Data Classification and Protection Standard

Last updated 4 months ago

In order to preserve the appropriate confidentiality, integrity and availability of FundApps information assets, we must make sure they are protected against unauthorized access, disclosure or modification. This is critical for all personal data, client data and FundApps proprietary data we deal with across the FundApps business.

This standard applies to all FundApps information, irrespective of the data location or the type of device it resides on.

Approach

We maintain an information asset register detailing all key information assets at FundApps, who owns them, the business processes they are used in, and any external service providers that may use or store the information.

As a result, we can see at a glance:

  • What information assets fall under which data classification

  • What information systems hold data falling under those classifications

  • The controls that we expect each system to have in place

Responsibilities

FundApps & third parties

All FundApps employees, contractors and third parties who interact with information held by or on behalf of FundApps are responsible for assessing and classifying the information they work with and for applying the appropriate controls. Individuals must respect the security classification of any information as defined here, and must report any information that has been inappropriately classified, stored or shared to the Information Security Manager or Head of Security as quickly as possible.

System Owners

Each system has an owner (its Supplier Relationship Manager) who is responsible for assessing the information it contains and classifying its sensitivity. System owners are then responsible, in conjunction with the Head of Security, for ensuring the appropriate controls are in place.

Security Team

The Security Team is responsible for advising on and recommending information security standards for data classification, and for ensuring these standards are regularly reviewed.

Classification and Protection Guidance

The latest classification guidance is set out below. FundApps uses four classification levels: Public, Open, Restricted and Confidential. For each control area, the requirement is given per level.

Description

Public: Publicly available data.
Open: Accessible only to FundApps staff, authorised clients and partners.
Restricted: Access restricted to specific FundApps teams. Data which the data owner has decided not to make public; data that is legally regulated and requires some level of access control; and data protected by contractual obligations.
Confidential: Access restricted to specific FundApps staff on a 'need to know' basis. Data which, if disclosed publicly, could cause significant financial or reputational damage to FundApps or our clients; data which is legally regulated and requires an extremely high level of protection; and data protected by contractual obligations.

Impact if disclosed

Public: None
Open: Low
Restricted: Medium
Confidential: High

Current data in this classification

Public:
- Regulatory information
- Publicly available information on a company

Open:
- FundApps policies
- List of clients
- Development and test data
- Prospective client visitor data and analytics
- Task lists and potential future work
- FundApps ISMS and asset register

Restricted:
- Employee contracts, passports, salaries, bank records
- Engineering source code
- FundApps' rule package
- Client portfolios and structures
- Client queries
- Server event logs, application logs, exception logs

Confidential:
- Client positions
- Client results (disclosures, breaches etc.) and data overrides
- Encryption keys and infrastructure credentials

Current services included in this classification

Public:
- OneLogin
- Aosphere

Open:
- Amazon AWS Development
- OneDrive
- HubSpot
- PagerDuty
- GitBook
- Bonusly
- Google Analytics

Restricted:
- GitHub
- Intercom
- Google Mail
- Google Drive
- Slack
- Kingston Smith
- HSBC
- Datadog SIEM
- Sentry

Confidential:
- Amazon AWS Production
- Octopus
- Client environments

Data access & control

Public: No access restrictions. Data is available for public access.
Open: Available to FundApps staff, and to prospects and clients under NDA.
Restricted: Available only to specified FundApps staff.
Confidential: Access is controlled and restricted to specific FundApps staff on a 'need to know' and 'least privilege' basis.

Legal requirements

Public: Protection of data is at the discretion of the owner or custodian.
Open: Protection of data is at the discretion of the owner or custodian.
Restricted: Protection of data is required by law or at the discretion of the owner or custodian.
Confidential: Protection of data is required by law or at the discretion of the owner or custodian.

Transmission

Public: No protection is required for public information.
Open: Data must be shared through systems which restrict access to the intended audience. If this is not possible (e.g. the data needs to be shared through internal chat or email), it must either be sent encrypted (e.g. as a password-protected encrypted archive, with the password sent through an unrelated channel) or be shared as a link to a system which implements the appropriate access control (e.g. a link to a document in Google Drive).
Restricted: Same as Open.
Confidential: Transmission through email, support tickets or internal chat tools is prohibited. Transmission may only be made through approved channels that are authenticated and encrypted (HTTPS or VPN).

Audit controls

Public: No audit controls required.
Open: Information owners must periodically monitor and review their systems and procedures for potential misuse and/or unauthorised access.
Restricted: Information owners must periodically monitor and review their systems and procedures for potential misuse and/or unauthorised access. Audit trails for the purposes of non-repudiation must be in place.
Confidential: Systems must be actively monitored and reviewed for potential misuse and/or unauthorised access. Audit trails for the purposes of non-repudiation must be in place.

Storage (digital)

Public: No restrictions.
Open: No restrictions. Care must always be taken when storing this information on mobile devices.
Restricted: Encryption is required if the data is stored on a system without access control.
Confidential: Encryption at rest is mandatory for all data not held within a physically secure ISO 27001 environment. Storage on unapproved computing equipment is prohibited.

Backup & recovery procedures

Public: Not required.
Open: Documented backup and recovery procedures are required, in line with FundApps' Service Levels.
Restricted: Documented backup and recovery procedures are required, in line with FundApps' Service Levels.
Confidential: Documented backup and recovery procedures are required, including automated failover wherever feasible, in order to achieve FundApps' Service Levels.

Disposal (digital file)

Public: No restrictions.
Open: Standard deletion from media.
Restricted: Standard deletion from media.
Confidential: Delete all files or data using a secure delete tool (such as Eraser).

Disposal (physical medium)

Public: No restrictions.
Open: Media must be erased before disposal.
Restricted: Media must be erased before disposal. For encrypted media, the cryptographic keys must be deleted. Media must be disposed of securely using state-of-the-art approved solutions for the permanent removal of data (e.g. shredding or physical destruction).
Confidential: Same as Restricted.

Transport

Public: Normal mail service.
Open: Normal mail service.
Restricted: Must never be printed. Transport of media or devices containing such data must be through a trusted courier.
Confidential: Must never be printed. Transport of media or devices containing such data must be through a trusted courier.

Storage (hard copy)

Public: No requirements.
Open: Secure office or other location. The room need not be locked if access to the building or floor is restricted to employees and authorised non-employees.
Restricted: Must never be printed.
Confidential: Must never be printed.

Disposal (hard copy)

Public: No requirements.
Open: Information must be disposed of securely using strip-cut shredders or confidential waste bins which are certified for secure destruction.
Restricted: Must never be printed.
Confidential: Must never be printed.

Reporting Violations

Report suspected violations of this policy to the Head of Information Security, the CTO or the CEO. Reports of violations are considered Restricted data until otherwise classified.