Server, Channel
Manager
Win2000
Server,
MessengeX,
Oracle

Windows 2000
Server, MS-SQL,
Oracle, Mobile
Banker PRO
Windows 2000
Server


2
PayDirect
(AL_CSU_51
)

PayDirect

Olamide
/ Kayode

0802302094
5,
0802323650
2

Interswit
ch

014616300
014610161

HP
Vectra
420

Windows 2000
Server, IIS, ISA
2000

Note:
Classification of impact to BCP (C-CRITICAL (<1 day), E-ESSENTIAL (2-4 days), N-NECESSARY (5-7 days), D-DESIRABLE (>10 days))
Backup Frequency (DLY-DAILY, WKL-WEEKLY, MTH-MONTHLY, QTR-QUARTERLY)
Backup Type (T-TAPE, D-DISK, DB-DATABASE, R-REGISTRY, F-FILE, S-SYSTEM)
MTTR (Mean Time To Recover), i.e. the minimum recovery period
CONTAINMENT & RECOVERY STRATEGIES
FLEXCUBE
1.0 PRECAUTIONARY & CONTAINMENT
Each item (S/N) is listed as: action [Timing; Responsibility].
1. Ensure that the two (2) Application Servers are up to date with the latest Windows security patches and software. [Weekly; Head, BAS]
2. Ensure that adequate hardware resources (disk space and RAM) are available to run the Oracle database. [Weekly; Database Administrator]
3. Ensure that no unauthorized user gains access to the Application/Database. [Weekly; ICU/Inspection]
4. Regularly purge the Host and Branch Databases to reduce:
- EOD/BOD processing time
- transaction processing time
- daily backup time
- the hard disk space required for storage of the database and for backups
[Quarterly; Database Administrator]
5. Load balancing of batch processes: End of Day processes, Statement Generation etc. are run in multiple streams, i.e. the data or branches to be processed are divided into streams and the application processes more than one such stream in parallel. [Monthly; Head, BAS]
6. Ensure regular analysis and monitoring of the schemas, free space and available rollback segments using the Spotlight for Oracle utility. [Daily; Database Administrator]
7. Check for segments in the database that are running out of resources or extents, or growing at an excessive rate. The storage parameters of these segments may need to be adjusted. [Daily; Database Administrator]
8. Statspack reports and Quest Spotlight should be run at regular intervals to identify any database operations that are expensive and require tuning. [Daily; Database Administrator]
9. Write_to_file logs area: for debugging purposes, the FCR application creates a trace output file in a designated area on the database server. These logs are meant primarily for tracing specific problems and should normally be turned off in the production environment. The area configured for generation of this log file needs to be checked for available free space, and the log files need to be regularly deleted after they have been backed up. [Weekly; Database Administrator]
10. Archive logs area: the DBA needs to ensure sufficient space on the disks where archive logs are being generated. CPU utilization on the database server should be monitored at regular intervals, using the Spotlight for Oracle utility, to ensure that it is within acceptable limits. [Daily; Database Administrator]
11. The Rjsout area in the FLEXCUBE folder is used for storing reports generated by the system, while the Rjsin area is for file uploads into the system. These areas need to be backed up and purged on a regular basis. The recommended frequency is monthly for low account/transaction volume sites; for high volumes the frequency could be as high as weekly. [Weekly/monthly; Head, BAS]
12. C:\temp folder on branch servers: the FCR branch application uses the C:\temp folder on the branch servers to store user-wise transaction trace files. This folder needs to be present on all branch servers with enough free disk space, and should be cleared at regular intervals. [Weekly; Head, BAS]
13. The application logs some informational and error messages in the Event Viewer. The Event Viewer on the application and branch servers should be configured to overwrite events after a predefined maximum log size is reached. [Weekly; Head, BAS]
14. Regularly check the operating system hosting the Oracle database for idle and sleeping processes and terminate them to release memory and processor resources. [Daily; System Administrator]
15. Ensure that database snapshots and archive logs are taken in accordance with the schedule stated in the EVA/Database Backup Strategy Policy. [Daily; Head, BAS]
16. Regular application of security patches and service packs to the host and application servers. [After successful testing on the UAT environment; Head, BAS]
17. Regular antivirus updates and scanning of the host servers. [Should be scheduled to run daily after banking hours; Head, BAS]
1.1 RECOVERY STRATEGY
Each item is listed as: action [Timing; Responsibility].
Damage assessment and workload status determination
In the event of a business interruption caused by Flexcube unavailability, determine the following: [Immediately; H-BAS, DBA]
- Likely duration of the stoppage/interruption.
- Required corrective steps, including shifting temporarily to the hot site or the off-site.
- Status of the workload, with a view to determining the need for and the urgency of shifting to the hot site or the off-site.
Hardware failure
Two Flexcube Application Servers have been configured to run in parallel for load shedding and redundancy. In the event that one application server fails, the system automatically fails over to the active system.
The following recovery measures shall be adopted to recover the failed system:
- Determine if the hardware can be fixed or replaced. [<=1 day; Head BAS]
- Notify the TS engineer where this requires expert intervention; undertake the repairs in-house if possible, or get in touch with the vendor for replacement; re-install the Operating System and all system utilities after repair/replacement of the defective hardware; notify BAS after completing the repairs or replacement of hardware. [<=1 day; H-TS]
- Re-install all Flexcube Application files on the server; restore the database; conduct a User Acceptance Test; deploy to production. [1-3 days; H-BAS]
Software failure
When the application is affected as a result of file or data corruption, the following measures shall be adopted: [1-3 days; H-BAS]
- Isolate the data/application files affected
- Determine if this can be corrected immediately with minimal delays
- Take the affected system offline if otherwise
- Obtain the relevant application/data file backups for reinstallation
- Conduct a UAT to test the server
- Deploy to production
ECPIX (NACS)


2.0

PRECAUTIONARY & CONTAINMENT


Ensure that the systems are ready for activities by checking
if the following components are running.
Primary and backup servers
Network switch
Workstations
Examine the windows event logs and note any application
or system errors
Choose start>settings>control panel>administrative
tools>event viewer
Check to ensure that the NACS application, the ECPIX is
running and start if necessary. To verify that the application
is running, please check the EBS icon on the system tray.
The EBS icon is a traffic light like service running at the
background. If the icon is a big red dot please perform the
following instructions:
Choose start>settings>control
panel>administrative tools>services.
Locate the EBS service and note its status.
If the EBS status is blank, please proceed to the next
step, otherwise, right click the ECPIX Base Service
(EBS) and choose stop.
Right-click the EBS service and choose start.
The JRUN application service controls the web server. The
application service starts automatically on system start up.
If it is not running please do the following:
Locate start>settings>control panel>Administrative
tools>services
Locate the JRUN service and note its status.
If the JRUN status is blank, please proceed to the
next step, otherwise, right click the JRUN default
server service and choose stop.
Right-click the JRUN default server service and
choose start.
The EBS service is the service that runs the NACS
application. This is an auto start service located in the
services panel of the system. Check the status in the using
this link
Start>settings>control panel>administrative
tools>services. If the status is anything other than start,
please right-click the service and choose start
On a daily basis monitor system resources on the server.
Choose start>settings>control
panel>administrative tools.
Check the amount of disk space in the logical drives.
Choose computer management>storage>logical drives and
select each drive in turn.
If the hard drives are approaching full capacity, use the
datacleanup.pl and filecleanup.pl scripts in the
administrative utilities folder on the desktop to clean up the
system.
Diamond Bank

Daily

NACS Administrator (B

Daily

NACS Administrator (B

Daily

NACS Administrator (B

Daily

NACS Administrator (B

Daily

NACS Administrator(BA

Daily

NACS Administrator(BA

Daily

NACS Administrator(BA

Business Process Assurance


Page 156 of 176

Each day after the last clearing session, the ECPIX server is to be shut down for a two-hour maintenance window. To maintain the system, do the following:
    1) Stop the NACS application (the EBS and JRUN services).
    2) Perform an offline system backup.
    3) Clean the file system.
    4) Start the NACS application.
    Timing: Daily | Responsibility: NACS Administrator (BAS)

Cleaning the file system
Parameters have been defined in the ECPIX whereby certain stale files are cleaned in order to ensure system stability. To perform this task, follow these steps:
    1) Log into the system as the ecpix admin user.
    2) Locate and double-click the cleanup script in the Admin Utilities folder.
    3) Check the NT event log and script.out to confirm that the script deleted the stale files successfully.
    Timing: Daily | Responsibility: NACS Administrator (BAS)

PBCC Offline Admin task, when the VPN network is down and there is no possible communication medium to transmit data to the ZCH.
Action:
    1) Log into the ECPIX as dbn_opr2.
    2) Copy the CHT from the ZCH to the MediaIn folder.
    3) Add the files to the clearing session.
    4) Build the OEF files.
    5) Copy the built (encrypted) OEF files (*.xcf) from the Exchange Out folder in the current date directory to a CD and send it to the ZCH.
    6) Obtain a copy of the IEF files from the ZCH and place them in the Hostout folder.
    Timing: Immediately | Responsibility: NACS Administrator (BAS)

2.1 RECOVERY STRATEGY

Damage assessment and workload status determination
In the event of a business interruption caused by Flexcube unavailability, determine the following:
    - Likely duration of the stoppage/interruption.
    - Required corrective steps, including shifting temporarily to the hot site or the off site.
    - Status of the workload, with a view to determining the need and the urgency of shifting to the hot site or the off site.
    Timing: Immediately | Responsibility: H-BAS, DBA

Remote communication server cannot be contacted: VPN link down either at the ZCH end or the NIBSS end, or RSA card contact with the communication port down.
Action: Check the network connectivity at both the DB Plc and NIBSS ends.
    Timing: Immediately | Responsibility: Administrator (BAS)
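As an added example (not the ECPIX cleanup script, which the page does not reproduce), the Python below implements the daily maintenance window and the stale-file cleanup described above: the services are stopped, an offline backup is attempted, stale files are deleted and every deletion is written to script.out for the verification step, and the services are restarted. The 30-day age threshold, the hostin folder name used in the demo and the rule that nothing is deleted unless the backup succeeded are assumptions; the directory it operates on is constructed in a temporary folder so the script runs offline.

```python
"""Stale-file cleanup with a script.out log, sequenced inside the maintenance
window (added example, not the ECPIX cleanup script)."""
import os
import shutil
import tempfile
import time
from pathlib import Path
from typing import Callable, List


def find_stale_files(root: Path, max_age_days: int, now: float = None) -> List[Path]:
    """Files under root whose modification time is older than max_age_days."""
    now = time.time() if now is None else now
    cutoff = now - max_age_days * 86400
    return sorted(p for p in root.rglob("*") if p.is_file() and p.stat().st_mtime < cutoff)


def clean_stale_files(root: Path, max_age_days: int, log: Path, now: float = None) -> List[Path]:
    """Delete stale files and record every deletion (or failure) in the log, so
    the administrator can verify the outcome in script.out afterwards."""
    deleted = []
    with log.open("a") as fh:
        for p in find_stale_files(root, max_age_days, now):
            try:
                p.unlink()
                deleted.append(p)
                fh.write(f"DELETED {p}\n")
            except OSError as e:
                fh.write(f"FAILED {p}: {e}\n")
        fh.write(f"SUMMARY deleted={len(deleted)}\n")
    return deleted


def verify_cleanup(log: Path) -> bool:
    """The 'check script.out' step: the log must exist, end with a SUMMARY line
    and contain no FAILED entries."""
    if not log.exists():
        return False
    lines = log.read_text().splitlines()
    return bool(lines) and lines[-1].startswith("SUMMARY") and not any(l.startswith("FAILED") for l in lines)


def maintenance_window(stop: Callable[[], None], backup: Callable[[], bool],
                       clean: Callable[[], List[Path]], start: Callable[[], None]) -> dict:
    """Stop -> backup -> clean -> start. If the offline backup fails, no file is
    cleaned (assumed guard), and the services are restarted in every case."""
    stop()
    result = {"backup_ok": False, "deleted": 0}
    try:
        result["backup_ok"] = backup()
        if result["backup_ok"]:
            result["deleted"] = len(clean())
    finally:
        start()
    return result


def demo(backup_succeeds: bool = True) -> dict:
    """Build a constructed data directory with one stale and one fresh file,
    run the maintenance window against it and report what happened."""
    now = 1_700_000_000.0  # fixed clock so the result is deterministic
    tmp = Path(tempfile.mkdtemp())
    stale = tmp / "hostin" / "bundle_old.dat"   # constructed; folder name assumed
    fresh = tmp / "hostin" / "bundle_new.dat"
    stale.parent.mkdir()
    for f, age_days in ((stale, 45), (fresh, 1)):
        f.write_bytes(b"x")
        os.utime(f, (now - age_days * 86400, now - age_days * 86400))
    log = tmp / "script.out"
    events = []
    res = maintenance_window(
        stop=lambda: events.append("stop EBS,JRUN"),
        backup=lambda: backup_succeeds,
        clean=lambda: clean_stale_files(tmp / "hostin", 30, log, now),
        start=lambda: events.append("start EBS,JRUN"))
    res.update(events=events, fresh_kept=fresh.exists(), stale_kept=stale.exists(),
               verified=verify_cleanup(log))
    shutil.rmtree(tmp, ignore_errors=True)
    return res


if __name__ == "__main__":
    print(demo())
    print(demo(backup_succeeds=False))
```

The second run in the usage shows the failure mode worth rehearsing: when the backup step reports failure the cleanup is skipped, the services still come back up, and verify_cleanup() returns False because no script.out was written, which is exactly what the administrator's check step should catch.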

Password not validated; failure to log on. Password either not correct or wrong card in use.
Action: Check your password and the RSA card in use. If every parameter is okay and the problem still persists, check the network connectivity.

ECPIX home page cannot be displayed. Link is down or the EBS service is not running.
Action: Check the EBS icon on the system tray and ensure it is running. If it is running and the error persists, contact NIBSS.

Validation error after adding capture files from the Source Files screen. Wrong parameters in the file.
Action: Identify the particular bundle ID that showed the error. Go to the directory path D:\program files\ncr\ecpix\data\063150000\<current date>\hostinwork. Locate the bundle and check the file parameters, especially the session ID, the destination bank routing number and the presenting bank routing number. Correct the invalid data, copy the file back to the hostin folder on the desktop and re-add it to the session.

Build error. Wrong encryption key.
Action: Contact NIBSS. If they require you to generate a new public key, use the createnewpairkey and export public key scripts to do so. Both scripts are in the Admin Utilities tools.

Acceptance error after the file has been sent. Wrong key or wrong session addition.
Action: Go to the Clearing House Monitor screen to view the error. If the file is out of business date, un-build the files, go to Source Files and add the files to the correct date. Otherwise contact NIBSS.

Clearing version different from current session. Clearing table not retrieved.
Action: Retrieve the current clearing table. Copy your files to the hostin area and go to Source Files; if the current session is not shown, close the browser and re-open it. If the problem still persists, contact NIBSS.

Sent, no acceptance. Change of public key.
Action: Contact NIBSS. There is apparently a validation error at the NIBSS end: your files could not be decrypted.
    Timing (all items above): Immediately | Responsibility: Administrator (BAS)

SERVICE DESK APPLICATION

3.0 PRECAUTIONARY AND CONTAINMENT
Ensure that there is adequate space on the DBL server by regularly purging the c:\Temp folder.
    Timing: Weekly | Responsibility: Administrator
Ensure that all the databases (e.g. intranet, db1, db2, caution, salary, etc.) are backed up to tape/disk.
    Timing: Daily | Responsibility: Administrator
Ensure that the IIS services are running.
    Timing: Daily | Responsibility: Administrator
Ensure that the application files in \\dbl\home are backed up.
    Timing: Daily | Responsibility: Administrator
Ensure that the ColdFusion server services are up.
    Timing: Daily | Responsibility: Administrator
Ensure that the SQL Agent/Services are up.
    Timing: Daily | Responsibility: Administrator

3.1 RECOVERY STRATEGY

Damage assessment and workload status determination
In the event of a business interruption, determine the following:
    - What resource is affected.
    - Required corrective steps, including swapping to the backup server.
    - Estimated recovery period.
    Timing: Immediately | Responsibility: H-BAS, Administrator

Hardware failure
In case of a hardware failure leading to system down, determine the following:
    1) Whether the Operating System is affected.
    2) Notify the TS engineer where this requires expert intervention.
    3) Activate the backup system or server and plug it in to the network.
    4) Determine whether the hardware can be fixed or replaced.
    5) Undertake the repairs in-house if possible, or get in touch with the vendor for replacement.
    6) Re-install the Operating System and all system utilities after repair/replacement of the defective hardware.
    7) Notify eBusiness Support and BAS after completing the repairs or replacement of hardware.
    Timing: Immediately for steps 1-3 (Administrator, H-BAS); <=1 day for repair/replacement and OS re-installation (H-TS)
Application recovery steps:
    1) Re-install all application files on the server.
    2) Restore the SQL 2000 database backups.
    3) Conduct UAT.
    4) Relocate to the hot site as backup server.
    Timing: <=2 days | Responsibility: Administrator, H-BAS, H-eBiz

ZYIMAGE

4.0 PRECAUTIONARY AND CONTAINMENT
Ensure that the C: drive on the Scan workstation has adequate space by purging non-critical files.
    Timing: Weekly | Responsibility: Administrator (BAS)
Ensure that tape backups of the saved images on the data server are taken.
    Timing: Daily | Responsibility: Administrator (BAS)
Take a full system backup of the Data Server to tape.
    Timing: Monthly | Responsibility: Administrator (BAS)

4.1 RECOVERY STRATEGY

Damage assessment and workload status determination
In the event of a business interruption caused by Flexcube unavailability, determine the following:
    - Likely duration of the stoppage/interruption.
    - Required corrective steps, including shifting temporarily to the hot site or the off site.
    - Status of the workload, with a view to determining the need and the urgency of shifting to the hot site or the off site.
    Timing: Immediately | Responsibility: H-BAS, Administrator (BAS)

Hardware failure
In case the Scan Station hardware is faulty or bad:
    1) Notify the TS engineer where this requires expert intervention.
    2) Request a stop-gap PC.
    3) Re-install the Operating System.
    4) Re-install the ZyScan client application on the Scan Station.
In case the Data Server hardware is faulty or bad:
    1) Notify the TS engineer where this requires expert intervention.
    2) Request a stop-gap.
    3) Re-install the Operating System.
    4) Re-install the ZyImage application.
    5) Restore all backed-up images.
    Timing: Immediately for notification and stop-gap (H-TSU, H-ITS, Administrator (BAS)); 1-3 days for re-installation and restore (H-TSU, H-ITS, Administrator (BAS))

Software failure
If the Operating System is affected:
    1) Format the C: drive and re-install the OS.
    2) Re-install the ZyScan/ZyImage application plus the scanner drivers.
    3) Restore the application files.
    Timing: 1-2 days | Responsibility: Administrator (BAS)

NETWORKS

5.0 PRECAUTIONARY & CONTAINMENT
Backup of router/switch configurations.
    Timing: Monthly | Responsibility: Network Administrator
Password changes.
    Timing: Upon exit/leave of an Administrator | Responsibility: Network Administrator
Maintenance of telecom equipment/infrastructure by service providers.
    Timing: Quarterly | Responsibility: Network Administrator
Testing of offsite/backup links and backup telecom equipment.
    Timing: Quarterly | Responsibility: Network Administrator
Check and generate the link status report.
    Timing: Daily | Responsibility: Network Administrator
Produce the link availability report.
    Timing: Weekly | Responsibility: Network Administrator
Printing of telephone call bills.
    Timing: Monthly | Responsibility: Network Administrator
Generate the link downtimes report.
    Timing: Daily | Responsibility: Network Administrator

MESSENGEX
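The link status, link availability and link downtime reports in the Networks table above can all be derived from the monitor's up/down events. The following Python is an added example, not the bank's reporting tool: it reads constructed log lines of the form "<timestamp> <link> <UP|DOWN>" (the link names are placeholders) and computes, per link and for a reporting window, the downtime intervals, the incident count and the availability percentage, treating a link whose last event is DOWN as still down at the end of the window.

```python
"""Link status / availability / downtime report from up-down events (added
example, not the bank's own tooling). Input lines are constructed samples."""
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

SAMPLE_LOG = """\
2015-08-03T00:00:00 HQ-LAGOS UP
2015-08-03T00:00:00 HQ-ABUJA UP
2015-08-03T09:15:00 HQ-ABUJA DOWN
2015-08-03T10:45:00 HQ-ABUJA UP
2015-08-03T22:00:00 HQ-LAGOS DOWN
"""  # constructed; link names are placeholders


def parse_events(text: str) -> Dict[str, List[Tuple[datetime, str]]]:
    """Group '<ISO timestamp> <link> <UP|DOWN>' lines by link, sorted by time."""
    events: Dict[str, List[Tuple[datetime, str]]] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, link, state = line.split()
        state = state.upper()
        if state not in ("UP", "DOWN"):
            raise ValueError(f"bad state in line: {line!r}")
        events.setdefault(link, []).append((datetime.fromisoformat(ts), state))
    for ev in events.values():
        ev.sort()
    return events


def downtime_intervals(events, window_start: datetime, window_end: datetime):
    """Intervals during which the link was DOWN, clipped to the window. A link
    whose last event is DOWN counts as down until window_end (open incident)."""
    intervals = []
    down_since = None
    for ts, state in events:
        if state == "DOWN" and down_since is None:
            down_since = ts
        elif state == "UP" and down_since is not None:
            intervals.append((max(down_since, window_start), min(ts, window_end)))
            down_since = None
    if down_since is not None:
        intervals.append((max(down_since, window_start), window_end))
    return [(a, b) for a, b in intervals if b > a]


def availability_report(text: str, window_start: datetime, window_end: datetime) -> dict:
    """Per-link downtime minutes, availability % and incident status."""
    total = (window_end - window_start).total_seconds()
    report = {}
    for link, ev in parse_events(text).items():
        ivs = downtime_intervals(ev, window_start, window_end)
        down = sum((b - a).total_seconds() for a, b in ivs)
        report[link] = {
            "downtime_minutes": down / 60,
            "availability_pct": round(100.0 * (total - down) / total, 3),
            "incidents": len(ivs),
            "open_incident": ev[-1][1] == "DOWN",
        }
    return report


def demo_report() -> dict:
    """Run the report over the constructed log for the 24 hours of 3 Aug 2015."""
    start = datetime(2015, 8, 3)
    return availability_report(SAMPLE_LOG, start, start + timedelta(days=1))


if __name__ == "__main__":
    for link, row in demo_report().items():
        print(link, row)
```

The daily link status report is the "open_incident" flag per link; the weekly availability report is the same function run with a seven-day window over the week's log.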

6.0 PRECAUTIONARY & CONTAINMENT
Ensure that the backup MessengeX application server is up to date with the latest Windows security patches and software.
    Timing: Weekly | Responsibility: Head, eBiz Support
Ensure that adequate hardware resources are available to run the Oracle database and IPSentry.
    Timing: Weekly | Responsibility: MessengeX Administrator
Ensure that no unauthorized user gains access to the MessengeX application/database.
    Timing: Quarterly | Responsibility: ICU/Inspection
Regular purging of the message database to reduce:
    - backup processing time
    - message search processing time
    - the sent-message list
    - the hard disk space required for storage
    Timing: Weekly | Responsibility: MessengeX Administrator
Ensure regular analysis and monitoring of resources, free space, and sent and received message volumes.
    Timing: Weekly | Responsibility: MessengeX Administrator
Ensure that the configured message routing to eCustomerService is fully functional for customer care purposes.
    Timing: Weekly | Responsibility: MessengeX Administrator
Generate a scheduled report of the sent and received messages and also handle PCFC.
    Timing: Weekly | Responsibility: MessengeX Administrator
Re-boot the MessengeX application server to clear all debugging processes.
    Timing: As required | Responsibility: MessengeX Administrator
Supervision of the regular application of security patches and service packs to the server.
    Timing: After successful testing on the UAT environment | Responsibility: Head, eBiz Support
Regular antivirus updates and scanning of the server.
    Timing: Weekly | Responsibility: MessengeX Administrator

6.1 RECOVERY STRATEGY

Damage assessment and workload status determination
In the event of a business interruption caused by network unavailability (mobile phone/computer), determine the following:
    - Likely duration of the stoppage/interruption.
    - Required corrective steps, including adequate evaluation of the network downtime.
    Timing: Immediately | Responsibility: Head, eBiz Support; MessengeX Administrator

Hardware failure
In case of a hardware failure leading to system down, determine the following:
    1) Type of hardware or Operating System affected.
    2) Notify the TS engineer where this requires expert intervention.
    3) Activate the backup system or server and plug it in to the network.
    4) Determine whether the hardware can be fixed or replaced.
    5) Undertake the repairs in-house if possible, or get in touch with the vendor for replacement.
    6) Re-install the Operating System and all system utilities after repair/replacement of the defective hardware.
    7) Notify eBusiness Support after completing the repairs or replacement of hardware.
    Timing: Immediately for steps 1-3 (H-eBiz Support); <=1 day for repair/replacement and OS re-installation (H-TS)
Application recovery steps:
    1) Re-install all MessengeX application files on the server.
    2) Restore the MessengeX database.
    3) Conduct UAT.
    4) Relocate to the hot site as backup server.
    Timing: 2 days | Responsibility: H-eBiz Support

Software failure
When the application is affected as a result of file or data corruption, the following measures shall be adopted:
    1) Isolate the data/application files affected.
    2) Determine whether this can be corrected immediately with minimal delay.
    3) Where the above is not feasible, activate the backup system or server and plug it in to the network.
    4) Obtain the relevant application/data file backups for re-installation.
    5) Conduct a UAT to test the server.
    6) Relocate to the hot site as backup server.
    Timing: 1-2 days | Responsibility: H-eBiz Support

DIAMOND MOBILE (MOBILE BANKING)

7.0 PRECAUTIONARY & CONTAINMENT
Ensure that the backup application server is up to date with the latest Windows security patches and software.
    Timing: Weekly | Responsibility: H-eBiz Support
Ensure that adequate hardware resources are available to run the SQL 2000/Oracle database.
    Timing: Weekly | Responsibility: SMS Banking Administrator
Ensure that no unauthorized user gains access to the application/database.
    Timing: Quarterly | Responsibility: ICU/Inspection
Regular purging of databases to reduce:
    - processing time
    - transaction processing time
    - daily backup time
    - the hard disk space required for storage of the database and for backups
    Timing: Weekly | Responsibility: SMS Banking Administrator
Ensure regular analysis and monitoring of the schemas, free space and available rollback segments, with critical analysis of message routing.
    Timing: Weekly | Responsibility: SMS Banking Administrator
Check for segments in the database that are running out of resources or extents, or growing at an excessive rate. The storage parameters of these segments may need to be adjusted.
    Timing: Weekly | Responsibility: SMS Banking Administrator
SMS Blaster is for sending out SMS messages while Email Blaster is for sending e-mails to customers; both should be monitored regularly to ensure adequate functioning of the application.
    Timing: Daily | Responsibility: SMS Banking Administrator
The application logs some informational and error messages in the Activity Log. This should be checked regularly for report tracking.
    Timing: Weekly | Responsibility: SMS Banking Administrator
Re-boot the application server to clear all locks and idle system processes.
    Timing: As required | Responsibility: SMS Banking Administrator
Regular application of security patches and service packs to the Mobile Banking servers.
    Timing: After successful testing on the UAT environment | Responsibility: H-eBiz Support; SMS Banking Administrator
Regular antivirus updates and scanning of the Mobile Banking servers.
    Timing: On a scheduled basis / as required | Responsibility: H-eBiz Support; SMS Banking Administrator

7.1 RECOVERY STRATEGY

Damage assessment and workload status determination
In the event of a business interruption caused by Mobile Banker PRO unavailability, determine the following:
    - Likely duration of the stoppage/interruption.
    - Required corrective steps, including shifting temporarily to the backup server.
    - Status of the workload, with a view to determining the need and the urgency of shifting to the backup server.
    Timing: Immediately | Responsibility: H-eBiz Support; SMS Banking Administrator

Hardware failure
In case of a hardware failure leading to system down, determine the following:
    1) Type of hardware or Operating System affected.
    2) Notify the TS engineer where this requires expert intervention.
    3) Activate the backup system or server and plug it in to the network.
    4) Determine whether the hardware can be fixed or replaced.
    5) Undertake the repairs in-house if possible, or get in touch with the vendor for replacement.
    6) Re-install the Operating System and all system utilities after repair/replacement of the defective hardware.
    7) Notify e-Business Support after completing the repairs or replacement of hardware.
    Timing: Immediately for steps 1-3 (H-eBiz Support); <=1 day for repair/replacement and OS re-installation (H-TS)
Application recovery steps:
    1) Re-install all Mobile Banking application files on the server.
    2) Restore the database.
    3) Conduct UAT.
    4) Relocate to the hot site as backup server.
    Timing: 1-3 days | Responsibility: H-eBiz Support

Software failure
When the application is affected as a result of file or data corruption, the following measures shall be adopted:
    1) Isolate the data/application files affected.
    2) Determine whether this can be corrected immediately with minimal delay.
    3) Where the above is not feasible, activate the backup system or server and plug it in to the network.
    4) Obtain the relevant application/data file backups for re-installation.
    5) Conduct a UAT to test the server.
    6) Relocate to the hot site as backup server.
    Timing: 1-3 days | Responsibility: H-eBiz Support

DIAMOND ONLINE {INTERNET BANKING (FLEXAT SERVERS APP, WEB & DB)}
8.0 PRECAUTIONARY & CONTAINMENT
Ensure that the backup application servers are up to date with the latest Windows security patches and software.
    Timing: Weekly | Responsibility: H-eBiz Support
Ensure that adequate hardware resources are available to run SQL 2000.
    Timing: Weekly | Responsibility: Diamond Online Administrator
Ensure that no unauthorized user gains access to the application/database.
    Timing: Weekly | Responsibility: ICU/Inspection
Ensure regular analysis and monitoring of the event logs, free space and available rollback segments on the servers.
    Timing: Weekly / as required | Responsibility: Diamond Online Administrator
Check for segments in the database that are running out of resources or extents, or growing at an excessive rate. The storage parameters of these segments may need to be adjusted.
    Timing: Weekly | Responsibility: Diamond Online Administrator
Event logs: the log files need to be deleted regularly, after retaining one previous backup copy. Before being deleted, they are to be saved for backup purposes.
    Timing: Weekly | Responsibility: Diamond Online Administrator
Databases FCAT Corporate, FCAT Infra and FCAT Retail: the Diamond Online Administrator needs to ensure that sufficient space exists on the disks for the databases where logs are being generated. CPU utilization on the database server (FLEXAT_DB) should be monitored at regular intervals to ensure that it is within acceptable limits.
    Timing: Weekly | Responsibility: Diamond Online Administrator
The MxtUserKeyMap table in the FCAT Infra database keeps a list of locked-out users. It should be checked regularly in order to prevent users from being denied access to Diamond Online after the maximum threshold is reached.
    Timing: Weekly | Responsibility: Diamond Online Administrator
The application logs some informational and error messages in the Event Viewer. The Event Viewer on the servers should be configured to overwrite events after a predefined maximum log size is reached.
    Timing: Weekly | Responsibility: Head, eBiz Support; Diamond Online Administrator
Re-boot the application server to clear all locks and idle system processes.
    Timing: Rarely | Responsibility: Diamond Online Administrator
Regular application of security patches and service packs to the host servers.
    Timing: After successful testing on the UAT environment | Responsibility: Head, eBiz Support; Diamond Online Administrator
Regular antivirus updates and scanning of the host servers.
    Timing: When required | Responsibility: Head, eBiz Support; Diamond Online Administrator
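The segment check that appears in both the Mobile Banking (7.0) and Diamond Online (8.0) tables, "segments running out of resources or extents or growing at an excessive rate", is only actionable if "excessive" is a rule rather than a judgement. The Python below is an added example, not the bank's monitoring script: the segment names, daily sizes and extent counts are constructed, and the thresholds (more than 10% compound growth per day, or 90% of the maximum extents used) are assumptions to be tuned per database; in production the samples would be taken from the database's data-dictionary views rather than hard-coded.

```python
"""Segment growth and extent-headroom check over daily size samples (added
example; constructed data and assumed thresholds)."""
from typing import Dict, List, Tuple

# Constructed daily samples: size in MB on consecutive days, plus extent usage.
SEGMENTS: Dict[str, dict] = {
    "FCAT_RETAIL.TXN_LOG":      {"daily_mb": [800, 900, 1050, 1250], "extents": 480, "max_extents": 505},
    "FCAT_INFRA.MXTUSERKEYMAP": {"daily_mb": [50, 50, 51, 51],       "extents": 12,  "max_extents": 505},
    "FCAT_CORP.AUDIT":          {"daily_mb": [300, 310, 325, 340],   "extents": 300, "max_extents": 505},
}


def growth_rate_per_day(history: List[float]) -> float:
    """Compound daily growth rate (as a fraction) from the first to the last
    sample; 0.0 when there is too little history to say anything."""
    if len(history) < 2 or history[0] <= 0:
        return 0.0
    return (history[-1] / history[0]) ** (1 / (len(history) - 1)) - 1


def check_segments(segments: Dict[str, dict], max_daily_growth: float = 0.10,
                   extent_headroom: float = 0.90) -> List[Tuple[str, List[str]]]:
    """Return (segment, reasons) for every segment that needs its storage
    parameters reviewed. A max_extents of 0 is treated as unlimited, so only
    the growth rule applies to it."""
    findings = []
    for name, s in segments.items():
        reasons = []
        rate = growth_rate_per_day(s["daily_mb"])
        if rate > max_daily_growth:
            reasons.append(f"growing {rate * 100:.1f}% per day")
        if s["max_extents"] > 0:
            used = s["extents"] / s["max_extents"]
            if used >= extent_headroom:
                reasons.append(f"{s['extents']}/{s['max_extents']} extents used ({used * 100:.0f}%)")
        if reasons:
            findings.append((name, reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in check_segments(SEGMENTS):
        print(name, "->", "; ".join(reasons))
```

Keeping the rule compound rather than absolute matters: a segment that adds a fixed 50 MB a day looks alarming when small and harmless when large, whereas a steady 16% a day (the TXN_LOG sample) doubles in under five days whatever its size.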

8.1 RECOVERY STRATEGY

Damage assessment and workload status determination
In the event of a business interruption caused by application unavailability, determine the following:
    - Likely duration of the stoppage/interruption.
    - Required corrective steps, including shifting temporarily to the backup servers, the hot site or the off site.
    - Status of the workload, with a view to determining the need and the urgency of shifting to the backup servers, the hot site or the off site.
    Timing: Immediately | Responsibility: Head, eBiz Support; Diamond Online Administrator

Hardware failure
In case of a hardware failure leading to system down, determine the following:
    1) Type of hardware or Operating System affected.
    2) Notify the TS engineer where this requires expert intervention.
    3) Activate the backup system or server and plug it in to the network.
    4) Determine whether the hardware can be fixed or replaced.
    5) Undertake the repairs in-house if possible, or get in touch with the vendor for replacement.
    6) Re-install the Operating System and all system utilities after repair/replacement of the defective hardware.
    7) Notify eBiz Support after completing the repairs or replacement of hardware.
    Timing: Immediately for steps 1-3 (Head, eBiz Support); <=1 day for repair/replacement and OS re-installation (H-TS)
Application recovery steps:
    1) Escalate to Iflex.
    2) Re-install all FLEXAT applications running on the servers, as well as the COM+ components.
    3) Restore the database.
    4) Conduct UAT.
    5) Relocate to the hot site as backup server.
    Timing: 1-3 days | Responsibility: Head, eBiz Support

Software failure
When the application is affected as a result of file or data corruption, the following measures shall be adopted:
    1) Isolate the data/application files affected.
    2) Determine whether this can be corrected immediately with minimal delay.
    3) Where the above is not feasible, activate the backup system or server and plug it in to the network.
    4) Obtain the relevant application/data file backups for re-installation.
    5) Conduct a UAT to test the server.
    6) Relocate to the hot site as backup server.
    Timing: 1-3 days | Responsibility: Head, eBiz Support

MS Exchange Server 2003

9.0 PRECAUTIONARY & CONTAINMENT
Ensure that the Exchange Server services are running.
    Timing: Daily | Responsibility: System Administrator
Backup of the Exchange Server database.
    Timing: Daily | Responsibility: System Administrator
Ensure that no unauthorized user gains access to the Exchange Server.
    Timing: Weekly | Responsibility: ICU/Inspection
Ensure that the Exchange Server is up to date with the latest Windows security patches and software.
    Timing: Weekly | Responsibility: System Administrator
Check the availability of space for the Exchange Server transaction logs.
    Timing: Weekly | Responsibility: System Administrator

9.1 RECOVERY STRATEGY

Damage assessment and workload status determination
In the event of an e-mail interruption caused by Exchange Server unavailability, determine the following:
    - Likely duration of the stoppage/interruption.
    - Required corrective steps, including shifting temporarily to the hot site or the off site.
    - Status of the workload, with a view to determining the need and the urgency of shifting to the hot site or the off site.
    Timing: Immediately | Responsibility: Systems Administrator

Hardware failure
In case of a hardware failure leading to system down, determine the following:
    1) Type of hardware or Operating System affected.
    2) Notify the hardware vendor where this requires expert intervention.
    3) Activate the backup system or server and plug it in to the network.
    4) Determine whether the hardware can be fixed or replaced.
    5) Undertake the repairs in-house if possible, or get in touch with the vendor for replacement.
    6) Re-install the Operating System and all system utilities after repair/replacement of the defective hardware.
    7) Notify TSU after completing the repairs or replacement of hardware.
    Timing: Immediately for steps 1-3 (Systems Administrator); <=1 day for steps 4-5 (Systems Administrator, Hardware Vendor)
Application recovery steps:
    1) Re-install the OS and the Exchange Server.
    2) Restore the database.
    3) Conduct UAT.
    4) Relocate to the hot site as backup server.
    Timing: 1-3 days | Responsibility: Systems Administrator

Software failure
When the Exchange Server is affected as a result of file or data corruption, the following measures shall be adopted:
    1) Isolate the data/application files affected.
    2) Determine whether this can be corrected immediately with minimal delay.
    3) Where the above is not feasible, activate the backup system or server and plug it in to the network.
    4) Obtain the relevant Information Store backups for re-installation.
    5) Conduct a UAT to test the server.
    6) Relocate to the hot site as backup server.
    Timing: 1-3 days | Responsibility: Systems Administrator

ISA Server 2000

10.0 PRECAUTIONARY & CONTAINMENT

Ensure that the systems are ready for activities by checking that the following components are running:
    - Microsoft ISA Server Control
    - Microsoft Firewall
    Timing: Daily | Responsibility: Systems Administrator
Examine the ISA Server event logs and note any application or system errors: choose Start > Settings > Control Panel > Administrative Tools > Event Viewer.
    Timing: Daily | Responsibility: Systems Administrator
Monitor ISA Server activity by viewing the performance counters: go to Start > Programs > MS ISA Server > ISA Server Performance Monitor.
    Timing: Daily | Responsibility: Systems Administrator
View ISA Server alerts by pointing to Internet Security and Acceleration Server > Servers and Arrays > Name > Monitoring > Sessions.
    Timing: Daily | Responsibility: Systems Administrator

10.1 RECOVERY STRATEGY

Damage assessment and workload status determination
In the event of a proxy service interruption caused by ISA Server unavailability, determine the following:
    - Likely duration of the stoppage/interruption.
    - Required corrective steps, including shifting temporarily to the hot site or the off site.
    - Status of the workload, with a view to determining the need and the urgency of shifting to the hot site or the off site.
    Timing: Immediately | Responsibility: Systems Administrator

Hardware failure
In case of a hardware failure leading to system down, determine the following:
    1) Type of hardware or Operating System affected.
    2) Notify the hardware vendor where this requires expert intervention.
    3) Activate the backup system or server and plug it in to the network.
    4) Determine whether the hardware can be fixed or replaced.
    5) Undertake the repairs in-house if possible, or get in touch with the vendor for replacement.
    6) Re-install the Operating System and all system utilities after repair/replacement of the defective hardware.
    7) Notify TSU after completing the repairs or replacement of hardware.
    Timing: Immediately for steps 1-3 (Systems Administrator); <=1 day for vendor repair/replacement (Hardware Vendor)
Application recovery steps:
    1) Re-install the OS and the ISA Server.
    2) Restore the ISA Server configuration files.
    3) Conduct UAT.
    4) Relocate to the hot site as backup server.
    Timing: 1-2 days | Responsibility: Systems Administrator

Windows Server 2003 Active Directory

11.0 PRECAUTIONARY & CONTAINMENT
Ensure that the Directory Services are running:
    - Net Logon
    - DNS Service
    Timing: Daily | Responsibility: System Administrator
Ensure that SYSVOL is shared, to allow for replication of the Active Directory.
    Timing: Daily | Responsibility: System Administrator
Monitor replication between the Domain Controllers in the domain.
    Timing: Daily | Responsibility: System Administrator
Ensure that no unauthorized user gains access to the Active Directory (domain).
    Timing: Weekly | Responsibility: ICU/Inspection
Backup the Active Directory System State data.
    Timing: Monthly | Responsibility: System Administrator

11.1 RECOVERY STRATEGY

Damage assessment and workload status determination
In the event of a failure of the Directory Services caused by a crash of the forest root Domain Controller, determine the following:
    -  Likely duration of the stoppage/interruption.
    - Required corrective steps, including seizing the FSMO roles to a temporary Domain Controller.
    - Status of the workload, with a view to determining the need and the urgency of shifting to the hot site or the off site.
    Timing: Immediately | Responsibility: Systems Administrator

Hardware failure
In case of a hardware failure leading to system down, determine the following:
    1) Type of hardware or Operating System affected.
    2) Notify the hardware vendor where this requires expert intervention.
    3) Activate the backup system or server and plug it in to the network.
    4) Determine whether the hardware can be fixed or replaced.
    5) Undertake the repairs in-house if possible, or get in touch with the vendor for replacement.
    6) Re-install the Operating System and all system utilities after repair/replacement of the defective hardware.
    7) Notify TSU after completing the repairs or replacement of hardware.
    Timing: Immediately for steps 1-3 (Systems Administrator); <=1 day for vendor repair/replacement (Hardware Vendor)
Directory recovery steps:
    1) Re-install the Domain Controller.
    2) Make the Domain Controller a Global Catalogue server.
    3) Transfer the FSMO roles back to the Domain Controller.
    Timing: 1-2 days | Responsibility: Systems Administrator

E-Policy Orchestrator Server

12.0 PRECAUTIONARY & CONTAINMENT
Ensure that the following ePolicy Orchestrator services are running:
    - Discovery & Notification
    - ePolicy Server
    - Event Parser
    Timing: Daily | Responsibility: System Administrator
Backup the Network Security folder and the SQL database.
    Timing: Weekly | Responsibility: System Administrator
Ensure that the DAT engine is being updated on the ePolicy Orchestrator.
    Timing: Daily | Responsibility: System Administrator
Ensure that no unauthorized user gains access to the EPO Server.
    Timing: Weekly | Responsibility: ICU/Inspection
12.1 RECOVERY STRATEGY

Damage assessment and workload status determination
In the event of a failure of the anti-virus update services caused by a crash of the ePolicy Orchestrator server, determine the following:
    - Likely duration of the stoppage/interruption.
    - Required corrective steps, including re-installing the ePolicy Orchestrator server.
    - Status of the workload, with a view to determining the need and the urgency of shifting to the hot site or the off site.
    Timing: Immediately | Responsibility: Systems Administrator

Hardware failure
In case of a hardware failure leading to system down, determine the following:
    1) Type of hardware or Operating System affected.
    2) Notify the hardware vendor where this requires expert intervention.
    3) Activate the backup system or server and plug it in to the network.
    4) Determine whether the hardware can be fixed or replaced.
    5) Undertake the repairs in-house if possible, or get in touch with the vendor for replacement.
    6) Re-install the Operating System and all system utilities after repair/replacement of the defective hardware.
    7) Notify TSU after completing the repairs or replacement of hardware.
    Timing: Immediately for steps 1-3 (Systems Administrator); 1-2 days for steps 4-5 (Systems Administrator, Soft Solutions); <=1 day for vendor repair/replacement (Hardware Vendor)
Application recovery steps:
    1) Re-install the ePolicy Orchestrator software.
    2) Reconfigure the distributed repository servers.
    Timing: 1-3 days | Responsibility: Systems Administrator, Soft Solutions

HP-UNIX 11.23

13.0 PRECAUTIONARY & CONTAINMENT
Ensure that the UNIX packages are running.
    Timing: Daily | Responsibility: System Administrator
Ensure that the cluster service is running, to ensure proper fail-over.
    Timing: Daily | Responsibility: System Administrator
Monitor the size of the root directory and the Oracle user directory.
    Timing: Daily | Responsibility: System Administrator
Ensure that no unauthorized user gains access to the Active Directory (domain).
    Timing: Weekly | Responsibility: ICU/Inspection
Backup the UNIX system.
    Timing: Quarterly | Responsibility: System Administrator

13.1 RECOVERY STRATEGY

Damage assessment and workload status determination
In the event of a failure of Flexcube services caused by a crash of the UNIX servers, determine the following:
    - Likely duration of the stoppage/interruption.
    - Required corrective steps, including proper failing over to the backup servers.
    - Status of the workload, with a view to determining the need and the urgency of shifting to the hot site or the DR site.
    Timing: Immediately | Responsibility: Systems Administrator

Hardware failure
In case of a hardware failure leading to system down, determine the following:
    1) Type of hardware or Operating System affected.
    2) Notify the hardware vendor where this requires expert intervention.
    3) Fail over to the hot site.
    4) Determine whether the hardware can be fixed or replaced.
    5) Undertake the repairs in-house if possible, or get in touch with the vendor for replacement.
    6) Re-install the Operating System and all system utilities after repair/replacement of the defective hardware.
    7) Notify TSU/BAS after completing the repairs or replacement of hardware.
    Timing: Immediately for steps 1-3 (Systems Administrator, Hardware Vendor); 1-2 days for steps 4-5 (Systems Administrator, Hardware Vendor); <=1 day for vendor repair/replacement (Hardware Vendor)

HP-UNIX 11.11

13.0 PRECAUTIONARY & CONTAINMENT
Ensure that the UNIX packages are running.
    Timing: Daily | Responsibility: System Administrator
Ensure that the cluster service is running, to ensure proper fail-over.
    Timing: Daily | Responsibility: System Administrator
Monitor the size of the root directory and the user directory.
    Timing: Daily | Responsibility: System Administrator
Ensure that no unauthorized user gains access to the Active Directory (domain).
    Timing: Weekly | Responsibility: ICU/Inspection
Backup the UNIX system using OmniBack.
    Timing: Weekly | Responsibility: System Administrator

13.1 RECOVERY STRATEGY

Damage assessment and workload status determination
In the event of a failure of Flexcube services caused by a crash of the UNIX servers, determine the following:
    - Likely duration of the stoppage/interruption.
    - Required corrective steps, including proper failing over to the backup servers.
    - Status of the workload, with a view to determining the need and the urgency of shifting to the hot site or the off site.
    Timing: Immediately | Responsibility: Systems Administrator

Hardware failure
In case of a hardware failure leading to system down, determine the following:
    1) Type of hardware or Operating System affected.
    2) Notify the hardware vendor where this requires expert intervention.
    3) Activate the backup system or server and plug it in to the network.
    4) Determine whether the hardware can be fixed or replaced.
    5) Undertake the repairs in-house if possible, or get in touch with the vendor for replacement.
    6) Re-install the Operating System and all system utilities after repair/replacement of the defective hardware.
    7) Notify TSU/BAS after completing the repairs or replacement of hardware.
    Timing: Immediately for steps 1-3 (Systems Administrator); 1-2 days for steps 4-5 (Systems Administrator); <=1 day for vendor repair/replacement (HP)
Recovery step:
    1) Re-install the UNIX server.
    Timing: 1-3 days | Responsibility: HP

SWIFTAlliance Entry

14.0 PRECAUTIONARY & CONTAINMENT

Diamond Bank

Business Process Assurance


Page 172 of 176

Subject:

Ensure that the backup SWIFT application Server is up to


date with the latest SWIFTAlliance Release, Patches and
Bank files.

Quarterly

SWIFT
Administrator

Ensure that regular backup of the SWIFTAlliance


Database.
Ensure regular Message Archiving and backup of the
SWIFTAlliance message File

Daily

SWIFT
Administrator
SWIFT
administrator

Ensure that the Backup connectivity Lines and


Modems are tested regularly.

Weekly

Fortnightly

SWIFT
Administrator

14.1 RECOVERY STRATEGY

1. In the event of a business interruption caused by SWIFTAlliance application unavailability, determine the following:
   - the likely duration of the stoppage/interruption;
   - the required corrective steps, including temporarily swapping the application server with the backup application server;
   - the status of the backup application server, with a view to determining whether its application database needs updating.
   (Timing: Immediately; Responsibility: SWIFT Administrator / Head, BAS)
2. When the application is affected by a connectivity failure, the following measures shall be adopted:
   - identify the point of failure in the SWIFTNet connectivity network;
   - determine whether the failure can be rectified immediately or whether escalation to the service providers is necessary;
   - connect the backup connectivity option and restore services while working on the primary connection line;
   - test the primary line after the fault is rectified.
   (Timing: 1 day; Responsibility: Head, BAS / SWIFT Administrator)

15.0 XCEED APPLICATION

PRECAUTIONARY & CONTAINMENT

1. Ensure that the Xceed live and backup servers are on the network.
   Action: run a ping test to 201.0.0.220 and 200.0.0.100 from any PC.
   (Timing: Daily; Responsibility: Administrator)
2. Ensure that SQL Server 2000 is up and running and that the SQL Agent service is up.
   Action:
   1) From any PC that has SQL Server 2000 installed, click Start, Run, type isqlw and press Enter to connect to the live or backup server using sa as the user ID.
   2) On the server console, double-click the SQL Service Manager icon on the task bar to open it, then start each of the services if they are stopped.
   (Timing: Regularly; Responsibility: Administrator)
3. Ensure that the Crystal Reports services are running.
   Action: open Control Panel, Services, and check that the Network DDE, Network DDE DSDM, Seagate Page Server and Seagate Web Component Server services are enabled and running.
   (Timing: Regularly; Responsibility: Administrator)
4. Ensure that the IIS service is running. (Timing: Regularly; Responsibility: Administrator)
5. Ensure that the Xceed application files and folders are backed up to tape/disk. (Timing: Daily; Responsibility: Administrator)
6. Ensure that the Xceed database is backed up to tape/disk. (Timing: Daily; Responsibility: Administrator)

15.1 RECOVERY STRATEGY

If a user tries to connect to Xceed People Management and receives the error message "The system cannot establish a database connection for this session, please verify permissions, that your network is functioning properly and you have supplied all necessary information", check, in this order, whether:
1. The Xceed server is currently turned on or is still restarting.
2. The workstation is connected, by pinging the Xceed server.
3. Passwords have been reset.
4. The SQL services are running and the database is up.
5. The IIS service is running.
(Timing: At logon; Responsibility: Xceed User / Administrator)
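The checklist above is a dependency chain: the server must answer before the SQL services matter, and the database must be up before IIS can serve the application. The following is an added example, not code from the Xceed procedures: it probes the live and backup addresses quoted in the precautionary checks over TCP (the port numbers are assumptions: 1433 for a SQL Server 2000 default instance, 80 for IIS) and stops at the first failing step, distinguishing a host that does not answer at all (steps 1-2) from one that answers but has a service stopped (steps 4-5). Step 3, password resets, cannot be probed from the network and stays a manual check. One caveat on the precautionary check itself: connecting with the sa login for a routine health check means the most privileged SQL credential gets typed on arbitrary PCs; a dedicated low-privilege login reserved for monitoring is the usual substitute.

```python
import socket

# Addresses quoted in the Xceed precautionary checks.
XCEED_LIVE = "201.0.0.220"
XCEED_BACKUP = "200.0.0.100"

# Checks in dependency order. Ports are assumptions: SQL Server 2000 default instance
# on TCP 1433, IIS on TCP 80.
CHECKS = [
    ("SQL Server service (TCP 1433)", 1433),
    ("IIS web service (TCP 80)", 80),
]


def tcp_probe(host, port, timeout=2.0):
    """Return 'open', 'refused' (host up, nothing listening) or 'unreachable'
    (host off, still restarting, no route, or a firewall silently dropping the SYN)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except OSError:
        return "unreachable"


def triage(host, probe=tcp_probe):
    """Walk CHECKS in order and stop at the first failure.

    Returns (ok, results, diagnosis); results is a list of (label, port, state).
    The diagnosis maps the failure back to the manual checklist step.
    """
    results = []
    for label, port in CHECKS:
        state = probe(host, port)
        results.append((label, port, state))
        if state == "unreachable":
            return False, results, (
                "%s unreachable: check that the server is powered on and not still "
                "restarting, then check the workstation's network path (steps 1-2)" % host)
        if state == "refused":
            return False, results, (
                "%s: %s is not listening; start the service from the server console "
                "(steps 4-5)" % (host, label))
    return True, results, ("all services answering on %s; check the user's credentials "
                           "next (step 3)" % host)


def failover_target(probe=tcp_probe):
    """Return the first of live/backup that passes every check, or None if neither does."""
    for host in (XCEED_LIVE, XCEED_BACKUP):
        ok, _, _ = triage(host, probe)
        if ok:
            return host
    return None


if __name__ == "__main__":
    for host in (XCEED_LIVE, XCEED_BACKUP):
        ok, results, diagnosis = triage(host)
        print(host, "OK" if ok else "FAIL", "-", diagnosis)
    print("usable server:", failover_target())
```

The `probe` argument exists so the ordering logic can be exercised with a table of canned states instead of live sockets; in production the default `tcp_probe` is used and the output tells the administrator which checklist step to go to rather than making them walk all five.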

3.0 TESTING STRATEGY

i)   Test the component(s) in each area described above at the head office and at a sample branch location, in a systematic manner, and document the test results. Testing involves verifying whether each component works when subjected to a situation close to what is expected in a business contingency. (Timing: At least once a year; Responsibility: Head, ITS / Contingency Response Team)
ii)  Ensure that the tests cover the availability, adequacy, functionality and any other relevant emergency performance criteria in the following areas: hardware, media, communication links, people. (Timing: During each test; Responsibility: Head, ITS / Contingency Response Team)
iii) Ensure that the necessary amendments are made in respect of the above areas and/or the plan, based on the test experience. (Timing: After each test; Responsibility: Contingency Response Team)

16.0 Business disruptions in Branches (Riots, Link failures, Server failures)

PRECAUTIONARY & CONTAINMENT

The bank operates an online/real-time system, implying that all branches must be connected to the host database for real-time transactions. The Flexcube application, though equipped with offline functionality, has a limit on the number of days a branch can perform transactions on its local database in offline mode. For very brief disruptions this can suffice, and the branch can apply the offline operational procedures, relying on the last balances downloaded from the host.

1. Ensure that the branch server database is up to date by downloading all branch-related tables from the host database. (Timing: Daily; Responsibility: Branch CSM)
2. Ensure that branch database backups are taken. (Timing: Daily; Responsibility: Branch CSM)
3. Ensure that the server room has adequate cooling and is secured to prevent unauthorised access. (Timing: Daily/Quarterly; Responsibility: Branch CSM / Regional IT Engineer)
4. Ensure that the branch server is powered up in the morning and shut down gracefully each day. (Timing: Daily; Responsibility: Branch CSM)
5. Ensure that the branch UPS units are working well and that the backup power supply (standby generators) is fully functional/serviceable. (Timing: Weekly; Responsibility: Branch CSM)
6. Carry out scheduled testing to ensure that the primary and secondary links to the branch are active. (Timing: Bi-weekly; Responsibility: Regional IT Engineer)
7. Ensure that the UPS and generators are functional and working properly. (Timing: Bi-weekly; Responsibility: CSM / Regional Engineer)
8. Shut down all PCs, including the branch server, where the generator cannot support the UPS after a power failure. (Timing: Immediately; Responsibility: CSM)
9. Ensure that the antivirus signatures are updated on the branch server. (Timing: Daily; Responsibility: Branch CSM)

16.1 RECOVERY STRATEGY

If a branch experiences disruption of an extensive nature, such as riots, link failures, etc.:

1. Assess and determine the level of disruption to the branch. (Timing: Immediately; Responsibility: Branch CSM)
2. Contact the RCSM / IT Helpdesk / Regional IT Engineer. (Timing: Immediately or ASAP; Responsibility: Branch CSM)
3. Shut down the branch servers and all other telecommunications hardware, including the UPS. (Timing: Immediately or ASAP; Responsibility: Branch CSM)
4. Relocate the branch server, including about 2-3 PCs, to the closest stable branch location. (Timing: Immediately, or 2 days maximum; Responsibility: CSM / Regional IT Engineer)
5. Change the network address of the affected branch server to the LAN address of the new location and test the connection to the host database. (Timing: 2-4 hours; Responsibility: Regional IT Engineer)
6. Release 2-3 workstations to be configured for the affected branch's tellers where there is a shortage of PCs. (Timing: Immediately or ASAP; Responsibility: CSM/BM of the new branch location)
7. Configure the workstations to see the reconfigured branch server. (Timing: 2-3 hours; Responsibility: Regional IT Engineer)

If there is a branch server failure:

1. Contact the RCSM / IT Helpdesk / Regional IT Engineer. (Timing: Immediately; Responsibility: Branch CSM)
2. Apply the operational offline procedures. (Timing: Immediately; Responsibility: Branch CSM)
3. Inspect the affected system and, if the operating system is intact, restore the last database backup tape. (Timing: 1-2 days; Responsibility: Regional IT Engineer)
4. Test the server and restore client connections. (Timing: 1-2 days; Responsibility: Regional IT Engineer / CSM)

If the branch is burnt due to a fire outbreak:

1. Contact the RCSM / IT Helpdesk / Regional IT Engineer. (Timing: Immediately; Responsibility: Branch CSM)
2. Determine the extent of damage to IT resources at the affected branch and report to the Head, IT Services. (Timing: 1-2 days; Responsibility: Regional IT Engineer / CSM)
3. Commence re-deployment of PCs, printers and telecommunications infrastructure at the branch as soon as notification is received, the extent of damage has been estimated and the schedule of reconstruction has been received from the Head, Branch Development. (Timing: Once notified; Responsibility: Head, IT Services)
4. Place a request for the procurement of all affected IT equipment for replacement, and engage the telecom vendor for the affected link where necessary. (Timing: Once notified; Responsibility: Head, IT Services)
5. Re-build the branch server from the host database using the last updated details for the affected branch; restore other damaged equipment. (Timing: 1-2 days, in line with the reconstruction plan; Responsibility: Head, BAS / Head, TS)
6. Ship the branch server to the branch. (Timing: 1 day; Responsibility: Head, TS)
7. Test the server and restore client connections. (Timing: 1 day; Responsibility: Regional IT Engineer)