Information Security Policy — ValuePay MFB

12.5 Scope

This Policy applies to all information assets owned or processed by the Bank, all employees, contractors, vendors, agents, and any other person granted access to such assets.

12.6 Classification of information

Public — information cleared for unrestricted release.
Internal — general business information, not for public release.
Confidential — customer-, personnel-, or commercially-sensitive data.
Restricted — high-sensitivity data such as authentication credentials, cryptographic keys, and material non-public regulatory data.

12.7 Roles and responsibilities

Board — sets risk appetite, approves the ISP, and oversees its operation.
Chief Information Security Officer (CISO) — accountable for the ISP and the Bank's security programme.
Asset owners — accountable for the security of the assets in their domain.
All employees and contractors — responsible for following the ISP and supporting policies.

12.8 Control domains

The ISP is operationalised through twelve control domains, broadly aligned to ISO 27001:

Information security policies and risk management.
Organisation of information security and roles.
Human-resource security (vetting, training, exit).
Asset management and classification.
Access control and identity management.
Cryptography and key management.
Physical and environmental security.
Operations security and change management.
Communications security (network, email, transport).
System acquisition, development, and maintenance.
Supplier relationships and third-party security.
Incident management, business continuity, and regulatory compliance.

12.9 Review and continuous improvement

The ISP is reviewed at least annually, and following any material change in the Bank's operating environment, technology landscape, or threat profile. Material updates are approved by the Board.

ValuePay Microfinance Bank Limited has received Approval-in-Principle from the Central Bank of Nigeria (ref. FPR/LAD/CON/MFB/015/047 dated 17 March 2026). The Bank shall not commence banking business until the grant of a final licence.