www.servicedcloud.com
Introduction
Perhaps one of the most important things the 2007 credit crunch and the ensuing global economic recession demonstrate is the
uently, the rationale for robust regulatory oversight of the
Today the Alternative Investment Fund Managers Directive (AIFMD) and the Capital Requirements Directive IV (CRD IV) are primary
tools governing the core business of UK domiciled alternative invest
Authority (FCA) guidelines in conjunction with the Information Commis
for breaches of the Data Protection Act (DPA).
As a result, there is a mix of recommendations and mandatory compliance points. This means some areas are open
to interpretation, and there is a need to understand where any distinctions exist and act appropriately.
In this guide we discuss 7 ways alternative investment businesses, and professional services companies supplying services
O/DPA regulatory guidelines for using technology
within their businesses.
40 Beaufort Court Canary Wharf London E14 9XL Email: talk@servicedcloud.com Phone: 02070936020 www.servicedcloud.com
2. Keep your systems up-to-date
to prevent hacking. Hackers often exploit vulnerabilities
(that's IT code for holes in security) to gain unauthorised access to networks, systems and data.
Passwords
One key aspect is password access and control. Companies should have strict password control policies. Users should not use the
same name and password combinations for company and personal accounts, as this would allow hackers to gain access to company
data and systems by stealing account data from personal or consumer accounts. Forcing regular password changes is one option,
or consider Dual Factor Authentication. This means a unique, One Time Key is required at every login, so just knowing a
user/password combination is not enough to permit access.
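The "unique, One Time Key" described above is usually implemented as a time-based one-time password (TOTP, RFC 6238): the server and the user's device share a secret, and each 30-second window yields a different six-digit code. The example below is added here to show the mechanism and is not code from this guide or from Serviced Cloud. It uses the published RFC 6238 test key (not a real credential), a constructed user record, and an assumed PBKDF2 iteration count; the login check requires both the password and a fresh code, and refuses a code that has already been used.

```python
import hashlib
import hmac
import secrets
import struct
from typing import Optional

# Shared secret from RFC 6238 Appendix B (ASCII "12345678901234567890"); this is
# the published test-vector key, not a real credential. A deployment generates a
# fresh random secret per user at enrolment (e.g. secrets.token_bytes(20)).
RFC6238_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time `at` in `step`-second slots."""
    return hotp(secret, at // step, digits)


def match_totp(secret: bytes, submitted: str, at: int, step: int = 30,
               digits: int = 6, window: int = 1) -> Optional[int]:
    """Return the time-step counter whose code equals `submitted`, or None.

    A window of +/-1 step tolerates small clock drift between the user's device
    and the server. hmac.compare_digest avoids leaking how many leading digits
    matched through timing differences.
    """
    counter = at // step
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(secret, c, digits), submitted):
            return c
    return None


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 with a per-user salt. The iteration count is an
    # assumption made for this example, not a figure from the guide.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def enrol(password: str, totp_secret: bytes) -> dict:
    """Constructed user record: salted password hash, TOTP secret, last accepted step."""
    salt = secrets.token_bytes(16)
    return {
        "salt": salt,
        "pw_hash": hash_password(password, salt),
        "totp_secret": totp_secret,
        "last_counter": -1,  # highest TOTP step already consumed by a login
    }


def login(user: dict, password: str, code: str, at: int) -> bool:
    """Both factors must pass. A stolen password alone never succeeds, and a code
    that has already been accepted is rejected, so every login needs a fresh key."""
    # Both factors are evaluated before the decision is made.
    pw_ok = hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"])
    counter = match_totp(user["totp_secret"], code, at)
    if not pw_ok or counter is None or counter <= user["last_counter"]:
        return False
    user["last_counter"] = counter  # consume this step so the code cannot be replayed
    return True


if __name__ == "__main__":
    user = enrol("correct horse battery staple", RFC6238_TEST_SECRET)
    now = 1234567890  # fixed timestamp from the RFC test vectors, not the real clock
    code = totp(RFC6238_TEST_SECRET, now)
    print(login(user, "correct horse battery staple", code, now))  # True
    print(login(user, "correct horse battery staple", code, now))  # False: replayed code
    print(login(user, "guessed password", code, now))               # False: wrong password
```

In production the secret would be generated at enrolment and shown to the user once (typically as a QR code), the server clock kept in sync via NTP, and the `last_counter` value stored alongside the user record so the replay check survives restarts.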
Data loss
laptop) and then losing it are frequent. Consider prohibiting
the practice or only allowing download to secure devices - those managed by the business and with encrypted storage
- that are only accessible using a username/password combination.
Activity monitoring
Consider monitoring communications activity. Record all telephone calls and
archive all email. Some companies record all network activity, although this is
more for internal security than for FCA compliance.
Jala Transport Limited
4. Keep on top of Enforcement action
RFI
mmencing trading with your company. This will almost certainly
include questions on software, versioning and IT security. Likewise, your business should consider issuing an RFI to any new partner
before doing business. Also consider formalising documentation for existing partners if an RFI has not previously been part of the
partner engagement process.
Data retention
Backup is central to the data retention strategy. Creating a reliable archive of legacy data is essential for compliance with FCA data
retention rules. Ideally, legacy data needs to be kept accessible but out of the way, and this could guide the design of any hierarchical
FCA retention periods for data
Emails 6 years
3 6 years
MiFID 1 5 years
another site. Then comes the question: "How far away is far enough?"
Data replication
The potential for disasters - both natural and man-made - is a key consideration when determining the distance to the replication
site. Many businesses in the UK conclude that a distance of 50 miles is appropriate. For even better risk reduction, consider replicating
in more than one place. Remember to include telephone systems.
How long before the business returns to operational status? (Sometimes referred to as the Recovery Time Objective, RTO)
External IT partner
If you have an external IT partner ensure you check its credentials. It should be appropriately accredited and should adhere closely to
industry best practice for information security.
Internal IT team
If you have an internal IT team, consider getting a second opinion by engaging an appropriately accredited company to audit your
network. An internal IT team may only have in-depth experience of your own environment. Employing an external team to check the
systems often gives an insight into your own network that you may otherwise not be able to obtain.
Penetration testing
Consider penetration testing, or "pen testing". This is the process of stress testing your systems to see whether a "tiger team" of computer
security professionals acting as hackers is able to break through and gain access to your network, servers and data.
Data sovereignty
It is vitally important to consider the issue of data sovereignty, the geographic locations where data is stored. When evaluating offsite
data storage it is essential to understand where data may be stored by service providers. Changing legislation and challenges to
agreements such as Safe Harbour mean the landscape may shift suddenly.
or compliance team. This means FCA compliance is highly subjective. Getting it wrong can be a costly mistake.
Serviced Cloud works with in-house compliance experts or external consultants to ensure any solution exceeds interpretation of
the regulatory code. Serviced Cloud is able to provide the appropriate level of services required by the majority of SME FCA regulated
businesses.
The business benefits of the cloud are regularly highlighted in the press and deliberated in boardrooms.
Cloud technology is a topic about which the vast majority of business leaders are likely to have more than a passing interest.
Based in the heart of London in Canary Wharf, Serviced Cloud was incorporated in 2009 with a clear and simple vision.
We are dedicated to helping business leaders in financial service organisations find the best way of successfully adopting cloud
technology in their businesses. We offer best of breed Hosted Cloud Services in our ISO27001 London data centres, and help
clients to create their own Private Cloud systems in their own offices or data centres.
Our friendly and professional engineers and consultants have extensive experience, proven track records and can-do attitudes.
We offer independent advice but partner with the leading cloud technology companies to ensure seamless support.
We are service focused; our clients' satisfaction is paramount.
http://www.fca.org.uk/your-fca/documents/fsa-data-security-factsheet
http://www.fca.org.uk/firms/being-regulated/meeting-your-obligations/firm-guides/information-gathering/call-taping
https://www.fca.org.uk/your-fca/documents/guidance-consultations/gc15-06
https://ico.org.uk/for-organisations/guide-to-data-protection/principle-7-security/
Miscellaneous
http://www.cioupdate.com/trends/article.php/3872926/Disaster-Recovery-Planning---How-Far-is-Far-Enough.htm
http://advisera.com/27001academy/knowledgebase/disaster-recovery-site-what-is-the-ideal-distance-from-primary-site/
https://www.watsonhall.uk/resources/downloads/paper-uk-data-retention-requirements.pdf