Welcome to Serco.com. Please review the region selection dropdown just below to get the most relevant content to your region.

Securing information

Our computer systems and printed archives contain vital information and valuable assets. We must properly protect and secure them.

With digital technology, including mobile devices and smartphones, we should take particular care with passwords and logins, and when we use the Internet.  We need to carefully manage the way we use our archiving and information storage systems.  We must also accurately classify our information and dispose of it properly.

If you are intending to use a portable PC, laptop, mobile device or removable media outside our secure premises you must make sure it is properly encrypted. If in doubt, speak to your IT Department.

Keep it safe.

Document classification

Classifying our documents and emails, based on the information they contain, is a vital part of information security at Serco. It helps to ensure every piece of information is stored, handled and shared in the right places with the right people.

Read more

You need to understand our different classifications and select the right one for every document and email you create or change. It is your responsibility to know and understand the policy and guidelines for Information Privacy Classification.

Serco Restricted and Sensitive (SRS)

SRS is our highest classification. We use it ONLY for the most sensitive and valuable information, requiring the greatest level of security.  SRS information must only be shared on a need to know basis and restricted to authorised personnel only. 

Serco Business (SB)

SB should be used for our day-to-day business information that is generally available within our offices, systems and intranet, or when sharing relevant business information with intended third parties.  Think carefully before sharing SB information outside of Serco as disclosure to the wrong people may cause unwanted exposure to the inner workings of our business and customers.

For more information visit:

Security Group Standard (Access - Serco Employees only)
Acceptable Use Group Standard
Data Protection Group Standard Operating Procedure (Access - Serco Employees only)

Read less

What you can expect from us:

  • We must protect valuable information from unauthorised disclosure, modification or deletion. This applies to information kept in any form, digital, analogue or printed.
  • We have policies and procedures to ensure our information remains secure at all times and does not fall into the wrong hands.
  • We will provide secure storage facilities for our information.
  • We give clear guidelines for making and distributing documents.
  • We monitor our systems for viruses, malware and other malicious code.
  • We provide encryption for all devices and situations where this is required.

We expect you to:

  • Always keep your Serco login details safe. If you think they have been compromised, you should change them and report it to your manager or IT department.
  • Maintain appropriate privacy for our information and ensure it is classified in line with Serco's standards, or your customer's standards where that's agreed. If you handle a customer's information, you should use the customer's classification. If there isn't one, you should use Serco's classification.
  • Never disclose information with a protective marking to anyone who doesn't have the right to see it or the need to know it. Only copy it onto removable media if there is a significant or unavoidable business need and the media is encrypted. If you are electronically transmitting the information outside Serco, then you should encrypt it.
  • Take great care not to give information about Serco employees, our customers or partners to any third parties, unless you have authorisation from the information owner.
  • Never connect non-Serco or private IT equipment to Serco or customer networks without your IT department's permission.
  • You must permanently remove business-sensitive and personal information from devices before their disposal or reuse, and shred any printouts that contain such information if you are disposing of them.
  • Never intentionally introduce viruses or other malicious programs into systems belonging to us, our customers or our partners.
  • Make sure you do not leave important documents or printed information lying around.

We need to carefully manage the way we use our archiving and information storage systems. With digital technology, including mobile devices and smartphones, we should take particular care with passwords and logins, and when we use the Internet. We must also accurately classify our information and dispose of it properly.

A friend calls you in a panic. She needs to send in a report to her boss urgently but she is unable to access it from home. She gives you her username and password and asks you to get the report and email it.

Should you?

1. No, we can't do this

Right answer because:

Passwords and log on details are a critical first line of protection for our systems, the information they contain and our digital security. For the cyber-criminal, each one of us represents a possible portal into Serco. That's why Our Code says,

"Always keep your Serco log in details safe."

It is against company rules to give anyone your username or password and it is against the rules to use anyone else's, even if you have been given permission.

So in this case, if you did as your friends asks, you'd both be breaking our policy on securing information. And that's a serious offence.

But since this is really urgent, there is something your friend can do. She can speak to her boss and arrange with IT to access the relevant report and get it sent.

If she didn't do this, and you heard her asking someone else to access her machine after you refused, you'd need to raise this issue with your manager and your divisional security manager.

Always ask if you are not sure what to do.

2. Ask your boss if you can do this

Wrong. Please try again.

3. It's urgent, she's given you permission - so it's fine

Wrong. Please try again.

You want to move some information to a non-Serco employee's machine and they give you an unencrypted memory stick to use as yours is not available.

Can you use it?

1. Yes, it's not confidential information

Wrong. Please try again.

2. Yes, it's a business need and we don't have an encrypted memory stick to hand

Wrong. Please try again.

3. No, not under any circumstances

Right answer because:

We often need to share information with third parties. That's an everyday occurrence. But we do need to take great care. And in this case, there are three important issues.

The first is about the nature of the information you want to transfer. If it's confidential information, then you must make sure that the person you're giving it to has signed a non disclosure agreement.

When transferring information you must make sure that the device is properly encrypted. Encryption helps to make sure that the information stays safe and doesn't fall into the wrong hands.

But the device must also be properly authorised. This is equally important. Never use a non-authorised device to do the transfer without the correct approvals. The reason is that attaching an unauthorised external device increases the risk of viruses, Trojans and other malware being introduced.

That's why our Code says:

"Never connect non-Serco or private IT equipment to Serco or customer networks without your IT department's permission."

If in doubt, speak to your IT Department

A colleague is off sick and your ugently need an important file on their machine.

You know their username and are pretty certain that their password is their child's name and age. You are certain your colleague won't mind you accessing their machine.

Anything wrong with this?

1. Everything. You can't access anyone else's computer

Right answer because:

Even though there's an urgent business need to get at these files, you cannot access another person's computer, with or without their permission.

Passwords and log on details are a critical first line of protection for our systems, the information they contain and our digital security. For the cyber-criminal, each one of us represents a possible portal into Serco. That's why it's against company rules to give anyone your username or password, or to use someone else's, even if you have been given permission.

There are a number of other important issues in this case.

Our Code says,

"Always keep your Serco log in details safe."

Your colleague has clearly not kept her log-in details safe or secure, since you're pretty sure you know what they are.

And since you are pretty certain of this, you should have told her that her details aren't safe and she needs to change them.

If the files are important and need to be accessed by more than one person then they need to be stored in a secure area with the correct access and privacy levels set.

But when there is a real need, like now, to access files when a colleague isn't contactable or can't help, you should discuss it with your manager and your IT department to see if they can access the documents or data.

You should never do this on your own, and in this case if you tried to do that, you could get yourself and your sick colleague into a lot of trouble.

2. It's alright if you get their permission first

Wrong. Please try again.

3. Nothing. It's got to be done and you know they won't mind

Wrong. Please try again.

As you are leaving the office you notice that a colleague has left new bid documentation on his desk. This information is of great commercial sensitivity.

Should you secure the documents before you leave?

1. This is really serious and I need to act

Wrong. Please try again.

2. No, maybe it's an old draft and not relevant any more

Wrong. Please try again.

3. Yes, I'll lock them away and tell them it was on the desk

Right answer because:

This document is highly confidential, and absolutely must not fall into the wrong hands.

Often documents like these have only been cleared for a small group of people to look at. So even if your colleague has left them on Serco premises, they could be seen by those not authorised to do so.

So your first duty is to secure them immediately and raise the matter with the colleague who left the documents unsecured.

Actually reporting your colleague is a step too far. It was probably a genuine error and a gentle reminder should be sufficient. But if they're constantly leaving commercially sensitive documents unsecured you must raise that with your manager, Human Resources or your divisional security manager, as it's a potentially serious security issue that must be dealt with.

Equally, if you knew this document had been lying on the desk for some time, and feel that security had been compromised or had the potential to be compromised, then you must report it.

Never leave sensitive information lying around or unsecured

Dilemma 1

A friend calls you in a panic. She needs to send in a report to her boss urgently but she is unable to access it from home. She gives you her username and password and asks you to get the report and email it.

Should you?

1. No, we can't do this

Right answer because:

Passwords and log on details are a critical first line of protection for our systems, the information they contain and our digital security. For the cyber-criminal, each one of us represents a possible portal into Serco. That's why Our Code says,

"Always keep your Serco log in details safe."

It is against company rules to give anyone your username or password and it is against the rules to use anyone else's, even if you have been given permission.

So in this case, if you did as your friends asks, you'd both be breaking our policy on securing information. And that's a serious offence.

But since this is really urgent, there is something your friend can do. She can speak to her boss and arrange with IT to access the relevant report and get it sent.

If she didn't do this, and you heard her asking someone else to access her machine after you refused, you'd need to raise this issue with your manager and your divisional security manager.

Always ask if you are not sure what to do.

2. Ask your boss if you can do this

Wrong. Please try again.

3. It's urgent, she's given you permission - so it's fine

Wrong. Please try again.

Dilemma 2

You want to move some information to a non-Serco employee's machine and they give you an unencrypted memory stick to use as yours is not available.

Can you use it?

1. Yes, it's not confidential information

Wrong. Please try again.

2. Yes, it's a business need and we don't have an encrypted memory stick to hand

Wrong. Please try again.

3. No, not under any circumstances

Right answer because:

We often need to share information with third parties. That's an everyday occurrence. But we do need to take great care. And in this case, there are three important issues.

The first is about the nature of the information you want to transfer. If it's confidential information, then you must make sure that the person you're giving it to has signed a non disclosure agreement.

When transferring information you must make sure that the device is properly encrypted. Encryption helps to make sure that the information stays safe and doesn't fall into the wrong hands.

But the device must also be properly authorised. This is equally important. Never use a non-authorised device to do the transfer without the correct approvals. The reason is that attaching an unauthorised external device increases the risk of viruses, Trojans and other malware being introduced.

That's why our Code says:

"Never connect non-Serco or private IT equipment to Serco or customer networks without your IT department's permission."

If in doubt, speak to your IT Department

Dilemma 3

A colleague is off sick and your ugently need an important file on their machine.

You know their username and are pretty certain that their password is their child's name and age. You are certain your colleague won't mind you accessing their machine.

Anything wrong with this?

1. Everything. You can't access anyone else's computer

Right answer because:

Even though there's an urgent business need to get at these files, you cannot access another person's computer, with or without their permission.

Passwords and log on details are a critical first line of protection for our systems, the information they contain and our digital security. For the cyber-criminal, each one of us represents a possible portal into Serco. That's why it's against company rules to give anyone your username or password, or to use someone else's, even if you have been given permission.

There are a number of other important issues in this case.

Our Code says,

"Always keep your Serco log in details safe."

Your colleague has clearly not kept her log-in details safe or secure, since you're pretty sure you know what they are.

And since you are pretty certain of this, you should have told her that her details aren't safe and she needs to change them.

If the files are important and need to be accessed by more than one person then they need to be stored in a secure area with the correct access and privacy levels set.

But when there is a real need, like now, to access files when a colleague isn't contactable or can't help, you should discuss it with your manager and your IT department to see if they can access the documents or data.

You should never do this on your own, and in this case if you tried to do that, you could get yourself and your sick colleague into a lot of trouble.

2. It's alright if you get their permission first

Wrong. Please try again.

3. Nothing. It's got to be done and you know they won't mind

Wrong. Please try again.

Dilemma 4

As you are leaving the office you notice that a colleague has left new bid documentation on his desk. This information is of great commercial sensitivity.

Should you secure the documents before you leave?

1. This is really serious and I need to act

Wrong. Please try again.

2. No, maybe it's an old draft and not relevant any more

Wrong. Please try again.

3. Yes, I'll lock them away and tell them it was on the desk

Right answer because:

This document is highly confidential, and absolutely must not fall into the wrong hands.

Often documents like these have only been cleared for a small group of people to look at. So even if your colleague has left them on Serco premises, they could be seen by those not authorised to do so.

So your first duty is to secure them immediately and raise the matter with the colleague who left the documents unsecured.

Actually reporting your colleague is a step too far. It was probably a genuine error and a gentle reminder should be sufficient. But if they're constantly leaving commercially sensitive documents unsecured you must raise that with your manager, Human Resources or your divisional security manager, as it's a potentially serious security issue that must be dealt with.

Equally, if you knew this document had been lying on the desk for some time, and feel that security had been compromised or had the potential to be compromised, then you must report it.

Never leave sensitive information lying around or unsecured