Loading...
Loading...
FundApps management believe that embedding security into the culture of FundApps is critical to the success of our information security program, and as such this is a management priority.
We have the following in place to achieve this:
New starter survey to set the tone for those who join our organization, followed up by IT security survey a month later to raise awareness of our approach including staff security policies, data classification and our BYOD policies
6 monthly IT security survey for existing staff to assess awareness and identify improvements
Monthly company-wide security session, to discuss any issues that may have arisen, clarify policies (such as data classification), identify improvements and new risks
Channels in company communication tool with security news
Our secure software development lifecycle and specifically the scoping and review process
Monthly security review session for key stakeholders where we actively review security access lists, audit logs and risk register
Culture of continuous improvement across all areas of the business
A rapid response to incidents that threaten the confidentiality, integrity, and availability (CIA) of FundApps information assets, information systems and the networks that deliver the information is required to protect those assets. Without a rapid response, those assets could be compromised and FundApps could be in breach of UK Legislation, our own stated policies, and the potential of of breaching the trust of our customers and users.
Information Security incidents will occur that require full participation of FundApps technical staff as well as management leadership to properly manage the outcome. To accomplish this FundApps has established an incident response policy and procedures that will ensure appropriate leadership and technical resources are involved to:
assess of the seriousness of an incident
assess the extent of damage
identify the vulnerability created
estimate what additional resources are required to mitigate the incident
It will also ensure that proper follow-up reporting occurs and that procedures are adjusted so that responses to future incidents are improved.
The primary emphasis of processes and activities described within this policy is the return to a normal (secure) state as quickly as possible, whilst minimising the adverse impact to FundApps. The capture and preservation of incident relevant data (e.g., network flows, data on drives, access logs, etc.) is performed primarily for the purpose of problem determination and resolution. Strict forensic measures are not used in the data capture and retention. Forensic measures will be determined on a case by case basis.
Contingency Planning, Business Continuity and Disaster Recovery are governed by a different set of policies. An event may initially be declared an ‘Information Security Incident’ and subsequently declared to be a ‘Disaster’. In this case, the activities described below will be included in the Disaster Recovery process.
An Information Security Incident is generally defined as any known or highly suspected circumstance that results in an actual or possible unauthorised release of information deemed sensitive by FundApps or subject to regulation or legislation, beyond FundApps sphere of control.
Examples of an Information Security Incident may include but are not limited to:
the theft or physical loss of computer equipment known to hold files containing sensitive customer or company information
a server known to hold sensitive data is accessed or otherwise compromised by an unauthorised party
the FundApps network is subjected to a Distributed Denial of Service (DDoS) attack
a firewall is accessed by an unauthorised entity
a network outage is attributed to the activities of an unauthorised entity
For the purposes of this protocol, incidents are categorised as “Unauthorised Access” or “Unauthorised Acquisition”, and can be recognised by associated characteristics.
The unauthorised access to or disclosure of FundApps or customer information through network and/or computing related infrastructure, or misuse of such infrastructure, to include access to related components (e.g., network, server, workstation, router, firewall, system, application, data, etc.). Characteristics of security incidents where unauthorised access might have occurred may include but are not limited to:
Evidence (e‐mail, system log) of disclosure of sensitive data
Anomalous traffic to or from the suspected target
Unexpected changes in resource usage
Increased response time
System slowdown or failure
Changes in default or user‐defined settings
Unexplained or unexpected use of system resources
Unusual activities appearing in system or audit logs
Changes to or appearance of new system files
New folders, files, programs or executables
User lock out
Appliance or equipment failure
Unexpected enabling or activation of services or ports
Protective mechanisms disabled (firewall, anti‐virus)
The unauthorised physical access to, disclosure or acquisition of assets containing or providing access to FundApps or customer information (e.g., removable drives or media, hardcopy, file or document storage, server hardware, etc.)/ Characteristics of security incidents where unauthorised acquisition might have occurred may include but are not limited to:
Theft of computer equipment where sensitive data is stored
Loss of storage media (removable drive, flash drive, etc)
Illegal entry (burglary)
Suspicious or foreign hardware is connected to the network
Normally‐secured storage areas found unsecured
Broken or non‐functioning locking mechanisms
Presence of unauthorised personnel in secured areas
Disabled security cameras or devices
Incidents assigned a criticality rating according to the actual and potential impact on the business of FundApps.
Level
Level Definition
Typical Incident Categories
Incident Response Time
C1
Incident affecting critical systems or information with potential to be revenue or customer impacting.
Denial of service Compromised Asset (critical) Internal Hacking (active) External Hacking (active) Virus / Worm (outbreak) Destruction of property (critical)
60 minutes
C2
Incident affecting non‐critical systems or information, not revenue or customer impacting. Employee investigations that are time sensitive should typically be classified at this level.
Internal Hacking (not active) External Hacking (not active) Unauthorised access Policy breaches Unlawful activity Compromised information Compromised asset (non‐critical) Destruction of property (non‐critical)
4 hours
C3
Possible incident, non‐critical systems. Incident or employee investigations that are not time sensitive. Long‐term investigations involving extensive research and/or detailed forensic work.
Email Forensics Request Inappropriate use of property. Policy breaches
48 hours
Key roles and responsibilities of those who form part of the Incident Response Team (IRT) have been defined below:
Role
Responsibilities
CTO
Incident response team lead (IRTL)
CEO
Participates in incident response team, leading external communications.
IT Team / Engineering
Normally form part of the incident response team, subject to CTO approval after initial assessment.
The Critical Incident Response Protocol consists of these key components
Detection
Activation of team
Containment
Notification of non-IRT team members
Assessment
Notification of external parties
Corrective Measures
Washup & lessons learned
Closure
Timely detection of incidents are critical to containment and minimizing it's impact on our business and customers. Please see our IT security policy and specific controls regarding how we detect security incidents.
All suspected security incidents are reported to the Incident Response Team Lead, mobilization will be immediate and based on initial orientation and observation. Notification of the rest of the team should occur via a direct communication - that is any form of communication where you get a response from the other party (ie voicemail or email are not considered direct notification). Team members should rely on usual company communication channels to ensure they have up to date information.
The IRT will determine and cause to be executed the appropriate activities and processes required to quickly contain and minimise the immediate impact to the FundApps and our customers.
Containment activities are designed with the primary objectives of:
Counteract the immediate threat
Prevent propagation or expansion of the incident
Minimise actual and potential damage
Restrict knowledge of the incident to authorised personnel
Preserve information relevant to the incident
Activities that may be required to contain the threat presented to systems where unauthorised access may have occurred:
A1. Disconnect the system or appliance from the network or access to other systems.
A2. Isolate the affected IP address from the network.
A3. Power off the appliance(s), if unable to otherwise isolate.
A4. Disable the affected application(s).
A5. Discontinue or disable remote access.
A6. Stop services or close ports that are contributing to the incident.
A7. Remove drives or media known or suspected to be compromised.
A8. Where possible, capture and preserve system, appliance and application logs, network flows, drives and removable media for review.
A9. Notify IRT of status and any action taken.
Activities that may be required to contain the threat presented to a assets where unauthorised acquisition may have occurred:
B1. Identify missing or compromised assets.
B2. Gather, remove, recover and secure sensitive materials to prevent further loss or access.
B3. Power down, recycle or remove equipment known to be compromised.
B4. Where possible, secure the premises for possible analysis by local management and law enforcement.
B5. Gather and secure any evidence of illegal entry for review by local management and law enforcement.
B6. Where possible, record identities of all parties who were a possible witness to events.
B7. Preserve camera logs and sign‐in logs for review by local management and law enforcement.
B8. Notify IRT of disposition of assets and any action taken.
Designated persons will take action to notify the appropriate internal parties, as necessary. All internal & external communication must be approved by the IRT Lead
The IRT will determine the category and severity of the Incident and undertake discussions and activities to best determine the next best course of action, i.e., decide if protocol execution is required. Once the IRT is assembled, the Assessment Checklist is executed and reviewed to ensure all pertinent facts are established. All discussions, decisions and activities are to be documented.
Assessment should consist of the following at a minimum:
Incident data
The current date and time, and a brief description of the Incident
Who discovered the incident and how?
Types of information
What is the nature of the data
Was the data held by FundApps or a third party?
How was the information held? Was the data encrypted or otherwise obfuscated?
Risk
Can we reasonably determine the risk or exposure?
To what degree are we certain that the data has or has not been released?
Can we identify and do we have contact with the party that received the data or caused the compromise? Describe what is known.
Identify the impacted customers, if possible.
What is the risk or exposure to FundApps?
What is the risk or exposure to the customer?
Next Steps
Do we have enough information to establish the category and severity of the Incident?
If additional data collection data is required, assign responsibility to IRT member for collection
Is there any deadline or reporting requirement (self‐imposed or regulatory) we need to address?
What communications need to be established? Provide details
Are there any immediate issues that have not been addressed? Describe
Recap all work and responsibility assignment
When do we meet again to follow‐up? Provide details
Designated persons will take action to notify the appropriate internal and external parties, as necessary. Communications may include meetings, video conferencing, teleconferencing, e‐mail, telephone/messaging, voice recordings or other means as deemed appropriate. All external communication must be approved by the IRT Lead. FundApps will endeavour to notify clients of any potential incidents impacting the confidentiality, integrity or availability of the client's data, stored in the FundApps platform, no later than 48 hours after having first detected an anomaly.
Customers - IRT Lead or CEO will establish communication with Customers, as appropriate for the circumstance
Other affected parties - IRT Lead or CEO will establish communication with other affected parties (such as hosting providers) as appropriate for the circumstance
Law enforcement - IRT Lead will establish if law enforcement is required and take appropriate action
Government or Regulatory Bodies - IRT Lead will establish if government notification (e.g. Information Commissioner) is required and take appropriate action
Media interest - CEO will deal with any communications with Media.
The IRT will determine and cause to be executed the appropriate activities and processes required to quickly restore circumstances to a normal (secure) state.
Corrective measures are designed with the primary objectives of:
Secure the processing environment
Restore the processing environment to its normal state
Activities that may be required to return conditions from unauthorised access to a normal and secure processing state.
A1. Change passwords on all local user and administrator accounts or otherwise disable the accounts as appropriate.
A2. Change passwords for all administrator accounts where the account uses the same password across multiple appliances or systems (servers, firewalls, routers).
A3. Re image systems to a secure state.
A4. Restore systems with data known to be of high integrity.
A5. Apply OS and application patches and updates.
A6. Modify access control lists as deemed appropriate.
A7. Implement IP filtering as deemed appropriate.
A8. Modify/implement firewall rule sets as deemed appropriate.
A9. Ensure anti‐virus is enabled and current.
A10. Make all personnel “security aware”.
A11. Monitor/scan systems to ensure problems have been resolved.
A12. Notify IRT of status and any action taken.
Activities that may be required to return conditions from an unauthorised acquisition to a normal and secure processing state.
B1. Retrieve or restore assets where possible.
B2. Store all sensitive materials in a secure manner (e.g., lockable cabinets or storage areas/container).
B3. Install/replace locks and issue keys only to authorised personnel.
B4. Restore security devices and/or apparatus to working condition.
B5. Remove and retain unauthorised equipment from network/area.
B6. Implement physical security devices and improvements (e.g., equipment cables, alarms) as deemed appropriate.
B7. Make all personnel “security aware”.
B8. Notify IRT of status and any action taken.
After the incident has been dealt with, a subsequent washup session will be run in order to identify if any further lessons can be learnt or actions taken aside from the immediate corrective measures.
The IRT will stay actively engaged throughout the life cycle of the Information Security Incident to assess the progress/status of all containment and corrective measures and determine at what point the incident can be considered resolved.
Recommendations for improvements to processes, policies, procedures, etc. will exist beyond the activities required for incident resolution and should not delay closing the Information Security Incident.
Loading...
Whatever part of FundApps we work in we are ambassadors for our company.
Lots of us are having conversations and sharing through social media or online communities. We approach the online world in the same way we do the physical one – by using sound judgement, respect and common sense.
It applies to anyone working for and on behalf of FundApps. This policy doesn’t form part of your contract and may be amended at any time.
This policy covers the use of any online platform which can be used for networking, sharing information or opinions. This includes posting comments, pictures, videos, blogging, using forums, sending private messages relating to FundApps its customers or colleagues, endorsing other people’s content and re-tweeting/circulating posts. It covers platforms like YouTube, LinkedIn, Facebook, Twitter, Instagram, Pinterest, Yammer and Instant Messaging services e.g. WhatsApp, etc., or any other existing or new social media platforms, whether it’s internal or external on your own or a work device.
If you want to then yes you can; just make sure it’s clear that you’re not speaking on behalf of FundApps and say that ‘all views are my own’ somewhere on your profile.
If your profile mentions FundApps, be honest about who you are and what you do. Never share your login details or let others post on your behalf. If you’re leaving, remember to update your profile with your new company name or employment status.
Be respectful to other people, even if you disagree with their opinion.
Don’t post things or send messages that could damage our reputation, bring the company into disrepute or cause actual or likely harm to the company or colleagues.
Don’t use statements, photos, videos, audio or send messages that reasonably could be viewed as malicious, abusive, offensive, obscene, threatening, intimidating or contain nudity or images of a sexual nature, or that could be seen as bullying, harassment or discrimination.
You’re responsible for what you put online and any impact it has on others so set up privacy settings if you need to. Never give out personal or private information about colleagues or customers. As a general rule, if you wouldn’t say or show it to your manager, then it’s probably not appropriate to post or send it online!
And remember, what you post or send can be difficult to delete once it’s online.
Help us protect our company and reputation by thinking carefully about what you put online. If you see something online that concerns you please talk to the senior management team.
Even when you say something is your personal opinion we can still be held liable, so pause and think before you post.
You should never assume your social media content won’t reach a wider, public audience. Even if it was originally meant for a small group of friends or for a private message, colleagues or customers may have access to things you put online.
Disseminating confidential or sensitive information; or posting, sharing or endorsing inappropriate messages about your colleagues or FundApps, could result in disciplinary action, which could lead to your dismissal.
To help protect our business anything you develop or create, including programs or documentation, whilst working for us remains the property of FundApps and must not be used or shared on social media sites or online forums, unless you have specific permission from your director to do so.
Never reveal confidential or sensitive information including anything that is given to us in confidence by suppliers or third parties.
This includes information about FundApps which is not in the public domain.
Intellectual property laws (which include copyright and trademarks) are in place to protect the ideas people have, create or develop so that other people can’t steal or use them without permission. For example, FundApps is our trademark, which means we can stop other people from using it on their products.
We must always take care to protect intellectual property rights and respect the rights of others. Stealing someone’s idea can reflect badly on FundApps and damage customer trust.
Most forms of published information are protected by copyright, which means you shouldn’t re-use it without getting the owner’s permission first.
Copyright applies to stuff that’s used both internally and externally so make sure you always respect copyright and see permission first – even if it’s only being used within FundApps. Copyright can also apply when sharing content on Twitter and Facebook, so be mindful when doing this.
You should use your personal e-mail address unless you’re speaking on behalf of the company (and are authorised to do so).
Yes, as long as it’s connected with work, appropriate to post, does not reveal confidential information and any people in the photo are happy for it to be posted.
Yes, if you’re using social media for part of your job or it’s related to work (for example, to help a customer). Otherwise, using social media during working hours must be reasonable and shouldn’t interfere with you carrying out your job.
If it’s something that’s personally offensive to you, you should speak to the person involved, if you’re comfortable to do so, and ask them to remove the post. If the posts aren’t removed or it happens again you should speak to your manager about it. If the post is directly about you, and has been posted without your consent or you’re offended by it, or it’s inappropriate, please speak to your manager or the senior management team.
If you endorse, share or send an offensive or inappropriate comment or message about FundsApps or your colleagues, it will be investigated and may result in us taking disciplinary action against you, which could lead to your dismissal.
If the post contains company information which you believe to be confidential (basically something which isn’t already in the public domain), you should report this immediately to our CTO and security@fundapps.co.
Yes. Social media sites are scanned for any mention of FundApps, our products and services or inappropriate comments about the company, our colleagues, managers or customers. If you spot anything that’s been posted about our business that concerns you please contact the senior management team.
Inappropriate behaviour including posting confidential or sensitive information will be investigated, and may result in us taking disciplinary action against you which could lead to your dismissal. You will be asked to co-operate with any investigation.
If it comes to our attention that any inappropriate posts, comments or messages have been made/sent by you or can be viewed on your profile, then we reserve the right to access these posts and to take copies of them. You may also be asked to remove any content that we consider to be a breach of this policy. If you don’t remove the content when asked, it may result in disciplinary action. Any such posts may be used in internal proceedings and/or legal action.
We treat the online world the same as the physical one, so if your post, comment or message would breach our policies in another forum it will breach it in an online forum too.
For anyone else not directly employed by FundApps: if you breach this policy we may terminate the arrangements we have with you for your services.
Loading...
Loading...
Loading...