Edris Security Policy

Introduction

At Edris, we believe in building simple, secure, and 100% digital tools that put you in control of your finances. We highly value our customers and understand the crucial role cybersecurity plays in enabling you to use our services with absolute peace of mind.

We implement a defense-in-depth strategy, employing multiple layers of security to mitigate potential compromises even if one layer is breached. Protecting your information is our core principle, and this Cybersecurity Policy ("Policy") outlines our dedication to safeguarding your data.

Scope

This policy applies to all Edris Bank’s companies ("Edris") and their personnel, consultants, third-party providers, suppliers, and partners who access, store, process, or transmit information belonging to or under the custody of Edris.

Objective

  • Maintain the confidentiality, integrity, and availability of information belonging to or under the custody of Edris.

  • Establish robust measures for protecting the infrastructure supporting business services and activities.

  • Prevent, detect, and minimize exposure to cyber-related incidents.

Information Security Principles

  • Confidentiality: Ensuring information is only accessible to authorized individuals, entities, or processes.

  • Integrity: Guaranteeing information is accurate, complete, and protected from unauthorized or unintentional alterations.

  • Availability: Ensuring information is accessible and usable upon request by authorized individuals, entities, or processes.

Guidelines

  • Access to systems, resources, and other information assets must be granted based on:

    • Business need: Access granted only for legitimate business purposes.

    • Least privilege principle: Users granted minimum access necessary to perform their duties.

    • Segregation of duties: Separation of critical tasks to minimize risk of unauthorized activity.

  • Access rights must be managed throughout their lifecycle, from creation to deactivation, with regular reviews to confirm they remain accurate and appropriate.

  • Strong password policies must be implemented, encouraging complex, unique passwords that are never reused, shared, or written down.

  • Logs and audit trails must be enabled in production environments, protected from unauthorized access and modification, and must record:

    • What activity was performed.

    • Who performed the activity.

    • When the activity was performed.

    • On what the activity was performed.

  • Cryptographic algorithms should be applied as needed to safeguard data at rest, in transit, and in use.

  • Data Loss Prevention (DLP) solutions or equivalent controls should be in place to prevent unauthorized exfiltration of sensitive information.

  • Intrusion Detection and Prevention Systems (IDS/IPS) and Security Information and Event Management (SIEM) solutions should be deployed to identify and respond to potential attacks.

  • A comprehensive vulnerability management process should be established to identify, prioritize, and remediate vulnerabilities throughout their lifecycle.

  • Anti-malware solutions or equivalent controls must be deployed to protect the Edris environment.

  • Critical information assets and those storing and/or processing sensitive data must be restricted to segregated network areas with strict access controls.

  • Production databases must have robust backups to ensure system and service restoration in case of data loss or service interruptions.

  • Security requirements must be integrated throughout the software development lifecycle to ensure information confidentiality, integrity, and availability.

  • Security assessments must be conducted before implementing any new technology, tool, or solution in production.

  • Incident response procedures and controls must be established to address, mitigate, and recover from cybersecurity incidents, including guidelines for recording, analyzing cause and impact, and assessing incident relevance.

  • Information classification should be implemented to map information assets and determine appropriate levels of protection for storage, transmission, and use.

  • A regularly tested Business Continuity Plan (BCP) should ensure critical and essential processes are maintained during crises, preserving the continuity of critical business functions, operations, and services.

  • Annual security awareness training programs should be mandatory for all employees, educating them on information security principles and enabling them to recognize and respond to risky situations.

  • Secure channels should be used for sharing incident and threat information with other local and global institutions.

  • This Edris Cybersecurity Policy will be reviewed at least annually and updated as needed.

Security Recommendations for Customers

  • Create strong, complex passwords not based on personal information (e.g., dates of birth, family names). Consider using at least 4 random words.

  • Change your password immediately if you suspect a leak or compromise of your credentials.

  • Avoid using the same password for multiple services. Consider a password manager for secure storage and management.

  • Treat your password as confidential and never share it with anyone or write it down in easily accessible places.

  • Enable two-factor authentication (e.g., biometrics, SMS) whenever possible.

  • Avoid accessing banking websites and applications or conducting transactions on public or untrusted devices (e.g., internet cafes, public computers). The same applies to public Wi-Fi networks.

  • Keep your devices' operating systems and applications updated.