Cryptographic Policy
Objective
The purpose of this policy is to define the way in which FundApps manages cryptographic controls to protect the confidentiality, authenticity and/or the integrity of information.
Scope
The policy applies to all FundApps Information Systems.
Policy
FundApps will implement cryptographic controls to protect information as defined in the Data Classification and Protection Standard.
Information which requires encryption
The following table summarises when cryptography must be used:
Encryption in transit | - | Mandatory | Mandatory | Mandatory
Encryption at rest | - | - | - | Mandatory
Encryption at rest on removable media | - | - | Mandatory | Mandatory
Encryption of data in transit
All client data sent to or generated inside our platform follows an encrypted data lifecycle, and all interactions with the system occur over an encrypted protocol: Secure HTTP (HTTPS). We keep the supported cipher suites for the SSL encryption used for HTTPS in line with industry standards and regularly run external tests to verify this. The results of these tests are publicly available.
Encryption of data at rest
All client data is encrypted at rest. FundApps employs a key management system which allows us to rotate the keys used for the encryption of these volumes on a regular basis. Backups are also stored encrypted at rest, meaning your data is never available in cleartext. Data is encrypted using AES-256-GCM, a symmetric algorithm based on the Advanced Encryption Standard (AES) in Galois/Counter Mode (GCM) with 256-bit keys.
Encryption ciphers and key lengths
FundApps supports TLS v1.2 and TLS v1.3. The full list of supported ciphers is available on this website.
Encryption ciphers and key lengths used to protect information must comply with requirements set out in NIST Special Publication 800-131A Revision 2.
The minimum length of a symmetric key to encrypt restricted client data at rest is 256 bits.
Cryptographic Key Management
Cryptographic keys must be generated, transmitted, stored and managed in a secure manner that prevents loss, unauthorised access, or compromise.
Access: Access to cryptographic keys must be restricted to authorised staff only.
Distribution: Private and symmetric keys must be distributed securely, such as through the use of secure email or out-of-band techniques like phone conversations with known individuals. Physical transportation of private and symmetric keys requires that they be encrypted.
Physical security: Equipment used to generate, store and archive keys must be physically protected using appropriate, secure access controls.
Key rotation: Cryptographic keys must be rotated at a minimum every 3 years.
Compromised keys: In the event of a cryptographic key being compromised, a new key (or key pair) must be generated and the existing key must be revoked.
Backup: Backup of cryptographic keys must be maintained to recover them should they be lost.
Logging and auditing: All accesses to cryptographic keys as well as modifications to these keys must be logged. Logs must be audited for anomalous activity.
Roles and responsibilities
The system owner (Supplier Relationship Manager), as defined in FundApps' Information System Inventory [restricted to FundApps staff], is responsible for ensuring information is protected by cryptographic controls as set out in this policy.
The Head of Information Security is responsible for ensuring the policy is aligned to FundApps' business objectives.