Employee Guide
Whether it's a USB stick left on a train, a website hack leading to stolen confidential information, or phishing attacks compromising accounts - IT security is in the news more and more.
FundApps handles sensitive client information daily, so it is important that we take a proactive approach to security. The policies captured in this living document are therefore the responsibility of everyone in the Company to uphold and update. Suggestions and improvements should be raised with the team and the CTO and addressed as required.
NOTE: Security doesn't stop when you leave the office. This policy applies not only to FundApps-provided equipment but also to any other equipment you may use to access FundApps systems or software.
Guiding principles & security awareness
Top tips
Better safe than sorry. Use common sense. If you're not sure whether something is a good idea (downloading a piece of software, opening an email, leaving a laptop unattended, using a particular third-party service) - it probably isn't. Discuss it with the team!
Be aware of the kinds of information we look after as a company and how we protect them. You can find more in our data classification policy.
Be aware of social engineering - don't trust an attachment or a hyperlink in an email just because it comes from someone you know or an organisation you trust. Better to type the URL into the browser window yourself and avoid that unexpected attachment.
Educate yourself - read about a security breach? Find out how it happened and why. Think about whether there's anything we could do differently at FundApps to stop it from happening here. Also, see "other reading".
If you know or suspect a loss or theft of confidential information has occurred or the security or integrity of any system has potentially been compromised - report it immediately to the Head of Information Security, CTO and CEO. Keep trying until they confirm they are aware.
Familiarise yourself with our social media policy.
Raising others' awareness
Don't just educate yourself, share with the team.
Join our #ask-security channel in Slack
Read about a recent security breach at a company? Find a link that talks about what happened in detail and share it in Slack with the company
See someone leaving their screen unlocked? Lock it for them, and make sure they know you did!
Security Musts
This applies to all computers you access FundApps platforms from, not just your work computer.
Hard disk encryption enabled (BitLocker, FileVault).
Windows Update enabled and configured to install updates automatically.
Anti-virus software must be installed and configured for automatic updates.
Make sure your computer password meets our minimum security requirements. It should be at least 12 characters.
1Password must be installed and used for all passwords.
Set your PC so it will automatically lock after 5 minutes.
If you use your mobile phone for accessing company systems (including email) your mobile phone must have a PIN set and remote-wipe software installed. You must never store data classified as FundApps Confidential on your phone. You can find more in our data classification policy.
Only install applications from official application stores (e.g. Microsoft Store, App Store, Google Play).
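The following self-check is an added example, not part of the FundApps guide: a read-only PowerShell script that reports whether the Windows items in the checklist above (BitLocker on the system drive, anti-virus with recent updates, a 5-minute lock) are met. It assumes Windows 10/11 with the built-in BitLocker and Defender modules; the 3-day signature-age threshold is an assumption, not a FundApps requirement.

```powershell
# Added example, not FundApps' own tooling: report compliance with the Windows
# "Security Musts" without changing any setting. Run in an elevated PowerShell.
# Assumes the built-in BitLocker and Defender modules; a third-party AV product
# would need its own check, and Windows Update status is omitted because it
# depends on whether it is set locally or by Group Policy.

$results = @()

# 1. Hard disk encryption: BitLocker protection must be On for the system drive.
$bl = Get-BitLockerVolume -MountPoint $env:SystemDrive
$results += [pscustomobject]@{
    Check  = 'Disk encryption (BitLocker) on'
    Pass   = ($bl.ProtectionStatus -eq 'On')
    Detail = "ProtectionStatus=$($bl.ProtectionStatus) VolumeStatus=$($bl.VolumeStatus)"
}

# 2. Anti-virus enabled and updating: Defender signatures newer than 3 days
#    (assumed threshold) as a proxy for "automatic updates are working".
$mp     = Get-MpComputerStatus
$sigAge = (Get-Date) - $mp.AntivirusSignatureLastUpdated
$results += [pscustomobject]@{
    Check  = 'Anti-virus enabled, signatures < 3 days old'
    Pass   = ($mp.AntivirusEnabled -and $sigAge.TotalDays -lt 3)
    Detail = "Enabled=$($mp.AntivirusEnabled) SignatureAge=$([int]$sigAge.TotalDays)d"
}

# 3. Automatic lock within 5 minutes: screen saver active, timeout <= 300 s,
#    and "On resume, display logon screen" ticked. Values are REG_SZ strings;
#    a missing ScreenSaveTimeOut casts to 0 and therefore fails the check.
$desk    = Get-ItemProperty -Path 'HKCU:\Control Panel\Desktop'
$timeout = [int]($desk.ScreenSaveTimeOut)
$results += [pscustomobject]@{
    Check  = 'Screen lock within 5 minutes'
    Pass   = ($desk.ScreenSaveActive -eq '1' -and $timeout -gt 0 -and
              $timeout -le 300 -and $desk.ScreenSaverIsSecure -eq '1')
    Detail = "Active=$($desk.ScreenSaveActive) Timeout=${timeout}s SecureOnResume=$($desk.ScreenSaverIsSecure)"
}

$results | Format-Table -AutoSize
if ($results.Pass -contains $false) {
    Write-Warning 'One or more Security Musts are not met on this machine.'
}
```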
Daily habits
Lock your computer whenever you leave it unattended.
Keep your desks clear of any printed material and keep those containing sensitive data locked away.
Do not store FundApps confidential data on any removable media or equipment in accordance with our data classification policy.
Policies
Credentials
Use a different password for each service you access.
Use two-factor authentication whenever available (we enforce this for services where we can, such as Google Mail and GitHub).
Use secure passwords (minimum 12 characters in length).
Never share individual account credentials.
Immediately change compromised credentials and report the compromise to the Information Security team.
To make this practical, use 1Password to store all passwords securely.
Bring your own device
Any mobile device accessing FundApps email must have a secure PIN set and remote-wipe software installed.
Any device you use to access the FundApps platform or related services must comply with our security checklist (see Security Musts). This includes, but is not limited to, hard disk encryption, anti-virus, a secure password and a 5-minute lock timeout.
You must comply with our data classification policy and ensure you do not store data in breach of this. In particular, never store confidential data on BYODs.
Bring Your Own Devices compliant with these rules may be used to access all FundApps systems, provided access to production systems is done through virtualised systems or bastion hosts.
Confidential data must not be stored on BYODs.
Email
Email is not a secure medium. You should be conscious of this and consider how emails might be used by others. Emails can be spoofed (not come from the person you expect) and intercepted.
Two factor authentication is enforced for your FundApps email. Instructions are here.
If your email account is breached, this is often a route into many other services (given the reliance on email-based password resets). You should never reuse your email password for other services.
When sending attachments containing FundApps confidential information, use a password-protected archive and share the password via a secondary, unrelated channel (such as SMS).
Remember that emails can easily be taken out of context, that once an email is sent you cannot control what the recipients might do with it, and that it is very easy to forward large amounts of information.
Similarly, you should not necessarily trust what you receive in an email - in particular, you must never respond to an email request to give a username or password.
Physical security
Lock your computer whenever you leave it unattended.
Any computer equipment should be secured behind locked doors when left unattended.
Any unattended portable equipment should be physically secured where possible, for example locked in an office or a desk drawer. When transported in a vehicle it should be hidden from view. Staff should avoid storing sensitive information on portable equipment whenever possible (see the Data security section).
Enable a 5-minute screen saver on your computer (go to Screen Saver settings, set Wait to 5 minutes, and tick "On resume, display logon screen").
Data security
FundApps attaches great importance to the secure management of the data it holds and generates and will hold staff accountable for any inappropriate mismanagement or loss of it.
If a client emails you sensitive portfolio data, please advise them that they should not be doing this.
Do not create users for clients, even if you know them. Every client has an Admin user who can create users for themselves.
Client data, particularly portfolio data should be treated with great care and in accordance with our data classification policy.
If you need to debug client portfolio data, you should use our secure VMs in our production environment.
Client data (of any kind) should never be stored on mobile devices or taken off-site (with the exception of email).
Failure to comply with these requirements will be considered a serious breach of this policy.
Acceptable use
Internet access is provided as a critical aspect of our business. It should be used in a responsible manner and any personal use should be reasonable. The Internet may not be accessed and used for any of the following:
Any activity that would violate the laws and regulations of the UK
Sending offensive or harassing material to other users
Any activity that would violate the privacy of others
Causing damage or disruption to organisational systems
Monitoring
Monitoring software is in use to protect the effectiveness, security, availability and integrity of FundApps systems. We monitor the type and volume of internet and network traffic. The information recorded can be used to identify an individual user and the website domain being accessed.
Working from outside the office
Whether you are working from home or from a public place (e.g. whilst travelling) you must ensure you keep our data and information systems secure. This means that you must:
lock your laptop whenever you leave it unattended;
ensure others cannot read sensitive information (e.g. client data) by looking over your shoulder (order a privacy screen if needed);
ensure sensitive conversations cannot be overheard by others;
never let anyone else use your corporate devices.
Breaches of security
If you know or suspect a loss or theft of confidential information has occurred, or the security or integrity of any system has potentially been compromised, report it to the Head of Information Security, the CTO or the CEO. This could include:
The disclosure of confidential information to any unauthorised person.
The integrity of any system or data being put at risk (for example virus, malware, hacking).
Availability of the system or information being put at risk.
Loss of any system, laptop, mobile phone or other portable device.
Finding doors and/or windows broken and/or forced entry gained to a secure room/building in which computer equipment exists.
Further reading
For general awareness, we recommend the following sites.
Google's Stay Safe Online resources (developed in association with the UK's Citizens Advice Bureau)
SANS Security Awareness Video (changes monthly)
For more technical information, check out