Audit, Risk Management and Compliance: Sky Supplier Security Standard v2.9

Introduction

Sky operates in an environment of significant legislative, regulatory and industry standards compliance requirements and must have continued assurance that information and data for which Sky is responsible is secure against accidental or unauthorised disclosure, manipulation, damage or loss. Sky implements security controls across its business and in its computer facilities with the aim of ensuring the confidentiality, integrity and availability of data. Sky requires that the same level of protection is in place for data handled by its suppliers, and that suppliers are aware of the risks that exist where controls are missing or where known vulnerabilities remain unaddressed. This Sky Security Standard (the "Standard") contains the information assurance controls Sky requires its suppliers and business partners to employ when they are entrusted with handling Sky Data or materials. Sky considers these controls to be the minimum standards to be implemented across a supplier's systems and infrastructure. This document forms part of the Agreement and as such sets out the contractual obligations Sky places on suppliers in regard to security controls. All suppliers who process personal data are categorised by Sky as Tier 1, Tier 2 or Tier 3. Tier 1 suppliers are those who process data that Sky classifies as Secret; Tier 2 suppliers are those who process Confidential data. Suppliers that process all other types of personal data are classified as Tier 3. Guidance on the application of these definitions can be found in Appendix 1. This Standard sets out in separate sections the controls that are applicable to suppliers who process Tier 1 or Tier 2 data. While these controls do not apply to Tier 3 data, all Sky Data should be processed safely and securely regardless of its classification.
Sky wishes to draw particular attention to the fact that a Supplier originally classified as Tier 2 which subsequently becomes the holder of Tier 1 data, whether by receiving additional data in the course of the existing service or by providing additional services, will be expected to adhere to the standards set out in the Tier 1 section before receiving the new data or providing the additional services. We also draw attention to the fact that the requirements of this Standard apply only to those locations and associated systems and controls that are used to process Sky Data. This means that if the Supplier has multiple locations, only those used to process Sky Data are within scope of this Standard, and likewise only those systems used to process Sky Data. The provisions contained in this Standard are supplemental to, and in addition to, any other contractual terms contained in the Agreement and, except to the extent that the Supplier and Sky expressly agree to the contrary in writing signed between them, the terms of the Agreement shall not be construed as limiting the provisions of this Standard (and vice versa). To the extent that there is any conflict between the provisions of this Standard and the Agreement, this Standard shall prevail.

Version 2.9 Review Date March 2015 Page 2 of 32

Tier 2 Suppliers

The requirements set out in this section are only for those suppliers who are categorised by Sky as Tier 2, which are those that hold Sky's Confidential Data. The Supplier's compliance with these requirements, as they apply to personal data, will be assessed by Sky's Audit, Risk Management and Compliance ("ARMC") department. This work will be performed prior to the Supplier being given access to Sky Data and will entail, at a minimum, an assessment of the Supplier's responses to this Standard, and may include an on-site audit depending on the type and volume of data to be held. The process to be followed will already have been set out in writing by your Sky Business Relationship Owner. ARMC is happy to work with suppliers to address any issues that arise as a result of requiring compliance with this Standard. Where the Supplier holds external validation or certification over the systems and processes that will be used to protect Sky's Data and/or Sky Materials, such as an SSAE16 report (or equivalent), a copy should be provided to Sky in addition to the completion of the obligations in this Standard. Suppliers will be required to complete an annual re-certification when requested by ARMC, which may also involve an on-site visit, in accordance with Sky's policy of visiting all suppliers who hold Sky Data as part of a rolling programme of audits.

Tier 1 Suppliers

The requirements set out in this section are only for those suppliers who are categorised by Sky as Tier 1, which are those that hold Sky's Secret Data. Tier 1 suppliers must obtain annual independent certification to demonstrate the operation of the controls set out in this Standard. The independent certification must be provided prior to the initial receipt of data, and annually thereafter, in accordance with the timetable communicated to the Supplier by ARMC.
The review to support such independent certification should be conducted against appropriate professional standards and be delivered as a report under International Standard on Assurance Engagements 3402, "Assurance Reports on Controls at a Service Organisation"; as an SSAE16 report; or as a report in an equivalent format. SSAE16 reports for new suppliers should be Type 1 reports, which describe the controls in place at a point in time, to demonstrate that controls are in place prior to receiving Sky Data; in subsequent years they should be Type 2 reports, which confirm the operation of the controls over the preceding 12-month period. The report must set out the controls that are in operation to demonstrate compliance with this Standard and specify the testing that has been performed by the independent verifier and the results.

The review should be commissioned directly by the Supplier and should, after the initial submission, cover the 12-month period ending 31 December of each year. The report should be executed by PricewaterhouseCoopers, E&Y, Deloitte, KPMG, Grant Thornton or Detica. A Supplier who intends to use an alternative verifier must seek approval in writing from Sky in advance to confirm that the verifier is acceptable to Sky. The terms used in this Standard are defined in Appendix 1.

Sky Security Standard for Tier 2 Suppliers

The following requirements apply only to those suppliers who have been designated by Sky as Tier 2. The requirements for Tier 1 suppliers are set out in a separate section of this document.

1 Anti-Bribery and Corruption
1.1 The Supplier shall provide a copy of the employee codes of conduct covering the anti-bribery and corruption, whistle-blowing and ethics policies in place, which have been clearly communicated to all staff.
1.2 The Supplier shall show that there are mechanisms in place to ensure compliance with these policies.

2 Data Protection Governance
2.1 Accountability for data protection across all jurisdictions is clearly assigned.
2.2 A clear data protection policy, which includes retention and destruction periods, is in place.
2.3 Day-to-day responsibilities for data protection have been clearly defined and communicated to all relevant staff.
2.4 A training log demonstrating that all staff with access to Sky Data have successfully completed data protection training is maintained.
2.5 Staff are aware that they need to notify Sky of any security breaches relevant to Sky.
2.6 A process is in place to advise Sky of any data protection breaches.
2.7 There have been no unreported data breaches in the last 12 months.

3 Notice, Choice and Consent
3.1 The Supplier will advise Sky in writing if the processing of data changes from what was originally intended under the contract with Sky, and this must be notified to Sky before any change in processing occurs.
3.2 The Supplier will provide individuals whose data is likely to be processed with an additional privacy notice, before such additional processing, that specifies how the Supplier intends to further process the data and for what specified purpose.
3.3 The processing of Sky Data will be justified either:
(i) through having obtained the consent of the individuals; or
(ii) by another condition notified to Sky in advance of the change.

4 Data Collection
4.1 Data collected and/or processed by the Supplier will be restricted only to that which is required to fulfil the Services.
4.2 Where marketing activities are carried out on Sky's behalf, such marketing must be carried out in accordance with the scope of the individuals' permissions, and such scope and permissions can be evidenced for each individual.
4.3 There are controls in place to ensure that consumers' chosen marketing preferences are adhered to.
4.4 Where websites are used to collect Sky Data and/or cookie data, this is done in accordance with the privacy notice displayed on the website and any other applicable privacy and cookie statements.
4.5 The Supplier has a policy explaining how it uses personal data and cookies (if they are used).

5 Subject Data Access
5.1 Supplier staff are aware of how to identify a subject access request ("SAR") and what to do when they receive a SAR relating to Sky Data.
5.2 The Supplier has the requisite functionality on all systems which will hold Sky Data and/or Sky Materials to enable the Supplier to comply with SARs on a timely basis.

6 Data Disclosure to Third Parties (including all Subcontractors)
6.1 Where Sky Data will be processed by third parties, including Subcontractors, the Supplier will provide: (i) a list of all third parties; (ii) what data will be accessible by them; and (iii) how the Supplier will ensure the data is kept secure. This includes, for example, outsourced data centres or call recording suppliers.

6.2 Where Sky Data is processed by a third party, written contracts are in place with all such third parties to cover the disclosure of Sky Data to them. The Supplier will state whether those contracts require the third parties to have in place the same levels of control and security as set out in this Standard, and how the Supplier assures that this is the case.
6.3 If Sky Data will be processed outside the European Economic Area, there is a written agreement in place covering such processing. This would include, for example, where data or backups are processed by teams in overseas outsourced data centres or in the Cloud.

7 Supplier Responsibilities and Subcontractor Management
7.1 Responsibilities for physical security, risk management and IT security are clearly defined and allocated.
7.2 The Supplier has a contractual obligation to conduct a full annual security audit of all Subcontractors who will hold Sky Data. Either the Supplier has conducted such audits at the Subcontractor in the past; or, where the Subcontractor is new under the proposed contract, the Supplier intends to conduct such audits and will notify Sky of the date by which they will be conducted.
7.3 The Supplier will notify Sky if it intends to process Sky Data and/or Sky Materials in such a way as to aggregate and/or anonymise the data for the Supplier's own use.
7.4 The Supplier will notify Sky if it intends to process or otherwise make use of Sky Data and/or Sky Materials for any purpose other than that which is directly required for the supply of the Services.
7.5 The Supplier maintains a register of data protection breaches reportable to Sky, which includes breaches that have arisen under the conduct of a Subcontractor.
7.6 All complaints relating to personal data, including complaints received by Subcontractors, are captured and recorded.
8 Personnel Security
8.1 Where appropriate to the nature and classification of data handled by the Supplier, and as agreed with Sky, screening checks may be conducted on Supplier Personnel, including reference checks and, where applicable, financial probity checks. As appropriate to the job role and permitted by law, criminal record checks are to be conducted. Where appropriate, these checks are refreshed on a periodic basis. The results are logged and recorded.
8.2 All Supplier Personnel sign an agreement which requires them to keep information confidential. This also covers Sky Data and/or Sky Materials.
8.3 The Supplier has a comprehensive code of conduct in place which includes requirements for Supplier Personnel to demonstrate awareness of procedures around breaches of security.
8.4 As part of the Agreement, Supplier Personnel are required to agree to adhere to all Supplier company policies, rules and procedures, including applicable data protection policies.
8.5 There is a clear process to handle Supplier Personnel who terminate their services with the Supplier. Access to Sky Data, facilities and Sky Materials is removed from those Supplier Personnel within one week.

9 Physical and Environmental Security
9.1 The Supplier has a clearly defined physical security policy and related standards.
9.2 The requirements of the physical security policy are applied to all locations that will be used to support Sky operations, including locations used by Subcontractors who will process Sky Data.
9.3 Access to all entry points where Sky Data will be processed, including those at locations used by Subcontractors, is restricted and logged.
9.4 The access logs are reviewed.
9.5 Controls are in place at all premises where Sky Data will be held to prevent unauthorised individuals from entering.
9.6 Physical and environmental controls are in place within the data centre(s) and communications rooms, including those provided or used by Subcontractors, in order to protect against loss of or damage to the premises or equipment.
9.7 The areas in 9.6 above are covered by an internal and external CCTV system which is used and monitored. The system has sufficient coverage and capability to monitor reception areas, exit/entry points, and vulnerable or sensitive/confidential working areas.
9.8 A monitored alarm system is in place across all sites to be used for the Services.
9.9 A clear desk policy is operated at all sites where Sky Data is processed.

10 Incident Response
10.1 All security incidents are logged, with their origin and resolution recorded.
10.2 There is a clear escalation process.

11 Business Continuity and Disaster Recovery
11.1 There are business continuity and disaster recovery plans in place.
11.2 The plans are tested annually.
11.3 Off-site backups are taken on a regular basis and are encrypted and securely transported.
11.4 Capacity monitoring is in place for those systems that will support the Services.

12 IS Security
12.1 The Supplier adopts Sky's IS security policy and standards; or the Supplier has its own IS security policy of equal rigour in place, and will provide a copy to Sky.
12.2 All Supplier systems and related control processes to be used to process Sky Data are compliant with Sky's Group IS Security policies and standards; or Supplier systems that will be used to transmit and/or store Sky Data adhere to the Supplier's own IS security policy. This includes but is not limited to:
- Network security (including firewall and intrusion detection);
- Malicious code prevention, including anti-virus (state the frequency of updates);
- Encryption (state the type);
- Masking of personal data (for financial transactions);
- Patching (state the frequency and approach, particularly with reference to security patches and their associated criticality);
- Cookies (state how the Supplier adheres to applicable privacy law requirements, as illustrated by ICO guidance).
12.3 All Sky Data is transferred or exchanged via secure channels and/or, where technically possible, is subject to an appropriate level of encryption.
12.4 Penetration testing is regularly conducted on the network perimeter and infrastructure, and on websites used to host, process or transmit Sky Data.

12.5 The Supplier will provide details of the date the last tests were performed and whether any identified issues have been resolved.
12.6 Reviews of firewall and remote access logs are performed on a periodic basis.
12.7 Systems which will hold Sky Data enforce controls in areas such as:
(i) unique user identification and prevention of shared logon credentials;
(ii) complex passwords (state the minimum length enforced by the systems and applications processing Sky Data, whether they must be alphanumeric, and what the expiry period is);
(iii) controls to track the addition and deletion of users, and regular review of allocated rights and privileges;
(iv) controls to log sensitive user transactions;
(v) default (admin) user names and passwords are changed; and
(vi) segregation of duties.
12.8 System development, test and production environments are separated to reduce the risk of unauthorised access or changes.
12.9 All new services, applications and tools used to enable or support the hosting, processing or transmission of Sky Data, or changes made to them, are subject to an appropriate level of testing, conducted in accordance with appropriate guidance (such as OWASP), before launch.
12.10 Sky Data is not used for testing purposes unless it has been suitably anonymised such that it no longer represents personally identifiable data.
12.11 Use of any media to record, store or process Sky Data (including hard copy output, laptops, USB sticks, pen drives, CDs or other magnetic media) is suitably authorised, handled, transported and encrypted.
12.12 There is a log of system changes which details why the changes were required, who approved them, and how and when the changes were executed.

13 Data Management
13.1 The Supplier follows Sky's Data Retention and Destruction policy and standards, or alternatively the Supplier has its own policy of equal rigour and will provide a copy to Sky.
13.2 The Supplier will state its proposed retention period for Sky Data (listed by type if a single period is not to be enforced).
13.3 Processes are in place to ensure and demonstrate compliance with the policy.
13.4 The Supplier has a process in place to ensure maintenance of the integrity and accuracy of Sky Data.

13.5 The Supplier has a process to authorise who receives the reports that the Supplier intends to generate that contain Sky Data.

14 Customer Protection
14.1 Where the Services involve the Supplier in direct interaction with customers, the Supplier provides ID passes for those personnel who will interact with customers, for example by visiting customers' premises.
14.2 The Supplier has a procedure in place for dealing with vulnerable customers.

15 Continued Compliance
15.1 The Supplier will maintain compliance with this Standard at all times during the provision of the Services and will notify Sky promptly in the event that it is at any time not fully compliant.
15.2 The Supplier will provide any other information that would assist Sky in assessing the Supplier's control environment relevant to the services provided to Sky.

Sky Security Standards for Tier 1 Suppliers

The following requirements apply only to Tier 1 suppliers and should, as noted above, be subject to independent verification.

1 Anti-Bribery and Corruption
1.1 The Supplier shall at all times:
- maintain an anti-bribery and corruption policy which complies with the Bribery Act 2010 and any other applicable statute, regulation or industry code, and which has top-level management support;
- ensure that proportionate procedures are put in place to mitigate the bribery risks faced by its organisation;
- ensure that the anti-bribery and corruption policies are adequately communicated to employees and that appropriate training is provided and can be evidenced; and
- ensure that a whistle-blowing policy/grievance procedure exists so that alleged instances of bribery and/or corruption can be reported on a confidential basis, and that there is a means available for personnel to report security issues other than via line management as necessary.

2 Data Protection
2.1 The Supplier shall at all times ensure that a Data Protection policy exists, across all jurisdictions, to safeguard data in accordance with the terms of the Agreement, the Data Protection Act 1998 and any other applicable statute, regulation or industry code.
2.2 Where any Sky Data is intended to be transferred, stored or processed outside the European Economic Area ("EEA"), the Supplier shall provide, in advance of any transfer, full details of the locations and of what data is to be transferred, stored or processed outside the EEA, for Sky's approval, such approval not to be unreasonably withheld.
2.3 The Supplier shall maintain a controlled paper environment by ensuring that paperwork is kept to a minimum and, where appropriate for the services provided to or on behalf of Sky, that Sky customer financial data (including, but not limited to, payment card or bank details) is never written down or otherwise extracted from the appropriate system.
2.4 The Supplier shall ensure that shredding facilities or confidential waste bins are present in each operations area and that a process is implemented to dispose of such material securely.

3 Payment Card Industry Data Security Standard (where applicable to the Services)
3.1 Where financial transactional functionality is (or becomes) a part of the Services to Sky, the Supplier shall:
- comply with the latest version of the PCI DSS requirements;
- maintain a strategy for PCI DSS compliance, in accordance with the Supplier's corporate information security policy, which addresses each of the PCI DSS requirements, and assign responsibility for PCI DSS to a designated person or compliance function;
- provide evidence annually to Sky of PCI DSS compliance through external certification or a self-assessment declaration;
- provide Sky with access, upon request, to the evidence used to support the Supplier's PCI DSS compliance accreditation;
- ensure that a current network configuration diagram is produced and maintained which shows clear data flows (including Sky's payment card transactions) and identifies all connections carrying Sky cardholder data, including any wireless networks;
- not disclose Sky cardholder data to any third party or entity, except where this is authorised by Sky under the provision of the Services to Sky or required by law;
- maintain and provide on request a scope of the environment that is included in the assessment (e.g. Internet access points, internal corporate network) and identify any areas that are excluded from the Sky cardholder data environment assessed against the PCI DSS;
- maintain and provide on request details of any gap analysis that has been produced either internally or by a PCI DSS Qualified Security Assessor (QSA). This shall include details of the most recent Self-Assessment Questionnaire or Report on Compliance;
- maintain and provide on request the results of the most recent mandatory compliance or vulnerability scans as required by the PCI DSS;
- maintain and provide on request details of any compensating controls used to achieve risk mitigation in areas which do not meet the PCI DSS requirements; and
- inform Sky immediately of any changes affecting the Supplier's compliance status.

4 Supplier Responsibilities and Subcontractor Management (including Cloud services)
4.1 The Supplier shall have in place a dedicated in-house security risk management function, or nominate an appropriate member of the Supplier's personnel to take ownership of the control areas. A nominated individual shall act as the point of contact for Sky, ensure adherence to the escalation process, facilitate any review meetings and manage any remediation and restoration plan in the event of any breach.
4.2 The Supplier shall maintain a register of the security risks related to the provision of its Services to Sky, to Sky Data and to Sky Materials. That register shall be maintained to show the nature and extent of, and progress made in, mitigating the identified risks.
4.3 The Supplier shall notify Sky, and obtain Sky's approval, before engaging any subcontractors, including but not limited to data centres used in the provision of the Services to Sky.
4.4 The Supplier shall provide full details of any Subcontractor(s), which as a minimum shall include company name, address, location, type of services to be provided, and the volume, frequency and nature of Sky Data to be used.
4.5 The Supplier shall:
- not process or otherwise make use of Sky Data and/or Sky Materials for any purpose other than that which is directly required for the supply of the Services;
- only perform such Services in accordance with the Agreement;
- not purport to sell, let for hire, assign rights in or otherwise dispose of any Sky Data or Sky Materials;
- not make Sky Data or Sky Materials available to any third party without the prior approval of Sky; and
- not commercially exploit Sky Data or Sky Materials unless expressly approved by Sky.
4.6 The Supplier shall establish and at all times maintain safeguards against the destruction, loss or alteration of Sky Data and Sky Materials in the possession of the Supplier.
4.7 The Supplier shall ensure that it maintains written agreements with all Subcontractors that contain security controls, service definitions and delivery levels commensurate with the requirements set out in this document, and that these are implemented, operated and maintained by the Subcontractor(s) at all times. In any event, the Supplier must ensure that such controls, definitions and levels are in place before:
- any data is processed by the Subcontractor; and
- the Subcontractor commences the provision of services to Sky or the Supplier.
4.8 The Supplier shall conduct annual security audits at all Subcontractors to confirm that the controls set out in this document and noted in 4.7 above are in place and being operated by the Subcontractor, and the Supplier will maintain evidence of these audits, including any security risks, recommendations and remedial actions suggested and implemented. Supplier security audits shall be conducted in accordance with this Standard and in any event before:
- any data is processed by the Subcontractor; and
- the Subcontractor commences the provision of services to Sky or the Supplier.
4.9 The Supplier shall provide a copy of the audit reports to Sky upon request. The Supplier shall notify Sky of any identified issues or deficiencies, and the timeframes for their resolution, on an on-going basis.
4.10 The Supplier shall ensure that it is not reliant on any key single individual to support the Services anywhere in its supply chain.

5 Personnel Security - before employment
5.1 The Supplier shall ensure that a written policy exists for pre-employment screening, and that the screening status and results of all Supplier personnel on the Sky account or with access to Sky Data or materials are fully collated, kept on record and made available to Sky for audit and compliance purposes.
5.2 The Supplier shall obtain two references prior to personnel completing training and commencing operations to process Sky's data. Such references may be verbal, but must be verified, fully documented and auditable. Where reasonably possible, the Supplier shall obtain at least one reference from a previous employer or academic professional.
5.3 The Supplier shall ensure that the application process and contractual process contain declarations covering criminal convictions (as per the terms of the Rehabilitation of Offenders Act 1974), pending criminal investigations, and adverse financial probity judgments such as county court judgments or bankruptcy rulings.
5.4 The Supplier shall have a comprehensive disciplinary policy, code of conduct and work rules in place to protect the interests and safety of Supplier personnel and the Services. That policy, code of conduct or work rules shall clearly define breaches of security, indicating examples of what is classed as misconduct and the possible consequences of such misconduct.
5.5 The Supplier shall ensure that the application process and contractual process include requirements to obtain authorisation for pre- or post-employment checks ("Security Screening Waivers"), including authorisation for the Supplier to obtain County Court Judgment and/or Criminal Record reports where appropriate and relevant.

5.6 As appropriate to the job role and permitted by law, the Supplier shall ensure that a basic-level criminal record check and security disclosure is conducted with Disclosure Scotland or another reputable agency (the "Criminal Record Checks") against all Supplier personnel who process Sky's data or materials, and that these checks are completed before the personnel process Sky's data. If the declarations or the relevant Criminal Record Check reveal adverse findings, the Supplier shall comply with Sky's CRC non-acceptance criteria guidelines (provided by Sky to the Supplier from time to time and incorporated into the Agreement by reference) as outlined at Appendix 2, and shall in every case bring this to Sky's attention for consultation.
5.7 Where the Supplier's business function includes financial payment transactions, the Supplier shall ensure that a financial probity check (including checks for adverse County Court Judgments and bankruptcy rulings) is conducted with Experian or another reputable agency (the "Financial Probity Check") against all Supplier personnel who process Sky Data. If the declarations or the relevant Financial Probity Check reveal any adverse County Court Judgments or bankruptcy rulings, the Supplier shall comply with Sky's financial probity non-acceptance criteria guidelines, as provided by Sky to the Supplier from time to time and outlined in the relevant Appendix.
5.8 Where appropriate to the nature and classification of data handled by the Supplier, and as agreed with Sky, the Supplier shall ensure that all Background Checks (meaning the reference checks; where appropriate to the job role and permitted by law, the Criminal Record Checks; and, if applicable, the Financial Probity Check) are conducted at the Supplier's cost and within a reasonable time period, and in any event are completed prior to such Supplier personnel commencing provision of the Services (excluding training).
The Supplier shall bear all training and attrition costs if any Supplier personnel are removed from the Services as a result of an adverse finding on any declaration or Background Check.
5.9 The Supplier shall ensure that all personnel sign a non-disclosure agreement relating to Sky Data and Sky Materials in the possession of the Supplier.
5.10 The Supplier shall ensure that all personnel enter into a written contract of employment under which they agree to adhere to all company policies, rules and procedures, including all data protection policies, and agree to assign all intellectual property created in the course of providing the Services.
5.11 The Supplier shall ensure that a security module forms part of the compulsory induction and training programme, sufficient to cover data protection, the acceptable use policy, issues of confidentiality and company standards.

6 Personnel Security - during employment
6.1 Where appropriate to the nature and classification of data handled by the Supplier, and as agreed with Sky, the Supplier shall conduct a sample of random Background Checks on existing personnel on an annual basis.
6.2 The Supplier shall review requirements on a regular basis with respect to security awareness and knowledge of fraud and security issues with Supplier personnel and its pre-approved Subcontractors throughout the provision of the Services.
6.3 The Supplier shall ensure that all personnel who process Sky Data have the appropriate qualifications, skills and training to support the Services.
6.4 The Supplier shall consult Sky Group Security on a timely basis where personnel are subject to a change of circumstance and are assessed to be a risk to the Services, Sky Data or Sky Materials.

7 Personnel Security - termination of employment
7.1 The Supplier shall carry out a checklist of actions, including an exit interview, prior to the conclusion of the departing personnel's employment/assignment. This checklist shall also cover cancellation of access control privileges, user IDs/passwords and all other entitlements required for access to the Supplier's and Sky's systems, and recovery of any asset(s) that may contain Sky Data and Sky Materials.

8 Facilities and Equipment Security
8.1 The Supplier shall provide and maintain suitable accommodation, facilities, equipment, space, furnishings, utilities and fixtures necessary to provide secure physical premises that offer a safe working environment for the provision of the Services to Sky and which adequately protect against loss of or damage to the premises or the equipment.
8.2 The Supplier shall protect power and telecommunications infrastructure carrying data or supporting information services from interception or damage.
8.3 The Supplier shall implement uninterruptible power supplies ("UPS") for critical infrastructure and shall test the UPS regularly.
8.4 The Supplier shall ensure that all power supplies and fire safety mechanisms undergo regular maintenance checks and that facilities comply with appropriate health and safety standards.
8.5 Where Sky Data or Sky Materials are stored or processed, the Supplier shall provide sufficient secure storage space for personnel to store those personal effects that are capable of capturing and storing Sky Data, and shall ensure that personnel use such storage space.
8.6 The Supplier shall ensure that prominent security signage, or information in suitable electronic form, detailing security policies and requirements is provided and displayed in all relevant locations where Sky Data is processed.
8.7 The Supplier will not perform the Services from alternate sites without obtaining the prior written consent of Sky, and any processing at alternate sites will be approved by, and implemented at no additional cost to, Sky (unless any relocation is due to a specific request from Sky) and, as far as reasonably practicable, without causing any material

disruption to the business of Sky or the Services.
8.8 Where Sky agrees to a shared Site, the Supplier shall:
- as a minimum, segregate or ring-fence the area in which the Services for Sky take place, or advise Sky in advance if this is not possible and obtain agreement to the site security being implemented; and
- ensure that the Services and the facilities required to provide them permit Sky's data to be separately identified from that of the Supplier's other customers.

9 Physical Security
9.1 The Supplier shall implement a policy identifying the requirements for physical access at its Sites and for the control of such access.
9.2 Where an automated access control system is deployed, the Supplier shall ensure that the system captures and records all access control events and that this record is reviewed on an appropriate ongoing basis. Where an automated access control system cannot check and verify that all access is made using employee ID passes, or cannot prevent tailgating, the Supplier shall deploy a physical security function, or other mitigating control, to enforce compliance in this area.
9.3 The Supplier shall ensure that all Supplier personnel are individually identifiable and issued with unique ID passes, which shall be worn and visible at all times unless alternative arrangements have been agreed in advance with Sky.
9.4 The Supplier shall be responsible for retrieving the identification cards of any Supplier personnel whose assignment or employment has been terminated or transferred, or who otherwise no longer require access to the Site.
9.5 The Supplier shall ensure that an appropriate policy is in place to manage the loss of ID cards, and ID cards not being available for use by Supplier personnel at a specific location.
9.6 The Supplier shall operate a sign-in procedure for any visitors to the Sites which, as a minimum, requires visitors to prove their identity and to log their name, company, the time and date, and the name of the person they are visiting at the relevant Site.
9.7 Without prejudice to any of Sky's remedies, sanctions for breaches of security requirements shall be governed by the Supplier's disciplinary policy.
9.8 The Supplier shall deny entry to the Sites to visitors who are not legitimately connected with the Services being performed, unless they are duly authorised by the appropriate management.
9.9 The Supplier shall inform all visitors of the existence of Site security policies.

9.10 The Supplier shall ensure that there is a manned guarding or other physical security presence during hours of operation at Sites which are processing or storing Sensitive Sky Data, unless alternative arrangements have been agreed in advance with Sky in writing.
9.11 The Supplier shall ensure that there is a physical security response capability during out-of-hours periods for those Sites storing or processing Sky Data.
9.12 The Supplier shall ensure that security response personnel are instructed to take action as appropriate or to escalate the incident to a manager.
9.13 The Supplier shall have in place an internal and external CCTV system with sufficient coverage to monitor reception areas, entry and exit points, and vulnerable or sensitive/confidential working areas.
9.14 The Supplier shall implement, operate, support and maintain alarm systems (including appropriate environmental alarms) and access mechanisms.
9.15 The Supplier shall ensure that a clear desk policy is operated and maintained within the Sites where Sky Data is stored or processed.
9.16 When using data centre rackspace, the Supplier shall be able to identify Sky rackspace and equipment used in the provision of the Services, and shall implement appropriate access controls to the equipment used in the provision of the Services.
9.17 With the exception of key Supplier personnel, the Supplier shall ensure that no mobile devices are taken into the operations area.

10 Incident Response
10.1 The Supplier shall at all times maintain a security incident response procedure.
10.2 In the provision of Services to Sky and as part of the security incident response procedure, if the Supplier becomes or is made aware of any contravention of privacy or security requirements relating to the data, or of unauthorised access to the Systems, Sky Data, Sky Materials or any Sky Systems including the Sky Network, the Supplier shall:
- immediately report the incident to Sky Group Security (investigations@bskyb.com) and to the business relationship owner;
- promptly provide Sky with a written report setting out the details of the contravention of the data security requirements and describing any Sky Data, Sky Materials and/or Sky Systems which have or may have been compromised;
- provide Sky, at no additional cost, with all assistance required to restore the Sky Data and any other assistance that may be required by Sky;
- preserve evidence, including its collection, retention and presentation to Sky Group Security;
- return to Sky any Sky Data and/or Sky Materials;
- comply with all reasonable directions of Sky; and
- take immediate remedial action to secure the Sky Data, Sky Materials and/or Sky Systems and to prevent recurrence of the same or a similar contravention, and provide Sky with details of such remedial action.
10.3 If either a criminal situation or a breach of security rules occurs involving personnel providing Services to Sky and becomes known to the Supplier, Sky must be notified as soon as practicable of the facts surrounding it.

11 Business Continuity Management
11.1 The Supplier shall identify the activities and processes that support the Sky Services, conduct a risk assessment of potential interruptions and identify their likely consequences.
11.2 The Supplier shall develop a business continuity plan to restore business operations following an interruption or failure of business processes (the "Business Continuity Plan") within a time period agreed to be acceptable by Sky.
11.3 The Business Continuity Plan shall include arrangements to inform and engage appropriate Sky personnel in its execution.
11.4 The Supplier shall test the Business Continuity Plan at least annually, unless otherwise agreed in advance by Sky.
11.5 The Supplier shall at least annually review and, as necessary, update the Business Continuity Plan.

12 Network Security
12.1 The Supplier shall maintain the confidentiality and integrity of Sky Data and Sky Materials, and the isolation of the Supplier's Systems and data, by:
- utilising secure network architecture and operations;
- ensuring that networks carrying Sky Data are designed, built, monitored and managed according to industry standards, best practices and frameworks such as, but not limited to, ISO 27001, TOGAF, OWASP and ITIL, such that they enforce the required information security policy boundaries;
- ensuring that those boundaries prevent unauthorised access to Systems and Sky Data by default and allow only explicitly authorised and authenticated access;

- restricting and monitoring the use of tools and utility programs capable of overriding Systems controls;
- utilising and maintaining appropriate firewall and security screening technology that is designed to:
  o prevent unauthorised access to the Supplier and Sky Systems by prohibiting all access by default and explicitly allowing authorised access; and
  o appropriately limit access to Sky Data and Sky Material processed by the Supplier Systems.
12.2 The Supplier shall ensure that anti-virus and firewall protection systems are implemented for both internal and external traffic, and shall ensure that:
- firewall platforms are hardened;
- firewalls have real-time logging and alerting capabilities;
- intrusion detection systems are implemented where Internet connections exist; and
- access lists are implemented on network routers to restrict access to sensitive internal networks or servers.
12.3 Remote support access shall be controlled via a secure gateway that implements the following controls:
- two-factor authentication (e.g. security tokens) combined with a valid, unique user account, which ensures personal accountability;
- access via a secure gateway (e.g. a firewall);
- remote support accounts enabled only for the duration of the troubleshooting activity; and
- all activity logged and reviewed.
12.4 The Supplier shall provide evidence that any third-party remote support of Supplier systems is authorised and governed by a contract detailing security requirements (including logging of activity), and that access is given with the minimum required privileges and revoked on completion.
12.5 The Supplier shall have in place an internet and acceptable use policy, and shall ensure that appropriate controls are in place and documented to prevent unauthorised access to, or download of, software or web content by Supplier personnel.
12.6 The Supplier shall ensure that utility programs capable of overriding system and application controls are restricted and tightly controlled.

12.7 The Supplier shall provide evidence, on request by Sky, of its chosen intrusion detection strategy: what methods are employed, whether these are recognised intrusion detection systems ("IDS") or whether there is reliance on other controls in place (firewalls, network router/switch protection), and whether the function is outsourced.
12.8 The Supplier shall ensure that regular penetration testing exists as part of a vulnerability management strategy, and shall agree the scope of penetration testing for the Services with Sky. Further, the Supplier shall notify Sky of the results of testing and take action on the recommendations in timescales commensurate with the associated risks.

13 Protection against Malicious Code
13.1 The Supplier shall install and maintain operational anti-virus protection software on all relevant Supplier systems. The Supplier and its Subcontractor(s) shall use all reasonable endeavours to detect hidden code or data that is designed to, or may have the effect of:
- destroying, altering, intercepting, withholding, corrupting or facilitating the theft of any Sky Data or Sky Material;
- disabling or locking software or systems; or
- using undocumented or unauthorised access methods to gain access to Sky Data, Sky Material or the Systems.
13.2 The Supplier shall ensure that anti-virus software and anti-virus definition files are updated on all Supplier Systems that receive, hold, process or send Sky Data, in accordance with the relevant vendor's guidelines and on a timely basis.
13.3 The Supplier shall promptly notify Sky as soon as it becomes aware of viruses in the Systems directly affecting Sky Data, and shall provide a report to Sky describing the incident and what measures were taken to prevent recurrence.

14 Platform and Application Security
14.1 The Supplier shall ensure that:
- platforms and infrastructure used to receive, store, process or send Sky Data are built using consistent and formally documented platform build standards;
- all unnecessary services are removed from or disabled on platforms in accordance with the vendors' recommendations, and active settings and software are security hardened;
- development, testing, production and operational facilities are separated both physically and logically to reduce the risk of unauthorised access or changes to the operational system;
- duties and responsibilities are segregated to reduce opportunities for

unintentional or unauthorised modification or misuse of Sky Data;
- applicable policies and procedures are enforced to protect Sky Data associated with the interconnection of Supplier and Sky Systems;
- appropriate patch management procedures are in place to remain current with platform security fixes, with adequate testing conducted;
- all software installed on platforms used to receive, store or process Sky Data is authorised and fully licensed; and
- where cryptographic controls are implemented, they are securely managed using documented policies and procedures, keys are subject to appropriate management, and key changes are made under dual control.
14.2 Where financial transactional functionality is (or becomes) part of the Services, the Supplier shall provide data masking functionality in its bespoke software for any financial data (including but not limited to debit/credit card and direct debit banking information) which the Supplier handles for, or on behalf of, Sky.
14.3 This section applies only where the Supplier is providing application development and/or service provision:
- The Supplier must document and implement a formal and secure process for software development and/or the acquisition of software and systems receiving, storing, processing or sending Sky Data, whether in-house or through one of its Subcontractors;
- The Supplier shall define, document and maintain, and make available to Sky upon request, technical security standards (including secure build configuration) for applications and systems used for receiving, storing, processing or sending Sky Data. New systems and applications must comply with this Standard (as updated from time to time and notified to the Supplier);
- The Supplier shall ensure that change control procedures are agreed and documented for the development, implementation and operation of bespoke systems used for receiving, storing, processing or sending Sky Data, that those procedures require a record of why each change was required and how and when it was executed, and that they include an emergency change process;
- The Supplier shall ensure that all new application developments, changes to existing systems, upgrades and new software in relation to the Services have considered security control requirements based upon the identified risks, and that all deliverables are tested and subject to an appropriate level of vulnerability scanning prior to being released to Sky or used as part of the Services;
- The Supplier shall ensure that application development is carried out in accordance with generally accepted good practice and that appropriate code review and validation controls are operated;

- The Supplier shall ensure that live Sky Data and information are not used for test purposes without the explicit agreement of Sky. Data and information to be used for test purposes must otherwise be anonymised, scrambled or otherwise rendered in such a way that no live Sky Data or information can be reconstructed from the test data, unless explicitly approved by Sky;
- The Supplier shall ensure that access to program source code is restricted and strictly controlled; and
- The Supplier shall ensure that back-out procedures are documented prior to implementing any change or promoting a new piece of software.

15 System Management
15.1 The Supplier shall maintain system security measures to guard against unauthorised access, alteration, interception, destruction or corruption of information through processing errors, system faults, or loss or misuse of Sky Data. As a minimum, these measures shall:
- require all users of the Systems to enter a unique user identification code or number and a password prior to gaining access to the Systems;
- control the data which a user can access and/or amend, and ensure that appropriate authorisation has been granted before processing any change;
- control and track the addition and deletion of users of the Systems;
- control and track user access to areas and features of the Systems; and
- require the Supplier to operate controls to ensure that access to Sky Data and systems is granted at the minimum level necessary to achieve business objectives, that access privileges are amended or removed when business requirements or objectives change, and that leavers' accounts are removed promptly.
15.2 The Supplier shall provide Sky with a record of such access from time to time where Sky reasonably requests such information.
15.3 The Supplier shall ensure that system clocks are synchronised with an agreed accurate time source, and that logs are maintained which contain time-stamped details of user activity and critical system events and which are periodically reviewed by an appropriate level of management.
15.4 The Supplier shall ensure that sufficient segregation is applied to any equipment operated by the Supplier for services offered to Sky, unless explicit authorisation is given by Sky for exceptions.
15.5 The Supplier shall ensure that capacity requirements are monitored and that Systems and networks are regularly reviewed so that they are scaled accordingly.
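The masking functionality required at 14.2 and the test-data anonymisation bullet of 14.3 are easy to get wrong in one specific way: an unkeyed hash of a card number can be reversed by brute force, because once the issuer prefix is known the remaining number space is small. The following is an added example written for this edit, not software from Sky or any supplier. It assumes the bespoke application holds PANs as digit strings; PSEUDONYMISATION_KEY is a placeholder for a key that lives only in the production key store, and the sample records are constructed industry test card numbers.

```python
"""Masking and pseudonymising financial data (clauses 14.2 and 14.3).

Added example for this edit, not code from Sky or any supplier.  Assumes the
bespoke application holds PANs as digit strings; PSEUDONYMISATION_KEY is a
placeholder for a key held only in production.
"""
import hashlib
import hmac
import re
from typing import Optional

# Constructed sample records (industry test card numbers, not customer data).
SAMPLE_RECORDS = [
    {"customer": "A. Example", "pan": "4111 1111 1111 1111",
     "sort_code": "12-34-56", "account": "12345678"},
    {"customer": "B. Example", "pan": "5555-5555-5555-4444",
     "sort_code": "65-43-21", "account": "87654321"},
]

# Hypothetical secret: fetched from the production key store, never copied to test.
PSEUDONYMISATION_KEY = b"example-only-replace-with-a-32-byte-production-key"


def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn check used for card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def luhn_check_digit(payload: str) -> str:
    """The single digit that makes payload + digit Luhn-valid."""
    return next(d for d in "0123456789" if luhn_valid(payload + d))


def normalise_pan(raw: str) -> Optional[str]:
    """Strip spaces/hyphens; return None unless the result is a plausible card number."""
    digits = re.sub(r"[\s-]", "", raw)
    if 13 <= len(digits) <= 19 and digits.isdigit() and luhn_valid(digits):
        return digits
    return None


def mask_pan(raw: str, keep_bin: bool = False) -> str:
    """Display form of a PAN (14.2): last four digits only, or the six-digit BIN
    plus last four where a payment workflow needs the issuer prefix (the most
    PCI DSS allows to be shown on screen)."""
    digits = normalise_pan(raw)
    if digits is None:
        raise ValueError("not a valid PAN")
    head = digits[:6] if keep_bin else ""
    return head + "*" * (len(digits) - len(head) - 4) + digits[-4:]


def _keyed_digits(value: str, n: int, key: bytes) -> str:
    """n decimal digits derived from HMAC-SHA256(key, value).  Stable for one key,
    so joins across test tables still line up; without the key the original
    cannot be recovered.  A plain SHA-256 would NOT satisfy 14.3: with a known
    BIN the remaining PAN space is small enough to brute-force."""
    mac = hmac.new(key, value.encode(), hashlib.sha256).digest()
    return str(int.from_bytes(mac, "big") % 10 ** n).zfill(n)


def pseudonymise_pan(raw: str, key: bytes = PSEUDONYMISATION_KEY) -> str:
    """Replace a live PAN with a synthetic, Luhn-valid PAN of the same length, so
    test code that validates or formats card numbers keeps working.  If test
    systems can reach a live payment gateway, force a test BIN prefix instead."""
    digits = normalise_pan(raw)
    if digits is None:
        raise ValueError("not a valid PAN")
    payload = _keyed_digits(digits, len(digits) - 1, key)
    return payload + luhn_check_digit(payload)


def anonymise_record(rec: dict, key: bytes = PSEUDONYMISATION_KEY) -> dict:
    """Test-environment copy of a record (14.3): every identifying field is
    replaced by a keyed pseudonym that keeps the field's shape."""
    sort = _keyed_digits(rec["sort_code"], 6, key)
    return {
        "customer": "Customer " + _keyed_digits(rec["customer"], 6, key),
        "pan": pseudonymise_pan(rec["pan"], key),
        "sort_code": f"{sort[:2]}-{sort[2:4]}-{sort[4:]}",
        "account": _keyed_digits(rec["account"], 8, key),
    }


if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(mask_pan(rec["pan"]), mask_pan(rec["pan"], keep_bin=True))
        print(anonymise_record(rec))
```

Because the pseudonyms are a deterministic function of the key, rotating the key changes every synthetic value at once: regenerate the whole test data set rather than mixing extracts taken under different keys, and keep the key under the same dual-control key management that 14.1 requires for other cryptographic controls.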
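The leaver checklist at 7.1, the ID pass recovery at 9.4 and the prompt removal of leavers' accounts and minimum-necessary access at 15.1 are most easily evidenced (15.2) by reconciling the HR leaver list against the directory, the badge system and the time-stamped activity log that 15.3 requires. The following is an added example written for this edit, not Sky's or any supplier's code. The record formats, usernames, group names and log lines are constructed; a real run would pull the same fields from the actual HR, directory and badge systems.

```python
"""Reconciling leaver and access records (clauses 7.1, 9.4, 15.1 and 15.2).

Added example for this edit, not Sky's or any supplier's code.  The record
formats, usernames, group names and log lines are constructed.
"""
from datetime import datetime, timedelta

# Constructed inputs.  HR: username -> last working day.
LEAVERS = {"jsmith": "2015-02-27", "akhan": "2015-03-02"}

# Directory / application user store.
ACCOUNTS = [
    {"user": "jsmith", "enabled": True, "groups": ["sky-data-ro", "domain-admins"]},
    {"user": "akhan", "enabled": False, "groups": ["sky-data-ro"]},
    {"user": "mlee", "enabled": True, "groups": ["sky-data-ro", "sky-data-export"]},
]

# Badge system: ID pass status (9.4 requires recovery from leavers).
BADGES = {"jsmith": "active", "akhan": "returned", "mlee": "active"}

# The only groups this team's role justifies (15.1: minimum necessary access).
ROLE_ENTITLEMENTS = {"sky-data-ro", "sky-data-export"}

# Time-stamped activity log (15.3): ISO 8601 with UTC offset, one event per line.
EVENTS = """\
2015-02-27T17:55:02+00:00 login user=jsmith src=10.1.2.3
2015-03-02T18:30:00+00:00 login user=akhan src=10.1.2.4
2015-03-03T08:12:41+00:00 badge user=jsmith door=ops-floor
2015-03-04T09:01:10+00:00 login user=jsmith src=10.1.2.9
2015-03-05T10:00:00+00:00 login user=mlee src=10.1.2.5
"""


def parse_events(text: str) -> list:
    """Parse '<timestamp> <kind> key=value ...' lines into dicts with aware datetimes."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, *fields = line.split()
        event = {"ts": datetime.fromisoformat(ts), "kind": kind}
        event.update(f.split("=", 1) for f in fields)
        events.append(event)
    return events


def leaver_findings(leavers: dict, accounts: list, badges: dict, events: list,
                    grace: timedelta = timedelta(0)) -> list:
    """Return (user, finding) pairs for every leaver whose offboarding is incomplete.
    An empty list is the evidence that the 7.1 checklist held."""
    findings = []
    by_user = {a["user"]: a for a in accounts}
    for user, last_day in leavers.items():
        # Anything after the end of the last working day (plus any agreed grace) is a finding.
        cutoff = datetime.fromisoformat(last_day + "T23:59:59+00:00") + grace
        acct = by_user.get(user)
        if acct is not None and acct["enabled"]:
            findings.append((user, "account still enabled"))
        if badges.get(user) != "returned":
            findings.append((user, "ID pass not recovered"))
        for ev in events:
            if ev.get("user") == user and ev["ts"] > cutoff:
                findings.append((user, f"{ev['kind']} at {ev['ts'].isoformat()} after leaving"))
    return findings


def privilege_findings(accounts: list, allowed: set) -> list:
    """Accounts holding groups outside the role's entitlement (least privilege, 15.1)."""
    return [(a["user"], f"unexpected group {g}")
            for a in accounts for g in a["groups"] if g not in allowed]


if __name__ == "__main__":
    evs = parse_events(EVENTS)
    report = leaver_findings(LEAVERS, ACCOUNTS, BADGES, evs)
    report += privilege_findings(ACCOUNTS, ROLE_ENTITLEMENTS)
    for user, finding in report:
        print(user, finding)
```

The comparison only works because every timestamp carries a UTC offset and the systems feeding it share the synchronised clock that 15.3 requires; an unsynchronised badge controller would turn a genuine post-termination entry into noise, or a legitimate last-day login into a false finding.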


More information

SRA International Managed Information Systems Internal Audit Report

SRA International Managed Information Systems Internal Audit Report SRA International Managed Information Systems Internal Audit Report Report #2014-03 June 18, 2014 Table of Contents Executive Summary... 3 Background Information... 4 Background... 4 Audit Objectives...

More information

HIPAA CRITICAL AREAS TECHNICAL SECURITY FOCUS FOR CLOUD DEPLOYMENT

HIPAA CRITICAL AREAS TECHNICAL SECURITY FOCUS FOR CLOUD DEPLOYMENT HIPAA CRITICAL AREAS TECHNICAL SECURITY FOCUS FOR CLOUD DEPLOYMENT A Review List This paper was put together with Security in mind, ISO, and HIPAA, for guidance as you move into a cloud deployment Dr.

More information

EAA Policy for Accepting and Handling Credit and Debit Card Payments ( Policy )

EAA Policy for Accepting and Handling Credit and Debit Card Payments ( Policy ) EAA Policy for Accepting and Handling Credit and Debit Card Payments ( Policy ) Background Due to increased threat of identity theft, fraudulent credit card activity and other instances where cardholder

More information

A Rackspace White Paper Spring 2010

A Rackspace White Paper Spring 2010 Achieving PCI DSS Compliance with A White Paper Spring 2010 Summary The Payment Card Industry Data Security Standard (PCI DSS) is a global information security standard defined by the Payment Card Industry

More information

Name: Position held: Company Name: Is your organisation ISO27001 accredited:

Name: Position held: Company Name: Is your organisation ISO27001 accredited: Third Party Information Security Questionnaire This questionnaire is to be completed by the system administrator and by the third party hosting company if a separate company is used. Name: Position held:

More information

Becoming PCI Compliant

Becoming PCI Compliant Becoming PCI Compliant Jason Brown - brownj52@michigan.gov Enterprise Security Architect Enterprise Architecture Department of Technology, Management and Budget State of Michigan @jasonbrown17 History

More information

Information security controls. Briefing for clients on Experian information security controls

Information security controls. Briefing for clients on Experian information security controls Information security controls Briefing for clients on Experian information security controls Introduction Security sits at the core of Experian s operations. The vast majority of modern organisations face

More information

micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) August, 2013 Revision 8.0 MICROS Systems, Inc. Version 8.

micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) August, 2013 Revision 8.0 MICROS Systems, Inc. Version 8. micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) Revision 8.0 August, 2013 1 Table of Contents Overview /Standards: I. Information Security Policy/Standards Preface...5 I.1 Purpose....5

More information

Information Security Program Management Standard

Information Security Program Management Standard State of California California Information Security Office Information Security Program Management Standard SIMM 5305-A September 2013 REVISION HISTORY REVISION DATE OF RELEASE OWNER SUMMARY OF CHANGES

More information

Section 3.9 PCI DSS Information Security Policy Issued: June 2016 Replaces: January 2015

Section 3.9 PCI DSS Information Security Policy Issued: June 2016 Replaces: January 2015 Section 3.9 PCI DSS Information Security Policy Issued: June 2016 Replaces: January 2015 I. PURPOSE The purpose of this policy is to establish guidelines for processing charges on Payment Cards to protect

More information

University of Dayton Credit / Debit Card Acceptance Policy September 1, 2009

University of Dayton Credit / Debit Card Acceptance Policy September 1, 2009 University of Dayton Credit / Debit Card Acceptance Policy September 1, 2009 Effective Date of this Policy: August 1, 2008 Last Revision: September 1, 2009 Contact for More Information: UDit Internal Auditor

More information

Human Resources Policy documents. Data Protection Policy

Human Resources Policy documents. Data Protection Policy Policy documents Aims of the Policy apetito is committed to meeting its obligations under data protection law. As a business, apetito handles a range of Personal Data relating to its customers, staff and

More information

REGULATIONS FOR THE SECURITY OF INTERNET BANKING

REGULATIONS FOR THE SECURITY OF INTERNET BANKING REGULATIONS FOR THE SECURITY OF INTERNET BANKING PAYMENT SYSTEMS DEPARTMENT STATE BANK OF PAKISTAN Table of Contents PREFACE... 3 DEFINITIONS... 4 1. SCOPE OF THE REGULATIONS... 6 2. INTERNET BANKING SECURITY

More information

Dartmouth College Merchant Credit Card Policy for Managers and Supervisors

Dartmouth College Merchant Credit Card Policy for Managers and Supervisors Dartmouth College Merchant Credit Card Policy for Managers and Supervisors Mission Statement Dartmouth College requires all departments that process, store or transmit credit card data remain in compliance

More information

Information Security Policies. Version 6.1

Information Security Policies. Version 6.1 Information Security Policies Version 6.1 Information Security Policies Contents: 1. Information Security page 3 2. Business Continuity page 5 3. Compliance page 6 4. Outsourcing and Third Party Access

More information

Music Recording Studio Security Program Security Assessment Version 1.1

Music Recording Studio Security Program Security Assessment Version 1.1 Music Recording Studio Security Program Security Assessment Version 1.1 DOCUMENTATION, RISK MANAGEMENT AND COMPLIANCE PERSONNEL AND RESOURCES ASSET MANAGEMENT PHYSICAL SECURITY IT SECURITY TRAINING AND

More information

INFORMATION SECURITY MANAGEMENT SYSTEM. Version 1c

INFORMATION SECURITY MANAGEMENT SYSTEM. Version 1c INFORMATION SECURITY MANAGEMENT SYSTEM Version 1c Revised April 2011 CONTENTS Introduction... 5 1 Security Policy... 7 1.1 Information Security Policy... 7 1.2 Scope 2 Security Organisation... 8 2.1 Information

More information

Huddersfield New College Further Education Corporation

Huddersfield New College Further Education Corporation Huddersfield New College Further Education Corporation Card Payments Policy (including information security and refunds) 1.0 Policy Statement Huddersfield New College Finance Office handles sensitive cardholder

More information

Client Security Risk Assessment Questionnaire

Client Security Risk Assessment Questionnaire Select the appropriate answer from the drop down in the column, and provide a brief description in the section. 1 Do you have a member of your organization with dedicated information security duties? 2

More information

Information Security Policy

Information Security Policy Information Security Policy Last updated By A. Whillance/ Q. North/ T. Hanson On April 2015 This document and other Information Services documents are held online on our website: https://staff.brighton.ac.uk/is

More information

External Supplier Control Requirements

External Supplier Control Requirements External Supplier Control Requirements Cyber Security For Suppliers Categorised as High Cyber Risk Cyber Security Requirement Description Why this is important 1. Asset Protection and System Configuration

More information

University of Sunderland Business Assurance PCI Security Policy

University of Sunderland Business Assurance PCI Security Policy University of Sunderland Business Assurance PCI Security Policy Document Classification: Public Policy Reference Central Register IG008 Policy Reference Faculty / Service IG 008 Policy Owner Chief Financial

More information

Data Processing Agreement for Oracle Cloud Services

Data Processing Agreement for Oracle Cloud Services Data Processing Agreement for Oracle Cloud Services Version December 1, 2013 1. Scope and order of precedence This is an agreement concerning the Processing of Personal Data as part of Oracle s Cloud Services

More information

How To Ensure Network Security

How To Ensure Network Security NETWORK SECURITY POLICY Policy approved by: Assurance Committee Date: 3 December 2014 Next Review Date: December 2016 Version: 1.0 Page 1 of 12 Review and Amendment Log/Control Sheet Responsible Officer:

More information

Spillemyndigheden s Certification Programme Information Security Management System

Spillemyndigheden s Certification Programme Information Security Management System SCP.03.00.EN.1.0 Table of contents Table of contents... 2 1 Objectives of the... 3 1.1 Scope of this document... 3 1.2 Version... 3 2 Certification... 3 2.1 Certification frequency... 3 2.1.1 Initial certification...

More information

Spillemyndigheden s Certification Programme Information Security Management System

Spillemyndigheden s Certification Programme Information Security Management System SCP.03.00.EN.1.0 Table of contents Table of contents... 2 1 Introduction... 3 1.1 Spillemyndigheden s certification programme... 3 1.2 Objectives of the... 3 1.3 Scope of this document... 4 1.4 Definitions...

More information

University of Pittsburgh Security Assessment Questionnaire (v1.5)

University of Pittsburgh Security Assessment Questionnaire (v1.5) Technology Help Desk 412 624-HELP [4357] technology.pitt.edu University of Pittsburgh Security Assessment Questionnaire (v1.5) Directions and Instructions for completing this assessment The answers provided

More information

Information Circular

Information Circular Information Circular Enquiries to: Brooke Smith Senior Policy Officer IC number: 0177/14 Phone number: 9222 0268 Date: March 2014 Supersedes: File No: F-AA-23386 Subject: Practice Code for the Use of Personal

More information

A Decision Maker s Guide to Securing an IT Infrastructure

A Decision Maker s Guide to Securing an IT Infrastructure A Decision Maker s Guide to Securing an IT Infrastructure A Rackspace White Paper Spring 2010 Summary With so many malicious attacks taking place now, securing an IT infrastructure is vital. The purpose

More information

INFORMATION SECURITY SPECIFIC VENDOR COMPLIANCE PROGRAM (VCP) ACME Consulting Services, Inc.

INFORMATION SECURITY SPECIFIC VENDOR COMPLIANCE PROGRAM (VCP) ACME Consulting Services, Inc. INFORMATION SECURITY SPECIFIC VENDOR COMPLIANCE PROGRAM (VCP) ACME Consulting Services, Inc. Copyright 2016 Table of Contents INSTRUCTIONS TO VENDORS 3 VENDOR COMPLIANCE PROGRAM OVERVIEW 4 VENDOR COMPLIANCE

More information

Aberdeen City Council IT Security (Network and perimeter)

Aberdeen City Council IT Security (Network and perimeter) Aberdeen City Council IT Security (Network and perimeter) Internal Audit Report 2014/2015 for Aberdeen City Council August 2014 Internal Audit KPIs Target Dates Actual Dates Red/Amber/Green Commentary

More information

Supplier Security Assessment Questionnaire

Supplier Security Assessment Questionnaire HALKYN CONSULTING LTD Supplier Security Assessment Questionnaire Security Self-Assessment and Reporting This questionnaire is provided to assist organisations in conducting supplier security assessments.

More information

Cloud Software Services for Schools. Supplier self-certification statements with service and support commitments

Cloud Software Services for Schools. Supplier self-certification statements with service and support commitments Cloud Software Services for Schools Supplier self-certification statements with service and support commitments Supplier name Address Contact name Contact email Meritec Limited Meritec House, Acorn Business

More information

IT General Controls Domain COBIT Domain Control Objective Control Activity Test Plan Test of Controls Results

IT General Controls Domain COBIT Domain Control Objective Control Activity Test Plan Test of Controls Results Acquire or develop application systems software Controls provide reasonable assurance that application and system software is acquired or developed that effectively supports financial reporting requirements.

More information

How To Monitor A Municipality

How To Monitor A Municipality UMHLABUYALINGANA MUNICIPALITY ACTIVITY MONITORING POLICY AND PROCEDURE Activity Monitoring Policy and Procedure Approval and Version Control Approval Process: Position or Meeting Number: Date: Originator

More information

This Amendment consists of two parts. This is part 1 of 2 and must be accompanied by and signed with part 2 of 2 (Annex 1) to be valid.

This Amendment consists of two parts. This is part 1 of 2 and must be accompanied by and signed with part 2 of 2 (Annex 1) to be valid. Microsoft Online Subscription Agreement Amendment adding Office 365 Data Processing Agreement (with EU Standard Contractual Clauses) Amendment ID Proposal ID MOSA number Microsoft to complete This Amendment

More information

Central Agency for Information Technology

Central Agency for Information Technology Central Agency for Information Technology Kuwait National IT Governance Framework Information Security Agenda 1 Manage security policy 2 Information security management system procedure Agenda 3 Manage

More information

Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4

Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4 WHITEPAPER Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4 An in-depth look at Payment Card Industry Data Security Standard Requirements 10, 11,

More information

05.118 Credit Card Acceptance Policy. Vice Chancellor of Business Affairs. History: Effective July 1, 2011 Updated February 2013

05.118 Credit Card Acceptance Policy. Vice Chancellor of Business Affairs. History: Effective July 1, 2011 Updated February 2013 05.118 Credit Card Acceptance Policy Authority: Vice Chancellor of Business Affairs History: Effective July 1, 2011 Updated February 2013 Source of Authority: Office of State Controller (OSC); Office of

More information

DATA AND PAYMENT SECURITY PART 1

DATA AND PAYMENT SECURITY PART 1 STAR has teamed up with Prevention of Fraud in Travel (PROFiT) and the Fraud Intelligence Network (FIN) to offer our members the best advice about fraud prevention. We recognise the increasing threat of

More information

1 Purpose... 2. 2 Scope... 2. 3 Roles and Responsibilities... 2. 4 Physical & Environmental Security... 3. 5 Access Control to the Network...

1 Purpose... 2. 2 Scope... 2. 3 Roles and Responsibilities... 2. 4 Physical & Environmental Security... 3. 5 Access Control to the Network... Contents 1 Purpose... 2 2 Scope... 2 3 Roles and Responsibilities... 2 4 Physical & Environmental Security... 3 5 Access Control to the Network... 3 6 Firewall Standards... 4 7 Wired network... 5 8 Wireless

More information

INFORMATION TECHNOLOGY MANAGEMENT CONTENTS. CHAPTER C RISKS 357-7 8. Risk Assessment 357-7

INFORMATION TECHNOLOGY MANAGEMENT CONTENTS. CHAPTER C RISKS 357-7 8. Risk Assessment 357-7 Information Technology Management Page 357-1 INFORMATION TECHNOLOGY MANAGEMENT CONTENTS CHAPTER A GENERAL 357-3 1. Introduction 357-3 2. Applicability 357-3 CHAPTER B SUPERVISION AND MANAGEMENT 357-4 3.

More information

Cloud Software Services for Schools

Cloud Software Services for Schools Cloud Software Services for Schools Supplier self-certification statements with service and support commitments Supplier name Address Contact name Contact email Contact telephone Parent Teacher Online

More information

Operational Risk Publication Date: May 2015. 1. Operational Risk... 3

Operational Risk Publication Date: May 2015. 1. Operational Risk... 3 OPERATIONAL RISK Contents 1. Operational Risk... 3 1.1 Legislation... 3 1.2 Guidance... 3 1.3 Risk management process... 4 1.4 Risk register... 7 1.5 EBA Guidelines on the Security of Internet Payments...

More information

PCI Requirements Coverage Summary Table

PCI Requirements Coverage Summary Table StillSecure PCI Complete Managed PCI Compliance Solution PCI Requirements Coverage Summary Table January 2013 Table of Contents Introduction... 2 Coverage assumptions for PCI Complete deployments... 2

More information

University of Sunderland Business Assurance Information Security Policy

University of Sunderland Business Assurance Information Security Policy University of Sunderland Business Assurance Information Security Policy Document Classification: Public Policy Reference Central Register Policy Reference Faculty / Service IG 003 Policy Owner Assistant

More information

SECTION: SUBJECT: PCI-DSS General Guidelines and Procedures

SECTION: SUBJECT: PCI-DSS General Guidelines and Procedures 1. Introduction 1.1. Purpose and Background 1.2. Central Coordinator Contact 1.3. Payment Card Industry Data Security Standards (PCI-DSS) High Level Overview 2. PCI-DSS Guidelines - Division of Responsibilities

More information

Cloud Software Services for Schools

Cloud Software Services for Schools Cloud Software Services for Schools Supplier self-certification statements with service and support commitments Please insert supplier details below Supplier name Address Contact name Contact email Contact

More information

CONTENTS. Security Policy

CONTENTS. Security Policy CONTENTS PHYSICAL SECURITY (UK) PHYSICAL SECURITY (CHICAGO) PHYSICAL SECURITY (PHOENIX) PHYSICAL SECURITY (SINGAPORE) SYSTEM SECURITY INFRASTRUCTURE Vendor software updates Security first policy CUSTOMER

More information

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA) UNIVERSITY OF PITTSBURGH POLICY SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA) DATE: March 18, 2005 I. SCOPE This

More information

Access Control Policy

Access Control Policy Version 3.0 This policy maybe updated at anytime (without notice) to ensure changes to the HSE s organisation structure and/or business practices are properly reflected in the policy. Please ensure you

More information

Lot 1 Service Specification MANAGED SECURITY SERVICES

Lot 1 Service Specification MANAGED SECURITY SERVICES Lot 1 Service Specification MANAGED SECURITY SERVICES Fujitsu Services Limited, 2013 OVERVIEW OF FUJITSU MANAGED SECURITY SERVICES Fujitsu delivers a comprehensive range of information security services

More information

PAYMENT CARD INDUSTRY DATA SECURITY STANDARD POLICY. Mike Davis, Director of Finance Housing and Community. Cabinet approve the Policy for Dover.

PAYMENT CARD INDUSTRY DATA SECURITY STANDARD POLICY. Mike Davis, Director of Finance Housing and Community. Cabinet approve the Policy for Dover. Subject: PAYMENT CARD INDUSTRY DATA SECURITY STANDARD POLICY Meeting and Date: Cabinet 13 July 2015 Report of: Portfolio Holder: Decision Type: Classification: Purpose of the report: Recommendation: Mike

More information

How to complete the Secure Internet Site Declaration (SISD) form

How to complete the Secure Internet Site Declaration (SISD) form 1 How to complete the Secure Internet Site Declaration (SISD) form The following instructions are designed to assist you in completing the SISD form that forms part of your Merchant application. Once completed,

More information

Dartmouth College Merchant Credit Card Policy for Processors

Dartmouth College Merchant Credit Card Policy for Processors Mission Statement Dartmouth College Merchant Credit Card Policy for Processors Dartmouth College requires all departments that process, store or transmit credit card data remain in compliance with the

More information

6-8065 Payment Card Industry Compliance

6-8065 Payment Card Industry Compliance 0 0 0 Yosemite Community College District Policies and Administrative Procedures No. -0 Policy -0 Payment Card Industry Compliance Yosemite Community College District will comply with the Payment Card

More information

Catalyst Consulting & Events (CCE) takes seriously its commitment to preserve the privacy of the personal information that we collect.

Catalyst Consulting & Events (CCE) takes seriously its commitment to preserve the privacy of the personal information that we collect. PRIVACY POLICY 1. Introduction Catalyst Consulting & Events (CCE) takes seriously its commitment to preserve the privacy of the personal information that we collect. We will only collect information that

More information