Information Security Policy

Company Name: MDOTM
Effective Date: 10/06/2024

Version History

Version: 1.0
Date: 10/06/2024
Description: N/D
Author: Anna Impedovo
Approved by: Federico Invernizzi

Scope

This information security policy aims to protect MdotM employees, partners, and the company itself from illegal or harmful actions by individuals, whether intentional or unintentional. Systems related to Internet/Intranet/Extranet, including but not limited to computer equipment, software, operating systems, storage media, and network accounts providing email, web browsing, and file transfers, are the property of the company. These systems are to be used for business purposes in the interest of the company and our clients during normal operations. Effective security is a team effort involving the participation and support of all employees or collaborators handling information and/or information systems. Each team member is responsible for reading and understanding this procedure and conducting their activities accordingly.

Index

  • Reporting of security incidents
  • Fraud reporting
  • Mobile devices
  • Personal mobile devices (BYOD - Bring Your Own Device)
  • Screen lock and clean desk
  • Work and remote access
  • Acceptable use
  • Unacceptable use
  • E-mail and communication activities
  • Compliance with policies
  • Exceptions
  • Violations and enforcement

Reporting of Security Incidents

All employees are required to report known or suspected security events or incidents, including policy violations and any observed security vulnerabilities. Incidents should be reported immediately, or as soon as possible, to dario.mazzorin@mdotm.ai, describing the incident or observation along with all relevant details.

Fraud Reporting

Information security policies are intended to encourage and enable employees and others to raise any concerns internally so that inappropriate behavior or actions can be addressed and corrected. It is the responsibility of all parties covered by this policy to raise concerns about violations of the company's code of ethics or suspected violations of the laws and regulations to which the company must adhere.

It is contrary to our values for anyone to retaliate against an employee or anyone who, in good faith, reports an ethics violation or suspected violation of law, or suspected fraud or suspected violation of any regulation. An employee who retaliates against someone who has reported a violation in good faith is subject to disciplinary action, up to and including possible dismissal.

Mobile Devices

Company mobile phones are considered IT Tools under this Policy. If you are assigned a Company mobile phone, we may use your information and personal data, for instance, for activating your mobile service, for administrative and accounting purposes, and to monitor service anomalies.

In particular, in accordance with the procedure and within the limits set out in Section 18 below we may monitor your activities based on information from our telephone operator. Depending on your plan, we may review:

- Total volume of telephone traffic (time and amount);

- Outgoing calls charged to the Company, including voice/data services;

- Details of voice and SMS/MMS traffic (date, time, duration, and the last three digits of the number called);

- Data volume for internet traffic.

If we detect any misuse of the Company mobile phone on your part, such as unauthorized roaming charges, you may be billed for the unjustified traffic. You are not allowed to download and use applications on the Company mobile phone assigned to you unless authorized by the IT Department.

Personal mobile devices (BYOD - Bring Your Own Device)

For all BYOD devices, i.e., devices such as cell phones, tablets, and laptops owned by employees, partners, or contractors of the company and which are therefore not company assets, users should be aware of the following:

Users using such mobile devices for business purposes are subject to the processing of personal data and thus to the conditions and limitations of EU Regulation 2016/679 ("GDPR").

At the point when users use their private devices for business purposes, additional information protection issues arise because the same device is used for both personal and company communications. On private devices, the company is not able to exercise the same level of control that is applied to corporate devices. For these reasons, BYOD cannot be used to access corporate resources (such as corporate e-mail, cloud, servers, etc.).

To ensure information security compliance, if it is necessary to use BYOD for work activities that deal with corporate information, the HR Manager and/or the Head of Infrastructure must be involved early in the planning stages of introducing BYOD, so that the measures taken are consistent with information security requirements and with the paragraph "Mobile Devices."

Screen Lock and Clean Desk

Employees should not leave unprotected confidential materials on their desks or workspace and will ensure that screens are locked when not in use.

Work and remote access

Remote work refers to any situation in which organizational staff operate from locations outside the office. This includes telecommuting, flexible workplace, virtual work environments, and remote maintenance. Laptops and other computing resources used to access the corporate network must comply with the security requirements defined in the Information Security Policy and adhere to the following standards:

- Business rules must be followed while working remotely, including clean desk protocols, printing, resource disposal, and information security event reporting to prevent improper handling or accidental exposure of sensitive information.

- To ensure that mobile devices do not contain viruses that could compromise the corporate network, antivirus software must be installed on the employee's device.

- Antivirus software should be configured to detect and prevent or quarantine malicious software, perform periodic system scans, and enable automatic updates.

- When the employee connects from a home network, the default Wi-Fi settings (network name, password, and administrator credentials) must be changed.

- Employees should not connect to any external network without a secure and up-to-date software firewall configured on the laptop.

- Employees are prohibited from modifying or disabling any organizational security controls, such as personal firewalls or antivirus software, on systems used to access company resources.

- The use of remote access software and/or services (e.g., VPN client) is permitted as long as it is provided by the company.

- Unauthorized remote access technologies may not be used or installed on any enterprise system.

Acceptable Use

Proprietary and customer information stored on electronic and computing devices, whether owned or leased by the organization, the employee, or a third party, remains the exclusive property of the company. Employees and external contractors must ensure, through legal or technical means, that proprietary information is protected in accordance with the Information Management Policy procedure. Employees are responsible for promptly reporting the theft, loss or unauthorized disclosure of company proprietary information or equipment. Company proprietary information may be accessed, used, or shared only to the extent authorized and necessary to perform assigned job duties. Employees are expected to exercise common sense regarding the reasonableness of personal use of company-provided devices. For network security and maintenance purposes, authorized persons within the company may monitor equipment, systems, and network traffic at any time. The company reserves the right to periodically audit networks and systems to ensure compliance with this procedure.

Do's:

- Keep IT Tools safe and to yourself. Third parties are not allowed to use the IT Tools.

- Respect intellectual property laws and the terms and conditions of licensed materials, such as software and movies.

- Protect IT Tools from prying eyes, especially if you use IT Tools outside of the office or during remote working.

- Lock your IT Tools or log off when you step away or are not using them.

- Ensure that your IT Tool automatically locks after 1 minute of inactivity.

Unacceptable Use:

The following activities are, in general, prohibited. Employees may be exempted from these restrictions while performing their legitimate job responsibilities, subject to properly documented top management approval. Under no circumstances is an employee of the organization permitted to engage in any activity illegal under local, state, or international law while using company-owned resources or while representing the company in any capacity. The following list is not exhaustive, but attempts to provide a framework for activities that fall into the category of unacceptable use.

Don'ts:

- Do not access, copy, reproduce, use, download, upload, install, store or share unauthorized software (including apps) on the IT Tools. If you need to access or use specific software, contact the IT Department.

- Do not make, access, reproduce, use, download, upload, install, store or share unauthorized personal copies of computer programs or software provided by the Company.

- Do not access, copy, reproduce, use, download, upload, install, store or share pirated materials, including software, movies, music, videogames and other works.

- Do not use software or other tools to intercept, forge, alter or delete electronic communications or documents for illicit purposes.

- Do not delete, destroy or modify existing systems, software, computer programs, information or data unless as required in the performance of your duties or otherwise authorized by the IT Department.

- Do not modify or attempt to modify the system configurations of the IT Tools without authorization.

- Do not reset or restore any of the IT Tools to their factory settings.

- Do not customize the IT Tools with stickers or other distinctive signs that make them recognizable as belonging to the Company.

- Do not use the IT Tools for streaming content, gaming or gambling.

E-mail and communication activities

When using company resources to access and use the Internet, employees must realize that they represent the company and act accordingly.

The following activities are strictly prohibited without exception:

1. Sending unsolicited e-mail messages, including sending "junk mail" or other advertising material to individuals who have not specifically requested such material (e-mail spam).

2. Any form of harassment via email, phone, or text message.

3. Unauthorized use or falsification of e-mail header information.

4. Email solicitation for any email address other than the author's account with the intent to harass or collect responses.

5. Creation or forwarding of "chain letters," "ponzi" or other "pyramid" schemes of any kind.

6. Use of unsolicited e-mail originating from within the company's networks or from other service providers on behalf of, or to advertise, any of the organization's hosted services connected through the company's network.

Additional policies are incorporated by reference. Personnel are responsible for reading and following all policies related to their roles and responsibilities listed in the corporate document.

Policies and Their Respective Purpose

Information security roles and responsibilities policy:

This policy establishes and communicates roles and responsibilities within the company. Roles are necessary within the organization to provide clearly defined responsibilities and an understanding of how information is protected. Their purpose is to clarify and coordinate the activities and actions necessary to disseminate information security policy, standards, and implementation.

Human resources policy on information security: The purpose of this policy is to ensure that employees and contractors meet security requirements, understand their responsibilities, and are suited to their roles.

Access control policy: Restrict access to information and information processing systems, networks and facilities to authorized parties in accordance with business objectives.

Encryption policy: Ensure proper and effective use of encryption to protect the confidentiality, authenticity and/or integrity of information.

Information security risk management policy: The following policy is intended to define actions to address information security risks and establish a plan for achieving the Information security and privacy objectives.

Information management policy: The purpose of this policy is to ensure that information is classified, protected, stored, and disposed of securely according to its importance.

Third-party management policy: To ensure the protection of the organization's data and resources shared with, accessed by, or managed by vendors, including external parties or third-party organizations such as service providers, vendors, and customers, and to maintain an agreed level of information security and service delivery in line with vendor agreements.

Asset management policy: Identify organizational resources and define appropriate protection responsibilities.

Safe design and development policy: Ensure that information security is designed and implemented within the application and information system development life cycle.

Information security policy for former employees: This policy is written to ensure the security of information and protection of company assets after an employee's termination of employment. Former employees are required to follow the directions in this document.

Physical security policy: The purpose of this policy is to prevent unauthorized physical access or damage to the company's information and information processing facilities.

Operational security policy: Ensure the proper and secure operation of information processing systems and facilities.

Compliance with policies

The organization will measure and verify compliance with this procedure through various methods, including but not limited to continuous monitoring and internal and external audits.

Exceptions

Requests for exceptions to this procedure should be submitted to the ISMS Manager, the HR Manager, or the Head of Infrastructure for approval.

Violations and enforcement

Any known violations of this procedure should be reported to the ISMS Manager, the HR Manager, or the Head of Infrastructure. Violations of this procedure may result in immediate withdrawal or suspension of system and network privileges and/or disciplinary action in accordance with company procedures, up to and including dismissal.