Employee Guide

Last updated 1 year ago
Whether it's a USB stick left on a train, a website hack leading to stolen confidential information, or phishing attacks compromising accounts - IT security is in the news more and more.

FundApps is privy to sensitive client information daily, and therefore it is important that a proactive approach to security is taken. The policies captured in this living document are the responsibility of everyone in the Company to uphold and update, with suggestions and improvements raised and addressed as required with the team and the CTO.

NOTE: Security doesn't stop when you leave the office. This policy applies not only to FundApps-provided equipment, but also to any other equipment you may use to access FundApps systems or software.

Guiding principles & security awareness

Top tips

  • Better safe than sorry. Use common sense. If you're not sure whether something is a good idea (downloading a piece of software, opening an email, leaving a laptop unattended, using a particular third-party service) - it probably isn't. Discuss it with the team!

  • Be aware of the kinds of information we look after as a company and how we protect them. You can find more in our data classification policy.

  • Be aware of social engineering - don't trust an attachment or a hyperlink in an email just because it comes from someone you know or an organisation you trust. Better to type the URL into the browser window yourself and avoid that unexpected attachment.

  • Educate yourself - read about a security breach? Find out how it happened and why. Think about whether there's anything we could do differently at FundApps to stop it from happening here. Also, see "Further reading" below.

  • If you know or suspect a loss or theft of confidential information has occurred or the security or integrity of any system has potentially been compromised - report it immediately to the Head of Information Security, CTO and CEO. Keep trying until they confirm they are aware.

  • Familiarize yourself with our social media policy.

Raising others awareness

Don't just educate yourself, share with the team.

  • Join our #ask-security channel in Slack

  • Read about a recent security breach at a company? Find a link that talks about what happened in detail and share it in Slack with the company

  • See someone leaving their screen unlocked? Lock it for them, and make sure they know you did!

Security Musts

This applies to all computers you access FundApps platforms from, not just your work computer.

  • Hard disk encryption enabled (BitLocker, FileVault).

  • Windows update enabled and configured for automatic update installs.

  • Anti-virus software must be installed and configured for automatic updates.

  • Make sure your computer password meets our minimum security requirements. It should be at least 12 characters.

  • Set your PC so it will automatically lock after 5 minutes.

  • Only install applications from official application stores (e.g. Microsoft Store, App Store, Google Play).

  • 1Password must be installed and used for all passwords.

  • If you use your mobile phone for accessing company systems (including email), your mobile phone must have a PIN set and remote-wipe software installed. You must never store data classified as FundApps Confidential on your phone. You can find more in our data classification policy.

Daily habits

  • Lock your computer whenever you leave it unattended.

  • Keep your desk clear of any printed material and keep those containing sensitive data locked away.

  • Do not store FundApps confidential data on any removable media or equipment, in accordance with our data classification policy.

Policies

Credentials

  • Use a different password for each service you access. In order to facilitate this, use 1Password for securely storing passwords.

  • Use two-factor authentication whenever available (we enforce this for services where we can, such as Google Mail and GitHub).

  • Use secure passwords (minimum 12 characters in length).

  • Never share individual account credentials.

  • Immediately change compromised credentials and report the compromise to the Information security team.

Bring your own device

  • Any mobile device accessing FundApps email must have a secure PIN set and remote-wipe software installed.

  • Any device you use to access the FundApps platform or related services must comply with our security checklist (cf. Security Musts) - this includes but is not limited to - hard disk encryption, antivirus, a secure password and a 5-minute lock timeout.

  • Bring Your Own Devices compliant with these rules may be used to access all FundApps systems, provided access to production systems is done through virtualised systems or bastion hosts.

  • You must comply with our data classification policy and ensure you do not store data in breach of it. In particular, confidential data must never be stored on BYODs.

Email

  • Email is not a secure medium. You should be conscious of this and consider how emails might be used by others. Emails can be spoofed (not come from the person you expect) and intercepted.

  • If your email account is breached, this is often a route into accessing many other services (given the reliance on email-based password resetting). You should never use your email password for other services.

  • Two factor authentication is enforced for your FundApps email. Instructions are here.

  • When sending attachments containing FundApps confidential information, you should use a password-protected archive and share the password via a secondary, unrelated channel (such as SMS).

  • Remember that emails can easily be taken out of context, that once an email is sent you cannot control what the recipients might do with it, and that it is very easy to forward large amounts of information.

  • Similarly, you should not necessarily trust what you receive in an email - in particular, you must never respond to an email request to give a username or password.
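The two warnings above (a message can be spoofed, and a request for credentials is itself a red flag) can be turned into mechanical header checks. The following is an added example, not part of the FundApps guide or its tooling: it reads the receiving server's Authentication-Results header and compares the visible From domain with the envelope and Reply-To domains. The sample message and all domains in it are constructed for the example.

```python
"""Header checks on a received email, illustrating why a message that
appears to come from a colleague cannot be taken at face value.

Added example, not part of the FundApps Employee Guide. The message
below is constructed; its domains are placeholders.
"""
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the visible From: claims a colleague, but the
# envelope sender (Return-Path), the Reply-To and the receiving server's
# Authentication-Results all tell a different story.
SAMPLE_MESSAGE = """\
Return-Path: <bounce@mail.example.net>
Authentication-Results: mx.example.com;
 spf=fail smtp.mailfrom=mail.example.net;
 dkim=none;
 dmarc=fail header.from=example.com
From: "Alice Colleague" <alice@example.com>
Reply-To: alice.colleague@webmail.example.org
To: bob@example.com
Subject: Urgent - need your login details

Hi Bob, please reply with your username and password so I can fix the portal.
"""

# Phrases that, in a request, should never be answered by email.
CREDENTIAL_WORDS = ("password", "passcode", "login details", "username")


def domain_of(address_header):
    """Return the lower-cased domain of an address header, or '' if absent."""
    _, addr = parseaddr(address_header or "")
    return addr.rpartition("@")[2].lower()


def auth_results(msg):
    """Parse 'method=result' pairs out of Authentication-Results headers."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        for token in header.replace("\n", " ").split(";"):
            token = token.strip()
            if "=" not in token:          # the authserv-id, e.g. mx.example.com
                continue
            method, _, rest = token.partition("=")
            results[method.strip().lower()] = rest.split()[0].lower()
    return results


def spoof_indicators(raw_message):
    """Return the reasons a message should not be trusted.

    An empty list means none of these simple checks fired; it does not
    prove the message is genuine.
    """
    msg = message_from_string(raw_message)
    reasons = []
    from_domain = domain_of(msg.get("From"))
    results = auth_results(msg)

    if results.get("dmarc") == "fail":
        reasons.append("DMARC failed for From domain %s" % from_domain)
    if results.get("spf") == "fail":
        reasons.append("SPF failed for the envelope sender")
    rp_domain = domain_of(msg.get("Return-Path"))
    if rp_domain and rp_domain != from_domain:
        reasons.append("Return-Path domain %s differs from From domain %s"
                       % (rp_domain, from_domain))
    reply_domain = domain_of(msg.get("Reply-To"))
    if reply_domain and reply_domain != from_domain:
        reasons.append("Reply-To domain %s differs from From domain %s"
                       % (reply_domain, from_domain))

    # Subject plus body, lower-cased, scanned for credential requests.
    body = msg.get_payload(decode=True) or b""
    text = (msg.get("Subject", "") + " " + body.decode("utf-8", "replace")).lower()
    if any(word in text for word in CREDENTIAL_WORDS):
        reasons.append("message asks for credentials")
    return reasons


if __name__ == "__main__":
    for reason in spoof_indicators(SAMPLE_MESSAGE):
        print("-", reason)
```

The checks are deliberately conservative: a clean result only means these particular signals were absent, which is exactly why the guide tells you never to send a username or password in reply to an email regardless of who it appears to be from.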

Physical security

  • Lock your computer whenever you leave it unattended.

  • Any computer equipment should be secured behind locked doors when left unattended.

  • Any unattended portable equipment should be physically secure if possible, for example, locked in an office or a desk drawer. When being transported in a vehicle they should be hidden from view. Staff should avoid storing sensitive information on portable equipment whenever possible (see data security section).

  • Enable 5-minute screen savers on your computer. (Go to Screen Saver settings, wait 5 minutes, and check On resume, display logon screen).

Data security

FundApps attaches great importance to the secure management of the data it holds and generates and will hold staff accountable for any inappropriate mismanagement or loss of it.

Client data, particularly portfolio data, should be treated with great care and in accordance with our data classification policy.

  • If a client emails you sensitive portfolio data, please advise them that they should not be doing this.

  • Do not create users for clients, even if you know them. Every client has an Admin user who can create users for themselves.

  • If you need to debug client portfolio data, you should use our secure VMs in our production environment.

  • Client data (of any kind) should never be stored on mobile devices or taken off-site (with the exception of email).

  • Failure to comply with these requirements will be considered a serious breach of this policy.

Acceptable use

Internet access is provided as a critical aspect of our business. It should be used in a responsible manner and any personal use should be reasonable. The Internet may not be accessed and used for any of the following:

  • Any activity that would violate the laws and regulations of the UK

  • Sending offensive or harassing material to other users

  • Any activity that would violate the privacy of others

  • Causing damage or disruption to organisational systems

Monitoring

Monitoring software is in use to protect the effectiveness, security, availability and integrity of FundApps systems. We monitor the type and volume of internet and network traffic. The information recorded can be used to identify an individual user and the website domain being accessed.
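To make the monitoring statement concrete, here is an added example (not FundApps' monitoring tooling) that summarises proxy log lines by user and destination domain and flags unusually large upload volumes. The log format (timestamp, user, URL, bytes uploaded), the sample lines and the threshold are all assumptions constructed for the example.

```python
"""Summarise constructed proxy log lines by user and destination domain.

Added example, not FundApps' monitoring software. The four-field log
format assumed here is invented for the example.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample log lines: ISO timestamp, user, requested URL,
# bytes uploaded. The last line is deliberately malformed.
SAMPLE_LOG = """\
2024-05-01T09:02:11Z alice https://mail.example.com/inbox 1200
2024-05-01T09:05:43Z alice https://docs.example.com/spec.pdf 4300
2024-05-01T09:07:02Z bob https://filedrop.example.net/upload 52000000
2024-05-01T09:09:15Z bob https://filedrop.example.net/upload 61000000
2024-05-01T09:11:58Z carol https://mail.example.com/inbox 900
malformed line that should be skipped
"""

# Per-user, per-domain upload volume above which an entry is worth a
# second look (constructed threshold for the example: 100 MiB).
UPLOAD_THRESHOLD_BYTES = 100 * 1024 * 1024


def parse_line(line):
    """Return (user, domain, bytes) for a well-formed line, else None."""
    parts = line.split()
    if len(parts) != 4:
        return None
    _, user, url, size = parts
    domain = urlsplit(url).hostname
    if not domain or not size.isdigit():
        return None
    return user, domain.lower(), int(size)


def volume_by_user_and_domain(log_text):
    """Aggregate upload bytes into {user: {domain: bytes}}."""
    totals = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:            # skip lines the parser cannot read
            continue
        user, domain, size = parsed
        totals[user][domain] += size
    return {user: dict(per_domain) for user, per_domain in totals.items()}


def large_uploads(totals, threshold=UPLOAD_THRESHOLD_BYTES):
    """Return (user, domain, bytes) tuples over the threshold, largest first."""
    hits = [(user, domain, size)
            for user, per_domain in totals.items()
            for domain, size in per_domain.items()
            if size > threshold]
    return sorted(hits, key=lambda hit: -hit[2])


if __name__ == "__main__":
    totals = volume_by_user_and_domain(SAMPLE_LOG)
    for user, per_domain in sorted(totals.items()):
        for domain, size in sorted(per_domain.items()):
            print("%-6s %-22s %12d bytes" % (user, domain, size))
    for user, domain, size in large_uploads(totals):
        print("REVIEW: %s sent %d bytes to %s" % (user, size, domain))
```

The aggregation is what makes the recorded data usable for the purpose the policy describes: it links an individual user to a website domain and a traffic volume, while the per-line parser drops anything it cannot read rather than guessing.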

Working from outside the office

Whether you are working from home or from a public place (e.g. whilst travelling) you must ensure you keep our data and Information System secure. This means that you must:

  • lock your laptop whenever you leave it unattended;

  • ensure others cannot read sensitive information (e.g. Client data) by looking over your shoulder (order a privacy screen if needed);

  • ensure sensitive conversations cannot be overheard by others;

  • do not let anyone use your corporate devices.

Breaches of security

If you know or suspect a loss or theft of confidential information has occurred, or the security or integrity of any system has potentially been compromised - report it to the Head of Information Security, the CTO or the CEO. This could include:

  • The disclosure of confidential information to any unauthorised person.

  • The integrity of any system or data being put at risk (for example virus, malware, hacking).

  • Availability of the system or information being put at risk.

  • Loss of any system, laptop, mobile phone or other portable device.

  • Finding doors and/or windows broken and/or forced entry gained to a secure room/building in which computer equipment exists.

Further reading

For general awareness, we recommend the following sites.

  • Google's Stay Safe Online resources

  • The UK Government-sponsored Get Safe Online website (developed in association with The UK's Citizen's Advice Bureau)

  • SANS OUCH! Security Awareness Monthly Newsletters (changes monthly)

  • SANS Security Awareness Video

For more technical information, check out:

  • OWASP Top 10 Project

  • Security, Cryptography and Privacy (Google)

  • SANS reading room