LogoLogo
v2018-04
Current Versionv2018-04v2019-09v2019-11v2020-03v2020-05v2020-08v2021-01v2021-07v2021-10
v2018-04
Current Versionv2018-04v2019-09v2019-11v2020-03v2020-05v2020-08v2021-01v2021-07v2021-10
  • Welcome
  • FundApps Policies
    • Technical & Platform Overview
    • Software Development
    • Risk Management
      • Risk Management Framework
      • Information Asset Register
      • Information Systems Register
      • Data Classification
    • Information Security
      • Employee Guide
      • Information Security Framework
      • Security Awareness Program
      • Incident Response Policy
      • Privacy Policy
      • Social Media Policy
      • Access Control
      • Vulnerability Management
      • Information Security Risk Register
    • Business Continuity
      • Business Continuity Framework
      • Business Continuity Risk Register
      • Business Continuity Plan
    • Personnel & Security
      • Overview
      • Code of Conduct
      • Health and Safety
      • Third party vendors
  • Frequently Asked Questions
    • Untitled
Powered by GitBook
On this page
  • Approach
  • Responsibilities
  • FundApps & third parties
  • Information Owners
  • Management team
  • Classification guidance
  • Reporting Violations

Was this helpful?

Export as PDF
  1. FundApps Policies
  2. Risk Management

Data Classification

In order to preserve the appropriate confidentiality, integrity and availability of FundApps information assets, we must make sure they are protected against unauthorized access, disclosure or modification. This is not just critical for assets covered by the Data Protection Act but for all customer information we deal with across the FundApps business.

This standard applies to all FundApps information, irrespective of the data location or the type of device it resides on.

Approach

We maintain an information asset register detailing all key information assets at FundApps, who owns them, the business processes they are used in, and any external service providers that may utilize or store the information.

As a result we can see at a glance

  • What information assets fall under which data classification

  • What information systems hold data falling under those classifications

  • The controls that we expect each system to have in place

Responsibilities

FundApps & third parties

All FundApps employees, contractors and third parties who interact with information held by and on behalf of the FundApps are responsible for assessing and classifying the information they work with, and applying the appropriate controls. Individuals must respect the security classification of any information as defined, and must report the inappropriate situation of information to the Information Security Manager or Head of Security as quickly as possible.

Information Owners

Each type of information in our asset register has an explicitly designated owner, who is responsible for assessing information and classifying its sensitivity. They should then apply the appropriate controls in conjunction with our technology team to protect that information.

Management team

Responsible for the advising on and recommending information security standards on data classification, and ensuring these are regularly reviewed.

Classification guidance

The latest classification guidance can be found here. This version as of 9 Sept 2017.

Public

Open

Restricted

Confidential

Description

Data for which there is no expectation for privacy or confidentiality.

Normally accessible only to FundApps staff

Data which the data owner have not decided to publish or make public; data that is legally regulated and requires some level of access control, and data protected by contractual obligations.

Data which if disclosed publically could cause significant financial or reputational damage to FundApps or our customers; data which is legally regulated requiring an extremely high level of protection (such as DPA sensitive); data protected by contractual obligations.

Impact

None

Low

Medium

High

Current data in this classification

- Regulatory information - Staff names, job titles, work contact details

- Customer contracts and negotiations - Questions and responses to customer RFPs, RFIs - Prospective customer marketing data - Customer or sales prospect requirements- ISMS policy documents - Internal communications - Server availability logs - Prospective employee CVs and contact information - Staff emergency contact details - Development and test data - Staff company feedback - Prospective customer visitor data and analytics - Task lists, potential future work

- Customer portfolio structures - Customer queries - Infrastructure source code - Rule package - Development source code - Financial records, salary payments, bank records - Employment contracts, Passports, References - ISMS asset and risk register - Server event logs, application logs, exception logs

- Customer portfolio holdings and transactions - Customer results (disclosures, breaches etc) and data overrides - Encryption keys and infrastructure credentials

Current services included in this classification

- OneLogin - Aosphere

- Amazon AWS Development - OneDrive - HubSpot - NewRelic - PagerDuty - Workable - ReadTheDocs - Trello - OfficeVibe - Bonusly - Google Analytics

- GitHub - ZenDesk - Google Mail - Google Drive - Slack - Bamboo HR - Voipfone - Xero - Kingston Smith - HSBC - Silicon Valley Bank - AlertLogic - SumoLogic - Sentry

- Amazon AWS - Atlas - Octopus - Customer Rapptr

General requirements

Data access & control

No access restrictions. Data is available for public access.

Available to FundApps prospects and customers (under NDA) and staff.

Normally available only to specified FundApps staff.

Access is controlled and restricted to specific FundApps staff, following a 'need to know' and 'least privilege' basis.

Legal requirements

Protection of data is at the discretion of the owner or custodian.

Protection of data is at the discretion of the owner or custodian.

Protection of data is at the discretion of the owner or custodian.

Protection of data is required by law, or at the discretion of the owner or custodian.

Requirements for data in digital format

Transmission

No other protection is required for public information.

May be transmitted by email and internal chat tools. Care must be taken to use all FundApps and customer information appropriately.

Transmission through email and internal chat tools must be used with caution, and only take place through approved systems with use of HTTPS and two factor authentication where possible. As an example send attachments using a password protected ZIP and share the password via a secondary, unrelated channel (such as SMS)

Transmission through email, support tickets, internal chat tools is prohibited. Transmission may only be made through approved channels that are authenticated and encrypted (HTTPS or VPN).

Audit controls

No audit controls required.

Information owners must periodically monitor and review their systems and procedures for potential misuse and/or unauthorized access.

Information owners must periodically monitor and review their systems and procedures for potential misuse and/or unauthorized access. Audit trails for the purposes of non-repudiation must be in place.

Systems must be actively monitored and reviewed for potential misuse and/or unauthorized access. Audit trails for the purposes of non-repudiation must be in place.

Storage

No restrictions.

No restrictions. Care must always be taken when storing this information on mobile devices.

Encryption may be required if stored on mobile devices. If appropriate level of protection is not known, check with Information Security Officer before storing Restricted data unencrypted.

Encryption at rest mandatory for all data not within a physically secure ISO 27001 environment. Storage is prohibited on unapproved computing equipment.

Backup & Recovery procedures

Not required.

Documented backup and recovery procedures are required achieving an RTO of 7 days

Documented backup and recovery procedures are required achieving a minimum RTO of 1 day. A higher RTO may be required for certain types of data.

Documented backup and recovery procedures are required, including automated failover wherever feasible in order to achieve our RTO of 4 hours.

Disposal (digital file)

No restrictions.

Standard deletion from media

Standard deletion from media

Delete all files or data using a secure delete tool (such as Eraser).

Disposal (physical medium)

No restrictions.

Media must be erased before disposal

Media must be erased before disposal if encrypted. Media must be disposed of securely using state of the art approved solutions for the permanent removal of data (e.g. shredding or physical destruction).

Media must be erased before disposal if encrypted. Media must be disposed of securely using state of the art approved solutions for the permanent removal of data (e.g. shredding or physical destruction).

Requirements for data in printed format

Transport

Normal mail service

Normal mail service

Must never be printed

Must never be printed

Storage

No requirements

Secure office or other location. Room need not be locked if access to the building or floor is restricted to employees and authorised non-employees.

Must never be printed

Must never be printed

Disposal

No requirements

Information must be disposed of securely using strip-cut shredders or confidential waste bins which are certified for secure destruction.

Must never be printed

Must never be printed

Reporting Violations

Report suspected violations of this policy to the CTO or CEO. Reports of violations are considered Restricted data until otherwise classified.

PreviousInformation Systems RegisterNextInformation Security

Last updated 5 years ago

Was this helpful?