Spotlight on Security

17 September 2019

In light of some recent changes to a number of Security Assessment processes, we have put together a short list of what you need to know in a hurry:

  • Remediation plans may now be required if you have any remaining non-compliances following your Verification User Security Assessment (VUSA). This needs to clearly set out your planned actions and timescales for remediating your outstanding obligations, and once you’re done, you will also need to submit a director-signed cover letter for SSC approval. You can find further guidance at the bottom of this page under ‘Director’s Letter Guidance’.
  • It is now easier to become compliant with SEC Obligations G3.17 – G3.20! After working with the User CIO and the SSC, it was agreed that a Letter of Intent or Memorandum of understanding may be submitted regarding “Duty to Notify / Be Notified”. Further information can be found here.
  • Security Self-Assessments must be scheduled within a year of your last User CIO fieldwork (dates can be found on your Egress report). We have also updated the SSA questions to include risks of SMETS1 Enrolment and Adoption, and added an extra column to make it easier to see which questions are relevant to your SEC Party type. Find the new workbook here.
  • We have a new Validation Workbook which has a new tab for Parties to refer to additional uploaded evidence, as well as adding in the new Remediation Plan and the SSA questions. Find the new workbook here.
  • SMETS1 Enrolment and Adoption may mean you cross the 250,000 premises threshold this year, which affects your third-year assessment type. Check the Security Controls Framework here for more guidance. SECAS will be checking in on Users to check the 3rd year assessment booked it still the relevant type.
  • If you use a Shared Resource Provider and are a Live DCC User, G5.27 requires you to let us know every 6 months how many Smart Metering Systems are in your portfolio capable of sending Critical Requests to the DCC. We can also accept the figures directly from your SRP – if in doubt, get in touch with them.

For any further queries, please contact