Governance

10.—(1) A network provider or service provider must ensure appropriate and proportionate management of persons given responsibility for the taking of measures on behalf of the provider for the purposes mentioned in section 105A(1) of the Act.

(2) The duty in paragraph (1) includes in particular a duty—

(a) to establish, and regularly review, the provider’s policy as to measures to be taken for the purposes mentioned in section 105A(1) of the Act,

(b) to ensure that the policy includes procedures for the management of security incidents, at varying levels of severity,

(c) to have a standardised way of categorising and managing security incidents,

(d) to ensure that the policy provides channels through which risks identified by persons involved at any level in the provision of the network or service are reported to persons at an appropriate governance level,

(e) to ensure that the policy provides for a post-incident review procedure in relation to security incidents and that the procedure involves consideration of the outcome of the review at an appropriate governance level and the use of that outcome to inform future policy, and

(f) to give a person or committee at board level (or equivalent) responsibility for—

(i) supervising the implementation of the policy, and

(ii) ensuring the effective management of persons responsible for the taking of measures for the purposes mentioned in section 105A(1) of the Act.

(3) In paragraph (2) “security incident” means an incident involving—

(a) the occurrence of a security compromise, or

(b) an increased risk of a security compromise occurring.

(4) A network provider or service provider must take such measures as are appropriate and proportionate to identify and reduce the risks of security compromises occurring as a result of unauthorised conduct by persons involved in the provision of the public electronic communications network or public electronic communications service.