Employee Guide
Whether it's a USB stick left on a train, a website hack leading to stolen confidential information, or phishing attacks compromising accounts - IT security is in the news more and more.
FundApps is privy to sensitive client information daily, and therefore it is important that a pro-active approach to security is taken. The policies captured in this living document are the responsibility of everyone in the Company to uphold and update. Suggestions and improvements should be raised and addressed with the team and the CTO as required.
NOTE: Security doesn't stop when you leave the office. This policy applies not only to FundApps-provided equipment but also to any other equipment you may use to access FundApps systems or software.
Guiding principles & security awareness
Top tips
Better safe than sorry. Use common sense. If you're not sure whether something is a good idea (downloading a piece of software, opening an email, leaving a laptop unattended, using a particular third party service) - it probably isn't. Discuss it with the team!
Be aware of the kinds of information we look after as a company, and how we protect them. You can find more in our data classification policy.
Be aware of social engineering - don't trust an attachment or a hyperlink in an email just because it comes from someone you know, or an organisation you trust. Better to type the URL into the browser window yourself, and avoid that unexpected attachment.
Educate yourself - read about a security breach? Find out how it happened and why. Think about whether there's anything we could do differently at FundApps to stop it happening here. Also see "other reading".
If you know or suspect that a loss or theft of confidential information has occurred, or that the security or integrity of any system has potentially been compromised, report it immediately to the CTO and CEO. Keep trying until they confirm they are aware.
Raising others' awareness
Don't just educate yourself, share with the team.
Join our #security channel in Slack
Read about a recent security breach at a company? Find a link that explains what happened in detail and share it with the company in Slack.
See someone leaving their screen unlocked? Lock it for them, and make sure they know you did!
Security Musts
This applies to all computers you access FundApps platforms from, not just your work computer.
Hard disk encryption enabled (BitLocker, FileVault).
Windows update enabled and configured for automatic update installs.
Anti-virus software installed and configured for automatic updates.
Make sure your computer password meets our minimum security requirements: it should be at least 8 characters long, with at least one upper/lowercase character, a number and a symbol.
1Password (or equivalent) installed and used for all passwords.
Set your PC so it will automatically lock after 5 minutes.
If you use your mobile phone for accessing company systems (including email) your mobile phone must have a PIN set and remote-wipe software installed. You must never store data classified as FundApps Confidential on your phone. You can find more in our data classification policy.
Only install applications from official application stores (e.g. Microsoft Store, App Store, Google Play).
Daily habits
Lock your computer whenever you leave it unattended.
Keep your desks clear of any printed material and keep those containing sensitive data locked away.
Do not store FundApps confidential data on any removable media or equipment, in accordance with our data classification policy.
Policies
Credentials
Use a different password for each service you access.
Use two factor authentication whenever available (we enforce this for services where we can, such as Google mail and GitHub).
Use secure passwords (minimum 8 characters in length, and at least 3 out of 4 of lower case, upper case, digits and symbols).
Never share individual account credentials.
Immediately change compromised credentials and report compromise to the Information Security Lead.
In order to facilitate this, use a tool like 1Password for securely storing passwords.
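The Credentials rules above (unique password per service; at least 8 characters using at least 3 of the 4 classes lower case, upper case, digits and symbols) can be checked mechanically. The following is an added example written for this guide, not part of the original policy or of any FundApps tooling; it assumes that "symbol" means any printable, non-whitespace character that is not a letter or digit, and that the reuse check is run locally over a small credential list you already hold (a password manager such as 1Password performs the same reuse check for you).

```python
# Added example: checks passwords against the Credentials policy stated in the guide
# (minimum 8 characters, at least 3 of the 4 character classes) and flags any password
# reused across several services. Assumption: a "symbol" is any printable character
# that is not a letter, digit or whitespace.
from collections import defaultdict

MIN_LENGTH = 8
ALL_CLASSES = {"lower", "upper", "digit", "symbol"}
REQUIRED_CLASSES = 3  # policy: at least 3 out of 4


def classes_present(password: str) -> set:
    """Return the set of character classes that appear in the password."""
    present = set()
    for ch in password:
        if ch.islower():
            present.add("lower")
        elif ch.isupper():
            present.add("upper")
        elif ch.isdigit():
            present.add("digit")
        elif ch.isprintable() and not ch.isspace():
            present.add("symbol")  # whitespace is deliberately not counted as a symbol
    return present


def check_password(password: str) -> list:
    """Return a list of policy violations; an empty list means the password complies."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    present = classes_present(password)
    if len(present) < REQUIRED_CLASSES:
        missing = ", ".join(sorted(ALL_CLASSES - present))
        problems.append(
            f"only {len(present)} of 4 character classes used (missing: {missing})"
        )
    return problems


def complies(password: str) -> bool:
    """True when the password meets the length and character-class rules."""
    return not check_password(password)


def find_reused(credentials: dict) -> dict:
    """Map each password used by more than one service to the sorted list of services.

    `credentials` maps a service name to the password used for it. Comparing the
    plaintext values is acceptable here because this runs locally on data the user
    already holds; nothing is written or transmitted.
    """
    by_password = defaultdict(list)
    for service, password in credentials.items():
        by_password[password].append(service)
    return {
        pw: sorted(services)
        for pw, services in by_password.items()
        if len(services) > 1
    }


if __name__ == "__main__":
    # Constructed sample data for illustration only.
    sample = {
        "github": "Tr0ub4dor&3",
        "gmail": "Tr0ub4dor&3",   # reused: violates "different password for each service"
        "slack": "password123",   # only lower case + digits: violates the class rule
        "aws": "Xy9#kq2L",
    }
    for service, pw in sample.items():
        print(service, "->", check_password(pw) or "ok")
    print("reused:", find_reused(sample))
```

Run it as a script to see each sample password judged against the policy; the functions can also be imported and pointed at an exported credential list. Note that the policy treats length and class mix as a minimum bar, not a guarantee of strength: a password manager generating long random passwords satisfies both rules by default.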
Bring your own device
Any mobile device accessing FundApps email must have a secure PIN set and remote-wipe software installed.
Any device you use to access the FundApps platform or related services must comply with our security checklist (cf. Security Musts). This includes, but is not limited to, hard disk encryption, antivirus, a secure password and a 5 minute lock timeout.
You must comply with our data classification policy and ensure you do not store data in breach of this.
Bring Your Own Devices compliant with these rules may be used to access all FundApps systems, provided access to production systems is done through virtualised systems or bastion hosts.
Email
Email is not a secure medium. You should be conscious of this and consider how emails might be used by others. Emails can be spoofed (not come from the person you expect), and intercepted.
Two factor authentication is enforced for your FundApps email. Instructions are here.
If your email account is breached, this is often a route into many other services (given the reliance on email-based password resets). You should never use your email password for other services.
When sending attachments containing FundApps confidential information, you should use a password-protected archive and share the password via a secondary, unrelated channel (such as SMS).
Remember that emails can easily be taken out of context, that once an email is sent you cannot control what the recipients might do with it, and that it is very easy to forward large amounts of information.
Similarly you should not necessarily trust what you receive in an email - in particular, you must never respond to an email request to give a username or password.
Physical security
Lock your computer whenever you leave it unattended.
Any computer equipment should be secured behind locked doors when left unattended.
Any unattended portable equipment should be physically secured where possible, for example locked in an office or a desk drawer. When being transported in a vehicle it should be hidden from view. Staff should avoid storing sensitive information on portable equipment whenever possible (see the Data security section).
Enable a 3 minute screen saver on your computer. (Go to Screen Saver settings, set Wait to 3 minutes, and tick "On resume, display logon screen".)
Data security
FundApps attaches great importance to the secure management of the data it holds and generates and will hold staff accountable for any inappropriate mismanagement or loss of it.
If a client emails you sensitive portfolio data, please advise them that they should not be doing this.
Do not create users for clients, even if you know them. Every client has an Admin user who can create users for themselves.
Client data, particularly portfolio data should be treated with great care, and in accordance with our data classification policy.
If you need to debug client portfolio data, you should use our secure VMs in our production environment.
Client data (of any kind) should never be stored on mobile devices or taken off-site (with the exception of email).
Failure to comply with these requirements will be considered a serious breach of this policy.
Social media
If your profile mentions FundApps, be honest about who you are and what you do.
Be aware that if your profile mentions FundApps, you may be more of a target for social engineering or phishing attacks.
Never share your login details or let others post on your behalf.
Be respectful to other people, even if you disagree with their opinion.
Don’t post things or send messages that could damage our reputation, bring the company into disrepute or cause actual or likely harm to the company or colleagues.
You’re responsible for what you put online and any impact it has on others so set up privacy settings if you need to. Never give out personal or private information about colleagues or clients. As a general rule, if you wouldn’t say or show it to your manager, then it’s probably not appropriate to post or send it online!
Help us protect our company and reputation by thinking carefully about what you put online. If you see something online that concerns you please talk to the senior management team.
Please familiarise yourself with our social media policy.
Acceptable use
Internet access is provided as a critical aspect of our business. It should be used in a responsible manner and any personal use should be reasonable. The Internet may not be accessed and used for any of the following:
Any activity that would violate the laws and regulations of the UK
Sending offensive or harassing material to other users
Any activity that would violate the privacy of others
Causing damage or disruption to organisational systems
Monitoring
Monitoring software is in use to protect the effectiveness, security, availability and integrity of FundApps systems. We monitor the type and volume of internet and network traffic. The information recorded can be used to identify an individual user and the website domain being accessed.
Working from outside the office
Whether you are working from home or from a public place (e.g. whilst travelling) you must ensure you keep our data and Information System secure. This means that you must:
lock your laptop whenever you leave it unattended;
ensure others cannot read sensitive information (e.g. Client data) by looking over your shoulder (order a privacy screen if needed);
ensure sensitive conversations cannot be overheard by others;
not let anyone use your corporate devices.
Breaches of security
If you know or suspect that a loss or theft of confidential information has occurred, or that the security or integrity of any system has potentially been compromised, report it to the Information Security Lead, the CTO or the CEO. This could include:
Disclosure of confidential information to any unauthorised person.
Integrity of any system or data being put at risk (for example virus, malware, hacking).
Availability of the system or information being put at risk.
Loss of any system, laptop, mobile phone or other portable device.
Finding doors and/or windows broken and/or forced entry gained to a secure room/building in which computer equipment exists.
Further reading
For general awareness, we recommend the following sites.
Google's Stay Safe Online resources (developed in association with the UK's Citizens Advice Bureau)
SANS Security Awareness Video (changes monthly)
For more technical information, check out