FundApps is committed to a robust implementation of Information Security Management. All our hosting environments are certified to ISO 27001. As an organisation we endeavour to align our processes with ISO 27001 and the NIST Cyber Security Framework.
We are specifically committed to preserving the confidentiality, integrity and availability of data and documentation supplied by, generated by and held on behalf of our clients. The principles defined in this policy apply to all of the physical and electronic information assets for which FundApps is responsible.
Our senior management team is directly responsible for ensuring that all FundApps staff have been made aware of these procedures and their contents.
All employees have access to these policies, are required to abide by them, and are encouraged to regularly review and update them in their relevant areas.
Information security is the practice of preventing unauthorized access, use, disclosure, disruption, modification, inspection, recording or destruction of information. It focuses primarily on the confidentiality, integrity and availability of data.
FundApps Data, for the purposes of this policy, is data owned, processed or held by FundApps, whether primary or secondary, irrespective of storage location. It is used interchangeably with the term ‘information’.
FundApps, headquartered in London, United Kingdom, helps investment managers to harness the power of community and technology to automate regulatory compliance.
There are a number of internal and external factors that create uncertainty and give rise to risk. These include:
Information
FundApps processes the following types of information which require adequate protection:
sensitive client information,
personal data,
sensitive FundApps intellectual property.
People
Staff turnover,
Induction of new joiners,
Staff role changes,
High rate of recruitment due to rapid growth.
Organisation
Use of contractors,
Staff working in different time zones.
Products/Services
Products need to align with evolving regulations,
FundApps services’ competitive advantage relies partly on its intellectual property.
Systems and Processes
Staff work from home,
Lack of process documentation.
Political Factors
Divergence of regulations between UK and EU following Brexit,
Frequent changes made to regulations.
Economic Factors
Market conditions affect our clients’ ability to subscribe to FundApps’ services,
Higher staff costs due to an increasing demand for software engineers or regulatory experts in a constrained market.
Social Factors
Increase in working from home and bring your own devices practices.
Technological Factors
Fast evolving threat landscape (e.g. ransomware campaigns),
Increased expectation from clients that they can manage aspects of their own security (e.g. Bring Your Own Key, export of logs to the client's SIEM).
Environmental Factors
Pandemic affects how people work.
Legal Factors
More lenient financial regulations make our products less appealing,
Regulations on personal data such as GDPR,
Regulations on access to MNPI and insider trading,
Technology-related legislation, such as the Computer Misuse Act 1990 or the Freedom of Information Act 2000,
Intellectual property concerns related to the use of open source software.
The objectives of the ISMS, with the measurement used for each, are:
Objective 1: Ensure the protection of sensitive data managed by FundApps' Information Systems.
Measurement: Zero data breaches.
Objective 2: Ensure the protection of all FundApps Information Systems against the risks of unauthorised access, misuse, damage and abuse.
Measurement: Zero FundApps Information Systems compromised, misused, damaged or abused.
Objective 3: Demonstrate a high level of competence and expertise in Information Security.
Measurement: Obtain an ISO 27001 certification; zero clients lost due to Information Security issues.
Objective 4: Maintain compliance with security standards.
Measurement: Maintain ISO 27001 certification and SOC 2 Type II Reports.
Objective 5: Foster a culture of security awareness within FundApps.
Measurement: Zero security incidents resulting from lack of security awareness (e.g. phishing).
Objective 6: Protect FundApps from liability or damage due to an Information Security Incident.
Measurement: Zero lawsuits, fines or losses due to a security incident.
Objective 7: Maintain a cycle of continuous improvement.
Measurement: All non-conformities with the ISO 27001 standard are prioritised for remediation.
The following information security principles provide overarching governance for the security and management of information at FundApps.
Staff with particular responsibilities for information are responsible for ensuring the classification of that information; for handling that information in accordance with its classification level; and for any policies, procedures or systems for meeting those responsibilities.
All users covered by the scope of this policy must handle information appropriately and in accordance with its classification level.
As far as is reasonably possible, endeavours must be made to ensure data is complete, relevant, accurate, timely and consistent.
Information should be both secure and available to those with a legitimate need for access in accordance with its classification level.
Information will be protected against unauthorized access and processing in accordance with its classification level.
Information will be protected against loss or corruption.
Breaches of this policy must be reported.
FundApps has a responsibility to abide by and adhere to all current UK and EU legislation as well as a variety of regulatory and contractual requirements. Relevant legislation includes:
The Computer Misuse Act 1990
The General Data Protection Regulation (GDPR) and the Data Protection Act 2018
The Freedom of Information Act 2000
The Regulation of Investigatory Powers Act 2000
The Copyright, Designs and Patents Act 1988
The Defamation Act 1996
The Obscene Publications Act 1959
The Protection of Children Act 1978
The Criminal Justice Act 1988
The Digital Economy Act 2010
A non-exhaustive summary of the legislation and regulatory and contractual obligations that contribute to the form and content of this policy is provided below. Related policies will detail other applicable legislative requirements or provide further detail on the obligations arising from the legislation summarised below.
The Computer Misuse Act 1990 defines offences in relation to the misuse of computers, including:
1. Unauthorised access to computer material.
2. Unauthorised access with intent to commit or facilitate commission of further offences.
3. Unauthorised acts with intent to impair the operation of a computer (originally framed as unauthorised modification of computer material).
The General Data Protection Regulation (GDPR) defines obligations for businesses and organisations that collect, process and store individuals' personal data. The GDPR sets out seven data protection principles, which relate to:
Lawfulness, fairness and transparency
Purpose limitation
Data minimisation
Accuracy
Storage limitation
Integrity and confidentiality (security)
Accountability
Any security breach of FundApps information systems could lead to the loss of confidentiality, integrity or availability of personal or other confidential data stored on these information systems. The loss or breach of confidentiality of personal data is an infringement of data protection law (the GDPR and the Data Protection Act 2018), contravenes the FundApps Data Protection Policy, and may result in criminal or civil action against FundApps.
The loss or breach of confidentiality of contractually assured information may result in the loss of business, financial penalties or criminal or civil action against FundApps. Therefore it is crucial that all users of the FundApps information systems adhere to the Information Security Policy and its supporting policies as well as the Information Classification Standards.
All current staff and other authorised users will be informed of the existence of this policy and the availability of supporting policies, codes of practice and guidelines.
Any security breach will be handled in accordance with all relevant FundApps policies, including the Conditions of Use of IT Facilities at FundApps and the appropriate disciplinary policies.
This policy, and its subsidiary policies, shall be reviewed by FundApps and updated regularly to ensure that they remain appropriate in the light of any relevant changes to the law, organisational policies or contractual obligations.
The list of interested parties in FundApps' ISMS and their requirements are as follows:
Interested Party
Requirements on the ISMS
Clients
Provide service in line with contractual Service Level Agreements.
Protect client data from unauthorised access.
Staff and contractors
Provide a secure Information System to allow them to perform their jobs.
Owners and Investors
Provide a cost-effective, safe and secure Information System which allows FundApps to be profitable, attract new clients and develop new services.
Suppliers
Operate a secure Information System which prevents security incidents from impacting the supplier's Information System (e.g. malware propagation).
Regulators
Operate a secure Information System which complies with applicable laws and regulations.
The plan to achieve these objectives is described in the .
Information should be recorded in our information asset register, with the Information Systems which make use of it, classified in accordance with our and in accordance with relevant legislative, regulatory and contractual requirements.
Risks to information security should be assessed and assigned an owner in accordance with our
If a member of staff becomes aware of an information security incident they must report it to the Information Security Lead, the CEO or the CTO immediately. For more information, please see our .
The following table describes the plan for 2021 to achieve FundApps' objectives. For each objective it lists what will be done, who is responsible, the resources required, how completion will be evaluated and the estimated completion date.
Objective 1: Ensure the protection of non-public data managed by FundApps' Information Systems.
What will be done: Implement conditional access so that the same controls apply to BYOD as to corporate devices.
Responsible: Information Security Lead
Resources required: External expertise on conditional access
Evaluation: Conditional Access has been deployed to Okta
Est. completion date: End of December 2021
Objective 2: Ensure the protection of all FundApps Information Systems against the risks of unauthorised access, misuse, damage and abuse.
What will be done: Automate security testing for Infrastructure as Code.
Responsible: Information Security Lead
Resources required: Recurrent budget
Evaluation: Automated security testing for IaC implemented in the build pipeline
Est. completion date: End of June 2021
Objective 3: Demonstrate a high level of competence and expertise in Information Security.
What will be done: Maintain a SOC 2 Type II Report.
Responsible: Information Security Lead
Resources required: External auditor
Evaluation: SOC 2 Type II Report
Est. completion date: End of November 2021
Objective 4: Maintain compliance with security standards.
What will be done: Obtain ISO 27001 certification.
Responsible: Information Security Lead
Resources required: Internal and external auditors
Evaluation: ISO 27001 certification
Est. completion date: End of November 2021
Objective 5: Foster a culture of security awareness within FundApps.
What will be done: Provide a security awareness training refresher for all staff.
Responsible: Information Security Lead
Resources required: None
Evaluation: Security awareness refresher training provided to all staff
Est. completion date: End of September 2021
Objective 6: Protect FundApps from liability or damage due to an Information Security Incident.
What will be done: Review compliance with privacy laws.
Responsible: Legal counsel
Resources required: Recruit legal counsel
Evaluation: Compliance with privacy laws reviewed
Est. completion date: End of December 2021
Objective 7: Maintain a cycle of continuous improvement.
What will be done: Remediate findings identified by the ISO 27001 readiness assessment and internal audit.
Responsible: Information Security Lead
Resources required: None
Evaluation: All non-conformities have been remediated
Est. completion date: End of July 2021
The following table describes what will be monitored and measured, the method used, the metric, the target and when the measurement is made. In every case the Information Security Lead is responsible for monitoring and measuring.
Monitored: Protection of sensitive data managed by FundApps' Information Systems
Method: Incident register
Metric: Number of data breaches in the last 12 months
Target: 0
When: Annually and after an incident has occurred
Monitored: Information Systems misused, damaged or abused
Method: Incident register
Metric: Number of C1 or C2 security incidents in the last 12 months
Target: 0
When: Annually and after an incident has occurred
Monitored: Demonstrate a high level of competence and expertise in Information Security
Method: Client dissatisfaction with security practices
Metric: Number of clients lost due to Information Security issues in the last 12 months
Target: 0
When: Annually
Monitored: Demonstrate a high level of competence and expertise in Information Security
Method: Prospect dissatisfaction with security practices
Metric: Number of deals with prospects lost due to Information Security issues in the last 12 months
Target: Fewer than 5% of closed-lost deals
When: Annually
Monitored: Compliance with security standards
Method: ISO certification audit
Metric: ISO 27001 certification achieved
Target: Yes
When: Annually
Monitored: Compliance with security standards
Method: SOC 2 Type II Report
Metric: SOC 2 Type II Report maintained in the last 12 months
Target: Yes
When: Annually
Monitored: Foster a culture of security awareness within FundApps
Method: Incident register
Metric: Number of C1, C2 or C3 security incidents resulting from lack of security awareness (e.g. phishing) in the last 12 months
Target: 0
When: Annually and after an incident has occurred
Monitored: Information Security and Business Continuity risks
Method: Risk assessments and reviews
Metric: Number of risks above the risk tolerance level
Target: 0
When: Annually and when a new risk is identified
Monitored: Audit findings
Method: Internal or external audit
Metric: Number and severity of findings identified during the last internal audit
Target: 0 major non-conformities
When: Following an internal or external audit
Monitored: Liability due to an Information Security Incident
Method: Lawsuits
Metric: Number of lawsuits, fines or losses due to a security incident in the last 12 months
Target: 0
When: Annually and following a lawsuit
Monitored: Business Continuity Plan effectiveness
Method: BCP test report
Metric: Impact of the last activation of the BCP on business activity and clients
Target: No impact
When: Annually
Monitored: Disaster Recovery Plan effectiveness
Method: DR test report
Metric: Service return time during the last DR test
Target: Return time under 4 hours
When: Annually
Monitored: Security of FundApps' platform
Method: Penetration test report
Metric: Number and severity of findings in the last penetration test
Target: 0 Critical and High vulnerabilities
When: Annually
Based on these indicators, FundApps will assess whether its ISMS is performing effectively and whether the root causes of underperformance are being identified and managed appropriately.
At least once per calendar year a review of the ISMS will be done to ensure its continuing suitability, adequacy and effectiveness.
The annual management review meeting will have the following attendees:
the ISMS Implementer,
the ISMS Manager, and
at least one member of the Leadership Team, who may be the ISMS Manager.
The agenda will include the following topics:
Status of actions from previous management reviews
Relevant changes in external and internal issues
Performance of the ISMS
Audit results, non-conformities and corrective actions
Monitoring and measurement results
Information Security Objectives
Feedback from interested parties
Results of risk assessment and status of risk treatment plan
Opportunities for continual improvement
FundApps shall perform its first ISMS internal audit in 2021. The audit will be performed before the end of June 2021.
This internal audit shall cover the following elements:
Observations from the Readiness Assessment against the ISO/IEC 27001:2013 standard;
Annex A controls in scope as per the  from A.5.1.1 to A.9.4.5 inclusive.
The ISMS applies to the shareholding disclosure, position limits and sensitive industries services, which FundApps delivers to its clients. It also applies to the information assets, processes, teams and external service providers which FundApps relies on to provide these services.
FundApps’ three main services provided are:
Shareholding Disclosure
FundApps’ Shareholding Disclosure service helps compliance professionals with shareholding disclosure requirements, prove adherence to regulation and mitigate reputational risk to avoid fines.
FundApps’ outsourced, managed service combines FundApps’ proprietary rules engine with a team of compliance professionals and legal information from aosphere (an affiliate of Allen & Overy) and other regulatory data sources.
FundApps automates disclosure requirements such as major shareholding, 13F reporting, short selling (including EU Short Selling Rules), takeover panels, issuer limits and issuer requests (such as Section 793).
Position Limits
FundApps' Position Limits is a managed service for financial institutions that trade derivative contracts on multiple exchanges. It combines FundApps’ proprietary rules engine with a dedicated team of compliance professionals and up-to-date contract limits and exchange data. It helps compliance managers monitor holdings against position limits for exchange-traded contracts resulting from MiFID II regulation, as well as limits imposed by regulatory bodies such as the United States’ Commodity Futures Trading Commission (CFTC).
Sensitive Industries
FundApps automates the monitoring of regulatory disclosure thresholds in “sensitive industries”, including pre-approval and post notification, hard-stop and issuer-specific limits. FundApps’ Sensitive Industry rules cover industries in jurisdictions which have different regulations governing ownership.
The FundApps departments within the scope of the ISMS are:
Client Services – On-board clients and assist them throughout their experience with Rapptr.
Content – Help to ensure rules correctly mirror current regulation.
Finance – Manage FundApps’ budget, cash flow, tax planning and record keeping.
People Operations – Team responsible for employer brand, recruitment and on-boarding through to development, reward and recognition.
Product – Design and develop products to achieve the company’s objectives.
Engineering – Manage and maintain system architecture and design for all hosted clients.
At a high level, the following executives and teams support FundApps’ processes and services:
CEO – Assigns authority and responsibility for operating activities and reporting relationships. FundApps’ CEO defines and communicates the company’s objectives.
Head of Client Services – Takes the lead in owning the FundApps client portfolio and drives cross-team collaboration to support FundApps’ objectives.
Head of Product – Accountable for all product management and content team activities globally.
Chief Technology Officer – Provides direction and decision making on what technologies to use, the architecture of the platforms and best technical practices to follow.
Head of Sales – Accountable for all sales activities within the region and acts as the People Leader for the Regional Sales team.
Head of People Operations – Reporting directly to the CEO, the head of People Operations smooths the next phase in growth as FundApps scales.
Information Security Lead – Responsible for managing Information Security, Cyber Security and Business Continuity risks potentially impacting FundApps.
FundApps operates out of three offices:
114-116 Curtain Road, London EC2A 3AH, United Kingdom
115 Broadway, New York, NY 10006, USA
#02-11, Capitol Piazza, 13 Stamford Road, Singapore 0178905
FundApps services make use of a resilient infrastructure, which is hosted within multiple data centres (availability zones) and regions operated by Amazon Web Services.
There are two environments. The primary environment, from which the service is provided in normal operation, is made up of three data centres within a single geographic region. The secondary environment, in an alternate geographic region, is used if the primary environment is unavailable.
Each of the three data centres within the primary environment has discrete power and Internet connectivity. FundApps’ primary environment is designed to continue to provide its service should two of the three centres fail at the same time.
Should the whole primary environment fail, FundApps has procedures to recover its service in the secondary environment.
The critical components of this highly available infrastructure include:
Proxy servers, which filter inbound traffic and route them to the correct servers;
Web front-end servers, which provide FundApps clients with a web user interface and an application programming interface (API);
Engine servers, which apply rule sets to analyse FundApps clients’ financial positions;
Database servers, which store the results of this analysis, as well as objects and events related to client environments;
Network Address Translation Gateways used by the servers to connect to non-FundApps resources; and
Bastion hosts, which FundApps staff use to administrate the infrastructure.
FundApps’ platform consists of system software (operating systems, middleware, and utilities) that supports its applications. FundApps’ stack is made of Windows servers running Internet Information Services (IIS), SQL Server and RabbitMQ.
AWS services such as Elastic Load Balancing, Amazon Route 53, AWS Lambda and Amazon Simple Storage Service are also used to support the service provided. Ingress traffic is filtered by highly available web proxies deployed to Linux servers running the Ubuntu operating system.
The software developed by FundApps is mostly written in C# and NodeJS programming languages. This software is accessible to clients through a Web User Interface and an Application Programming Interface (API).
FundApps’ platform is kept up to date with the latest enhancements and fixes. FundApps delivers changes from the development and content teams to client production environments. To support this activity FundApps employs test-driven development, pair programming and code review to reduce risk and improve software quality.
Every change to software and rule content is run through a test suite to reduce the risk introduced by this continuous update process. Security considerations are built into the software lifecycle: FundApps identifies work items that have security implications early on.
Deployment of changes to the FundApps platform software is a fully automated process.
AWS provides the hosting services used for the FundApps platform.
Data Centre Physical Security Overview
All data hosted in FundApps’ platform is hosted by AWS within the EU in facilities with physical security controls in place. AWS holds industry standard certifications relating to security and availability, including but not limited to ISO 9001 and ISO 27001, as well as SOC 1 and SOC 2 attestations. Full details of the certification activities undertaken by FundApps’ hosting partner are available via AWS compliance.
Data Centre Access Control
AWS provides physical data centre access only to approved employees. All employees who need data centre access must first apply for access and provide a valid business justification. These requests are granted based on the principle of least privilege, where requests must specify to which layer of the data centre the individual needs access, and are time-bound. Requests are reviewed and approved by authorised personnel, and access is revoked after the requested time expires. Once granted admittance, individuals are restricted to areas specified in their permissions.
Third-party access is requested by approved AWS employees, who must apply for third-party access and provide a valid business justification. These requests are granted based on the principle of least privilege, where requests must specify to which layer of the data centre the individual needs access, and are time-bound. These requests are approved by authorised personnel, and access is revoked after the requested time expires. Once granted admittance, individuals are restricted to areas specified in their permissions. Anyone granted visitor badge access must present identification when arriving on site and is signed in and escorted by authorised staff.
Alert Logic provides network-based and host-based Intrusion Prevention Services (IPS), as well as a 24/7 Security Operations Centre (SOC).
There are no exclusions to the ISMS.
Define the version control, change approval and review cycle of FundApps policies.
FundApps' Information Security, Risk Management and Business Continuity policies.
Policies in scope shall be versioned using git. Any change to a policy will be tied to a commit hash and an author. This information will be stored in the policies' git log.
Policies in scope shall be approved by a member of the Leadership Team. These approvals will be recorded in the policies' git log.
Policies in scope shall be reviewed annually by the Information Security Lead and at least one member of the Leadership Team.
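As an added example, not FundApps' own tooling, the following POSIX shell script shows one way to record a Leadership Team approval in the git log (as an "Approved-by" commit trailer) and to audit the policies' history for commits that carry no approval. The repository layout (a policies/ directory), the trailer name and the people and e-mail addresses are assumptions made for the example; the script builds a throwaway repository so it runs offline.

```shell
#!/bin/sh
# Added example, not FundApps' own tooling: record a policy approval as a
# git commit trailer and audit the policies' git log for commits without one.
# Assumptions: policies live under policies/ in the repo, the trailer is
# named "Approved-by", and the people and e-mail addresses below are made up.
set -eu

# Build a throwaway repository with one approved and one unapproved change,
# so the audit functions below can be exercised offline.
make_policy_repo() {
  dir=$(mktemp -d)
  git -C "$dir" init -q
  git -C "$dir" config user.name "Policy Author"
  git -C "$dir" config user.email "author@example.com"
  mkdir -p "$dir/policies"
  printf 'Version 1.0\n' > "$dir/policies/information-security-policy.md"
  git -C "$dir" add policies
  # The second -m becomes a separate paragraph, which git parses as a trailer block.
  git -C "$dir" commit -q -m "Add information security policy" \
    -m "Approved-by: Leadership Member <leader@example.com>"
  printf 'Version 1.1\n' > "$dir/policies/information-security-policy.md"
  # Committed without an approval trailer: this is the case the audit must catch.
  git -C "$dir" commit -q -a -m "Update policy review cycle"
  echo "$dir"
}

# One line per commit touching policies/: short hash|author|approver(s).
# %(trailers:key=...,valueonly) prints only the trailer value, empty if absent;
# the comma separator keeps multiple approvers on one line.
policy_audit() {
  git -C "$1" log --format='%h|%an|%(trailers:key=Approved-by,valueonly,separator=%x2C)' -- policies/
}

# Hashes of policy commits with no Approved-by trailer (candidate non-conformities).
unapproved_commits() {
  policy_audit "$1" | awk -F'|' '$3 == "" { print $1 }'
}

# Number of policy commits that carry an approval.
approved_count() {
  policy_audit "$1" | awk -F'|' '$3 != "" { n++ } END { print n + 0 }'
}

# Usage: sh policy-audit.sh demo
if [ "${1:-}" = "demo" ]; then
  repo=$(make_policy_repo)
  echo "Policy commits (hash|author|approver):"
  policy_audit "$repo"
  echo "Commits missing an approval:"
  unapproved_commits "$repo"
fi
```

Run with `sh policy-audit.sh demo` to see the two commits and the one flagged as unapproved. Using a trailer rather than free text in the message body lets git itself parse the approval, and `git log ... -- policies/` scopes the audit to policy files so unrelated commits in the same repository are not counted.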
This process aims to allow FundApps to continually improve the suitability, adequacy and effectiveness of the information security management system.
Nonconformities of FundApps' Information Security Management System with ISO 27001:2013.
FundApps shall implement the following process when nonconformities arise:
FundApps shall react to the nonconformity as applicable by taking action to control and correct it and deal with its consequences.
FundApps shall evaluate the need for action to eliminate the causes of the nonconformity to ensure it does not occur again.
To do so FundApps shall:
review the nonconformity;
determine the cause of the nonconformity; and
determine if similar nonconformities exist or could potentially occur.
FundApps shall implement actions required to address the root cause of the nonconformity.
FundApps shall review the effectiveness of the remediation actions which have been taken and make further changes to the ISMS if necessary.
FundApps shall retain evidence of:
the nature of the nonconformities and any subsequent action taken, and
the result of any remediation actions.
The CTO shall ensure FundApps allocates the appropriate resources to ensure the ISMS' conformity with the ISO 27001 standard and shall report the performance of the ISMS to the Leadership team.
The Information Security Lead shall maintain the ISMS, assess its conformity with the ISO 27001 standard, define appropriate corrective actions and report its performance to the CTO.
The internal auditor, who can be a staff member or a consultant, shall perform an impartial internal audit against the requirements of the ISO 27001 standard, and follow-up on the internal audit results to achieve continual improvement.
The leadership team will ensure the performance of the ISMS aligns with FundApps' business objectives.
Finally, all FundApps staff members contribute to the ISMS and to FundApps' security policies and procedures.
The following diagram shows how the staff who have a role in the ISMS are organised.
FundApps assesses the competencies of those who play a role in the ISMS based on the table below:
Role
Competencies
How competencies are assessed
ISMS Manager
Technical Leadership experience
Technical and architectural expertise
Experience in an environment with high security requirements
Competencies are assessed during recruitment process and ISMS annual review meeting.
ISMS Implementer
Information Security Leadership experience
Information Security expertise
Competencies are assessed during recruitment process and ISMS annual review meeting.
ISMS Internal Auditor
Auditor experience
ISO 27001 expertise
Competencies are assessed during recruitment/purchasing process and ISMS annual review meeting.
Leadership Team
FundApps Staff
Knowledge of FundApps' Information Security Policies
Knowledge on how to react to most common security threats (e.g. react to phishing emails)
Competencies are assessed during new joiner information security training and during annual refreshers.
If gaps are identified against the required competencies, FundApps will define a set of actions to remediate them. These actions may include training, mentoring, or hiring or contracting competent persons.
This policy defines the internal audit process of FundApps' Information Security Management System (ISMS).
Internal audits shall be performed against FundApps' ISMS at planned intervals at least once per year.
The annual internal audit must cover a section of the ISMS so that over a period of 3 years, the entirety of the ISMS scope can be audited.
The internal auditor shall be appointed by the ISMS Manager. The auditor may be a member of FundApps staff or a trusted external third-party auditor. Auditor selection shall ensure the objectivity and impartiality of the audit process.
Audits shall be planned in advance and the ISMS Manager shall be notified no less than 5 business days ahead of time.
The internal auditor shall prepare the audit plan which shall define the scope of the ISMS, including the scope of the controls, which shall be audited.
Amongst others, the audit plan must take as an input the following items:
Security related incidents that have occurred since last audit;
Changes made to the Information Security Policy;
Changes made to Information Security controls;
Improvements made to the ISMS.
The resulting audit plan must be validated by the ISMS Manager.
Upon validation the internal auditor must communicate the plan to the interested parties.
The internal auditor shall collect and study the previous audit findings and outstanding issues. They shall also prepare relevant documents required for the audit (e.g. ISMS Audit checklist).
During the audit, the internal auditor shall find relevant evidence to ascertain that:
The information security policy reflects the current business requirements;
An appropriate risk assessment methodology is being used;
Documented procedures (within the scope of the ISMS) are being followed and are meeting their objectives;
Controls are in place and working as intended;
Residual risks have been assessed correctly and are within FundApps' risk appetite and risk tolerance levels;
The agreed actions from the previous audits have been implemented;
The ISMS is compliant with ISO 27001.
The internal auditor shall prepare an audit report based on the audit findings. Findings shall be labelled according to their severity and priority level:
Major Non-Conformity - A major deficiency in the ISMS: one or more elements of the ISO/IEC 27001:2013 standard is not implemented and the finding has a direct effect on information security, specifically on the preservation of the confidentiality, integrity and availability of information assets.
Minor Non-Conformity - A minor deficiency: one or more elements of the ISMS are only partially complied with. Minor non-conformities have an indirect effect on information security.
Observations/Potential Improvements – An audit recommendation for improvement for consideration by FundApps.
The internal auditor shall send the audit report to the ISMS Manager and the ISMS Implementer.
According to the audit findings and the non-conformity levels, an action plan and any follow-up audit shall be defined by the ISMS Implementer and validated by the ISMS Manager. The scope of a follow-up audit is limited to the non-conformity, and the same mechanisms that produced the finding are used.
The audit report shall record, for each finding: the finding number; its classification (Major Non-Conformity, Minor Non-Conformity, or Observation/Potential Improvement); a description; the ISO 27001 clause number; the remediation action; the remediation deadline; the status; and evidence of remediation.
Internal communication regarding this ISMS will be conducted as described below:
Non-conformities will be logged in , a ticketing system.
The remediation action and a deadline will be logged in for each non-conformity.
Once the action has been implemented, the corresponding story will be marked as done.
The scope of the internal audit is FundApps' Information Security Management System (ISMS), which is described in .
The following table summarises the controls that are relevant and applicable to FundApps' Information Security Management System in accordance with the requirements of ISO 27001:2013.
ISO Control | Description | Applicable | Business / Contractual / Legal Requirement | Implemented
A.5.1.1 | Policies for information security: A set of policies for information security shall be defined, approved by management, published and communicated to employees and relevant external parties. | Yes | X X | Yes
A.5.1.2 | Review of the policies for information security: The policies for information security shall be reviewed at planned intervals or if significant changes occur to ensure their continuing suitability, adequacy and effectiveness. | Yes | X X | Yes
A.6.1.1 | Information security roles and responsibilities: All information security responsibilities shall be defined and allocated. | Yes | X X | Yes
A.6.1.2 | Segregation of duties: Conflicting duties and areas of responsibility shall be segregated to reduce opportunities for unauthorized or unintentional modification or misuse of the organization’s assets. | Yes | X X | Yes
A.6.1.3 | Contact with authorities: Appropriate contacts with relevant authorities shall be maintained. | Yes | X X | Yes
A.6.1.4 | Contact with special interest groups: Appropriate contacts with special interest groups or other specialist security forums and professional associations shall be maintained. | Yes | X | Yes
A.6.1.5 | Information security in project management: Information security shall be addressed in project management, regardless of the type of the project. | Yes | X X | Yes
A.6.2.1 | Mobile device policy: A policy and supporting security measures shall be adopted to manage the risks introduced by using mobile devices. | Yes | X X | Yes
A.6.2.2 | Teleworking: A policy and supporting security measures shall be implemented to protect information accessed, processed or stored at teleworking sites. | Yes | X X | Yes
A.7.1.1 | Screening: Background verification checks on all candidates for employment shall be carried out in accordance with relevant laws, regulations and ethics and shall be proportional to the business requirements, the classification of the information to be accessed and the perceived risks. | Yes | X X | Yes
A.7.1.2 | Terms and conditions of employment: The contractual agreements with employees and contractors shall state their and the organization’s responsibilities for information security. | Yes | X X X | Yes
A.7.2.1 | Management responsibilities: Management shall require all employees and contractors to apply information security in accordance with the established policies and procedures of the organization. | Yes | X X | Yes
A.7.2.2 | Information security awareness, education and training: All employees of the organization and, where relevant, contractors shall receive appropriate awareness education and training and regular updates in organizational policies and procedures, as relevant for their job function. | Yes | X X | Yes
A.7.2.3 | Disciplinary process: There shall be a formal and communicated disciplinary process in place to take action against employees who have committed an information security breach. | Yes | X X | Yes
A.7.3.1 | Termination or change of employment responsibilities: Information security responsibilities and duties that remain valid after termination or change of employment shall be defined, communicated to the employee or contractor and enforced. | Yes | X X | Yes
A.8.1.1 | Inventory of assets: Information, other assets associated with information and information processing facilities shall be identified and an inventory of these assets shall be drawn up and maintained. | Yes | X X | Yes
A.8.1.2 | Ownership of assets: Assets maintained in the inventory shall be owned. | Yes | X X | Yes
A.8.1.3 | Acceptable use of assets: Rules for the acceptable use of information and of assets associated with information and information processing facilities shall be identified, documented and implemented. | Yes | X | Yes
A.8.1.4 | Return of assets: All employees and external party users shall return all of the organizational assets in their possession upon termination of their employment, contract or agreement. | Yes | X | Yes
A.8.2.1 | Classification of information: Information shall be classified in terms of legal requirements, value, criticality and sensitivity to unauthorised disclosure or modification. | Yes | X X | Yes
A.8.2.2 | Labelling of information: An appropriate set of procedures for information labelling shall be developed and implemented in accordance with the information classification scheme adopted by the organization. | Yes | X | Yes
A.8.2.3 | Handling of assets: Procedures for handling assets shall be developed and implemented in accordance with the information classification scheme adopted by the organization. | Yes | X X | Yes
A.8.3.1 | Management of removable media: Procedures shall be implemented for the management of removable media in accordance with the classification scheme adopted by the organization. | Yes | X X | Yes
A.8.3.2 | Disposal of media: Media shall be disposed of securely when no longer required, using formal procedures. | Yes | X X | Yes
A.8.3.3 | Physical media transfer: Media containing information shall be protected against unauthorized access, misuse or corruption during transportation. | Yes | X X | Yes
A.9.1.1 | Access control policy: An access control policy shall be established, documented and reviewed based on business and information security requirements. | Yes | X X | Yes
A.9.1.2 | Access to networks and network services: Users shall only be provided with access to the network and network services that they have been specifically authorized to use. | Yes | X X | Yes
A.9.2.1 | User registration and deregistration: A formal user registration and de-registration process shall be implemented to enable assignment of access rights. | Yes | X X | Yes
A.9.2.2 | User access provisioning: A formal user access provisioning process shall be implemented to assign or revoke access rights for all user types to all systems and services. | Yes | X X | Yes
A.9.2.3 | Management of privileged access rights: The allocation and use of privileged access rights shall be restricted and controlled. | Yes | X X | Yes
A.9.2.4 | Management of secret authentication information of users: The allocation of secret authentication information shall be controlled through a formal management process. | Yes | X X | Yes
A.9.2.5 | Review of user access rights: Asset owners shall review users’ access rights at regular intervals. | Yes | X X | Yes
A.9.2.6 | Removal or adjustment of access rights: The access rights of all employees and external party users to information and information processing facilities shall be removed upon termination of their employment, contract or agreement, or adjusted upon change. | Yes | X X | Yes
A.9.3.1 | Use of secret authentication information: Users shall be required to follow the organization’s practices in the use of secret authentication information. | Yes | X X | Yes
A.9.4.1 | Information access restriction: Access to information and application system functions shall be restricted in accordance with the access control policy. | Yes | X X | Yes
A.9.4.2 | Secure log-on procedures: Where required by the access control policy, access to systems and applications shall be controlled by a secure log-on procedure. | Yes | X X | Yes
A.9.4.3 | Password management system: Password management systems shall be interactive and shall ensure quality passwords. | Yes | X X | Yes
A.9.4.4 | Use of privileged utility programs: The use of utility programs that might be capable of overriding system and application controls shall be restricted and tightly controlled. | Partly | X X | Only on production infrastructure
A.9.4.5 | Access control to program source code: Access to program source code shall be restricted. | Yes | X X | Yes
A.10.1.1 | Policy on the use of cryptographic controls: A policy on the use of cryptographic controls for protection of information shall be developed and implemented. | Yes | X X | Yes
A.10.1.2 | Key management: A policy on the use, protection and lifetime of cryptographic keys shall be developed and implemented through their whole lifecycle. | Yes | X X | Yes
A.11.1.1 | Physical security perimeter: Security perimeters shall be defined and used to protect areas that contain either sensitive or critical information and information processing facilities. | Yes | X X | Yes
A.11.1.2 | Physical entry controls: Secure areas shall be protected by appropriate entry controls to ensure that only authorized personnel are allowed access. | Yes | X X | Yes
A.11.1.3 | Securing offices, rooms and facilities: Physical security for offices, rooms and facilities shall be designed and applied. | Yes | X X | Yes
A.11.1.4 | Protecting against external and environmental threats: Physical protection against natural disasters, malicious attack or accidents shall be designed and applied. | Yes | X X X | Yes
A.11.1.5 | Working in secure areas: Procedures for working in secure areas shall be designed and applied. | Yes | X X | Yes
A.11.1.6 | Delivery and loading areas: Access points such as delivery and loading areas and other points where unauthorized persons could enter the premises shall be controlled and, if possible, isolated from information processing facilities to avoid unauthorized access. | Yes | X | Yes
A.11.2.1 | Equipment siting and protection: Equipment shall be sited and protected to reduce the risks from environmental threats and hazards, and opportunities for unauthorized access. | Yes | X X | Yes
A.11.2.2 | Supporting utilities: Equipment shall be protected from power failures and other disruptions caused by failures in supporting utilities. | Yes | X X | Yes
A.11.2.3 | Cabling security: Power and telecommunications cabling carrying data or supporting information services shall be protected from interception, interference or damage. | Yes | X | Yes
A.11.2.4 | Equipment maintenance: Equipment shall be correctly maintained to ensure its continued availability and integrity. | Yes | X X | Yes
A.11.2.5 | Removal of assets: Equipment, information or software shall not be taken off-site without prior authorization. | Yes | X X | Yes
A.11.2.6 | Security of equipment and assets off-premises: Security shall be applied to off-site assets taking into account the different risks of working outside the organization’s premises. | Yes | X X | Yes
A.11.2.7 | Secure disposal or re-use of equipment: All items of equipment containing storage media shall be verified to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal or re-use. | Yes | X X | Yes
A.11.2.8 | Unattended user equipment: Users shall ensure that unattended equipment has appropriate protection. | Yes | X X | Yes
A.11.2.9 | Clear desk and clear screen policy: A clear desk policy for papers and removable storage media and a clear screen policy for information processing facilities shall be adopted. | Yes | X X | Yes
A.12.1.1 | Documented operating procedures: Operating procedures shall be documented and made available to all users who need them. | Yes | X X | Yes
A.12.1.2 | Change management: Changes to the organization, business processes, information processing facilities and systems that affect information security shall be controlled. | Yes | X X | Yes
A.12.1.3 | Capacity management: The use of resources shall be monitored, tuned and projections made of future capacity requirements to ensure the required system performance. | Yes | X X | Yes
A.12.1.4 | Separation of development, testing and operational environments: Development, testing, and operational environments shall be separated to reduce the risks of unauthorized access or changes to the operational environment. | Yes | X X | Yes
A.12.2.1 | Controls against malware: Detection, prevention and recovery controls to protect against malware shall be implemented, combined with appropriate user awareness. | Yes | X X | Yes
A.12.3.1 | Information backup: Backup copies of information, software and system images shall be taken and tested regularly in accordance with an agreed backup policy. | Yes | X X | Yes
A.12.4.1 | Event logging: Event logs recording user activities, exceptions, faults and information security events shall be produced, kept and regularly reviewed. | Yes | X X | Yes
A.12.4.2 | Protection of log information: Logging facilities and log information shall be protected against tampering and unauthorized access. | Yes | X X | Yes
A.12.4.3 | Administrator and operator logs: System administrator and system operator activities shall be logged and the logs protected and regularly reviewed. | Yes | X X | Yes
A.12.4.4 | Clock synchronisation: The clocks of all relevant information processing systems within an organization or security domain shall be synchronised to a single reference time source. | Yes | X | Yes
A.12.5.1 | Installation of software on operational systems: Procedures shall be implemented to control the installation of software on operational systems. | Yes | X X | Yes
A.12.6.1 | Management of technical vulnerabilities: Information about technical vulnerabilities of information systems being used shall be obtained in a timely fashion, the organization’s exposure to such vulnerabilities evaluated and appropriate measures taken to address the associated risk. | Yes | X X | Yes
A.12.6.2 | Restrictions on software installation: Rules governing the installation of software by users shall be established and implemented. | Yes | X X | Yes
A.12.7.1 | Information systems audit controls: Audit requirements and activities involving verification of operational systems shall be carefully planned and agreed to minimise disruptions to business processes. | Yes | X | Yes
A.13.1.1 | Network controls: Networks shall be managed and controlled to protect information in systems and applications. | Yes | X X | Yes
A.13.1.2 | Security of network services: Security mechanisms, service levels and management requirements of all network services shall be identified and included in network services agreements, whether these services are provided in-house or outsourced. | Yes | X X | Yes
A.13.1.3 | Segregation in networks: Groups of information services, users and information systems shall be segregated on networks. | Yes | X X | Yes
A.13.2.1 | Information transfer policies and procedures: Formal transfer policies, procedures and controls shall be in place to protect the transfer of information through the use of all types of communication facilities. | Yes | X X | Yes
A.13.2.2 | Agreements on information transfer: Agreements shall address the secure transfer of business information between the organization and external parties. | Yes | X X | Yes
A.13.2.3 | Electronic messaging: Information involved in electronic messaging shall be appropriately protected. | Yes | X X | Yes
A.13.2.4 | Confidentiality or non-disclosure agreements: Requirements for confidentiality or non-disclosure agreements reflecting the organization’s needs for the protection of information shall be identified, regularly reviewed and documented. | Yes | X X X | Yes
A.14.1.1 | Information security requirements analysis and specification: The information security related requirements shall be included in the requirements for new information systems or enhancements to existing information systems. | Yes | X X | Yes
A.14.1.2 | Securing application services on public networks: Information involved in application services passing over public networks shall be protected from fraudulent activity, contract dispute and unauthorized disclosure and modification. | Yes | X X | Yes
A.14.1.3 | Protecting application services transactions: Information involved in application service transactions shall be protected to prevent incomplete transmission, mis-routing, unauthorized message alteration, unauthorized disclosure, unauthorized message duplication or replay. | Yes | X X | Yes
A.14.2.1 | Secure development policy: Rules for the development of software and systems shall be established and applied to developments within the organization. | Yes | X X | Yes
A.14.2.2 | System change control procedures: Changes to systems within the development lifecycle shall be controlled by the use of formal change control procedures. | Yes | X X | Yes
A.14.2.3 | Technical review of applications after operating platform changes: When operating platforms are changed, business critical applications shall be reviewed and tested to ensure there is no adverse impact on organizational operations or security. | Yes | X X | Yes
A.14.2.4 | Restrictions on changes to software packages: Modifications to software packages shall be discouraged, limited to necessary changes and all changes shall be strictly controlled. | Yes | X | Yes
A.14.2.5 | Secure system engineering principles: Principles for engineering secure systems shall be established, documented, maintained and applied to any information system implementation efforts. | Yes | X X | Yes
A.14.2.6 | Secure development environment: Organizations shall establish and appropriately protect secure development environments for system development and integration efforts that cover the entire system development lifecycle. | Yes | X X | Yes
A.14.2.7 | Outsourced development: The organization shall supervise and monitor the activity of outsourced system development. | Yes | X X | Yes
A.14.2.8 | System security testing: Testing of security functionality shall be carried out during development. | Yes | X X | Yes
A.14.2.9 | System acceptance testing: Acceptance testing programs and related criteria shall be established for new information systems, upgrades and new versions. | Yes | X X | Yes
A.14.3.1 | Protection of test data: Test data shall be selected carefully, protected and controlled. | Yes | X X | Yes
A.15.1.1 | Information security policy for supplier relationships: Information security requirements for mitigating the risks associated with supplier’s access to the organization’s assets shall be agreed with the supplier and documented. | Yes | X X | Yes
A.15.1.2 | Addressing security within supplier agreements: All relevant information security requirements shall be established and agreed with each supplier that may access, process, store, communicate, or provide IT infrastructure components for, the organization’s information. | Yes | X X | Yes
A.15.1.3 | Information and communication technology supply chain: Agreements with suppliers shall include requirements to address the information security risks associated with information and communications technology services and product supply chain. | Yes | X X | Yes
A.15.2.1 | Monitoring and review of supplier services: Organizations shall regularly monitor, review and audit supplier service delivery. | Yes | X X | Yes
A.15.2.2 | Managing changes to supplier services: Changes to the provision of services by suppliers, including maintaining and improving existing information security policies, procedures and controls, shall be managed, taking account of the criticality of business information, systems and processes involved and re-assessment of risks. | Yes | X X | Yes
A.16.1.1 | Responsibilities and procedures: Management responsibilities and procedures shall be established to ensure a quick, effective and orderly response to information security incidents. | Yes | X X | Yes
A.16.1.2 | Reporting information security events: Information security events shall be reported through appropriate management channels as quickly as possible. | Yes | X X | Yes
A.16.1.3 | Reporting information security weaknesses: Employees and contractors using the organization’s information systems and services shall be required to note and report any observed or suspected information security weaknesses in systems or services. | Yes | X X | Yes
A.16.1.4 | Assessment of and decision on information security events: Information security events shall be assessed and it shall be decided if they are to be classified as information security incidents. | Yes | X X | Yes
A.16.1.5 | Response to information security incidents: Information security incidents shall be responded to in accordance with the documented procedures. | Yes | X X | Yes
A.16.1.6 | Learning from information security incidents: Knowledge gained from analysing and resolving information security incidents shall be used to reduce the likelihood or impact of future incidents. | Yes | X | Yes
A.16.1.7 | Collection of evidence: The organization shall define and apply procedures for the identification, collection, acquisition and preservation of information, which can serve as evidence. | Yes | X | Yes
A.17.1.1 | Planning information security continuity: The organization shall determine its requirements for information security and the continuity of information security management in adverse situations, e.g. during a crisis or disaster. | Yes | X X | Yes
A.17.1.2 | Implementing information security continuity: The organization shall establish, document, implement and maintain processes, procedures and controls to ensure the required level of continuity for information security during an adverse situation. | Yes | X X | Yes
A.17.1.3 | Verify, review and evaluate information security continuity: The organization shall verify the established and implemented information security continuity controls at regular intervals in order to ensure that they are valid and effective during adverse situations. | Yes | X X | Yes
A.17.2.1 | Availability of information processing facilities: Information processing facilities shall be implemented with redundancy sufficient to meet availability requirements. | Yes | X X | Yes
A.18.1.1 | Identification of applicable legislation and contractual requirements: All relevant legislative, statutory, regulatory and contractual requirements and the organization’s approach to meet these requirements shall be explicitly identified, documented and kept up to date for each information system and the organization. | Yes | X | Yes
A.18.1.2 | Intellectual property rights: Appropriate procedures shall be implemented to ensure compliance with legislative, regulatory and contractual requirements related to intellectual property rights and use of proprietary software products. | Yes | X | Yes
A.18.1.3 | Protection of records: Records shall be protected from loss, destruction, falsification, unauthorized access and unauthorized release, in accordance with legislative, regulatory, contractual and business requirements. | Yes | X | Yes
A.18.1.4 | Privacy and protection of personally identifiable information: Privacy and protection of personally identifiable information shall be ensured as required in relevant legislation and regulation where applicable. | Yes | X X X | Yes
A.18.1.5 | Regulation of cryptographic controls: Cryptographic controls shall be used in compliance with all relevant agreements, legislation and regulations. | Yes | X X X | Yes
A.18.2.1 | Independent review of information security: The organization’s approach to managing information security and its implementation (i.e. control objectives, controls, policies, processes and procedures for information security) shall be reviewed independently at planned intervals or when significant changes occur. | Yes | X | Yes
A.18.2.2 | Compliance with security policies and standards: Managers shall regularly review the compliance of information processing and procedures within their area of responsibility with the appropriate security policies, standards and any other security requirements. | Yes | X X | Yes
A.18.2.3 | Technical compliance review: Information systems shall be regularly reviewed for compliance with the organization’s information security policies and standards. | Yes | X X | Yes
What to communicate | Who shall communicate | Whom to communicate to | When to communicate | How to communicate
Changes to Information Security Management Policy; changes to Risk Management, Information Security, and Business Continuity Policies; changes to Software Development Policy; changes to Personnel and Safety Policies | Information Security Lead or CTO | Employees, Contractors, Leadership team, Clients, Prospects | Ad-hoc | Via FundApps policy portal
Risks above risk tolerance | Information Security Lead or CTO | Leadership team, Risk owner | Ad-hoc | Via Risk Register
Findings from internal or external audits | Information Security Lead or CTO | Employees, Leadership team | Ad-hoc | Via Slack
Availability of FundApps' platform | Information Security Lead or CTO | Employees, Contractors, Leadership team, Clients, Prospects | Daily | Via
Changes in security and privacy related contractual requirements | Information Security Lead or CTO | Contractors, Providers | Ad-hoc | Via email