SEC Section G details the security arrangements of interactions with the DCC. These are designed under a principle that there must be no single point of vulnerability.
The SEC classes DCC and User security obligations into three categories:
1. System Security – requires ensuring the overall security of systems, with protective monitoring of security events and of any deviation from steady-state operation.
2. Organisational Security – requires that personnel able to access systems are granted only an appropriate level of access, and that users holding high levels of access are appropriately cleared.
3. Information Security – requires establishing Information Security Management Systems which shall also comply with recognised International Standards.
In addition to the three categories above, there are obligations relating to the assurance and enforcement of security measures. Each User is responsible under the SEC for identifying and managing the risk of Compromise, and must do so in a manner that complies with ISO/IEC 27005 or an equivalent standard.
To become eligible to use the DCC Systems, SEC Parties must pass a User Security Assessment conducted by the User Competent Independent Organisation (User CIO). After this, there is an annual Assessment cycle; the type of User Security Assessment required depends on the number of Smart Meter Systems the User interacts with via its User System.
Section I of the SEC sets out the obligations of the Data and Communications Company (DCC) and each User of the DCC Services on data protection, access to consumption data and Other User Privacy Audits.
These requirements include a cycle of Privacy Assessments for every User acting in the User Role of Other User. Users not acting in that role are not required to go through this process.
The Privacy Assessment cycle begins with a Full Privacy Assessment which is required as part of the User Entry Process (set out in Section H1).
Privacy Assessments are performed by an Independent Privacy Auditor appointed by the SEC Panel. The same organisation is also appointed to the role of User Independent Security Assurance Service Provider, and in these two roles together it is known as the User Competent Independent Organisation (User CIO).