Privacy and Security Policy

Purpose & Scope

This policy preserves the confidentiality, integrity, and availability of QDB’s information assets and protects the privacy rights of individuals while ensuring compliance with national frameworks including NIAP, NCSA, NDPO, and QCB guidelines. It applies to all QDB employees, contractors, third-party service providers, systems, and data. The CISO owns implementation and annual review.

Regulatory & Framework Alignment

QDB aligns with:

  • National Information Assurance Policy (NIAP) and NCSA standards
  • National Data Classification Policy
  • QCB Information & Cyber Security Regulation for PSPs
  • National Data Privacy Office (NDPO) and PDPL requirements
  • National Cyber Security Strategy 2024–2030

Governance & Responsibilities

Roles and responsibilities:

  • Board of Directors: Oversight of cyber, privacy, and risk governance
  • Executive Management: Resource allocation and policy approval
  • CISO: Implementation, audits, and compliance reporting
  • DPO: PDPL compliance and data subject rights
  • All Employees: Awareness and reporting of incidents

Risk Management & Asset Classification

QDB conducts regular risk assessments to identify threats, vulnerabilities, and impacts. All assets are classified according to the NCSA National Data Classification Policy into Public, Internal, Confidential, or Critical levels. Asset owners are accountable for maintaining controls.

Access Control & Identity Management

Access follows the principle of least privilege. MFA is mandatory for critical systems and remote access. User access is reviewed quarterly. Role-based access and segregation of duties are enforced.

Technical & Physical Controls

Technical controls include network firewalls, IDS/IPS, patch management, encryption, endpoint protection, and secure configuration. Server rooms must be physically secured with controlled entry, CCTV, and environmental protection.

Incident Management & Business Continuity

QDB maintains an Incident Response Plan (IRP) covering identification, containment, eradication, recovery, and lessons learned. Data breaches are reported to NDPO and regulators. Annual BCP and DR drills are mandatory.

Vendor & Third-Party Management

Third-party service providers are assessed for compliance, and security clauses are mandated in their contracts. High-risk vendors undergo annual reviews and audits, and must confirm data destruction at the end of the contract.

Privacy & Personal Data Protection

Personal data processing complies with PDPL and NDPO. Data minimization, consent, accuracy, and retention rules apply. Transfers outside Qatar require safeguards. Breaches must be reported promptly to NDPO.

Monitoring, Logging & Compliance

QDB implements centralized logging, anomaly detection, and security metrics. Internal and external audits ensure compliance with NIAP, NCSA, QCB, and NDPO requirements.

Enforcement & Review

Non-compliance may result in disciplinary action. The policy is reviewed annually or upon major regulatory or technological changes, and updates are communicated to all employees.