Information Security Management Policy
FundApps is committed to a robust implementation of Information Security Management. All our hosting environments are certified to ISO 27001. As an organisation we endeavour to align our processes to ISO 27001 and the NIST Cyber Security Framework.
We are specifically committed to preserving the confidentiality, integrity and availability of data and documentation supplied by, generated by and held on behalf of our clients. The principles defined in this policy will be applied to all of the physical and electronic information assets for which FundApps is responsible.
Our senior management team are directly responsible for ensuring that all FundApps staff have been made aware of these procedures and their contents.
All employees have access to these procedures, are required to abide by them, and are encouraged to regularly review and update them in their relevant areas.
Definitions
Information security is the practice of preventing unauthorized access, use, disclosure, disruption, modification, inspection, recording or destruction of information. It focuses primarily on the confidentiality, integrity and availability of data.
FundApps Data, for the purposes of this policy, is data owned, processed or held by FundApps, whether primary or secondary, irrespective of storage location. It is used interchangeably with the term ‘information’.
Context of the organisation
FundApps, headquartered in London, United Kingdom, helps investment managers to harness the power of community and technology to automate regulatory compliance.
There are a number of internal and external factors that create uncertainty that gives rise to risk. These include:
Internal Issues
Information
FundApps processes the following types of information which require adequate protection:
sensitive client information,
personal data,
sensitive FundApps intellectual property.
People
Staff turnover,
Induction of new joiners,
Staff role changes,
High rate of recruitment due to rapid growth.
Organisation
Use of contractors,
Staff working in different time zones.
Products/Services
Alignment of products with evolving regulations,
FundApps services’ competitive advantage relies partly on its intellectual property.
Systems and Processes
Security or resilience issues with FundApps' information systems,
Lack of process documentation.
External Issues
Political Factors
War in Eastern Europe,
Divergence of regulations between the UK and EU following Brexit,
Changes made to regulations.
Trade war between the USA and China.
Economic Factors
Economic recession,
Market conditions affect our clients' ability to subscribe to FundApps’ services,
Higher staff costs due to increasing demand for software engineers or regulatory experts in a constrained market.
Social Factors
Increase in working from home and bring-your-own-device practices,
Public services industrial action in the UK.
Technological Factors
Fast-evolving threat landscape (e.g. ransomware campaigns),
Increased expectations from clients to manage their own security (e.g. Bring Your Own Key, feed export logs to client SIEM).
Rise of Artificial Intelligence.
Environmental Factors
Pandemic affects how people work.
Legal Factors
More lenient financial regulations make our products less appealing,
Regulations on personal data such as GDPR,
Regulations on access to MNPI and insider trading,
Technology-related legislation, such as the Computer Misuse Act 1990 or the Freedom of Information Act 2000,
Intellectual property concerns related to the use of open source software.
Objectives
The objectives of the ISMS are:
1) Ensure the protection of sensitive data managed by FundApps' Information Systems.
Zero data breaches.
2) Ensure the protection of all FundApps Information Systems against the risks of unauthorised access, misuse, damage and abuse.
Zero FundApps Information Systems compromised, misused, damaged or abused.
3) Demonstrate a high level of competence and expertise in Information Security.
Zero clients lost due to Information Security issues.
4) Maintain compliance with security standards.
Maintain ISO 27001 certification and SOC 2 Type II Reports.
5) Foster a culture of security awareness within FundApps.
Zero security incidents resulting from lack of security awareness (e.g. phishing).
6) Protect FundApps from liability or damage due to an Information Security Incident.
Zero lawsuits, fines or losses due to a security incident.
7) Maintain a cycle of continuous improvement.
All non-conformities with the ISO 27001 standard are prioritised for remediation.
The plan to achieve these objectives is described in the Objective Plan.
Scope
cf. ISMS Scope
Information security principles
The following eight information security principles provide overarching governance for the security and management of information at FundApps.
Information should be recorded in our information asset register, with the Information Systems which make use of it, classified in accordance with our data classification policy and in accordance with relevant legislative, regulatory and contractual requirements.
Risks to information security should be assessed and assigned an owner in accordance with our risk management framework.
Staff with particular responsibilities for information are responsible for ensuring the classification of that information; for handling that information in accordance with its classification level; and for any policies, procedures or systems for meeting those responsibilities.
All users covered by the scope of this policy must handle information appropriately and in accordance with its classification level.
As far as is reasonably possible, endeavours must be made to ensure data is complete, relevant, accurate, timely and consistent.
Information should be both secure and available to those with a legitimate need for access in accordance with its classification level.
Information will be protected against unauthorized access and processing in accordance with its classification level.
Information will be protected against loss or corruption.
Breaches of this policy must be reported.
Legal & Regulatory Obligations
FundApps has a responsibility to abide by and adhere to all current UK and EU legislation as well as a variety of regulatory and contractual requirements. Relevant legislation includes:
The Computer Misuse Act 1990,
General Data Protection Regulation 2018,
Data Protection Act 2018,
The Freedom of Information Act 2000,
Regulation of Investigatory Powers Act 2000,
Copyright, Designs and Patents Act 1988,
Defamation Act 1996,
Obscene Publications Act 1959,
Protection of Children Act 1978,
Criminal Justice Act 1988,
Digital Economy Act 2010.
A non-exhaustive summary of the legislation and regulatory and contractual obligations that contribute to the form and content of this policy is provided below. Related policies will detail other applicable legislative requirements or provide further detail on the obligations arising from the legislation summarised below.
Key Legislation Summary
The Computer Misuse Act 1990 defines offences in relation to the misuse of computers as:
Unauthorised access to computer material.
Unauthorised access with intent to commit or facilitate commission of further offences.
Unauthorised modification of computer material.
Section 3ZA: Unauthorised acts causing, or creating risk of, serious damage.
Section 3A: Making, supplying or obtaining articles for use in an offence under section 1, 3 or 3ZA.
The General Data Protection Regulation 2018 (GDPR) defines obligations for businesses and organisations that collect, process and store individuals' personal data. GDPR outlines seven data protection principles which relate to:
Lawfulness, fairness and transparency
Purpose limitation
Data minimisation
Accuracy
Storage limitation
Integrity and confidentiality (security)
Accountability
Data Protection Act 2018
GDPR and DPA 2018 are based on the same principles. The main differences between the two are around:
Freedom of information,
Compliance reports,
Data subject access request,
Age of consent,
Information Commissioner’s Office codes of practice,
National security and crime.
Supporting Policies, Codes of Practice, Procedures and Guidelines
Compliance, Policy Awareness and Disciplinary Procedures
Any security breach of FundApps information systems could lead to the possible loss of confidentiality, integrity and availability of personal or other confidential data stored on these information systems. The loss or breach of confidentiality of personal data is an infringement of the Data Protection Act 1998, contravenes FundApps Data Protection Policy, and may result in criminal or civil action against FundApps.
The loss or breach of confidentiality of contractually assured information may result in the loss of business, financial penalties or criminal or civil action against FundApps. Therefore, it is crucial that all users of the FundApps information systems adhere to the Information Security Policy and its supporting policies as well as the Information Classification Standards.
All current staff and other authorised users will be informed of the existence of this policy and the availability of supporting policies, codes of practice and guidelines.
Any security breach will be handled in accordance with all relevant FundApps policies, including the Conditions of Use of IT Facilities at FundApps and the appropriate disciplinary policies.
Incident Handling
If a member of staff is aware of an information security incident then they must report it to the Head of Information Security, the CEO or the CTO immediately. For more information, please see our Incident Response Policy.
Review and Development
This policy, and its subsidiaries, shall be reviewed by FundApps and updated regularly to ensure that they remain appropriate in the light of any relevant changes to the law, organisational policies or contractual obligations.
FundApps ensures that all changes to the ISMS are carried out in a planned and controlled manner, in alignment with our Continual Improvement Process.
Interested Parties
The list of interested parties in FundApps' ISMS, their requirements, and how those requirements are addressed, is as follows:
Clients
Requirements: Provide service in line with contractual Service Level Agreements; protect client data from unauthorised access.
Coverage: All requirements – managed through security controls, data protection measures, and compliance frameworks.
Staff and contractors
Requirements: Provide a secure Information System to allow them to perform their jobs.
Coverage: All requirements – addressed through access controls, security policies, and infrastructure protections.
Owners and Investors
Requirements: Provide a cost-effective, safe and secure Information System which allows FundApps to be profitable, attract new clients and develop new services.
Coverage: All requirements – managed through risk management, security governance, and business continuity planning.
Suppliers
Requirements: Operate a secure Information System which prevents security incidents from impacting the supplier's Information System (e.g. malware propagation).
Coverage: All requirements – addressed through vendor security assessments, integration controls, and incident response measures.
Regulators
Requirements: Operate a secure Information System which complies with applicable laws and regulations.
Coverage: All requirements – ensured through ISMS policies, audits, and regulatory compliance programs.