Due to the interconnected nature of systems supporting smart metering, SEC Parties require confidence that Users and the DCC are operating secure systems and are compliant with their security obligations. Assurance arrangements have been developed to provide a mechanism for assessing security compliance on an on-going basis. The assurance arrangements aim to provide confidence to all SEC Parties that the systems supporting smart metering are appropriately secure. In having a connection to the DCC, all parties become a source of security risk to the system as a whole.
As required by the Smart Energy Code (SEC), the DCC shall be independently assessed by the DCC Independent Security Assurance Service Provider, also known as the DCC Competent Independent Organisation (DCC CIO), in the circumstances and at the times set out in SEC Section G9.
As DCC delegates elements of operation of the DCC Total System to various Service Providers (SPs), the DCC CIO will also independently assess these organisations against those elements of the DCC Licence conditions and SEC assigned to them by the DCC. The SPs are not SEC Parties; instead the requirement for them to undergo a DCC CIO assessment is based on their contract with DCC.
The DCC SCF is intended to provide support and guidance to all parties involved in the DCC Security Assessment Process. As stated in the SEC (G7.19), the Security Controls Framework (DCC SCF) shall set out the appropriate DCC Security Assessment Methodology to be applied to different categories of security assurance assessment carried out in accordance with Section G9 (DCC Security Assurance).
Part 1 of the DCC SCF provides the methodology and high-level guidance to explain the approach, the assessment type and the method that the DCC CIO will use to conduct the DCC Security Assessment in line with the in-scope security obligations.
Part 2 of the DCC SCF provides more detailed and practical guidance for the DCC and SPs to assist them through the assessment process, the review by the Security Sub-Committee (SSC) and the potential steps required prior to commencing and continuing live operations. The Appendices in Part 2 describe the type of evidence the DCC CIO will expect to see, as well as providing advice on formulating a DCC management response to the DCC CIO observations, preparing for the review by the SSC and the likely steps needed to be able to commence live operations.