ARDCIBANK, INC.
INFORMATION SECURITY POLICY
1. INTRODUCTION
The confidentiality, integrity and availability of information, in all its forms, are critical to the
business transactions of the bank. Failure to adequately secure information increases the risk of
financial and reputational losses from which it may be difficult for the bank to recover. This
information security policy outlines ARDCIBANK’s approach to information security
management. It provides the guiding principles and responsibilities necessary to safeguard the
security of the Bank’s information systems.
It aims to ensure the appropriate confidentiality, integrity and availability of its data. The
principles defined in this policy will be applied to all of the physical and electronic information
assets.
1.1 PURPOSE
The primary purposes of this policy are to:
1. Ensure the protection of information systems (including but not limited to all computing
network equipment, software and data) and to mitigate the risks associated with loss,
misuse, damage or abuse of the system.
2. Maintain an adequate level of security to protect ARDCIBANK, INC. data and
information systems from unauthorized access.
3. Ensure that all users understand their own responsibilities for protecting the
confidentiality and integrity of the data that they handle.
4. Respond to feedback and update as appropriate, initiating a cycle of continuous
improvement.
1.2 SCOPE
This policy applies to all staff who use the computing networks and velocitysoft system of
ARDCIBANK, INC., where information systems are used to store and process data.
1.3 DEFINITIONS
Information System - the software and hardware systems that support data-intensive
applications.
Network System - a system that allows sharing of application systems, data, users, and other
network functions.
Data User - a user authorized to have access to the bank's Information Systems and/or
information assets.
2. POLICY
GENERAL POLICY
XXXXXXXXX
2.1 SERVER
1. Servers should be placed in physically secured or access-controlled areas and be
accessible only to authorized personnel.
2. Administrators should run only services on a server that are needed for it to complete
its designed task.
3. The latest system patches should be applied regularly. (If patches are not applied in
a timely manner, the server could be disconnected from the network until
vulnerabilities have been addressed.)
4. Regular antivirus scanning with updated virus detection must be done on all
servers.
5. The daily full offsite backup of the database from the velocitysoft system should be
retained for at least one year.
6. The monthly incremental offsite backup of staff working files should be retained for a
minimum of 2 years.
7. Preventive and corrective maintenance shall be done regularly to minimize
vulnerabilities on the server.
2.2 WORKSTATION
1. Enable on all workstations a password-protected screen saver with a short timeout
period to ensure that workstations left unsecured are protected from
unauthorized users.
2. Enable a power-on password for the CPU and BIOS to protect the system's BIOS settings
from alteration.
3. Active workstations are not to be left unattended for prolonged periods of time. When a
user leaves a workstation, the user is expected to properly log out of all applications
and networks.
4. Installation, removal or alteration of any software, hardware, or system settings on the
workstation is prohibited unless you have been directed to do so by the System
Administrator.
5. Eating and drinking are prohibited near the workstation in order to avoid
accidental spills.
6. Staff shall make a reasonable effort to store all sensitive information or important
working files with bank-related data on the backup server.
7. Ensure that all workstations are used for authorized bank business purposes only.
2.3 VELOCITYSOFT APPLICATION
1. User connections to the system application shall be made via user IDs that are
unique to each individual user to provide individual accountability.
2. Only authorized users are granted access to velocity systems, and users are limited to
specific defined levels of access rights.
3. Users are responsible for maintaining the security of their own system accounts and
passwords and may not share them with other staff.
4. The CASA, LOANS, and GL systems shall implement automatic termination or
re-authentication of active sessions after a pre-determined period of inactivity.
5. User access is to be immediately revoked if the individual has been removed or
transferred to another office.
3. ROLES AND RESPONSIBILITIES
3.1 THE SYSTEM ADMINISTRATOR
i. Monitoring and reviewing the information security policy at ARDCIBANK, INC.,
including the efficacy of controls and applying continuous improvement.
ii. Coordinating with auditors, executive management and user departments to
enhance information security.
iii. Exercising disaster recovery scenarios as asked by the Compliance Officer.
iv. Investigating and resolving information security incidents.
3.2 AUTHORIZED USER
i. Users are responsible for getting acquainted with and complying with ARDCIBANK,
INC. IT regulations.
ii. Users shall not purposely engage in activity with the intent to degrade the
performance of the system; divert system resources to their own use; or gain
access to bank systems for which they do not have authorization.
iii. Users shall not download unauthorized software from the Internet onto their PCs
or workstations.
iv. Users shall not attempt to subvert IT security measures.
v. Users shall report any weaknesses in the bank's information security, and any incidents
of misuse or violation of this policy, to the bank manager or IT designee.
Mandatory controls
Minimum information protection safeguards for the use of portable storage devices must
include:
Disabling portable storage devices, media drives or connection ports where there is no
business reason;
Not storing the only version of a document on portable storage devices;
Documented authorization processes for use of portable storage devices;
Encryption of stored data;