Section G of the SEC details the security arrangements required for DCC Users to interact with the DCC. These are designed to ensure that there is no single point of vulnerability.
To become eligible to use the DCC Systems, SEC Parties must pass a User Security Assessment conducted by the User Competent Independent Organisation (User CIO). After this, assessments are annual. The specific type of User Security Assessment required depends on the number of Smart Meter Systems a User interacts with.
The SEC highlights three areas of security obligations for the DCC and Users:
- System Security – This requires ensuring the overall security of systems, with protective monitoring of events and any deviations from steady-state operation.
- Organisational Security – This requires ensuring that personnel able to access systems are granted an appropriate level of access and ensuring that users with high levels of access are appropriately cleared.
- Information Security – This requires establishing Information Security Management Systems which shall also comply with recognised International Standards.
In addition to the three categories above, there are also obligations relating to the assurance and enforcement of security measures. Each User is responsible under the SEC for identifying and managing the risk of Compromise, and its approach to doing so should comply with the ISO 27005 standard, or equivalent.
Section I of the SEC sets out the obligations of the Data and Communications Company (DCC) and each User of the DCC Services in relation to data protection, access to consumption data, and Other User Privacy Audits.
These obligations include the requirement for all Users acting in the User Role of ‘Other User’ to undergo a cycle of Privacy Assessments. Users not acting in the role of ‘Other User’ are not required to go through this process. The Privacy Assessment cycle begins with a Full Privacy Assessment, which is a mandatory part of the User Entry Process (set out in Section H1).
Privacy Assessments are performed by the User Independent Privacy Auditor (IPA), as appointed by the SEC Panel. If you have any questions about your Security and Privacy Obligations, please contact the SECAS Helpdesk.