
DATA PROTECTION (INFOSEC) POLICY

Owner: Security & Compliance
Effective date: 23rd August 2025
Review cadence: Annual, and on material change

Arno is an NDPC-approved Data Controller/Processor of Major Importance (DCPMI) under NDPA 2023 / GAID 2025. This can be verified on the NDPC register. View our NDPC certification here


Purpose: This policy establishes Arno’s information security objectives and control framework, aligned to NDPA 2023 / GAID 2025, Kenya’s DPA 2019/General Regulations 2021 (where applicable), and industry frameworks (ISO 27001/27002; NIST CSF). It applies to all staff, contractors, and vendors with access to Arno data/systems.

1) Governance, Commitment & Metrics

  • Leadership commitment. Management endorses this policy and provides resources to achieve its
    objectives.

  • Security objectives & KPIs (reported quarterly): incident MTTR, patch SLAs met, unresolved high
    vulns, access review defects, DSR SLA adherence, vendor reassessment completion, backup restore
    success, phishing click-rate.

  • Management review. Annual review of risks, KPIs, audit findings, incidents, and improvement plan;
    decisions recorded.

  • Internal audit. Periodic internal audits against this policy and procedures.

2) Risk Management & Data Classification

  • Maintain a Security Risk Register with owners and treatments; review quarterly.

  • Classify information as Public / Internal / Confidential / Restricted; handling, storage, and
    transmission requirements are defined per class.

  • Maintain data flow diagrams and Records of Processing Activities (RoPA).

3) Asset & Configuration Management

  • Maintain centralized inventories of hardware, software, SaaS, cloud services, repositories, secrets, and
    certificates; assign owners and criticality.

  • Enforce configuration baselines (CIS or equivalent) via Infrastructure-as-Code; changes reviewed and
    tracked.

4) Identity, Access & Endpoint Security

  • Principles: single sign-on (SSO) where feasible; least privilege; segregation of duties.

  • Admin access: MFA required; production access just-in-time (JIT) via bastion or approved workflow;
    break-glass accounts monitored and reviewed within 24h of use.

  • Joiner-Mover-Leaver (JML): SCIM/automation where available; access revoked on exit; quarterly
    access recertification for all systems.

  • Endpoints: All admin devices enrolled in MDM with full-disk encryption and EDR; screen-lock
    enabled; OS/browser critical patches ≤ 14 days; USB and local admin restricted.

5) Network & Cloud Security

  • Segmented VPCs/VNETs; private subnets for data stores; egress restrictions.

  • WAF/DDoS and rate-limiting on public endpoints; HTTPS-only (TLS 1.2+).

  • CSPM scans enforce cloud baselines; secrets stored in a secrets manager; no hard-coded secrets.

  • Logging for network gateways, load balancers, and security groups retained per §10.

6) Cryptography & Key Management

  • Encryption: TLS 1.2+ in transit; AES-256 at rest using cloud KMS; encryption is mandatory for
    backups and logs.

  • Key management: role-based key access; dual control for key changes; key rotation ≥ annually or on
    compromise; certificate lifecycle managed with auto-renew where possible; secrets rotated ≥ every 90
    days.

7) Secure Software Development (SSDLC)

  • Security requirements captured in design; threat modeling for new high-risk features.

  • Code review with security checks; SAST/SCA on each PR; DAST each release for internet-facing
    components; container and IaC scans pre-deploy; SBOM maintained.

  • Secrets scanning enforced in CI; staging/prod separation; migrations and rollbacks documented.

8) Vulnerability Management

  • Scanning coverage: endpoints, servers, containers, IaC, dependencies, and external attack surface.

  • Remediation SLAs: Critical 7 days; High 30; Medium 90; Low 180. Exceptions require risk acceptance
    with target date and owner.

  • Track remediation to closure; verify critical fixes with retest.

9) Logging, Monitoring & SIEM

  • Centralize auth/admin/app logs; protect integrity/immutability where feasible; time sync (NTP)
    enforced.

  • Retention: auth logs ≥ 180 days; admin/audit logs ≥ 365 days (see §11 for full retention table).

  • Alerting: SIEM/SOAR rules with severity matrix; High-sev triage ≤ 15 minutes, containment plan
    initiated ≤ 4 hours; 24/7 on-call for production incidents.

10) Incident Response & Breach Notification

  • Maintain an IR Plan (RACI) covering detection, triage, containment, eradication, recovery, and
    post-incident review.

  • Exercises: table-top simulations twice per year.

  • Notification: conduct privacy breach assessment promptly; notify regulators/data subjects per law
    (NDPA/ODPC) when threshold of risk is met.

  • Post-mortems documented with actions and owners.

11) Business Continuity, Backups & DR

  • Backups: encrypted, 30-day rolling; quarterly restore tests; consider immutable/offline copies for
    ransomware resilience.

  • RTO/RPO targets: define by service tier (e.g., Tier-1 RTO 4h / RPO 1h); DR plan tested at least
    annually.

  • BCP maintained; critical third-party dependencies identified with alternatives.

12) Vendor & Third-Party Risk Management

  • Tiering: categorize vendors (High/Med/Low) by data sensitivity/criticality.

  • Onboarding: perform due diligence; require DPA and minimum security controls; collect attestations
    (ISO 27001, SOC 2, PCI DSS AOC) as applicable.

  • Cross-border: perform Transfer Impact Assessments (TIAs) and apply contractual/technical
    safeguards.

  • Reassessment: at least annually for High-risk vendors; maintain a public Sub-processor Register and
    internal vendor files.

  • Exit: ensure data return/deletion with evidence (deletion certificates).

13) Training & Awareness

  • All staff: onboarding and annual refresh on security/privacy.

  • Role-based: admins/engineers receive targeted training (secure coding, cloud security, IR).

  • Awareness: periodic phishing simulations or equivalent programs.

14) Compliance & Records

  • Maintain RoPA; ensure alignment with NDPA/GAID and Kenya DPA/Regulations where applicable.

  • Preserve security and audit records per retention requirements; support inspections/inquiries by
    regulators.

15) Exceptions & Enforcement

  • Exceptions require approvals from Security & DPO with documented mitigations and expiry.

  • Violations may result in disciplinary action or access revocation.

16) Public Disclosure & Vulnerability Reporting

  • Publish /.well-known/security.txt with a security contact (security@[domain].com) and PGP key if
    available.

  • Coordinate vulnerability disclosure; consider managed bounty as maturity increases.

17) Metrics & Continuous Improvement

  • Track at least: patch aging, unresolved high vulns, auth failures, MFA coverage, access recertification
    defects, DSR SLA, vendor reassessment status, backup restore success, IR MTTR, phishing click-rate.

  • Use metrics to drive quarterly improvement actions.

Appendix A — Severity & Remediation SLA Matrix

Severity | Examples                                                                         | SLA (Containment) | SLA (Fix)
Critical | Active exploitation; remote code exec; exposed secrets; critical misconfig in prod | ≤ 4h              | ≤ 7d
High     | Privilege escalation; injection; auth bypass; sensitive data exposure potential    | ≤ 1 business day  | ≤ 30d
Medium   | Insecure defaults; reflected XSS in low-risk paths; moderate misconfigs            | N/A               | ≤ 90d
Low      | Informational issues; missing headers                                              | N/A               | ≤ 180d

Appendix B — Access Review Checklist (Quarterly)

  • User list export per system; compare to HRIS; remove leavers; verify least privilege.

  • Review privileged groups, break-glass accounts, and service accounts.

  • Document findings and remediation actions.

Appendix C — Backup & DR Test Checklist

  • Validate restore times against RTO; validate data recency against RPO.

  • Verify encryption and integrity; document variances and improvements.

Appendix D — Vendor Due-diligence Pack (per vendor)

  • DPA, security questionnaire, AOC/SOC2/ISO evidence, sub-processor list, data location map, TIA
    summary, exit/deletion terms.

Changes to Data Protection (Infosec) Policy

  • We may modify this policy from time to time to reflect changes in our practices or relevant regulations. We will provide notice of any significant changes through our platform or by contacting you directly. Any changes will be posted on this page with an updated effective date. We encourage you to review this Data Protection (Infosec) Policy regularly.
