Skip to main content

Information Security Policy

It is our policy and intent that information in all of its forms – whether written, spoken, printed or recorded electronically – should be protected from accidental or intentional unauthorised use, modification, destruction or disclosure throughout its lifecycle. The scope of this protection extends to ensure an appropriate level of security is in place for the premises, equipment, and applications or systems used to process, store and transmit such information.

GAM is committed to the safeguarding of its information (regardless of format) from both internal and external security threats, whether accidental or intentional, and looks to achieve this through the appropriate, risk-based implementation of security measures and controls.

GAM manages risks through its Operational Risk Framework which comprises procedures designed to ensure the most significant exposures are identified, assessed, monitored and mitigated. The Risk Management Framework includes Key Risk Indicators, Process, Risk & Control Self Assessments, Error Management and Reporting and Analysis.

GAM operates a Data Privacy Network consisting of a number of Data Protection Officers (DPOs) across the Group who meet on a regular basis to identify privacy risks, conduct privacy impact assessments and maintain documented operational processes and procedures. The Group DPO reports directly to the Group Chief Risk Officer (who is a member of the Group Management Board).

GAM is pursuing a defence in depth strategy through information and cybersecurity controls that combine preventative, detective and reactive measures, and maintains a comprehensive set of additional information security related polices which are approved, published and made available to all staff.

Policies are reviewed on a periodic basis and cover areas that include:

  • Data Protection & Privacy
  • Cybersecurity Management
  • Clear Desk
  • Password
  • Acceptable Use
  • Laptops & Mobile Device
  • Penetration testing
  • Security Exception
  • Identity and Access Control
  • Cybersecurity Incident Response
  • Removable Media
  • Business Continuity