Information Security Framework
FundApps is committed to a robust implementation of Information Security Management. All our hosting environments are certified to ISO 27001. As an organisation we endeavour to align our processes to ISO 27001 and the NIST Cyber Security Framework.
We are specifically committed to preserving the confidentiality, integrity and availability of data and documentation supplied by, generated by and held on behalf of our customers. The principles defined in this policy will be applied to all of the physical and electronic information assets for which FundApps is responsible.
Our senior management team are directly responsible for ensuring that all FundApps staff have been made aware of these procedures and their contents.
All employees have access to these procedures, are required to abide by them, and are encouraged to regularly review and update those in their relevant areas.
Purpose
The primary purposes of this policy are to:
Ensure the protection of all FundApps information systems (including but not limited to all computers, mobile devices, networking equipment, software and data) and to mitigate the risks associated with the theft, loss, misuse, damage or abuse of these systems.
Make certain that users are aware of and comply with all current and relevant UK and EU legislation.
Provide a safe and secure information systems working environment for staff and any other authorised users.
Make certain that all FundApps authorised users understand and comply with this policy and any other associated policies, and also adhere to and work within the relevant codes of practice.
Ensure that all users understand their own responsibilities for protecting the confidentiality and integrity of the data that they handle.
Protect FundApps from liability or damage through the misuse of its IT facilities.
Respond to feedback and update as appropriate, initiating a cycle of continuous improvement.
Scope
This policy is applicable to, and will be communicated to, all staff and third parties who interact with information held by FundApps and the information systems used to store and process it. This includes, but is not limited to, any systems or data attached to the FundApps data or telephone networks, systems managed by FundApps, mobile devices used to connect to FundApps networks or hold FundApps data, data over which FundApps holds the intellectual property rights, data over which FundApps is the data owner or data custodian, and communications sent to or from FundApps.
Definitions
FundApps Data, for the purposes of this policy, is data owned, processed or held by FundApps, whether primary or secondary, irrespective of storage location. It is used interchangeably with the term ‘information’.
Information security principles
The following eight information security principles provide overarching governance for the security and management of information at FundApps.
Information should be recorded in our information asset register, with a named owner, and classified in accordance with our data classification policy and in accordance with relevant legislative, regulatory and contractual requirements.
Risks to information security should be assessed and assigned an owner in accordance with our risk management framework.
Staff with particular responsibilities for information are responsible for ensuring the classification of that information; for handling that information in accordance with its classification level; and for any policies, procedures or systems for meeting those responsibilities.
All users covered by the scope of this policy must handle information appropriately and in accordance with its classification level.
As far as is reasonably possible, endeavours must be made to ensure data is complete, relevant, accurate, timely and consistent.
Information should be both secure and available to those with a legitimate need for access in accordance with its classification level.
Information will be protected against unauthorized access and processing in accordance with its classification level.
Information will be protected against loss or corruption.
Breaches of this policy must be reported.
Legal & Regulatory Obligations
FundApps has a responsibility to abide by and adhere to all current UK and EU legislation as well as a variety of regulatory and contractual requirements. Relevant legislation includes:
The Computer Misuse Act 1990
General Data Protection Regulation 2018
The Freedom of Information Act 2000
Regulation of Investigatory Powers Act 2000
Copyright, Designs and Patents Act 1988
Defamation Act 1996
Obscene Publications Act 1959
Protection of Children Act 1978
Criminal Justice Act 1988
Digital Economy Act 2010
A non-exhaustive summary of the legislation and regulatory and contractual obligations that contribute to the form and content of this policy is provided below. Related policies will detail other applicable legislative requirements or provide further detail on the obligations arising from the legislation summarised below.
Key Legislation Summary
The Computer Misuse Act 1990 defines offences in relation to the misuse of computers as:
1. Unauthorised access to computer material.
2. Unauthorised access with intent to commit or facilitate commission of further offences.
3. Unauthorised modification of computer material.
The General Data Protection Regulation 2018 (GDPR) defines obligations for businesses and organisations that collect, process and store individuals' personal data. GDPR outlines seven data protection principles which relate to:
Lawfulness, fairness and transparency
Purpose limitation
Data minimisation
Accuracy
Storage limitation
Integrity and confidentiality (security)
Accountability
Supporting Policies, Codes of Practice, Procedures and Guidelines
Compliance, Policy Awareness and Disciplinary Procedures
Any security breach of FundApps information systems could lead to the possible loss of confidentiality, integrity and availability of personal or other confidential data stored on these information systems. The loss or breach of confidentiality of personal data is an infringement of the Data Protection Act 1998, contravenes the FundApps Data Protection Policy, and may result in criminal or civil action against FundApps.
The loss or breach of confidentiality of contractually assured information may result in the loss of business, financial penalties or criminal or civil action against FundApps. Therefore it is crucial that all users of the FundApps information systems adhere to the Information Security Policy and its supporting policies as well as the Information Classification Standards.
All current staff and other authorised users will be informed of the existence of this policy and the availability of supporting policies, codes of practice and guidelines.
Any security breach will be handled in accordance with all relevant FundApps policies, including the Conditions of Use of IT Facilities at FundApps and the appropriate disciplinary policies.
Incident Handling
If a member of staff becomes aware of an information security incident, they must report it to the Information Security Lead, the CEO or the CTO immediately. For more information, please see our Incident Response Policy.
Review and Development
This policy, and its subsidiaries, shall be reviewed by the FundApps board and updated regularly to ensure that they remain appropriate in the light of any relevant changes to the law, organisational policies or contractual obligations.