FundApps is committed to a robust implementation of Information Security Management. All our hosting environments are certified to ISO 27001. As an organisation we endeavour to align our processes to ISO 27001 and the NIST Cyber Security Framework.
We are specifically committed to preserving the confidentiality, integrity and availability of data and documentation supplied by, generated by and held on behalf of our customers. The principles defined in this policy will be applied to all of the physical and electronic information assets for which FundApps is responsible.
Our senior management team are directly responsible for ensuring that all FundApps staff have been made aware of these procedures and their contents.
All employees have access to this policy, are required to abide by it, and are encouraged to regularly review and update it in their relevant areas.
The primary purposes of this policy are to:
Ensure the protection of all FundApps information systems (including but not limited to all computers, mobile devices, networking equipment, software and data) and to mitigate the risks associated with the theft, loss, misuse, damage or abuse of these systems.
Make certain that users are aware of and comply with all current and relevant UK and EU legislation.
Provide a safe and secure information systems working environment for staff and any other authorised users.
Make certain that all FundApps' authorised users understand and comply with this policy and any other associated policies, and also adhere to and work within the relevant codes of practice.
Ensure that all users understand their own responsibilities for protecting the confidentiality and integrity of the data that they handle.
Protect FundApps from liability or damage through the misuse of its IT facilities.
Respond to feedback and update as appropriate, initiating a cycle of continuous improvement.
This policy is applicable to, and will be communicated to, all staff and third parties who interact with information held by FundApps and the information systems used to store and process it. This includes, but is not limited to, any systems or data attached to the FundApps data or telephone networks, systems managed by FundApps, mobile devices used to connect to FundApps networks or hold FundApps data, data over which FundApps holds the intellectual property rights, data over which FundApps is the data owner or data custodian, and communications sent to or from FundApps.
FundApps Data, for the purposes of this policy, is data owned, processed or held by FundApps, whether primary or secondary, irrespective of storage location. It is used interchangeably with the term ‘information’.
The following eight information security principles provide overarching governance for the security and management of information at FundApps.
Staff with particular responsibilities for information are responsible for ensuring the classification of that information; for handling that information in accordance with its classification level; and for any policies, procedures or systems for meeting those responsibilities.
All users covered by the scope of this policy must handle information appropriately and in accordance with its classification level.
As far as is reasonably possible, endeavours must be made to ensure data is complete, relevant, accurate, timely and consistent.
Information should be both secure and available to those with a legitimate need for access in accordance with its classification level.
Information will be protected against unauthorised access and processing in accordance with its classification level.
Information will be protected against loss or corruption.
Breaches of this policy must be reported.
FundApps has a responsibility to abide by and adhere to all current UK and EU legislation as well as a variety of regulatory and contractual requirements. Relevant legislation includes:
• The Computer Misuse Act 1990
• General Data Protection Regulation 2018
• The Freedom of Information Act 2000
• Regulation of Investigatory Powers Act 2000
• Copyright, Designs and Patents Act 1988
• Defamation Act 1996
• Obscene Publications Act 1959
• Protection of Children Act 1978
• Criminal Justice Act 1988
• Digital Economy Act 2010
A non-exhaustive summary of the legislation and regulatory and contractual obligations that contribute to the form and content of this policy is provided below. Related policies will detail other applicable legislative requirements or provide further detail on the obligations arising from the legislation summarised below.
The Computer Misuse Act 1990 defines offences in relation to the misuse of computers as:
1. Unauthorised access to computer material.
2. Unauthorised access with intent to commit or facilitate commission of further offences.
3. Unauthorised modification of computer material.
The General Data Protection Regulation 2018 (GDPR) defines obligations for businesses and organisations that collect, process and store individuals' personal data. GDPR outlines seven data protection principles which relate to:
Lawfulness, fairness and transparency
Purpose limitation
Data minimisation
Accuracy
Storage limitation
Integrity and confidentiality (security)
Accountability
Any security breach of FundApps information systems could lead to the possible loss of confidentiality, integrity and availability of personal or other confidential data stored on these information systems. The loss or breach of confidentiality of personal data is an infringement of the Data Protection Act 1998, contravenes FundApps Data Protection Policy, and may result in criminal or civil action against FundApps.
The loss or breach of confidentiality of contractually assured information may result in the loss of business, financial penalties or criminal or civil action against FundApps. Therefore it is crucial that all users of the FundApps information systems adhere to the Information Security Policy and its supporting policies as well as the Information Classification Standards.
All current staff and other authorised users will be informed of the existence of this policy and the availability of supporting policies, codes of practice and guidelines.
Any security breach will be handled in accordance with all relevant FundApps policies, including the Conditions of Use of IT Facilities at FundApps and the appropriate disciplinary policies.
This policy, and its subsidiaries, shall be reviewed by the FundApps board and updated regularly to ensure that they remain appropriate in the light of any relevant changes to the law, organisational policies or contractual obligations.
Information should be recorded in our information asset register, with a named owner, and classified in accordance with our and in accordance with relevant legislative, regulatory and contractual requirements
Risks to information security should be assessed and assigned an owner in accordance with our
If a member of staff is aware of an information security incident then they must report it to the Information Security Lead, the CEO or the CTO immediately. For more information, please see our .
Whether it's a USB stick left on a train, a website hack leading to stolen confidential information, or phishing attacks compromising accounts - IT security is in the news more and more.
FundApps is privy to sensitive customer information daily, so it is important that a pro-active approach to security is taken. The policies captured in this living document are therefore the responsibility of everyone in the Company to uphold and update. Suggestions and improvements should be raised and addressed as required with the team and the CTO.
NOTE: Security doesn't stop when you leave the office. This policy applies not only to FundApps-provided equipment but also to any other equipment you may use to access FundApps systems or software.
Each month we have a 30 minute company-wide session to discuss security issues, address any new concerns or risks people can raise, and check in with any security incidents that have been in the press.
Better safe than sorry. Use common sense. If you're not sure whether something is a good idea (downloading a piece of software, opening an email, leaving a laptop unattended, using a particular third party service) - it probably isn't. Discuss it with the team!
Educate yourself - read about a security breach? Find out how it happened and why. Think about whether there's anything we could do differently at FundApps to stop it happening here. Also see "other reading".
If you know or suspect a loss or theft of confidential information has occurred, or the security or integrity of any system has potentially been compromised - report it immediately to the CTO and CEO. Keep trying until they confirm they are aware.
Don't just educate yourself, share with the team.
Join our #security channel in Slack
Read about a recent security breach at a company? Find a link that talks about what happened in detail and share it in Slack with the company
See someone leaving their screen unlocked? Lock it for them, and make sure they know you did!
This applies to all computers you access FundApps platforms from, not just your work computer.
Hard disk encryption enabled (BitLocker, FileVault).
Windows update enabled and configured for automatic update installs.
Anti-virus software installed and configured for automatic updates.
Set your PC so it will automatically lock after 3 minutes.
Lock your computer whenever you leave it unattended.
Keep your desks clear of any printed information.
Use a different password for each service you access.
Use two factor authentication whenever available (we enforce this for services where we can, such as Google mail and GitHub).
Use secure passwords (minimum 8 characters in length, and at least 3 out of 4 of lower case, upper case, digits and symbols).
Never share individual account credentials.
Immediately change compromised credentials and report compromise to the Information Security Lead.
Any mobile device accessing FundApps email must have a secure PIN set and remote-wipe software installed.
Any device you use to access the FundApps platform or related services must comply with our security checklist - this includes but is not limited to - hard disk encryption, anti-virus installed, a secure password and a 3 minute lock timeout.
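As an added illustration of the password rule in the checklist above (not FundApps' own tooling), a small checker that implements the stated rule, at least 8 characters and at least 3 of the 4 character classes, and reports which requirement was not met. The sample passwords at the bottom are constructed for demonstration.

```python
"""Checker for the password rule stated in the checklist above:
minimum 8 characters, and at least 3 of the 4 character classes
(lower case, upper case, digits, symbols).
Added example, not FundApps' own tooling."""
import string

MIN_LENGTH = 8
MIN_CLASSES = 3


def _classes_present(password: str) -> dict:
    """Map each character class named in the policy to whether it occurs.
    Symbols are taken to be ASCII punctuation (an assumption; the policy
    does not define 'symbol' precisely)."""
    return {
        "lower": any(c.islower() for c in password),
        "upper": any(c.isupper() for c in password),
        "digit": any(c.isdigit() for c in password),
        "symbol": any(c in string.punctuation for c in password),
    }


def check_password(password: str):
    """Return (compliant, reasons). 'reasons' is empty when compliant,
    otherwise it lists every rule the password fails so the user can fix
    all of them at once rather than one per attempt."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"too short: {len(password)} < {MIN_LENGTH} characters")
    present = _classes_present(password)
    used = sum(present.values())
    if used < MIN_CLASSES:
        missing = [name for name, ok in present.items() if not ok]
        reasons.append(
            f"only {used} of 4 character classes used (missing: {', '.join(missing)})"
        )
    return (not reasons, reasons)


if __name__ == "__main__":
    # Constructed sample values for demonstration only.
    for candidate in ["Tr0ub4dor", "password", "Correct-Horse", "aB3!"]:
        ok, why = check_password(candidate)
        print(f"{candidate!r}: {'OK' if ok else 'REJECT'} {'; '.join(why)}")
```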
Email is not a secure medium. You should be conscious of this and consider how emails might be used by others. Emails can be spoofed (appear to come from someone other than the actual sender) and intercepted.
If your email account is breached this is often a route into accessing many other services (given how many services rely on email-based password resets). You should never use your email password for other services.
When sending attachments containing FundApps confidential information, you should use a password protected ZIP and share the password via a secondary, unrelated channel (such as SMS).
Remember that emails can easily be taken out of context, that once an email is sent you cannot control what the recipients might do with it, and that it is very easy to forward large amounts of information.
Similarly you should not necessarily trust what you receive in an email - in particular, you must never respond to an email request to give a username or password.
Lock your computer whenever you leave it unattended.
Any computer equipment should be secured behind locked doors when left unattended.
Any unattended portable equipment should be physically secured if possible, for example locked in an office or a desk drawer. When being transported in a vehicle it should be hidden from view. Staff should avoid storing sensitive information on portable equipment whenever possible (see data security section).
Enable 3 minute screen savers on your computer. (Go to Screen Saver settings, wait 3 minutes, and check On resume, display logon screen).
FundApps attaches great importance to the secure management of the data it holds and generates and will hold staff accountable for any inappropriate mismanagement or loss of it.
If a customer emails you sensitive portfolio data, please advise them that they should not be doing this.
Do not create users for customers, even if you know them. Every customer has an Admin user who can create users for themselves.
If you need to debug customer portfolio data, you should use our secure VMs in our production environment.
Customer data (of any kind) should never be stored on mobile devices or taken off-site (with the exception of email).
Failure to comply with these requirements will be considered a serious breach of this policy.
If your profile mentions FundApps, be honest about who you are and what you do.
Be aware that if your profile mentions FundApps, you may be more of a target for social engineering or phishing attacks.
Never share your login details or let others post on your behalf.
Be respectful to other people, even if you disagree with their opinion.
Don’t post things or send messages that could damage our reputation, bring the company into disrepute or cause actual or likely harm to the company or colleagues.
You’re responsible for what you put online and any impact it has on others so set up privacy settings if you need to. Never give out personal or private information about colleagues or customers. As a general rule, if you wouldn’t say or show it to your manager, then it’s probably not appropriate to post or send it online!
Help us protect our company and reputation by thinking carefully about what you put online. If you see something online that concerns you please talk to the senior management team.
Internet access is provided as a critical aspect of our business. It should be used in a responsible manner and any personal use should be reasonable. The Internet may not be accessed and used for any of the following:
Any activity that would violate the laws and regulations of the UK
Sending offensive or harassing material to other users
Any activity that would violate the privacy of others
Cause damage or disruption to organisational systems
Monitoring software is in use to protect the effectiveness, security, availability and integrity of FundApps systems. We monitor the type and volume of internet and network traffic. The information recorded can be used to identify an individual user and the website domain being accessed.
If you know or suspect a loss or theft of confidential information has occurred, or the security or integrity of any system has potentially been compromised - report it to the Information Security Lead, the CTO or CEO. This could include:
Disclosure of confidential information to any unauthorised person.
Integrity of any system or data being put at risk (for example virus, malware, hacking).
Availability of the system or information being put at risk.
Loss of any system, laptop, mobile phone or other portable device.
Finding doors and/or windows broken and/or forced entry gained to a secure room/building in which computer equipment exists.
For general awareness, we recommend the following sites.
For more technical information, check out
Be aware of the kinds of information we look after as a company, and how we protect them. You can find more in our policy.
Be aware of - don't trust an attachment or a hyperlink in an email just because it comes from someone you know, or an organisation you trust. Better to type the URL into the browser window yourself, and avoid that unexpected attachment.
Make sure your computer password meets our minimum security requirements - you can use to check if it is strong enough. It should be at least 8 characters with at least one upper/lowercase character, a number and symbol.
(or equivalent) installed and used for all passwords.
If you use your mobile phone for accessing company systems (including email) your mobile phone must have a PIN set and remote-wipe software installed. You must never store data classified as FundApps Confidential on your phone. You can find more in our .
Do not store FundApps confidential data on any removable media or equipment, in accordance with our .
In order to facilitate this, use a tool like for securely storing passwords.
You must comply with our and ensure you do not store data in breach of this.
is enforced for your FundApps email. .
Customer data, particularly portfolio data should be treated with great care, and in accordance with our .
Please familiarize yourself with our
Whatever part of FundApps we work in we are ambassadors for our company.
Lots of us are having conversations and sharing through social media or online communities. We approach the online world in the same way we do the physical one – by using sound judgement, respect and common sense.
It applies to anyone working for and on behalf of FundApps. This policy doesn’t form part of your contract and may be amended at any time.
This policy covers the use of any online platform which can be used for networking, sharing information or opinions. This includes posting comments, pictures, videos, blogging, using forums, sending private messages relating to FundApps, its customers or colleagues, endorsing other people’s content and re-tweeting/circulating posts. It covers platforms like YouTube, LinkedIn, Facebook, Twitter, Instagram, Pinterest, Yammer and Instant Messaging services (e.g. WhatsApp), or any other existing or new social media platforms, whether internal or external, on your own or a work device.
If you want to, then yes, you can; just make sure it’s clear that you’re not speaking on behalf of FundApps and say that ‘all views are my own’ somewhere on your profile.
If your profile mentions FundApps, be honest about who you are and what you do. Never share your login details or let others post on your behalf. If you’re leaving, remember to update your profile with your new company name or employment status.
Be respectful to other people, even if you disagree with their opinion.
Don’t post things or send messages that could damage our reputation, bring the company into disrepute or cause actual or likely harm to the company or colleagues.
Don’t use statements, photos, videos, audio or send messages that reasonably could be viewed as malicious, abusive, offensive, obscene, threatening, intimidating or contain nudity or images of a sexual nature, or that could be seen as bullying, harassment or discrimination.
You’re responsible for what you put online and any impact it has on others so set up privacy settings if you need to. Never give out personal or private information about colleagues or customers. As a general rule, if you wouldn’t say or show it to your manager, then it’s probably not appropriate to post or send it online!
And remember, what you post or send can be difficult to delete once it’s online.
Help us protect our company and reputation by thinking carefully about what you put online. If you see something online that concerns you please talk to the senior management team.
Even when you say something is your personal opinion we can still be held liable, so pause and think before you post.
You should never assume your social media content won’t reach a wider, public audience. Even if it was originally meant for a small group of friends or for a private message, colleagues or customers may have access to things you put online.
Disseminating confidential or sensitive information; or posting, sharing or endorsing inappropriate messages about your colleagues or FundApps, could result in disciplinary action, which could lead to your dismissal.
To help protect our business anything you develop or create, including programs or documentation, whilst working for us remains the property of FundApps and must not be used or shared on social media sites or online forums, unless you have specific permission from your director to do so.
Never reveal confidential or sensitive information including anything that is given to us in confidence by suppliers or third parties.
This includes information about FundApps which is not in the public domain.
Intellectual property laws (which include copyright and trademarks) are in place to protect the ideas people have, create or develop so that other people can’t steal or use them without permission. For example, FundApps is our trademark, which means we can stop other people from using it on their products.
We must always take care to protect intellectual property rights and respect the rights of others. Stealing someone’s idea can reflect badly on FundApps and damage customer trust.
Most forms of published information are protected by copyright, which means you shouldn’t re-use it without getting the owner’s permission first.
Copyright applies to content that’s used both internally and externally, so make sure you always respect copyright and seek permission first – even if it’s only being used within FundApps. Copyright can also apply when sharing content on Twitter and Facebook, so be mindful when doing this.
You should use your personal e-mail address unless you’re speaking on behalf of the company (and are authorised to do so).
Yes, as long as it’s connected with work, appropriate to post, does not reveal confidential information and any people in the photo are happy for it to be posted.
Yes, if you’re using social media for part of your job or it’s related to work (for example, to help a customer). Otherwise, using social media during working hours must be reasonable and shouldn’t interfere with you carrying out your job.
If it’s something that’s personally offensive to you, you should speak to the person involved, if you’re comfortable to do so, and ask them to remove the post. If the posts aren’t removed or it happens again you should speak to your manager about it. If the post is directly about you, and has been posted without your consent or you’re offended by it, or it’s inappropriate, please speak to your manager or the senior management team.
If you endorse, share or send an offensive or inappropriate comment or message about FundApps or your colleagues, it will be investigated and may result in us taking disciplinary action against you, which could lead to your dismissal.
If the post contains company information which you believe to be confidential (basically something which isn’t already in the public domain), you should report this immediately to our CTO and security@fundapps.co.
Yes. Social media sites are scanned for any mention of FundApps, our products and services or inappropriate comments about the company, our colleagues, managers or customers. If you spot anything that’s been posted about our business that concerns you please contact the senior management team.
Inappropriate behaviour including posting confidential or sensitive information will be investigated, and may result in us taking disciplinary action against you which could lead to your dismissal. You will be asked to co-operate with any investigation.
If it comes to our attention that any inappropriate posts, comments or messages have been made/sent by you or can be viewed on your profile, then we reserve the right to access these posts and to take copies of them. You may also be asked to remove any content that we consider to be a breach of this policy. If you don’t remove the content when asked, it may result in disciplinary action. Any such posts may be used in internal proceedings and/or legal action.
We treat the online world the same as the physical one, so if your post, comment or message would breach our policies in another forum it will breach it in an online forum too.
For anyone else not directly employed by FundApps: if you breach this policy we may terminate the arrangements we have with you for your services.
FundApps management believe that embedding security into the culture of FundApps is critical to the success of our information security program, and as such this is a management priority.
FundApps implements the following practices to achieve this objective:
New joiners go through Information Security training when they start at FundApps. This training covers what Information Security is, why it’s important to FundApps and what is expected of FundApps staff and contractors;
Security-themed presentations to all of FundApps’ staff;
Technical Security presentations to engineers on most common vulnerabilities;
Channels in company communication tool with security news;
Monthly security review session for key stakeholders where we actively review security access lists, audit logs and risk register;
Culture of continuous improvement across all areas of the business.
A rapid response to incidents that threaten the confidentiality, integrity, and availability (CIA) of FundApps information assets, information systems and the networks that deliver the information is required to protect those assets. Without a rapid response, those assets could be compromised and FundApps could be in breach of legislation and our own stated policies, and could breach the trust of our customers and users.
Information Security incidents will occur that require full participation of FundApps technical staff as well as management leadership to properly manage the outcome. To accomplish this FundApps has established an incident response policy and procedures that will ensure appropriate leadership and technical resources are involved to:
assess the seriousness of an incident
assess the extent of damage
identify the vulnerability created
estimate what additional resources are required to mitigate the incident
It will also ensure that proper follow-up reporting occurs and that procedures are adjusted so that responses to future incidents are improved.
The primary emphasis of processes and activities described within this policy is the return to a normal (secure) state as quickly as possible, whilst minimising the adverse impact to FundApps. The capture and preservation of incident relevant data (e.g., network flows, data on drives, access logs, etc.) is performed primarily for the purpose of problem determination and resolution. Strict forensic measures are not used in the data capture and retention. Forensic measures will be determined on a case by case basis.
Contingency Planning, Business Continuity and Disaster Recovery are governed by a different set of policies. An event may initially be declared an ‘Information Security Incident’ and subsequently declared to be a ‘Disaster’. In this case, the activities described below will be included in the Disaster Recovery process.
An Information Security Incident is generally defined as any known or highly suspected circumstance that results in an actual or possible unauthorised release of information deemed sensitive by FundApps or subject to regulation or legislation, beyond FundApps' sphere of control.
Examples of an Information Security Incident may include but are not limited to:
the theft or physical loss of computer equipment known to hold files containing sensitive customer or company information
a server known to hold sensitive data is accessed or otherwise compromised by an unauthorised party
the FundApps network is subjected to a Distributed Denial of Service (DDoS) attack
a firewall is accessed by an unauthorised entity
a network outage is attributed to the activities of an unauthorised entity
For the purposes of this protocol, incidents are categorised as “Unauthorised Access” or “Unauthorised Acquisition” and can be recognised by associated characteristics.
The unauthorised access to or disclosure of FundApps or customer information through network and/or computing related infrastructure, or misuse of such infrastructure, to include access to related components (e.g., network, server, workstation, router, firewall, system, application, data, etc.). Characteristics of security incidents where unauthorised access might have occurred may include but are not limited to:
Evidence (e‐mail, system log) of disclosure of sensitive data
Anomalous traffic to or from the suspected target
Unexpected changes in resource usage
Increased response time
System slowdown or failure
Changes in default or user‐defined settings
Unexplained or unexpected use of system resources
Unusual activities appearing in system or audit logs
Changes to or appearance of new system files
New folders, files, programs or executables
User lock out
Appliance or equipment failure
Unexpected enabling or activation of services or ports
Protective mechanisms disabled (firewall, anti‐virus)
The unauthorised physical access to, disclosure or acquisition of assets containing or providing access to FundApps or customer information (e.g., removable drives or media, hardcopy, file or document storage, server hardware, etc.). Characteristics of security incidents where unauthorised acquisition might have occurred may include but are not limited to:
Theft of computer equipment where sensitive data is stored
Loss of storage media (removable drive, flash drive, etc)
Illegal entry (burglary)
Suspicious or foreign hardware is connected to the network
Normally secured storage areas found unsecured
Broken or non‐functioning locking mechanisms
Presence of unauthorised personnel in secured areas
Disabled security cameras or devices
Incidents are assigned a criticality rating according to the actual and potential impact on the business of FundApps.

| Level | Level Definition | Typical Incident Categories | Incident Response Time |
|---|---|---|---|
| C1 | Incident affecting critical systems or information with potential to be revenue or customer impacting. | Denial of service; Compromised asset (critical); Internal hacking (active); External hacking (active); Virus / worm (outbreak); Destruction of property (critical) | 60 minutes |
| C2 | Incident affecting non-critical systems or information, not revenue or customer impacting. Employee investigations that are time sensitive should typically be classified at this level. | Internal hacking (not active); External hacking (not active); Unauthorised access; Policy breaches; Unlawful activity; Compromised information; Compromised asset (non-critical); Destruction of property (non-critical) | 4 hours |
| C3 | Possible incident, non-critical systems. Incident or employee investigations that are not time sensitive. Long-term investigations involving extensive research and/or detailed forensic work. | Email forensics request; Inappropriate use of property; Policy breaches | 48 hours |
Key roles and responsibilities of those who form part of the Incident Response Team (IRT) have been defined below:

| Role | Responsibilities |
|---|---|
| CTO or Information Security Lead | Incident response team lead (IRTL) |
| CEO | Participates in incident response team, leading external communications. |
| IT Team / Engineering | Normally form part of the incident response team, subject to CTO approval after initial assessment. |

The Critical Incident Response Protocol consists of these key components:
Detection
Activation of team
Containment
Notification of non-IRT team members
Assessment
Notification of external parties
Corrective Measures
Washup & lessons learned
Closure
Timely detection of incidents is critical to containment and minimizing it's impact on our business and customers. Please see our IT security policy and specific controls regarding how we detect security incidents.
All suspected security incidents are reported to the Incident Response Team Lead, mobilization will be immediate and based on initial orientation and observation. Notification of the rest of the team should occur via a direct communication - that is any form of communication where you get a response from the other party (ie voicemail or email are not considered direct notification). Team members should rely on usual company communication channels to ensure they have up to date information.
The IRT will determine and cause to be executed the appropriate activities and processes required to quickly contain and minimise the immediate impact to the FundApps and our customers.
Containment activities have the following primary objectives:
Counteract the immediate threat
Prevent propagation or expansion of the incident
Minimise actual and potential damage
Restrict knowledge of the incident to authorised personnel
Preserve information relevant to the incident
Activities that may be required to contain the threat presented to systems where unauthorised access may have occurred:
A1. Disconnect the system or appliance from the network or access to other systems.
A2. Isolate the affected IP address from the network.
A3. Power off the appliance(s), if unable to otherwise isolate.
A4. Disable the affected application(s).
A5. Discontinue or disable remote access.
A6. Stop services or close ports that are contributing to the incident.
A7. Remove drives or media known or suspected to be compromised.
A8. Where possible, capture and preserve system, appliance and application logs, network flows, drives and removable media for review.
A9. Notify IRT of status and any action taken.
Activities that may be required to contain the threat presented to assets where unauthorised acquisition may have occurred:
B1. Identify missing or compromised assets.
B2. Gather, remove, recover and secure sensitive materials to prevent further loss or access.
B3. Power down, recycle or remove equipment known to be compromised.
B4. Where possible, secure the premises for possible analysis by local management and law enforcement.
B5. Gather and secure any evidence of illegal entry for review by local management and law enforcement.
B6. Where possible, record identities of all parties who were a possible witness to events.
B7. Preserve camera logs and sign‐in logs for review by local management and law enforcement.
B8. Notify IRT of disposition of assets and any action taken.
Designated persons will take action to notify the appropriate internal parties, as necessary. All internal and external communication must be approved by the IRT Lead.
The IRT will determine the category and severity of the Incident and undertake discussions and activities to best determine the next best course of action, i.e., decide if protocol execution is required. Once the IRT is assembled, the Assessment Checklist is executed and reviewed to ensure all pertinent facts are established. All discussions, decisions and activities are to be documented.
Assessment should consist of the following at a minimum:
Incident data
The current date and time, and a brief description of the Incident
Who discovered the incident and how?
Types of information
What is the nature of the data?
Was the data held by FundApps or a third party?
How was the information held? Was the data encrypted or otherwise obfuscated?
Risk
Can we reasonably determine the risk or exposure?
To what degree are we certain that the data has or has not been released?
Can we identify and do we have contact with the party that received the data or caused the compromise? Describe what is known.
Identify the impacted customers, if possible.
What is the risk or exposure to FundApps?
What is the risk or exposure to the customer?
Next Steps
Do we have enough information to establish the category and severity of the Incident?
If additional data collection is required, assign responsibility to an IRT member for collection
Is there any deadline or reporting requirement (self‐imposed or regulatory) we need to address?
What communications need to be established? Provide details
Are there any immediate issues that have not been addressed? Describe
Recap all work and responsibility assignment
When do we meet again to follow‐up? Provide details
Designated persons will take action to notify the appropriate internal and external parties, as necessary. Communications may include meetings, video conferencing, teleconferencing, e‐mail, telephone/messaging, voice recordings or other means as deemed appropriate. All external communication must be approved by the IRT Lead. FundApps will endeavour to notify clients of any potential incidents impacting the confidentiality, integrity or availability of the client's data, stored in the FundApps platform, no later than 48 hours after having first detected an anomaly.
Customers - IRT Lead or CEO will establish communication with Customers, as appropriate for the circumstance
Other affected parties - IRT Lead or CEO will establish communication with other affected parties (such as hosting providers) as appropriate for the circumstance
Law enforcement - IRT Lead will establish if law enforcement is required and take appropriate action
Government or Regulatory Bodies - IRT Lead will establish if government notification (e.g. Information Commissioner) is required and take appropriate action
Media interest - CEO will deal with any communications with Media.
The IRT will determine and cause to be executed the appropriate activities and processes required to quickly restore circumstances to a normal (secure) state.
Corrective measures have the following primary objectives:
Secure the processing environment
Restore the processing environment to its normal state
Activities that may be required to return conditions from unauthorised access to a normal and secure processing state.
A1. Change passwords on all local user and administrator accounts or otherwise disable the accounts as appropriate.
A2. Change passwords for all administrator accounts where the account uses the same password across multiple appliances or systems (servers, firewalls, routers).
A3. Re-image systems to a secure state.
A4. Restore systems with data known to be of high integrity.
A5. Apply OS and application patches and updates.
A6. Modify access control lists as deemed appropriate.
A7. Implement IP filtering as deemed appropriate.
A8. Modify/implement firewall rule sets as deemed appropriate.
A9. Ensure anti‐virus is enabled and current.
A10. Make all personnel “security aware”.
A11. Monitor/scan systems to ensure problems have been resolved.
A12. Notify IRT of status and any action taken.
Activities that may be required to return conditions from an unauthorised acquisition to a normal and secure processing state.
B1. Retrieve or restore assets where possible.
B2. Store all sensitive materials in a secure manner (e.g., lockable cabinets or storage areas/container).
B3. Install/replace locks and issue keys only to authorised personnel.
B4. Restore security devices and/or apparatus to working condition.
B5. Remove and retain unauthorised equipment from network/area.
B6. Implement physical security devices and improvements (e.g., equipment cables, alarms) as deemed appropriate.
B7. Make all personnel “security aware”.
B8. Notify IRT of status and any action taken.
After the incident has been dealt with, a subsequent washup session will be run in order to identify if any further lessons can be learnt or actions taken aside from the immediate corrective measures.
The IRT will stay actively engaged throughout the life cycle of the Information Security Incident to assess the progress/status of all containment and corrective measures and determine at what point the incident can be considered resolved.
Recommendations for improvements to processes, policies, procedures, etc. will exist beyond the activities required for incident resolution and should not delay closing the Information Security Incident.
We have broken this policy out into separate areas, based on your relationship with us:
INFORMATION WE COLLECT FROM YOU:
Information submitted through our Websites - for example when requesting further information, downloading a whitepaper, responding to a survey or subscribing to a newsletter.
Any correspondence between ourselves and you. This may sometimes include recording of calls.
Details of actions that you carry out through our Websites.
Information which is tied to your usage of our Websites or your web browser - for example, your IP address, operating system, the site that referred you to our site, and the resources that you access.
Data on how marketing campaigns perform - for example, email opens and clicks.
INFORMATION WE COLLECT FROM OTHER SOURCES:
Publicly available information, such as company and staff details of target audiences whose compliance we can help to make simple.
WE USE THIS INFORMATION TO:
Approach you with information about FundApps services that we think is directly relevant to your profession. We rely on legitimate interest as the lawful basis on which we collect and use your data to do this.
Provide you with information, products or services that you request from us or which we think is directly relevant to your enquiry. We rely on legitimate interest as the lawful basis on which we collect and use your data to do this.
Provide you with FundApps news which we feel may interest you. We rely on consent as the lawful basis on which we collect and use your data to do this.
Investigate and help prevent security issues and abuse. We rely on legitimate interest as the lawful basis on which we collect and use your data to do this.
Ensure that content from the Website is presented in the most effective manner for you and for your computer. We rely on legitimate interest as the lawful basis on which we collect and use your data to do this.
WHO WILL WE SHARE IT WITH?
Anyone who works for us, our parent company or one of our subsidiaries.
Third parties if required to comply with the law, enforce our terms and conditions, or to protect the rights, property, or safety of us, our customers, or others.
HOW LONG WILL WE HOLD YOUR DATA?
Until you retract your consent.
Or until there is no longer a legitimate interest and no consent.
INFORMATION WE COLLECT FROM YOU:
We collect and process some or all of the following types of information from you:
Information you submit through our Website or third party Websites when applying for a job at FundApps.
Any correspondence between ourselves and you.
Information which is tied to your usage of our Website or your web browser - for example, your IP address, operating system, the site that referred you to our site, and the resources that you access.
INFORMATION WE COLLECT FROM OTHER SOURCES:
Publicly available information such as LinkedIn profiles or other social network profiles.
If you are successful through the initial stages of our recruitment process, we may also obtain personal data from other third parties such as:
References from nominated individuals.
Confirmation of educational qualifications from the relevant organisations.
Financial and criminal records from the relevant organisations.
WE USE THIS INFORMATION TO:
Approach you for a role we think is directly relevant to you. We rely on legitimate interest as the lawful basis on which we collect and use your data to do this.
Assess your fit for a role at FundApps. We rely on consent as the lawful basis on which we collect and use your data to do this.
Keep you updated with relevant job opportunities at FundApps. We rely on consent as the lawful basis on which we collect and use your data to do this.
Ensure we comply with anti-discrimination legislation.
WHO WILL WE SHARE IT WITH?
We may disclose your personal information to:
Anyone who works for us, our parent company or one of our subsidiaries.
Credit reference and employment agencies in order to perform educational, financial and criminal background checks.
Third parties if required to comply with the law, enforce our terms and conditions, or to protect the rights, property, or safety of us, our customers, or others.
HOW LONG WILL WE HOLD YOUR DATA?
Legally for a minimum of 12 months, or otherwise with your consent for a longer period.
A separate agreement governs delivery, access and use of the Services (the “Customer Agreement”), including information submitted through Services accounts (collectively, “Customer Data”). The organization (e.g., your employer or another entity or person) that entered into the Customer Agreement (“Customer”) controls their instance of the Services (their “Workspace”) and any associated Customer Data.
INFORMATION WE COLLECT FROM YOU:
We collect and process some or all of the following types of information from you:
Information that you provide using the FundApps platform - for example, your work email address, name and other contact details.
Information that you choose to share on the ‘Service’ - for example via our Rule Commentary feature.
Information you choose to share as part of a survey or collecting product feedback.
Any correspondence between ourselves and you. This may sometimes include recording of calls.
Details of all actions that you carry out through the Website and of the provision of services to you.
Details of your visits to the Platform including, but not limited to, traffic data, location data, weblogs and other communication data, the site that referred you to our site and the resources that you access.
INFORMATION WE COLLECT FROM OTHER SOURCES:
From time to time we also obtain personal data from other sources as follows:
Names and contact details of individuals who are Authorised Users for the Customer’s account may be added by existing Authorised Users.
WE USE THIS INFORMATION TO:
Provide access to Authorised Users of the platform.
Prevent and investigate security issues and abuse, for ourselves and our customers.
Ensure that content from the Service is presented in the most effective manner for you and for your computer.
Send you emails directly related to your use of the Service.
Improve the usability, reliability and functionality of the Service.
Provide support for your use of the Service.
Meet contractual obligations with our customers.
Where you are using our Services on behalf of our Customer, we rely on legitimate interests in performing our contract with our Customer as the lawful basis on which we collect and use your personal data.
WHO WILL WE SHARE IT WITH?
We may disclose your personal information to:
Anyone who works for us, our parent company or one of our subsidiaries.
Any sub-processors we’ve appointed in order to deliver the uses described above, such as hosting our platform, sending emails, providing product support and keeping the platform secure.
Other Authorised Users of the Customer on the FundApps platform.
Other Authorised Users of the wider FundApps platform, with your consent.
If we must disclose your personal data to comply with the law, or to enforce our Terms and Conditions or other agreements; or to protect the rights, property, or safety of us, our customers, or others.
HOW LONG WILL WE HOLD YOUR DATA?
FundApps will retain this data in accordance with a Customer’s instructions, including any applicable terms in the Customer Agreement and Customer’s use of Services functionality, and as required by applicable law.
FundApps works hard to protect the information you provide from loss, misuse, and unauthorised access or disclosure. These steps take into account the sensitivity of the information we collect, process and store, and the current state of technology.
Access to your personal data and to certain other supplementary information that this Policy is already designed to address.
Require us to correct any mistakes in your information which We hold.
Require the erasure of personal data concerning you in certain situations.
Receive the personal data concerning you which you have provided to Us, in a structured, commonly used and machine-readable format and have the right to transmit those data to a third party in certain situations.
Object at any time to processing of personal data concerning you for direct marketing.
Object to decisions being taken by automated means which produce legal effects concerning you or similarly significantly affect you.
Object in certain other situations to our continued processing of your personal data.
Otherwise restrict our processing of your personal data in certain circumstances.
Claim compensation for damages caused by our breach of any data protection laws.
If you would like to exercise any of those rights, please:
Contact us using our contact details below.
Let us have enough information to identify you,
Let us have proof of your identity and address. Where you are a user of our Services you should email us from the email address that you use to access FundApps. Receipt of an email from this address will usually be sufficient to confirm your identity. In all other cases we may request one or more identification documents, such as a copy of your driving licence or passport and a recent utility or credit card bill; and
Let us know the information to which your request relates.
The Website may, from time to time, contain links to and from the websites of our partner networks, advertisers and affiliates. If you follow a link to any of these websites, please note that these websites have their own privacy policies and terms of use and that we do not accept any responsibility or liability for these policies and terms of use. Please check these policies before you submit any personal data to these websites.
To support delivery of our services, FundApps Limited (or one of its affiliates listed below) engages and uses third party data processors with access to certain personal data - for example, providing infrastructure services, managing our candidate recruitment process, and helping us provide customer support and email notifications. These processors are:
Depending on your geographic location, or that of our customer, FundApps may also engage one or more of the following affiliates as sub-processors.
Entity Name
Entity Country
FundApps, Inc.
United States
FundApps Limited
UK
We apply the same privacy standards regardless of the affiliate you are engaged with. Please contact us if you require information as to the specific entity you have a relationship with.
We hope that We can resolve any query or concern you raise about our use of your information.
We may collect information about your computer, including where available your IP address, operating system and browser type, for system administration, customer support and to collect aggregate information for internal reporting purposes.
In addition, our Websites use cookies. A cookie is a small file of letters and numbers that we put on your computer if you agree. These cookies allow us to distinguish you from other users of the Website, which helps us to provide you with a good experience when you browse our Website and also allows us to improve the Website.
The cookies we use are "analytical" cookies. Some of the common uses for our cookies are as follows:
To recognise and count the number of visitors and to see how visitors move around the site when they are using it. This helps us to improve the way our Website works, for example by ensuring that users are finding what they are looking for easily.
To identify and authenticate a user across different pages of our Website, within our own Website, in a session or across different sessions. This is so that the user does not need to provide a password on every page the user visits; and
To be able to retrieve a user’s previously stored data, for example, information that the user previously submitted to the Website, so as to facilitate reuse of this information by the user.
FundApps may change this Privacy Policy from time to time. Laws, regulations and industry standards evolve, which may make those changes necessary, or we may make changes to our business. We will post the changes to this page and encourage you to review our Privacy Policy to stay informed. If we make changes that materially alter your privacy rights, FundApps will provide additional notice, such as via email or through the Services.
This privacy policy was last reviewed on 27 September 2019.
FundApps implements physical and logical access controls across its IT systems and services in order to provide authorised, granular, auditable and appropriate user access, and to ensure appropriate preservation of data confidentiality, integrity and availability in accordance with our Information Security Policy.
An owner responsible for managing user access
The kinds of data it stores and therefore the data classification and controls required to protect that information.
Status of basic controls such as SSO and two-factor
We utilise a centralised identity management platform in order to simplify and automate on-boarding and off-boarding for any information systems that support single-sign on or automated user provisioning. Our staff access database and identity management platform is then used during the off-boarding process to ensure all required privileges are revoked in a timely manner.
Access via HTTPS only;
Named accounts using Single sign-on (SSO) and two-factor authentication;
Audit logs of support staff accessing the system, which are visible to our customers;
Access is granted on a least-privilege and need-to-know basis;
Access review by head of Client Services on a quarterly basis.
Access to our production network is restricted to a very small set of staff. Controls in place include:
All credentials and accounts are provisioned through a configuration change management system that requires approval of the change;
Access to the network must be made via a secure connection to a bastion host using a previously authorised key and verified with a physical MFA token (YubiKey);
Each member of operational staff uses a named account to each server where access is required which is separately provisioned from the above network access;
Access is granted on a least-privilege and need-to-know basis;
All access to and key administrative actions on production servers are logged to a centralised audit store;
Access review by CTO on a quarterly basis.
Named accounts are mandatory, unless an exception is granted by the responsible data owner.
Any built-in, default accounts should be disabled or renamed and their passwords changed.
Single sign-on should be enabled and mandatory wherever possible.
Two-factor authentication should be enabled and mandatory wherever possible.
Passwords should not be re-used across systems. Passwords should be stored using an approved password management tool with a strong master password.
Use secure passwords (minimum 8 characters in length, and at least 3 out of 4 of lower case, upper case, digits and symbols).
Audit logs must provide non-repudiation for changes and access to FundApps Restricted and Confidential data.
See our data classification policy for more information on the specific controls in place.
Our hosting environments are provided by Amazon Web Services (AWS). AWS data centres are housed in nondescript facilities. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilising video surveillance, intrusion detection systems, and other electronic means. Authorised staff must pass two-factor authentication a minimum of two times to access data centre floors. All visitors and contractors are required to present identification and are signed in and continually escorted by authorised staff.
AWS keep some details of the physical measures in place at their data centres private; a fuller set of information is available under mutual NDA with AWS in their SOC 1 and SOC 2 reports.
Our office environment is alarmed and has both a keypad lock and physical key required for opening at start of business. In accordance with our IT policies, all staff equipment is encrypted using BitLocker. See our IT security policies for more information on further controls we have in place.
Sensitive data is considered anything classified as Confidential or Restricted by our .
This Privacy Policy describes how FundApps collects, uses and discloses information, and what choices you have with respect to the information. When we refer to “FundApps”, we mean the FundApps entity that acts as the controller or processor of your information, as described in the .
including fundapps.co and other FundApps websites (“Websites”)
We are committed to protecting and respecting your privacy. If you have any questions about your personal information please email us at . We are registered with the Information Commissioner’s Office under number ZA064794.
To learn more about current practices and policies regarding security and confidentiality that apply if you are a user of the FundApps platform, please see our .
Under the you have a number of important rights. Those include rights to:
For further information on each of those rights, including the circumstances in which they apply, see the.
Prior to engaging any third party sub-processor, FundApps performs diligence to evaluate their privacy, security and confidentiality practices, and executes an agreement implementing its applicable obligations. Please contact if you require information on these third parties with respect to your personal information.
The also gives you the right to lodge a complaint with a supervisory authority, in particular in the European Union (or European Economic Area) state where you work, normally live or where any alleged infringement of data protection laws occurred. The supervisory authority in the UK is the Information Commissioner who may be contacted at or telephone: 0303 123 1113.
All questions, comments and requests regarding this Privacy Policy should be addressed to .
This policy covers all FundApps IT systems and information not classified as 'Public' in our .
Each information system is recorded in our , which includes:
Access to each information system is on a least-privilege and as-needed basis. These are managed by the nominated owner of the system and access to each system is . These are reviewed as part of our monthly security stakeholder meeting.
Data stored in the FundApps platform is classified as 'FundApps Confidential' (see ). Support staff access the platform through the same interface our customers do. As such, controls in place include:
Ongoing ;
Our classifies data stored across all our IT Systems. Principles we follow include:
FundApps has performed a business impact analysis and maintains a risk register as part of our information security management system. The full risk register is .
The purpose of this policy is to define the way in which FundApps detects, classifies, mitigates and corrects vulnerabilities on its Information System. Effective implementation of this policy will reduce the probability and/or impact of vulnerabilities affecting the FundApps Information System.
This policy applies to the applications and infrastructure which make up FundApps' production environment. Physical vulnerability management is out of scope of this policy and is managed by our hosting provider (AWS).
Applications
A technical security audit will be conducted annually against FundApps' application in order to detect vulnerabilities and other security concerns. This assessment will be conducted against an environment identical to the production environment except that it will not contain production or sensitive data. An executive summary of the assessment and its findings will be made available to clients who request it within 20 working days of the assessment being completed.
Infrastructure
Automated vulnerability scanning of the production infrastructure will be conducted on a monthly basis.
Applications
Infrastructure
Process
Once vulnerabilities have been identified, rated and formalised, FundApps will manage risk treatment based on the following diagram:
By default, and as a maximum, the vulnerability acceptance period will be one year.
Applications
FundApps will endeavour to address vulnerabilities based on their severity as defined in the following table:
Action plan defined: Critical <=2 (*), High <=5 (*), Medium <=20 (*), Low <=20 (*)
Vulnerability mitigated: Critical <=2 (*), High <=5 (*), Medium <=20 (*), Low <=20 (*)
Vulnerability corrected or accepted (**): Critical <=2 (*), High <=5 (*), Medium <=20 (*), Low <=20 (*)
(*) number of working days after application vulnerability report is formalised. (**) Critical or High vulnerabilities will not be accepted. In the worst case scenario FundApps will mitigate these to reduce the risk to Medium.
Infrastructure
FundApps will endeavour to address infrastructure vulnerabilities based on their severity as defined in the following table:
Vulnerability corrected or accepted: Critical <=20 (*), High <=40 (*), Medium <=60 (*), Low: best effort
(*) number of working days after vulnerability has been identified.
Application vulnerabilities will be rated based on their impact and likelihood. Possible vulnerability ratings are Low, Medium, High and Critical. The rating system is based on the OWASP Risk Rating Methodology ().
Infrastructure vulnerabilities will be rated using the Common Vulnerability Scoring System (). Possible vulnerability ratings are None (0.0), Low (0.1 - 3.9), Medium (4.0 - 6.9), High (7.0 - 8.9) and Critical (9.0 - 10.0).
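The remediation targets above are easiest to track when the two tables and the rating bands are encoded once. The following is an added example written for this page, not FundApps' own tooling: it maps a CVSS base score to the page's rating bands, turns each table into working-day deadlines, and applies the rule that Critical or High application findings cannot be risk-accepted. It assumes a Monday-to-Friday working week and ignores public holidays, which the page does not define.

```python
"""Vulnerability SLA tracker built from the remediation tables above (added example)."""
from datetime import date, timedelta

# Application table: working days after the vulnerability report is formalised.
APPLICATION_SLA = {
    "Critical": {"action_plan": 2,  "mitigated": 2,  "corrected_or_accepted": 2},
    "High":     {"action_plan": 5,  "mitigated": 5,  "corrected_or_accepted": 5},
    "Medium":   {"action_plan": 20, "mitigated": 20, "corrected_or_accepted": 20},
    "Low":      {"action_plan": 20, "mitigated": 20, "corrected_or_accepted": 20},
}

# Infrastructure table: working days after identification until corrected or accepted.
# Low is "best effort", which carries no deadline; represented as None.
INFRASTRUCTURE_SLA = {"Critical": 20, "High": 40, "Medium": 60, "Low": None}


def cvss_rating(score: float) -> str:
    """Map a CVSS base score to the bands used for infrastructure findings."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def add_working_days(start: date, days: int) -> date:
    """Return the date `days` working days (Mon-Fri, no holiday calendar) after `start`."""
    current, remaining = start, days
    while remaining > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:  # 0..4 are Monday..Friday
            remaining -= 1
    return current


def application_deadlines(rating: str, formalised: date) -> dict:
    """Deadline for each milestone of an application finding rated Low..Critical."""
    if rating not in APPLICATION_SLA:
        raise ValueError(f"unknown application rating: {rating}")
    return {milestone: add_working_days(formalised, days)
            for milestone, days in APPLICATION_SLA[rating].items()}


def infrastructure_deadline(score: float, identified: date):
    """Correct-or-accept deadline for an infrastructure finding, or None for best effort."""
    rating = cvss_rating(score)
    if rating == "None":
        return None
    days = INFRASTRUCTURE_SLA[rating]
    return None if days is None else add_working_days(identified, days)


def may_accept(kind: str, rating: str) -> bool:
    """Critical and High application findings must be corrected or mitigated, never accepted."""
    if kind == "application":
        return rating not in ("Critical", "High")
    return True


def acceptance_expiry(accepted_on: date) -> date:
    """Accepted risk must be revisited within one year, the maximum the policy allows."""
    try:
        return accepted_on.replace(year=accepted_on.year + 1)
    except ValueError:  # 29 February in a non-leap year
        return accepted_on.replace(year=accepted_on.year + 1, day=28)


def is_overdue(deadline, today: date) -> bool:
    """True when a milestone deadline has passed; best-effort items are never overdue."""
    return deadline is not None and today > deadline


if __name__ == "__main__":
    # Constructed sample: a High application finding formalised on a Friday.
    reported = date(2019, 9, 27)
    for milestone, due in application_deadlines("High", reported).items():
        print(f"{milestone}: due {due}, overdue={is_overdue(due, date(2019, 10, 7))}")
    print("infra CVSS 7.5 due:", infrastructure_deadline(7.5, reported))
```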