MP103 DCC SOC2 Assessments

Proposer Gordon Hextall
Lead Analyst SEC Change
Date raised 18/12/2019
StageImplemented
Implementation date November 2020 SEC Release
Latest update This Modification was implemented on 29 November 2020 as part of the November 2020 SEC Release.

What is the issue?

Currently, SEC Section G requires the Data Communications Company (DCC) to undertake an annual Systems Organisation Controls 2 (SOC) 2 assessment to gain independent assurance of its compliance with the SEC security obligations and the security controls in place at DCC and its Service Providers. Unnecessary cost is incurred in both undertaking the assessment and in complying with an assurance framework that does not relate to the SEC provisions.

What is the solution?

The proposed solution is to retain the approach that requires the DCC to procure a DCC Security Assessment (whereby the procurement effort and cost of the assessment is for the DCC to bear) but to emulate the User Security Assessment process by adopting much of the legal text in Section G8 that applies to Users.

Who is impacted?

DCC

What SEC documents are affected?

Section G 'Security'

Timeline

18 Dec 2019
Draft Proposal Raised
17 Jan 2020
Draft Proposal converted to Modification Proposal
01 Apr 2020
Modification discussed with Working Group
22 Jun 2020
Modification Report Consultation
22 Jul 2020
Change Board Vote

Modification documents

MP103 Conclusions Report
23/07/2020
MP103 Modification Report Consultation
19/06/2020
MP103 Refinement Consultation Responses
03/06/2020
MP103 Refinement Consultation
11/05/2020
MP103 April 2020 Working Group summary
08/04/2020
DP103 Problem Statement
18/12/2019
No files
No files
No files
No files
No files

If you believe there is a problem with this modification, please let us know HERE.

Feedback
close slider