TECHNOLOGY POLICY SUMMARY FOR THIRD PARTY SUPPLIERS

Transcription

1 TECHNOLOGY POLICY SUMMARY FOR THIRD PARTY SUPPLIERS RATIONALE Group Policy Rationale This Policy has been designed to assist in managing the risk that Lloyds Banking Group (the Group) fails to simultaneously deliver Technology which meets customer expectations, supports Group strategy and complies with all applicable laws and regulations. The overall risk includes the following risk drivers: The risk that the Group fails to govern its Technology in line with corporate governance requirements, group strategic objectives and legal & regulatory requirements. The risk that the Group fails to build or acquire technology, maintain availability or correctly operate the processes that underpin the delivery of IT services that meets customer expectations, supports Group strategy and complies with all applicable laws and regulations. Whilst related, the risk that the Group fails to protect information from unauthorised disclosure, modification, or corruption and applications/systems being compromised is managed by the Information & Cyber Security Policy Customer Impact The Group s vision is to be the best bank for customers. The Technology Policy supports this vision and the aim of providing investors with strong, stable and sustainable returns by: Provision of the right structure and execution of governance to enable the customer impacts of technology risk to be assessed and addressed. Ensuring the customer impacts of IT risks are mitigated through having effective systems, controls and processes in place. Ensuring the customer impacts of IT events are effectively identified and managed through appropriate systems, controls and processes. Supporting operational efficiency which delivers good customer outcomes. SCOPE This third party summary of the Group Policy applies to suppliers where they are acting as a Technology Provider to or for the Group. Only those key controls relevant to the technology services being operated for the Group need to be in place. Page 1 of 5

2 MANDATORY REQUIREMENTS GENERAL Suppliers must: Governance Ensure that all elements of technology supporting Group services, including downstream supplier relationships, comply with contractual agreements and schedules of work. Ensure that technology processes, applications and systems are compliant with local, international, statutory, legislative, contractual and regulatory requirements. Build Demonstrate that applications / systems are designed, developed, tested and implemented in accordance with the Group s requirements, including the use of separate test environments and both functional and non-functional testing. Ensure that knowledge and information to support processes is accurately documented and made available to the Group on request including technical documentation, user manuals and recovery processes. Operate a Standard for managing the implementation of all types of technology change which includes documenting, impact assessing and approving all IT changes, including emergency, to ensure that they meet contractual requirements and do not negatively impact systems and services. Ensure that a change management application/tool is used to manage all IT changes. Ensure that appropriate implementation and back-out plans are in place and tested before promotion to live/production for all services operated on behalf of the Group. Availability and Performance Define, prioritise, regularly monitor and maintain IT services to ensure resilience, minimising potential disruption to Group services. Support continuity and recovery of service by ensuring that IT hardware and software are kept at version levels that allow the Group and the supplier (as per contractual obligations) to support, maintain, secure and/or patch where required. Implement processes to manage incidents and problems including trend analysis in line with service level agreements with the Group. Operation Create and maintain an up-to-date and accurate record of technology assets (for example: hardware, software, licences, source code and versioning). As a minimum, this must include all assets relating to Category A, B and C CBPs and other critical business activities, for example Financial and Regulatory reporting. Clearly document key IT resources (services, assets, people) and capabilities to enable delivery of contracted services to the Group. Page 2 of 5

3 Create and maintain an inventory of configuration information aligning with the relevant change and configuration management processes associated with providing contracted services to the Group. Ensure procedures are in place for the design, development and scheduling of batch jobs. Ensure a process to monitor the creation, prioritising, scheduling and execution of batch jobs and associated alerting is in place. Ensure capacity management processes including configuration are in place. Ensure maintenance of IT systems and assets in accordance with the supplier s recommended service intervals and specifications or other requirements as agreed with the Group. KEY CONTROLS Control Title Control Description Frequency Technology solutions are developed in accordance with Group requirements Sign off from the Group is obtained for technology solutions prior to implementation for Group Separate test environments are established services An environment definition document (or equivalent) and a master test plan (or equivalent) are in place for projects impacting Group services A readiness check is by the environment owner to confirm that the functional test environment is reflective of the live environment or a justification for it not reflecting live is documented Functional and nonfunctional testing is Technical support documentation Change standard and tooling Functional and non-functional testing (to documented requirements) for projects impacting Group services is Test plans must be formally documented and approved prior to the commencement of testing Technical documentation, user manuals recovery processes etc. for all Group services exists and is reviewed on an annual basis or following a change A standard for managing the implementation of technology change is in place and is reviewed annually A change management Page 3 of 5

4 Implementation and back out plans for technical change Emergency change An IT incident management process is fully implemented Problem trend analysis is Currency management procedures are in place Hardware and software inventories are in place Batch jobs are created, prioritised and scheduled application or tool is used to manage technology changes All technical changes for Group services have an approved implementation and back out plan An emergency change process is documented Emergency changes are approved as per process A process for Incident Management is documented All incidents are logged, prioritised and assigned to the relevant teams for timely response and investigation Incidents are tracked to resolution based on severity A process for Problem Management is documented Trend analysis is conducted for recurring problems on Group contracted services and progress on remediation documented and is tracked. A Currency Management process (hardware and software) is defined and reviewed annually All Group supporting applications/systems currency is reviewed in accordance with the process All currency issues are logged and tracked to remediation An asset inventory is in place which is updated following technology changes and contains configuration data, age of systems, and type of vendor support The inventory is reviewed on an annual basis Ensure procedures are in place for the design, development and scheduling of batch jobs impacting Group services Monitoring of the creation, prioritising, scheduling and execution of batch jobs must be in place Monthly Monthly Page 4 of 5

5 Alerts are prioritised and Alert monitoring requirements configured in line with are defined and approved alerting requirements Configure and prioritise alerts in line with defined requirements Ensure continual monitoring of alerts for all Group systems is in place and issues are identified and tracked to resolution Capacity management procedures are in place and executed A Capacity Management process, including configuration, must be documented, approved and reviewed annually Capacity Management processes must be operating for Group systems, with alerts managed and trend analysis MANDATORY REQUIREMENTS NON-COMPLIANCE Any material differences between the requirements set out above and the supplier s own controls should be raised by the Supplier with the Group s Supplier Manager. The Supplier Manager will then discuss the non compliance with the Accountable Executive for the relationship and local Risk team to agree way forward. Version Number Effective Date th November 2017 Next Planned Revision: July 2018 Page 5 of 5