Scope
The ISMS applies to the shareholding disclosure, position limits and sensitive industries services, which FundApps delivers to its clients. It also applies to the information assets, processes, teams and external service providers which FundApps relies on to provide these services.
Services provided
FundApps provides three main services:
Shareholding Disclosure
FundApps’ Shareholding Disclosure service helps compliance professionals meet shareholding disclosure requirements, prove adherence to regulation and mitigate reputational risk and fines.
FundApps’ outsourced, managed service combines FundApps’ proprietary rules engine with a team of compliance professionals and legal information from aosphere (an affiliate of Allen & Overy) and other regulatory data sources.
FundApps automates disclosure requirements such as major shareholding, 13F reporting, short selling (including the EU Short Selling Rules), takeover panels, issuer limits, and issuer requests (such as Section 793).
Position Limits
FundApps’ Position Limits is a managed service for financial institutions that trade derivative contracts on multiple exchanges. It combines FundApps’ proprietary rules engine with a dedicated team of compliance professionals and up-to-date contract limits and exchange data. It helps compliance managers monitor holdings against position limits for exchange-traded contracts resulting from MiFID II regulation, as well as limits imposed by regulatory bodies such as the United States’ Commodity Futures Trading Commission (CFTC).
Sensitive Industries
FundApps automates the monitoring of regulatory disclosure thresholds in “sensitive industries”, including pre-approval and post-notification, hard-stop and issuer-specific limits. FundApps’ Sensitive Industry rules cover industries in jurisdictions which have different regulations governing ownership.
People
The FundApps departments within the scope of the ISMS are:
Client Services – On-board clients and assist them throughout their experience with Rapptr.
Content – Help to ensure rules correctly mirror current regulation.
Finance – Manage FundApps’ budget, cash flow, tax planning and record keeping.
People Operations – Team responsible for employer brand, recruitment and on-boarding through to development, reward and recognition.
Product – Design and develop products to achieve the company’s objectives.
Engineering – Manage and maintain system architecture and design for all hosted clients.
At a high level, the following executives and teams support FundApps’ processes and services:
CEO – Assigns authority and responsibility for operating activities and reporting relationships. FundApps’ CEO defines and communicates the company’s objectives.
Head of Client Services – Owns FundApps’ client portfolio and drives cross-team collaboration to support FundApps’ objectives.
Head of Product – Accountable for all product management and content team activities globally.
Chief Technology Officer – Provides direction and decision making on what technologies to use, the architecture of the platforms and best technical practices to follow.
Head of Sales – Accountable for all sales activities within the region and acts as the People Leader for the Regional Sales team.
Head of People Operations – Reporting directly to the CEO, the Head of People Operations supports the next phase of growth as FundApps scales.
Information Security Lead – Responsible for managing Information Security, Cyber Security and Business Continuity risks potentially impacting FundApps.
Offices
FundApps operates out of three offices:
114-116 Curtain Road, London EC2A 3AH, United Kingdom
115 Broadway, New York, NY 10006, USA
#02-11, Capitol Piazza, 13 Stamford Road, Singapore 0178905
Infrastructure
FundApps services make use of a resilient infrastructure, which is hosted within multiple data centres (availability zones) and regions operated by Amazon Web Services.
There are two environments. The primary environment is made up of three data centres within a single geographic region, from which the service is provided in normal operation. The secondary environment, in an alternate geographic region, is used if the primary environment is unavailable.
Each of the three data centres within the primary environment has discrete power and Internet connectivity. FundApps’ primary environment is designed to continue to provide its service should two of the three centres suffer simultaneous failures.
Should the whole primary environment fail, FundApps has procedures to recover its service in the secondary environment.
The critical components of this highly available infrastructure include:
Proxy servers, which filter inbound traffic and route it to the correct servers;
Web front-end servers, which provide FundApps clients with a web user interface and an application programming interface (API);
Engine servers, which apply rule sets to analyse FundApps clients’ financial positions;
Database servers, which store the results of this analysis, as well as objects and events related to client environments;
Network Address Translation (NAT) gateways, which the servers use to connect to non-FundApps resources; and
Bastion hosts, which FundApps staff use to administer the infrastructure.
Software
FundApps’ platform consists of system software (operating systems, middleware, and utilities) that supports its applications. FundApps’ stack consists of Windows servers running Internet Information Services (IIS), SQL Server and RabbitMQ.
AWS services such as Elastic Load Balancing, Amazon Route 53, AWS Lambda and Amazon Simple Storage Service are also used to support the service provided. Ingress traffic is filtered by highly available web proxies deployed to Linux servers running the Ubuntu operating system.
The software developed by FundApps is mostly written in C# and in JavaScript running on Node.js. This software is accessible to clients through a web user interface and an application programming interface (API).
FundApps’ platform is kept up to date with the latest enhancements and fixes. FundApps delivers changes from development and content teams to client production environments. To support this activity FundApps employs test-driven development, pair programming and code review to reduce risk and improve software quality.
Every change to software and rule content is run through a test suite to reduce the risk of this continuous update process. Security considerations are built into the software lifecycle: FundApps identifies work items that have security implications early on.
Deployment of changes to the FundApps platform software is a fully automated process.
Interfaces and Dependencies
Amazon Web Services
AWS provides hosting services and is used to host the FundApps platform.
Data Centre Physical Security Overview
All data hosted in FundApps’ platform is hosted by AWS within the EU in facilities with physical security controls in place. AWS holds industry-standard certifications relating to security and availability, including but not limited to ISO 9001 and ISO 27001, as well as SOC 1 and SOC 2 attestations. Full details of the certification activities undertaken by FundApps’ hosting partner are available via AWS Compliance.
Data Centre Access Control
AWS provides physical data centre access only to approved employees. All employees who need data centre access must first apply for access and provide a valid business justification. These requests are granted based on the principle of least privilege, where requests must specify to which layer of the data centre the individual needs access, and are time-bound. Requests are reviewed and approved by authorised personnel, and access is revoked after the requested time expires. Once granted admittance, individuals are restricted to areas specified in their permissions.
Third-party access is requested by approved AWS employees, who must apply for third-party access and provide a valid business justification. These requests are granted based on the principle of least privilege, where requests must specify to which layer of the data centre the individual needs access, and are time-bound. These requests are approved by authorised personnel, and access is revoked after the requested time expires. Once granted admittance, individuals are restricted to areas specified in their permissions. Anyone granted visitor badge access must present identification when arriving on site and is signed in and escorted by authorised staff.
Alert Logic
Alert Logic provides network-based and host-based Intrusion Prevention Services (IPS), as well as a 24/7 Security Operations Centre (SOC).
Exclusions
There are no exclusions to the ISMS.