Using our systems and keeping our information safe toolbox
Our policies, standards and other resources
We have more in-depth Group policies and standards and guidance covering our systems and information. You can find links to all these resources here.
In addition, there may be specific policies and procedures that apply where you work. Your manager can tell you about these. If you are unsure then always ask your manager.
(Please note: some of our resources are only available to Serco employees. In this case, you’ll need to log in to MySerco to access them. If you have problems accessing them, please request a copy from your manager.)
SMS-PS-II Information Integrity
One-page statement defining Serco’s commitment to ensuring that information produced meets customer, legislative and regulatory requirements and is accurate, kept up to date, consistent and provided in a timely manner in order to enable effective decision making.
One-page statement defining Serco’s commitment to ensure that personal data is kept secure, handled with care and in compliance with all applicable data protection and privacy laws.
SMS-GS-BC1 Acceptable Use of Information Systems
Sets out the behaviours that must be adopted, the rules that colleagues must abide by and the legal requirements that must be complied with when using information systems. These include using the internet, social media and email to access, process and publish information either owned by or referencing Serco, our colleagues, clients or business partners.
Detailing processes to ensure consistent application of security principles throughout Serco.
SMS-GSOP-O1-2 Incident and Fraud Reporting and Management
Provides a framework for the reporting of incidents.
Includes hardware, software and all data that is processed using them.
All IT and communication systems, equipment and media used by Serco employees to perform their duties and/or publish any information relating to Serco. This includes the internet, intranet, social media, email, messaging and telephones.
Refers to websites and apps that let users create and share content and participate in social networking.
It includes well-known sites like Facebook, YouTube, Flickr, LinkedIn, Twitter, Instagram and Snapchat, as well as blogs, wikis, newsgroups, emails, texts - and any other means through which you can digitally post text or images to someone else.
There are many kinds of confidential information, including:
- information about finances, business plans or practices
- marketing plans
- pricing policies
- business strategies
- information about employees, customers, partners or third-parties
- intellectual property such as technical information, innovations, improvements, know-how and trade-secrets
Classifying our documents and emails, based on the information they contain, is a vital part of information security at Serco. It helps to ensure every piece of information is stored, handled and shared in the right places with the right people.
We need to understand the different classifications and select the right one for every document and email we create or change. This is particularly important where a document or email contains personal information, commercially sensitive, legally privileged or confidential information or trade secrets. It is our responsibility to know and understand the policy and guidelines for Information Privacy Classification.
Serco Restricted and Sensitive (SRS)
We classify the information we hold so we know how to keep it safe.
SRS information is our most valuable information, which, in the wrong hands, could cause serious damage to us, our customers, shareholders, partners or suppliers through serious loss of reputation; significant financial loss; loss of opportunity; or legal action.
This information may belong to the Company, customers, or third-parties. Access to SRS information must be restricted on a need-to-know basis, with only authorised Serco employees, or specified authorised external persons or entities, being granted access. Encryption and controls over the distribution outside of Serco must be in place for all SRS information.
Serco Business (SB)
SB information is information which, if disclosed without authorisation, may cause unwanted exposure of the inner workings of the company, but would not result in significant financial loss or serious harm to the company or its business interests. In essence, it is any information that is not generally made available to the public unless approved for release.
This information is generally available within our offices, systems or intranet and all company employees and affiliate employees are permitted to have general access to this kind of information.
This information must not be shared beyond the company premises unless with approval for formal business engagement.
Some information is made public. Serco uses this classification to indicate that the processes required to release the information must always be followed after marking the information as ‘Public’ and before publishing on the internet. We must follow the local approval processes when classifying any information as Public, as only certain individuals are authorised to assess whether information is suitable for full public disclosure.
If you're a manager
It’s important that everyone on your team understands and follows the requirements for keeping our systems and information safe. This includes the use of social media. If someone fails to do this either deliberately or by accident, be sure to act as soon as you know about it.
Ensure that data protection/privacy and information and data management responsibilities are clearly defined and appropriate controls are in place.
Provide assurance that these requirements are being implemented effectively.
Make sure data handlers and data owners - particularly anyone handling personal data - have had the appropriate training so they understand local processes, roles and responsibilities. Keep a record of this training.
Ensure all records and documentation (including contractual documentation) are held in a safe and secure manner and in accordance with our document management and data retention requirements.
If you’re not sure about any aspect of data and information retention or security, always ask your information security lead for advice and guidance.
Make sure any incidents, breaches and suspected breaches - particularly those concerning any loss of personal data - are managed in accordance with Incident and Fraud Reporting and Management procedures. They must be reported into Assure within defined timescales and categorised according to Serco’s marking rules.
Communicate the requirements of the Acceptable Use policy, standards, procedures and key controls. Make sure they’re understood, and that acceptable use risks are being effectively managed.