Access Control

Last updated 10 months ago

FundApps implements physical and logical access controls across its IT systems and services in order to provide authorised, granular, auditable and appropriate user access, and to ensure appropriate preservation of data confidentiality, integrity and availability in accordance with our Information Security Policy.

This policy covers all FundApps IT systems and information not classified as 'Public' in our data classification policy.

Each information system is recorded in FundApps' Information Systems Register [Restricted to FundApps staff], which includes:

  • An owner responsible for managing user access;

  • The types of data it holds, and therefore the data classification and the controls required to protect that information;

  • The status of basic controls such as SSO and two-factor authentication.

Access to each information system is granted on a least-privilege, as-needed basis. Access is managed by the nominated owner of the system through FundApps' Identity and Access Management system [Restricted to FundApps staff], and is reviewed as part of our monthly security stakeholder meeting.

FundApps' Identity and Access Management system simplifies and automates the on-boarding and off-boarding processes by provisioning and de-provisioning access to systems.

Logical access controls for FundApps Platform

Data stored in the FundApps platform is classified as 'FundApps Confidential' (see our data classification policy).

User Interface

Support staff access the platform through the same interface our clients do. As such, controls in place include:

  • Access via HTTPS only;

  • Named accounts using Single sign-on (SSO) and two-factor authentication;

  • Audit logs of support staff accessing the system, which are visible to our clients;

  • Access is granted on a least-privilege and need-to-know basis;

  • Ongoing security awareness training;

  • Access review by head of Client Services on a quarterly basis.

Additionally, we provide clients with the option to enable the Just-In-Time (JIT) access feature. This is a dynamic access control method that allows our Client Services staff to hold temporary permissions to a client's environment only when necessary, and only for the duration required to complete specific tasks.

JIT has a number of benefits:

  • FundApps staff do not have default access to client data.

  • Access is granted and revoked by clients with the Administrator role.

  • Application access is restricted to predetermined time periods and designated FundApps staff members only.

  • Access is time-limited, automatically expiring once the predetermined period concludes.

  • As is currently the case, access is documented in the audit trail.
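The JIT lifecycle described above, as an added illustrative model that is not FundApps' own code: a client Administrator grants a designated staff member time-limited access, any check against an absent or lapsed grant fails, and grant, revocation and expiry are all recorded in an audit trail. The account names `client.admin` and `cs.engineer` and the timestamps are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class JitAccessControl:
    client_admins: set          # client users holding the Administrator role
    designated_staff: set       # FundApps staff members eligible for JIT grants
    grants: dict = field(default_factory=dict)  # staff -> expiry (UTC datetime)
    audit: list = field(default_factory=list)   # (time, action, actor, staff) entries

    def grant(self, admin, staff, duration, now):
        # Only a client Administrator may grant, and only to designated staff.
        if admin not in self.client_admins:
            raise PermissionError(f"{admin} is not a client Administrator")
        if staff not in self.designated_staff:
            raise PermissionError(f"{staff} is not designated for JIT access")
        self.grants[staff] = now + duration
        self.audit.append((now, "grant", admin, staff))
        return self.grants[staff]

    def revoke(self, admin, staff, now):
        # Clients can also end a grant early; every revocation is recorded.
        if admin not in self.client_admins:
            raise PermissionError(f"{admin} is not a client Administrator")
        if self.grants.pop(staff, None) is not None:
            self.audit.append((now, "revoke", admin, staff))

    def has_access(self, staff, now):
        # No grant means no access: staff hold no default access to client data.
        expiry = self.grants.get(staff)
        if expiry is None:
            return False
        if now >= expiry:
            # Grants are time-limited: lapse automatically and record the lapse.
            del self.grants[staff]
            self.audit.append((now, "expire", "system", staff))
            return False
        return True


def demo():
    """Walk one grant through its lifetime; returns access checks and audit actions."""
    t0 = datetime(2025, 1, 1, 9, 0, tzinfo=timezone.utc)  # constructed timestamp
    jit = JitAccessControl({"client.admin"}, {"cs.engineer"})
    before = jit.has_access("cs.engineer", t0)
    jit.grant("client.admin", "cs.engineer", timedelta(hours=2), t0)
    during = jit.has_access("cs.engineer", t0 + timedelta(hours=1))
    after = jit.has_access("cs.engineer", t0 + timedelta(hours=3))
    return before, during, after, [e[1] for e in jit.audit]
```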

It is important to note that if you ask us to enable JIT and subsequently fail to grant CS access for support purposes in a timely manner, this may result in missed service levels or other consequential issues for which we cannot be held responsible. It is imperative that all necessary access permissions are granted promptly to ensure our ability to meet agreed-upon service standards.

More information about JIT is available in our Help Centre.

Production

Access to our production network is restricted to a very small set of staff. Controls in place include:

  • All credentials and accounts are provisioned through a configuration change management system that requires approval of the change;

  • Access to the network must be made via a secure connection using multi-factor authentication;

  • Each member of operational staff uses a named account on each server where access is required, provisioned separately from the network access above;

  • Access is granted on a least-privilege and need-to-know basis;

  • Access is subject to Just-In-Time (JIT) and peer approval;

  • All access to, and key administrative actions on, production servers are logged to a centralised audit store;

  • Access review by the CTO on a quarterly basis.

Logical access controls for all IT systems

Our data classification policy classifies data stored across all our IT systems. Principles we follow include:

  • Named accounts are mandatory, unless an exception is granted by the responsible data owner.

  • Any built-in default accounts should be disabled or renamed and their passwords changed.

  • Single sign-on should be enabled and mandatory wherever possible.

  • Two-factor authentication should be enabled and mandatory wherever possible.

  • Passwords should not be re-used across systems. Passwords should be stored using an approved password management tool with a strong master password.

  • Use secure passwords (minimum 12 characters in length).

  • Audit logs must provide non-repudiation for changes to, and access to, FundApps Restricted and Confidential data.

See our data classification policy for more information on the specific controls in place.

Physical access controls

See our physical security page.

Types of Authentication mechanisms supported by FundApps' platform

FundApps encourages its clients to implement Single Sign-On in order to automate provisioning/deprovisioning of their accesses, and to provide their users with a seamless authentication process. Alternatively, FundApps supports two-factor authentication as well as traditional username/password credentials. More information is available on FundApps' Help Centre.

Roles and privileges in FundApps' platform

In FundApps' platform, privileges are provided through roles which are assigned to users. More information on these roles and the privileges they grant is available on FundApps' Help Centre.