1.0 Scope
All personnel of FD Technologies plc and its affiliates (“FDT”) will comply in all respects to the Information Security Standards as set forth in this document. This Standard applies to FDT personnel, contractor, and third-party engagement of services for FDT pursuant to relevant services agreements, the data processing related provisions thereof (including any schedules relating to data processing), all processing of, and any Security Incidents (defined in Section 4) involving, FDT, client and third-party information. This security standard does not limit other obligations of personnel under laws that apply to members of FDT staff as well as its contractors.
2.0 General Information Security Requirements
2.1 Standards and frameworks
Personnel will adhere to physical, administrative, and technical security controls implemented to protect and ensure the confidentiality, integrity, and availability (“CIA”) of FDT Information as FDT progresses to align to industry recognised best-practice information security standards such as ISO 27001 and ISO 27002, NIST Cyber Security Framework (CSF).
FDT Information is defined herein as all digital or physical data created, stored, or processed by Group personnel, systems or on behalf of its clients within boundaries controlled and managed by FDT.
2.2 Specific information security control requirements
The FDT Information security program includes, at a minimum, the following security controls:
2.2.1 Written information security program
FDT has implemented a written information security framework which includes appropriate policies, procedures, and a defined risk management frameworks which are reviewed on an annual basis (at minimum). The information security framework will apply to personnel, agents, subcontractors, and suppliers. FDT will maintain a defined process for monitoring, enforcing, and recording compliance to the framework, and logging any program exceptions or policy violations.
2.2.2 Security awareness & training
FDT provides information security training to its personnel on a periodic basis covering known security threats such as social-engineering, phishing, as well as business policies and requirements such as for handling of sensitive data, identifying and reporting Security Incidents.
2.2.3 Systems inventory
FDT will document and maintain an updated inventory of all systems.
2.2.4 Secure configurations
FDT systems and technologies are configured and managed securely and aligned with its internal security policies and procedures to protect FDT Information from vulnerabilities and unauthorised access. All systems must be configured consistently and hardened in accordance with good practices.
2.2.5 Management of administrative privileges
FDT accounts with administrative privileges (on systems, networks, applications, or devices) are appropriately controlled, limited to only personnel who require it, consistent with its information security policies and these permissions are reviewed regularly.
2.2.6 Vulnerability management
FDT processes exist to identify and remediate vulnerabilities on systems and infrastructure on a scheduled basis.
2.2.7 Logging, monitoring, and review of audit logs
FDT system and application logs are collected, stored, and regularly reviewed to investigate suspicious and/or malicious activity relating to FDT Information. Logs will be stored securely to assist with security investigations. FDT logs are kept in line with applicable legislation or regulations, otherwise for a minimum period of 24 months.
2.2.8 Malicious code defences
FDT systems (servers, workstations, etc.) have appropriate anti-malware software applications installed to detect and prevent the introduction and execution of malicious code in line with good industry practice and updated to the latest versions. Software shall be configured to run scans on a periodic basis.
2.2.9 Network security – Firewalls
FDT configure and manage networks securely and utilise network security devices (such as firewalls, Intrusion Detection and Prevention systems) to protect systems and FDT Information from unauthorised access. FDT review the configuration of network security defences (including firewall rulesets) on a periodic basis.
2.2.10 Network security – insecure services
FDT ensure any insecure or unnecessary services, protocols, and ports within its control and under its management are disabled and are not accessible.
2.2.11 Environment management
FDT ensure that different technical environments are set up for both testing and development and production as appropriate. FDT ensure that production data is not used within test environments, and test data is not used in production environments.
2.2.12 Change management
Changes to production systems and/or environments are risk assessed, tracked, recorded, and reviewed and approval for changes is provided where required.
2.2.13 Encryption
FDT ensure that FDT Information is encrypted in transit and at rest when being transmitted across open networks (such as the internet) and when being stored on systems. Encryption mechanisms must be in accordance with industry recognised best-practices. Systems used by personnel to access FDT Information have full disk encryption.
2.2.14 Access management
FDT take all reasonable steps in line with industry recognised best practices to prevent unauthorised physical or electronic access to, or loss, of FDT’s Information and the services, systems, devices, or media containing this information. FDT implement and maintain the following access control mechanisms to secure FDT Information:
(a) Individual access
FDT ensure that accounts are unique and assigned to individual users, including those with administrative access. Accounts with direct access to FDT Information must not be shared under any circumstances.
(b) Restricted access
Access to FDT Information is restricted to individuals who require it for legitimate purposes to perform their duties on a ‘need to know’ basis.
(c) Access reviews
FDT conduct user access reviews on a periodic basis (at minimum every 90 days) in line with information security policies.
(d) Bulk access
FDT implement appropriate physical, administrative, and technical controls to detect ‘in bulk’ access. This limits access to specific personnel on a ‘need to know’ basis.
Definition of ‘in bulk’ access means accessing data by means of database query, report generation, or any other mass transfer of FDT managed or client data.
2.2.15 Logins and passwords
FDT implement and maintain account management and password policies to protect FDT Information, including the following:
(a) Default passwords
FDT ensure to change any default passwords and/or login credentials on systems (hardware or software) prior to deployment or before use.
(b) Strong passwords
FDT ensure strong passwords are used consistently across systems and infrastructure, meeting the following requirements: Passwords must be a minimum length of 12 characters and include, at minimum, 3 of the following – uppercase letter, lowercase letter, number, special character. Passwords must not match commonly used passwords or phrases and be reviewed against ‘known bad’ or compromised passwords for verification. Passwords must be enforced to be changed if there is evidence that a password may have been compromised.
(c) Administrative accounts
FDT document and maintain a list of accounts with administrative privileges with access to FDT Information. All users with administrative accounts must have a business justification for this elevated access.
(d) Encryption
Administrative passwords are stored encrypted in a secure environment, aligned with best-practice industry standards.
(e) Failed login attempts
FDT implement a mechanism that limits the number of authentication (login) attempts that can be made on a user’s account. For example, an account is disabled after 10 failed login attempts, requiring IT Administrators to reset or re-enable the account.
2.2.16 Remote access management
(a) Multi-Factor Authentication
For any individuals with remote access (outside of corporate or on-premises network) to systems, networks, or applications storing FDT Information, FDT enforce Multi-Factor Authentication (MFA), requiring at least 2 forms of authentication to verify personnel login credentials.
(b) Access to FDT systems and infrastructure
FDT may grant access to FDT infrastructure via non-public systems or web-portals. In this case, all users shall comply with the following requirements:
I. users will access the system(s) and collect, use, view, retrieve, download or store FDT Information for the permitted purpose only.
II. FDT will ensure that unique accounts are required for each user. Users must adhere to password good practice and safeguard credentials.
III. FDT will ensure access to the FDT environment, data and systems is established only through corporate devices, compliant with the information security requirements listed in section 2.2.9 (Network security – firewalls), section 2.2.6 (Vulnerability management), section 2.2.8 (Malicious code defences), and section 2.2.13 (Encryption).
IV. FDT has defined a specific technology or process for accessing FDT infrastructure / systems. Personnel will use that mechanism only for access and shall not circumvent any technical measures implemented by or on behalf of FDT in any way.
V. FDT personnel are prohibited from sharing, distributing, publishing, making available, copying, transferring, downloading, or modifying FDT or client Information unless written approval is provided by an authorised person.
VI. FDT conduct user access reviews on a periodic basis (at minimum every 90 days) in line with information security policies.
VII. Where personnel are provided with access to FDT Infrastructure/systems, personnel will adhere to FDT’s information security policies as set out in the FDT Group policy SharePoint site.
2.2.17 Data segregation
FDT will logically and physically separate FDT Information from third-party information. FDT will ensure appropriate physical, administrative, and technical security controls are in place to ensure effective segregation.
2.2.18 Security testing
For systems that store and/or process FDT Information, FDT will conduct periodic internal and external security testing in accordance with industry good practice (on an annual basis at minimum) to identify any vulnerabilities and threats that may be used to exploit those systems and information. FDT ensure vulnerabilities are assessed and remediated in line with information security policies and risk management frameworks.
2.3 Domain registration
Personnel shall not use or register any domain name utilising any FDT related trademarks (or any similar names) without management approval in respect of the use of such domain. For the avoidance of doubt, in all cases FDT shall maintain ownership and administration of the domain.
2.4 Website protections
If a public website is used for any FDT service, FDT shall ensure the following security controls are in place:
2.4.1 Denial of service protections
FDT ensure the website(s) have protections to detect Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks.
2.4.2 Vulnerability assessment
FDT ensure the website(s) are subject to periodic web-application vulnerability assessments / penetration testing.
2.4.3 Firewalls
FDT ensure the website(s) have Web Application Firewalls (WAFs) implemented and configured to protect against network security attacks.
2.4.4 Anti malware
FDT ensure website code and infrastructure (such as systems used for hosting and code management) are protected against malware, in line with the requirements listed in section 2.2.8.
2.4.5 Certificate management
FDT ensure websites are correctly configured with SSL/TLS certificates from reputable Certificate Authorities (“CA”), and details of the CA documented and provided to FDT.
2.5 Background checks and due diligence
2.5.1 Background checks
FDT conduct and satisfactorily complete background checks on new personnel before the conclusion of the recruitment process.
2.5.2 Due diligence
FDT perform due diligence checks with third parties at a corporate level prior to engaging to assess the satisfactory nature of their security posture and its alignment with our security standard. Failure to meet standards may discontinue any further engagement until appropriate remediation is met.
3.0 Data retention, return, and deletion
3.1 Return and secure deletion
All FDT Information will be deleted securely in line with its data retention policy, using an industry-accepted practice. The process shall ensure that data is unable to be recovered using good practices (such as secure overwriting, destruction of magnetic media, shredding). FDT ensure data that is encrypted, encryption keys are securely disposed of.
3.2 Backups and archives
FDT may be required by legal or regulatory purposes to retain archived copies of FDT Information and remain bound by its obligations in this security standard and its other confidentiality related obligations in relation to such information, including obligations to protect the information using appropriate security controls.
3.3 Media destruction
FDT ensure FDT Information is rendered unusable and unrecoverable on all storage media that has contained or had access to FDT Information (such as desktop / laptop hard-drives, backup media, etc.).
FDT Information stored in a third-party environment is securely deleted when no longer required, using an industry-accepted practice, in alignment with section 3.2.
4.0 Security incidents
4.1 Security incident definition
A Security Incident is an incident, event or breach that has an actual or suspected impact on the confidentiality, integrity, and/or availability of FDT Information, assets, or services.
4.2 Incident response plan
FDT will maintain a documented incident response plan and defined processes for the management of Security Incidents.
FDT will respond to each Security Incident in a timely manner following the incident response plan and FDT’s notification requirements for the escalation of incidents.
4.3 Incident notification
Personnel shall inform the FDT Information Security team (infosec@firstderivatives.com) of any Security Incidents directly impacting FDT Information, assets, or systems/services.
4.3.1 Supporting information
The information that personnel shall provide on the Security Incident (if known) includes:
I. When the incident occurred (time and date).
II. Description of the incident (e.g. type of data involved in a breach).
III. Cause of the incident (if known) and how it was discovered.
IV. Which system(s) or asset(s) (if any) are affected.
V. Whether any remedial action has been considered and/or implemented.
4.4 Cooperation with investigations
FDT as well as third party personnel will reasonably cooperate with FDT investigations of a Security Incident, including (a) coordinating with FDT on incident response plan; (b) assisting with FDT’s investigation of the Security Incident; (c) facilitating interviews with personnel and others involved in the Security Incident and/or response to the Security Incident; and (d) ensuring the availability of logs, records, files, forensic and investigation reports, and other materials required for FDT to comply with applicable laws, regulations, or industry standards, or as otherwise required by FDT.
4.5 Notifications to third parties
FDT designated authorised personnel have the sole right to determine (a) whether notice of the security incident is to be provided to any individuals, regulatory bodies, law enforcement agencies, or others; and (b) the format and contents of such notice, unless otherwise required by legislation. FDT maintains a data breach response plan and a security incident plan in accordance with applicable laws.
FDT personnel agree that they shall use and adhere to the FDT Incident Management Policy as set out in the FDT Group policy SharePoint site.
5.0 Notice of legal request for data
Personnel will inform FDT as soon as possible (and in any case within 24 hours) when FDT’s data is being sought by any regulator, in response to a legal process or pursuant to any applicable legal requirement.
6.0 Security reviews and audits
6.1 Information security audits
At FDT’s request, personnel will complete FDT’s information security audits and reviews.
6.2 Remediation
FDT will promptly address any vulnerabilities or deficiencies identified during FDT’s information security review or audit, by developing and implementing a corrective action plan.
7.0 Enhanced Information Security Requirements
7.1 Systems and applications
FDT formally document and maintain technical security standards (including secure build configuration) for applications and systems used for FDT Information. FDT ensure that access to and management of program source code is restricted and strictly controlled to authorised personnel only.
FDT ensure that all applications (including new application developments), changes to existing systems, upgrades, and new software have considered and implemented security control requirements based upon the identified risks as per 2.2.12 Change Management. All systems shall be subject to an appropriate level of security testing and vulnerability scanning prior to being used, deployed in a production environment, or interacting with FDT Information.
7.2 Logging and monitoring
FDT will implement and maintain continuous (24x7x365) monitoring of systems storing FDT Information (this could include automated monitoring using Security Information and Event Management (SIEM) tools for example). Monitoring includes analysis of logs from network devices, systems/applications, and user-devices. Monitoring tools shall have the capability to alert on any suspicious or malicious activity taken against the systems storing FDT Information, aligned to, and integrated with the incident response plans for escalating and managing incidents.
7.3 Personal and financial data
FDT require that data is handled in accordance with the 2.2 Specific information security control requirements.