TfL RESTRICTED
FINAL INTERNAL AUDIT REPORT
Security of Data within Santander Cycle
Hire (IA 15 412)
Leon Daniels, Managing Director, Surface
Transport
Audit Conclusion: Well Controlled and
Audit Closed
16 July 2015
Number of issues:
Priority 1: 0
Priority 2: 0
Priority 3: 0
CONTENTS
EXECUTIVE SUMMARY ... 3
APPENDIX 1 – DISTRIBUTION LIST ... 6
APPENDIX 2 – DEFINITION OF ISSUE RATINGS ... 7
Audit information
Version: 1
Draft versions issued: 1
Fieldwork started: 8 June 2015
Fieldwork completed: 10 July 2015
Draft report issued: 15 July 2015
Auditor: Thomas Mathew
Audit Manager: Emilija Antevska
Director of Internal Audit: Clive Walker
EXECUTIVE SUMMARY
Introduction and background
The cycle hire scheme is run by Transport for London (TfL) to enable customers to hire and use bicycles as a mode of transport throughout London. The operation of the scheme is outsourced to Serco with sponsorship funding provided by the Santander Bank.
Contractual agreements are in place with Serco to ensure that appropriate processes, technology and staff are available to facilitate the smooth operation of the scheme.
As part of the cycle hire operations, Serco maintains customer data on its systems which must be retained and used in a secure manner to avoid the risk of the data being misused or becoming available to unauthorised individuals.
Objective
The objective of this audit was to review the effectiveness of the IT security arrangements that have been established between Serco and Transport for London (TfL), to provide assurance that the confidentiality, integrity and availability of the data is maintained within the Cycle Hire systems.
Scope
The audit focused on the control environment in relation to the following key risk areas:
TfL requirements for securing Santander Cycle Hire data are reflected within the contractual arrangements with Serco
The processes and arrangements are established between Serco and TfL to review and obtain assurance of the confidentiality, integrity and availability of data
Arrangements and processes are implemented to review and, where necessary, implement improvements to the contractual arrangements related to IT security
Summary of findings
TfL requirements for security of data for the cycle hire scheme have been captured within a Statement of Requirements (SOR) document which is incorporated into the contract with Serco. The SOR specifically requires Serco to implement a number of security measures to preserve the confidentiality, integrity and availability of the cycle hire scheme information.
The measures put in place include the implementation of a robust security framework for the protection of information and systems that extends to sub-contractors, who are required to comply with it and the associated security policies.
The SOR document includes specific requirements for Serco to be compliant with the principles of the Data Protection Act, the requirements of the ISO 27001 (the best practice framework for information security management) and the Payment Card Industry Data Security Standards (PCI DSS).
Furthermore, Serco have mapped and specified how the SOR will be met within the Security Policy as Appendix B to the SOR. The Security Policy sets out in detail the approach and measures that Serco have put in place to maintain the security of data.
In addition to the Security Policy, the security framework established by Serco includes the Security Management Policy and the Service Security Policy, which are underpinned by a Security Plan that sets out the security controls implemented and maintained by Serco.
The measures within the security plan are derived from the SOR document and encapsulated within Schedule 14 of the contract. Specifically, the Security Plan addresses the overall organisation of information security, asset management, human resource security, physical and environmental security, communications and operations management, access control, information systems acquisition, development and maintenance, incident management, business continuity management and compliance processes.
TfL Cycle Hire obtains assurance that the confidentiality, integrity and availability of information are maintained by independent audits of Serco. These include Data Protection and ISO 27001 audits conducted by Quality Matters Limited and PCI DSS audits performed by Trustwave. These reports are made available to TfL senior management and discussed at the monthly security forums.
As part of the cycle hire scheme governance structure, a number of meetings are held regularly with Serco, including contractual, performance and operational review meetings. In addition, a specific security review meeting is also held between TfL and Serco IM Security staff to clearly understand the performance of security against service targets and risks.
This security meeting provides a forum to review and discuss the monthly security reports provided by Serco in relation to vulnerabilities and risks identified, in conjunction with the overall security activities being undertaken by Serco to minimise and mitigate security risks. Escalation processes are available through this forum and other contractual and operational meetings to discuss and remediate issues or deficiencies identified.
Conclusion
Based on the findings, we have concluded that the arrangements that have been established between Serco and TfL to ensure the integrity of the data maintained within the Cycle Hire systems are well controlled.
This audit is now closed.
We would like to thank all those who were involved in and contributed to this audit.
APPENDIX 1 – Distribution list
This report was sent to Leon Daniels, Managing Director, Surface Transport, by Clive Walker, Director of Internal Audit, and copied to:
James Mead, General Manager Cycle Hire, ST
Garrett Emmerson, Chief Operating Officer, ST
Peter Blake, Director of Service Operations, ST
Patrick Doig, Director of Finance, ST
David Eddington, London Cycle Hire Operations Manager, ST
Gary Trotter, IM Technical Solutions Architect, IM
Ashwini Karanjalkar, IM Security Analyst
Karlene Reid, as Key Risk Representative
Nigel Blore, Head of Group Insurance
Andrea Clarke, Director of TfL Legal
Andrew Pollins, Interim Chief Finance Officer
Howard Carter, General Counsel
Karl Havers, EY
APPENDIX 2 – Definition of issue ratings
Priority 1
Significant weakness(es) in the control environment which, if not addressed, have the potential to undermine the achievement of key corporate and/or business area objectives.
Priority 2
Other control weakness(es) that are less significant but still have the potential to threaten the achievement of corporate and/or business area objectives.
Priority 3
While not necessarily a control weakness, there is potential for process improvement by, for example, ensuring compliance with good practice, increasing process efficiency, identifying areas of ‘over control’, or strengthening the overall control environment by building upon the existing controls.