In order to preserve the appropriate confidentiality, integrity and availability of FundApps information assets, we must make sure they are protected against unauthorized access, disclosure or modification. This is critical for all personal data, client data and FundApps proprietary data we deal with across the FundApps business.
This standard applies to all FundApps information, irrespective of the data location or the type of device it resides on.
We maintain an information asset register detailing all key information assets at FundApps, who owns them, the business processes they are used in, and any external service providers that may utilise or store the information.
As a result, we can see at a glance
What information assets fall under which data classification
What information systems hold data falling under those classifications
The controls that we expect each system to have in place
All FundApps employees, contractors and third parties who interact with information held by and on behalf of the FundApps are responsible for assessing and classifying the information they work with and applying the appropriate controls. Individuals must respect the security classification of any information as defined and must report the inappropriate situation of information to the Information Security Manager or Head of Security as quickly as possible.
Each System has an owner (Supplier Relationship Manager) responsible for assessing the information it contains and classifying its sensitivity. Systems owners are then responsible for ensuring the appropriate controls are in place in conjunction with the Head of Security.
Responsible for advising on and recommending information security standards on data classification and ensuring these are regularly reviewed.
The latest classification guidance can be found below.
Description
Publicly available data.
Accessible only to FundApps staff, authorised clients and partners.
Access restricted to specific FundApps teams. Data which the data owner has not decided to make public; data that is legally regulated and requires some level of access control, and data protected by contractual obligations.
Access restricted to specific FundApps staff on a ‘need to know’ basis. Data which if disclosed publicly could cause significant financial or reputational damage to FundApps or our clients; data which is legally regulated requiring an extremely high level of protection; data protected by contractual obligations.
Impact
None
Low
Medium
High
Current data in this classification
- Regulatory information - Publicly available information on a company.
- FundApps policies, - List of clients, - Development and test data, - Prospective client visitor data and analytics, - Task lists, potential future work - FundApps ISMS and asset register.
- Employee contracts, passports, salaries, bank records, - Engineering Source Code, - FundApps’ rule package, - Client portfolio, structures, - Client queries, - Server event logs, application logs, exception logs.
- Client positions - Client results (disclosures, breaches etc) and data overrides - Encryption keys and infrastructure credentials
Current services included in this classification
- OneLogin - Aosphere.
- Amazon AWS Development, - OneDrive, - HubSpot, - PagerDuty, - GitBook, - Bonusly, - Google Analytics.
- GitHub, - Intercom, - Google Mail, - Google Drive, - Slack, - Kingston Smith, - HSBC, - Datadog SIEM, - Sentry.
- Amazon AWS Production, - Octopus, - Client environments.
Data access & control
No access restrictions. Data is available for public access.
Available to FundApps prospects and clients (under NDA) and staff.
Available only to specified FundApps staff.
Access is controlled and restricted to specific FundApps staff, following a 'need to know' and 'least privilege' basis.
Legal requirements
Protection of data is at the discretion of the owner or custodian.
Protection of data is at the discretion of the owner or custodian.
Protection of data is required by law or at the discretion of the owner or custodian.
Protection of data is required by law or at the discretion of the owner or custodian.
Transmission
No other protection is required for public information.
Data must be shared through systems which restrict access to the intended audience. If this is not possible (e.g. data needs to be shared through internal chat or email), data must be sent encrypted (e.g. password protected encrypted archive where password is sent through unrelated channel) or through the means of a link to a system which implements the appropriate access control (link to Google Docs drive).
Data must be shared through systems which restrict access to the intended audience. If this is not possible (e.g. data needs to be shared through internal chat or email), data must be sent encrypted (e.g. password protected encrypted archive where password is sent through unrelated channel) or through the means of a link to a system which implements the appropriate access control (link to Google Docs drive).
Transmission through email, support tickets, internal chat tools is prohibited. Transmission may only be made through approved channels that are authenticated and encrypted (HTTPS or VPN).
Audit controls
No audit controls required.
Information owners must periodically monitor and review their systems and procedures for potential misuse and/or unauthorized access.
Information owners must periodically monitor and review their systems and procedures for potential misuse and/or unauthorized access. Audit trails for the purposes of non-repudiation must be in place.
Systems must be actively monitored and reviewed for potential misuse and/or unauthorized access. Audit trails for the purposes of non-repudiation must be in place.
Storage
No restrictions.
No restrictions. Care must always be taken when storing this information on mobile devices.
Encryption is required if stored on a system without access control.
Encryption at rest mandatory for all data not within a physically secure ISO 27001 environment. Storage is prohibited on unapproved computing equipment.
Backup & Recovery procedures
Not required.
Documented backup and recovery procedures are required in line with FundApps' Service Levels.
Documented backup and recovery procedures are required in line with FundApps' Service Levels.
Documented backup and recovery procedures are required, including automated failover wherever feasible in order to achieve FundApps' Service Levels.
Disposal (digital file)
No restrictions.
Standard deletion from media
Standard deletion from media
Delete all files or data using a secure delete tool (such as Eraser).
Disposal (physical medium)
No restrictions.
Media must be erased before disposal
Media must be erased before disposal. Cryptographic keys must be deleted for encrypted media. Media must be disposed of securely using state of the art approved solutions for the permanent removal of data (e.g. shredding or physical destruction).
Media must be erased before disposal. Cryptographic keys must be deleted for encrypted media. Media must be disposed of securely using state of the art approved solutions for the permanent removal of data (e.g. shredding or physical destruction).
Transport
Normal mail service
Normal mail service
Must never be printed. Transport of media or devices containing such data must be done through a trusted courier.
Must never be printed. Transport of media or devices containing such data must be done through a trusted courier.
Storage
No requirements
Secure office or other location. Room need not be locked if access to the building or floor is restricted to employees and authorised non-employees.
Must never be printed
Must never be printed
Disposal
No requirements
Information must be disposed of securely using strip-cut shredders or confidential waste bins which are certified for secure destruction.
Must never be printed
Must never be printed
Report suspected violations of this policy to the Head of Information Security, the CTO or the CEO. Reports of violations are considered Restricted data until otherwise classified.
FundApps approaches both information security and business continuity from risk based principles. Each identified information security or business continuity risk is reviewed with regard to Likelihood (the possibility of a risk happening), and Impact (the consequence of a risk happening).
Risks can be identified by any member of staff, and, staff members are encouraged to contribute. Once risks are identified and reviewed for Likelihood and Impact, an appropriate remediation plan can be formulated.
The key is that risk management drives activity to resolve identified risks, and is the responsibility is that of each employee of FundApps.
FundApps has no appetite for safety risks that could result in the injury or loss of life of FundApps staff, clients or partners.
FundApps has no appetite for information security risks that could result in unauthorised or accidental disclosure of, client or other sensitive information.
FundApps has a low appetite for business continuity risks which prevent the ability to provide service to clients.
It is important to note that following the risk management framework, any risk that equals or exceeds a risk rating of twelve (12) will exceed the FundApps Risk Tolerance level and therefore will require a risk treatment plan to lower the risk profile. See the FundApps Risk Management Matrix at the bottom of the page for further information.
Potential information security risks and business continuity risks are identified through both formal and informal channels:
Monthly security review meetings
Incident response and reviews
As part of the Software Development Lifecycle
As part of the continuous release management
As part of everyday working practice
Likelihood and impact
Potential risks are recorded in the risk register and assigned an owner. Risks are assessed on two criteria with regards to any current controls that may already be in place:
Likelihood, according to the FundApps Risk Management Matrix (cf. bottom of the page). Likelihood should consider the specific vulnerability or threats that may exploit this vulnerability.
Impact, according to the FundApps Risk Management Matrix (cf. bottom of the page). Further guidance must be taken from the FundApps Data Classification and Handling Policy when referring to impact. This will take into account the Confidentiality, Integrity and Availability requirements of any data asset.
Residual risk
The assessment of likelihood and impact places the risk within risk tolerance levels defined in the Risk Management Matrix (cf. bottom of the page).
Each risk level consists of
the likelihood and impact levels
a timeframe for review while the risk is open
a timeframe for review once the risk is closed
Based on this categorization we can then design a risk response in order to reduce our residual risk.
Strategies for responding to the risk can include:
Avoid risk – activities with a high likelihood of loss and large business impact. The best response is to avoid the activity.
Mitigate risk – activities with a high likelihood of occurring, but business impact is small. The best response is to use management control systems to reduce the risk of potential loss.
Transfer risk – activities with low probability of occurring, but with a large business impact. The best response is to transfer a portion or all of the risk to a third party by purchasing insurance, hedging, outsourcing, or entering into partnerships.
Accept risk – if cost-benefit analysis determines the cost to mitigate risk is higher than cost to bear the risk, then the best response is to accept and continually monitor the risk.
Our risk response may generate information security or business continuity controls which could be technical, procedural or policy based.
Identified risks and their mitigating controls are monitored and reviewed at least annually in order to ensure the residual risk is within the risk appetite. Should the residual risk change, either due to a change in the intrinsic risk, or due to the control effectiveness, the risk response will be reviewed.
Use of definitions based upon ISACA’s standard Glossary of Terms
FundApps' information systems register [Restricted to FundApps staff] contains any system (internal or external) that holds or permits access to information assets in our information asset register. For example, this includes:
Client instances
Amazon AWS (production data)
Google Mail (our own internal communications)
Information systems are identified as part of:
Supplier Review Procedure
Monthly security review meetings
Our software development lifecycle
Everyday working practice
This register includes information systems that FundApps depends on and that third-party vendors manage. As such, we evaluate business continuity and sufficient security controls as part of our assessment process.
For each information system identified, we
Assign an owner (Supplier Relationship Manager) for the system.
Identify the business criticality.
Identify the data classification the system falls under based on the maximum data classification of the information stored.
Based on the data classification, identify information security and business continuity controls. This information is stored in our Third-Party Risk Management System.
Identify any specific risks relating to this third party and record them in our
Third-Party Risk Management System,
The Information Security Risk Register,
Business Continuity Risk Register, or
DPIA.
Information systems are reviewed as part of our monthly security review meetings.
Our information asset register [Restricted to FundApps staff] contains every information asset of value to FundApps. For example, this includes:
Client support queries
Internal communications
Server logs
Development source code
Information assets are identified as part of:
Monthly company-wide security awareness sessions
Monthly security review meetings
Our software development lifecycle
Everyday working practice
For each information asset identified, we
Assign an owner for the information
Identify if it falls under any specific regulation (primarily General Data Protection Regulation)
Assess CIA ratings in accordance with our risk management process
Identify an appropriate data classification from these ratings
Identify the information systems that contain this data
Identify any specific information risks relating to this information and record it in our infosec risk register
Identify any specific business continuity risks relating to this information and record it in our BC risk register
Any changes to the register results in:
updates to our information systems register with regards the classification of information they hold
updates to our data classification policy with regards the information systems and asset information falling under each classification
updates to our access control register requiring us to record privileges granted to this systems and ensuring revokation during the offboarding process
Information systems are reviewed as part of our monthly security review meetings.
