
DATA PROTECTION (INFOSEC) POLICY

Owner: Security & Compliance
Effective date: 23rd August 2025
Review cadence: Annual, and on material change

Arno is an NDPC-approved Data Controller/Processor of Major Importance (DCPMI) under NDPA 2023 / GAID 2025. This can be verified on the NDPC register. View our NDPC certification here


Purpose: This policy establishes Arno’s information security objectives and control framework, aligned to
NDPA 2023 / GAID 2025, Kenya’s DPA 2019/General Regulations 2021 (where applicable), and industry
frameworks (ISO 27001/27002; NIST CSF). It applies to all staff, contractors, and vendors with access to Arno
data/systems.

1) Governance, Commitment & Metrics

  • Leadership commitment. Management endorses this policy and provides resources to achieve its
    objectives.

  • Security objectives & KPIs (reported quarterly): incident MTTR, patch SLAs met, unresolved high
    vulns, access review defects, DSR SLA adherence, vendor reassessment completion, backup restore
    success, phishing click-rate.

  • Management review. Annual review of risks, KPIs, audit findings, incidents, and improvement plan;
    decisions recorded.

  • Internal audit. Periodic internal audits against this policy and procedures.

2) Risk Management & Data Classification

  • Maintain a Security Risk Register with owners and treatments; review quarterly.

  • Classify information as Public / Internal / Confidential / Restricted; handling, storage, and
    transmission requirements are defined per class.

  • Maintain data flow diagrams and Records of Processing Activities (RoPA).

3) Asset & Configuration Management

  • Maintain centralized inventories of hardware, software, SaaS, cloud services, repositories, secrets, and
    certificates; assign owners and criticality.

  • Enforce configuration baselines (CIS or equivalent) via Infrastructure-as-Code; changes reviewed and
    tracked.

4) Identity, Access & Endpoint Security

  • Principles: single sign-on (SSO) where feasible; least privilege; segregation of duties.

  • Admin access: MFA required; production access just-in-time (JIT) via bastion or approved workflow;
    break-glass accounts monitored and reviewed within 24h of use.

  • Joiner-Mover-Leaver (JML): SCIM/automation where available; access revoked on exit; quarterly
    access recertification for all systems.

  • Endpoints: All admin devices enrolled in MDM with full-disk encryption and EDR; screen-lock
    enabled; OS/browser critical patches ≤ 14 days; USB and local admin restricted.

5) Network & Cloud Security

  • Segmented VPCs/VNETs; private subnets for data stores; egress restrictions.

  • WAF/DDoS and rate-limiting on public endpoints; HTTPS-only (TLS 1.2+).

  • CSPM scans enforce cloud baselines; secrets stored in a secrets manager; no hard-coded secrets.

  • Logging for network gateways, load balancers, and security groups retained per §9.

6) Cryptography & Key Management

  • Encryption: TLS 1.2+ in transit; AES-256 at rest with keys held in the cloud KMS; encryption is
    mandatory for backups and logs.

  • Key management: role-based key access; dual control for key changes; keys rotated at least annually
    and immediately on suspected compromise; certificate lifecycle managed with auto-renew where
    possible; secrets rotated at least every 90 days.

7) Secure Software Development (SSDLC)

  • Security requirements captured in design; threat modeling for new high-risk features.

  • Code review with security checks; SAST/SCA on each PR; DAST each release for internet-facing
    components; container and IaC scans pre-deploy; SBOM maintained.

  • Secrets scanning enforced in CI; staging/prod separation; migrations and rollbacks documented.

8) Vulnerability Management

  • Scanning coverage: endpoints, servers, containers, IaC, dependencies, and external attack surface.

  • Remediation SLAs: Critical 7 days; High 30; Medium 90; Low 180. Exceptions require risk acceptance
    with target date and owner.

  • Track remediation to closure; verify critical fixes with retest.

9) Logging, Monitoring & SIEM

  • Centralize auth/admin/app logs; protect integrity/immutability where feasible; time sync (NTP)
    enforced.

  • Retention: auth logs ≥ 180 days; admin/audit logs ≥ 365 days; longer where the record-keeping
    requirements in §14 apply.

  • Alerting: SIEM/SOAR rules with severity matrix; High-sev triage ≤ 15 minutes, containment plan
    initiated ≤ 4 hours (per-severity containment targets in Appendix A); 24/7 on-call for production
    incidents.

10) Incident Response & Breach Notification

  • Maintain an IR Plan (RACI) covering detection, triage, containment, eradication, recovery, and
    post-incident review.

  • Exercises: table-top simulations twice per year.

  • Notification: conduct privacy breach assessment promptly; notify the regulator (NDPC in Nigeria;
    ODPC in Kenya) and affected data subjects where the legal risk threshold is met, within the
    statutory window (72 hours to the regulator under both NDPA 2023 and Kenya’s DPA 2019).

  • Post-mortems documented with actions and owners.

11) Business Continuity, Backups & DR

  • Backups: encrypted, 30-day rolling; quarterly restore tests; consider immutable/offline copies for
    ransomware resilience.

  • RTO/RPO targets: define by service tier (e.g., Tier-1 RTO 4h / RPO 1h); DR plan tested at least
    annually.

  • BCP maintained; critical third-party dependencies identified with alternatives.

12) Vendor & Third-Party Risk Management

  • Tiering: categorize vendors (High/Med/Low) by data sensitivity/criticality.

  • Onboarding: perform due diligence; require DPA and minimum security controls; collect attestations
    (ISO 27001, SOC 2, PCI DSS AOC) as applicable.

  • Cross-border: perform Transfer Impact Assessments (TIAs) and apply contractual/technical
    safeguards.

  • Reassessment: at least annually for High-risk vendors; maintain a public Sub-processor Register and
    internal vendor files.

  • Exit: ensure data return/deletion with evidence (deletion certificates).

13) Training & Awareness

  • All staff: onboarding and annual refresh on security/privacy.

  • Role-based: admins/engineers receive targeted training (secure coding, cloud security, IR).

  • Awareness: periodic phishing simulations or equivalent programs.

14) Compliance & Records

  • Maintain RoPA; ensure alignment with NDPA/GAID and Kenya DPA/Regulations where applicable.

  • Preserve security and audit records per retention requirements; support inspections/inquiries by
    regulators.

15) Exceptions & Enforcement

  • Exceptions require approvals from Security & DPO with documented mitigations and expiry.

  • Violations may result in disciplinary action or access revocation.

16) Public Disclosure & Vulnerability Reporting

  • Publish /.well-known/security.txt carrying at least the Contact and Expires fields that RFC 9116
    requires (security contact security@[domain].com) and a PGP key if available; keep Expires in the
    future, since a past Expires date tells reporters the file is stale.

  • Coordinate vulnerability disclosure; consider a managed bounty as maturity increases.

17) Metrics & Continuous Improvement

  • Track at least: patch aging, unresolved high vulns, auth failures, MFA coverage, access recertification
    defects, DSR SLA, vendor reassessment status, backup restore success, IR MTTR, phishing click-rate.

  • Use metrics to drive quarterly improvement actions.

Appendix A — Severity & Remediation SLA Matrix

  Severity | Examples                                                         | SLA (Containment) | SLA (Fix)
  ---------|------------------------------------------------------------------|-------------------|----------
  Critical | Active exploitation; remote code exec; exposed secrets; critical | ≤ 4h              | ≤ 7d
           | misconfig in prod                                                |                   |
  High     | Privilege escalation; injection; auth bypass; sensitive data     | ≤ 1 business day  | ≤ 30d
           | exposure potential                                               |                   |
  Medium   | Insecure defaults; reflected XSS in low-risk paths; moderate     | N/A               | ≤ 90d
           | misconfigs                                                       |                   |
  Low      | Informational issues; missing headers                            | N/A               | ≤ 180d

Appendix B — Access Review Checklist (Quarterly)

  • User list export per system; compare to HRIS; remove leavers; verify least privilege.

  • Review privileged groups, break-glass accounts, and service accounts.

  • Document findings and remediation actions.
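The reconciliation steps above, as an added example that is not Arno’s own tooling: a Python script that compares a per-system user export against an HRIS export and flags leavers still enabled, accounts with no HRIS record (orphans or break-glass identities), stale accounts, unowned or privileged service accounts, and privileged human accounts due for recertification. The column names, group names, the service-account owner inventory, the 90-day inactivity threshold and all sample rows are constructed assumptions.

```python
"""Quarterly access-review reconciliation: an added example, not Arno's own tooling.

It walks the Appendix B steps over two constructed CSV exports: an HRIS export
(who is an active employee) and a per-system user export (who actually holds
access). Column names, group names, the service-account inventory and all rows
are hypothetical.
"""
import csv
import io
from datetime import date, timedelta

# Constructed HRIS export (assumed columns).
HRIS_CSV = """email,status,termination_date
alice@example.com,active,
bob@example.com,terminated,2025-07-31
carol@example.com,active,
"""

# Constructed export from one system (assumed columns); groups are ';'-separated.
SYSTEM_CSV = """username,email,groups,last_login,account_type
alice,alice@example.com,developers;prod-admins,2025-08-20,human
bob,bob@example.com,developers,2025-08-01,human
carol,carol@example.com,finance,2025-05-01,human
ci-deploy,,prod-admins,2025-08-22,service
breakglass-1,,prod-admins,2025-08-19,human
"""

PRIVILEGED_GROUPS = {"prod-admins"}                       # assumed privileged groups
SERVICE_ACCOUNT_OWNERS = {"ci-deploy": "platform-team"}  # assumed owner inventory
STALE_AFTER = timedelta(days=90)                          # assumed inactivity threshold
REVIEW_DATE = date(2025, 8, 23)                           # assumed date of the review


def load(csv_text):
    """Parse a CSV export held in memory into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def review_access(hris_csv=HRIS_CSV, system_csv=SYSTEM_CSV, today=REVIEW_DATE):
    """Return (finding_code, username) pairs for the reviewer to action."""
    hris = {row["email"]: row for row in load(hris_csv)}
    findings = []
    for acct in load(system_csv):
        name = acct["username"]
        groups = {g for g in acct["groups"].split(";") if g}
        privileged = bool(groups & PRIVILEGED_GROUPS)

        if acct["account_type"] == "service":
            # Service accounts must have a documented owner; privileged ones
            # are flagged for explicit recertification regardless of owner.
            if name not in SERVICE_ACCOUNT_OWNERS:
                findings.append(("unowned_service_account", name))
            if privileged:
                findings.append(("privileged_service_account", name))
            continue

        person = hris.get(acct["email"])
        if person is None:
            # No HRIS record: an orphaned account, or a break-glass identity
            # that must be justified and monitored (see section 4).
            findings.append(("no_hris_match", name))
        elif person["status"] != "active":
            # Leaver whose access is still enabled: a JML failure, revoke now.
            findings.append(("leaver_still_enabled", name))

        if today - date.fromisoformat(acct["last_login"]) > STALE_AFTER:
            findings.append(("stale_account", name))

        if privileged:
            # Every privileged human account is recertified each quarter.
            findings.append(("privileged_needs_recert", name))
    return findings


if __name__ == "__main__":
    for code, user in review_access():
        print(f"{code:28s} {user}")
```

Running it against the constructed exports yields six findings: bob is a leaver still enabled, carol has not logged in for over 90 days, ci-deploy is a privileged service account, breakglass-1 has no HRIS record and is privileged, and alice holds a privileged group and so needs recertification. The leaver and no-HRIS checks key on e-mail, so an export that lacks e-mail for human accounts would surface every such account as `no_hris_match`; that is the intended fail-closed behaviour for a review, not something to suppress.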

Appendix C — Backup & DR Test Checklist

  • Validate restore times against RTO; validate data recency against RPO.

  • Verify encryption and integrity; document variances and improvements.

Appendix D — Vendor Due-diligence Pack (per vendor)

  • DPA, security questionnaire, AOC/SOC2/ISO evidence, sub-processor list, data location map, TIA
    summary, exit/deletion terms.

Change Log

  • v1.1: Added leadership commitment & KPIs; asset inventory; endpoint/MDM/EDR; JIT access and
    access reviews; CSPM & secrets manager; key rotation & secrets rotation;
    SAST/SCA/DAST/containers/IaC; vuln SLAs; SIEM alert SLAs; IR tabletop cadence; RTO/RPO
    benchmarks; vendor tiering & AOC evidence; VDP/security.txt; metrics.

  • v1.0: Initial issue aligned to NDPA 2023 / GAID 2025.
