Company Name: MDOTM
Effective Date: 03/12/2024
Date: 05/12/2025
Description: N/D
Author: Anna Impedovo
Approved by: Federico Invernizzi
This policy defines the framework for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS) at MDOTM. Its purpose is to protect the company's information assets, including the AI-driven investment solutions provided to institutional investors. This document applies to all employees, contractors, and third parties who have access to MDOTM's information and systems, and it governs all information assets owned by or entrusted to the company.
● ISO/IEC 27001:2022
● SOC 2 (Service Organization Control 2)
● Availability: The property of being accessible and usable upon demand by an authorized entity.
● Confidentiality: The property that information is not made available or disclosed to unauthorized individuals, entities, or processes.
● Information Security Management System (ISMS): A systematic approach for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving an organization's information security to achieve business objectives.
● Integrity: The property of safeguarding the accuracy and completeness of assets.
● Risk: The effect of uncertainty on objectives, associated with the potential that threats will exploit vulnerabilities of an information asset and thereby cause harm to an organization.
● Chief Executive Officer: Provides overall strategic direction for information security, ensuring that security objectives are aligned with business goals and that the necessary resources are allocated to support the ISMS.
● Chief Technology Officer: Ensures that ISMS requirements are integrated into the organization's technological processes and oversees the implementation of technical security controls.
● Chief Operating Officer: Oversees the information security risk management process, ensures compliance with security policies, and monitors the overall performance and continuous improvement of the ISMS.
● Chief Product Officer Platform (CPO): Ensures that information related to the company's products and platform is appropriately classified and protected throughout its lifecycle.
● Chief Investment and Research Officer (CIRO): Ensures that data related to investment and research activities is appropriately classified and protected in accordance with its sensitivity and criticality.
● HR Manager: Manages the formal processes for user access, including registration, authorization, and revocation, in collaboration with the technical teams.
● Head of Infrastructure: Oversees the implementation of physical, environmental, and technical safeguards for company assets, manages the incident response process, and ensures user access controls are correctly implemented.
MDOTM is committed to establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS) in accordance with the requirements of ISO/IEC 27001:2022 and SOC2 Type II. The strategic objectives of this policy are to protect the organization's information assets and the AI-driven investment solutions it provides to institutional investors. The Chief Executive Officer shall ensure that information security objectives are defined, communicated, and aligned with the company's strategic direction. These objectives shall be reviewed annually and updated as necessary.
The primary objectives for information security at MDOTM are:
● Confidentiality: To ensure that information is accessible only to authorized personnel and to protect sensitive data, including client information, proprietary algorithms, and employee data, from unauthorized disclosure.
● Integrity: To safeguard the accuracy and completeness of information and processing methods, ensuring that data, such as that used in the 'Sphere' AI platform, is reliable and protected from unauthorized modification.
● Availability: To ensure that authorized users have access to information and associated assets when required, protecting against disruptions from system failures or cyber-attacks.
To achieve these, MDOTM establishes the following strategic goals:
● To meet all applicable legal, statutory, regulatory, and contractual requirements related to information security.
● To implement a comprehensive risk management framework to identify, assess, and treat information security risks, as detailed in the "PRO Risk management procedure".
● To foster a culture of security awareness where all personnel understand their responsibilities in protecting the company's information assets.
● To manage and control access to information and systems based on the principles of least privilege and need-to-know.
● To implement and maintain robust technical and organizational controls, including network segregation, data loss prevention (DLP) solutions, and enhanced logging and monitoring capabilities.
● To ensure business continuity and the timely recovery of critical services in the event of a disruption, as defined in the "PRO Business continuity and disaster recovery procedure".
● To continually monitor, review, and improve the effectiveness of the ISMS through measurable performance indicators and regular audits, as documented in the "MOD Improvement Program".
MDOTM's approach to information security is founded on a set of core principles that guide the entire Information Security Management System (ISMS). These principles ensure a consistent and comprehensive approach to protecting the company's information assets.
Top Management is fully committed to the effectiveness of the ISMS.
● The Chief Executive Officer shall demonstrate leadership and commitment by ensuring the information security policy and objectives are established and are compatible with the strategic direction of the company.
● The Chief Technology Officer shall ensure that the requirements of the ISMS are integrated into the organization's processes.
● This policy and all subject-specific policies shall be reviewed at least annually or upon significant changes to the organizational context, legal requirements, or risk landscape, as defined in the "PRO Change management procedure".
● All policies shall be approved by management, published, and communicated to all relevant personnel and stakeholders.
MDOTM adopts a risk-based approach to information security, ensuring that controls are appropriate to the level of risk identified.
● The Chief Operating Officer and Chief Technology Officer shall oversee the information security risk assessment process to identify threats to assets, assess their impact and likelihood, and select appropriate risk treatment options.
● Control activities shall be selected and developed to contribute to the mitigation of information security risks to acceptable levels.
● The risk management process shall be conducted in accordance with the "PRO Risk management procedure".
Information security is the shared responsibility of every employee, contractor, and partner of MDOTM.
● All personnel shall adhere to the principles and rules set forth in this policy and the broader ISMS.
● All employees must sign the MDOTM IT Policy.
● A culture of integrity and ethical values is fundamental to information security. All personnel must comply with the "Code of conduct", which establishes expectations for professional behavior and links ethical conduct to security obligations.
● Specific information security roles and responsibilities are formally assigned and documented in the "POL Information security roles and responsibilities policy" to ensure clarity and accountability across the organization.
All information and associated assets shall be identified, classified, and protected throughout their lifecycle.
● Classification: Information shall be classified according to its level of sensitivity, criticality, and legal requirements. The Chief Product Officer Platform (CPO) and Chief Investment and Research Officer (CIRO) shall ensure that data related to products and research, respectively, is appropriately classified and protected. Detailed requirements are specified in the "POL Information classification and labelling policy".
● Acceptable Use: All personnel shall follow the rules for the acceptable use of information and associated assets, including IT equipment, software, and networks. These rules are defined to prevent misuse, damage, or compromise of company resources.
● Clear Desk and Clear Screen: All personnel shall secure sensitive information at their workstations. This includes locking screens when unattended and ensuring that paper documents and removable media are not left unprotected.
● Asset Protection: All company assets, including those used off-site, shall be protected against unauthorized access, theft, damage, and environmental threats. The Head of Infrastructure shall ensure that physical and technical safeguards are implemented as detailed in the "PRO Physical and environmental security procedure" and "PRO Asset configuration, management and disposal procedure".
Access to MDOTM's information, systems, and networks shall be strictly controlled.
● The principle of least privilege shall be enforced, granting users only the minimum access rights necessary to perform their job functions.
● The HR Manager and Head of Infrastructure shall ensure that formal processes for user registration, authorization, access review, and revocation are implemented and followed, as detailed in the "PRO Logical access control management procedure".
● All personnel are responsible for maintaining the confidentiality of their authentication credentials.
MDOTM is prepared to respond to and manage information security events and incidents in a timely and effective manner.
● All personnel shall promptly report any observed or suspected information security events, incidents, or vulnerabilities through the designated channels.
● The Head of Infrastructure shall oversee the "PRO Information security incident management procedure", which defines the process for incident detection, response, containment, and recovery to minimize impact.
The ISMS is subject to continuous monitoring and improvement to adapt to evolving threats and business requirements.
● The Chief Operating Officer shall ensure that compliance with this policy and other ISMS policies is regularly monitored through internal and external audits.
● The effectiveness of the ISMS and progress toward security objectives shall be measured and reported to Top Management for review.
● Findings from audits, risk assessments, and incident reviews shall be used to identify opportunities for improvement and implement corrective actions, as managed through the "PRO Findings and events management procedure".
This document shall be reviewed at least annually, or upon significant changes to the business, legal, or risk environment. All updates will be approved by management and communicated to relevant personnel. The document will be archived in accordance with the company's record retention policies to ensure a historical trail of changes is maintained.
● Code of conduct
● POL Information security roles and responsibilities policy
● POL Information classification and labelling policy
● PRO Risk management procedure
● PRO Business continuity and disaster recovery procedure
● PRO Change management procedure
● PRO Physical and environmental security procedure
● PRO Asset configuration, management and disposal procedure
● PRO Logical access control management procedure
● PRO Information security incident management procedure
● PRO Findings and events management procedure
● MOD Improvement Program
● MDOTM IT Policy