Security · 2019-04-26 · set security objectives, targets and procedures that reflect legal, regulatory and customer requirements and address identified risks inform and educate
SMS-GS-S1 – Security Management – May 2018 – Version 4.0

Group Standard

Security

Integral to our business operations, future business opportunities and our reputation is that we safeguard the security, integrity and availability of our assets, people and information.

SMS-GS-S1 – Security – May 2018 – V4.0 – Serco Business

Document Details (Serco Public)

Reference: SMS GS-S1: Security
Version: 4
Approval Date: May 2018
Date for next review: May 2020
Applicability: Serco Group covering all business regions, operating companies and business units throughout the world [1]
Authority: Chief Executive, Serco Group plc
Accountable Policy Owner: (Group) Chief Information Officer
Additional Information: Supporting standards, standard operating procedures and guidance relating to this Group Standard are available on ‘Our World’ under Serco Management System (SMS)
Governance: Our policies and standards, together with any regional or market requirements and enhancements to them, are authorised through a robust governance process. The SMS Quality Manual describes this process and is available on Our World under SMS
Consequence Management: As a Group Standard the requirements detailed in this document are mandated and must be adhered to. Non-compliance will have consequences which may include disciplinary action. The Consequence Management Group Standard (Ref: SMS-GS-G1) details how instances of non-compliance will be dealt with

[1] As used herein, Serco Group plc and its affiliates, subsidiaries, business divisions/units, joint venture companies and operating companies are referred to as ‘Serco’, the ‘Company’/‘company’, ‘we’, ‘us’ or ‘our’

Contents

1 Objectives ....................................................................................... 3
2 Scope ............................................................................................. 3
3 Policy Standards .............................................................................. 3
3.1 Policy and management system ................................................. 3
3.2 Legal and regulatory requirements ............................................. 4
3.3 Training, awareness and competence ........................................ 4
3.4 Risk management ..................................................................... 4
3.5 Objectives, targets and performance monitoring ......................... 5
3.6 Compliance .............................................................................. 5
3.7 Incident management and reporting .......................................... 5
3.8 Information security .................................................................. 6
3.9 Personnel security .................................................................... 7
3.10 Physical security ....................................................................... 7
3.11 Asset disposal ........................................................................... 7
3.12 Credit/debit card data ............................................................... 8
3.13 Data protection......................................................................... 8
3.14 Third party and outsourcing ...................................................... 8
3.15 Technical infrastructure security ................................................ 8
3.16 Cloud Computing Security ......................................................... 9
4 Responsibilities & Accountabilities .................................................... 10
5 Processes and Controls .................................................................... 12
6 Supporting Documentation and Guidance ......................................... 23
7 Definitions ...................................................................................... 23
8 Further information and support ...................................................... 25

1 Objectives

This Group Standard provides for the consistent application of security principles throughout Serco. Integral to our business operations, future business opportunities and our reputation is the confidentiality and privacy of our information (including personal information) and that of our customers, the provision of protection for the integrity of information and for the availability of information. Effective security management will protect the assets that are important to Serco, our employees and customers and meet the requirements of national legislation and good corporate governance.

We will establish, implement, operate, monitor, review, maintain and improve documented security management systems within the context of the organisation’s overall business activities and the risks it faces. Applying these systems will ensure that we meet our objectives to:

- identify, assess and manage the security risks to the information (including personal information) we process, as well as those risks faced by our people and our business
- identify, train and use necessary and competent resources within a defined structure to manage security risk
- set security objectives, targets and procedures that reflect legal, regulatory and customer requirements and address identified risks
- inform and educate employees about data protection and security matters so that they are aware of and able to fulfil their security and privacy responsibilities
- ensure the physical environments that protect our assets are secure, in good condition and fit for purpose
- build and operate our IS infrastructure to ensure access is controlled and the confidentiality, integrity and availability of our data is maintained at a level appropriate to the risk
- adopt and implement measures which meet in particular the principles of privacy by design and privacy by default
- establish feedback mechanisms that encourage the free and honest reporting of security issues and consider the input of employees and others with an interest in our work when making decisions relating to security
- assess compliance with Security and Information & Data Privacy Policy and Standards through planned, independent and documented audits
- measure, monitor and report performance of our Policy and Standards against set objectives and targets
- regularly review the security management system to ensure its suitability, adequacy and effectiveness

2 Scope

This Group Standard covers all Serco's electronic / IT systems and information (including personal information).

This Group Standard applies to all employees and interested third parties who need to comply with its requirements. All other supporting security information or detailed standard operating procedures will only be made available where the individual or third party has a valid need to know its contents and, in respect of information subject to customer and/or Government regulation, has been authorised by the customer and/or Government Authority.

3 Policy Standards

3.1 Policy and management system

S1. Security policy, standards and standard operating procedures will be defined, documented and maintained by the Group security management function

S2. Systems and procedures will be proportional to the nature of the organisation’s security risks (including those concerning personal information)

S3. Systems and procedures will be communicated to all persons working under the control of the organisation with the intent that they are made aware of their individual security obligations

S4. Operations and activities that are associated with security risks will be identified

S5. Security controls for these operations and activities will be identified and implemented in line with this Group Standard

S6. Responsibilities for security management will be clearly defined, with clear lines of accountability at all levels of the organisation

S7. All security documentation will be approved, controlled and periodically reviewed

3.2 Legal and regulatory requirements

S8. We will understand and meet security legal and regulatory requirements

S9. Security legal and regulatory responsibilities will be monitored, reflected in relevant processes and controls, and communicated

S10. New or changed security requirements will be monitored and controls developed and communicated to ensure compliance

S11. A security management structure will be implemented to support the delivery of security policies, systems, objectives and targets, review security performance and respond to security incidents

S12. A member of the Executive Committee and a member of each Divisional Executive Management Team (EMT) will be chosen to ensure that the oversight and management of security is properly implemented and effective

S13. Competent resources will be allocated to manage security risks and deliver security objectives and targets

S14. Security responsibilities will be defined for all employees

3.3 Training, awareness and competence

S15. Serco will ensure the availability and completion of sufficient and appropriate training for all employees to enable them to protect Serco's electronic / IT systems and information (including personal information)

S16. Serco employees will be competent to undertake their role and deliver security compliance and performance

S17. Employee induction will include a security briefing relevant to the working environment

S18. Security training will be mandatory for all employees and records will be maintained of each individual’s training and achievements

S19. All employees are required to renew their Security training annually, with information workers completing training aligned to Serco Essentials and non-information workers attending an annual briefing

S20. Third party information workers who handle Serco information and/or its customer’s data (including personal information) must complete annual Information Security and Data Protection awareness training to an equivalent or greater standard than the Serco training, and have evidence to support completion

3.4 Risk management

S21. Security risk management will follow the Group’s risk management standards [2]

[2] See Risk Management Group Standard Ref: SMS-GS-RM1

S22. Security risks of our operations, equipment and facilities, information (including personal information) and people will be regularly identified and assessed, with appropriate controls implemented to manage the risk. Where material residual risk remains, its acceptance must be owned at a level commensurate with the risk and it must be subject to ongoing monitoring and regular review at an appropriate frequency.

S23. Security reviews will specifically address physical, personnel, information security and service delivery

S24. Due to the nature of the services we provide, our technology and operational systems will be subject to threats of breach from both internal and external sources. We will implement the controls contained within this Group Standard and any associated GSOP and ensure they are proportionate to the level of sensitivity of the information we are protecting. We will act swiftly to minimise the impact of any breach and will promptly carry out remedial actions to prevent further breaches

S25. Risk assessment of information assets will specifically address the protection of information (held in any form) that has a national, commercial or personal value from unauthorised disclosure, modification or denial of access

S26. Risk assessment of personnel security will specifically address:

a. validating the identity, qualifications and job history of all job applicants (including contractors) and taking up references before making a job offer
b. implementing further customer-defined security checks if required
c. providing security briefing for all employees (including contractors and temporary employees)
d. establishing general protective measures for all employees
e. establishing specific protective measures for employees identified as vulnerable to assault or abuse

S27. Risk assessment of physical security will specifically address:

a. protection of people, buildings, vehicles, equipment and other physical assets
b. securing of high value or attractive items (e.g. computers, electronic equipment, cash etc.)
c. control of access to buildings and other areas
d. business continuity/disaster recovery/major incident plans addressing measures to be adopted in case of loss or unavailability of the physical asset

S28. Security risks associated with our facilities, equipment, secure areas and visitors will be assessed and proportionate and appropriate controls implemented to manage the risk; controls may include physical barriers, physical security, access controls, pass systems, alarm and CCTV monitoring systems

3.5 Objectives, targets and performance monitoring

S29. The Executive Committee will set and publish annual overarching Group-wide objectives and targets (i.e. KPIs/KRIs) for security across the Group

S30. Group objectives and targets will then inform Divisional, Business Unit and Contract objectives, target-setting and monitoring processes

S31. Each Division and Contract will develop objectives and targets which are aligned with Group-wide objectives and targets while also reflecting relevant local risk and security performance

S32. Security management systems and information owners are responsible for determining the required level of confidentiality, integrity and availability and ensuring their achievement

S33. Security performance will be measured against agreed indicators and the findings recorded and reported

S34. Performance will be reviewed by management in relation to business security objectives and targets and any necessary remedial or improvement action taken

S35. Security performance will be monitored and reviewed by the relevant Divisional Security Manager, and compared with agreed objectives and targets

3.6 Compliance

S36. Information systems will be regularly reviewed against this Group Standard

S37. Technical or organisational controls will be implemented and monitored to proactively prevent security incidents

3.7 Incident management and reporting

S38. Processes will be implemented to manage security incidents (including those concerning personal information) subject to any legal limitations and appropriate preservation of Serco legal and other privileges

S39. Incident management will follow the Incident Management and Reporting Standard Operating Procedure [3]

[3] See Incident Reporting and Management GSOP Ref: SMS GSOP O1-2

S40. Employees, contractors and third-party users of information systems and services will note and report observed or suspected security weaknesses in systems or services

S41. If requested as part of an authorised security investigation for legal, regulatory or cyber related reasons, or due to the detection of malware/viruses, employees, contractors and third-party users are required to surrender any IT equipment to a designated officer of the local statutory Serco legal entity within one working day for audit/forensic examination

S42. Corrective and preventative actions arising from any investigation will be initiated, tracked, monitored, completed and reviewed for effectiveness

S43. The Divisional Security Manager will ensure relevant learning will be shared across the organisation and with stakeholders and others

3.8 Information security

S44. Information must only be stored and processed using systems and services which have been confirmed to provide an appropriate level of security protection, and data separation where applicable, in line with the classification of that information and any specific legal or customer requirements and assurance processes (such as security accreditations).

S45. Serco information will be classified into one of the following Primary Classification categories (which are further described, along with Secondary Classification options, in the Information Privacy Classification operating procedure [4]):

a. Serco Business (SB): Information which if disclosed without authorisation, may cause unwanted exposure of the inner-workings of the company, but would not result in significant financial loss or serious harm to the company or its business interests
b. Serco Restricted and Sensitive (SRS): Our most valuable information, which, in the wrong hands could cause serious damage to us, our customers, shareholders, partners or suppliers and may result in serious loss of reputation; significant financial loss; loss of opportunity; or legal action

[4] See Information Privacy Classification GSOP Ref: SMS GSOP S1-5

S46. Third-party suppliers or partners required to engage in processes to view personal information, Serco Business, Serco Restricted and Sensitive data or customer data will sign a Non-Disclosure Agreement (NDA) before being granted access

S47. Where information is handled on behalf of a customer, the customer’s classification must be used and not changed without the customer’s permission, and the handling and storage of customer classified data must be conducted in accordance with the client’s protocols for that classification.

S48. An appropriate and approved method of encryption will be deployed to prevent unauthorised access to Serco Restricted and Sensitive information, as well as personal information, when transmitted using email and other electronic file transfer systems to any third parties

S49. Serco PCs/devices used for business purposes will have an appropriate and approved method of encryption and corporate device management, unless permanently located wholly within secure Serco premises or if the site has been approved by the Divisional Security Manager as being secure

S50. Where devices located within secure Serco premises are unable to be encrypted, alternative physical security measures must be employed

S51. Non-Serco PCs/devices used to store Serco Business, Serco Restricted and Sensitive or customer data will have an approved method of encryption and corporate device management, unless permanently located wholly within secure Serco premises or if the site has been approved by the Divisional Security Manager as being secure. This includes employees’ personal PCs/devices whether or not they are part of a Bring Your Own Device (BYOD) programme (where permitted) or equivalent and any PCs/devices used by suppliers, consultants or contractors

S52. Removable media will not be used to store Serco Business, Serco Restricted and Sensitive or customer data, other than where an exceptional business need has been approved and the removable media is Serco approved and provisioned, with an approved method of encryption and management process. Removable media will not be approved for long term storage of data, but only for temporary transportation.

3.9 Personnel security [5]

[5] See Employee Lifecycle Group Standard Ref: SMS-GS-P1

S53. A process for pre-employment screening will be implemented for all employees, including contractors and agency employees

S54. The level of screening will be proportionate and appropriate to the roles, assessed security risk and customer, legal and regulatory requirements

S55. As a minimum, screenings will cover identity, employment history (covering the last three years), nationality and immigration status and/or the ability to work legally in a given country, and criminal record (unspent convictions only). The rigour of these checks is subject to local risk review and business requirements

S56. Ongoing reviews of screening requirements for individuals performed as required in S54 above will be undertaken by their line manager working with local security vetting teams

3.10 Physical security [6]

[6] See Security pages of Our World>The Way we Work>Security

S57. Assets will not be left unattended in a public location or on public transport, taxis, trains and planes

S58. If left unattended in a vehicle, PCs and other IS equipment must be stored in the boot or a locked compartment, and the vehicle must be locked

S59. PCs and other IS equipment containing customer data subject to contract data handling requirements must not be left unattended at any time in a vehicle except where the customer policy allows for this and any specified mitigating customer controls are adhered to at all times (including use of a vehicle boot safe when dictated by such policy)

S60. PCs and other IS equipment must not be left in the vehicle if unattended for a long period of time, including overnight

S61. Access numbers or passwords will not be left with the corresponding asset

S62. When working from home, information and equipment will be kept secure

3.11 Asset disposal

S63. In accordance with Serco operating procedure [7], information will be disposed of in a manner that protects against unauthorised access and use of the information on the asset

[7] See Asset Disposal and Reuse GSOP Ref: SMS GSOP-S1-7

S64. Serco property including IS hardware will be disposed of in a safe and environmentally-friendly manner and in line with local statutory requirements

S65. Audit trails and evidence pertaining to secure disposal will be maintained and accessible. All disposals of IS equipment must be reported to the Group Software Asset Management (SAM) team

S66. Serco Business or Serco Restricted and Sensitive information, any customer-owned information, and any software licenced to Serco must be permanently and irretrievably removed prior to the disposal, or re-use in a different environment, of any IS equipment. Any end user device which has been used to connect to the Serco corporate infrastructure should be assumed to have handled Serco Restricted and Sensitive information

S67. Unencrypted hardware will be disposed of using a secure logistics service and by an approved contractor

3.12 Credit/debit card data

S68. Customer credit/debit card data will not be entered into, stored or transmitted by any system other than those systems approved to handle credit/debit card data in accordance with the Payment Card Industry Data Security Standard (PCI-DSS) as required by the industry card schemes

3.13 Data protection

S69. Serco will implement appropriate technical and organisational security measures to prevent unauthorised or unlawful disclosure or access to, or accidental or unlawful loss, destruction, alteration or damage to personal information. Such measures will be in accordance with customer requirements and applicable data privacy laws and regulations, as well as relevant Serco privacy-related policies, standards and operating procedures [8]. As well as protecting the privacy of the data subjects, these measures will reduce the risks to our business operations, future business opportunities and our reputation posed by damaging security incidents

S70. It is important that we know where we hold personal information within our IT systems in order to ensure the security and management of such data. Data Inventories containing details of business processes which use personal data must therefore be maintained as part of the Data Protection Toolkit [9]

[8] See Data Protection GSOP Ref: SMS GSOP-S1-3
[9] See Information & Data Privacy Standard Ref: SMS-GS-II1

3.14 Third party and outsourcing

S71. The security requirements for third parties and outsource partners will be contractually based, explicit, monitored, regularly reviewed and approved by the relevant Architecture Board [10]

[10] See Technology Solution Architecture Review GSOP Ref: SMS-GSOP-IT1-1

S72. Third parties who have access to Serco information will be assigned a named Serco representative who has overall responsibility for all aspects of the relationship

S73. Security is an important consideration where we disclose information (including personal information) to third parties. A commercial (or personal where applicable) undertaking should be obtained from the third party recipient that they will only use the information (including personal information) for legitimate / authorised purposes and keep it secure. Where disclosure of personal information is proposed to a third party, it is important that Serco employees refer to the relevant Serco privacy-related policy standards and operating procedures prior to disclosing any personal information [11]

[11] See Data Protection GSOP Ref: SMS GSOP-S1-3, Data Protection Impact Assessment GSOP Ref: SMS-GSOP-II1-3, Third Party and Outsourcing GSOP Ref: SMS GSOP-S1-2

S74. The locations, systems and information that will be accessible by external employees will be recorded and managed in accordance with the Third Party and Outsourcing Standard Operating Procedure [12]

[12] See Third Party and Outsourcing GSOP Ref: SMS GSOP-S1-2

S75. Computing devices provided by the third party and holding Serco or its customer’s data (including in particular personal information) must be encrypted to comply with Federal Information Processing Standards (FIPS) Publication 140-2

3.15 Technical infrastructure security

S76. Specific processes and controls will be implemented to manage and control remote access to Serco systems and networks

S77. Vendor default accounts and passwords will be changed before a system is used for any Serco activity


S78. No-one will log onto Serco systems unless they are authorised to do so

S79. A process will be in place for revoking the access rights of employees and contractors who leave the business; timescales for removal will be defined in accordance with our People Standard and local business requirements; access to Serco premises will be removed on the last day they will be present

S80. Remote access, including third parties, to any Serco network will be through a secure portal or other approved connection

S81. Controls such as anti-virus will be implemented to detect, prevent and recover from the introduction of malicious code, and user awareness procedures will be implemented

S82. Processes will exist for reporting, recording and clearing viruses and other malicious code

S83. A patch management process will be implemented that:

a. monitors relevant announcements
b. is appropriate to the level of exposed risk
c. only uses vendor-approved patches or genuine open source packages with a valid signature

S84. Procedures covering the backup, storage and recovery of system and data files will be maintained and periodically reviewed

S85. Backup processes will include regular test restores to ensure backup and restore procedures are functioning correctly

S86. Where portable backup media is stored offsite by a third party, all data classified as Serco in Confidence will be encrypted on the backup media

S87. A full backup and restore plan will be included in or referenced by all system incident response plans, disaster recovery and business continuity plans

S88. Processes will be implemented to manage the introduction, access to, usage and security of wireless networks, including providing security guidance on home wireless systems

S89. Serco trusted networks must be separated from un-trusted networks and must only be accessible from any un-trusted network through a mechanism that ensures that only authorised access is permitted; wireless networks are to be classified as un-trusted, unless specifically identified as adequately protected and approved by the Divisional Security Manager or Divisional CIO/CTO to be trusted

S90. Only Serco approved devices will be connected directly to Serco trusted networks

S91. Processes will be implemented to manage the configuration and use of mobile and handheld devices that use or connect with Company systems or networks

S92. If a mobile/portable device (or any IS equipment/asset) is lost or stolen the incident will be reported as soon as practicably possible

S93. Applications produced or customised by Serco will be developed and maintained in accordance with secure development principles, which will demonstrate the incorporation of information security principles throughout the lifecycle and be endorsed and approved by the relevant Architecture Board

S94. A formal risk assessment will be conducted prior to development to ensure the necessary security controls are implemented as part of the solution

S95. Production (live or ‘real’) data will not be used in the testing or development environments

S96. For systems processing high-value data such as financial details, any custom code will be security reviewed prior to release to production

S97. For web-facing applications that accept, use or display payment card information, even where obfuscated, an independent security code review will be performed prior to release into production

3.16 Cloud Computing Security

S98. Cloud Services must be selected and used in accordance with the Cloud Services Security operating procedure [13]

[13] See Cloud Services Security GSOP Ref: SMS-GS-S1-20

S99. When utilising any form of Software as a Service (SaaS), the Serco business data owner will be aware of the data locations, that any such locations are contractually/legally acceptable for the nature of the data being stored, and accept any residual risks that exist due to the terms of the SaaS agreement

S100. No customer data subject to contract data handling requirements can be relocated into a Cloud Computing environment without the customer's permission

S101. SaaS providers holding Serco Restricted and Sensitive or customer data must be able to demonstrate that the level of security competency which they are asserting has been independently validated (e.g. through an appropriately scoped ISO27001 Certification). As a minimum, the scope of their independent validation must include assurance of their security audit regime, and their vulnerability identification and remediation processes. These providers must also ensure that the data is encrypted, with the cryptographic keys managed through an assured process agreed with Serco

S102. Contract Managers must be mindful of any customer requirements which may restrict the geographic location(s) where the customer’s data can be held by Serco or our service providers, and must ensure, with advice where required from the relevant Serco service owner(s), that storage and hosting arrangements for that data meet these requirements (or that any proposed exceptions have the express consent of the customer)

4 Responsibilities & Accountabilities

S103. The following responsibilities will apply to the delivery of the defined standards. If these are not completed effectively, the person responsible will be accountable for any consequences14.

Group

14 See Consequence Management Group Standard Ref: SMS-GS-G1

S104. The Group CEO will appoint a Group Chief Information Security Officer responsible for:

a. Developing and maintaining Group Security policy
b. Ensuring standards and associated procedures and key controls remain fit for purpose, reflect legislative and regulatory requirements and effectively manage Security risks
c. Providing oversight and reporting Security performance

Division

S105. The Divisional CEO will appoint a Divisional Security Manager responsible for:

a. Implementing Security policy, standards, procedures and key controls across the Division; which may include the development of country/region/Divisional procedures and management systems
b. Ensuring procedures and key controls remain fit for purpose, reflect legislative and regulatory requirements and effectively manage Security risks
c. Implementing an appropriately resourced security management structure to support the delivery of Security policies, systems, objectives and targets, review security performance and respond to security incidents
d. Providing oversight and reporting divisional Security performance

Business Unit

S106. The Business Unit Managing Director, in conjunction with the Divisional Security Manager, is responsible for:

a. Complying with Security policy, standards, procedures and key controls; which may include the development of Business Unit management systems
b. Ensuring appropriate resources are appointed to support the Business Unit to manage Security risks, deliver people objectives and targets and provide competent Security advice


Contract/Function

S107. The Contract Manager (or Corporate Function Head), in conjunction with the Divisional Security Manager, is responsible for:

a. Complying with Security policy, standards, procedures and key controls; which may include the development of local operating procedures/work instructions
b. Ensuring Security responsibilities are clearly defined
c. Ensuring local controls are in place for providing assurance that Security risks are being effectively managed
d. Managing cyber risks by completing the Cyber Risk Assessment Questionnaire and maintaining appropriate evidence in support of this risk assessment

All employees

S108. All employees are responsible for:

a. Undertaking training provided and ensuring any mandatory training is kept up to date
b. Following defined Security procedures and work instructions
c. Telling a line manager or Security representative of any Security concerns


5 Processes and Controls

5.1 Governance processes and controls

Process (Ref, Description): A set of related activities that must be carried out to achieve policy outcomes

Controls (Ref, Description): The action we put in place to mitigate a risk(s) within a key process and/or the delivery of policy outcomes. These are mandated and are the minimum that should be implemented regardless of any local difference

Responsibility for ensuring controls are in place and operating effectively: Group (S105), Division (S106), Business Unit (S107), Contract/Function (S108), All Employees (S109)

P1 Security responsibilities are defined and understood

C1 A Group Chief Information Security Officer is appointed by the Group CEO with responsibility for:
– Developing and maintaining Group Security policy
– Ensuring standards and associated procedures and key controls remain fit for purpose, reflect legislative and regulatory requirements and effectively manage Security risks
– Providing oversight and reporting Security performance


C2 A Divisional Security Manager is appointed by the Divisional CEO with responsibility for:
– Implementing Security policy, standards, procedures and key controls across the Division; which may include the development of country/region/Divisional procedures and management systems
– Ensuring procedures and key controls remain fit for purpose, reflect legislative and regulatory requirements and effectively manage Security risks
– Implementing a security management structure to support the delivery of Security policies, systems, objectives and targets, review Security performance and respond to Security incidents
– Providing oversight and reporting divisional Security performance


C3 The Business Unit MD, in conjunction with the Divisional Security Manager, is responsible for:
– Complying with Security policy, standards, procedures and key controls; which may include the development of Business Unit management systems
– Ensuring appropriate resources are appointed to support the Business Unit manage Security risks, deliver Security objectives and targets and provide competent Security advice

C4 Contract Managers (or Corporate Function Heads), in conjunction with the Divisional Security Manager, are responsible for:
– Complying with Security policy, standards, procedures and key controls; which may include the development of local operating procedures/work instructions
– Ensuring Security responsibilities are clearly defined and included in employee inductions
– Ensuring local controls are in place for providing assurance that Security risks are being effectively managed


C5 All employees are responsible for:
– Undertaking training provided and ensuring any mandatory training is kept up to date
– Following defined Security procedures and work instructions
– Telling a line manager or Security representative of any Security concerns

P2 Establish Security Management policy

C6 Policy, standards and Group procedures are defined and published

C7 Policy, standards and Group procedures are communicated and implemented

P3 Establish Security management systems and processes

C8 Security Standard Operating Procedures are appropriate and proportionate to the nature of security risks

C9 Security legal and regulatory requirements are monitored, with changes reflected in systems and procedures

P4 Security Compliance

C10 A Security compliance plan is in place


C11 Information systems are regularly reviewed to ensure compliance with the Security Group Standard

C12 Agreed actions are closed out


5.2 Key processes and controls

Responsibility for ensuring controls are in place and operating effectively: Group (S105), Division (S106), Business Unit (S107), Contract/Function (S108), All Employees (S109)

P5 Incident Management and Reporting

C13 Security incidents are recorded on ASSURE

C14 IT equipment is surrendered, where required, to a designated investigator within one working day for any security incident investigation

C15 Corrective and preventative actions arising from investigations are monitored and completed, with learnings shared to ensure continuous improvement

P6 Training, Awareness & Competence

C16 Mandatory Group security training is completed by all employees and third party employees performing work on behalf of Serco

C17 Security training given to staff provided by third party organisations must be equivalent to or to a greater standard than Serco mandated security training

C18 Completion of mandatory security training is recorded and monitored

C19 Mandatory security training is completed annually for both information and non-information workers

P7 Objectives, Targets and Performance Monitoring

C20 Group-wide objectives and targets are set annually for security


C21 Performance against security objectives and targets is monitored by the relevant Security Lead and reported

P8 Manage Security Risks

C22 Risk registers include physical, personnel, information and service delivery security risk, and are reviewed, as a minimum, quarterly

C23 Security risks are effectively managed through the implementation of mitigating controls

C24 Information assets risk assessments will include the protection of information that has a national, commercial or personal value from unauthorised disclosure, modification or denial of access

C25 Physical security risk assessments include:
– Protection of people, buildings, vehicles, equipment and other physical assets
– Securing high value or attractive items
– Controlled access to buildings and other areas
– Reference and input to related business continuity/disaster recovery/major incident plans

P9 Information security

C26 Serco information is classified in accordance with recognised Serco protective marking schemes. Where customer information is held locally this is marked in accordance with the customer’s protective marking schemes


C27 Non-disclosure agreements are in place for third party suppliers or partners given access to sensitive, customer or Serco Business/Serco Restricted and Sensitive data

C28 Encryption methods are deployed on PCs located outside of Serco premises, portable devices and removable media, and when data is transmitted using email and other electronic file transfer systems to third parties

C29 Non-Serco PCs/devices or removable media that are used to store Serco Business or Serco Restricted and Sensitive data have an approved method of encryption and corporate device management, unless permanently located wholly within secure Serco premises

P10 Personnel Security

C30 A vetting and screening capability is implemented to ensure proportionate and appropriate processes are in place

P11 Physical Security

C31 An appropriate and proportionate physical security environment is implemented

C32 Guidance and instructions are provided regarding Working From Home


P12 Asset Disposal

C33 Records are maintained of secure disposal of assets in accordance with section 2.11

C34 A secure logistics service is used to dispose of unencrypted hardware

C35 All data is securely wiped using a Group approved methodology

P13 PCI-DSS compliance

C36 Any payment card processing is compliant with the current Payment Card Industry – Data Security Standard (PCI-DSS) and compliance is verified by an external PCI-DSS accredited qualified security assessor unless documented as not required by the Divisional Security Manager

P14 Data Protection

C37 A data map is maintained to include the type of personal information collected and retained

C38 Personal information is protected from threats, in accordance with local legislation and the Data Protection GSOP

P15 Third party providers and outsourcing are managed

C39 Third parties and outsource partner contracts are reviewed and approved by the relevant Architecture Board, to ensure adequate security requirements


C40 Before engaging a third party or outsourced arrangement, a security assessment is completed

P16 Technical Infrastructure Security

C41 Any third party access to Serco systems is controlled, approved, regularly monitored and terminated immediately when access is no longer required

C42 Default passwords are changed

C43 The Service Desk is notified of leavers promptly to ensure access rights are revoked

C44 Lost or stolen mobile/portable devices are reported on ASSURE and to the Service Desk

C45 The development or customisation of applications is risk assessed and endorsed and approved by the relevant Architecture Board, to ensure necessary security controls are implemented15

C46 No live data will be used in the testing or development environment

15 Divisional Security Manager & Divisional IT lead


P17 Cloud Computing Security

C47 The use of any Cloud services is approved by the relevant Enterprise Architecture Board


6 Supporting Documentation and Guidance

Ref Document

SMS GS-S1 Information Systems Group Standard

SMS GS-BC1 Acceptable Use Group Standard

SMS GS-G1 Consequence Management Group Standard

SMS GS-P1 Employee Lifecycle Group Standard

SMS GS-RM1 Risk Management Group Standard

SMS GSOP IT1-1 Technology Solution Architecture Review GSOP

SMS GSOP O1-2 Incident Reporting and Management GSOP

SMS GSOP S1-2 Third Party and Outsourcing GSOP

SMS GSOP S1-3 Data Protection GSOP

SMS GSOP S1-5 Information Privacy Classification GSOP

SMS GSOP S1-7 Asset Disposal and Reuse GSOP

SMS GSOP S1-15 (Data) Privacy Impact Assessment GSOP

SMS GSOP S1-20 Cloud Services Security GSOP

7 Definitions

Term Definition

Accountability: Being accountable means being not only responsible for something but also answerable for your actions.

Responsibility: A responsible person is the individual who completes the task required. Responsibility can be shared and delegated. All responsible persons will also be accountable for completing tasks effectively. Non-compliance will have consequences which may include disciplinary action as defined within the Consequence Management Group Standard.

Group: Serco Group plc is the administrative centre of the organisation, responsible for setting corporate strategy, defining governance requirements and supporting the business in its day to day operations.

Division: The Group will define a set of business Divisions which will be responsible for business delivery within a defined set of markets or geographies.


Business Unit: A Business Unit is a cluster of contracts which provide a similar service e.g. Health, Defence, Transport etc. Where appropriate, a separate legal entity wholly owned by Serco, or in which Serco has a controlling share, may also be referred to as a Business Unit. This may also refer to Countries/Territories.

Contract: A Contract provides specified requirements to a customer (either directly with Serco or to a consortium/Joint Venture in which Serco is a party). A Contract will also refer to a corporate/functional area. Corporate/functional areas are functions which support the business and they include finance, HR, procurement etc.

Contract Manager: This refers to a manager with responsibility for managing the performance of a contract and can include a Contract Manager on a day-to-day basis (or Operational Manager with devolved responsibility), a Contract Director, Partnership Director and/or a Business Unit Managing Director.

Assets:
– All computer hardware, including: desktops, laptops, servers, disk drives/disk arrays
– All network hardware, including: servers, switches, routers, blade devices, intrusion detection systems
– Any removable media or portable storage device, including: CDs, DVDs, removable hard drives, memory cards, tapes, USB storage devices, floppy disks, flash disks, mobile phones, PDAs/BlackBerrys, voice recordings
– Printers, and in particular printers with hard drives, printer ribbons, fax machines
– All Serco in Confidence and Serco Internal information held on Serco systems, including all credit/debit card records
– Any hard copy, handwritten or printed document, paper, report or correspondence that contains Serco in Confidence, Serco Internal or equivalent information

BYOD: Bring Your Own Device - the policy (where permitted) of allowing employees to bring personally owned devices (e.g. laptops, tablets, etc.) to their workplace, and use those devices to access privileged company or customer information and applications.

Cloud Computing: The practice of using a network of remote servers hosted on the internet to store, manage, and process data, rather than a local server.

Data Controller: A person who determines the purposes for which and the manner in which any personal information is, or is to be, processed.

Information security: The preservation of confidentiality, integrity and availability to authorised users of information (held in any form), whether in storage, processing or transit. Other properties, such as authenticity, accountability, non-repudiation and reliability, can also be involved.

Information System: A set of components organised and coordinated in order to collect, create, store, process, and distribute information. Typically, its components will include information technology (e.g. hardware, software, networks), but could also be a manual or paper based system.

Information Worker: An employee who regularly uses a computer for their job.

Non-Information Worker: An employee who very rarely or never uses a computer for their job.

Personal information: As defined in the country or territory of operation, or in the absence of any definition, as defined in the Data Protection Standard Operating Procedure (SMS GSOP-S3).

Personnel security: The process by which all employees meet and maintain the Company’s standards of loyalty, suitability, reliability and trustworthiness. Further measures may be required to meet specific customer requirements.

Physical security: The physical measures designed to safeguard personnel, to prevent unauthorised access to equipment, installations, material and documents and to safeguard them against espionage, sabotage, damage and theft.

Software as a Service (SaaS): Software that is owned, delivered and managed remotely by one or more providers. The provider delivers software based on one set of common code and data definitions that is consumed in a one-to-many model by all contracted customers at any time on a pay-for-use basis or as a subscription based on use metrics. SaaS is typically accessed by users using a thin client via a web browser.

8 Further information and support

If you require any further information or support regarding this Group Standard, or if you have any suggestions for improvement, please contact the Accountable Policy Owner (Group) or email [email protected]