
1. Introduction
The confidentiality, integrity and availability of information, in all its forms, are critical to the ongoing functioning and good governance of KongaPay. Failure to adequately secure information increases the risk of financial and reputational losses from which it may be difficult for KongaPay to recover.
KongaPay is committed to protecting its people, processes and information assets by deploying controls that minimize the impact of any security incident. All KongaPay staff and third parties requiring or having access to KongaPay information resources must understand their obligations and responsibilities to ensure that information is handled appropriately and securely to protect the reputation and interests of KongaPay and avoid placing themselves or KongaPay at risk of prosecution.
2. Purpose
The purpose of this policy is to provide management direction and support for information security. It also sets out the security framework that will ensure the protection of KongaPay's information from unauthorized access, loss or damage while supporting the open culture, and that will implement good practice in accordance with ISO 27001 and other relevant information security standards, including the Payment Card Industry Data Security Standard (PCI DSS).
3. Scope
The Information Security Policy applies to all KongaPay staff, contractors, consultants and any third party with access to KongaPay information assets.
4. Policy
This information security policy states the management commitment and sets out the approach to the protection of KongaPay's information assets against all internal, external, deliberate or accidental threats.
The policy ensures that:
- The confidentiality, integrity and availability of KongaPay information assets are assured and maintained.
- Information assets are protected against unauthorized access.
- Applicable legislative and regulatory requirements are complied with in the usage of information assets.
- Security awareness and training programmes are conducted regularly.
- Staff with responsibilities for security breach response are periodically trained.
- A security risk assessment is conducted at the initiation stage of a project.
- Data classification and potential threats are identified.
- Security controls are defined as part of the project scope.
- Security roles and responsibilities are assigned within the project team.
- Security requirements are included in project documentation.
- Periodic security reviews are conducted throughout the project lifecycle.
- Access control policies and data protection measures are implemented.
- Relevant security regulations and standards are complied with.
- Security testing is performed before project completion.
- An incident response plan is defined for project-related security breaches.
- Business continuity plans account for project risks.
5. Responsibility
All employees and third parties who require access to KongaPay's information and associated assets are responsible for ensuring that this policy is adhered to.
Management at all levels are responsible for ensuring that employees and third parties are aware of, and adhere to, this policy.
The following information security responsibilities are specifically and formally assigned:
- Responsibility for establishing, documenting and distributing security policies and procedures is formally assigned.
- Responsibility for monitoring and analyzing security alerts and distributing information to appropriate information security and business unit management personnel is formally assigned.
- Responsibility for establishing, documenting, and distributing security incident response and escalation procedures is formally assigned.
- Responsibility for administering user accounts (adding, deleting and modifying them) and authentication management is formally assigned.
- Responsibility for monitoring and controlling all access to data is formally assigned.
6. Incident Handling
If any employee is aware of an information security incident then they must report it to the Information Management and Technology Service Desk at [email protected].
7. Supporting Policies
Supporting policies have been developed to strengthen and reinforce this policy statement. These, along with associated codes of practice, procedures and guidelines, are published together and are available for viewing on KongaPay's Google Sites, which is accessible to employees.
All employees and any third parties authorized to access KongaPay's network or computing facilities are required to familiarize themselves with these supporting documents and to adhere to them in the working environment.
Supporting policies may be found at: KongaPay IT Policy.
8. Enforcement
Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment. An employee found to have violated this policy may also be liable to a lawsuit and/or prosecution.
9. Review and Evaluation
The Tech Security Unit is responsible for the maintenance and review of the policy according to a defined review process. This process will ensure that a review takes place at least annually or in response to any changes affecting the basis of the original risk assessment, e.g. significant security incidents, new vulnerabilities or changes to the organizational or technical infrastructure.
A PCI risk assessment is to be carried out for the cardholder data environment (CDE) using a formal risk assessment process such as ISO 27005, OCTAVE or NIST SP 800-30. The PCI risk assessment report should clearly highlight the threats and vulnerabilities identified and the risk treatment plan adopted to mitigate the risks.