This document provides an introduction to FundApps' shareholding disclosure service and its platform. FundApps provide shareholding disclosure monitoring services via a hosted web application 'Rapptr'. Rapptr is provided via FundApps controlled infrastructure from secure and strictly controlled hosting environments. We maintain the software, continuously updating with the latest software enhancements and legislative content updates.

Workflow

Users of the system may choose to receive notification e-mails letting them know when this process has concluded and results are available inside the system. Users use a browser-based user interface to view the results of running the batch job and follow a workflow inside the software to investigate any results and file disclosures. Historical data from checks is retained within the system to provide a timeline of results and to facilitate correct calculation of disclosure requirements.

Software

Rapptr is kept constantly up to date with the latest enhancements and fixes. We continuously deliver changes from development and content teams to client production environments. To support this activity we employ a best practices-based development approach employing test-driven development, pair programming and code review to reduce risk and improve software quality.

Every change to our software and rule content is run through an ever growing test suite to ensure a minimal amount of risk in this continuous update process. Security considerations are built into our software lifecycle; we identify work items early on that have security implications. We conduct an annual penetration test and supply our clients with the report and a remediation plan.

Deployment of changes of the Rapptr software is a fully automated and hands-off process.

Platform

With control over both software and infrastructure FundApps is able to deliver best in class availability and security. The principle of least privilege is applied throughout; at the network, system and software levels to tightly control availability of data and reduce the potential for security breaches.

Data Security

On our AWS infrastructure, this data is subsequently encrypted at rest and employs a key management system which allows us to rotate the keys used for the encryption of these volumes on a regular basis. Backups are also stored encrypted at rest, meaning data is never available in cleartext.

Access Control

Rapptr enforces several layers of access control.

Authentication: Rapptr allows clients to either use the Rapptr native single-factor authentication mechanism, the native multi-factor authentication mechanism or to integrate the platform with their Single-Sign-On.

Network access control: FundApps is able to provide further access control by applying IP restrictions to client environments, preventing access from networks other than those of the client site. These restrictions operate before any authentication to the system and prevent any requests being made to the application at all.‌

Client Segregation: Individual client environments are isolated at infrastructure level using separate databases, web and engine instances.

Access Control Audit Trail: A complete audit trail is visible inside the application and allows tracking of all operations taken inside the system, along with user access events. This auditing includes any support activities performed by FundApps staff.

Processes & Controls

We ship all log events generated on the platform to a central store for audit, reporting and alerting activity. Direct access to production systems is strictly restricted, to key personnel with a direct operational need and these accesses are reviewed on a monthly basis.

Monitoring

We have automated monitoring of critical conditions for both infrastructure and software in the platform. These conditions create alerts following escalation policies and where necessary alert operators on a 24/7 basis to preserve the integrity and availability of the platform.

Furthermore, FundApps uses a 24/7 Security Operation Centre (SOC) to detect and respond to security alerts.

Application performance and infrastructure metrics are used for capacity planning and platform management; ensuring there is always sufficient capacity available across the platform to satisfy all demands.

Technical Resilience

NOTE: At FundApps we're focused on offering the best possible services to the investment management industry. As part of that, we have a firm commitment to ensuring our platform remains highly available and your data remains secure. We have made this resource available to clients and prospective clients in order to learn more about how we achieve this and to assist with any due diligence questions you may have.

Our own staff use this resource to review security policy and educate themselves on our approaches. This is by it's nature a "living" document - which will evolve as we continually evaluate how we can deliver a best of breed platform to the industry.

If you require any clarifications or have any questions then don't hesitate to contact us.

Overview

FundApps approaches both information security and business continuity from risk based principles. Each identified information security or business continuity risk is reviewed with regard to Likelihood (the possibility of a risk happening), and Impact (the consequence of a risk happening).

Risks can be identified by any member of staff, and, staff members are encouraged to contribute. Once risks are identified and reviewed for Likelihood and Impact, an appropriate remediation plan can be formulated.

The key is that risk management drives activity to resolve identified risks, and is the responsibility is that of each employee of FundApps.

Risk Appetite

FundApps has no appetite for safety risks that could result in the injury or loss of life of FundApps staff, clients or partners.

FundApps has no appetite for information security risks that could result in unauthorised or accidental disclosure of, client or other sensitive information.

FundApps has a low appetite for business continuity risks which prevent it's ability to provide it's service to it's client.

Risk Tolerance

It is important to note that following the risk management framework, any risk that equals or exceeds a risk rating of twelve (12) will exceed the FundApps Risk Tolerance level and therefore will require a risk treatment plan to lower the risk profile. See the FundApps Risk Management Matrix at the bottom of the page for further information.

Risk Management Process

A- Risk Identification

Potential information security risks and business continuity risks are identified through both formal and informal channels:

1. Monthly security review meetings

2. Incident response and reviews

3. As part of the Software Development Lifecycle

4. As part of the continuous release management

5. As part of everyday working practice

B- Risk Assessment

Likelihood and impact

Potential risks are recorded in the risk register and assigned an owner. Risks are assessed on two criteria with regards to any current controls that may already be in place:

• Likelihood, according to the FundApps Risk Management Matrix (cf. bottom of the page). Likelihood should consider the specific vulnerability or threats that may exploit this vulnerability.

Residual risk

The assessment of likelihood and impact places the risk within risk tolerance levels defined in the Risk Management Matrix (cf. bottom of the page).

Each risk level consists of

• the likelihood and impact levels

• a timeframe for review while the risk is open

• a timeframe for review once the risk is closed

C- Risk Response

Based on this categorization we can then design a risk response in order to reduce our residual risk.

Strategies for responding to the risk can include:

• Avoid risk – activities with a high likelihood of loss and large business impact. The best response is to avoid the activity.

• Mitigate risk – activities with a high likelihood of occurring, but business impact is small. The best response is to use management control systems to reduce the risk of potential loss.

• Transfer risk – activities with low probability of occurring, but with a large business impact. The best response is to transfer a portion or all of the risk to a third party by purchasing insurance, hedging, outsourcing, or entering into partnerships.

• Accept risk – if cost-benefit analysis determines the cost to mitigate risk is higher than cost to bear the risk, then the best response is to accept and continually monitor the risk.

Our risk response may generate information security or business continuity controls which could be technical, procedural or policy based.

D- Risk and Control Monitoring

Identified risks and their mitigating controls are monitored and reviewed at least annually in order to ensure the residual risk is within the risk appetite. Should the residual risk change, either due to a change in the intrinsic risk, or due to the control effectiveness, the risk response will be reviewed.

Risk Management Matrix

• Client support queries

• Internal communications

• Server logs

• Development source code

Identification

Information assets are identified as part of:

• Monthly company-wide security awareness sessions

• Monthly security review meetings

• Our software development lifecycle

• Everyday working practice

Assessment

For each information asset identified, we

• Assign an owner for the information

• Identify if it falls under any specific regulation (primarily General Data Protection Regulation)

• Identify an appropriate data classification from these ratings

Any changes to the register results in:

• updates to our data classification policy with regards the information systems and asset information falling under each classification

Review

Information systems are reviewed as part of our monthly security review meetings.

The ISMS applies to the shareholding disclosure, position limits and sensitive industries services, which FundApps delivers to its clients. It also applies to the information assets, processes, teams and external service providers which FundApps relies on to provide these services.

Services provided

FundApps’ three main services provided are:

Shareholding Disclosure

FundApps’ Shareholding Disclosure service helps compliance professionals with shareholding disclosure requirements, prove adherence to regulation and mitigate reputational risk to avoid fines.

FundApps’ outsourced, managed service combines FundApps’ proprietary rules engine with a team of compliance professionals and legal information from aosphere (an affiliate of Allen & Overy) and other regulatory data sources.

FundApps automates disclosure requirements such as major shareholding, 13F reporting, short selling (including EU Short Selling Rules, takeover panels, issuer limits, and issuer requests (such as Section 793).

Position Limits

FundApps' Position Limits is a managed service for financial institutions, who trade derivative contracts on multiple exchanges. It combines FundApps’ proprietary rules engine with a dedicated team of compliance professionals and up-to-date contract limits and exchange data. It helps compliance managers monitor holdings against position limits for exchange-traded contracts resulting from MiFID II regulation, as well as limits imposed by regulatory bodies such as the United States’ Community Futures Trading Commission (CFTC).

Sensitive Industries

FundApps automates the monitoring of regulatory disclosure thresholds in “sensitive industries”, including pre-approval and post notification, hard-stop and issuer-specific limits. FundApps’ Sensitive Industry rules cover industries in jurisdictions which have different regulations governing ownership.

People

The FundApps departments within the scope of the ISMS are:

• Client Services – On-board clients and assist them throughout their experience with Rapptr.

• Content – Help to ensure rules correctly mirror current regulation.

• Finance – Manage FundApps’ budget, cash flow, tax planning and record keeping.

• People Operations – Team responsible for employer brand, recruitment and on-boarding through to development, reward and recognition.

• Product – Design and develop products to achieve the company’s objectives.

• Engineering – Manage and maintain system architecture and design for all hosted clients.

At a high level, the following executives and teams support FundApps’ processes and services:

• CEO – Assigns authority and responsibility for operating activities and reporting relationships. FundApps’ CEO defines and communicates the company’s objectives.

• Head of Client Services – Takes the lead in owning FundApps client portfolio and drive cross-team collaboration to support FundApps’ objectives.

• Head of Product – Accountable for all product management and content team activities globally.

• Chief Technology Officer – Provides direction and decision making on what technologies to use, the architecture of the platforms and best technical practices to follow.

• Head of Sales – Accountable for all sales activities within the region and as the People Leader for the Regional Sales team.

• Head of People Operations – Reporting directly to the CEO, the head of People Operations smooths the next phase in growth as FundApps scales.

• Information Security Lead – Responsible for managing Information Security, Cyber Security and Business Continuity risks potentially impacting FundApps.

Offices

FundApps operates out of three offices:

• 114-116 Curtain Road, London EC2A 3AH, United Kingdom

• 115 Broadway, New York, NY 10006, USA

• #02-11, Capitol Piazza, 13 Stamford Road, Singapore 0178905

Infrastructure

FundApps services make use of a resilient infrastructure, which is hosted within multiple data centres (availability zones) and regions operated by Amazon Web Services.

There are two environments with a primary environment made up of three data centres within a single geographic region, from which the service is provided in normal operation. There is also a secondary environment, in an alternate geographic region, which is used in case the primary environment is unavailable.

Each of the three data centres within the primary environment have discrete power and Internet connectivity. FundApps’ primary environment is designed to continue to provide its service should two of the three centres suffer concomitant failures.

Should the whole primary environment fail, FundApps has procedures to recover its service in the secondary environment.

The critical components of this highly available infrastructure include:

• Proxy servers, which filter inbound traffic and route them to the correct servers;

• Web front-end servers, which provide FundApps clients with a web user interface and an application programming interface (API);

• Engine servers, which perform apply rule sets analysis of FundApps clients’ financial positions;

• Database servers, which store the results of this analysis, as well as objects and events related to client environments;

• Network Address Translation Gateways used by the servers to connect to non-FundApps resources; and

• Bastion hosts, which FundApps staff use to administrate the infrastructure.

Software

FundApps’ platform consists of system software (operating systems, middleware, and utilities) that supports its applications. FundApps’ stack is made of Windows servers running Internet Information Services (IIS), SQL Server and RabbitMQ.

AWS services such as Elastic Load Balancing, Amazon Route 53, AWS Lambda and Amazon Simple Storage Service are also used to support the service provided. Ingress traffic is filtered by high availability web proxies deployed to Linux servers running Ubuntu operating system.

The software developed by FundApps is mostly written in C# and NodeJS programming languages. This software is accessible to clients through a Web User Interface and an Application Programming Interface (API).

FundApps’ platform is kept up to date with the latest enhancements and fixes. FundApps delivers changes from development and content teams to client production environments. To support this activity FundApps employs test-driven development, pair programming and code review to reduce risk and improve software quality.

Every change to software and rule content is run through a test suite to achieve a minimal amount of reduce risk in this continuous update process. Security considerations are built into the software lifecycle. FundApps identify work items early on that have security implications.

Deployment of changes of the FundApps platform software is a fully automated process

Interfaces and Dependencies

Amazon Web Services

AWS provide hosting services and is used to host the FundApps platform.

Data Centre Physical Security Overview

All data hosted in FundApps’ platform is hosted by AWS within the EU in facilities with physical security controls in place. AWS hold industry standard certifications relating to security and availability, including but not limited to ISO 9001, 27001, as well as SOC I and II attestations. Full details of the certification activities undertaken by FundApps’ hosting partner are available via AWS compliance.

Data Centre Access Control

AWS provides physical data centre access only to approved employees. All employees who need data centre access must first apply for access and provide a valid business justification. These requests are granted based on the principle of least privilege, where requests must specify to which layer of the data centre the individual needs access, and are time-bound. Requests are reviewed and approved by authorised personnel, and access is revoked after the requested time expires. Once granted admittance, individuals are restricted to areas specified in their permissions.

Third-party access is requested by approved AWS employees, who must apply for third-party access and provide a valid business justification. These requests are granted based on the principle of least privilege, where requests must specify to which layer of the data centre the individual needs access, and are time-bound. These requests are approved by authorised personnel, and access is revoked after request time expires. Once granted admittance, individuals are restricted to areas specified in their permissions. Anyone granted visitor badge access must present identification when arriving on site and are signed in and escorted by authorised staff.

Alert Logic

Alert Logic provide network-based and host-based Intrusion Prevention Services (IPS), as well as a 24/7 Security Operation Centre (SOC).

Exclusions

There are no exclusions to the ISMS.

• Rapptr (client instances)

• Amazon AWS (production data)

• Google Mail (our own internal communications)

Identification

Information systems are identified as part of:

• Monthly company-wide security awareness sessions

• Monthly security review meetings

• Our software development lifecycle

• Everyday working practice

Third party vendors

Information systems that FundApps depend on that are managed by third party vendors are included in this register. As such we evaluate business continuity and sufficient security controls as part of our assessment process.

Assessment

For each information system identified, we

• Assign an owner for the system

• Identify information security controls based on the data classification

• Identify business continuity controls based on the data classification

Review

Information systems are reviewed as part of our monthly security review meetings.

Introduction

At FundApps we believe in simplicity, automation and testing in order to deliver high quality software - and that follows through our entire software development process. Testing is a integral part of this - not only through our software development but also our rules team who implement the legal changes made around the world.

Supporting Information

Roadmaps and ideas for new development are captured as ‘living documents’, describing areas of functionality of our product, and possible new features - both internal ideas and suggestions from clients.

All artifacts are deployed from a centralized system that retains all deployed versions of artifacts and records of the versions, times and where applicable, manual intervention to trigger a deployment. This information is made available throughout the company via internal communications and stored for audit purposes.

Change Management Controls

Authorising Changes

Testing changes

All changes are tested with a multi-level test suite (Front End tests, integration tests, unit tests, rule tests, static application security testing as well as Open Source Software License scans) as can be seen in figures 4, 5, 6 and 7. Changes cannot be applied to production if tests fail. Finally, a dynamic application security testing tool scans a client-like environment on a weekly basis.

Approving changes and Segregation of Duties

Emergency changes

All builds are stored allowing to rollback to the last known good build in case of an emergency.

Change Management Steps

1. Work item specified Work items are scoped and defined as development tasks in ClubHouse. Potential security issues flagged and discussed at this stage. Items prioritised and tackled by the team (Figure 2)

2. Development work Development or configuration work is performed as scoped and defined in the work item.

3. Pull Request created Once the work is complete, or at intermediate stages for larger work items ‘pull requests’ are created (Figure 3). Pull requests specify the desired changes across files and act as proposals for specific change.

5. Built by CI server All releases and pull requests are compiled on a build server, to check that the artifacts contained in source control are complete.

6. Unit Tests Run All unit tests contained within the test suites are run on the build server to verify that the release functions as specified in an isolated environment. This occurs both on pull requests and on the master branch (Figure 3 & 4).

7. Change merged to master branch Once the pull request has all tests passing and any identified changes to pass review have been made, the pull request is merged to master and becomes a potential release of the system.

8. Test Rule Content with release The test suite maintained for our legislative rule content is run using the logic and algorithms of the proposed new release to confirm behaviour and semantics are maintained.

9. Deploy to master testing environment The proposed release is deployed to a master testing environment, to validate that the release can be successfully deployed and that the resulting instance reports a healthy status.

10. Run Feature Tests A series of automated feature tests, using a scripted web browser covering the key functionality of the system are run (uploading files, viewing results etc). These establish that the proposed release loads correctly and performs the desired tasks.

11. Deploy to master staging environment The proposed release is deployed into a staging environment in our Production network (Figure 5). This verifies that the release can be deployed successfully with production configuration and infrastructure

12. Smoke Test A smoke test is performed by checking the health of the master staging environment and uploading a position file. This ensures that in the production environment, the system is able to accept uploads and process data.

13. Deploy to client performance environment If desired, or if the release presents questions regarding performance impact (identified during the pull request review), the release may be deployed to a specific performance testing environment to examine performance characteristics on the production network before availability to clients.

14. Deploy to client staging environment (automated) Given successful completion of all previous steps and check, a release is promoted to all client staging environments.

15. Deploy to client production environment (automated) Given that a release has been successfully deployed to a client’s staging environment, it is promoted to all client production environments. This process may be conducted for all clients sequentially.

In order to preserve the appropriate confidentiality, integrity and availability of FundApps information assets, we must make sure they are protected against unauthorized access, disclosure or modification. This is critical for all personal data, client data and FundApps proprietary data we deal with across the FundApps business.

This standard applies to all FundApps information, irrespective of the data location or the type of device it resides on.

Approach

As a result, we can see at a glance

• What information assets fall under which data classification

• What information systems hold data falling under those classifications

• The controls that we expect each system to have in place

Responsibilities

FundApps & third parties

All FundApps employees, contractors and third parties who interact with information held by and on behalf of the FundApps are responsible for assessing and classifying the information they work with and applying the appropriate controls. Individuals must respect the security classification of any information as defined and must report the inappropriate situation of information to the Information Security Manager or Head of Security as quickly as possible.

System Owners

Each System has an owner who is responsible for assessing the information it contains and classifying its sensitivity. Systems owners are then responsible for ensuring the appropriate controls are in place in conjunction with the Information Security Lead.

Management team

Responsible for the advising on and recommending information security standards on data classification and ensuring these are regularly reviewed.

Classification and Protection Guidance

The latest classification guidance can be found below.

(*) RTO means Recovery Time Objective.

Reporting Violations

Report suspected violations of this policy to the Information Security Lead, the CTO or the CEO. Reports of violations are considered Restricted data until otherwise classified.

The following table describes the plan for 2021 to achieve FundApps' objectives.

At FundApps we are dedicated to providing the highest quality of support while ensuring consistent data confidentiality, integrity, and availability.

As such, there are certain actions we can (and cannot) take on your behalf. The following is a list of some of the work practices you can expect from us:

What we do

• We use secure virtual desktops hosted in our AWS production environment to access client platforms.

• We provide a valid and unambiguous reason every time we log into a client environment (reviewable at any time in the audit trail).

• We may click the "Validate File" button in order to troubleshoot failed file validations

• We may download/export relevant files in order to conduct necessary analysis to troubleshoot unexpected behaviour (i.e. disclosure documents, positions and portfolio files). These files will only be downloaded to secure virtual desktops and destroyed when no longer required.

• We may create or edit Companies as part of the environment setup. Subsequent changes must be based on a written request from a client with the administrator privileges.

What we are unable to do

• We cannot create or edit any users (except the initial admin users when setting up the environment)

• We cannot create or edit any data overrides

• We cannot upload any files to client environments (except disaggregations & imported disclosures as part of the initial setup)

• We cannot interact with results, except when downloading already generated documents to support

• We cannot action any tasks, including approving any rules

• We cannot download any files from a client’s platform anywhere except a secure virtual desktop.

FundApps management believes that embedding security into the culture of FundApps is critical to the success of our information security program, and as such this is a management priority.

FundApps implements the following practices to achieve this objective:

• New joiners go through an Information Security training when they start at FundApps. This training covers what is Information Security, why it’s important to FundApps and what is expected of FundApps staff and contractors;

• Security-themed presentations to all of FundApps’ staff;

• Technical Security presentations to engineers on most common vulnerabilities;

• Channels in company communication tool with security news;

• Monthly security review session for key stakeholders where we actively review security access lists, audit logs and risk register;

• Culture of continuous improvement across all areas of the business.

FundApps is committed to a robust implementation of Information Security Management. All our hosting environments are certified to ISO 27001. As an organisation we are endeavour to align our processes to ISO 27001 and the NIST Cyber Security Framework.

We are specifically committed to preserving the confidentiality, integrity and availability of data and documentation supplied by, generated by and held on behalf of our clients. The principles defined in this policy will be applied to all of the physical and electronic information assets for which the FundApps is responsible.

Our senior management team are directly responsible for ensuring that all FundApps staff have been made aware of these procedures and their contents.

All employees have access to this information, are required to abide by them, and are encouraged to regularly review and update these in their relevant areas.

Definitions

Information security is the practice of preventing unauthorized access, use, disclosure, disruption, modification, inspection, recording or destruction of information. It focuses primarily on the confidentiality, integrity and availability of data.

FundApps Data, for the purposes of this policy, is data owned, processed or held by FundApps, whether primary or secondary, irrespective of storage location. It is used interchangeably with the term ‘information’.

Context of the organisation

FundApps, headquartered in London, United Kingdom, helps investment managers to harness the power of community and technology to automate regulatory compliance.

There are a number of internal and external factors that create uncertainty that gives rise to risk. These include:

Internal Issues

Information

• FundApps processes the following types of information which require adequate protection:

  • sensitive client information,

  • personal data,

  • Sensitive FundApps Intellectual property.

People

• Staff turnover,

• Induction of new joiners,

• Staff role changes,

• High rate of recruitment due to rapid growth.

Organisation

• Use of contractors,

• Staff working in different time zones.

Products/Services

• Products needs to align with evolving regulations,

• FundApps services’ competitive advantage relies partly on its intellectual property.

Systems and Processes

• Staff work from home,

• Lack of process documentation.

External Issues

Political Factors

• Divergence of regulations between UK and EU following Brexit,

• Frequent changes made to regulations.

Economic Factors

• Market conditions affect our clients’ ability to subscribe to FundApps’ services,

• Higher staff costs due to an increasing demand for software engineers or regulatory experts in a constrained market.

Social Factors

• Increase in working from home and bring your own devices practices.

Technological Factors

• Fast evolving threat landscape (e.g. ransomware campaigns),

• Increased expectation from clients to manage their own security (e.g. Bring Your Own Key, feed export logs to client SIEM).

Environmental Factors

• Pandemic affects how people work.

Legal Factors

• More lenient financial regulations makes our products less appealing.

• Regulations on personal data such as GDPR

• Regulations on access to MNPI and insider trading.

• Technology related legislation, such as the Computer Misuse Act 1990 or Freedom of Information Act 2000

• Intellectual property concerns related to the use of open source software.

Objectives

The objectives of the ISMS are:

Scope

Information security principles

The following eight information security principles provide overarching governance for the security and management of information at FundApps.

3. Staff with particular responsibilities for information are responsible for ensuring the classification of that information; for handling that information in accordance with its classification level; and for any policies, procedures or systems for meeting those responsibilities.

4. All users covered by the scope of this policy must handle information appropriately and in accordance with its classification level.

5. As far as is reasonably possible, endeavours must be made to ensure data is complete, relevant, accurate, timely and consistent.

6. Information should be both secure and available to those with a legitimate need for access in accordance with its classification level.

7. Information will be protected against unauthorized access and processing in accordance with its classification level.

8. Information will be protected against loss or corruption.

9. Breaches of this policy must be reported

Legal & Regulatory Obligations

FundApps has a responsibility to abide by and adhere to all current UK and EU legislation as well as a variety of regulatory and contractual requirements. Relevant legislation includes: • The Computer Misuse Act 1990 • General Data Protection Regulation 2018 • The Freedom of Information Act 2000 • Regulation of Investigatory Powers Act 2000 • Copyright, Designs and Patents Act 1988 • Defamation Act 1996 • Obscene Publications Act 1959 • Protection of Children Act 1978 • Criminal Justice Act 1988 • Digital Economy Act 2010

A non-exhaustive summary of the legislation and regulatory and contractual obligations that contribute to the form and content of this policy is provided below. Related policies will detail other applicable legislative requirements or provide further detail on the obligations arising from the legislation summarised below.

Key Legislation Summary

The Computer Misuse Act 1990 defines offences in relation to the misuse of computers as: 1. Unauthorised access to computer material. 2. Unauthorised access with intent to commit or facilitate commission of further offences. 3. Unauthorised modification of computer material.

The General Data Protection Regulation 2018 (GDPR) defines obligations for businesses and organisations that collect, process and stored individuals' personal data. GDPR outlines seven data protection principles which relate to:

1. Lawfulness, fairness and transparency

2. Purpose limitation

3. Data minimisation

4. Accuracy

5. Storage limitation

6. Integrity and confidentiality (security)

7. Accountability

Supporting Policies, Codes of Practice, Procedures and Guidelines

Compliance, Policy Awareness and Disciplinary Procedures

Any security breach of FundApps information systems could lead to the possible loss of confidentiality, integrity and availability of personal or other confidential data stored on these information systems. The loss or breach of confidentiality of personal data is an infringement of the Data Protection Act 1998, contravenes FundApps Data Protection Policy, and may result in criminal or civil action against FundApps.

The loss or breach of confidentiality of contractually assured information may result in the loss of business, financial penalties or criminal or civil action against FundApps. Therefore it is crucial that all users of the FundApps information systems adhere to the Information Security Policy and its supporting policies as well as the Information Classification Standards.

All current staff and other authorised users will be informed of the existence of this policy and the availability of supporting policies, codes of practice and guidelines.

Any security breach will be handled in accordance with all relevant FundApps policies, including the Conditions of Use of IT Facilities at FundApps and the appropriate disciplinary policies.

Incident Handling

Review and Development

This policy, and its subsidiaries, shall be reviewed by FundApps and updated regularly to ensure that they remain appropriate in the light of any relevant changes to the law, organisational policies or contractual obligations.

Interested Parties

The list of interested parties in FundApps' ISMS and their requirements are as follows:

Analysis of performance

Based on these indicators, FundApps will assess whether its ISMS is performing efficiently and whether root causes of underperformance are being identified and managed appropriately.

Management Review

At least once per calendar year a review of the ISMS will be done to ensure its continuing suitability, adequacy and effectiveness.

Attendees

The annual management review meeting will have the following attendees:

• the ISMS Implementer,

• the ISMS Manager, and

• at least one member from the Leadership Team, which can be the ISMS Manager.

Agenda

The agenda will include the following topics:

1. Status of actions from previous management reviews

2. Relevant changes in external and internal issues

3. Performance of the ISMS

   1. Audit results, non conformities and corrective actions

   2. Monitoring and measurement results

   3. Information Security Objectives

4. Feedback from interested parties

5. Results of risk assessment and status of risk treatment plan

6. Opportunities for continual improvement

Objective

This policy defines the internal audit process of FundApps' Information Security Management System (ISMS).

Scope

Frequency and Coverage

Internal audits shall be performed against FundApps' ISMS at planned intervals at least once per year.

The annual internal audit must cover a section of the ISMS so that over a period of 3 years, the entirety of the ISMS scope can be audited.

Internal Auditor

The internal auditor shall be appointed by the ISMS Manager. The auditor and may be a member of FundApps or an external trusted third party auditor. Auditor selection shall be done to ensure objectivity and the impartiality of the audit process.

Internal Audit Process

Audit Planning

Audits shall be planned in advance and the ISMS Manager shall be notified no less than 5 business days ahead of time.

The internal auditor shall prepare the audit plan which shall define the scope of the ISMS, including the scope of the controls, which shall be audited.

Amongst others, the audit plan must take as an input the following items:

• Security related incidents that have occurred since last audit;

• Changes made to the Information Security Policy;

• Changes made to Information Security controls;

• Improvements made to the ISMS.

The resulting audit plan must be validated by the ISMS Manager.

Upon validation the ISMS auditor must communicate the plan to the interested parties.

Audit Preparation

The internal auditor shall collect and study the previous audit findings and outstanding issues. They shall also prepare relevant documents required for the audit (e.g. ISMS Audit checklist).

Conduct Audit

During the audit, the internal auditor shall find relevant evidence to ascertain that:

• The information security policy reflects the current business requirements;

• An appropriate risk assessment methodology is being used;

• Documented procedures (within the scope of the ISMS) are being followed and are meeting their objectives;

• Controls are in place and working as intended;

• Residual risks have been assessed correctly and are within FundApps' risk appetite and risk tolerance levels;

• The agreed actions from the previous audits have been implemented;

• The ISMS is compliant with ISO 27001.

Audit Reporting

The internal auditor shall prepare an audit report based on the audit findings. Findings shall be labelled according to their severity and priority level:

• Major Non-Conformity - This pertains to a major deficiency in the ISMS and exists if one or more elements of the ISO/IEC 27001: 2013 Information Security standard is not implemented and this finding shall have a direct effect on information security, specifically on the preservation of confidentiality, integrity and availability of information assets.

• Minor Non-Conformity - A minor deficiency. One or more elements of the ISMS is/are only partially complied with. Minor non-conformities have an indirect effect on information security.

• Observations/Potential Improvements – An audit recommendation for improvement for consideration by FundApps.

The internal auditor shall send the audit report to the ISMS Manager and the ISMS Implementer.

Audit Remediation

According to the audit findings and the non-conformity levels, an action plan and potential follow-up audit shall be defined by the ISMS Implementer and validated by the ISMS Manager. The scope of a follow-up audit is limited to the non conformity and the same mechanisms that produced the finding are used.

Appendix

Internal Audit Template

Whether it's a USB stick left on a train, a website hack leading to stolen confidential information, or phishing attacks compromising accounts - IT security is in the news more and more.

FundApps is privy to sensitive client information daily and therefore it’s important a pro-active approach to security is taken. Our policies captured in this living document are therefore the responsibility of everyone in the Company to uphold and update. With suggestions and improvements be raised and addressed as required with the team and the CTO.

NOTE: Security doesn't stop when you leave the office. This policy applies to both FundApps provided equipment, but also any other equipment you may use to access FundApps systems or software.

Guiding principles & security awareness

Top tips

• Better safe than sorry. Use common sense. If you're not sure whether something is a good idea (downloading a piece of software, opening an email, leaving a laptop unattended, using a particular third party service) - it probably isn't. Discuss it with the team!

• Educate yourself - read about a security breach? Find out how it happened and why. Think about whether there's anything we could do differently at FundApps to stop it happening here. Also see "other reading".

• If you know or suspect a loss or theft of confidential information has a occurred, or the security or integrity of any system has potentially been compromised - report it immediately to the CTO and CEO. Keep trying until they confirm they are aware.

Raising others awareness

Don't just educate yourself, share with the team.

• Join our #security channel in Slack

• Read about a recent security breach at a company? Find a link that talks about what happened in detail and share it in Slack with the company

• See someone leaving their screen unlocked? Lock it for them, and make sure they know you did!

Security Musts

This applies to all computers you access FundApps platforms from, not just your work computer.

• Hard disk encryption enabled (BitLocker, FileVault).

• Windows update enabled and configured for automatic update installs.

• Anti-virus software installed and configured for automatic updates.

• Make sure your computer password meets our minimum security requirements. It should be at least 8 characters with at least one upper/lowercase character, a number and symbol.

• Set your PC so it will automatically lock after 3 minutes.

• Only install applications from official application stores (e.g. Microsoft Store, App Store, Google Play).

Daily habits

• Lock your computer whenever you leave it unattended.

• Keep your desks clear of any printed information.

Policies

General security

• Use a different password for each service you access.

• Use two factor authentication whenever available (we enforce this for services where we can, such as Google mail and GitHub).

• Use secure passwords (minimum 8 characters in length, and at least 3 out of 4 of lower case, upper case, digits and symbols).

• Never share individual account credentials.

• Immediately change compromised credentials and report compromise to the Information Security Lead.

Bring your own device

• Any mobile device accessing FundApps email must have a secure PIN set and remote-wipe software installed.

• Any device you use to access the FundApps platform or related services must comply to our security checklist (cf. Security Musts) - this includes but is not limited to - hard disk encryption, anti-virus installed, a secure password and 3 minute lock timeout.

• Bring Your Own Devices compliant with these rules may be used to access all FundApps systems, provided access to production systems is done through virtualised systems or bastion hosts.

Email

• Email is not a secure medium. You should be conscious of this and consider how emails might be used by others. Emails can be spoofed (not come from the person you expect), and intercepted.

• If your Email account is breached this is often a route into accessing many other services (given the reliance of email based password re-setting). You should never use your email password for other services.

• When sending attachments containing FundApps confidential information, you should use a password protected archive and share the password via a secondary, unrelated channel (such as SMS)

• Remember that emails can easily be taken out of context, that once an email is sent you cannot control what the recipients might do with it, and that it is very easy to forward large amounts of information.

• Similarly you should not necessarily trust what you receive in an email - in particular, you must never respond to an email request to give a username or password.

Physical security

• Lock your computer whenever you leave it unattended.

• Any computer equipment should be secured behind locked doors when left unattended.

• Any unattended portable equipment should be physically secure if possible, for example locked in an office or a desk drawer. When being transported in a vehicle they should be hidden from view. Staff should avoid storing sensitive information on portable equipment whenever possible (see data security section).

• Enable 3 minute screen savers on your computer. (Go to Screen Saver settings, wait 3 minutes, and check On resume, display logon screen).

Data security

FundApps attaches great importance to the secure management of the data it holds and generates and will hold staff accountable for any inappropriate mismanagement or loss of it.

• If a client emails you sensitive portfolio data, please advise them that they should not be doing this.

• Do not create users for clients, even if you know them. Every client has an Admin user who can create users for themselves.

• • If you need to debug client portfolio data, you should use our secure VMs in our production environment.

  • Client data (of any kind) should never be stored on mobile devices or taken off-site (with the exception of email).

  • Failure to comply with these requirements will be considered a serious breach of this policy.

Social media

• If your profile mentions FundApps, be honest about who you are and what you do.

• Be aware if your profile mentions FundApps, you may be more of a target for social engineering or phishing attacks

• Never share your login details or let others post on your behalf.

• Be respectful to other people, even if you disagree with their opinion.

• Don’t post things or send messages that could damage our reputation, bring the company into disrepute or cause actual or likely harm to the company or colleagues.

• You’re responsible for what you put online and any impact it has on others so set up privacy settings if you need to. Never give out personal or private information about colleagues or clients. As a general rule, if you wouldn’t say or show it to your manager, then it’s probably not appropriate to post or send it online!

• Help us protect our company and reputation by thinking carefully about what you put online. If you see something online that concerns you please talk to the senior management team.

Acceptable use

Internet access is provided as a critical aspect of our business. It should be used in a responsible manner and any personal use should be reasonable. The Internet may not be accessed and used for any of the following:

• Any activity that would violate the laws and regulations of the UK

• Sending offensive or harassing material to other users

• Any activity that would violate the privacy of others

• Cause damage or disruption to organisational systems

Monitoring

Monitoring software is in use to protect the effectiveness, security, availability and integrity of FundApps systems. We monitor the type and volume of internet and network traffic. The information recorded can be used to identify an individual user and the website domain being accessed.

Breaches of security

If you know or suspect a loss or theft of confidential information has a occurred, or the security or integrity of any system has potentially been compromised - report it to the Information Security Lead, the CTO or CEO. This could include

• Disclosure of confidential information to any unauthorised person.

• Integrity of any system or data being put at risk (for example virus, malware, hacking).

• Availability of the system or information being put at risk.

• Loss of any system, laptop, mobile phone or other portable device.

• Finding doors and/or windows broken and/or forced entry gained to a secure room/building in which computer equipment exists.

Further reading

For general awareness, we recommend the following sites.

For more technical information, check out

Objective

This process aims to allow FundApps to continually improve the suitability, adequacy and effectiveness of the information security management system.

Scope

Nonconformities of FundApps' Information Security Management System with ISO 27001:2013.

Policy

FundApps shall implement the following process when nonconformities arise:

React to the nonconformity

FundApps shall react to the nonconformity as applicable by taking action to control and correct it and deal with its consequences.

Evaluate the root cause

FundApps shall evaluate the need for action to eliminate the causes of the nonconformity to ensure it does not occur again.

To do so FundApps shall:

• review the nonconformity;

• determine the cause of the nonconformity; and

• determine if similar nonconformities exist or could potentially occur.

Remediate root cause

FundApps shall implement actions required to address the root cause of the nonconformity.

Determine effectiveness of the remediation

FundApps shall review the effectiveness of the remediation actions which have been taken and make further changes to the ISMS if necessary.

Retain evidence

FundApps shall retain evidence of:

• the nature of the nonconformities and any subsequent action taken, and

• the result of any remediation actions.

FundApps shall perform it's first ISMS audit in 2021.

This internal audit shall cover the following elements:

• Observations from the Readiness Assessment against ISO/IEC 27001:2013 standard;

The audit will be performed before the end of June 2021.

Data Center Physical Security Overview

All data hosted in FundApps’ platform is hosted in facilities with top grade physical security. These facilities are located within the EU with Amazon Web Services (AWS). AWS hold industry standard certifications relating to security and availability, including but not limited to ISO 9001, 27001 and SOC I, II certifications. Full details of the certification activities undertaken by our hosting partner are available via AWS compliance.

Data Center Access Control

AWS provides physical data center access only to approved employees. All employees who need data center access must first apply for access and provide a valid business justification. These requests are granted based on the principle of least privilege, where requests must specify to which layer of the data center the individual needs access, and are time-bound. Requests are reviewed and approved by authorized personnel, and access is revoked after the requested time expires. Once granted admittance, individuals are restricted to areas specified in their permissions.

Third-party access is requested by approved AWS employees, who must apply for third-party access and provide a valid business justification. These requests are granted based on the principle of least privilege, where requests must specify to which layer of the data center the individual needs access, and are time-bound. These requests are approved by authorized personnel, and access is revoked after request time expires. Once granted admittance, individuals are restricted to areas specified in their permissions. Anyone granted visitor badge access must present identification when arriving on site and are signed in and escorted by authorized staff.

FundApps Offices Physical Security

All FundApps offices are protected by locked doors which can be opened only with a valid access card, and CCTV. All doors are equipped with alarm systems which trigger if doors are forced open. Visitors are escorted throughout their visit to our offices.

FundApps has implemented a tiered network architecture to hosts its services. This tiered architecture allows to restrict communications between networks in order to reduce the probability and impact of a security incident. Each tier comprises host-based and network-based intrusion protection systems (IPS) which are monitored by a 24/7 Security Operation Centre (SOC) to detect and respond to security incidents.

Access to the administration of the network is limited to a small number of FundApps staff.

The following table summarises the controls that are relevant and applicable to FundApps' Information Security Management System in accordance with the requirements of ISO 27001:2013.

Access Control

FundApps implements physical and logical access controls across its IT systems and services in order to provide authorised, granular, audit-able and appropriate user access, and to ensure appropriate preservation of data confidentiality, integrity and availability in accordance with our Information Security Policy.

• An owner responsible for managing user access

• The types of data it holds and therefore the data classification and controls required to protect that information.

• Status of basic controls such as SSO and two-factor

FundApps' Identity and Access Management system allows to simplify and automate the on-boarding and off-boarding processes in terms of provisioning and de-provisioning accesses to systems.

Logical access controls for FundApps Platform

• Access via HTTPS only;

• Named accounts using Single sign-on (SSO) and two-factor authentication;

• Audit logs of support staff accessing the system, which is visible to our clients;

• Access is granted on a least-privilege and need-to-know basis;

• Access review by head of Client Services on a quarterly basis.

Access to our production network is restricted to a very small set of staff. Controls in place include:

• All credentials and accounts are provisioned through a configuration change management system that requires approval of the change;

• Access to the network must be made via a secure connection through the use of multi-factor authentication.

• Each member of operational staff uses a named account to each server where access is required which is separately provisioned from the above network access;

• Access is granted on a least-privilege and need-to-know basis;

  All access to and key administrative actions on production servers are logged to a centralised audit store;

• Access review by CTO on a quarterly basis.

Logical access controls for all IT systems

• Named accounts are mandatory, unless an exception is granted by the data owner responsible.

• Any built-in, default accounts should be disabled or renamed and passwords changed

• Single-sign-on should be enabled and mandatory wherever possible

• Two-factor should be enabled and mandatory whenever possible

• Passwords should not be re-used across systems. Passwords should be stored using an approved password management tool with a strong master password.

• Use secure passwords (minimum 8 characters in length, and at least 3 out of 4 of lower case, upper case, digits and symbols).

• Audit logs must provide non-repudiation for changes and access to FundApps Restricted and Confidential data

See our data classification policy for more information on the specific controls in place.

Physical access controls

Roles and Responsibilities

ISMS Manager

The CTO shall ensure FundApps allocates the appropriate resources to ensure the ISMS' conformity with the ISO 27001 standard and shall report the performance of the ISMS to the Leadership team.

ISMS Implementer

The Information Security Lead shall maintain the ISMS, assess its conformity with the ISO 27001 standard, define appropriate corrective actions and report its performance to the CTO.

ISMS Internal Auditor

The internal auditor, who can be a staff member or a consultant, shall perform an impartial internal audit against the requirements of the ISO 27001 standard, and follow-up on the internal audit results to achieve continual improvement.

Leadership Team

The leadership team will ensure the performance of the ISMS aligns with FundApps' business objectives.

FundApps staff

Finally all FundApps staff members contribute to the ISMS, FundApps' security policies and procedures.

Organisation

The following diagram details the organisation between the staff who have a role in the ISMS.

Competence

FundApps assesses the competencies of those who play a role in the ISMS based on the table below:

If gaps are identified with the required competencies, FundApps will define a set of actions to remediate it. These actions may include training, mentoring or hiring or contracting competent persons.

Internal communication regarding this ISMS will be conducted as described below:

Objective

Define the version control, change approval and review cycle of FundApps policies.

Scope

FundApps Information Security , Risk management and business continuity policies.

Policy

Version control

Policies in scope shall be versioned through the use of git. Any change to a policy will be tied to a commit number and an author. This information will be stored in the policies git log.

Change approval

Policies in scope shall be approved by a member of the leadership team. These approvals will be stored in the policies git log.

Review Cycle

Policies in scope shall be reviewed by the Information Security Lead and at least one member of the Leadership Team annually.

Introduction

Whatever part of FundApps we work in we are ambassadors for our company.

Lots of us are having conversations and sharing through social media or online communities. We approach the online world in the same way we do the physical one – by using sound judgement, respect and common sense.

Who’s this policy for?

It applies to anyone working for and on behalf of FundApps. This policy doesn’t form part of your contract and may be amended at any time.

What types of social media does this cover?

This policy covers the use of any online platform which can be used for networking, sharing information or opinions. This includes posting comments, pictures, videos, blogging, using forums, sending private messages relating to FundApps its clients or colleagues, endorsing other people’s content and re-tweeting/circulating posts. It covers platforms like YouTube, LinkedIn, Facebook, Twitter, Instagram, Pinterest, Yammer and Instant Messaging services e.g. WhatsApp, etc., or any other existing or new social media platforms, whether it’s internal or external on your own or a work device.

Can I say that I work for FundApps on my profile?

If you want to then yes you can; just make sure it’s clear that you’re not speaking on behalf of FundApps and say that ‘all views are my own’ somewhere on your profile.

How should I use social media (including internal sites)?

Be yourself

If your profile mentions FundApps, be honest about who you are and what you do. Never share your login details or let others post on your behalf. If you’re leaving, remember to update your profile with your new company name or employment status.

Be respectful

Be respectful to other people, even if you disagree with their opinion.

Don’t post things or send messages that could damage our reputation, bring the company into disrepute or cause actual or likely harm to the company or colleagues.

Don’t use statements, photos, videos, audio or send messages that reasonably could be viewed as malicious, abusive, offensive, obscene, threatening, intimidating or contain nudity or images of a sexual nature, or that could be seen as bullying, harassment or discrimination.

Use common sense

You’re responsible for what you put online and any impact it has on others so set up privacy settings if you need to. Never give out personal or private information about colleagues or clients. As a general rule, if you wouldn’t say or show it to your manager, then it’s probably not appropriate to post or send it online!

And remember, what you post or send can be difficult to delete once it’s online.

Be aware

Help us protect our company and reputation by thinking carefully about what you put online. If you see something online that concerns you please talk to the senior management team.

Did you know?

Even when you say something is your personal opinion we can still be held liable, so pause and think before you post.

You should never assume your social media content won’t reach a wider, public audience. Even if it was originally meant for a small group of friends or for a private message, colleagues or clients may have access to things you put online.

Disseminating confidential or sensitive information; or posting, sharing or endorsing inappropriate messages about your colleagues or FundApps, could result in disciplinary action, which could lead to your dismissal.

Protecting our business

To help protect our business anything you develop or create, including programs or documentation, whilst working for us remains the property of FundApps and must not be used or shared on social media sites or online forums, unless you have specific permission from your director to do so.

Never reveal confidential or sensitive information including anything that is given to us in confidence by suppliers or third parties.

This includes information about FundApps which is not in the public domain.

Respect intellectual property laws

Intellectual property laws (which include copyright and trademarks) are in place to protect the ideas people have, create or develop so that other people can’t steal or use them without permission. For example, FundApps is our trademark, which means we can stop other people from using it on their products.

We must always take care to protect intellectual property rights and respect the rights of others. Stealing someone’s idea can reflect badly on FundApps and damage client trust.

Most forms of published information are protected by copyright, which means you shouldn’t re-use it without getting the owner’s permission first.

Copyright applies to stuff that’s used both internally and externally so make sure you always respect copyright and see permission first – even if it’s only being used within FundApps. Copyright can also apply when sharing content on Twitter and Facebook, so be mindful when doing this.

Can I use my FundApps email address when I’m using social media?

You should use your personal e-mail address unless you’re speaking on behalf of the company (and are authorised to do so).

Can I use the company logo, brand name or pictures of the office etc. in my posts?

Yes, as long as it’s connected with work, appropriate to post, does not reveal confidential information and any people in the photo are happy for it to be posted.

Can I use social media during working hours?

Yes, if you’re using social media for part of your job or it’s related to work (for example, to help a client). Otherwise, using social media during working hours must be reasonable and shouldn’t interfere with you carrying out your job.

What should I do if I see a colleague has posted something offensive or inappropriate on line?

If it’s something that’s personally offensive to you, you should speak to the person involved, if you’re comfortable to do so, and ask them to remove the post. If the posts aren’t removed or it happens again you should speak to your manager about it. If the post is directly about you, and has been posted without your consent or you’re offended by it, or it’s inappropriate, please speak to your manager or the senior management team.

If you endorse, share or send an offensive or inappropriate comment or message about FundsApps or your colleagues, it will be investigated and may result in us taking disciplinary action against you, which could lead to your dismissal.

If the post contains company information which you believe to be confidential (basically something which isn’t already in the public domain), you should report this immediately to our CTO and security@fundapps.co.

Is social media monitored?

Yes. Social media sites are scanned for any mention of FundApps, our products and services or inappropriate comments about the company, our colleagues, managers or clients. If you spot anything that’s been posted about our business that concerns you please contact the senior management team.

Inappropriate behaviour including posting confidential or sensitive information will be investigated, and may result in us taking disciplinary action against you which could lead to your dismissal. You will be asked to co-operate with any investigation.

If it comes to our attention that any inappropriate posts, comments or messages have been made/sent by you or can be viewed on your profile, then we reserve the right to access these posts and to take copies of them. You may also be asked to remove any content that we consider to be a breach of this policy. If you don’t remove the content when asked, it may result in disciplinary action. Any such posts may be used in internal proceedings and/or legal action.

We treat the online world the same as the physical one, so if your post, comment or message would breach our policies in another forum it will breach it in an online forum too.

For anyone else not directly employed by FundApps: if you breach this policy we may terminate the arrangements we have with you for your services.

FundApps backups production data to local storage at the following frequency:

• Weekly full backups,

• Daily differential backups,

• 15 minute transaction log backups.

Backups are retained for a week on the local disk and replicated immediately into archival storage (AWS S3) in the primary and secondary regions. The archival storage retains 30 days of all backups generated.

Each backup contains the entire history of the client instance. Backup integrity is checked automatically at the end of each backup. Backups are fully encrypted.

Logging

FundApps logs system and network events in order to detect and respond to information security threats.

The following events are logged:

• Application events:

  • Login attempts,

  • Changes to users and privileges,

• System events:

  • System accesses,

  • File system accesses,

  • Host-based IPS (Intrusion Prevention System) alerts.

• Network events:

  • Network traffic,

  • Network-based IPS (Intrusion Prevention System) alerts.

All events are aggregated, stored centrally and protected against alteration.

Monitoring and Alerting

FundApps has processes in place to monitor logs. Automated alerting of certain events or event thresholds allows FundApps staff and a 24/7 Security Operation Centre to detect and respond to a potential security incident.

Security alerts are reviewed by the Information Security Lead and tracked in the Security Incident and Event Management tool and a summary is provided during the monthly security meeting.

Objective

The purpose of this policy is to define the way in which FundApps manages patching of it's Information System.

Scope

The policy applies to all FundApps managed Information Systems.

Policy

End user computers

End user computers must receive system patches automatically. Users must not be able to defer patching for more than 30 days.

Servers

Proxy servers

Proxy servers must be cycled at least on a monthly basis, and must be built using an image including the latest system patches.

Web servers

Web servers must receive system patches automatically every month.

Other servers

Other servers must receive system patches at least every 3 months.

Objective

The purpose of this policy is to define the way in which FundApps raises, approves, records and reviews exceptions to its information security policies.

Scope

This policy applies to all exceptions to FundApps' security policies.

Policy

Raising Exceptions

All exceptions must be raised to the Information Security Lead, the CTO or the CEO in a timely fashion once they have been detected.

Approving Exceptions