Section G of the SEC sets out the security arrangements for Users and the DCC to comply with to ensure the security of the End-to-End Smart Metering System. These arrangements cover system security, organisational security and information security.
Part of these security arrangements includes Users (and Parties wishing to become Users) having to undergo a cycle of Security Assessments. These assessments are performed by the organisation appointed by the Panel to undertake the roles of User Independent Security Assurance Service Provider and Independent Privacy Auditor, collectively known as the User Competent Independent Organisation (CIO).
The Security Assessments are to ensure Users’ compliance with their obligations and requirements set out in SEC Sections G3-G6. Initially, a Full User Security Assessment is required as part of the User Entry Process (set out in SEC Section H1). The cycle of assessments following this initial assessment is dependent on the type and size of User.
The Initial Full User Security Assessment can be undertaken as a staged assessment. This allows Parties an initial review of the high-level scope and governance, followed by a break before the User CIO performs a detailed compliance review. The length of the break between Phase 1 and Phase 2 is up to the Party being assessed. Further detail on this staged approach can be found in the Security Controls Framework (SCF). Parties wishing to have a two-phase assessment should indicate this when submitting their application form.
Party Assurance Status
Following the completion of an Initial Full User Security Assessment the Panel will be provided with the outcomes of the assessment in order to assign the Party with an assurance status, with the support of the Security Sub-Committee. As per SEC Section G8.34, the Panel shall assign one of four assurance statuses. In order to complete the User Entry Process, the assurance status must be set to Approved (in one of the two forms). Further description of the assurance statuses can be found in the SCF and the Security Guidance document (available in the documents section).
In order to aid understanding of the assessment process and security requirements a number of documents are available, which are described below.
Security Assessment Processes
SECAS have compiled process flows of both the pre-assessment process (initial engagement through to the User CIO commencing the assessment) and the post-assessment process (from the User CIO producing their assessment report through to the SEC Panel setting a Party’s assurance status). These are compiled for the benefit of SEC Parties and are available for download on the right-hand side of this page.
Security Controls Framework (SCF) - please click here to be directed to the SCF webpage
The SCF details the User Security Assessment Methodology to be applied during a Security Assessment. It describes the types of evidence the User CIO would expect to see to demonstrate compliance against each obligation and describes the User CIO’s working practices. The SCF has been developed to ensure consistency across assessments, as required by the SEC.
Before undergoing an assessment, it is recommended that you become familiar with the SCF, the obligations that you will be assessed against, and the examples of the evidence expected to be produced during your assessment.
Booking and Charges
Those seeking to book a Full User Security Assessment should complete the Booking Form and submit it to SECAS@Gemserv.com. A member of the SECAS team will be in contact following your submission to discuss your request. We require requested assessment dates to be at least twelve weeks after the date the request is submitted. Please note that Security and Privacy Assessments can be performed by the User CIO in parallel.
The rate card for assessments is available in the documents section on this page following member login.
Booking amendments and cancellations
SEC Parties wishing to reschedule or cancel their assessment are required to do so at least four weeks in advance of their assessment date. After this point a cancellation fee of 25% of the total cost is chargeable. Please note that User CIOs are entitled to recover any costs they may have incurred relating to an assessment, regardless of the notice provided. Cancellation requests should be submitted to SECAS@gemserv.com.