Access Control Policy
Access Control
FundApps implements physical and logical access controls across its IT systems and services in order to provide authorised, granular, auditable and appropriate user access, and to ensure appropriate preservation of data confidentiality, integrity and availability in accordance with our Information Security Policy.
This policy covers all FundApps IT systems and information not classified as 'Public' in our data classification policy.
Each information system is recorded in our information system register, which includes:
An owner responsible for managing user access
The kinds of data it stores and therefore the data classification and controls required to protect that information.
Status of basic controls such as SSO and two-factor authentication
Access to each information system is granted on a least-privilege and as-needed basis. Access grants are managed by the nominated owner of the system, and access to each system is recorded in our staff database. These access records are reviewed as part of our monthly security stakeholder meeting.
We utilise a centralised identity management platform in order to simplify and automate on-boarding and off-boarding for any information systems that support single sign-on or automated user provisioning. Our staff access database and identity management platform are then used during the off-boarding process to ensure all required privileges are revoked in a timely manner.
Logical access controls for FundApps Platform
Data stored in the FundApps platform is classified as 'FundApps Confidential' (see data classification policy). Support staff access the platform through the same interface our customers do. As such, controls in place include:
Access via HTTPS only;
Named accounts using Single sign-on (SSO) and two-factor authentication;
Audit logs of support staff accessing the system, which are visible to our customers;
Access is granted on a least-privilege and need-to-know basis;
Ongoing security awareness training;
Access review by head of Client Services on a quarterly basis.
Access to our production network is restricted to a very small set of staff. Controls in place include:
All credentials and accounts are provisioned through a configuration change management system that requires approval of the change;
Access to the network must be made via a secure connection to a bastion host using a previously authorised key and verified with a physical MFA token (YubiKey);
Each member of operational staff uses a named account on each server where access is required; this account is provisioned separately from the network access described above;
Access is granted on a least-privilege and need-to-know basis;
All access to and key administrative actions on production servers are logged to a centralised audit store;
Access review by CTO on a quarterly basis.
Logical access controls for all IT systems
Our data classification policy classifies data stored across all our IT systems. Principles we follow include:
Named accounts are mandatory, unless an exception is granted by the data owner responsible.
Any built-in, default accounts should be disabled or renamed and their passwords changed.
Single sign-on should be enabled and mandatory wherever possible.
Two-factor authentication should be enabled and mandatory wherever possible.
Passwords should not be re-used across systems. Passwords should be stored using an approved password management tool with a strong master password.
Use secure passwords (minimum 8 characters in length, and at least 3 out of 4 of lower case, upper case, digits and symbols).
Audit logs must provide non-repudiation for changes to, and access to, FundApps Restricted and Confidential data.
See our data classification policy for more information on the specific controls in place.
Physical access controls
Our hosting environments are provided by Amazon Web Services (AWS). AWS data centres are housed in nondescript facilities. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilising video surveillance, intrusion detection systems, and other electronic means. Authorised staff must pass two-factor authentication a minimum of two times to access data centre floors. All visitors and contractors are required to present identification and are signed in and continually escorted by authorised staff.
AWS keeps some details of the physical measures in place at its data centres private; further details are available under mutual NDA with AWS in their SOC 1 and SOC 2 reports.
Our office environment is alarmed, and both a keypad lock and a physical key are required to open it at the start of business. In accordance with our IT policies, all staff equipment is encrypted using BitLocker. See our IT security policies for more information on further controls we have in place.