Asda. Privacy and Electronic Communications Regulations audit report

Asda Privacy and Electronic Communications Regulations audit report Executive summary May 2018

1. Background and Scope

The Information Commissioner may audit the measures taken by the provider of a public electronic communications service (service provider) to safeguard the security of that service (Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011, Reg. 5(6)). The Information Commissioner sees auditing as a constructive process with real benefits for service providers and so aims to establish, wherever possible, a participative approach.

In July 2017, the ICO approached Asda with a view to undertaking a consensual audit of its public electronic communications service. Introductory discussions were held with representatives of Asda to identify and discuss the scope of the audit, and the extent to which it covered Asda's activities.

The audit scope was compliance with Regulation 5 of the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011; in particular, the extent to which the service provider has taken appropriate technical and organisational measures to safeguard the security of the service. The agreed scope reflected the nature of the MVNO relationship between Asda and EE: some areas, such as business continuity planning and recovery capability, are wholly provided by Asda's MNO partner and were therefore not included in this audit.

The audit was conducted following the Information Commissioner's Privacy and Electronic Communications Regulations audit methodology. The key elements of this are a desk-based review of selected policies and procedures, on-site visits including interviews with selected staff, and an inspection of selected records. The audit field work was undertaken at Asda's offices in Leeds between 25 and 26 April 2018.

2. Audit opinion

The primary purpose of the audit is to provide the Information Commissioner and Asda with an independent opinion of the extent to which Asda, within the scope of this agreed audit, is complying with Regulation 5 of the PECR. The recommendations made are primarily around enhancing existing processes to facilitate compliance with Regulation 5 of the PECR.

Overall Conclusion: High Assurance

The technical and organisational measures taken by the provider of a public electronic communications service to safeguard the security of that service provide a high level of assurance that processes and procedures are in place and being adhered to. The audit has identified limited scope for improvement in existing arrangements and as such it is not anticipated that significant further action is required to reduce the risk of non-compliance.

3. Summary of audit findings

Areas of good practice

Asda have a range of global and local policies and procedures, and staff understanding of these is reinforced by a robust training regime and strong awareness-raising materials that promote privacy and security consciousness amongst all staff. Asda operate an integrated Security Risk & Compliance Review (SRCR) process to assess systems and processes against appropriate security standards, with the Asda security team's analysts scrutinising platforms such as the software used to analyse the service. Asda's core systems are protected by a 24/7 Security Operations Centre which monitors and protects against external threats. The Data Assurance/Cyber Intelligence (DACI) team provide data assurance and cyber intelligence on the global threat landscape. Security Information and Event Management (SIEM) protection is in place, alongside antivirus and malware detection and effective endpoint control.

Areas for improvement

Asda have robust incident management procedures in place, as have EE, but these have not been tested together in a simulation of the type of reportable incident affecting the electronic communications service which would engage both parties and require breach reporting. Although Asda are the service provider as defined by PECR, and the commercial relationship between Asda and EE is defined by a service agreement, that agreement needs to be mapped against both the PECR security requirements and the GDPR joint data controllership requirements.

The matters arising in this report are only those that came to our attention during the course of the audit and are not necessarily a comprehensive statement of all the areas requiring improvement. The responsibility for ensuring that there are adequate security arrangements in place rests with the management of Asda. We take all reasonable care to ensure that our audit report is fair and accurate but cannot accept any liability to any person or organisation, including any third party, for any loss or damage suffered or costs incurred by it arising out of, or in connection with, the use of this report, however such loss or damage is caused. We cannot accept liability for loss occasioned to any person or organisation, including any third party, acting or refraining from acting as a result of any information contained in this report.