
TfL RESTRICTED

FINAL INTERNAL AUDIT REPORT

Security of Data within Santander Cycle Hire (IA 15 412)

Leon Daniels, Managing Director, Surface Transport

Audit Conclusion: Well Controlled and Audit Closed

16 July 2015

Number of issues
  Priority 1: 0
  Priority 2: 0
  Priority 3: 0

CONTENTS

EXECUTIVE SUMMARY
APPENDIX 1 – DISTRIBUTION LIST
APPENDIX 2 – DEFINITION OF ISSUE RATINGS

Audit information

Version: 1
Draft versions issued: 1
Fieldwork started: 8 June 2015
Fieldwork completed: 10 July 2015
Draft report issued: 15 July 2015
Auditor: Thomas Mathew
Audit Manager: Emilija Antevska
Director of Internal Audit: Clive Walker

EXECUTIVE SUMMARY

Introduction and background

The cycle hire scheme is run by Transport for London (TfL) to enable customers to hire and use bicycles as a mode of transport throughout London. The operation of the scheme is outsourced to Serco, with sponsorship funding provided by Santander Bank.

Contractual agreements are in place with Serco to ensure that appropriate processes, technology and staff are available to facilitate the smooth operation of the scheme.

As part of the cycle hire operations, Serco maintains customer data on its systems which must be retained and used in a secure manner to avoid the risk of the data being misused or becoming available to unauthorised individuals.

Objective

The objective of this audit was to review the effectiveness of the IT security arrangements that have been established between Serco and Transport for London (TfL), to provide assurance that the confidentiality, integrity and availability of the data are maintained within the Cycle Hire systems.

Scope

The audit focused on the control environment in relation to the following key risk areas:

• TfL requirements for securing Santander Cycle Hire data are reflected within the contractual arrangements with Serco

• Processes and arrangements are established between Serco and TfL to review and obtain assurance of the confidentiality, integrity and availability of data

• Arrangements and processes are implemented to review and, where necessary, implement improvements to the contractual arrangements related to IT security

Summary of findings

TfL requirements for security of data for the cycle hire scheme have been captured within a Statement of Requirements (SOR) document which is incorporated into the contract with Serco. The SOR specifically requires Serco to implement a number of security measures to preserve the confidentiality, integrity and availability of the cycle hire scheme information.

The measures put in place include the implementation of a robust security framework for the protection of information and systems that extends to subcontractors, who are required to comply with it and the associated security policies.

The SOR document includes specific requirements for Serco to comply with the principles of the Data Protection Act, the requirements of ISO 27001 (the best-practice framework for information security management) and the Payment Card Industry Data Security Standard (PCI DSS).

Furthermore, Serco have mapped and specified how the SOR will be met within the Security Policy as Appendix B to the SOR. The Security Policy sets out in detail the approach and measures that Serco have put in place to maintain the security of data.

In addition to the Security Policy, the security framework established by Serco includes the Security Management Policy and the Service Security Policy, which are underpinned by a Security Plan that sets out the security controls implemented and maintained by Serco.

The measures within the security plan are derived from the SOR document and encapsulated within Schedule 14 of the contract. Specifically, the Security Plan addresses the overall organisation of information security, asset management, human resource security, physical and environmental security, communications and operations management, access control, information systems acquisition, development and maintenance, incident management, business continuity management and compliance processes.

TfL Cycle Hire obtains assurance that the confidentiality, integrity and availability of information are maintained by independent audits of Serco. These include Data Protection and ISO 27001 audits conducted by Quality Matters Limited and PCI DSS audits performed by Trustwave. These reports are made available to TfL senior management and are discussed at the monthly security forums.

As part of the cycle hire scheme governance structure, a number of meetings are held regularly with Serco, including contractual, performance and operational review meetings. In addition, a specific security review meeting is also held between TfL and Serco IM Security staff to clearly understand the performance of security against service targets and risks.

This security meeting provides a forum to review and discuss the monthly security reports provided by Serco in relation to vulnerabilities and risks identified, in conjunction with the overall security activities being undertaken by Serco to minimise and mitigate security risks. Escalation processes are available through this forum and other contractual and operational meetings to discuss and remediate issues or deficiencies identified.

Conclusion

Based on the findings, we have concluded that the arrangements that have been established between Serco and TfL to ensure the confidentiality, integrity and availability of the data maintained within the Cycle Hire systems are well controlled.

This audit is now closed.

We would like to thank all those who were involved in and contributed to this audit.

APPENDIX 1 – Distribution list

This report was sent to Leon Daniels, Managing Director, Surface Transport, by Clive Walker, Director of Internal Audit, and copied to:

James Mead, General Manager Cycle Hire, ST
Garrett Emmerson, Chief Operating Officer, ST
Peter Blake, Director of Service Operations, ST
Patrick Doig, Director of Finance, ST
David Eddington, London Cycle Hire Operations Manager, ST
Gary Trotter, IM Technical Solutions Architect, IM
Ashwini Karanjalkar, IM Security Analyst
Karlene Reid, as Key Risk Representative
Nigel Blore, Head of Group Insurance
Andrea Clarke, Director of TfL Legal
Andrew Pollins, Interim Chief Finance Officer
Howard Carter, General Counsel
Karl Havers, EY

APPENDIX 2 – Definition of issue ratings

Priority 1

Significant weakness(es) in the control environment which, if not addressed, have the potential to undermine the achievement of key corporate and/or business area objectives.

Priority 2

Other control weakness(es) that are less significant but still have the potential to threaten the achievement of corporate and/or business area objectives.

Priority 3

While not necessarily a control weakness, there is potential for process improvement by, for example, ensuring compliance with good practice, increasing process efficiency, identifying areas of ‘over control’, or strengthening the overall control environment by building upon the existing controls.
