
Cryptographic Policy

Objective

The purpose of this policy is to define the way in which FundApps manages cryptographic controls to protect the confidentiality, authenticity and/or integrity of information.

Scope

The policy applies to all FundApps Information Systems.

Policy

FundApps will implement cryptographic controls to protect information as defined in the Data Classification and Protection Standard.

Information which requires encryption

The following table summarises when cryptography must be used:

                                         Public   Open        Restricted   Confidential
Encryption in transit                    -        Mandatory   Mandatory    Mandatory
Encryption at rest                       -        -           -            Mandatory
Encryption at rest on removable media    -        -           Mandatory    Mandatory

Encryption of data in transit

All client data sent to or generated inside our platform follows an encrypted data lifecycle, and all interactions with the system occur over an encrypted protocol: HTTPS. We keep the TLS cipher suites used for HTTPS in line with industry standards and regularly run external tests to verify this; the results of these tests are publicly available.

FundApps supports TLS v1.2 and TLS v1.3. The full list of supported ciphers is available on this website.

Encryption of data at rest

All client data is encrypted at rest. FundApps employs a key management system which allows us to rotate the keys used for the encryption of these volumes on a regular basis. Backups are also stored encrypted at rest, so stored client data is never held in cleartext. Data is encrypted using AES-256-GCM: the Advanced Encryption Standard (AES), a symmetric algorithm, in Galois/Counter Mode (GCM) with 256-bit keys. GCM is an authenticated mode, so it protects the integrity of stored data as well as its confidentiality.

Encryption ciphers and key lengths

Encryption ciphers and key lengths used to protect information must comply with the requirements set out in NIST Special Publication 800-131A Revision 2.

The minimum length of a symmetric key used to encrypt restricted client data at rest is 256 bits.

Cryptographic Key Management

Cryptographic keys must be generated, transmitted, stored and managed in a secure manner that prevents loss, unauthorised access or compromise.

Access: Access to cryptographic keys must be restricted to authorised staff only.

Distribution: Private and symmetric keys must be distributed securely, for example through secure email or out-of-band techniques such as a phone conversation with a known individual. Private and symmetric keys that are transported physically must be encrypted.

Physical security: Equipment used to generate, store and archive keys must be physically protected using appropriate, secure access controls.

Key rotation: Cryptographic keys must be rotated at a minimum every 3 years.

Compromised keys: In the event of a cryptographic key being compromised, a new key (or key pair) must be generated and the existing key must be revoked.

Backup: Backups of cryptographic keys must be maintained so that they can be recovered should they be lost.

Logging and auditing: All access to cryptographic keys, as well as modifications to these keys, must be logged. Logs must be audited for anomalous activity.

Roles and responsibilities

The Head of Information Security is responsible for ensuring the policy is aligned to FundApps' business objectives.

The system owner (Supplier Relationship Manager), as defined in FundApps' Information System Inventory [restricted to FundApps staff], is responsible for ensuring that information is protected by cryptographic controls as set out in this policy.
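The at-rest scheme and the key-management rules in this policy (AES-256-GCM with 256-bit keys, regular rotation of the keys protecting stored data, revocation of a compromised key) in working code, as an added illustration that is not FundApps' implementation: each record is sealed under its own data key, that data key is wrapped under a named key-encryption key (KEK), rotation installs a new KEK and re-wraps only the small wrapped keys, and revocation deletes the old KEK so anything still wrapped under it can no longer be read. The key IDs, the in-memory key ring and the sample record are constructed for the example; a real deployment would hold the KEKs in a KMS or HSM and persist the envelopes.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

type keyRing struct { // key-encryption keys (KEKs) by ID; a real deployment keeps them in a KMS or HSM
	keks   map[string][]byte
	active string
}

type envelope struct { // one stored record: data key wrapped under the KEK named kekID, plus the sealed payload
	kekID      string
	wrappedDEK []byte
	data       []byte
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // an entropy failure is not something to continue past
	}
	return b
}

func mustGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // every key here is 32 bytes by construction, so a bad size is a bug, not input
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return gcm
}

// seal encrypts under a fresh random 96-bit nonce, prepended to the output; a nonce reused under one key breaks GCM.
func seal(key, plaintext, aad []byte) []byte {
	gcm := mustGCM(key)
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad)
}

func open(key, sealed, aad []byte) ([]byte, error) {
	gcm := mustGCM(key)
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad) // any change to nonce, ciphertext or aad fails the tag check
}

// encrypt seals plaintext under a fresh 256-bit data key and wraps that key under the active KEK (KEK ID as AAD).
func (r *keyRing) encrypt(plaintext []byte) *envelope {
	dek := randomBytes(32)
	wrapped := seal(r.keks[r.active], dek, []byte(r.active))
	return &envelope{kekID: r.active, wrappedDEK: wrapped, data: seal(dek, plaintext, nil)}
}

func (r *keyRing) unwrap(e *envelope) ([]byte, error) {
	kek, ok := r.keks[e.kekID]
	if !ok {
		return nil, fmt.Errorf("KEK %q is revoked or unknown", e.kekID)
	}
	return open(kek, e.wrappedDEK, []byte(e.kekID))
}

func (r *keyRing) decrypt(e *envelope) ([]byte, error) {
	dek, err := r.unwrap(e)
	if err != nil {
		return nil, err
	}
	return open(dek, e.data, nil)
}

// rotate installs a new active KEK and re-wraps each record's data key; the bulk ciphertext is untouched.
func (r *keyRing) rotate(newID string, records []*envelope) error {
	r.keks[newID], r.active = randomBytes(32), newID
	for _, e := range records {
		dek, err := r.unwrap(e)
		if err != nil {
			return err
		}
		e.kekID, e.wrappedDEK = newID, seal(r.keks[newID], dek, []byte(newID))
	}
	return nil
}

// revoke retires a KEK; anything still wrapped under it can no longer be read, the intended effect after compromise.
func (r *keyRing) revoke(id string) { delete(r.keks, id) }

func main() {
	r := &keyRing{keks: map[string][]byte{"kek-2024": randomBytes(32)}, active: "kek-2024"}
	rec := r.encrypt([]byte("constructed sample: client holdings report"))
	_ = r.rotate("kek-2025", []*envelope{rec})
	r.revoke("kek-2024")
	pt, err := r.decrypt(rec)
	fmt.Printf("wrapped under %s: %q err=%v\n", rec.kekID, pt, err)
}
```

Two design points carry the policy's requirements. The KEK ID is passed as GCM additional authenticated data when a data key is wrapped, so a wrapped key cannot be silently re-attributed to a different KEK, and the nonce is drawn fresh for every seal because a repeated (key, nonce) pair under GCM leaks the XOR of the plaintexts and the authentication key. Rotation re-wraps only the data keys, which is what makes the regular rotation the policy calls for cheap even for large encrypted volumes, while a compromised KEK is simply removed once every record has been re-wrapped.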