Facilities and Security Schedule V1.4

Audit, Risk Management and Compliance
Sky Supplier Security Standard V2.9
Introduction
Sky operates in an environment of significant legislative, regulatory and industry standards
compliance requirements and must have continued assurance that information and data for
which Sky is responsible is secure against accidental or unauthorised disclosure, manipulation,
damage or loss.
Sky implements security controls across its business and in its computer facilities with the aim
of ensuring the confidentiality, integrity and availability of data. Sky requires that the same
level of protection is in place for data handled by its suppliers and that they are aware of the
risks that exist if controls are missing or where known vulnerabilities remain to be addressed.
This Sky Security Standard (the “Standard”) contains the information assurance controls Sky
requires its suppliers and business partners to employ when they are entrusted with handling
Sky Data or materials. Sky considers these controls to be the minimum standards to be
implemented across a supplier's systems and infrastructure.
This document forms part of the Agreement and as such sets out the contractual obligations
Sky places on suppliers in regards to security controls.
All suppliers who process personal data are categorised by Sky as either “Tier 1”, “Tier 2” or “Tier
3”. Tier 1 suppliers are those who process data that is classified as “Secret” by Sky; while Tier 2
suppliers are those who process “Confidential” data. Suppliers that process all other types of
personal data are classified as Tier 3. Guidance on the application of these definitions can be
found in Appendix 1.
This Standard sets out in separate sections the controls that are applicable to suppliers who
process Tier 1 or Tier 2 data. While these controls do not apply to Tier 3 data, all Sky Data
should be processed safely and securely regardless of its classification.
Sky wishes to draw particular attention to the fact that a Supplier who is originally classified as Tier 2 but then, by virtue of receiving additional data in the course of that service or where additional services are provided, becomes the holder of Tier 1 data, will be expected to adhere to the standards set out in the Tier 1 section before receiving the new data or providing the additional services.
We also draw attention to the fact that the requirements of this Standard apply only to those
locations and associated systems and controls that are used to process Sky Data. This means
that if the Supplier has multiple locations, only those that are used to process Sky Data are
within scope of this Standard, and for systems, only those systems used to process Sky Data.
The provisions contained in this Standard are supplemental to, and in addition to, any other
contractual terms contained in the Agreement and, except to the extent that the Supplier and
Sky expressly agree to the contrary, in writing and signed between them, the terms of the
Agreement shall not be construed as limiting the provisions of this Standard (and vice versa).
To the extent that there is any conflict between the provisions of this Standard and the
Agreement, this Standard shall prevail.
Version 2.9. Review Date March 2015. Reference: Sky Supplier Security Standard. © Sky UK Limited – All rights reserved. Restricted.
Tier 2 Suppliers
The requirements set out in this section are only for those suppliers who are categorised by
Sky as “Tier 2”, which are those that hold Sky’s Confidential Data.
The Supplier’s compliance with these requirements, as they apply to personal data, will be
assessed by Sky’s Audit, Risk Management and Compliance (“ARMC”) department. This work will
be performed prior to Supplier being given access to Sky Data and will entail, at a minimum, an
assessment of the Supplier’s responses to this Standard and may include an on-site audit,
depending on the type of data to be held, and the volume.
The process to be followed will already have been set out in writing by your Sky Business
Relationship Owner.
ARMC is happy to work with suppliers to address any issues that arise as a result of requiring
compliance with this Standard.
Where the Supplier holds external validation or certification over the systems and processes
that will be used to protect Sky’s Data and/or Sky Materials such as an SSAE16 (or equivalent), a
copy should be provided to Sky in addition to the completion of obligations in this Standard.
Suppliers will be required to complete an annual re-certification when requested by ARMC
which may also involve an on-site visit, in accordance with Sky’s policy of visiting all suppliers
who hold Sky Data as part of a rolling programme of audits.
Tier 1 Suppliers
The requirements set out in this section are only for those suppliers who are categorised by
Sky as “Tier 1”, which are those that hold Sky’s Secret Data.
Tier 1 suppliers must obtain annual independent certification to demonstrate the operation of
the controls set out in this Standard.
The independent certification must be provided prior to the initial receipt of data, and annually
thereafter, in accordance with the timetable communicated to the Supplier by ARMC.
The review to support such independent certification should be conducted against
appropriate professional standards and be delivered against the International Standard on
Assurance Engagements 3402; “Assurance Reports on Controls at a Service Organisation”; an
SSAE16 report; or a report in an equivalent format.
The SSAE16 reports for new suppliers should be in the form of ‘type 1’, as at a point in time, to
demonstrate that controls are in place prior to receiving Sky Data and, in subsequent years, in
the form of ‘type 2’, which confirms the operation of the controls over the preceding 12 month
period.
The report must set out the controls that are in operation to demonstrate compliance with
this Standard and specify the testing that has been performed by the independent verifier and
the results.
The review should be commissioned directly by the Supplier and should, after the initial submission, be for the 12 month period ending 31 December of each year. The report should be executed by PricewaterhouseCoopers, E&Y, Deloitte, KPMG, Grant Thornton or Detica.
A Supplier who intends to use an alternative verifier must seek approval in writing from Sky in
advance to confirm that the verifier is acceptable to Sky.
The terms used in this standards document are defined in Appendix 1.
Sky Security Standard for Tier 2 Suppliers
The following requirements apply only to those suppliers who have been designated by Sky as
Tier 2. The requirements for Tier 1 suppliers are set out in a separate section in this document.
1 Anti-Bribery and Corruption
1.1 The Supplier shall provide a copy of employee codes of conduct covering anti-bribery and corruption, whistle-blowing and ethics policies in place that have been clearly communicated to all staff.
1.2 Show that there are mechanisms in place to ensure compliance with these policies.
2 Data Protection Governance
2.1 Accountability for data protection across all jurisdictions is clearly assigned.
2.2 A clear data protection policy, which includes retention and destruction times, is in place.
2.3 Day to day responsibilities for data protection have been clearly defined and communicated to all relevant staff.
2.4 A training log demonstrating that all staff with access to Sky Data have successfully completed data protection training is maintained.
2.5 Staff are aware that they need to notify Sky of any security breaches relevant to Sky.
2.6 A process is in place to advise Sky of any data protection breaches.
2.7 There have been no unreported data breaches in the last 12 months.
3 Notice, Choice and Consent
3.1 Supplier will advise Sky in writing if the processing of data changes from what was originally intended under the contract with Sky, and this must be notified to Sky before any change in processing occurs.
3.2 The Supplier will provide individuals whose data is likely to be processed with an additional privacy notice, before such additional processing, that specifies how the Supplier intends further to process the data and for what specified purpose.
3.3 The processing of Sky Data will be justified either:
(i) through having obtained the consent of the individuals; or
(ii) by another condition notified to Sky in advance of the change.
4 Data Collection
4.1 Data collected and/or processed by the Supplier will be restricted only to that which is required to fulfil the Services.
4.2 Where marketing activities are carried out on Sky’s behalf, such marketing must be carried out in accordance with the scope of the individuals’ permissions, and such scope and permissions can be evidenced for each individual.
4.3 There are controls in place to ensure that consumers’ chosen marketing preferences are adhered to.
4.4 Where web sites are used to collect Sky Data and/or cookie codes, this is done in accordance with the privacy notice displayed on the website and any other applicable privacy and cookie statements.
4.5 Supplier has a policy explaining how it uses personal data and cookies (if they are used).
5 Subject Data Access
5.1 Supplier staff are aware how to identify a subject access request (“SAR”) and what to do when they receive a SAR relating to Sky Data.
5.2 The Supplier has the requisite functionality on all systems which will hold Sky Data and/or Sky Materials to enable the Supplier to comply with SARs on a timely basis.
6 Data disclosure to Third Parties (including for all Subcontractors)
6.1 Where Sky Data will be processed by third parties including Subcontractors, the Supplier will provide:
(i) A list of all third parties;
(ii) What data will be accessible by them; and
(iii) How the Supplier will ensure the data is kept secure.
This includes, for example, outsourced data centres or call recording suppliers.
6.2 Where Sky Data is processed by a third party, written contracts are in place with all such third parties to cover the disclosure of Sky Data to them.
The Supplier will state whether those contracts require the third parties to have in place the same levels of control and security as set out in this standard and how the Supplier assures this is the case.
6.3 If Sky Data will be processed outside the European Economic Area, there is a written agreement in place covering such processing.
This would include, for example, where data or backups are processed by teams in overseas outsourced data centres or in the Cloud.
7 Supplier Responsibilities and Subcontractor Management
7.1 Responsibilities for physical security, risk management and IT security are clearly defined and allocated.
7.2 The Supplier has a contractual obligation to conduct a full annual security audit of all Subcontractors who will hold Sky Data.
The Supplier has conducted such audits at the Subcontractor in the past; or
The Supplier intends to conduct such audits if the Subcontractor is new under the proposed contract and the Supplier will notify Sky by when these audits will be conducted.
7.3 The Supplier will notify Sky if it intends to process Sky Data and/or Sky Materials in such a way as to aggregate and/or anonymise the data for Supplier use.
7.4 The Supplier will notify Sky if it intends to process or otherwise make use of Sky Data, and/or Sky Materials for any purpose other than that which is directly required for the supply of the Services.
7.5 The Supplier maintains a register of data protection breaches, reportable to Sky, which includes breaches that have arisen under the conduct of a Subcontractor.
7.6 All complaints relating to personal data, including complaints received by Subcontractors, are captured and recorded.
8 Personnel Security
8.1 Where appropriate to the nature and classification of data handled by the Supplier, and as agreed with Sky, screening checks may be conducted on Supplier Personnel including reference checks and, where applicable, financial probity checks. As appropriate to the job role and permitted by law, criminal record checks are to be conducted.
Where appropriate, these checks are refreshed on a periodic basis.
The results are logged and recorded.
8.2 All Supplier Personnel sign an agreement which requires them to keep information confidential. This also covers Sky Data and/or Sky Materials.
8.3 The Supplier has a comprehensive code of conduct in place which includes requirements for Supplier Personnel to demonstrate awareness of procedures around breaches of security.
8.4 As part of the Agreement, Supplier Personnel are required to agree to adhere to all Supplier company policies, rules and procedures, including applicable data protection policies.
8.5 There is a clear process to handle Supplier Personnel who terminate their services with the Supplier.
Access to Sky Data, facilities and Sky Materials is removed from those Supplier Personnel within one week.
9 Physical and Environmental Security
9.1 The Supplier has a clearly defined physical security policy and related standards.
9.2 The requirements of the physical security policy are applied to all locations that will be used to support Sky operations, including locations used by Subcontractors who will process Sky Data.
9.3 Access to all entry points where Sky Data will be processed, including those at locations used by Subcontractors, is restricted and logged.
9.4 The access logs are reviewed.
9.5 Controls are in place at all premises where Sky Data will be held, to prevent unauthorised individuals from entering.
9.6 Physical and environmental controls are in place within the data centre(s) and communications rooms, including those provided or used by Subcontractors, in order to protect against the loss or damage to the premises or equipment.
9.7 The areas in 9.6 above are covered by an internal and external CCTV system which is used and monitored.
The system has sufficient coverage and capability to monitor reception areas, exit / entry points, and vulnerable or sensitive / confidential working areas.
9.8 A monitored alarm system is in place across all sites to be used for Services.
9.9 A clear desk policy is operated at all sites where Sky Data is processed.
10 Incident Response
10.1 All security incidents are logged with their origin and resolution recorded.
10.2 There is a clear escalation process.
11 Business Continuity and Disaster Recovery
11.1 There are business continuity and disaster recovery plans in place.
11.2 The plans are tested annually.
11.3 Off-site backups are taken on a regular basis and are encrypted and securely transported.
11.4 Capacity monitoring is in place for those systems that will support the Services.
12 IS Security
12.1 The Supplier adopts Sky’s IS security policy and standards; or
The Supplier has its own IS Security policy of equal rigour in place, and will provide a copy to Sky.
12.2 All Supplier systems and related control processes to be used to process Sky Data are compliant with Sky’s Group IS Security policies and standards; or
Supplier systems that will be used to transmit and/or store Sky Data adhere to the supplier's own IS security policy.
This includes but is not limited to:
• Network (including firewall and intrusion detection) security
• Malicious code prevention including anti-virus (state frequency of updates)
• Encryption (provide type)
• Masking of personal data (for financial transactions)
• Patching (state frequency and approach, particularly with reference to security patches and associated criticality)
• Cookies (state how supplier adheres to applicable privacy law requirements as illustrated by ICO guidance)
12.3 All Sky Data is transferred or exchanged via secure channels and/or where technically possible, subject to an appropriate level of encryption.
12.4 Penetration testing is regularly conducted on the network perimeter and infrastructure, and websites used to host, process or transmit Sky Data.
12.5 The Supplier will provide details of the date the last tests were performed and whether any identified issues have been resolved.
12.6 Reviews of firewall and remote access logs are performed on a periodic basis.
12.7 Systems which will hold Sky Data enforce areas such as:
(i) Unique user identification and prevention of shared logon credentials;
(ii) Complex passwords (state the minimum length enforced by the systems and applications processing Sky Data, whether they are alpha numeric and what the expiry period is);
(iii) Controls to track the addition and deletion of users and regular review of allocated rights and privileges;
(iv) Controls to log sensitive user transactions;
(v) Default (admin) user name and passwords are changed; and
(vi) Segregation of duties.
12.8 System development, test, and production environments are separated to reduce the risks of unauthorised access or changes.
12.9 All new services, applications and tools used to enable or support the hosting, processing or transmission of Sky Data, or changes made to them, are subject to an appropriate level of testing conducted in accordance with appropriate guidance (such as OWASP) before launch.
Sky Data is not used for testing purposes unless it has been suitably anonymised such that it no longer represents personally identifiable data.
12.10 Use of any media to record, store or process Sky Data (including hard copy output, laptops, USB sticks, pen drives, CDs, or other magnetic media) is suitably authorised, handled, transported and encrypted.
12.11 There is a log of system changes which details why the changes were required, who approved them and how and when the changes were executed.
13 Data Management
13.1 The Supplier follows Sky’s Data Retention and Destruction policy and standards or alternatively the Supplier has its own policy of equal rigour, and will provide a copy to Sky.
13.2 The Supplier will state its proposed retention period for Sky Data (listed by type if a single period is not to be enforced).
13.3 Processes are in place to ensure and demonstrate compliance with the policy.
13.4 The Supplier has a process in place to ensure maintenance of the integrity and accuracy of Sky Data.
13.5 The Supplier has a process to authorise who receives all reports that the Supplier intends to generate that contain Sky Data.
14 Customer Protection
14.1 Where Services involve the Supplier in direct interaction with customers, the Supplier provides ID passes for those personnel who will interact with customers, for example by visiting customers’ premises.
14.2 The Supplier has a procedure in place for dealing with vulnerable customers.
15 Continued Compliance
15.1 The Supplier will maintain compliance with this Standard at all times during the provision of the Services and will notify Sky promptly in the event that it is not at any time fully compliant.
15.2 The Supplier will provide any other information that would assist Sky in assessing the Supplier’s control environment relevant to the services provided to Sky.
Sky Security Standards for Tier 1 Suppliers
The following requirements apply only to Tier 1 suppliers and should, as noted, be subject to
independent verification.
1 Anti-bribery and Corruption
1.1 The Supplier shall at all times:
- maintain an anti-bribery and corruption policy which complies with the Bribery Act 2010 and any other applicable statute, regulation or industry code, and has top level management support;
- ensure that proportionate procedures are put in place to mitigate the bribery risks faced by its organisation;
- ensure that the anti-bribery and corruption policies are adequately communicated to employees and appropriate training is provided and can be evidenced; and
- ensure that a whistle blowing policy/grievance procedure exists so that alleged instances of bribery and/or corruption can be reported on a confidential basis and that there is a means available for personnel to report security issues other than via line management as necessary.
2 Data Protection
2.1 The Supplier shall at all times ensure that a Data Protection policy exists, across all jurisdictions, to safeguard data in accordance with the terms of the Agreement, the Data Protection Act 1998 and any other applicable statute, regulation or industry code.
2.2 Where any Sky Data is intended to be transferred, stored or processed outside the European Economic Area (“EEA”) the Supplier shall provide in advance of any transfer full details of the locations and what data is to be transferred, stored or processed outside the EEA for Sky approval, such approval not to be unreasonably withheld.
2.3 The Supplier shall maintain a controlled paper environment by ensuring that paperwork shall be kept to a minimum and where appropriate for the services provided to or on behalf of Sky, that Sky customer financial data (including, but not limited to, payment card or bank detail) is never written down or otherwise extracted from the appropriate system.
2.4 The Supplier shall ensure that shredding facilities or confidential waste bins are present in each operations area and a process is implemented to suitably dispose of such material securely.
3 Payment Card Industry Data Security Standards (where applicable to services)
3.1 Where financial transactional functionality is (or becomes) a part of Services to Sky, the Supplier shall:
- comply with the latest version under the PCI DSS requirements;
- maintain a strategy for PCI DSS compliance in accordance with the Supplier’s corporate information security policy which addresses each of the PCI DSS requirements and shall assign responsibility for PCI DSS to a designated person or compliance function;
- provide evidence annually to Sky of PCI compliance through external certification or self-assessment declaration;
- provide Sky with access to evidence that is used in supporting the supplier’s PCI compliance accreditation upon request;
- ensure that a current network configuration diagram is produced and maintained to show clear data flows (including Sky’s payment card transactions) and to ensure that all connections (including Sky’s cardholder data) are identified, including any wireless networks;
- not disclose Sky cardholder data to any third party or entity with the exception of where this is authorised by Sky under the provision of Services to Sky or required by law;
- maintain and provide on request a scope of the environment that is included in the assessment (e.g. Internet access points, internal corporate network) and identify any areas that are excluded from the PCI DSS Sky cardholder data environment;
- maintain and provide on request details of any gap analysis that has been produced either internally or by a PCI DSS Qualified Security Advisor (QSA). This shall include details of the most recent Self-Assessment Questionnaire or Report on Compliance;
- maintain and provide on request results of the most recent mandatory compliance or vulnerability scans as required by the PCI DSS;
- maintain and provide on request details around any compensating controls to achieve risk mitigation in areas which do not meet the PCI DSS requirements; and
- inform Sky immediately on any changes affecting the Supplier’s compliance status.
4 Supplier’s Responsibilities and Subcontractor Management (including Cloud services)
4.1 The Supplier shall have in place a dedicated in-house security risk management function or nominate an appropriate member of the Supplier personnel to take ownership of the control areas.
A nominated individual shall act as the point of contact for Sky, ensure adherence to the escalation process, facilitate any review meetings and manage any remediation and restoration plan in the event of any breach.
4.2 The Supplier shall maintain a register of the security risks related to the provision of its Services to Sky, to Sky Data and to Sky Materials. That register shall be maintained to show the nature and extent of, and progress made in, mitigating the identified risks.
4.3 The Supplier shall notify Sky, and obtain Sky approval, before engaging any subcontractors including but not limited to data centres used in the provision of the Services to Sky.
4.4 The Supplier shall provide full details of any Subcontractor(s) that as a minimum shall include company name, address, location, type of services to be provided and the volume, frequency and nature of Sky Data to be used.
4.5 The Supplier shall:
- not process or otherwise make use of Sky Data, and/or Sky Materials for any purpose other than that which is directly required for the supply of the Services;
- only perform such Services in accordance with the Agreement;
- not purport to sell, let for hire, assign rights in or otherwise dispose of any of Sky Data or Sky Materials;
- not make Sky Data or Sky Materials available to any third party without the prior approval of Sky; and
- not commercially exploit Sky Data or Sky Materials unless expressly approved by Sky.
4.6 The Supplier shall establish and at all times maintain safeguards against the destruction, loss or alteration of Sky Data and Sky Material in the possession of the Supplier.
4.7 The Supplier shall ensure that it maintains written agreements with all Subcontractors that contain security controls, service definitions and delivery levels commensurate with the requirements set out in this document, and such are implemented, operated, and maintained by the Subcontractor(s) at all times and in any event the Supplier must ensure that such controls, definitions and levels are in place before:
- any data is processed by the Subcontractor; and
- the Subcontractor commences the provision of services to Sky or the Supplier.
4.8 The Supplier shall conduct annual security audits at all Subcontractors to confirm that the controls set out in this document and as noted in 4.7 above are in place and being operated by the Subcontractor and the Supplier will maintain evidence of these audits to include any security risks, recommendations and remedial actions suggested and implemented.
Supplier security audits shall be conducted in accordance with this Standard and in any event before:
- any data is processed by the Subcontractor; and
- the Subcontractor commences the provision of services to Sky or the Supplier.
4.9 The Supplier shall provide a copy of the audit reports to Sky upon request. The Supplier shall notify Sky of any identified issues or deficiencies and the timeframes for their resolution on an on-going basis.
4.10 The Supplier shall ensure that it is not reliant on any key single individual to support Services anywhere in its supply chain.
5 Personnel Security – before employment
5.1 The Supplier shall ensure that a written policy exists for pre-employment screening and that the screening status and results of all Supplier personnel on the Sky account or with access to Sky Data or materials are fully collated, kept on record and made available to Sky for audit and compliance purposes.
5.2 The Supplier shall obtain two references prior to personnel completing training, and commencing operations to process Sky’s data. Such references may be verbal, but must be verified, fully documented and auditable. Where reasonably possible, the Supplier shall obtain at least one reference from a previous employer or academic professional.
5.3 The Supplier shall ensure that the application process and contractual process contain declarations to cover criminal convictions as per the terms of the Rehabilitation of Offenders Act 1974, pending criminal investigations or adverse financial probity judgements such as county court judgments or bankruptcy rulings.
5.4 The Supplier shall have a comprehensive disciplinary policy, code of conduct & work rules in place to protect the interests and safety of Supplier personnel and the Services. That policy, code of conduct or work rules shall clearly define breaches of security, indicating examples of what is classed as misconduct and the possible consequences of such misconduct.
5.5 The Supplier shall ensure that the application process and contractual process include requirements to obtain authorisation to cover pre or post-employment (‘Security Screening Waivers’), including authorisation for the Supplier to obtain County Court Judgment, and/or Criminal Record reports where appropriate and relevant.
5.6 As appropriate to the job role and permitted by law, the Supplier shall ensure that a basic
level criminal record check and security disclosure is conducted with Disclosure Scotland
or other reputable agency (the “Criminal Record Checks”) against all Supplier personnel
who process Sky’s data or materials and that these checks are completed before the
personnel process Sky’s data. If the declarations or the relevant Criminal Record Check
reveal adverse findings then the Supplier shall comply with Sky’s ‘CRC non-acceptance
criteria guidelines’ (provided by Sky to the Supplier from time to time and incorporated
into the Agreement by reference) and outlined at Appendix 2 and shall in every case
bring this to Sky’s attention for consultation.
5.7 Where the Supplier’s business function includes financial payment transactions, the
Supplier shall ensure that a financial probity check (including checks for adverse County
Court Judgments and bankruptcy rulings) is conducted with Experian or other reputable
agency (the “Financial Probity Check”) against all Supplier personnel who process Sky
Data. If the declarations or the relevant Financial Probity Check reveal any adverse
County Court Judgments or bankruptcy rulings then the Supplier shall comply with Sky’s
‘financial probity non-acceptance criteria guidelines’ as provided by Sky to the Supplier
from time to time and outlined at Appendix 3.
5.8 Where appropriate to the nature and classification of data handled by the Supplier and
as agreed with Sky, the Supplier shall ensure that all Background Checks (which shall
mean reference check, if appropriate to the job role and permitted by law, criminal record
checks and, if applicable, the Financial Probity Check) shall be conducted at the Supplier’s
cost and within a reasonable time period and in any event shall be completed prior to
such Supplier personnel commencing provision of the Services (excluding training). The
Supplier shall bear all training and attrition costs if any Supplier personnel are removed
from the Services as a result of an adverse finding on any declaration or Background
Check.
5.9 The Supplier shall ensure that all personnel sign a non-disclosure agreement relating to
Sky Data and Sky Materials in the possession of the Supplier.
5.10 The Supplier shall ensure that all personnel enter into a written contract of employment
under which they agree to adhere to all company policies, rules/procedures, including all
data protection policies, and agree to assign all intellectual property created in the
course of providing the Services.
5.11 The Supplier shall ensure that a Security module forms part of the compulsory induction
and training programme sufficient to include data protection, acceptable use policy,
issues of confidentiality and company standards.
6 Personnel Security – during employment
6.1 Where appropriate to the nature and classification of data handled by the Supplier and
as agreed with Sky, the Supplier shall conduct a sample of random Background Checks on
existing personnel on an annual basis.
6.2 The Supplier shall review requirements on a regular basis with respect to security
awareness and knowledge of fraud and security issues with Supplier personnel and its
pre-approved Subcontractors throughout the provision of the Services.
6.3 The Supplier shall ensure that all personnel who process Sky Data have the appropriate
qualifications, skills and training to support the Services.
6.4 The Supplier shall consult Sky Group Security on a timely basis where personnel are
subject to a change of circumstance and assessed to be a risk to the Services, Sky Data
or Sky Materials.
7 Personnel Security – termination of employment
7.1 The Supplier shall carry out a ‘check list’ of actions, including exit interview, prior to the
conclusion of the departing personnel’s employment/assignment. This checklist of
actions shall also cover cancellation of access control privileges, user IDs/passwords and
all other entitlements required for access to the Supplier and Sky Systems and recovery
of any asset(s) that may contain Sky Data and Sky Materials.
8 Facilities and Equipment Security
8.1 The Supplier shall provide and maintain suitable accommodation, facilities, equipment,
space, furnishing, utilities and fixtures necessary to provide secure physical premises
that provide a safe working environment to provide the Services to Sky and which
adequately protect against loss or damage to the premises or to the equipment.
8.2 The Supplier shall protect power and telecommunications infrastructure carrying data or
supporting information services from interception or damage.
8.3 The Supplier shall implement uninterruptible power supplies (“UPS”) for critical
infrastructure and shall test the UPS regularly.
8.4 The Supplier shall ensure that all power supplies and fire safety mechanisms undergo
regular maintenance checks and that facilities comply with appropriate health and safety
standards.
8.5 Where Sky Data or Sky Materials are stored or processed, the Supplier shall provide
sufficient secure storage space for personnel to store those personal effects that are
capable of capturing and storing Sky Data and shall ensure that personnel utilise such
storage space.
8.6 The Supplier shall ensure that prominent security signage or information in suitable
electronic form detailing security policies and requirements are provided and displayed in
all relevant locations where Sky Data is processed.
8.7 The Supplier will not perform the Services from alternate sites without obtaining the
prior written consent of Sky, and any processing at alternate sites will be approved by,
and implemented at no additional cost to, Sky (unless any relocation is due to a specific
request from Sky) and as far as reasonably practicable without causing any material
disruption to the business of Sky or the Services.
8.8 Where Sky agrees to a shared Site, the Supplier shall:
- as a minimum, segregate or ‘ring-fence’ the area in which the Services take place for
Sky or advise Sky in advance if this is not possible and obtain agreement to the site
security being implemented; and
- ensure that the Services and facilities required to provide the Services to Sky permit
Sky’s data to be separately identified from the Supplier’s other customers.
9 Physical Security
9.1 The Supplier shall implement a policy identifying the requirements for physical access
and control of such access at its Sites.
9.2 Where an automated access control system is deployed, the Supplier shall ensure that
the system captures and records all access control events and that this record is
reviewed on an appropriate on-going basis.
In the event that an automated access control system is not able to check and verify that
all access is granted against employee ID passes, and is not able to prevent tailgating, the
Supplier shall deploy a physical security function, or other mitigating control, to enforce
compliance in this area.
9.3 The Supplier shall ensure that all Supplier personnel are individually identifiable and
issued with unique ID passes, which shall then be worn and visible at all times unless
alternative arrangements have been agreed in advance with Sky.
9.4 The Supplier shall be responsible for retrieving the identification cards of any Supplier
personnel that have had their assignment/employment terminated, transferred or where
those personnel otherwise no longer require access to the Site.
9.5 The Supplier shall ensure that an appropriate policy is in place to manage loss of ID cards
and ID cards not available for use at a specific location by Supplier personnel.
9.6 The Supplier shall operate a sign-in procedure for any visitors to the Sites, which, as a
minimum, requires visitors to prove their identity, log their name, company, the time and
date and the name of the person whom they are visiting at the relevant Sites.
9.7 Without prejudice to any of Sky’s remedies, sanctions for breaches of security
requirements shall be governed by the Supplier’s disciplinary policy.
9.8 The Supplier shall deny entry to visitors to the Sites who are not legitimately connected
with the Services being performed unless they are duly authorised to do so by the
appropriate management.
9.9 The Supplier shall inform all visitors of the existence of Site security policies.
9.10 The Supplier shall ensure that there is a manned guarding or other physical security
presence during hours of operation to Sites which are processing or storing Sensitive Sky
Data unless alternative arrangements have been agreed in advance with Sky in writing.
9.11 The Supplier shall ensure that there is a physical security response capability during out of
hours periods for those Sites storing or processing Sky Data.
9.12 The Supplier shall ensure security response personnel are instructed to take action as
appropriate or escalate the incident to a manager.
9.13 The Supplier shall have in place an internal and external CCTV system with sufficient
coverage to monitor reception areas, exit/entry points, and vulnerable or
sensitive/confidential working areas.
9.14 The Supplier shall implement, operate, support, and maintain alarm systems (including
appropriate environmental alarms), and access mechanisms.
9.15 The Supplier shall ensure a clear desk policy is operated and maintained within the Sites
where Sky Data is stored or processed.
9.16 When using data centre rackspace, the Supplier shall have the ability to identify Sky
rackspace and equipment used in the provision of the Services as well as implement
appropriate access controls to the equipment used in the provision of the Services.
9.17 With the exception of key Supplier personnel, the Supplier shall ensure that no mobile
devices are taken into the operations area.
10 Incident Response
10.1 The Supplier shall at all times maintain a security incident response procedure.
10.2 In the provision of Services to Sky and as part of the security incident response
procedure, if the Supplier becomes or is made aware of any contravention of privacy or
security requirements relating to the data, or of unauthorised access to the Systems, Sky
Data, Sky Materials or any Sky Systems including the Sky Network, the Supplier shall:
- immediately report the incident to Sky Group Security ([email protected])
and to the business relationship owner;
- promptly provide Sky with a written report setting out the details of the
contravention of the data security requirements and describing any Sky Data, Sky
Materials and/or Sky Systems which have or may have been compromised;
- provide Sky, at no additional cost, with all assistance required to restore the Sky
Data and any other assistance that may be required by Sky;
- preserve evidence, including its collection, retention and presentation to Sky Group
Security;
- return to Sky any Sky Data and/or Sky Materials;
- comply with all reasonable directions of Sky; and
- take immediate remedial action to secure the Sky Data, Sky Materials and/or Sky
Systems and to prevent recurrence of the same or similar contravention and
provide Sky with details of such remedial action.
10.3 If either a criminal situation or a breach of security rules occurs involving personnel
providing Services to Sky and such criminal situation or breach of security becomes
known to the Supplier, Sky must be notified as soon as practicable of the facts
surrounding the same.
11 Business Continuity Management
11.1 The Supplier shall identify the activities and processes that support Sky Services and
conduct a risk assessment of potential interruptions and identify their likely
consequences.
11.2 The Supplier shall develop a business continuity plan to restore business operations
following an interruption or failure to business processes (“Business Continuity Plan”)
within a time period agreed to be acceptable by Sky.
11.3 The Business Continuity Plan shall include arrangements to inform and engage
appropriate Sky personnel in its execution.
11.4 The Supplier shall test the Business Continuity Plan at least annually, unless otherwise
agreed in advance by Sky.
11.5 The Supplier shall at least annually review and update, as necessary, the Business
Continuity Plan.
12 Network Security
12.1 The Supplier shall maintain the confidential nature and integrity of Sky Data and Sky
Materials and the consistency of the Supplier and the Systems and data isolation needs
by:
- utilising secure network architecture and operations;
- ensuring that networks carrying Sky Data are designed, built, monitored, and
managed according to industry standards, best practices and frameworks such as,
but not limited to, ISO 27001, TOGAF, OWASP and ITIL, such that they enforce the
required information security policy boundaries;
- ensuring that those boundaries prevent unauthorised access to Systems and Sky
Data by default and allow only explicitly authorised and authenticated access;
- restricting and monitoring the use of tools and utility programs capable of overriding
system controls;
- utilising and maintaining appropriate firewall and security screening technology that
is designed to:
  o prevent unauthorised access to the Supplier and Sky Systems by prohibiting all
access by default and explicitly allowing authorised access; and
  o appropriately limit access to Sky Data and Sky Material processed by the
Supplier Systems.
12.2 The Supplier shall ensure that anti-virus and firewall protection systems are
implemented in relation to both internal and external traffic and ensure that:
- firewall platforms are hardened;
- firewalls have real-time logging and alerting capabilities;
- intrusion detection systems are implemented where Internet connections exist;
and
- access lists are implemented on network routers to restrict access to sensitive
internal networks or servers.
12.3 Remote support access shall be controlled via a secure gateway that implements the
following controls:
- two factor authentication (e.g. security tokens) combined with a valid, unique, user
account which ensures personal accountability;
- access via a secure gateway (e.g. a firewall);
- remote support accounts only enabled for the duration of troubleshooting activity;
and
- all activity is logged and reviewed.
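The last bullet of 12.3 (activity logged and reviewed) is only useful if the review actually tests the other three controls: a second factor on every login, a unique account per person, and accounts enabled only for the troubleshooting window. The script below is an added example of such a review, not part of the Standard or of any Sky or supplier tooling. The key=value gateway log format, the event names, the 15-minute grace between a session ending and the account being disabled, and the log lines themselves are all constructed for the example.

```python
"""Review of a remote-support gateway log against clause 12.3 (added example).

Assumed log format (constructed for this example): one event per line,
an ISO-8601 UTC timestamp followed by key=value pairs.
"""
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample: three vendor accounts on one support gateway.
SAMPLE_LOG = """\
2015-03-02T08:55:10Z gw=rsg01 event=account_enable account=vendor-jsmith by=ops-tlee ticket=INC0001
2015-03-02T09:00:03Z gw=rsg01 event=login account=vendor-jsmith src=203.0.113.7 mfa=token
2015-03-02T09:05:44Z gw=rsg01 event=login account=vendor-support src=198.51.100.9 mfa=none
2015-03-02T09:40:12Z gw=rsg01 event=logout account=vendor-jsmith
2015-03-02T09:41:00Z gw=rsg01 event=account_disable account=vendor-jsmith by=ops-tlee
2015-03-02T10:10:30Z gw=rsg01 event=logout account=vendor-support
2015-03-02T11:00:00Z gw=rsg01 event=account_enable account=vendor-akhan by=ops-tlee ticket=INC0002
2015-03-02T11:02:15Z gw=rsg01 event=login account=vendor-akhan src=203.0.113.8 mfa=token
2015-03-02T11:30:40Z gw=rsg01 event=logout account=vendor-akhan
"""

GRACE = timedelta(minutes=15)   # assumed tolerance between logout and account_disable
REVIEW_TIME = datetime(2015, 3, 2, 12, 0)   # when the reviewer runs the check
_TS = "%Y-%m-%dT%H:%M:%SZ"


def parse_line(line: str) -> Dict[str, object]:
    """Split '<timestamp> k=v k=v ...' into a dict; 'ts' becomes a datetime."""
    ts, _, rest = line.partition(" ")
    rec: Dict[str, object] = dict(kv.split("=", 1) for kv in rest.split())
    rec["ts"] = datetime.strptime(ts, _TS)
    return rec


def review(log: str, review_time: datetime) -> List[str]:
    """Return one finding per 12.3 breach visible in the log, in log order."""
    findings: List[str] = []
    enabled: Dict[str, datetime] = {}     # account -> time it was enabled for support
    last_logout: Dict[str, datetime] = {}
    for line in log.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        acct, event = rec["account"], rec["event"]
        if event == "account_enable":
            enabled[acct] = rec["ts"]
        elif event == "account_disable":
            enabled.pop(acct, None)
        elif event == "login":
            # Two factor authentication on every remote login.
            if rec.get("mfa", "none") == "none":
                findings.append(f"{acct}: login from {rec.get('src')} without a second factor")
            # Accounts are only enabled for the troubleshooting window; a login on an
            # account that was never enabled means standing access exists.
            if acct not in enabled:
                findings.append(f"{acct}: login on an account with standing (never enabled) access")
        elif event == "logout":
            last_logout[acct] = rec["ts"]
    # Anything still enabled at review time should have been disabled after the session.
    for acct, since in enabled.items():
        idle_from = last_logout.get(acct, since)
        if review_time - idle_from > GRACE:
            mins = int((review_time - idle_from).total_seconds() // 60)
            findings.append(f"{acct}: still enabled {mins} min after last activity")
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_LOG, REVIEW_TIME):
        print(finding)
```

On the constructed sample the review flags the shared `vendor-support` account twice (no second factor, and never explicitly enabled, so it has standing access) and `vendor-akhan` once (left enabled after the session). A real gateway would need a parser for its own log format, but the three checks map directly onto the three controls the clause names.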
12.4 The Supplier shall provide evidence that any third party remote support of Supplier
systems is authorised, governed by a contract detailing security requirements, including
logging of activity and that access is given with the minimum required privileges and
revoked on completion.
12.5 The Supplier shall have in place an internet, email and acceptable use policy and shall
ensure that appropriate controls are in place and documented to prevent unauthorised
access or download of software or web content by Supplier personnel.
12.6 The Supplier shall ensure that utility programs capable of overriding system and
application controls shall be restricted and tightly controlled.
12.7 The Supplier shall provide evidence on request by Sky of its chosen intrusion detection
strategy: what methods are employed, whether these are recognised intrusion detection
systems (“IDS”) or whether there is a reliance on other controls in place (firewalls, network
router/switch protection), and whether the function is outsourced.
12.8 The Supplier shall ensure that regular penetration testing exists as part of a vulnerability
strategy and shall agree the scope of penetration testing for the Services with Sky.
Further, the Supplier shall notify Sky of the results of testing and take action on the
recommendations in timescales commensurate with the associated risks.
13 Protection against Malicious Code
13.1 The Supplier shall install and maintain operational anti-virus protection software on all
relevant Supplier systems. The Supplier and its Subcontractor(s) shall use all reasonable
endeavours to detect hidden code or data that is designed to, or may have the effect of:
- destroying, altering, intercepting, withholding, corrupting or facilitating the theft of,
any Sky Data or Sky Material;
- disabling or locking software or systems; or
- using undocumented or unauthorised access methods for gaining access to Sky
Data, Sky Material or the Systems.
13.2 The Supplier shall ensure that anti-virus software and anti-virus definition files are
updated for all Supplier Systems that receive, hold, process or send Sky Data in
accordance with the relevant vendor’s guidelines and on a timely basis.
13.3 The Supplier shall promptly notify Sky as soon as it becomes aware of viruses in the
Systems, directly affecting Sky Data, and provide a report to Sky describing any incident
and what measures were taken to prevent any reoccurrence.
14 Platform and Application Security
14.1 The Supplier shall ensure that:
- platforms and infrastructure used to receive, store, process or send Sky Data are
built using consistent and formally documented platform build standards;
- all unnecessary services are removed or disabled from platforms in accordance with
the vendors’ recommendations and active settings and software are security
hardened;
- development, testing, production and operational facilities are separated both
physically and logically to reduce the risks of unauthorised access or changes to the
operational system;
- duties and responsibilities are segregated to reduce opportunities for
unintentional or unauthorised modification or misuse of Sky Data;
- applicable policies and procedures are enforced to protect Sky Data associated
with the interconnection of Supplier and Sky Systems;
- appropriate patch management procedures are in place to remain current with
platform security fixes, and conduct adequate testing;
- all software installed on platforms used to receive, store or process Sky Data is
authorised and fully licensed; and
- where cryptographic controls are implemented, they are securely managed using
documented policy procedures, keys are subject to appropriate management and
key changes are made under dual control.
14.2 Where financial transactional functionality is (or becomes) a part of the Services, the
Supplier shall provide data masking functionality in relation to bespoke software in
respect of any financial data (including but not limited to debit/credit card and direct
debit banking information) which Supplier handles for, or on behalf of, Sky.
14.3 This section is applicable only where the Supplier is providing application development
and/or service provision:
- The Supplier must document and implement a formal and secure process for
software development and/or the acquisition of software and systems receiving,
storing, processing or sending Sky Data, whether in-house or through one of its
Subcontractors;
- The Supplier shall define, document and maintain, and make available to Sky upon
request, technical security standards (including secure build configuration) for
applications and systems used for receiving, storing, processing or sending Sky
Data. New systems and applications must comply with this Standard (as updated
from time to time and notified to Supplier);
- The Supplier shall ensure that change control procedures are agreed and
documented as regards the development, implementation or operation of
bespoke systems used for receiving, storing, processing or sending Sky Data and
that such documented procedures require that details of why the change was
required and how and when the changes were executed are recorded and also
include an emergency change process;
- The Supplier shall ensure that all new application developments, changes to
existing systems, upgrades, and new software in relation to the Services have
considered security control requirements, based upon the identified risks, and that
all deliverables are tested and subject to an appropriate level of vulnerability
scanning prior to being released to Sky, or being used as part of the Services;
- The Supplier shall ensure that application development is done in accordance with
generally accepted good practice and that appropriate code review and validation
controls are operated;
- The Supplier shall ensure that live Sky Data and information may not be used for
test purposes without the explicit agreement of Sky. Data and information to be
used for test purposes must otherwise be anonymised, scrambled or otherwise
rendered in such a way that no live Sky Data or information can be reconstructed
from that used for test purposes unless explicitly approved by Sky;
- The Supplier shall ensure that access to program source code is restricted and
strictly controlled; and
- The Supplier shall ensure that back-out procedures are documented prior to
implementing any change or promoting a new piece of software.
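The test-data requirement above (no live Sky Data reconstructable from the test copy) is usually met with keyed pseudonymisation: each identifying field is replaced by a token derived from an HMAC over the live value, so the same customer maps to the same token in every table and records stay joinable, while the key is generated for the run and then destroyed. The following is an added example, not Sky's or any supplier's tooling. The record schema, the field names, the sample record and the decision to generalise date of birth to year are all constructed assumptions for the example.

```python
"""Keyed pseudonymisation of a customer record for test use (added example)."""
import hashlib
import hmac
import secrets
from typing import Dict, List

# Fields that identify a person and must not survive verbatim (assumed schema).
IDENTIFYING = ("account_no", "email", "first_name", "last_name", "dob")


def new_key() -> bytes:
    """Fresh 256-bit key for one pseudonymisation run; discard it afterwards."""
    return secrets.token_bytes(32)


def _mac(key: bytes, field: str, value: str) -> bytes:
    # Domain-separated by field name: the same value in two fields gives
    # unrelated tokens, so a leaked token cannot be matched across fields.
    return hmac.new(key, f"{field}\x00{value}".encode("utf-8"), hashlib.sha256).digest()


def _hex_token(key: bytes, field: str, value: str, length: int = 12) -> str:
    return _mac(key, field, value).hex()[:length]


def _digit_token(key: bytes, field: str, value: str, length: int) -> str:
    # Keeps the shape of a numeric identifier (same length, digits only) so
    # format validation in the application under test still passes; the slight
    # bias of byte % 10 is irrelevant for test data.
    return "".join(str(b % 10) for b in _mac(key, field, value)[:length])


def pseudonymise(record: Dict[str, str], key: bytes) -> Dict[str, str]:
    """Return a copy of record with identifying fields replaced deterministically."""
    out: Dict[str, str] = {}
    for field, value in record.items():
        if field == "account_no":
            out[field] = _digit_token(key, field, value, len(value))
        elif field == "email":
            out[field] = f"user-{_hex_token(key, field, value)}@example.invalid"
        elif field in ("first_name", "last_name"):
            out[field] = f"Name-{_hex_token(key, field, value, 8)}"
        elif field == "dob":
            out[field] = value[:4] + "-01-01"   # generalised to year of birth
        else:
            out[field] = value                  # non-identifying fields kept as-is
    return out


def leaked_fields(original: Dict[str, str], test_copy: Dict[str, str]) -> List[str]:
    """Identifying fields whose live value still appears in the test copy."""
    return [f for f in IDENTIFYING
            if f in original and original[f] in test_copy.get(f, "")]


if __name__ == "__main__":
    key = new_key()
    # Constructed sample record; not real customer data.
    live = {"account_no": "10023456", "email": "priya.patel@example.com",
            "first_name": "Priya", "last_name": "Patel", "dob": "1980-07-14",
            "package": "tv-basic"}
    test_copy = pseudonymise(live, key)
    del key   # without the key the tokens cannot be recomputed
    print(test_copy, leaked_fields(live, test_copy))
```

The caveat a reviewer should raise: an HMAC is only non-reversible if the key is gone. Account numbers and postcodes have little entropy, so anyone holding the key can enumerate the input space and rebuild the mapping. Either destroy the key once the test copy is produced or hold it under the same controls as the live data (see 14.1, key management under dual control).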
15 System Management
15.1 The Supplier shall maintain systems security measures to guard against unauthorised
access, alteration, interception, destruction, corruption of information through
processing errors, system faults, loss or misuse of Sky Data. As a minimum, these
measures should:
- require all users of the Systems to enter a unique user identification code or
number and password prior to gaining access to the Systems;
- control the data which a user can access and/or amend and ensure that
appropriate authorisation has been granted before processing any change;
- control and track the addition and deletion of users of the Systems;
- control and track user access to areas and features of the Systems; and
- require the Supplier to operate controls to ensure that access to Sky Data and
systems is granted at the minimum level necessary to achieve business objectives,
access privileges are amended or removed when business requirements or
objectives change and leavers’ accounts are removed promptly.
15.2 The Supplier shall provide Sky with a record of such access from time to time where Sky
reasonably requests such information.
15.3 The Supplier shall ensure that system clocks are synchronised with an agreed accurate
time source. The Supplier shall ensure that logs are maintained which contain
time-stamped details of user activity and critical system events and which are
periodically reviewed by an appropriate level of management.
15.4 The Supplier shall ensure that sufficient segregation is applied to any equipment
operated by the Supplier for services offered to Sky unless explicit authorisation is given
by Sky for exceptions.
15.5 The Supplier shall ensure that capacity requirements are monitored and Systems and
networks are regularly reviewed so that they are scaled accordingly.
15.6 The Supplier shall ensure that the Services are fully resilient unless Sky has confirmed in
writing that this is not required, in which case a formally documented and tested service
recovery or continuity arrangement must be in place.
15.7 The Supplier shall ensure that any faults are logged, investigated, prioritised and rectified
in timescales commensurate with the associated risks, and in accordance with any
service levels agreed between the Parties, forming part of this Agreement.
16 Data Management
16.1 The Supplier shall ensure that regular backups of all Systems are performed, and the
recoverability of backed up data, and its integrity, periodically tested, dependent on the
frequency of data change.
16.2 The Supplier shall ensure that where backups are stored off-site they are encrypted and
securely transported and a written register maintained of all backup tapes stored offsite.
16.3 The Supplier shall maintain a data retention & destruction policy to ensure that Sky Data
is retained for no longer than necessary and is protected from unauthorised or unlawful
processing. Where the Supplier is acting as a data processor for the Services, they must
act in accordance with Sky instructions on retention and destruction.
16.4 The Supplier shall transfer/exchange Sky Data via secure channels which are encrypted
using a Sky approved encryption solution. This shall be compliant with all relevant
agreements, laws, and regulations.
16.5 The Supplier shall ensure that Sky Data is secure when accessed dynamically or when at
rest.
16.6 Any subsequent disposal of Sky Data should be carried out in a secure manner and
agreed with Sky in advance. All storage media and devices, or items of equipment
containing storage media shall be checked to ensure that any Sky Data and licensed
software has been removed or securely overwritten prior to disposal.
16.7 The Supplier shall ensure that information containing Sky Data is classified in terms of its
value, legal requirements, sensitivity and criticality.
16.8 The Supplier shall ensure that an appropriate set of procedures for information labelling
and handling is developed and implemented in accordance with the classification
scheme adopted by the Supplier.
16.9 The Supplier shall ensure that any devices or media used to record, store or process Sky
Data as part of the Services, including hard copy output, laptops, USB sticks, pen drives,
CDs, or other media are authorised, securely handled, transported and encrypted.
16.10 The Supplier shall ensure that a policy is adopted to protect against the risks associated
with using mobile computing, teleworking activities and communication facilities where
these are used to deliver the Services to Sky.
16.11 On termination or expiry of the Services to Sky the Supplier shall immediately discontinue
the provision of the Services and deliver to Sky all deliverables (in whole or in part) as at
the date of such termination unless otherwise agreed under the terms of, or in
accordance with the provisions of the Agreement.
16.12 The Supplier shall, subject to the retention of records for accounting and tax purposes
(as required by law or either party’s internal tax and accounting procedures), either
destroy or promptly return to Sky all Sky Data and Sky Materials; and the Supplier shall,
unless authorised by Sky or required by law, cease all Processing of Personally Identifiable
Data in relation to any Agreements and return in a format as instructed by Sky, all copies
of the Sky Data held in whatever form by the Supplier, or on its behalf, in relation to the
Services.
17 User and Access Management
17.1 The Supplier shall have an established, documented, and reviewed procedure for the
provision and limitation of access to the Systems, any Sky Systems, Sky Data and Sky
Material to those personnel that need access to such materials or systems to perform
their duties.
17.2 The Supplier shall have a password and user account policy with which Supplier
personnel must comply. This will set a minimum password length of at least eight
characters; the password must be alphanumeric; the password must expire at a
maximum of 90 days and there should be minimum and maximum age and password
reuse prevention. This shall include procedures to be followed when personnel leave
their work station and a process to control and manage user accounts upon completion
of employment or a change in role.
17.3 An automated system lock is to be invoked where a work station used to access or
process Sky Data is left unattended for a period in excess of 15 minutes.
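17.2 and 17.3 are concrete enough to be enforced in code. The account model below is an added illustration, not code from Sky or any supplier: it applies the eight-character alphanumeric minimum, the 90-day maximum age, a minimum age, reuse prevention against a hashed history, and the 15-minute idle lock. The Standard gives no minimum age, history depth or hashing parameters, so one day, twelve entries and the PBKDF2 settings are assumptions. Later guidance (NIST SP 800-63B, 2017) advises against forced periodic expiry; the example follows the Standard as written, which is what a supplier under this Agreement has to do.

```python
"""Enforcement of the clause 17.2/17.3 account rules (added example)."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

MIN_LENGTH = 8                     # 17.2: at least eight characters
MAX_AGE = timedelta(days=90)       # 17.2: expiry at a maximum of 90 days
MIN_AGE = timedelta(days=1)        # 17.2 requires a minimum age; the value is assumed
HISTORY_DEPTH = 12                 # 17.2 requires reuse prevention; depth is assumed
IDLE_LOCK = timedelta(minutes=15)  # 17.3: lock after 15 minutes unattended
PBKDF2_ROUNDS = 200_000            # assumed; tune to the platform


@dataclass
class Account:
    user_id: str                                        # unique ID per 15.1 / 17.5
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    current: Optional[bytes] = None                     # hash of the live password
    history: List[bytes] = field(default_factory=list)  # hashes only, never plaintext
    last_changed: Optional[datetime] = None
    last_activity: Optional[datetime] = None


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def complexity_problems(password: str) -> List[str]:
    """17.2: minimum length and alphanumeric content."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than 8 characters")
    if not (any(c.isalpha() for c in password) and any(c.isdigit() for c in password)):
        problems.append("must contain both letters and digits")
    return problems


def set_password(acct: Account, new: str, now: datetime) -> List[str]:
    """Apply a change; returns [] on success or the list of rule violations."""
    problems = complexity_problems(new)
    if acct.last_changed is not None and now - acct.last_changed < MIN_AGE:
        problems.append("minimum password age not reached")
    # One salt per account so a single derivation can be compared against the
    # whole history in constant time; the trade-off is that the history entries
    # of one account share that salt.
    digest = _derive(new, acct.salt)
    previous = acct.history + ([acct.current] if acct.current is not None else [])
    if any(hmac.compare_digest(digest, old) for old in previous):
        problems.append("password reused")
    if problems:
        return problems
    if acct.current is not None:
        acct.history = (acct.history + [acct.current])[-HISTORY_DEPTH:]
    acct.current = digest
    acct.last_changed = now
    acct.last_activity = now
    return []


def password_expired(acct: Account, now: datetime) -> bool:
    """17.2: force a change once the password is 90 days old."""
    return acct.last_changed is None or now - acct.last_changed >= MAX_AGE


def touch(acct: Account, now: datetime) -> None:
    """Record user activity (keystroke, request) for the idle timer."""
    acct.last_activity = now


def must_lock(acct: Account, now: datetime) -> bool:
    """17.3: an unattended workstation locks after 15 minutes."""
    return acct.last_activity is None or now - acct.last_activity > IDLE_LOCK
```

`set_password` returns every violated rule rather than the first, so the user sees all of them at once, and the reuse check compares hashes, so the history never holds a plaintext that a compromised database would expose.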
17.4 The Supplier shall ensure that restrictions on connection times shall be used to provide
additional security for high risk applications processing Sensitive Sky Data.
17.5 The Supplier shall ensure that all platform and application user accounts are unique,
justified, authorised, regularly reviewed and:
- all platform accounts are granted the minimum required privileges to enable a user
to perform their designated function;
- significant platform activity is logged and reviewed;
- access to platform audit trails is restricted and logged;
- default accounts are regularly deleted or disabled where possible and suitably
authorised and controlled where this is not possible;
- privileged platform accounts, e.g. root, are only used under change control
procedures and not for day-to-day system operation;
- where privileged account access is used, this access is logged and reviewed;
- access to databases is restricted; where SQL databases are implemented, recent
vulnerabilities are patched or mitigated; and
- access to information systems audit tools shall be restricted and controlled to
prevent any possible misuse or compromise.
18 System Change Control
18.1 The Supplier shall apply a change control process, including an assessment of security
matters that may apply to any systems, and which includes appropriate testing and
rectification, including notifying Sky of any upgrades or configuration changes which will
impact on the security of Sky Data, including payment card data, prior to testing such
change control processes.
18.2 The Supplier shall ensure that any new systems introduced into Sky’s Data environment
are compliant with PCI DSS (where appropriate), the requirements of the Data Protection
Act and any other relevant legal and regulatory requirements.
19 Customer Protection (where applicable to Services)
19.1 The Supplier shall ensure that all Supplier personnel visiting Sky Customers are issued
with unique, clearly identifiable ID passes.
with unique, clearly identifiable ID passes.
19.2 The Supplier shall ensure that ID passes are visible at all times and that a policy is in place
to manage loss of ID cards and ID cards left at home by Supplier personnel.
19.3 The Supplier shall track the issue and subsequent disposal of any Sky branded items
that are used in the provision of the Services to Sky customers.
19.4 The Supplier shall maintain a register of lost/stolen Sky branded items.
19.5 The Supplier shall ensure that personnel do not share their unique ID/Authorised Sales
Agent number with other personnel or with any third parties.
19.6 The Supplier shall provide to Sky a regular list of personnel including details of all joiners
and leavers.
19.7 The Supplier shall obtain all necessary licenses or permissions required in the provision of
Services to Sky (e.g. trading licence).
19.8 The Supplier shall have a policy detailing actions to be observed for No Cold Calling zones,
any by-laws and any local Neighbourhood Watch schemes.
19.9 The Supplier shall have a customer interaction incident escalation process.
19.10 The Supplier shall detail how any campaign activity and geographical deployment is
controlled and shall provide full details if requested by Sky.
19.11 The Supplier shall notify the local police of any campaign activity in the area in which the
Supplier is operating.
19.12 The Supplier shall have in place a procedure for dealing with vulnerable customers.
20 Notice, Choice and Consent
20.1 The Supplier will state if the processing of data changes from what was originally intended
under the Agreement with Sky, and this must be notified to Sky before any change in
processing.
20.2 The Supplier will provide individuals whose data is likely to be processed with an additional
privacy notice, before such additional processing, that specifies how the Supplier
intends further to process the data and for what specified purpose.
20.3 The processing of Sky data will be justified either:
(i) through having obtained the consent of the individuals; or
(ii) by another condition notified to Sky in advance of the change.
21 Subject Access Requests
21.1 Supplier Personnel are aware of how to identify a subject access request (“SAR”) and
what to do when they receive a SAR.
21.2 The Supplier has the requisite functionality on all systems which will hold Sky Data
and/or Sky Materials to enable the Supplier to comply with SARs on a timely basis.
Appendix 1 – Defined Terms
The following terms used herein shall have the following definitions:
“Agreement” means the agreement(s) between Sky and the Supplier which incorporates this
Security Standard by inclusion or reference;
“Customer” means the individuals or organisations who procure Services from Sky;
“Sensitive Data” has the meaning set out in the Data Protection Act 1998 or any other
equivalent;
“Services” means the services provided by the Supplier to Sky as set out in the Agreement;
“Sites” means any location utilised by the Supplier in providing the Services including but not
limited to the Supplier’s sites and any other location where Sky data or materials are stored
and/or processed;
“Sky Data” means any and all data owned, processed or produced by or on behalf of Sky
(including data produced by Supplier in the provision of the Services);
“Sky Materials” means any materials and/or devices supplied by Sky to the Supplier or
otherwise generated through the provision of the Services under the Agreement including but
not limited to all devices, computer hardware, computer and telecoms equipment, appliances
or property of any kind;
“Sky Network” means any electronic communications systems operated by the Sky group,
namely British Sky Broadcasting Group plc and any parent and all subsidiary undertakings
from time to time or its affiliates, or operated on their behalf;
“Supplier” means organisations (and their Sky approved Subcontractors) that provide Services
to Sky on a contractual basis under this Agreement;
“Subcontractor” means contractor appointed by the Supplier in accordance with the
Agreement to provide all or part of the Services;
“Supplier Personnel” means any employee, contractor or agent (including the employees of
such contractor or agent) of the Supplier engaged by the Supplier to provide the Services;
“Systems” means the information and communications technology system used by a party in
performing the Services including any software, middleware, hardware, devices and peripherals.
Appendix 2 – Sky Account Criminal Record Guide
Never work on Sky Account
Consider work on Sky Account
Sexual offenders/on sexual offenders register
Civil offences (public order)
Drug related offences – supply and distribution
Class A&B possession
Class C drug offences (possession only)
Violence/Assault/GBH/ABH
Motoring offences (depending on role)
Aggravated Theft/Burglary/handling stolen goods
Miscellaneous criminal convictions
Serious Fraud/white collar financial crime
Firearms/weapon offences
Harassment/stalking offences
Miscellaneous petty theft offences
Motoring offences (depending on role)
Going equipped for stealing
Blackmail
Perjury
Libel
Obscene publication offences
Appendix 3 – Adverse Financial Probity Guide
Disclosure: Disclosed on Form
Action:
1. If less than £1,000 – NO ACTION. (The CCJ must however be Satisfied (i.e., paid), or the
applicant must provide proof that the matter is being dealt with (e.g., paying £x per week).)
If not, the applicant is not to access Sky Customer Data until the CCJ is Satisfied or is being
dealt with.
2. If £1,000 or more – obtain an explanation and review. Note that the CCJ and any outstanding
monies owed must be Satisfied or being dealt with, and non-multiple (i.e. 2 or less). If the
criteria are met and a satisfactory explanation is received – NO ACTION. If not, the applicant
is not to access Sky Customer Data until the CCJ is Satisfied or is being dealt with. If there
are multiple CCJs, the continued appointment must be risk assessed.
Disclosure: Not Disclosed on Form
(The form used should leave the applicant in no doubt as to their requirements. A secondary
level of guidance provided during induction and acknowledged by the applicant must remove
any misunderstanding or ambiguity around what the applicant’s obligations are.)
Action:
Upon any disclosure, suspend and investigate. Only where exceptional circumstances exist
should NO ACTION be taken (e.g., it is believed the candidate had no knowledge of the court
ruling). This aside, a ‘Not Disclosed’ finding highlights a significant honesty and integrity
issue, and as such the candidate may not be considered suitable for appointment.
If exceptional circumstances exist, follow the guidance above as if the candidate had
‘Disclosed on Form’.
Appendix 4 – Supplier Levels
Tier 1 – SECRET
Information which if lost or wrongly disclosed could cause very serious damage to the
interests of Sky, our customers, people, suppliers and business partners.
Data examples (not exhaustive):
• DPA Sensitive, e.g. racial origin, political opinion, religious belief
• Bank account and payment card detail
• Maiden name/PIN
• Individual call records (numbers called)
• Content of Sky customer @sky.com email accounts
• Bid processes
• M&A projects
• Price Sensitive information
• Financial Statements (pre-release)
Tier 2 – CONFIDENTIAL
Personal information that can be traced to individual customers. Information which if lost or
wrongly disclosed could cause distress to our customers or people, or damage the interests of
Sky.
Data examples (not exhaustive):
• DPA Personally Identifiable Data
• Name/Address
• Email/Telephone number
• Age/DoB
• Contacts with Sky (engineer visits)
• Websites visited
• Payment method/due date/collection
• Viewing PIN
• IP Address
Tier 3 – RESTRICTED
Hard to trace back to individual customers but valuable to competitors. Information which if
lost or wrongly disclosed may cause limited negative effects for Sky.
Data examples (not exhaustive):
• System architecture
• Performance reports
• Project plans
• Departmental budget information
• Aggregate Customer information and viewing
• Viewing card numbers
• Policies and standards
PUBLIC
No Personally Identifiable Data held.
Data examples (not exhaustive):
• Newsletters
• Non attributable data
• Data on public websites and social media
• Forum postings
• Product material – posters, flyers, adverts