Information Systems Register

FundApps' information systems register [Restricted to FundApps staff] contains any system (internal or external) that holds or permits access to information assets in our information asset register. For example, this includes:

  • Client instances

  • Amazon AWS (production data)

  • Google Mail (our own internal communications)

Identification

Information systems are identified as part of:

  • Supplier Review Procedure

  • Monthly security review meetings

  • Our software development lifecycle

  • Everyday working practice

Third-party vendors

This register includes information systems that FundApps depends on and that third-party vendors manage. As such, we evaluate business continuity and the sufficiency of security controls as part of our assessment process.

Assessment

For each information system identified, we:

  • Assign an owner (Supplier Relationship Manager) for the system.

  • Identify the business criticality.

  • Identify the data classification the system falls under, based on the maximum data classification of the information stored.

  • Based on the data classification, identify information security and business continuity controls. This information is stored in our Third-Party Risk Management System.

  • Identify any specific risks relating to this third party and record them in one of the following:

    • Third-Party Risk Management System,

    • The Information Security Risk Register,

    • Business Continuity Risk Register, or

    • DPIA.

Review

Information systems are reviewed as part of our monthly security review meetings.
