Pursuant to the Smart Energy Code (SEC) Section H1.10, all SEC Parties are required to undergo an Initial Full User Security Assessment as part of the User Entry Process. Each User shall be independently assessed by the User Independent Security Assurance Service Provider (also known as the User Competent Independent Organisation (User CIO)). The User CIO has been appointed by the SEC Panel to undertake security assessments on its behalf.
The assessment type and cycle vary by User Role, in both their approach and their coverage of SEC obligations. The purpose of these assessments is to provide confidence to SEC Parties (via the SEC Panel) on the compliance status of each User. To allow the SEC Panel to make this assessment, each User is assessed against SEC obligations via a Security Controls Framework (SCF). The SCF is intended to provide the basis for a consistent level of review across all Users, and to provide a guide to the types of evidence a User could provide to demonstrate compliance with its obligations.
As stated in the SEC (G7.16), the Security Controls Framework (SCF) shall:
- Set out the appropriate User Security Assessment Methodology to be applied to different categories of security assurance assessment carried out in accordance with Section G8 (User Security Assurance); and
- Be designed to ensure that such security assurance assessments are proportionate, consistent in their treatment of equivalent Users and equivalent User Roles, and achieve appropriate levels of security assurance in respect of different Users and different User Roles.
In addition to this, the SCF describes the type of evidence the User CIO will expect to see, and formalises a number of the norms with regard to the working practices of the User CIO and its interactions with Users.
The SCF main body has now been updated with dates and timeframes which were previously marked as "to be confirmed". The SCF was presented to the SSC, which approved the document on 25 August 2016, and it has now been uploaded to this page on the SEC website.
The Security Controls Framework – Agreed Interpretations document has been uploaded for the benefit of all SEC Parties. These agreed interpretations do not replace or alter SEC obligations, but should offer clarity and context for specific defined terms.