SMS-GS-S1 – Security Management – May 2018 – Version 4.0
Group Standard
Security
Integral to our business operations, future business opportunities and our reputation is that we safeguard the security, integrity and availability of our assets, people and information.
Document Details (Serco Public)
Reference: SMS GS-S1: Security
Version: 4
Approval Date: May 2018
Date for next review: May 2020
Applicability: Serco Group covering all business regions, operating companies and business units throughout the world[1]
Authority: Chief Executive, Serco Group plc
Accountable Policy Owner (Group): Chief Information Officer
Additional Information: Supporting standards, standard operating procedures and guidance relating to this Group Standard are available on ‘Our World’ under Serco Management System (SMS)
Governance: Our policies and standards, together with any regional or market requirements and enhancements to them, are authorised through a robust governance process. The SMS Quality Manual describes this process and is available on Our World under SMS
Consequence Management: As a Group Standard the requirements detailed in this document are mandated and must be adhered to. Non-compliance will have consequences which may include disciplinary action. The Consequence Management Group Standard (Ref: SMS-GS-G1) details how instances of non-compliance will be dealt with.
[1] As used herein, Serco Group plc and its affiliates, subsidiaries, business divisions/units, joint venture companies and operating companies are referred to as ‘Serco’, the ‘Company’/‘company’, ‘we’, ‘us’ or ‘our’.
Contents
1 Objectives ....................................................................................... 3
2 Policy Standards .............................................................................. 3
2.1 Policy and management system ................................................. 3
2.2 Legal and regulatory requirements ............................................. 4
2.3 Training, awareness and competence ........................................ 4
2.4 Risk management ..................................................................... 4
2.5 Objectives, targets and performance monitoring ......................... 5
2.6 Compliance .............................................................................. 5
2.7 Incident management and reporting .......................................... 5
2.8 Information security .................................................................. 6
2.9 Personnel security .................................................................... 7
2.10 Physical security ....................................................................... 7
2.11 Asset disposal ........................................................................... 7
2.12 Credit/debit card data ............................................................... 8
2.13 Data protection......................................................................... 8
2.14 Third party and outsourcing ...................................................... 8
2.15 Technical infrastructure security ................................................ 8
2.16 Cloud Computing Security ......................................................... 9
3 Responsibilities & Accountabilities .................................................... 10
4 Processes and Controls .................................................................... 12
5 Supporting Documentation and Guidance ......................................... 23
6 Definitions ...................................................................................... 23
7 Further information and support ...................................................... 25
1 Objectives
This Group Standard provides for the consistent application of security principles throughout Serco. Integral to our business operations, future business opportunities and our reputation is the confidentiality and privacy of our information (including personal information) and that of our customers, the provision of protection for the integrity of information and for the availability of information. Effective security management will protect the assets that are important to Serco, our employees and customers and meet the requirements of national legislation and good corporate governance.
We will establish, implement, operate, monitor, review, maintain and improve documented security management systems within the context of the organisation’s overall business activities and the risks it faces. Applying these systems will ensure that we meet our objectives to:
- identify, assess and manage the security risks to the information (including personal information) we process, as well as those risks faced by our people and our business
- identify, train and use necessary and competent resources within a defined structure to manage security risk
- set security objectives, targets and procedures that reflect legal, regulatory and customer requirements and address identified risks
- inform and educate employees about data protection and security matters so that they are aware of and able to fulfil their security and privacy responsibilities
- ensure the physical environments that protect our assets are secure, in good condition and fit for purpose
- build and operate our IS infrastructure to ensure access is controlled and the confidentiality, integrity and availability of our data is maintained at a level appropriate to the risk
- adopt and implement measures which meet in particular the principles of privacy by design and privacy by default
- establish feedback mechanisms that encourage the free and honest reporting of security issues and consider the input of employees and others with an interest in our work when making decisions relating to security
- assess compliance with Security and Information & Data Privacy Policy and Standards through planned, independent and documented audits
- measure, monitor and report performance of our Policy and Standards against set objectives and targets
- regularly review the security management system to ensure its suitability, adequacy and effectiveness
2 Scope
This Group Standard covers all Serco's electronic / IT systems and information (including personal information).
This Group Standard applies to all employees and interested third parties who need to comply with its requirements. All other supporting security information or detailed standard operating procedures will only be made available where the individual or third party has a valid need to know its contents and, in respect of information subject to customer and/or Government regulation, has been authorised by the customer and/or Government Authority.
3 Policy Standards
3.1 Policy and management system
S1. Security policy, standards and standard operating procedures will be defined, documented and maintained by the Group security management function
S2. Systems and procedures will be proportional to the nature of the organisation’s security risks (including those concerning personal information)
S3. Systems and procedures will be communicated to all persons working under the control of the organisation with the intent that they are made aware of their individual security obligations
S4. Operations and activities that are associated with security risks will be identified
S5. Security controls for these operations and activities will be identified and implemented in line with this Group Standard
S6. Responsibilities for security management will be clearly defined, with clear lines of accountability at all levels of the organisation
S7. All security documentation will be approved, controlled and periodically reviewed
3.2 Legal and regulatory requirements
S8. We will understand and meet security legal and regulatory requirements
S9. Security legal and regulatory responsibilities will be monitored, reflected in relevant processes and controls, and communicated
S10. New or changed security requirements will be monitored, and controls developed and communicated to ensure compliance
S11. A security management structure will be implemented to support the delivery of security policies, systems, objectives and targets, review security performance and respond to security incidents
S12. A member of the Executive Committee and a member of each Divisional Executive Management Team (EMT) will be chosen to ensure that the oversight and management of security is properly implemented and effective
S13. Competent resources will be allocated to manage security risks and deliver security objectives and targets
S14. Security responsibilities will be defined for all employees
3.3 Training, awareness and competence
S15. Serco will ensure the availability and completion of sufficient and appropriate training for all employees to enable them to protect Serco's electronic / IT systems and information (including personal information)
S16. Serco employees will be competent to undertake their role and deliver security compliance and performance
S17. Employee induction will include a security briefing relevant to the working environment
S18. Security training will be mandatory for all employees and records will be maintained of each individual’s training and achievements
S19. All employees are required to renew their Security training annually, with information workers completing training aligned to Serco Essentials and non-information workers attending an annual briefing
S20. Third party information workers who handle Serco information and/or its customer’s data (including personal information) must complete annual Information Security and Data Protection awareness training to an equivalent or greater standard than the Serco training, and have evidence to support completion
3.4 Risk management
S21. Security risk management will follow the Group’s risk management standards[2]
[2] See Risk Management Group Standard Ref: SMS-GS-RM1
S22. Security risks of our operations, equipment and facilities, information (including personal information) and people will be regularly identified and assessed, with appropriate controls implemented to manage the risk. Where material residual risk remains, its acceptance must be owned at a level commensurate with the risk and it must be subject to ongoing monitoring and regular review at an appropriate frequency.
S23. Security reviews will specifically address physical, personnel, information security and service delivery
S24. Due to the nature of the services we provide, our technology and operational systems will be subject to threats from both internal and external breaches. We will implement the controls contained within this Group Standard and any associated GSOP and ensure they are proportionate to the level of sensitivity of the information we are protecting. We will act swiftly to minimise the impact of any breach and will promptly carry out remedial actions to prevent further breaches
S25. Risk assessment of information assets will specifically address the protection of information (held in any form) that has a national, commercial or personal value from unauthorised disclosure, modification or denial of access
S26. Risk assessment of personnel security will specifically address:
a. validating the identity, qualifications and job history of all job applicants (including contractors) and taking up references before making a job offer
b. implementing further customer-defined security checks if required
c. providing security briefing for all employees (including contractors and temporary employees)
d. establishing general protective measures for all employees
e. establishing specific protective measures for employees identified as vulnerable to assault or abuse
S27. Risk assessment of physical security will specifically address:
a. protection of people, buildings, vehicles, equipment and other physical assets
b. securing of high value or attractive items (e.g. computers, electronic equipment, cash etc.)
c. control of access to buildings and other areas
d. business continuity/disaster recovery/major incident plans addressing measures to be adopted in case of loss or unavailability of the physical asset
S28. Security risks associated with our facilities, equipment, secure areas and visitors will be assessed and proportionate and appropriate controls implemented to manage the risk; controls may include physical barriers, physical security, access controls, pass systems, alarm and CCTV monitoring systems
3.5 Objectives, targets and performance monitoring
S29. The Executive Committee will set and publish annual overarching Group-wide objectives and targets (i.e. KPIs/KRIs) for security across the Group
S30. Group objectives and targets will then inform Divisional, Business Unit and Contract objectives, target-setting and monitoring processes
S31. Each Division and Contract will develop objectives and targets which are aligned with Group-wide objectives and targets while also reflecting relevant local risk and security performance
S32. Security management systems and information owners are responsible for determining the required level of confidentiality, integrity and availability and ensuring their achievement
S33. Security performance will be measured against agreed indicators and the findings recorded and reported
S34. Performance will be reviewed by management in relation to business security objectives and targets and any necessary remedial or improvement action taken
S35. Security performance will be monitored and reviewed by the relevant Divisional Security Manager, and compared with agreed objectives and targets
3.6 Compliance
S36. Information systems will be regularly reviewed against this Group Standard
S37. Technical or organisational controls will be implemented and monitored to proactively prevent security incidents
3.7 Incident management and reporting
S38. Processes will be implemented to manage security incidents (including those concerning personal information) subject to any legal limitations and appropriate preservation of Serco legal and other privileges
S39. Incident management will follow the Incident Management and Reporting Standard Operating Procedure[3]
[3] See Incident Reporting and Management GSOP Ref: SMS GSOP O1-2
S40. Employees, contractors and third-party users of information systems and services will note and report observed or suspected security weaknesses in systems or services
S41. If requested as part of an authorised security investigation for legal, regulatory or cyber-related reasons, or due to the detection of malware/viruses, employees, contractors and third-party users are required to surrender any IT equipment to a designated officer of the local statutory Serco legal entity within one working day for audit/forensic examination
S42. Corrective and preventative actions arising from any investigation will be initiated, tracked, monitored, completed and reviewed for effectiveness
S43. The Divisional Security Manager will ensure relevant learning is shared across the organisation and with stakeholders and others
3.8 Information security
S44. Information must only be stored and processed using systems and services which have been confirmed to provide an appropriate level of security protection, and data separation where applicable, in line with the classification of that information and any specific legal or customer requirements and assurance processes (such as security accreditations).
S45. Serco information will be classified into one of the following Primary Classification categories (which are further described, along with Secondary Classification options, in the Information Privacy Classification operating procedure[4]):
a. Serco Business (SB): information which, if disclosed without authorisation, may cause unwanted exposure of the inner workings of the company, but would not result in significant financial loss or serious harm to the company or its business interests
b. Serco Restricted and Sensitive (SRS): our most valuable information, which, in the wrong hands, could cause serious damage to us, our customers, shareholders, partners or suppliers and may result in serious loss of reputation; significant financial loss; loss of opportunity; or legal action
[4] See Information Privacy Classification GSOP Ref: SMS GSOP S1-5
S46. Third-party suppliers or partners required to engage in processes to view personal information, Serco Business, Serco Restricted and Sensitive data or customer data will sign a Non-Disclosure Agreement (NDA) before being granted access
S47. Where information is handled on behalf of a customer, the customer’s classification must be used and not changed without the customer’s permission, and the handling and storage of customer classified data must be conducted in accordance with the client’s protocols for that classification.
S48. An appropriate and approved method of encryption will be deployed to prevent unauthorised access to Serco Restricted and Sensitive information, as well as personal information, when transmitted using email and other electronic file transfer systems to any third parties
S49. Serco PCs/devices used for business purposes will have an appropriate and approved method of encryption and corporate device management, unless permanently located wholly within secure Serco premises or if the site has been approved by the Divisional Security Manager as being secure
S50. Where devices located within secure Serco premises are unable to be encrypted, alternative physical security measures must be employed
S51. Non-Serco PCs/devices used to store Serco Business, Serco Restricted and Sensitive or customer data will have an approved method of encryption and corporate device management, unless permanently located wholly within secure Serco premises or if the site has been approved by the Divisional Security Manager as being secure. This includes employees’ personal PCs/devices, whether or not they are part of a Bring Your Own Device (BYOD) programme (where permitted) or equivalent, and any PCs/devices used by suppliers, consultants or contractors
S52. Removable media will not be used to store Serco Business, Serco Restricted and Sensitive or customer data, other than where an exceptional business need has been approved and the removable media is Serco approved and provisioned, with an approved method of encryption and management process. Removable media will not be approved for long term storage of data, but only for temporary transportation.
3.9 Personnel security[5]
[5] See Employee Lifecycle Group Standard Ref: SMS-GS-P1
S53. A process for pre-employment screening will be implemented for all employees, including contractors and agency employees
S54. The level of screening will be proportionate and appropriate to the roles, assessed security risk and customer, legal and regulatory requirements
S55. As a minimum, screenings will cover identity, employment history (covering the last three years), nationality and immigration status and/or the ability to work legally in a given country, and criminal record (unspent convictions only). The rigour of these checks is subject to local risk review and business requirements
S56. Ongoing reviews of screening requirements for individuals, performed as required in S54 above, will be undertaken by their line manager working with local security vetting teams
3.10 Physical security[6]
[6] See Security pages of Our World > The Way we Work > Security
S57. Assets will not be left unattended in a public location or on public transport, taxis, trains and planes
S58. If left unattended in a vehicle, PCs and other IS equipment must be stored in the boot or a locked compartment, and the vehicle must be locked
S59. PCs and other IS equipment containing customer data subject to contract data handling requirements must not be left unattended at any time in a vehicle except where the customer policy allows for this and any specified mitigating customer controls are adhered to at all times (including use of a vehicle boot safe when dictated by such policy)
S60. PCs and other IS equipment must not be left in the vehicle if unattended for a long period of time, including overnight
S61. Access numbers or passwords will not be left with the corresponding asset
S62. When working from home, information and equipment will be kept secure
3.11 Asset disposal
S63. In accordance with the Serco operating procedure[7], information will be disposed of in a manner that protects against unauthorised access to and use of the information on the asset
[7] See Asset Disposal and Reuse GSOP Ref: SMS GSOP-S1-7
S64. Serco property including IS hardware will be disposed of in a safe and environmentally-friendly manner and in line with local statutory requirements
S65. Audit trails and evidence pertaining to secure disposal will be maintained and accessible. All disposals of IS equipment must be reported to the Group Software Asset Management (SAM) team
S66. Serco Business or Serco Restricted and Sensitive information, any customer-owned information, and any software licensed to Serco must be permanently and irretrievably removed prior to the disposal, or re-use in a different environment, of any IS equipment. Any end user device which has been used to connect to the Serco corporate infrastructure should be assumed to have handled Serco Restricted and Sensitive information
S67. Unencrypted hardware will be disposed of using a secure logistics service and by an approved contractor
3.12 Credit/debit card data
S68. Customer credit/debit card data will not be entered into, stored or transmitted by any system other than those systems approved to handle credit/debit card data in accordance with the Payment Card Industry Data Security Standard (PCI-DSS) as required by the industry card schemes
3.13 Data protection
S69. Serco will implement appropriate technical and organisational security measures to prevent unauthorised or unlawful disclosure of or access to, or accidental or unlawful loss, destruction, alteration or damage to, personal information. Such measures will be in accordance with customer requirements and applicable data privacy laws and regulations, as well as relevant Serco privacy-related policies, standards and operating procedures[8]. As well as protecting the privacy of the data subjects, these measures will reduce the risks to our business operations, future business opportunities and our reputation posed by damaging security incidents
[8] See Data Protection GSOP Ref: SMS GSOP-S1-3
S70. It is important that we know where we hold personal information within our IT systems in order to ensure the security and management of such data. Data Inventories containing details of business processes which use personal data must therefore be maintained as part of the Data Protection Toolkit[9]
[9] See Information & Data Privacy Standard Ref: SMS-GS-II1
3.14 Third party and outsourcing
S71. The security requirements for third parties and outsource partners will be contractually based, explicit, monitored, regularly reviewed and approved by the relevant Architecture Board[10]
[10] See Technology Solution Architecture Review GSOP Ref: SMS-GSOP-IT1-1
S72. Third parties who have access to Serco information will be assigned a named Serco representative who has overall responsibility for all aspects of the relationship
S73. Security is an important consideration where we disclose information (including personal information) to third parties. A commercial (or personal where applicable) undertaking should be obtained from the third party recipient that they will only use the information (including personal information) for legitimate / authorised purposes and keep it secure. Where disclosure of personal information is proposed to a third party, it is important that Serco employees refer to the relevant Serco privacy-related policy standards and operating procedures prior to disclosing any personal information[11]
[11] See Data Protection GSOP Ref: SMS GSOP-S1-3, Data Protection Impact Assessment GSOP Ref: SMS-GSOP-II1-3, Third Party and Outsourcing GSOP Ref: SMS GSOP-S1-2
S74. The locations, systems and information that will be accessible by external employees will be recorded and managed in accordance with the Third Party and Outsourcing Standard Operating Procedure[12]
[12] See Third Party and Outsourcing GSOP Ref: SMS GSOP-S1-2
S75. Computing devices provided by the third party and holding Serco or its customer’s data (including in particular personal information) must be encrypted to comply with Federal Information Processing Standards (FIPS) Publication 140-2
3.15 Technical infrastructure security
S76. Specific processes and controls will be implemented to manage and control remote access to Serco systems and networks
S77. Vendor default accounts and passwords will be changed before a system is used for any Serco activity
S78. No-one will log onto Serco systems unless they are authorised to do so
S79. A process will be in place for revoking the access rights of employees and contractors who leave the business; timescales for removal will be defined in accordance with our People Standard and local business requirements; access to Serco premises will be removed on the last day they will be present
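S79 requires that leaver access is revoked within a defined timescale. The following is an added worked example, not Serco's own tooling and not a process the standard prescribes: it reconciles a constructed HR leaver list against a constructed identity-store export and reports accounts that were still enabled, or were only disabled late, relative to a removal deadline. The one-working-day grace period, the record fields and the sample users are assumptions chosen for illustration; the real timescale is whatever the People Standard and local requirements define.

```python
"""Leaver access-revocation reconciliation (added example, not Serco tooling).

Cross-checks an HR leaver list against an identity-store export and flags
access that was not revoked within the defined timescale. Every record
below is constructed sample data; the field names and the one-working-day
grace period are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Leaver:
    user_id: str
    last_day: date  # last day present (S79: premises access ends on this day)


@dataclass(frozen=True)
class Account:
    user_id: str
    system: str
    enabled: bool
    disabled_on: Optional[date]  # None while the account is still enabled


def deadline_for(last_day: date, grace_working_days: int) -> date:
    """Latest acceptable revocation date: last_day plus N working days (Mon-Fri)."""
    d = last_day
    remaining = grace_working_days
    while remaining > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:  # Monday=0 .. Friday=4
            remaining -= 1
    return d


def overdue_accounts(leavers: List[Leaver], accounts: List[Account],
                     as_of: date, grace_working_days: int = 1) -> List[Tuple[str, str, int]]:
    """Return (user_id, system, days_late) for each leaver account not revoked in time.

    Two conditions produce a finding: the account is still enabled after the
    deadline, or it was disabled later than the deadline (a late revocation is
    still a control failure that should be recorded and reviewed).
    """
    deadlines = {lv.user_id: deadline_for(lv.last_day, grace_working_days) for lv in leavers}
    findings = []
    for acct in accounts:
        deadline = deadlines.get(acct.user_id)
        if deadline is None:
            continue  # current employee, out of scope for this check
        if acct.enabled:
            if as_of > deadline:
                findings.append((acct.user_id, acct.system, (as_of - deadline).days))
        elif acct.disabled_on is not None and acct.disabled_on > deadline:
            findings.append((acct.user_id, acct.system, (acct.disabled_on - deadline).days))
    return sorted(findings)


# Constructed sample data: two leavers and one current employee.
SAMPLE_LEAVERS = [
    Leaver("u1001", date(2018, 5, 4)),   # Friday; deadline is Monday 7 May
    Leaver("u1002", date(2018, 5, 10)),  # Thursday; deadline is Friday 11 May
]
SAMPLE_ACCOUNTS = [
    Account("u1001", "directory", False, date(2018, 5, 4)),   # revoked on time
    Account("u1001", "vpn", True, None),                      # never revoked
    Account("u1002", "directory", False, date(2018, 5, 11)),  # revoked on the deadline
    Account("u1002", "email", False, date(2018, 5, 14)),      # revoked three days late
    Account("u1003", "directory", True, None),                # not a leaver
]
SAMPLE_AS_OF = date(2018, 5, 14)


def run_sample_check() -> List[Tuple[str, str, int]]:
    """Run the reconciliation over the constructed data."""
    return overdue_accounts(SAMPLE_LEAVERS, SAMPLE_ACCOUNTS, SAMPLE_AS_OF)


if __name__ == "__main__":
    for user_id, system, days in run_sample_check():
        print(f"{user_id}: access to {system} not revoked within deadline ({days} day(s) late)")
```

Run against the sample data the check reports the never-revoked VPN account and the late-disabled mailbox; the on-time revocations and the current employee produce nothing. Feeding it a real HR export and directory dump is a matter of replacing the two sample lists.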
S80. Remote access, including by third parties, to any Serco network will be through a secure portal or other approved connection
S81. Controls such as anti-virus will be implemented to detect, prevent and recover from the introduction of malicious code, and user awareness procedures will be implemented
S82. Processes will exist for reporting, recording and clearing viruses and other malicious code
S83. A patch management process will be implemented that:
a. monitors relevant announcements
b. is appropriate to the level of exposed risk
c. only uses vendor-approved patches or genuine open source packages with a valid signature
S84. Procedures covering the backup, storage and recovery of system and data files will be maintained and periodically reviewed
S85. Backup processes will include regular test restores to ensure backup and restore procedures are functioning correctly
S86. Where portable backup media is stored offsite by a third party, all data classified as Serco in Confidence will be encrypted on the backup media
S87. A full backup and restore plan will be included in or referenced by all system incident response plans, disaster recovery and business continuity plans
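S84 and S85 call for documented backup and restore procedures with regular test restores. As an added illustration, not Serco's backup tooling and not a procedure taken from the standard, the script below backs up a small constructed directory into a tar archive carrying a SHA-256 manifest, performs a test restore into a scratch directory, verifies every restored file against the manifest, and then shows the same check catching a missing and a truncated file. The file names and layout are assumptions made for the example.

```python
"""Backup test-restore verification (added example, not Serco backup tooling).

Backs up a directory into a gzip tar archive that carries a SHA-256
manifest, restores it to a scratch directory and checks every restored file
against the manifest, so a test restore fails loudly rather than silently.
The sample files and layout are constructed for illustration.
"""
import hashlib
import io
import json
import tarfile
import tempfile
from pathlib import Path
from typing import Dict

MANIFEST_NAME = "MANIFEST.json"

# Constructed sample content (relative path -> bytes).
SAMPLE_FILES = {
    "finance/ledger.csv": b"date,amount\n2018-05-01,120.00\n",
    "hr/notes.txt": b"screening completed for contractor C-17\n",
    "config/app.ini": b"[backup]\nschedule=daily\n",
}


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(source: Path) -> Dict[str, str]:
    """Relative POSIX path -> SHA-256 for every regular file under source."""
    return {p.relative_to(source).as_posix(): sha256_file(p)
            for p in sorted(source.rglob("*")) if p.is_file()}


def make_backup(source: Path, archive: Path) -> Dict[str, str]:
    """Archive source and embed the manifest so the restore side can self-check."""
    manifest = build_manifest(source)
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest:
            tar.add(source / rel, arcname=rel)
        data = json.dumps(manifest, indent=2).encode()
        info = tarfile.TarInfo(MANIFEST_NAME)
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    return manifest


def restore(archive: Path, target: Path) -> None:
    """Extract the archive. The 'data' filter (Python 3.12+, backported to recent
    3.8-3.11 releases) refuses members that would write outside target."""
    with tarfile.open(archive, "r:gz") as tar:
        try:
            tar.extractall(target, filter="data")
        except TypeError:  # older interpreter without the filter argument
            tar.extractall(target)


def verify(restored: Path) -> dict:
    """Compare a restored tree with its embedded manifest."""
    manifest = json.loads((restored / MANIFEST_NAME).read_text())
    missing, corrupt = [], []
    for rel, digest in manifest.items():
        p = restored / rel
        if not p.is_file():
            missing.append(rel)
        elif sha256_file(p) != digest:
            corrupt.append(rel)
    return {"restored": len(manifest) - len(missing), "missing": missing,
            "corrupt": corrupt, "ok": not missing and not corrupt}


def run_demo():
    """Back up the sample tree, test-restore it, then damage the restore to show detection."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        source = root / "source"
        for rel, content in SAMPLE_FILES.items():
            target = source / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(content)
        archive = root / "backup.tar.gz"
        make_backup(source, archive)
        scratch = root / "restore"
        restore(archive, scratch)
        clean = verify(scratch)
        # Simulate a bad restore: one file truncated, one absent.
        (scratch / "finance/ledger.csv").write_bytes(b"")
        (scratch / "hr/notes.txt").unlink()
        damaged = verify(scratch)
    return clean, damaged


if __name__ == "__main__":
    for label, report in zip(("test restore", "damaged restore"), run_demo()):
        print(label, json.dumps(report))
```

The manifest travels inside the archive so a restore can be verified on a host that never saw the original data, which is the situation for media held offsite by a third party (S86); the `filter="data"` extraction argument is the caveat worth keeping when restoring such media, since it rejects archive members that would escape the restore directory.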
S88. Processes will be implemented to manage the introduction, access to, usage and security of wireless networks, including providing security guidance on home wireless systems
S89. Serco trusted networks must be separated from un-trusted networks and must only be accessible from any un-trusted network through a mechanism that ensures that only authorised access is permitted; wireless networks are to be classified as un-trusted, unless specifically identified as adequately protected and approved by the Divisional Security Manager or Divisional CIO/CTO to be trusted
S90. Only Serco approved devices will be connected directly to Serco trusted networks
S91. Processes will be implemented to manage the configuration and use of mobile and handheld devices that use or connect with Company systems or networks
S92. If a mobile/portable device (or any IS equipment/asset) is lost or stolen the incident will be reported as soon as practicably possible
S93. Applications produced or customised by Serco will be developed and maintained in accordance with secure development principles, which will demonstrate the incorporation of information security principles throughout the lifecycle and be endorsed and approved by the relevant Architecture Board
S94. A formal risk assessment will be conducted prior to development to ensure the necessary security controls are implemented as part of the solution
S95. Production (live or ‘real’) data will not be used in the testing or development environments
S96. For systems processing high-value data such as financial details, any custom code will be security reviewed prior to release to production
S97. For web-facing applications that accept, use or display payment card information, even where obfuscated, an independent security code review will be performed prior to release into production
3.16 Cloud Computing Security
S98. Cloud Services must be selected and used in accordance with the Cloud Services Security operating procedure[13]
[13] See Cloud Services Security GSOP Ref: SMS-GS-S1-20
S99. When utilising any form of Software as a Service (SaaS), the Serco business data owner will be aware of the data locations, will confirm that any such locations are contractually/legally acceptable for the nature of the data being stored, and will accept any residual risks that exist due to the terms of the SaaS agreement
S100. No customer data subject to contract data handling requirements can be relocated into a Cloud Computing environment without the customer’s permission
S101. SaaS providers holding Serco Restricted and Sensitive or customer data must be able to demonstrate that the level of security competency which they are asserting has been independently validated (e.g. through an appropriately scoped ISO27001 Certification). As a minimum, the scope of their independent validation must include assurance of their security audit regime, and their vulnerability identification and remediation processes. These providers must also ensure that the data is encrypted, with the cryptographic keys managed through an assured process agreed with Serco
S102. Contract Managers must be mindful of any customer requirements which may restrict the geographic location(s) where customer’s data can be held by Serco or our service providers, and must ensure, with advice where required from the relevant Serco service owner(s), that storage and hosting arrangements for that data meet these requirements (or that any proposed exceptions have the express consent of the customer)
4 Responsibilities & Accountabilities S103. The following responsibilities will apply to the delivery of the defined
standards. If these are not completed effectively, the person responsible will be accountable for any consequences14.
Group
14 See Consequence Management Group Standard Ref: SMS-GS-G1
S104. The Group CEO will appoint a Group Chief Information Security Officer responsible for:
a. Developing and maintaining Group Security policy b. Ensuring standards and associated procedures and key controls
remain fit for purpose, reflect legislative and regulatory requirements and effectively manage Security risks
c. Providing oversight and reporting Security performance
Division
S105. The Divisional CEO will appoint a Divisional Security Manager responsible for:
a. Implementing Security policy, standards, procedures and key controls across the Division; which may include the development of country/region/Divisional procedures and management systems
b. Ensuring procedures and key controls remain fit for purpose, reflect legislative and regulatory requirements and effectively manage Security risks
c. Implementing an appropriately resourced security management structure to support the delivery of Security policies, systems, objectives and targets, review security performance and respond to security incidents
d. Providing oversight and reporting divisional Security performance
Business Unit
S106. The Business Unit Managing Director, in conjunction with the Divisional Security Manager, is responsible for:
a. Complying with Security policy, standards, procedures and key controls; which may include the development of Business Unit management systems
b. Ensuring appropriate resources are appointed to support the Business Unit in managing Security risks, delivering people objectives and targets and providing competent Security advice
Contract/Function
S107. The Contract Manager (or Corporate Function Head), in conjunction with the Divisional Security Manager, is responsible for:
a. Complying with Security policy, standards, procedures and key controls; which may include the development of local operating procedures/work instructions
b. Ensuring Security responsibilities are clearly defined
c. Ensuring local controls are in place for providing assurance that Security risks are being effectively managed
d. Managing cyber risks by completing the Cyber Risk Assessment Questionnaire and maintaining appropriate evidence in support of this risk assessment
All employees
S108. All employees are responsible for:
a. Undertaking training provided and ensuring any mandatory training is kept up to date
b. Following defined Security procedures and work instructions
c. Telling a line manager or Security representative of any Security concerns
5 Processes and Controls
5.1 Governance processes and controls
Process: A set of related activities that must be carried out to achieve policy outcomes
Controls: The action we put in place to mitigate a risk(s) within a key process and/or the delivery of policy outcomes. These are mandated and are the minimum that should be implemented regardless of any local difference
Responsibility for ensuring controls are in place and operating effectively: Group (S105) / Division (S106) / Business Unit (S107) / Contract/Function (S108) / All Employees (S109)
Ref Description
P1 Security responsibilities are defined and understood
C1 A Group Chief Information Security Officer is appointed by the Group CEO with responsibility for:
– Developing and maintaining Group Security policy
– Ensuring standards and associated procedures and key controls remain fit for purpose, reflect legislative and regulatory requirements and effectively manage Security risks
– Providing oversight and reporting Security performance
C2 A Divisional Security Manager is appointed by the Divisional CEO with responsibility for:
– Implementing Security policy, standards, procedures and key controls across the Division; which may include the development of country/region/Divisional procedures and management systems
– Ensuring procedures and key controls remain fit for purpose, reflect legislative and regulatory requirements and effectively manage Security risks
– Implementing a security management structure to support the delivery of Security policies, systems, objectives and targets, review Security performance and respond to Security incidents
– Providing oversight and reporting divisional Security performance
C3 The Business Unit MD, in conjunction with the Divisional Security Manager, is responsible for:
– Complying with Security policy, standards, procedures and key controls; which may include the development of Business Unit management systems
– Ensuring appropriate resources are appointed to support the Business Unit in managing Security risks, delivering Security objectives and targets and providing competent Security advice
C4 Contract Managers (or Corporate Function Heads), in conjunction with the Divisional Security Manager, are responsible for:
– Complying with Security policy, standards, procedures and key controls; which may include the development of local operating procedures/work instructions
– Ensuring Security responsibilities are clearly defined and included in employee inductions
– Ensuring local controls are in place for providing assurance that Security risks are being effectively managed
C5 All employees are responsible for:
– Undertaking training provided and ensuring any mandatory training is kept up to date
– Following defined Security procedures and work instructions
– Telling a line manager or Security representative of any Security concerns
P2 Establish Security Management policy
C6 Policy, standards and Group procedures are defined and published
C7 Policy, standards and Group procedures are communicated and implemented
P3 Establish Security management systems and processes
C8 Security Standard Operating Procedures are appropriate and proportionate to the nature of security risks
C9 Security legal and regulatory requirements are monitored, with changes reflected in systems and procedures
P4 Security Compliance
C10 A Security compliance plan is in place
C11 Information systems are regularly reviewed to ensure compliance with the Security Group Standard
C12 Agreed actions are closed out
5.2 Key processes and controls
Responsibility for ensuring controls are in place and operating effectively: Group (S105) / Division (S106) / Business Unit (S107) / Contract/Function (S108) / All Employees (S109)
Ref Description
P5 Incident Management and Reporting
C13 Security incidents are recorded on ASSURE
C14 IT equipment is surrendered, where required, to a designated investigator within one working day for any security incident investigation
C15 Corrective and preventative actions arising from investigations are monitored and completed with learnings shared to ensure continuous improvement
P6 Training, Awareness & Competence
C16 Mandatory Group security training is completed by all employees and third party employees performing work on behalf of Serco
C17 Security training given to staff provided by third party organisations must be equivalent to or of a greater standard than Serco mandated security training
C18 Completion of mandatory security training is recorded and monitored
C19 Mandatory security training is completed annually for both information and non-information workers
P7 Objectives, Targets and Performance Monitoring
C20 Group-wide objectives and targets are set annually for security
C21 Performance against security objectives and targets is monitored by the relevant Security Lead and reported
P8 Manage Security Risks
C22 Risk registers include physical, personnel, information and service delivery security risk, and are reviewed, as a minimum, quarterly
C23 Security risks are effectively managed through the implementation of mitigating controls
C24 Information asset risk assessments will include the protection of information that has a national, commercial or personal value from unauthorised disclosure, modification or denial of access
C25 Physical security risk assessments include:
– Protection of people, buildings, vehicles, equipment and other physical assets
– Securing high value or attractive items
– Controlled access to buildings and other areas
– Reference and input to related business continuity/disaster recovery/major incident plans
P9 Information security
C26 Serco information is classified in accordance with recognised Serco protective marking schemes. Where customer information is held locally this is marked in accordance with the customer’s protective marking schemes
C27 Non-disclosure agreements are in place for third party suppliers or partners given access to sensitive, customer or Serco Business/Serco Restricted and Sensitive data
C28 Encryption methods are deployed on PCs located outside of Serco premises, on portable devices and removable media, and for data transmitted to third parties using email and other electronic file transfer systems
C29 Non-Serco PCs/devices or removable media that are used to store Serco Business or Serco Restricted and Sensitive data have an approved method of encryption and corporate device management, unless permanently located wholly within secure Serco premises
P10 Personnel Security
C30 A vetting and screening capability is implemented to ensure proportionate and appropriate processes are in place
P11 Physical Security
C31 An appropriate and proportionate physical security environment is implemented
C32 Guidance and instructions are provided regarding Working From Home
P12 Asset Disposal
C33 Records are maintained of secure disposal of assets in accordance with section 2.11
C34 A secure logistics service is used to dispose of unencrypted hardware
C35 All data is securely wiped using a Group approved methodology
P13 PCI-DSS compliance
C36 Any payment card processing is compliant with the current Payment Card Industry – Data Security Standard (PCI-DSS) and compliance is verified by an external PCI-DSS accredited qualified security assessor unless documented as not required by the Divisional Security Manager
P14 Data Protection
C37 A data map is maintained to include the type of personal information collected and retained
C38 Personal information is protected from threats, in accordance with local legislation and the Data Protection GSOP
P15 Third party providers and outsourcing are managed
C39 Third party and outsource partner contracts are reviewed and approved by the relevant Architecture Board, to ensure adequate security requirements
C40 Before engaging a third party or outsourced arrangement, a security assessment is completed
P16 Technical Infrastructure Security
C41 Any third party access to Serco systems is controlled, approved, regularly monitored and terminated immediately when access is no longer required
C42 Default passwords are changed
C43 The Service Desk is notified of leavers promptly to ensure access rights are revoked
C44 Lost or stolen mobile/portable devices are reported on ASSURE and to the Service Desk
C45 The development or customisation of applications is risk assessed and endorsed and approved by the relevant Architecture Board, to ensure necessary security controls are implemented15
C46 No live data will be used in the testing or development environment
15 Divisional Security Manager & Divisional IT lead
P17 Cloud Computing Security
C47 The use of any Cloud services is approved by the relevant Enterprise Architecture Board
6 Supporting Documentation and Guidance
Ref Document
SMS GS-S1 Information Systems Group Standard
SMS GS-BC1 Acceptable Use Group Standard
SMS GS-G1 Consequence Management Group Standard
SMS GS-P1 Employee Lifecycle Group Standard
SMS GS-RM1 Risk Management Group Standard
SMS GSOP IT1-1 Technology Solution Architecture Review GSOP
SMS GSOP O1-2 Incident Reporting and Management GSOP
SMS GSOP S1-2 Third Party and Outsourcing GSOP
SMS GSOP S1-3 Data Protection GSOP
SMS GSOP S1-5 Information Privacy Classification GSOP
SMS GSOP S1-7 Asset Disposal and Reuse GSOP
SMS GSOP S1-15 (Data) Privacy Impact Assessment GSOP
SMS GSOP S1-20 Cloud Services Security GSOP
7 Definitions
Term Definition
Accountability – Being accountable means being not only responsible for something but also answerable for your actions.
Responsibility – A responsible person is the individual who completes the task required. Responsibility can be shared and delegated. All responsible persons will also be accountable for completing tasks effectively. Non-compliance will have consequences which may include disciplinary action as defined within the Consequence Management Group Standard.
Group – Serco Group plc is the administrative centre of the organisation, responsible for setting corporate strategy, defining governance requirements and supporting the business in its day to day operations.
Division – The Group will define a set of business Divisions which will be responsible for business delivery within a defined set of markets or geographies.
Business Unit – A Business Unit is a cluster of contracts which provide a similar service, e.g. Health, Defence, Transport etc. Where appropriate, a separate legal entity that is wholly owned or in which Serco has a controlling share may also be referred to as a Business Unit. This may also refer to Countries/Territories.
Contract – A Contract provides specified requirements to a customer (either directly with Serco or to a consortium/Joint Venture in which Serco is a party). A Contract will also refer to a corporate/functional area. Corporate/functional areas are functions which support the business and they include finance, HR, procurement etc.
Contract Manager – This refers to a manager with responsibility for managing the performance of a contract and can include a Contract Manager on a day-to-day basis (or Operational Manager with devolved responsibility), a Contract Director, Partnership Director and/or a Business Unit Managing Director.
Assets – All computer hardware, including:
– desktops, laptops, servers, disk drives/disk arrays
All network hardware, including:
– servers, switches, routers, blade devices, intrusion detection systems
Any removable media or portable storage device, including:
– CDs, DVDs, removable hard drives, memory cards, tapes, USB storage devices, floppy disks, flash disks, mobile phones, PDAs/BlackBerrys, voice recordings
Printers, and in particular printers with hard drives, printer ribbons, fax machines
All Serco in Confidence and Serco Internal information held on Serco systems, including all credit/debit card records.
Any hard copy, handwritten or printed document, paper, report or correspondence that contains Serco in Confidence, Serco Internal or equivalent information.
BYOD – Bring Your Own Device: the policy (where permitted) of allowing employees to bring personally owned devices (e.g. laptops, tablets, etc.) to their workplace, and use those devices to access privileged company or customer information and applications.
Cloud Computing – The practice of using a network of remote servers hosted on the internet to store, manage, and process data, rather than a local server.
Data Controller – A person who determines the purposes for which and the manner in which any personal information is, or is to be, processed.
Information security – The preservation of confidentiality, integrity and availability to authorised users of information (held in any form), whether in storage, processing or transit. Other properties, such as authenticity, accountability, non-repudiation and reliability, can also be involved.
Information System – A set of components organised and coordinated in order to collect, create, store, process, and distribute information. Typically, its components will include information technology (e.g. hardware, software, networks), but could also be a manual or paper based system.
Information Worker – An employee who regularly uses a computer for their job.
Non-Information Worker – An employee who very rarely or never uses a computer for their job.
Personal information – As defined in the country or territory of operation, or in the absence of any definition, as defined in the Data Protection Standard Operating Procedure (SMS GSOP-S3).
Personnel security – The process by which all employees meet and maintain the Company’s standards of loyalty, suitability, reliability and trustworthiness. Further measures may be required to meet specific customer requirements.
Physical security – The physical measures designed to safeguard personnel, to prevent unauthorised access to equipment, installations, material and documents and to safeguard them against espionage, sabotage, damage and theft.
Software as a Service (SaaS) – Software that is owned, delivered and managed remotely by one or more providers. The provider delivers software based on one set of common code and data definitions that is consumed in a one-to-many model by all contracted customers at any time on a pay-for-use basis or as a subscription based on use metrics. SaaS is typically accessed by users using a thin client via a web browser.
8 Further information and support
If you require any further information or support regarding this Group
Standard, or if you have any suggestions for improvement, please contact the Accountable Policy Owner (Group) or email [email protected]