In order to preserve the appropriate confidentiality, integrity and availability of FundApps information assets, we must make sure they are protected against unauthorized access, disclosure or modification. This is not just critical for assets covered by the Data Protection Act but for all customer information we deal with across the FundApps business.
This standard applies to all FundApps information, irrespective of the data location or the type of device it resides on.
As a result we can see at a glance
What information assets fall under which data classification
What information systems hold data falling under those classifications
The controls that we expect each system to have in place
All FundApps employees, contractors and third parties who interact with information held by and on behalf of the FundApps are responsible for assessing and classifying the information they work with, and applying the appropriate controls. Individuals must respect the security classification of any information as defined, and must report the inappropriate situation of information to the Information Security Manager or Head of Security as quickly as possible.
Each type of information in our asset register has an explicitly designated owner, who is responsible for assessing information and classifying its sensitivity. They should then apply the appropriate controls in conjunction with our technology team to protect that information.
Responsible for the advising on and recommending information security standards on data classification, and ensuring these are regularly reviewed.
Public
Open
Restricted
Confidential
Description
Data for which there is no expectation for privacy or confidentiality.
Normally accessible only to FundApps staff
Data which the data owner have not decided to publish or make public; data that is legally regulated and requires some level of access control, and data protected by contractual obligations.
Data which if disclosed publically could cause significant financial or reputational damage to FundApps or our customers; data which is legally regulated requiring an extremely high level of protection (such as DPA sensitive); data protected by contractual obligations.
Impact
None
Low
Medium
High
Current data in this classification
- Regulatory information - Staff names, job titles, work contact details
- Customer contracts and negotiations - Questions and responses to customer RFPs, RFIs - Prospective customer marketing data - Customer or sales prospect requirements- ISMS policy documents - Internal communications - Server availability logs - Prospective employee CVs and contact information - Staff emergency contact details - Development and test data - Staff company feedback - Prospective customer visitor data and analytics - Task lists, potential future work
- Customer portfolio structures - Customer queries - Infrastructure source code - Rule package - Development source code - Financial records, salary payments, bank records - Employment contracts, Passports, References - ISMS asset and risk register - Server event logs, application logs, exception logs
- Customer portfolio holdings and transactions - Customer results (disclosures, breaches etc) and data overrides - Encryption keys and infrastructure credentials
Current services included in this classification
- OneLogin - Aosphere
- Amazon AWS Development - OneDrive - HubSpot - NewRelic - PagerDuty - Workable - ReadTheDocs - Trello - OfficeVibe - Bonusly - Google Analytics
- GitHub - ZenDesk - Google Mail - Google Drive - Slack - Bamboo HR - Voipfone - Xero - Kingston Smith - HSBC - Silicon Valley Bank - AlertLogic - SumoLogic - Sentry
- Amazon AWS - Atlas - Octopus - Customer Rapptr
General requirements
Data access & control
No access restrictions. Data is available for public access.
Available to FundApps prospects and customers (under NDA) and staff.
Normally available only to specified FundApps staff.
Access is controlled and restricted to specific FundApps staff, following a 'need to know' and 'least privilege' basis.
Legal requirements
Protection of data is at the discretion of the owner or custodian.
Protection of data is at the discretion of the owner or custodian.
Protection of data is at the discretion of the owner or custodian.
Protection of data is required by law, or at the discretion of the owner or custodian.
Requirements for data in digital format
Transmission
No other protection is required for public information.
May be transmitted by email and internal chat tools. Care must be taken to use all FundApps and customer information appropriately.
Transmission through email and internal chat tools must be used with caution, and only take place through approved systems with use of HTTPS and two factor authentication where possible. As an example send attachments using a password protected ZIP and share the password via a secondary, unrelated channel (such as SMS)
Transmission through email, support tickets, internal chat tools is prohibited. Transmission may only be made through approved channels that are authenticated and encrypted (HTTPS or VPN).
Audit controls
No audit controls required.
Information owners must periodically monitor and review their systems and procedures for potential misuse and/or unauthorized access.
Information owners must periodically monitor and review their systems and procedures for potential misuse and/or unauthorized access. Audit trails for the purposes of non-repudiation must be in place.
Systems must be actively monitored and reviewed for potential misuse and/or unauthorized access. Audit trails for the purposes of non-repudiation must be in place.
Storage
No restrictions.
No restrictions. Care must always be taken when storing this information on mobile devices.
Encryption may be required if stored on mobile devices. If appropriate level of protection is not known, check with Information Security Officer before storing Restricted data unencrypted.
Encryption at rest mandatory for all data not within a physically secure ISO 27001 environment. Storage is prohibited on unapproved computing equipment.
Backup & Recovery procedures
Not required.
Documented backup and recovery procedures are required achieving an RTO of 7 days
Documented backup and recovery procedures are required achieving a minimum RTO of 1 day. A higher RTO may be required for certain types of data.
Documented backup and recovery procedures are required, including automated failover wherever feasible in order to achieve our RTO of 4 hours.
Disposal (digital file)
No restrictions.
Standard deletion from media
Standard deletion from media
Delete all files or data using a secure delete tool (such as Eraser).
Disposal (physical medium)
No restrictions.
Media must be erased before disposal
Media must be erased before disposal if encrypted. Media must be disposed of securely using state of the art approved solutions for the permanent removal of data (e.g. shredding or physical destruction).
Media must be erased before disposal if encrypted. Media must be disposed of securely using state of the art approved solutions for the permanent removal of data (e.g. shredding or physical destruction).
Requirements for data in printed format
Transport
Normal mail service
Normal mail service
Must never be printed
Must never be printed
Storage
No requirements
Secure office or other location. Room need not be locked if access to the building or floor is restricted to employees and authorised non-employees.
Must never be printed
Must never be printed
Disposal
No requirements
Information must be disposed of securely using strip-cut shredders or confidential waste bins which are certified for secure destruction.
Must never be printed
Must never be printed
Report suspected violations of this policy to the CTO or CEO. Reports of violations are considered Restricted data until otherwise classified.
We maintain an detailing all key information assets at FundApps, who owns them, the business processes they are used in, and any external service providers that may utilize or store the information.
The latest classification guidance can be found . This version as of 9 Sept 2017.
FundApps approaches both information security and business continuity from risk based principles. Each identified information security or business continuity risk is reviewed with regard to Likelihood (the possibility of a risk happening), and Impact (the consequence of a risk happening).
Risks can be identified by any member of staff, and, staff members are encouraged to contribute. Once risks are identified and reviewed for Likelihood and Impact, an appropriate remediation plan can be formulated.
The key is that risk management drives activity to resolve identified risks, and is the responsibility is that of each employee of FundApps.
Potential information security risks and business continuity risks are identified through both formal and informal channels
Monthly company-wide security awareness sessions
Monthly security review meetings
Incident response and reviews
As part of the Software Development Lifecycle
As part of the continuous release management
As part of everyday working practice
Potential risks are recorded in the risk register and assigned an owner. Risks are assessed on two criteria with regards to any current controls that may already be in place:
Each risk level consists of
the likelihood and impact levels
a timeframe for review while the risk is open
a timeframe for review once the risk is closed
Based on this categorization we can then design a risk response in order to reduce our residual risk.
Strategies for responding to the risk can include:
Avoid risk – activities with a high likelihood of loss and large business impact. The best response is to avoid the activity.
Mitigate risk – activities with a high likelihood of occurring, but business impact is small. The best response is to use management control systems to reduce the risk of potential loss.
Transfer risk – activities with low probability of occurring, but with a large business impact. The best response is to transfer a portion or all of the risk to a third party by purchasing insurance, hedging, outsourcing, or entering into partnerships.
Accept risk – if cost-benefit analysis determines the cost to mitigate risk is higher than cost to bear the risk, then the best response is to accept and continually monitor the risk.
Our risk response may generate information security or business continuity controls which could be technical, procedural or policy based.
Risks remain open until we have:
implemented any new controls identified to reduce the likelihood or impact of the risk, and therefore reduce the residual risk
re-assessed the risk and ensured it is below High
decided to accept the residual risk level
Once closed, risks are re-assessed on a timeframe defined in in the risk levels.
It is important to note that following the risk management framework, any risk that equals or exceeds a risk scoring of twelve (12) will exceed the FundApps Risk Tolerance level and therefore will require a risk treatment plan to lower the risk profile. See the for further information.
Likelihood, according to the . Likelihood should consider the specific vulnerability or threats that may exploit this vulnerability.
Impact, according to the . Further guidance must be taken from the FundApps Data Classification and Handling when referring to impact. This will take into account the Confidentiality, Integrity and Availability requirements of any data asset.
The assessment of likelihood and impact places the risk within risk tolerance levels defined in the .
Use of definitions based upon ISACA’s
Customer support queries
Internal communications
Server logs
Development source code
Information assets are identified as part of:
Monthly company-wide security awareness sessions
Monthly security review meetings
Our software development lifecycle
Everyday working practice
For each information asset identified, we
Assign an owner for the information
Identify if it falls under any specific regulation (primarily General Data Protection Regulation)
Identify an appropriate data classification from these ratings
Any changes to the register results in:
updates to our data classification policy with regards the information systems and asset information falling under each classification
Information systems are reviewed as part of our monthly security review meetings.
Our contains every information asset of value to FundApps. For example, this includes:
Assess CIA ratings in accordance with our process
Identify the that contain this data
Identify any specific information risks relating to this information and record it in our
Identify any specific business continuity risks relating to this information and record it in our
updates to our with regards the classification of information they hold
updates to our requiring us to record privileges granted to this systems and ensuring revokation during the offboarding process
Rapptr (customer instances)
Amazon AWS (production data)
Google Mail (our own internal communications)
Information systems are identified as part of:
Monthly company-wide security awareness sessions
Monthly security review meetings
Our software development lifecycle
Everyday working practice
Information systems that FundApps depend on that are managed by third party vendors are included in this register. As such we evaluate business continuity and sufficient security controls as part of our assessement process.
For each information system identified, we
Assign an owner for the system
Identify information security controls based on the data classification
Identify business continuity controls based on the data classification
Information systems are reviewed as part of our monthly security review meetings.
Our contains any system (internal or external) that holds or permits access to information assets in our . For example, this includes:
Automatically identify the information assets stored in this system (as recorded in our .
Automatically identify the the system falls under based on the maximum data classification of the information stored.
Identify any specific information risks relating to this information and record it in our
Identify any specific business continuity risks relating to this information and record it in our