Group Technology Policy Summary For Third Party Suppliers


GROUP TECHNOLOGY POLICY SUMMARY FOR THIRD PARTY SUPPLIERS
LLOYDS BANKING GROUP - PUBLIC, V3.0 January 2020

1.0 RATIONALE

Group Policy Rationale

The purpose of this Policy is to support the Group to deliver Technology which meets customer expectations, supports Group strategy and complies with all applicable laws and regulations.

In addition, this Policy has been designed to support compliance with the following legislation, regulations and / or guidelines:

1. Senior Management & Certification Regime (SM&CR)
2. FCA Handbook: Systems and Controls
3. PRA Rulebook: Capital Requirement Regulation / Solvency II Firms

Customer Impact

These policy principles underpin technology provision within the Group and align to the following risk themes for Technology:

- Governance – Effective technology governance is in place with clear accountabilities to manage group impacting and systemic risks and deliver strategic business objectives, regulatory and legal requirements.
- Build, Change and Acquisition – Development of technology solutions has a well-managed lifecycle from quality design through to safe implementation.
- Availability, Performance and Recovery – Optimised and highly resilient technology services are provided to run critical business processes for our customers, colleagues and the wider financial services market.
- Operation – Efficient and effective technology processes maintain delivery of business services within expected operating thresholds and risk appetite.

1.1 SCOPE

This Policy Summary applies to third party suppliers to Lloyds Banking Group as follows:

- IT Disaster Recovery requirements (sections 2.3.4 & 2.3.5) apply to all suppliers hosting technology used by the Group or its customers.
- Suppliers who are hosting bespoke technology off Group premises used by the Group or its customers where the third or a fourth party is managing the implementation of controls - including providing this technology using an externally managed cloud service, including Software as a Service (SaaS), Infrastructure as a Service (IaaS) and Platform as a Service (PaaS).

Only those key controls relevant to the technology service being provided to or for the Group need to be operated.

The following suppliers/services are out of scope of this Policy Summary:

- Third party suppliers where they are acting as a Technology Provider to or for the Group and their technology is hosted on Group premises where LBG are managing the implementation of controls.
- LBG internally managed cloud services or public cloud services used by LBG where LBG are managing the implementation of controls.

Note: IT Disaster Recovery for technology used solely by the Supplier for the delivery of services to the Group is out of scope of this policy if it is not used by the Group or its customers (as this is covered under the Resilience & Continuity Policy).

The table below provides additional information to understand the policy scope.

| Service Hosting | Service Criteria | Policy Requirement | Applicability |
|---|---|---|---|
| Technology Service Hosting – Off Group Premises | Third party supplier of technology used by the Group or its customers: Commercial Off The Shelf technology (COTS) solutions, i.e. not bespoke to LBG | IT Disaster Recovery (sections 2.3.4 & 2.3.5) | All suppliers |
| Technology Service Hosting – Off Group Premises | Third party supplier of technology used by the Group or its customers that provides a bespoke service to LBG, where the third (or fourth) party is managing the implementation of controls | All policy requirements | All applicable suppliers |
| Technology Service Hosting – Off Group Premises | Third party supplier of technology used by the Group or its customers that provides a bespoke service to LBG, and is an externally managed cloud service, including: Software as a Service (SaaS), Infrastructure as a Service (IaaS), Platform as a Service (PaaS) | All policy requirements | All applicable suppliers |
| Technology Service Hosting – Off Group Premises | LBG internally managed cloud services; public cloud services used by LBG, where LBG are managing the implementation of controls | Not in Policy scope | N/A |
| Technology Service Hosting – On Group Premises | Third Party supplier using remote access capabilities to manage the technology provided by the supplier | IT Disaster Recovery (sections 2.3.4 & 2.3.5) | All suppliers |
| Technology Service Hosting – On Group Premises | Third Party technology services where LBG are managing the implementation of controls (except where the supplier has remote access capability) | Not in Policy scope | N/A |

2.0 MANDATORY REQUIREMENTS

The following requirements, applicable from the date of Policy publication, are intended to support management of technology risk by third party suppliers:

2.1 GOVERNANCE

2.1.1 Contractual
All elements of technology service, including supply chain relationships, must meet the requirements of contractual agreements and schedules of work.

2.1.2 Legal and Regulatory
Technology processes, applications and systems must be compliant with legal and regulatory requirements for UK and International jurisdictions relevant to technology services provided to LBG.

2.1.3 Operational Risk Management
Operational risks with a potential material impact to the technology service must be notified to the LBG Supplier Manager together with a mitigation / remediation action plan.

2.1.4 Innovation / New Technology
Adoption of significant new technology that changes how the technology service is provided must be notified to the LBG Supplier Manager ahead of implementation, for example a move to a cloud service.

2.1.5 Skills and Expertise
Levels of IT resourcing and IT subject matter expertise for LBG hosted systems must be monitored to ensure continuity of development and operation of technology services.

2.2 BUILD, CHANGE AND ACQUISITION

2.2.1 Technical Design and Build
Technology services must be designed, developed, tested and implemented to meet LBG approved requirements.

2.2.2 IT Change Management
IT changes to production technology services must be risk and impact assessed, with all changes and required approvals managed through an IT Service Management tool.
Potential change conflicts must be assessed in conjunction with LBG and prioritised to minimise risk to production business services.
Support documentation required by LBG must be provided for change implementation, post-live operational running and service recovery.

2.2.3 IT Change Recovery Planning
IT changes must have an approved recovery plan in place prior to change implementation, with requirements for full back-out plans risk assessed and agreed with LBG where there is potential to impact critical services.
Back-out plans must be tested and proven to recover technology services and avoid consequential impacts.

2.3 AVAILABILITY, PERFORMANCE AND RECOVERY

2.3.1 Service Hosting Environments
Technology services that are critical to an LBG Critical Business Process, i.e. break the service chain, must be located in highly resilient data centres or deployed on cloud services with characteristics that are at least equivalent.

2.3.2 Technology Resilience
Technology service resilience must be maintained to meet LBG Business Impact Assessment availability requirements.
Where a technology service is part of an LBG Critical Business Process it must be maintained in line with LBG IT resilience requirements and subject to ongoing review at a minimum annually and for any material changes.

2.3.3 Technology Currency
IT hardware and software must be kept at version levels that allow the supplier (as per contractual obligations) and LBG to support, maintain, secure and/or patch where required.

2.3.4 Recovery Proving / Assessment
IT disaster recovery capability of a technology service must be proven on a scheduled basis or following a material IT change to evidence that LBG Business Impact Assessment availability and integrity requirements can be met. New implementations must undertake DR proving (including LBG connectivity) within 4 weeks of service commencement.
Proving must evidence that recovery can be achieved on target recovery infrastructure in line with LBG objectives, i.e.:
- Recovery Time Capability (RTC) meets the Recovery Time Objective (RTO)
- Recovery Point Capability (RPC) meets the Recovery Point Objective (RPO)
- Data required to provide LBG services must be backed up and available at a secondary location
IT disaster recovery RTO/RPO and proving frequency requirements must be detailed in the contract for provision of the technology service.

2.3.5 Failed Recovery Proving
Any failed disaster recovery proving and remediation action required must be notified to the LBG Supplier Manager or relevant Business contact.
Recovery proving must be retested successfully within 3 months of the failure.

2.3.6 Service Incident and Problem Management
Recovery from technology service incidents must be timely to meet service level agreements and remain within LBG risk appetite for LBG Critical Business Processes and LBG Business Impact Assessment availability requirements.
Root cause determination and remediation for service impacting incidents must be tracked to conclusion and consider ‘read-across’ issues in other technology services.
This ‘read across’ must include reporting to the LBG Supplier Manager any incidents for other clients that have the potential to also impact technology service provided to LBG.

2.4 OPERATION

2.4.1 Asset and Configuration Management
An up-to-date, accurate and complete record of technology assets and configuration must be maintained for the technology service provided to LBG (for example: hardware, software, licences, source code and versioning).

2.4.2 Service Management
Operational procedures must be in place to support consistent delivery of technology service to LBG and ongoing maintenance of technology and recovery capability in accordance with laws and regulations, technical and business requirements and vendor [...]

2.4.3 [title missing in transcription]
[...]ce of the technology service, component IT systems and batch schedules, must be continually monitored to maintain service provision performance, integrity of execution, timely response to system alerts and recovery from incidents.

2.4.4 Capacity Management
Capacity of IT systems must be monitored to ensure sufficient capacity is maintained to ensure continued service at utilisation above predicted peak workloads, including operating in disaster recovery configurations.

2.4.5 Automation of Manual Processes
Operational processes should be automated to remove manual activities and repetitive tasks to improve efficiency and reduce the risk of human error.

2.5 SECURITY

For technology security requirements, refer to the Group Information & Cyber Security Policy.

2.6 Definitions

Technology Service(s): Refers to the technology related elements of the service provided by the supplier, including IT systems, infrastructure, applications, networks, processes and people.
Recovery Time Capability: The amount of time taken to switch from the primary system to a disaster recovery system from the point of recovery invocation.
Recovery Point Capability: The amount of data loss measured in time following the failure of a system.
Recovery Time Objective: The time required to switch from the primary system to a disaster recovery system from the point of recovery invocation.
Recovery Point Objective: The acceptable amount of data loss measured in time following the failure of a system.

3.0 KEY CONTROLS

| Control Title | Control Description | Frequency |
|---|---|---|
| Technology solutions are developed in accordance with Group requirements | Sign off from the Group is obtained for technology solutions prior to implementation for Group services. | Ad hoc |
| Separate test environments are established | An environment definition document (or equivalent) and a master test plan (or equivalent) are in place for projects impacting Group services. A readiness check is performed by the environment owner to confirm that the functional test environment is reflective of the live environment or a justification for it not reflecting live is documented. | Ad hoc |
| Functional and non-functional testing is performed | Functional and non-functional testing (to documented requirements) for projects impacting Group services is performed. Test plans must be formally documented and approved prior to the commencement of testing. End of test reports are made available for review and approval, prior to commencement of live deployments. | Ad hoc |
| Technical support documentation | Technical documentation, user manuals, recovery processes etc. for all Group services exist and are reviewed on an annual basis or following a change. | Annually |
| Change standard and tooling | A standard for managing the implementation of technology change is in place and is reviewed annually. An IT Service Management application or tool is used to manage technology changes. | Annually / Ad hoc |
| Implementation and back out plans for technical change | All technical changes for Group services have an approved recovery plan in place prior to implementation, with requirements for full back-out plans risk assessed and agreed with LBG where there is potential to impact critical services. | Ad hoc |
| Emergency change | An emergency change process is documented. Emergency changes are approved as per process. | Ad hoc |
| An IT incident management process is fully implemented | A process for Incident Management is documented. All incidents are logged, prioritised and assigned to the relevant teams for timely response and investigation. Incidents are tracked to resolution based on severity. | Ad hoc |
| Currency management procedures are in place | A Currency Management process (hardware and software) is defined and reviewed annually. All Group supporting applications/systems currency is reviewed in accordance with the process. All currency issues are logged and tracked to remediation. | Annually / Ad hoc |
| Hardware and software inventories are in place | An asset inventory is in place for the technology service provided to LBG and is updated following technology changes and contains configuration data, age of systems, and type of vendor support. The inventory is reviewed on an annual basis. | Ad hoc / Annually |
| Batch jobs are created, prioritised and scheduled | Ensure procedures are in place for the design, development and scheduling of batch jobs impacting Group services. Monitoring of the creation, prioritising, scheduling and execution of batch jobs must be in place. | Ad hoc |
| Alerts are prioritised and configured in line with alerting requirements | Alert monitoring requirements are defined and approved. Alerts are configured and prioritised in line with defined requirements. Continual monitoring of alerts for all Group systems is in place and issues are identified and tracked to resolution. | Ad hoc |
| Capacity management procedures are in place and executed | A Capacity Management process, including configuration, must be documented, approved and reviewed annually. Capacity Management processes must be operating for Group systems, with alerts managed and trend analysis performed. | Annually / Ad hoc |
| Proving programme for critical systems and core technology infrastructure in line with the proving schedule | RTC and RPC for the system have been published by the Supplier. RTC & RPC meet RTO & RPO requirements as specified by the Group. | Annually |

4.0 VERSION CONTROL

Any control failures or material differences between the requirements set out above and the supplier’s own controls should be raised by the Supplier with the Group’s Supplier Manager or relevant Business contact.

| Version Number | Effective Date |
|---|---|
| 1.0 | 30 November 2017 |
| 2.0 | 30th July 2018 |
| 3.0 | 1st January 2020 |

Next Planned Revision: January 2021
