# September 2019 ## Information Security > Employee Guide * Rule added to forbid credential sharing and obligation to change and report compromised credentials; * References updated to tools (e.g. 1password); * Links updated in Further reading. ## Information Security > Security Awareness Program * Aligned policy to our current practices (e.g. added dev talk on OWASP vulnerability). ## Information Security > Access Control * Added quarterly access review for Rapptr and AWS Production environment access. ## Information Security > Security Incident Response Policy * Corrected typos. ## Information Security > Vulnerability Management Policy: * New vulnerability Management Policy ## Information Security > Information Security Framework: * Replaced Data Protection Act with GDPR * Added summary of GDPR * Added reference to NIST Cyber Security Framework ## Risk Management > Risk Management Framework * Added a risk appetite statement. ## Risk Management > Data Classification Standard * Simplified descriptions of data classification ratings; * Reviewed list of existing data classification ratings; * Removed references to systems not used anymore; * Simplified rules on data transmission and storage; * Removed references to Data Protection Act; * Added reference to InfoSecLead. ## Business Continuity > Business Continuity Framework * Removed references to commissioning OPREL * Changed responsibility for maintaining BCMS from CTO to Information Security Lead; * Merged awareness and communication paragraphs; * Added headings for incident detection, Crisis Management activation and management of staff contact details; * Removed paragraphs which repeated each other; * Simplified paragraph on Framework review and improvements. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://policies.fundapps.co/client-portal/-LubIC9uIsME-_T0mNXu/policy-change-log/september-2019-changes.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.