Attachment 3 - Services - Applications

Table of Contents

1 Overview
2 Definitions and acronyms
2.1 Definitions
2.2 Acronyms
3 Service Requirements
3.1 Included Services
3.2 Anticipated Applications Maintenance, Support and Enhancement Growth Volumes during the Term
3.3 Excluded Services and Applications
4 Support Services
4.1 Planning and Analysis
4.2 Project Management principles
4.3 Construction/Development
4.4 Integration and Testing
4.5 Implementation and Migration
4.6 Emergency Services
4.7 Application Warranty
4.8 Continuous Process Improvement
4.9 Level 2 Service Desk Problem Management Rectification and Resolution
4.10 Level 3 Service Desk
4.11 Root Cause Analysis
4.12 Training
4.13 Monitoring and Reporting
4.14 Local Implementation/Deployment
4.15 Managed Asset Management
4.16 Configuration Management/Change Control
4.17 Documentation
4.18 Security Management and Administration
4.19 Business Continuity (BC)
Pass-through Services and Management
Project Initiation
Event Response Services
Risk Management
5 Roles and Responsibilities
Application Maintenance, Support and Enhancement Roles and Responsibilities
Information Security Roles and Responsibilities
6 Service Level Requirements
6.1 SLR and Abatement Commencement
6.2 Service Level Requirement Classifications
6.3 SLR Details

1 Overview
This attachment defines and describes the Customer's requirements for Services in relation to the
System. The Contractor must provide all of the Services relating to applications maintenance,
support and enhancement (which include those Services described as support Services) specified
below.

Where any part of a particular Service is not included or no detail is provided on such part of the
Service, the Contractor is wholly responsible for the provision of that part of the Service.

This attachment consists of the following sections:


a) Defined Terms. This includes a table of acronyms.
b) Service Requirements. This is a statement of the Customer’s Service requirements.
c) Support Services. This describes the Services that will underpin and support the fulfilment
of the Customer’s Service requirements.
d) Roles and Responsibilities. This provides further detail as to the Customer’s Service
requirements and details the parties’ roles and responsibilities for Service provision on a
daily basis.
e) Service Level Requirements (SLRs). These are the standards to which the Contractor will
be required to provide the Services, and the principal means by which the parties will
monitor and manage the Services.

2 Definitions and acronyms


2.1 Definitions
In addition to the terms defined in the Contract, the following terms are defined below.

Common Term Definition


AVAILABILITY The percentage of time that a given Service or the System is fully
operational and available when its resources are called upon at a random
point in time. Availability represents a measure of the fraction of time
(expressed as a percentage) during a defined period when the System or
the provided Service is deemed to be equal to or better than a minimum
availability threshold, specified as an MASL in the applicable Service
Levels.
Availability (%) = 100% – Unavailability (%)
Where Unavailability is defined as:
Unavailability (%) = (Σ Outage Duration × 100%) / (Schedule Time – Pre-planned Downtime)
Schedule Time = obligatory time for operation of Service or System; and
Downtime = downtime during Schedule Time.

BATCH PROCESSING The processing of non-online applications according to agreed
completion dates and times.
BUSINESS CONTINUITY (BC) How each work unit will function if the facilities in which it
operates are lost due to fire, explosion or other disruption. This includes the
responsibilities of personnel to ensure clear and concise communication
lines are established immediately when an incident impacts on a business
unit’s ability to function and directions for the reporting of Problems to
the relevant authorities both initially and after the Problem has been
Resolved.
BASE OPERATING ENVIRONMENT (BOE) The Customer’s base operating environment including all
associated user and technical Documentation, Updates and New Releases. The BOE
includes Microsoft Windows XP and associated drivers. It excludes the
purchase, licensing and/or creation of standard operating environment
(SOE) and Specialist Software.
CALL A call is counted for each unique Problem involving a separate individual
event that results in opening a Ticket. Calls regarding open Problems,
calls received at the Service Desk that enter the queue and that are
terminated (e.g. user hang up) prior to response, and status calls
regarding open items do not result in opening a Ticket and so are not
counted. For Problems where multiple calls are related to a single point
of failure (that is, calls related to a server Outage), such calls will be
considered as a single call; will not result in opening a separate Ticket;
and will not be aggregated or counted as individual calls for measuring
call volume statistics.
CONTRACT MANAGER The person appointed by the Customer to manage the Contract in
accordance with Attachment 7.
DISASTER An unplanned event that will or is likely to render a key component of
the System and/or applications unavailable for use by the Customer for a
period of greater than 12 consecutive hours (or less than 12 hours at the
Customer’s discretion) and the Contractor has not confirmed that
recovery of the System and/or applications will be achieved within the
maximum allowable downtime specified in the BC SLR.
Alternatively, the Customer may at its sole discretion declare a disaster.

DISASTER RECOVERY Ensuring that all parts of the System, including but not limited to,
applications, interfaces and network connections are re-established after a
Disaster.
EVENTS Events are situations that generally require immediate increased levels of
resources, response and Problem Rectification and Resolution to be able
to deal with the situation at the time. Some Events are unpredictable and
occur without warning, and some are predictable and can be managed
and planned. They include, but are not limited to:
• Special events – festivals, sporting events, fetes etc
• Emergency situations – bush fires, floods, storm damage,
accidents etc
• Operational events – taskforce formation, civil marches, public
disturbances, crime sites etc
The Sites requiring Services of this nature include, but are not limited to,
the State Emergency Response Centre (“SERC”), Mobile Response
Units, the Crimes Unit, Covert Operations, Counter Terrorist Areas,
Special Operations, all Regional Operational Policing areas and any
special task force which may be set up for a short time period.
Events are independent; therefore there is a possibility that multiple,
simultaneous Events may be declared by the Customer. Events, however,
are NOT Disasters and therefore do not warrant the implementation of a
Disaster Recovery plan.
IMAC (INSTALLATIONS, MOVES, ADDS AND CHANGES) Activities performed as pre-scheduled events
to install (this means from the Customer request until the Customer user is able to begin or
continue normal use), remove, relocate, Update, modify or otherwise reconfigure
the System and/or telecommunications infrastructure components and
applications that are covered by the Services, including but not limited to
activation of data points. IMACs are included in the Services and will be
performed at no additional charge to the Customer. One IMAC is counted
for each unique action that occurs during normal business hours and can
normally be completed within four full-time equivalent (FTE) work
hours. In the event that IMAC-related work must be performed outside of
normal work hours on a Business Day, due to operating/scheduling
constraints, the parties shall mutually agree on how these IMACs will be
handled. Repeat visits to correct Problems that arise or result from
implementing IMACs shall be considered Problems, and will not be
included under the IMAC count. If multiple Updates or reconfigurations
are scheduled for a single piece of equipment, only one IMAC will be
counted, unless the time required is significantly greater than four hours
to complete the work.
LEVEL 1 SERVICE DESK The Service Desk which interfaces with users of the System or Services
and, where appropriate, a Level 2 Service Desk, with regard to the
logging of Calls and the Rectification and Resolution of Problems.
LEVEL 2 SERVICE DESK The Service Desk to be provided by the Contractor as per this
Attachment, which will liaise with the Level 1 Service Desk (and where
necessary any Level 3 Service Desk) in the process of Rectifying and
Resolving Problems associated with the Services or the System.
LEVEL 3 SERVICE DESK The Service Desk which Rectifies and Resolves Defects or manages the
Rectification and Resolution of Defects in applications that cause
Problems that cannot be Rectified and/or Resolved by the Level 2 Service
Desk.

MANAGED ASSET Includes Software, applications, hardware, Documentation, facilities,
intellectual property and all associated peripherals to be managed by the
Contractor and recorded as part of the Managed Asset register. Managed
Asset includes leased assets.
MEASUREMENT INTERVAL (A.K.A MEASUREMENT PERIOD) Any specified period within which the metrics
shall be measured and reported on for determining the Contractor’s performance to the SLRs.
This takes into consideration the impact of continuous outage. For example, a 28 day month
measurement interval for a 99 percent
Minimum Acceptable Service Level for a 24x7 System would allow 6.7
hours of a continuous outage, with no other outages during the month. A
weekly interval would only allow 1.6 hours of a continuous outage.
MINIMUM ACCEPTABLE SERVICE LEVEL (MASL) The lowest level of acceptable Service performance
before service credits apply for non-performance during a defined period.

OUTAGE An event where the Service or a defined component of the System
becomes unavailable, excluding scheduled or planned downtime. Each
Outage will be counted incrementally, regardless of whether the same
Problem occurs several times over a Measurement Period. If multiple
users experience the same Problem simultaneously on a single occasion
then this will be counted as only one Outage.
PROBLEM A single event in relation to the System or a Service requiring a
Contractor response, typically identified by a user making a Call, the
Contractor, a third party or any automated warning system. The Customer
will determine the Severity Level of each reported Problem. Repeat visits
to correct Problems that arise from previously implemented IMACs are
considered Problems, not IMACs, and will not be added to the IMAC
count. The Contractor will provide the Customer with an escalation
procedure (to be approved by the Customer) for Rectification and
Resolution of reported Problems.
PROCEDURES MANUAL A manual describing how the Contractor will perform and deliver the
Services, including the provision of Documentation (e.g., processes,
specifications) that provide further details of such activities. This must be
suitable for use by the Customer, such that the Customer can fully
understand, operate and exploit the System and the Services. The
Procedures Manual must include detailed descriptions of:
• How the Contractor will provide the Services;
• How the Contractor and the Customer will interact;
• Communication protocols between account management and
technical personnel;
• Quality assurance procedures;
• The Contractor’s interaction with the Customer’s other IT
service providers, third party vendors and internal support areas;
• Change management procedures;
• Procedures for initiating requests for Service and project work;
• Maintenance windows;
• Problem management and escalation procedures; and
• Other standards and procedures pertinent to the Customer’s
interaction with Contractor in obtaining the Services.

PROJECT ESTIMATION METHODS AND TOOLS A set of disciplines and techniques that allow an IT
professional to quantify labour and materials to determine schedule and cost, which is
adjusted for risk. Project estimation tools provide a series of questions
that allow the professional to input values to a system. The system
provides a common frame of reference for the Contractor and the
Customer to understand how costs and schedules were derived.
RECTIFY / RECTIFICATION Rectification occurs when the functionality of the System or every
application is available to the end user of the System or application such
that business operations can occur with minimal interruption or
impediment. Implementing a satisfactory Workaround is rectification.
Rectification can be achieved even though the root cause of a Problem
has not been Resolved. In some cases, Rectification can only be
achieved by Resolution of the Problem. Rectification is not achieved
until the Customer is satisfied that the Problem has been Rectified.
RELIABILITY The maximum acceptable number of individual Problems including
Outages, failures, batch overruns or dropouts during a Measurement
Interval.
RESOLVE / RESOLUTION To repair, replace, reconfigure, re-install, re-route, or otherwise provide a
complete solution to a Problem that returns the System and/or end-user(s)
to non-degraded full functionality. Resolution requires the root cause of
a reported Problem to be identified and also requires the correction of
both the results and the cause of the Problem. A Workstation Problem at
a virtual office/remote access (VORA) Site is considered “resolved” by
the overnight shipment of a repaired or a replacement Workstation that is
fully operational. Implementing a Workaround is not resolution. Subject
to the next sentence, resolution is achieved when the Contractor has
notified the Customer that the part of the System which caused the
Problem is ready for Acceptance Testing. If the Acceptance Tests are not
passed, then resolution has not been achieved and the same Problem
remains unresolved. In this event, the time between the notification that
the part of the System which caused the Problem is ready for Acceptance
Testing and its failure to pass the Acceptance Tests is not counted as time
during which resolution was not achieved.
ROOT CAUSE ANALYSIS A Problem analysis process undertaken to identify and quantify the
underlying cause(s) of a Problem, and document the necessary corrective
actions to be taken to prevent recurring Problems/trends which could
result in Problems. This process is further defined in clause 4.11.
SERVICE DESK The centralised mechanism in place to respond to Problems and to
communicate information regarding the Rectification and Resolution of
Problems.
STANDARD OPERATING ENVIRONMENT (SOE) The Customer's standard operating environment Software
including all associated user and technical Documentation, Updates and New
Releases.

SEVERITY LEVEL The Customer defined category that identifies the degree of problem
importance and associated Contractor response requirements attributed to
such a problem. Problems are categorised as Severity Level 1 to 3 only,
with Severity Level 4 being specifically related to user inquiries,
assistance, information or non-urgent help. Unless otherwise specified by
the Customer, the Contractor must accept the Severity Level that is
assigned to any Problem by the Level 1 Service Desk.
• Severity Level 1: A business critical function is not operational,
impacting major Customer business processes.
• Severity Level 2: A major function impacting Customer business
processes is not operational, resulting in disruption to the business.
• Severity Level 3: Part of the System is not operational but is not
immediately impacting Customer business functions.
• Severity Level 4: User inquiries, assistance, information or non-urgent
help.
SPECIALIST SOFTWARE All of the Software that is not included within the SOE or BOE.

TICKET A unique logical electronic record that the Contractor will create, update,
maintain and archive for each Call. A Ticket is used to record all
Customer user/Contractor interaction pertaining to a Problem and all
Contractor-related actions, and corresponding date/time, taken to Rectify
and Resolve a Problem, from the time it is first reported to the Service
Desk until Problem Resolution and closure by the Service Desk. Also, it
is used for application change-control traceability.
VORA Virtual Office/Remote Access (VORA) pertaining to the Customer's
remote users whose offices are either permanently or temporarily located
outside of Customer premises and who connect to the Customer's
network via remote access facilities (that is, VPN, Dial-up) using a laptop
or desktop PC, and have different service requirements from the
Customer's IT-managed/staffed business facilities.
WORKAROUND A process established by or approved by the Customer that the Contractor
or the Customer can implement as an alternate method of System or
process functionality in the event of a Problem. The alternate method
allows the System or affected process(es) to deliver the Customer an
acceptable level of business operations continuity until Resolution can be
implemented.

WORKSTATION An end-user computing device which comprises the personal computer,
laptop computer and notebook computer and other associated peripheral
devices including:
a) USB memory repositories.
b) Printers.
c) Data point.
d) DVDs/CD rewrites.
e) CD jukeboxes.
f) Monitors.
g) Scanners.
h) Plotters.
i) Speakers.
j) Cables.
k) Modems.
l) Mouse.
m) Docking Station.
n) Media Libraries.
o) PDAs where connected to the LAN,
and any other devices specified by the Customer.

2.2 Acronyms
Acronym Definition
BC Business Continuity
BIOS Basic Input/Output System
BITS Business Information & Technology Services department
BOE Base Operation Environment (Operating System)
COTS Commercial Off-The-Shelf
CPU Computer Processing Unit
DR Disaster Recovery
IDS Intrusion Detection System
IMAC Installations, Moves, Adds and Changes
IT Information Technology
LAN Local-Area Network
LEAP Law Enforcement Assistance Program
MAC Moves, Adds and Changes
MASL Minimum Acceptable Service Level
PDA Personal Digital Assistants
SLR Service Level Requirement
SOE Standard Operation Environment (Approved software)
VPN Virtual Private Network

3 Service Requirements
This section describes the Services. The support Services in the following section also
form part of the Services.

3.1 Included Services


3.1.1 Current applications
The Contractor must fully maintain, support, and enhance all of the Customer’s current
applications such that the Customer can fully exploit the functions and features of the
System. Current applications are defined as the Customer's applications that are
currently in a production environment or which are scheduled to be introduced into a
production environment and as at the Contract Date are listed in Attachment 1 and
indicated as being "Supported".

Addition and subtraction of applications will be addressed in accordance with the
change control procedures in the Contract.

3.1.2 General responsibilities


In performing the Services, the Contractor must:
a) Comply with the Customer's policies, regulations, and standards as required by
the Contract.
b) Conform to changes in laws, regulations and policies stipulated or otherwise
mandated by applicable Federal, State and Local governments as required by the
Contract.
c) Report project progress and overall performance against the applicable Service
Levels as required by the Contract.
d) Meet the Service Levels for the Services in accordance with the SLRs.
e) Perform the Services in accordance with the Procedures Manual as approved by
the Customer.
f) Ensure Availability of the System in accordance with the SLRs.

g) Provide and make appropriate use of the systems or tools (hardware or software)
that are required to provide the Services. This includes:
i. The Customer's approved systems for work authorisation, Problem
Rectification and Resolution and project management processes.
ii. The Customer's approved systems for software quality assurance,
configuration management, and document management.
iii. The Customer's approved tools for software, database and interface,
design, development and testing.
iv. The Customer's approved templates, processes, personal tools for
communication (email, phone, pager, etc.) and general functions (PC for
word processing, spreadsheets, etc.).

h) Provide the Customer with Personnel resources with the required skills and
competencies to provide the Services at the specified Service Levels. This
includes any technical and non-technical training or induction for initially
assigned Personnel, replacement Personnel, or added Personnel.
i) Provide or facilitate agreed technical and non-technical training, or induction
transition activities for the Contractor's Personnel from the Customer's personnel,
or provide required knowledge transfer from the Customer's personnel to the
Contractor's Personnel or from the Contractor's Personnel to the Customer's
personnel.
j) Coordinate with the Customer and third parties who provide IT services to the
Customer (as required by the Customer) prior to any desired or required changes
to the application(s) and application platform(s) being supported by the
Contractor that may affect the operating performance and/or service level
performance of any IT service environments that may be retained by the
Customer or provided by third parties.
k) Specify, implement, and consistently employ across all projects an
industry-recognised standard effort estimation model and methodology for the purposes of
estimating application maintenance, support and enhancement efforts, which
delivers consistently reliable and accurate effort estimation forecasts and is
appropriate to the application(s) being maintained/supported/developed. As a
minimum, the Contractor must use function points as an estimation tool.
l) Provide the Customer with an agreed level of personnel resources with the
required skills and competencies to provide accurate and timely input to BC
activities including contingency planning meetings for such events and
completing any action items resulting from these activities required to be
provided or facilitated by the Contractor in order to meet the Service Levels.
m) Manage and administer backups, recovery and media management related to the
running of applications. Specifically, the Customer requires access to and
recovery of all files (including email) for a minimum period of 7 years from the
creation of such files. The backup and recovery activities include but are not
limited to working with third parties who provide IT services to the Customer to
ensure that the backups and recoveries are successful. In addition, the Contractor
must maintain a current copy of all supported applications. Such copies are to be
made available to the Customer immediately upon request.

3.1.3 Application Maintenance


The Services include application maintenance, which is all activities associated with
correcting non-conforming performance for production application programs and systems
that result in less than 5 working days of effort. These activities include all life-cycle
support activities described above.
Applications maintenance must be provided across all of the Customer's platforms.
Application maintenance activities require the Contractor to ensure that sufficient skilled
resources are available on a full time basis to ensure that all maintenance activities are
completed in a timely manner.
Without limiting the scope of the Contractor's obligations, the Contractor must:

3.1.3.1 Correcting non-conforming performance


Repair all applications which are in production, to ensure that they function in
accordance with the Service Levels. Full repair/recovery of the application(s) is to be
completed unless otherwise approved by the Customer (in writing) and is to cover all
files/deliverables, including:
a) Databases.
b) Printed reports.
c) Microfiche.
d) Interface files.
e) Web pages.

3.1.3.2 Preventive Maintenance


Provide preventative maintenance for all applications in production such that no events
occur, which if not addressed proactively, could impact applications in production. Such
events include:
a) Changing business volumes.
b) Certified vendor patches or bug fixes provided from the vendor for the
Customer's approved and licensed application software.
c) Special testing for events, such as:
• Public holidays.
• End of financial year.
• End of calendar year.
• Leap years.
• Daylight savings.

3.1.3.3 Adaptive Maintenance


Ensure that application performance is not affected by changes to interfacing
applications, new applications or packages and technical environment changes, which if
not addressed proactively, could impact applications in production. Such events include:
a) Updates of operating software.
b) New/changed equipment.
c) Interface changes.

3.1.3.4 Perfective Maintenance


Ensure that applications operate at peak efficiency with particular focus on areas such
as:
a) System CPU hours.
b) Storage space.
c) Response time.

d) Database performance tuning.

3.1.3.5 Release Packaging


Package all software changes into suitable releases for approved applications as
approved by the Customer. This includes all activities associated with providing
software version control, both electronic and manual. All releases must conform to the
Customer's approved risk mitigation strategy. The Contractor must develop an ongoing
process for the implementation of a 12-month rolling application release timetable (with
associated variation mechanism). The ongoing process and the initial 12-month rolling
timetable for each application are to be approved by the nominated Customer
representative.

3.1.4 Technical and End-User Support


The Services include technical and end-user support, which is all necessary expert
technical assistance that is required for the tuning of approved applications and utilities
for optimal System performance. This includes expert Level 2 Service Desk and Level
3 Service Desk technical assistance for the Customer's end-users and the Customer's, or
third party's, IT professionals.

3.1.5 Application Enhancement


The Services include application enhancement, which is all life-cycle activities, across
all of the Customer's platforms, associated with:
a) Approved "Minor Enhancements" – being enhancements requiring greater than
or equal to 5 days work effort, and less than 25 days work effort; and
b) Approved "Major Enhancements" – being enhancements requiring greater than
or equal to 25 days work effort, and less than 60 days work effort.
Application enhancement includes:
a) Minor Enhancements or Major Enhancements to existing applications;
b) The creation of new applications where the time required to completion is
within the bounds of Minor Enhancements or Major Enhancements; and
c) Integration, testing, implementation, and migration support of any applications
developed or modified by a third party, where the work effort involved is
within the bounds of Minor Enhancements or Major Enhancements.
Application enhancement activities are discrete units of non-recurring work to design,
develop, build, test and/or implement, install or deploy a solution or deliverable, that do
not otherwise form part of the Services. Typically they require the Customer to undergo
more rigorous approval processes, project management and reporting than maintenance
or support activities.
The Contractor must not undertake any application enhancement activities unless the
Customer has approved a "Change Request" in accordance with the Contract.
All anticipated work effort beyond 60 days will be regarded as a "Development
Project". The Contractor may, or may not be requested to bid for any Development
Project. The Contractor will be required to participate in all activities associated with
"Project Initiation", at no additional cost to the Customer.

Without limiting the scope of the Contractor's obligations, throughout the Term, the
Contractor must:

3.1.5.1 Requirements Definition


Perform requirements definition, which is all activities associated with the assessment
of the Customer's users' requirements which are needed to determine detailed
application designs. This includes:
a) Conducting interviews, group workshops and surveys.
b) Meeting the Customer's requirements groups and contract management
representatives.
c) Developing functional requirements documents, logical and physical data
models, etc.
d) Undertaking impact analysis to determine BC requirements and the extent of
the impact of the proposed changes, including possible impact to interfacing
systems.
e) Undertaking an "Information System Threat and Risk Assessment", so that
specific security requirements can be documented.
All Documentation produced in the course of these activities is the Customer's property.

3.1.5.2 Design Specifications


Produce application design specifications that meet the Customer's applications
technical architectural standard(s), and identify and describe the most cost-effective
solution to the implementation option under consideration. These activities include:
a) Creating Documentation that specifies all components (including security
controls), program modules, data stores, interfaces, interface components and
associated operations procedures for the Customer's technical environment.
b) Obtaining the Customer's oversight and approval through co-ordination with
the appropriate architectural or technical oversight authority and authorised
Development Project governance representatives.

3.1.5.3 Test and Development and Training Environment


Establish a test, development and training environment to fully support the Customer's
current and future application requirements.
Without limiting the scope of the Contractor's obligations, the Contractor must:
a) Obtain and/or provide the necessary application development tools, testing
tools, change and configuration management tools, project management and
reporting tools, and other software (the “Test, Development and Training
Environment Components”) required to establish and support the Application
Product(s) development and testing environment at agreed Customer Sites.
b) Advise the Customer of appropriate sized hardware requirements, as well as
appropriate license quantities, types and revision levels of application
development, testing and runtime environment software not already owned by
the Customer and available for use.
c) In the event that any components are non-generic or are otherwise proprietary,
restricted and/or unique to the Customer's development environment, comply
with any method for the acquisition and disposition of such components that
the Customer determines to be equitable.

The Contractor is not required to maintain or support the infrastructure of the Test,
Development and Training Environment where the Provider of IT services in relation to
the Desktop Tower, or Mainframe Tower (whichever is applicable) is responsible for
maintaining and supporting such infrastructure. In the event that any component of the
Test, Development and Training Environment (including hardware or infrastructure) is
not so supported by another Provider, then the Contractor is required to maintain and
support this component.

The Contractor is required to maintain or support all infrastructure for the Test and
Development environment located in its facilities.

3.2 Anticipated Applications Maintenance, Support and Enhancement Growth Volumes during the Term

The Contractor must ensure that the Services provided are adequate to meet the
Customer's requirements and the SLRs at all times throughout the Term.

3.3 Excluded Services and Applications


The following services are excluded:
a) COTS licence support and maintenance procurement.
b) Support and maintenance of all applications that the Customer has not
approved.
c) Support and maintenance of all applications not in production as at the Service
Commencement Date or not included as part of the change control process.
d) Specialist application support and maintenance arrangements for Fleetsmart
and BEAMS. The Customer will continue to support these applications via its
existing relationships with third party vendors, however, these may be included
in the future.
e) Services in respect of applications listed in Attachment 1 that are not listed as
"Supported". For the avoidance of doubt, this does not exclude Services in
respect of the interfaces between Not-Supported and Supported (Third Party)
applications and Supported Applications (as those terms are defined in
Attachment 1); only Services in respect of the applications themselves.

4 Support Services
The Contractor must provide the Customer with all support Services (which form part
of the Services) and which are all life cycle activities associated with the provision of
the Services by the Contractor.
All support Services are to be provided at no additional cost to the Customer. The
support Services include the following activities:

4.1 Planning and Analysis


Researching new application development trends, products, and services that offer
opportunities to improve the efficiency and effectiveness of the application
environment, as well as for meeting business requirements and delivering new or
improved benefits to government and the broader community.
The Contractor must present such research to the Customer's CIO or the nominated
Customer representative(s) in an agreed, relevant and understandable format.
Such activities include but are not limited to:
a) Investigating and documenting new products and services, such as hardware
components, system software and transmission facilities.
b) Assessing process re-engineering methodologies.
c) Performing operational planning for capacity and performance impact of
researched technologies.
d) Conducting feasibility studies approved by the Customer's CIO or the Customer's
nominated representative for the implementation of new technologies.
e) Performing project estimation using commercial Project Estimation Methods and
Tools that can size applications in function points and can categorise applications
as easy, medium or difficult to facilitate function point pricing.
f) Participating in annual technical and business planning sessions with the
Customer to establish standards, architecture and project initiatives.
g) Conducting quarterly technical reviews and workshops for the Customer on
trends and best practices.
h) Participating in the Customer's business continuance planning process.

4.2 Project Management principles


All activities required to establish reasonable plans for performing the required
Software development and for managing enhancements and potential "Development
Projects". This includes the establishment of visibility into actual progress so that
management can take effective actions when enhancement activities or Development
Project performance deviates from the project plans.

4.2.1 Enhancement activities


Support Services in relation to application enhancement include:
a) Providing, maintaining and updating a comprehensive project plan, identifying all
critical path dependencies, staffing resources, major milestones and project
deliverables.
b) Providing weekly status reviews and progress reports.
c) Creating a Personnel plan identifying the Contractor's Personnel assigned to the
work.
d) Assigning Personnel who have experience and expertise in the appropriate
application domain and software development to such work.
e) Assigning a project manager to actively manage the performance of the work and
to be responsible for acquiring commitments and developing the project plan for
that project.
f) Sufficiently training project team Personnel to ensure that they perform all
necessary roles and assume all necessary responsibilities.
g) Implementing all tools and processes required to support the provision of the
Services. Such tools and processes include:
i. Project management reporting.
ii. Design, coding and testing.
iii. Configuration management.
iv. Quality assurance.
h) Creating a "Statement of Work" for each discrete task which includes:
i. A defined scope of work.
ii. Technical goals and objectives.
iii. Identification of customers and end users.
iv. Standards.
v. Assigned responsibilities.
vi. Cost and schedule constraints.
vii. Dependencies between the project team and other organisations.
viii. Resource constraints and goals.
ix. Planning assumptions.
x. The parties’ responsibilities.
i) Creating a "Risk Assessment Plan" (“RAP”) for each discrete task which
identifies the risks associated with the cost, resource, schedule, and technical
aspects of the project. The risks must be analysed and prioritised based on their
potential impact to the project and the RAP must specify contingencies and
mitigation strategies for the risks that are identified.
j) Implementing a Customer approved program change control process that
identifies, evaluates and assesses any change that impacts the work (cost, timing,
risk).

4.2.1.1 Activities
Reviewing the progress and management of each discrete task with the Customer's
senior management (Program and Customer) or nominated representative on a regular
basis as specified by the Customer or otherwise weekly. This includes reviewing and
reporting to the Customer on the following criteria:
a) Completions and progress towards completion of milestones, compared to the
project plan.
b) Funds expended, compared to the project plan.
c) Latest forecast of schedule and expenditures (to end of program).
d) Changes to approved or previously assigned resources.
e) Changes to project plan estimates or assumptions.
f) Conflicts and issues that are not resolvable at lower levels.
g) Software project risks.
h) Action items, all of which must be assigned, reviewed, and tracked to closure.
The Contractor must prepare summary reports from each meeting and distribute such
reports to the affected groups and individuals.

4.2.2 Development Projects


The same requirements as listed in Section 4.2.1 apply to development projects. The
Contractor must complete these requirements in such detail as the Customer requires.
The detail required in relation to a development project will be significantly greater
than that required for an enhancement task.

4.3 Construction/Development
All activities associated with the construction and/or development of application
modules. The Contractor must use the information from previous phases as critical
input when constructing and/or developing every application module. The Contractor
can construct an application module by in-house custom development, customising
commercial off-the-shelf (COTS) products or implementing COTS packages.

4.4 Integration and Testing


All activities necessary to ensure that all individual program components that are
configured with, or added to, the support applications environment work together
properly and perform all of the intended functions. This includes application interfaces
to other support applications in production. Such activities include:
a) Performing all appropriate life-cycle integration and development tests (e.g., unit
testing, socialisation, end-to-end testing, stress testing, regression testing, etc.).
b) Selective random independent testing, where the random selection includes some
complex modules (i.e. independent verification and validation testing).
c) User acceptance and quality assurance testing.
d) Maintaining test data.
e) Staging systems before implementation.
f) Performing modifications and performance enhancement adjustments to the
Customer's System and Software and utilities as a result of changes to
architectural standards.
g) Managing the integration lab facility.

4.5 Implementation and Migration


All activities associated with the installation and migration of new and upgraded
components to the Customer's production environment. Such activities include:
a) Installing new or enhanced functions or features.
b) Installing, or assisting third parties with the installation of new or enhanced
configuration and system management tools to operate within the support
application environment.
c) Performing data migration from existing systems to new systems, by either
electronic or manual methods.
d) Delivering all necessary system code and Documentation and user
Documentation.
e) Conducting pre-installation Site surveys.
f) Supporting test to production turnover implementation.
g) Distributing Software to Workstations and installing Software.
h) Conducting tests of documented BC procedures including all activities necessary
for backup and restoration of data and applications.

4.6 Emergency Services


All activities necessary to provide application enhancements and maintenance, as
specified above, to support the Customer's user requirements under emergency
conditions while maintaining the Service Levels. Emergency events may increase work
volumes substantially within a short period of time and may persist for a specified or an
indeterminate duration. The Contractor must provide a structured process for
supporting, managing, monitoring and reporting actions related to unanticipated
changes in operational requirements.

4.7 Application Warranty


All activities associated with repairing Defects in Contractor developed production
application programs and systems, where such Defects are discovered within 180 days
of the application being placed into a production environment. This includes all
life-cycle support activities described in Section 3.1 above, as well as any activities
necessary to repair Defects to enable applications to perform in accordance with the
documented specifications and operational functionality.
Application warranty services shall be provided at no additional charge to the
Customer, even where such activities amount to minor enhancements. Full correction of
the application(s) Defect is to be completed unless otherwise approved by the
Customer, and the corrected code shall be fully tested to ensure that no regression errors
are introduced. This shall include updating all Documentation and related
files/deliverables, such as:
a) Databases.
b) Printed reports.
c) Technical manuals.
d) Interface files.
e) Web pages.

4.8 Continuous Process Improvement


Establishing, implementing, managing and maintaining a set of processes and
procedures with which the Contractor must continually monitor and analyse its service
delivery methods and procedures. Such processes and procedures must be industry
recognised best practice and must ensure that the Contractor identifies all weaknesses
and opportunities for improvement in its Service delivery methods and procedures. The
Contractor must systematically implement those improvements.
The Contractor must provide quarterly reports on its continuous process improvement
activities and provide the Customer with the opportunity to have input into the process.
The Contractor must extend the benefits of these continuous process improvements to
the Customer through appropriate means such as cost containment or fee reduction, or
improvements to service delivery levels, increased productivity and the reduction in
defects.

4.9 Level 2 Service Desk Problem Management Rectification and Resolution


4.9.1 Level 2 Service Desk
All activities associated with the provision and operation of a Level 2 Service Desk.
A Provider will provide the Level 1 Service Desk to the Customer. This Level 1 Service
Desk will assign and escalate all Problems related to the System or Services to the
Contractor.
As part of the provision and operation of a Level 2 Service Desk, the Contractor must:
a) Provide Level 2 Service Desk support for the System and all of the Services
(including onsite support for Problem Rectification and Resolution).
b) Manage and resolve all Problems (including assignment and escalation to third
parties or the Level 3 Service Desk (if applicable) and provide management,
monitoring and feedback of such Problem Rectification and Resolution activities
to the Level 1 Service Desk).
c) Provide progress feedback to the Level 1 Service Desk during the Rectification
and Resolution process as per the SLRs.
The Level 1 Service Desk will monitor all Problems through to Resolution and will
provide feedback to the affected user(s).

4.9.2 Level 2 Problem Management


As part of the operation of the Level 2 Service Desk, the Contractor must implement
and maintain Problem management policies and procedures that significantly decrease
the number of Problems which occur by Resolving any Defects within the
application(s) in the System. The Contractor's policies and procedures must address,
and the Contractor must report on, all aspects of its policies and the specific
implementation of those policies with respect to:
a) Problem control.
b) Error control.
c) Proactive prevention of Problems.
d) Identifying Problem trends.
e) Contingency planning and Disaster Recovery.
Without limiting the scope of the support Services or the Contractor's obligations, the
Contractor must:
a) Package and release Updates for all Problems in accordance with approved
change management and configuration management procedures. These include
New Releases necessary for the Rectification and Resolution of Problems,
including Software application configuration and operation errors that have been
escalated by the Customer's Personnel or users (whether through the Service Desk
or otherwise).
b) Provide a single point of contact for receiving, logging, and tracking all Problems
escalated to the Contractor's Level 2 Service Desk.
c) Troubleshoot all reported Problems to determine the probable cause of the
reported Problem.
d) Recommend and implement Rectification of each Problem until a permanent
Resolution can be implemented.
e) Track all Problems to Resolution to ensure that all necessary corrective action is
provided through to Resolution.
f) Escalate unknown errors and identified Problem trends in accordance with the
policies and procedures developed for Problem management.
g) Provide progress reports to the Customer throughout the Problem Rectification
and Resolution process, via the Service Desk.
h) Ensure that key application support personnel are able to be reached during
off-shift hours via pagers or cell phones.

4.9.3 Level 2 Problem Monitoring and Reporting


As part of the operation of the Level 2 Service Desk, the Contractor must also provide a
reporting capability which identifies the following metrics for a specified (ad hoc) time
period or as otherwise required by the Customer:
a) Number of open Tickets.
b) Average age (in hours) of open Tickets until Rectification and Resolution.
c) Percentage of Tickets resolved during the first call.
d) Average time to Rectification and Resolution (in hours) for closed Tickets.
e) Total hours of Contractor resource time expended for closed Tickets.
f) Hours of downtime by application.
g) Number of repeat Calls about the same application. A repeat call is one that is
made after an attempt has been made to Rectify and/or Resolve a Problem.

4.10 Level 3 Service Desk


All activities associated with the provision and operation of a Level 3 Service Desk.
As part of the provision and operation of a Level 3 Service Desk, the Contractor must
support all applications and Services that it directly manages and supports. The Level 3
Service Desk is responsible for all support provided by any third party in relation to an
application that is in (or scheduled to be in) the Customer's production environment.
The Contractor must work closely with any third party that is providing management
and support for such an application.
As part of the operation of the Level 3 Service Desk, the Contractor must also provide a
reporting capability in relation to the support provided by the Level 3 Service Desk
which identifies the following metrics for a specified (ad hoc) time period or as
otherwise required by the Customer:
a) Number of open Tickets.
b) Average age (in hours) of open Tickets until Rectification and Resolution.
c) Percentage of Tickets resolved during the first call.
d) Average time to Rectification and Resolution (in hours) for closed Tickets.
e) Total hours of Contractor resource time expended for closed Tickets.
f) Hours of downtime by application.
g) Number of repeat Calls about the same application. A repeat call is one that is
made after an attempt has been made to Rectify and/or Resolve a Problem.

4.11 Root Cause Analysis


All activities associated with the implementation of a process that will cause the
Contractor to understand and prevent recurring Problems/trends which could result in
Problems. Without limiting the scope of the support Services or the Contractor's
obligations, the Contractor must:
a) Ensure that its Personnel on the Service Desk and any other support Personnel have
access to the Problem Rectification and Resolution database to view the history of
previous application Problems and their Rectifications and Resolutions.
b) Conduct a Root Cause Analysis of all such Problems or failures, including all
Severity Level 1 and Severity Level 2 Problems, within two days of the Problem
occurring unless an alternative timeframe is agreed with the Customer.
c) Assign appropriate resources to identify and remedy such Problems or failures, and
track and report on any consequences of such Problems or failures.
d) Provide the Customer with a written report detailing the cause of and procedure for
correcting such Problems or failures within five days of the Problem occurring.
Provide updates on a monthly basis until the underlying defect resulting in the
Problems or failures is corrected. The Customer reserves the right at its own
discretion to conduct its own review. The results of such reviews must be
implemented by the Contractor.
e) Substantiate to the Customer that all reasonable actions have been taken to prevent
recurrence of such Problem or failure.
Note: These Services are provided in consultation with the Customer and other
Providers.
The Contractor must provide the Customer with access to the raw data used to conduct
every Root Cause Analysis. The Customer may, at its own discretion, conduct
independent reviews and analysis of any Problems, failures or the Contractor's Root
Cause Analysis recommendations. The Customer's review outcomes must be actioned
by the Contractor if the Customer requires this to be done.

4.12 Training
All activities associated with the improvement of skills for the Contractor's Personnel
and the Customer’s IT technical staff (and business managers, at the Customer's sole
option) through education and instruction. Additionally, training includes the initial
end-user training on new and current applications and Services. Training services are
provided to the Customer's end users for improving “how-to-use” skills related to
systems and applications. Delivery methods that are offered for training include
classroom style and computer-based instruction.
In accordance with the Contract, the Contractor must utilise Personnel with appropriate
skills and knowledge to satisfy all of its Contractual requirements.

4.13 Monitoring and Reporting


All activities associated with ongoing health checks, Service Level performance
reporting, review of error logs, status reporting, and Problem management (ongoing
surveillance, tracking, escalation, Rectification, Resolution, and tracking of Problems)
of application enhancement and support activities. These Problem management
activities require the Contractor to integrate and coordinate its Level 2 Service Desk
support Services with the Level 1 Service Desk. All Reports specified in Attachment 6
(Reports) must be provided when required by that Attachment.
Without limiting the scope of the support Services or the Contractor's obligations, the
Contractor must:
a) Provide monthly Service Level performance reports.
b) Provide monthly staffing utilisation reports.
c) Provide monthly milestone achievement review and performance reports.
d) Provide an electronic copy of a consolidated list of applications being maintained
with related information on a monthly basis.
e) Conduct and complete a function count prior to any release using the most recent
International Society of Function Point User Group (IFPUG) standards.
f) Using a Customer approved reporting format and assessment criteria, provide the
Customer with a consolidated list of development and major enhancement
projects in progress, including project status, as required by the Customer or, at a
minimum, on a monthly basis.

4.14 Local Implementation/Deployment


All activities associated with providing support for enhancement of the Customer's
authorised local adaptations of the application development product(s) and providing
on-site deployment and integration of the applications. The Contractor must provide
integration teams that will receive direction from the Customer's business-unit liaisons
for deployment of the application development product(s). Local
implementation/deployment activities include all the applicable Services described in
Section 3 above, which shall be performed in accordance with the Service Levels and
the parties' defined roles and responsibilities.

4.15 Managed Asset Management


All activities associated with input to and the continuous maintenance of the Managed
Asset register (which is maintained by the Provider responsible for the Desktop Tower) for
all of the Customer's Managed Assets. Managed Assets includes, but is not limited to, all
applications including Specialist Software which are in, or are scheduled to be in, the
Customer's production environment.
Without limiting the scope of the support Services or the Contractor's obligations, the
Contractor must:
a) Provide updates to the Managed Asset register database according to defined
procedures.
b) Ensure all inputs to the Managed Asset register are accurate and fully up to date.
c) Track all Managed Assets (by user, location, Managed Asset ID, finances, version
as appropriate) and ensure third party agreements for services are in force as
needed to meet SLRs.
d) Assist the Customer and third parties in auditing the Managed Assets.
e) Coordinate the termination, disposal and relocation of Managed Assets as
needed/specified by the Customer in accordance with the Customer security
policy (for example, sanitise desktop and server hard disk drives).
f) Advise the Customer in a timely manner of expiration and renewal requirements
for Customer owned software licences and third party support agreements. At a
minimum, such notice is to be given to the Customer three months prior to such
expiration.
g) Report on the Managed Asset register inputs on both an ad hoc and a
defined/structured basis. This includes, but is not limited to, tracking Managed
Assets and advising the Customer three months in advance of expiration and
renewal requirements for Contractor-owned software licences.

4.16 Configuration Management/Change Control


All activities necessary to administer and adhere to a standard change management
process for the Services that aligns and complies with the Customer's policies,
procedures and standards, as set out in the Procedures Manual approved by the
Customer. The change management process will include impact analysis, contingencies,
risk management, planning/implementation, approval, post-change review and back-out
processes.
Without limiting the scope of the support Services or the Contractor's obligations, in
making changes to the Services, the Contractor must:
a) Eliminate or minimise disruptions to the Customer's users caused by the
implementation of any change.
b) Without limiting paragraph a), implement changes according to a mutually-agreed
schedule between the parties.
c) Eliminate or minimise the number of change “back-outs” caused by ineffective
change planning or implementation.
d) Eliminate or minimise the number of Problems caused by change.
e) Eliminate or minimise the Outages caused by change.
f) Manage changes to individual components and coordinate changes across all
components that comprise an end-to-end solution to minimise disruption to the
Services and the Customer’s business.
g) Document all changes to the Services.
h) In conjunction with the Customer (and Customer specified third parties), ensure
that all change management processes facilitate communication, and that tested
back-out plans exist to provide a high degree of success. The Contractor
acknowledges that the stability of the production environment is critical to the
Customer's business. Accordingly, the Contractor must employ all reasonable
safeguards to ensure continuity of the Customer's business operations when
changes to the production environment or the Services are initiated or
implemented.
i) Plan and communicate scheduled changes in advance in accordance with the
Customer’s business requirements. The Contractor must use the change
management process to plan, coordinate, monitor and communicate the changes
that affect the Services.

4.17 Documentation
All activities associated with the creation and maintenance of the Documentation
relating to the System and the Services and the provision of such Documentation to the
Customer. These activities include maintaining and managing copies of all such
Documentation in a technical library.
Without limiting the scope of the support Services or the Contractor's obligations, the
Contractor must:

4.17.1 General
Develop, revise, maintain, store, retrieve, reproduce and distribute information in hard
copy and electronic form. The types of documents include:
a) End-user documentation.
b) Standard operating procedures (including but not limited to the Procedures
Manual).

4.17.2 The Procedures Manual


a) Ensure that the Procedures Manual is complete and in such a form that the
Customer can fully understand, operate and exploit the System and the Services.
b) Periodically, and on at least an annual basis, update the Procedures Manual to
reflect changes in operations or procedures. Updates of the Procedures Manual will
be provided to the Customer for review, comment and approval (not to be
unreasonably withheld), provided that the Contractor must incorporate the
reasonable comments or suggestions of the Customer into every revised Procedures
Manual.
c) Perform the Services in accordance with the Procedures Manual.

4.18 Security Management and Administration


4.18.1 Overview
This clause defines and describes the Customer's requirements for the provision of
security services relating to the System and for the System.
4.18.2 Current Environment
The Customer's requirements and the Contractor's obligations for the provision of
security services relating to the System must be read in conjunction with the detail
provided in Attachment 1 (Current Environment).
The Customer creates and manages information that varies in sensitivity from some
that may be made freely available to the public (classified as PUBLIC DOMAIN) to
information that, should a breach of confidentiality occur, could lead to serious injury
or death (classified as HIGHLY PROTECTED).
The classification scheme currently used by the Customer is that defined in the
Commonwealth of Australia’s Protective Security Manual (2000) for non-national
security classified information.
Previous analysis has identified that both the quantity and geographic distribution of
PROTECTED information across the Customer's network (i.e. the LAN and WAN
environments) is sufficiently great to require security controls for the general network
that will ensure appropriate protection for information classified as PROTECTED.
Workgroups managing HIGHLY PROTECTED information will also require
additional security controls to ensure appropriate protection for information classified
at that level.
The Customer does not currently have access to its security protocol information.
However, as identified in the document “Enterprise Security Strategy - Gap Analysis”,
the Customer recognises that the current solution is not sufficient to fully meet
Commonwealth Security Standards.
4.18.3 Security Requirements for the current environment
The Contractor must do everything associated with the provision, management and
administration of security of the System as required by the Customer. The Customer’s
requirements for the provision of security services relating to the System are detailed
below and in section 5 of this Attachment (Roles and Responsibilities). These
requirements are to be fulfilled as part of the core managed services.

Without limiting the scope of these Services or the Contractor's obligations, the
Contractor must:
a) Do everything necessary for maintaining the security of the System.
b) Liaise with and provide relevant information to other persons assigned
responsibility for the security of any part of the Customer's IT environment.
4.18.4 Security Policies & Procedures
As a minimum, the Contractor must fully comply with all aspects of the Customer's
Enterprise Information Security Policy, the following security policies, standards and
guidelines and all policies, procedures and standards in Attachment 9 in all their
interactions with the Customer and in the performance and provision of the Services
(including any security service). Where, in the Customer's Enterprise Information
Security Policy, compliance to the Commonwealth information security policies and
standards is currently discretionary, the Contractor must treat those references as
requiring mandatory compliance.
The following is an adapted extract from the Customer's Enterprise Information
Security Policy with which the Contractor must comply.
“The development and management of all Victoria Police information Systems must
be fully compliant with the following policies, standards and guidelines (or their
successors or as amended):
(i) IT&T-14: Information Security Policy (Victorian Government, May 1999);
(ii) IT Network and Application Security Best Practice Statements
(Multimedia Victoria, February 1999);
(iii) Information Technology —Code of Practice for Information Security
Management [AS/NZS ISO/IEC 17799:2001] (Standards
Australia/Standards New Zealand);
(iv) Information Security Management Part 2: Specification for Information
Security Management Systems [AS/NZS 7799.2:2003] (Standards
Australia/Standards New Zealand);
(v) Information Security Risk Management Guidelines [HB 231:2004]
(Standards Australia); and
(vi) Guidelines for the Management of IT Security [AS13335 (Set): 2003]
(Standards Australia).
However, as the documents listed above are relatively non-prescriptive, the
information security control measures implemented in relation to the Customer's
information systems must also be fully compliant with the policies, standards and/or
guidelines defined in the following (or their successors or as amended):
(i) Commonwealth Protective Security Manual (2000 edition, Attorney
General’s Department, Commonwealth of Australia);
(ii) ACSI 33: The Australian Government Information Technology Security
Manual: (2004 edition, Defence Signals Directorate [DSD], Department of
Defence, Commonwealth of Australia);
(iii) Gateway Certification Guide (Ver. 3 2004 edition, Defence Signals
Directorate [DSD], Department of Defence, Commonwealth of Australia);
(iv) Security Equipment Catalogue, Security Construction and Equipment
Committee (SCEC), Commonwealth of Australia; and
(v) Key Management Plan Guidance [July 2003] (Information Security Group,
Defence Signals Directorate)”.

4.19 Business Continuity (BC)


All activities associated with the provision to the Customer of BC support, including
BC planning and strategy development, strategy implementation, capability testing,
rehearsals and ongoing management of BC for each component of the System. In
undertaking such activities, the Contractor must take into account and minimise their
impact on all other elements of the Customer's IT environment. The Customer will
retain responsibility for Business Continuity for non-IT resources within each of its
individual business units. The Contractor must coordinate its BC activities with those of
third parties who provide similar services to the Customer in relation to other parts of
the Customer's IT environment and consistently meet or exceed the BC SLRs.
Without limiting the scope of the support Services or the Contractor's obligations in
accordance with the Customer's policies, procedures and standards, the Contractor
must:
a) Appoint and maintain an ‘on call’ (24x7) BC Manager to manage ongoing BC
requirements including preparation activities, capability testing and emergency
response. The Contractor's BC manager will be expected to liaise directly with the
Customer's BITS BC Coordinator.
b) Provide recovery of IT resources, within the System, in timeframes that meet the
Recovery Time Objectives (RTO), including restoration from backups stored offsite,
as specified in SLRs.
c) Ensure the continuance of electronic communication with other departments,
agencies and jurisdictions in the event of an emergency.
d) Undertake a 6 monthly test of BC procedures.
e) Report on the outcomes of the test as soon as practicable after the test. Before,
during and after rehearsals and tests, the Contractor must provide advice, analysis
and suggestions for improvement, and implement improved BC processes (where
shortfalls are identified).
f) Ensure minimum downtime and data loss.
g) Maintain data integrity, including security and access rights.
h) Maintain network security.
i) Minimise any negative impact on the Customer’s business operation.
j) Maintain the Customer's users' satisfaction.
k) Ensure that all BC documents are current and valid.
l) Ensure that the Contractor's staff involved in recovery procedures are fully trained
in the requirements of the plans.

The Customer may at its sole discretion review the outcomes of BC testing and reviews.
The Contractor must implement the Customer's recommendations made as an outcome
of such reviews.
4.19.1 Contractor Reporting
The Contractor must report to the Customer any incidents related to the mandatory
requirements such as raising of alarms, security breaches etc. Additional details of this
reporting will be specified by the Customer.

Pass-through Services and Management


All activities associated with managing Third Party Contracts. Without limiting the
scope of the support Services or the Contractor's obligations, the Contractor must
on-charge directly to the Customer amounts invoiced by a third party contractor under a
managed Third Party Contract, without adding any margin or mark-up. The Contractor
must also provide commercial and technical management of the third party contractors
specified by the Customer.
Project Initiation
All activities necessary for the Contractor to comply with the procedures in Attachment
19 and the Procedures Manual when initiating, assessing or implementing projects.
These activities relate to all projects, including those that the Contractor may be
required to undertake, be engaged for as a development project, or in support of a third
party engaged for a development project.
Project initiation activities include, but are not limited to:
a) Developing an initial project plan, identifying all critical path dependencies,
staffing resources, major milestones and project deliverables.
b) Developing reporting requirements.
c) Creating a development project Personnel plan identifying the Personnel assigned
to the development project.
d) Identifying any project inhibitors and mitigation strategies to ensure that the
project can be undertaken in a viable manner.
e) Developing RFT evaluation criteria.
f) Creating a development project Statement of Work (SOW) which includes:
i. A defined scope of work.
ii. Technical goals and objectives.
iii. Identification of customers and end users.
iv. Standards.
v. Assigned responsibilities.
vi. Cost and schedule constraints.
vii. Dependencies between the development project team and other
organisations.
viii. Resource constraints and goals.
ix. Planning assumptions.
x. The parties’ responsibilities.
g) Creating a development project Risk Assessment Plan (“RAP”) which identifies
the risks associated with the cost, resource, schedule, and technical aspects of the
project. The risks must be analysed and prioritised based on their potential impact
to the project and contingencies and mitigation strategies for the risks that are
identified must be detailed.
h) Designing a project change control process that identifies, evaluates and assesses any
change that impacts the development project (including any impact on cost,
timing, or risk).
Event Response Services
All activities necessary to support the Customer during an Event. This includes
assistance with the delivery, configuration, installation and connection of hardware and
Software to communication service providers in nominated short time periods. It also
may include the Contractor being obliged to provide fast responses, Rectifying and
Resolving Problems within short timeframes and, in relation to the System,
providing dedicated onsite assistance. The Contractor must be able to cater for multiple
simultaneous Events.
Without limiting the scope of the support Services or the Contractor's obligations, the
Contractor must:
a) Make available resources (Personnel and equipment) that can be activated when
the Customer declares an Event.
b) Provide support on an as needed basis to deal with an Event to the Customer's
satisfaction.
c) Cooperate with and provide resources and Services (as part of the support
Services) to any Provider of Event related services to the Customer.
Risk Management
All activities associated with minimising the Customer's risk that is associated with the
Services. Such activities include the Contractor developing, implementing and
maintaining a thorough risk mitigation plan for provision of the Services that aligns
with the Customer’s policies, procedures and standards. The risk mitigation plan must
be approved by the Customer and must adequately address the issues of risk
identification (being anything that has the potential to impede the Customer or the
Contractor from achieving its objectives) and risk classification (i.e. the likelihood and
consequence of each risk). It must also involve the Contractor actively tracking and
mitigating each risk throughout the Term.
The risk mitigation and management activities are in addition to the Contractor's BC
obligations.
Without limiting the scope of the support Services or the Contractor's obligations, the
Contractor must actively:
a) Identify and prioritise organisational, operational and strategic risk.
b) Adopt an integrated approach to risk management that involves all relevant
internal and external stakeholders including support from the Customer’s senior
management.
c) Ensure risk management becomes part of day to day management.
d) Provide Personnel with the policies, procedures and training necessary to manage
risks.
e) Develop appropriate strategies to ensure that identified risks and options for
treatment are communicated to stakeholders at all levels.
f) Monitor its strategic risk profile and achieve continuous improvement in risk
management.
g) Prepare reports on the risk management strategy and its implementation, as and
when required by the Customer, in a form that the Customer can submit to VMIA
to satisfy the Customer's obligations under the Financial Management Act 1994
and Victorian Managed Insurance Authority Act 1996.

5 Roles and Responsibilities


Application Maintenance, Support and Enhancement Roles and
Responsibilities
The following table identifies the underlying roles and responsibilities associated with
the provision of the Services (including all required Updates). An “X” is placed in the
column under the party that will be primarily responsible for performing the task. The
Customer's responsibilities are indicated in the column labelled "Customer". The
Customer is designated the responsible party for performing tasks which must be
performed by the Contractor or a third party where the Customer has retained
provisioning or management responsibility.
Where no detail is provided on a specific part of a Service, the Contractor is wholly
responsible for the provision of that part of the Service, unless otherwise advised by the
Customer.

Application Maintenance, Support and Enhancement Roles and Responsibilities    Contractor    Customer
1. Application Maintenance
1.1 Define maintenance and support policies and procedures. X
1.2 Approve maintenance and support policies and X
procedures.
1.3 Dispatch technicians to the point-of-service location, if X
required.
1.4 Perform diagnostics on hardware, Software, peripherals X
and services (as appropriate).
1.5 Install manufacturer field change orders, service packs, X
firmware and software maintenance New Releases, BIOS
Updates, etc.
1.6 Perform Software distribution and version control, both X
electronic and manual.
1.7 Perform code efficiency and stress testing. X
1.8 Replace defective parts and systems, including preventive X
maintenance according to the manufacturer’s published
mean-time-between rates.
1.9 Perform routine system management on support X
applications such as system tuning.
1.10 Provide preventive maintenance. X
1.11 Provide adaptive maintenance. X
1.12 Provide perfective maintenance. X
1.13 Provide release packaging of Software changes. X
1.14 Approve release packaging of Software changes. X
1.15 Establish the priority of service requests. X
2. Technical and End User Support
2.1 Define technical support policies and procedures. X
2.2 Approve technical support policies and procedures. X
2.3 Test, install and tune technical environment hardware, X
Software, peripherals and services.
2.4 Manage hardware, Software, peripherals, and Services to X
optimise Service Levels and minimise the Customer's
resource requirements.
2.5 Perform system backups in accordance with established X
procedures.
2.6 Coordinate Level 2 Service Desk interaction and response X
with the Level 1 Service Desk.
2.7 Provide Level 2 Service Desk technical assistance and X
production support.
2.8 Coordinate Level 3 Service Desk interaction and response X
with the Level 1 Service Desk and the Level 2 Service
Desk.
2.9 Provide Level 3 Service Desk technical assistance and X
production support.
3. Applications Enhancement
3.1 Requirements Definition
3.1.1 Define requirements determination standards. X
3.1.2 Coordinate end-user interaction with the Level 1 Service X
Desk.
3.1.3 Conduct interviews, group workshops and surveys to X
determine user requirements.
3.1.4 Meet with the Customer's requirements groups and X
representatives.
3.1.5 Serve on appropriate requirements groups and panels. X
3.1.6 Determine software Update conversion requirements for X
COTS hardware and software.
3.1.7 Document all requirements in required formats (e.g., X
system specifications, data models, and network design
schematics).
3.1.8 Approve all requirements documents. X
3.1.9 Recommend System and user acceptance test criteria. X
3.1.10 Approve System and user acceptance test criteria. X
3.2 Design Specification
3.2.1 Design and configure technical environment through an X
annual technology plan based on the Customer's
standards, architecture and project initiatives.
3.2.2 Authorise and approve technology plan through X
coordination with the Customer's appropriate technology
standards group.
3.2.3 Conduct Site surveys for design efforts as required. X
3.2.4 Provide design documentation in formats required by the X
Customer for all products and Services.
3.2.5 Approve design documentation for products and Services. X
4. Acquisition
4.1 Establish acquisition policies and procedures. X
4.2 Approve acquisition policies and procedures. X
4.3 Develop and issue requests for proposals, as required. X
4.4 Rate the supplier proposals, as required. X
4.5 Negotiate supplier contracts, as required. X
4.6 Procure assets, as required. X
4.7 Manage/track service orders, as required. X
4.8 Coordinate delivery and installation of new products and X
Services.
4.9 Ensure compliance with the Customer's established IT X
standards and architectures, as required.
4.10 Adhere to the Customer's acceptance process. X
5. Support Services
5.1 Planning and Analysis
5.1.1 Define services and standards for planning and analysis X
activities.
5.1.2 Approve services and standards for planning and analysis X
activities.
5.1.3 Recommend policies and procedures to implement X
planning and analysis activities.
5.1.4 Conduct an information system threat risk assessment to X
identify formal security requirements.
5.1.5 Authorise and approve policies and procedures. X
5.1.6 Perform business liaison function to operational units. X
5.1.7 Perform business planning for capacity and performance. X
5.1.8 Continuously monitor technical trends through X
independent research; document and report on products
and services with potential use for the Customer.
5.1.9 Perform feasibility studies for the implementation of new X
technologies that best meet the Customer's business needs
and expense/service level expectations.
5.1.10 Perform project management and estimation functions X
(including the creation of project plans and appropriate
management documentation).
5.1.11 Conduct annual technical and business planning sessions X
to establish standards, architecture and project initiatives.
5.1.12 Participate in annual technical and business planning X
sessions to establish standards, architecture and project
initiatives.
5.1.13 Conduct semi-annual technical reviews. X
5.1.14 Conduct semi-annual workshops on industry trends and X
best practices.
1.5.15 Planning for BC. X X
1.5.16 Perform security planning. X
1.5.17 Provide standards, procedures and policies regarding X
security.
5.2 Development Project Management
5.2.1 Provide Development Project management methodology. X
5.2.2 Approve Development Project management X
methodology.
5.2.3 Provide Development Project management Services and X
reporting.
5.2.4 Approve and sign-off project management Services and X
reporting.
5.3 Construction/Development
5.3.1 Establish construction/development policies and X
procedures.
5.3.2 Approve construction/development policies and X
procedures.
5.3.3 Perform engineering functions required to implement X
design plans for additional or new products and services.
5.3.4 Manage construction/development efforts using industry X
standard project management tools and methodologies.
5.3.5 Conduct development reviews and provide results to the X
Customer.
5.3.6 Create standard infrastructure profiles specific to the X
Customer's IT service area (e.g., desktop profiles for
distributed computing).
5.3.7 Develop scripts and macro programs to automate X
standard Customer processes as appropriate (e.g.,
upgrading desktop profiles).
5.3.8 Approve construction/development plans and procedures X
where there is an impact on the Customer's other
entities/facilities.
5.4 Integration and Testing
5.4.1 Develop integration and testing policies and procedures. X
5.4.2 Approve integration and testing policies and procedures. X
5.4.3 Conduct integration and testing for all new and upgraded X
equipment, Updated Software or services to include unit,
System, integration and regression testing.
5.4.4 Evaluate all new and upgraded equipment, Updated X
Software or services for compliance with the Customer's
security policies, regulations and procedures.
5.4.5 Approve all integration, user acceptance and security X
testing for new and upgraded equipment, Updated
Software or services.
5.4.6 Stage new and upgraded equipment, Updated Software or X
services to smoothly transition into existing environment.
5.4.7 Perform modifications and performance-enhancement X
adjustments to the Customer's system Software and
utilities as a result of changes to architectural standards.
5.4.8 Test New Releases of supported hardware and Software X
to ensure conformance with the Customer's SLRs.
5.4.9 Oversee the Customer's integration test laboratory X
facilities.
5.4.10 Manage the Customer's integration test laboratory X
facilities.
5.4.11 Perform configuration management and change control X
activities.
5.4.12 Approve configuration management and change control X
results.
5.5 Implementation and Migration
5.5.1 Define equipment migration and redeployment policies. X
5.5.2 Approve equipment migration and redeployment policies. X
5.5.3 Conduct pre-installation Site surveys. X
5.5.4 Install enhancements to technical architecture or Services X
provided.
5.5.5 Install new or enhanced functions or features—hardware, X
Software, peripherals and configurations.
5.5.6 Coordinate support activities with and between the X
Contractor's Service Desk and other Service Desks.
5.5.7 Provide technical assistance during conversion as X
requested.
5.5.8 Perform data migration by either electronic or manual X
methods as a result of implementation or migration.
5.5.9 Perform appropriate tests on all installs, moves, additions X
and changes.
5.5.10 Conduct user acceptance tests. X
5.5.11 Approve user acceptance results. X
5.5.12 Provide end-user training for new products and services X
5.5.13 Conducting tests of documented BC procedures including X X
all backup and restoration activities.
5.5.14 Approve implementation and migration "Go/No Go" X
decisions.
5.6 Emergency
5.6.1 Define requirements for emergency capability (including X
BC requirements).
5.6.2 Approve requirements for emergency capability. X
5.6.3 Provide a structured process for monitoring, managing X
and reporting on actions related to emergency activities.
5.6.4 Identify the members of an emergency response team. X X
5.6.5 Develop emergency management plan to meet emergency X
requirements.
5.6.6 Approve emergency management plan. X
5.6.7 Perform emergency processes as required by the X
Customer.
5.7 Application Warranty
5.7.1 Conduct maintenance and parts management and X
monitoring during warranty and off-warranty periods.
5.8 Continuous Process Improvement
5.8.1 Develop processes for monitoring and analysing service X
delivery methods and procedures.
5.8.2 Approve processes for monitoring and analysing service X
delivery methods and procedures.
5.8.3 Present opportunities for improvement in service delivery X
methods and procedures.
5.8.4 Analyse and if proven approve opportunities for X
improvement in service delivery methods and procedures.
5.8.5 Implement opportunities for improvement in service X
delivery methods and procedures as per
change/configuration control procedures.
5.9 Level 2 Problem Management And Resolution (Specialised Problem, Skilled Technical
Solution)
5.9.1 Identify Problem characteristics and, if possible, root X
cause.
5.9.2 Respond to and resolve inquiries/Problems within X
prescribed time limits, if possible; otherwise, escalate to
appropriate Level 3 Service Desk within SLR escalation
time periods.
5.9.3 Coordinate call progress Rectification and Resolution X
with Level 1 Service Desk for tracking and reporting
purposes.
5.9.4 Notify and/or escalate issues to the Customer and third X
party management as required.
5.10 Level 3 (Severe Problem, Extended Technical Solution) Problem Management and
Resolution
5.10.1 Identify Problem characteristics, including root-cause X
analysis and identification.
5.10.2 Respond to and resolve inquiries/Problem within SLR X
time periods; coordinate Rectification and Resolution
with the Customer, as well as appropriate suppliers and
third parties as needed.
5.10.3 Co-ordinate call progress Rectification and Resolution X
with Level 1 Service Desk for tracking and reporting
purposes.
5.11 Root Cause Analysis
5.11.1 Flag all Severity Level 1 Problems as requiring Root X
Cause Analysis along with all recurring problems.
5.11.2 Determine protocols and requirements for Root Cause X
Analysis.
5.11.3 Implement protocols and requirements for Root Cause X
Analysis.
5.11.4 Initiate Root Cause Analysis reports and assign and X
manage the collation of data between all parties including
but not limited to third party vendors, other third parties
that provide IT services to the Customer and the
Customer.
5.11.5 Identify the root cause of Severity Level 1 Problems or X
failures and recommend appropriate Resolution action,
where/whenever possible.
5.11.6 Track and report on progress of all Severity Level 1 X
Problems that are escalated to the Level 2 Service Desk to
ensure that Root Cause Analysis is performed and
reported on (incident reports/Tickets to remain open until
Root Cause Analysis report is completed and submitted).
5.11.7 Provide the Customer with a written report detailing the X
cause of and procedure for correcting such failure;
provide updates on a monthly basis until closure.
5.11.8 Substantiate to the Customer that all reasonable actions X
have been taken to prevent recurrence of such failure.
5.11.9 Review and approve actions for Resolution of Problems X
as reported in Root Cause Analysis recommendations.
5.12 Training Activities
5.12.1 Establish training plans and procedures. X
5.12.2 Approve training plans and procedures. X
5.12.3 Provide training for the Customer's end-users to improve X
“how-to-use” skills related to IT service area systems and
applications.
5.13 Monitoring and Reporting
5.13.1 Approve and document SLRs, Severity Levels and X
reporting cycles.
5.13.2 Document Service Level objectives and requirements. X
5.13.3 Determine escalation points and triggers. X
5.13.4 Define high-level on line reporting requirements. X
5.13.5 Provide access to problem management systems in X
accordance with on line reporting requirements.
5.13.6 Measure and analyse performance relative to X
requirements.
5.13.7 Develop improvement plans. X
5.13.8 Authorise and approve improvement plans. X
5.13.9 Implement improvement plans. X
5.13.10 Report on Service Level results. X
5.13.11 Coordinate monitoring and reporting of Service Desk. X
5.13.12 Provide appropriate metrics and measures of performance X
to the Customer's appropriate representatives including
the information system security action centre.
5.14 Local Implementation/Deployment
5.14.1 Define and approve local implementation/deployment X
Services standards and policies.
5.14.2 Develop local implementation/deployment Services X
procedures.
5.14.3 Implement and deploy applications as per local X
implementation/deployment Services procedures.
5.14.4 Test and approve implemented and deployed applications. X
5.15 Managed Asset Management
5.15.1 Establish and authorise Managed Asset register X
management policies and processes.
5.15.2 Implement and fully comply with Managed Asset register X
management policies and procedures.
5.15.3 Provide updates of Managed Assets to the Managed Asset X
register database in accordance with defined procedures.
5.15.4 Establish, update, and maintain a Managed Asset X
register database.
5.15.5 Provide management tools, infrastructure and end-to-end X
support for interfaces with the Managed Asset register
management database.
5.15.6 Review and approve Managed Asset register tracking X
methodology.
5.15.7 Ensure inputs to the Managed Asset register are accurate X
and fully up to date.
5.15.8 Track all Managed Assets (by user, location, Managed X
Asset ID, finances) and ensure service contracts are in
force as needed to meet SLRs.
5.15.9 Provide inventory tracking and management including X
support for centralised warranty and license management.
5.15.10 Assist in auditing Managed Assets. X
5.15.11 Conduct Managed Asset audits. X
5.15.12 Establish and define Managed Asset register database X
reporting requirements and policies.
5.15.13 Develop Managed Asset register management procedures X
and comply with all reporting requirements.
5.15.14 Determine acceptance process for new or replacement X
Managed Assets.
5.15.15 Adhere to the Customer's acceptance processes. X
5.15.16 Report on Managed Asset register on an ad hoc and X
defined/structured basis.
5.15.17 Periodic review/audit Managed Asset register X
management procedures.
5.16 Configuration Management/Change Control
5.16.1 Establish change requirements (Workstation, operating X
system, network operating system, application Software,
user access).
5.16.2 Define configuration management and change control X
policies and procedures.
5.16.3 Review and approve configuration management and X
change control policies and procedures.
5.16.4 Determine change logistics. X
5.16.5 Determine change cost and impact. X
5.16.6 Schedule and conduct change management meeting. X
5.16.7 Authorise and approve change. X
5.16.8 Notify affected clients of change timing and impact. X
5.16.9 Implement change. X
5.16.10 Verify that change met objectives and did not have other X
negative impacts.
5.16.11 Report results of change. X
5.16.12 Ensure that each change is accompanied by a business X
continuity and back out plan.
5.16.13 Perform quality control audits and approve change X
control results.
5.16.14 Approve post implementation review reports. X
5.17 Documentation
5.17.1 Define Documentation requirements and formats. X
5.17.2 Approve Documentation requirements and formats. X
5.17.3 Provide output in the format specified by the Customer X
for support of activities throughout the life cycle of the
Services.
5.17.4 Approve Documentation delivered. X
5.18 Security Management and Administration
5.18.1 Establish and maintain the necessary security X
management and administration requirements.
5.19 BC - Ongoing Management
5.19.1 Establish and maintain BC requirements. X X
5.19.2 Policy (incl. key responsibilities). X
5.19.3 Maintain IT BC team structure. X
5.19.4 Maintain BC management team structure. X
5.19.5 Ensure awareness of BC responsibilities (business). X

5.19.6 Ensure awareness of BC responsibilities (IT). X
5.19.7 Update IT BC procedures as required. X
5.19.8 Approve updates of BC. X
5.19.9 Update BC procedures (business) as required. X
5.19.10 Plan storage and access (Central database, immediate X
off-site access).
5.19.11 Embed BC responsibilities in work practices and X
reporting requirements under SLRs.
5.19.12 Embed BC responsibilities in work practices and X
reporting under internal KPIs.
5.20 Pass-through Services and Management
5.20.1 Define policies, procedures and standards for X
pass-through services and management.
5.20.2 Implement policies, procedures and standards for X
pass-through services and management.
5.20.3 Manage and track any issues relating to Third Party X
Contracts.
5.20.4 Provide itemised third party vendor charges on to X
Customer.

Information Security Roles and Responsibilities


These roles and responsibilities are applicable to the delivery of the Services (where
applicable).


Information Security Roles and Responsibilities Matrix Contractor Customer
6 INFORMATION SECURITY
6.1 INFORMATION SECURITY MANAGEMENT
SYSTEM (ISMS)
6.1.1 Implement and maintain an "Information Security X
Management System" (ISMS) for the secure management
of the Customer’s System that is fully compliant with the
Customer's policies and standards
6.1.2 Provide the Customer’s authorised representatives with X
access (including copies, where requested) to all
documentation regarding the Contractor’s ISMS for the
secure management of the Customer’s System.
6.1.3 Enable the Customer’s authorised representatives to X
undertake whatever activities are necessary for the
effective monitoring and/or auditing of the Contractor’s
ISMS, and the Contractor’s performance against it.
6.1.4 Monitor the structure and content of the Contractor’s X
ISMS, and the Contractor’s performance against it.
6.1.5 Implement regular (at least annual) self-audits of X
structure and content of the Contractor’s ISMS against
the recommendations and content of the Customer's
policies and standards and provide a report of the audit
activities and findings to the Customer’s Contract
Manager.
6.1.6 Implement regular (at least annual) self-audits of the X
Contractor’s performance against its ISMS, and provide a
report of the audit activities and findings to the
Customer’s Contract Manager.
6.1.7 Audit the structure and content of the Contractor’s ISMS, X
and the Contractor’s performance against it.
6.1.8 Implement corrective and preventive actions to remediate X
any shortcomings identified by the Contractor and/or the
Customer regarding the structure and content of the
Contractor’s ISMS, or the Contractor’s performance
against it.
6.1.9 Assist the Customer in defining a security X
calendar/schedule of known security events (including
reporting) through the provision of relevant authoritative
advice.
6.1.10 Define a security calendar/schedule of all known security X
events (including reporting).
6.1.11 Advise the Customer of any scheduled security events X
such as systems maintenance that are additional to those
defined in the calendar/schedule, at least 24 hours before
the event is scheduled to occur.
6.1.12 Evaluate and advise the Customer (through the Contract X
Manager) regarding the:
• Information security implications;

Information Security Roles and Responsibilities Contractor Customer


Matrix
6 INFORMATION SECURITY
6.1 INFORMATION SECURITY MANAGEMENT
SYSTEM (ISMS)
6.1.1 Implement and maintain an "Information Security X
Management System" (ISMS) for the secure management
of the Customer’s System that is fully compliant with the
Customer's policies and standards
6.1.2 Provide the Customer’s authorised representatives with X
access (including copies, where requested) to all
documentation regarding the Contractor’s ISMS for the
secure management of the Customer’s System.
6.1.3 Enable the Customer’s authorised representatives to X
undertake whatever activities are necessary for the
effective monitoring and/or auditing of the Contractor’s
ISMS, and the Contractor’s performance against it.
6.1.4 Monitor the structure and content of the Contractor’s X
ISMS, and the Contractor’s performance against it.
6.1.5 Implement regular (at least annual) self-audits of X
structure and content of the Contractor’s ISMS against
the recommendations and content of the Customer's
policies and standards and provide a report of the audit
activities and findings to the Customer’s Contract
Manager.
6.1.6 Implement regular (at least annual) self-audits of the X
Contractor’s performance against its ISMS, and provide a
report of the audit activities and findings to the
Customer’s Contract Manager.
6.1.7 Audit the structure and content of the Contractor’s ISMS, X
and the Contractor’s performance against it.
6.1.8 Implement corrective and preventive actions to remediate X
any shortcomings identified by the Contractor and/or the
Customer regarding the structure and content of the
Contractor’s ISMS, or the Contractor’s performance
against it.
6.1.9 Assist the Customer in defining a security X
calendar/schedule of known security events (including
reporting) through the provision of relevant authoritative
advice.
6.1.10 Define a security calendar/schedule of all known security X
events (including reporting).
6.1.11 Advise the Customer of any scheduled security events X
such as systems maintenance that are additional to those
defined in the calendar/schedule, at least 24 hours before
the event is scheduled to occur.
6.1.12 Evaluate and advise the Customer (through the Contract X
Manager) regarding the:
• Information security implications;
Page 55
Attachment 3 - Services - Applications

Information Security Roles and Responsibilities Contractor Customer


Matrix
6 INFORMATION SECURITY
6.1 INFORMATION SECURITY MANAGEMENT
SYSTEM (ISMS)
6.1.1 Implement and maintain an "Information Security X
Management System" (ISMS) for the secure management
of the Customer’s System that is fully compliant with the
Customer's policies and standards
6.1.2 Provide the Customer’s authorised representatives with X
access (including copies, where requested) to all
documentation regarding the Contractor’s ISMS for the
secure management of the Customer’s System.
6.1.3 Enable the Customer’s authorised representatives to X
undertake whatever activities are necessary for the
effective monitoring and/or auditing of the Contractor’s
ISMS, and the Contractor’s performance against it.
6.1.4 Monitor the structure and content of the Contractor’s X
ISMS, and the Contractor’s performance against it.
6.1.5 Implement regular (at least annual) self-audits of X
structure and content of the Contractor’s ISMS against
the recommendations and content of the Customer's
policies and standards and provide a report of the audit
activities and findings to the Customer’s Contract
Manager.
6.1.6 Implement regular (at least annual) self-audits of the X
Contractor’s performance against its ISMS, and provide a
report of the audit activities and findings to the
Customer’s Contract Manager.
6.1.7 Audit the structure and content of the Contractor’s ISMS, X
and the Contractor’s performance against it.
6.1.8 Implement corrective and preventive actions to remediate X
any shortcomings identified by the Contractor and/or the
Customer regarding the structure and content of the
Contractor’s ISMS, or the Contractor’s performance
against it.
6.1.9 Assist the Customer in defining a security X
calendar/schedule of known security events (including
reporting) through the provision of relevant authoritative
advice.
6.1.10 Define a security calendar/schedule of all known security X
events (including reporting).
6.1.11 Advise the Customer of any scheduled security events X
such as systems maintenance that are additional to those
defined in the calendar/schedule, at least 24 hours before
the event is scheduled to occur.
6.1.12 Evaluate and advise the Customer (through the Contract X
Manager) regarding the:
• Information security implications;
Page 56
Attachment 3 - Services - Applications

Information Security Roles and Responsibilities Contractor Customer


Matrix
6 INFORMATION SECURITY
6.1 INFORMATION SECURITY MANAGEMENT
SYSTEM (ISMS)
6.1.1 Implement and maintain an "Information Security X
Management System" (ISMS) for the secure management
of the Customer’s System that is fully compliant with the
Customer's policies and standards
6.1.2 Provide the Customer’s authorised representatives with X
access (including copies, where requested) to all
documentation regarding the Contractor’s ISMS for the
secure management of the Customer’s System.
6.1.3 Enable the Customer’s authorised representatives to X
undertake whatever activities are necessary for the
effective monitoring and/or auditing of the Contractor’s
ISMS, and the Contractor’s performance against it.
6.1.4 Monitor the structure and content of the Contractor’s X
ISMS, and the Contractor’s performance against it.
6.1.5 Implement regular (at least annual) self-audits of X
structure and content of the Contractor’s ISMS against
the recommendations and content of the Customer's
policies and standards and provide a report of the audit
activities and findings to the Customer’s Contract
Manager.
6.1.6 Implement regular (at least annual) self-audits of the X
Contractor’s performance against its ISMS, and provide a
report of the audit activities and findings to the
Customer’s Contract Manager.
6.1.7 Audit the structure and content of the Contractor’s ISMS, X
and the Contractor’s performance against it.
6.1.8 Implement corrective and preventive actions to remediate X
any shortcomings identified by the Contractor and/or the
Customer regarding the structure and content of the
Contractor’s ISMS, or the Contractor’s performance
against it.
6.1.9 Assist the Customer in defining a security X
calendar/schedule of known security events (including
reporting) through the provision of relevant authoritative
advice.
6.1.10 Define a security calendar/schedule of all known security X
events (including reporting).
6.1.11 Advise the Customer of any scheduled security events X
such as systems maintenance that are additional to those
defined in the calendar/schedule, at least 24 hours before
the event is scheduled to occur.
6.1.12 Evaluate and advise the Customer (through the Contract X
Manager) regarding the:
• Information security implications;
Page 57
Attachment 3 - Services - Applications

Information Security Roles and Responsibilities Contractor Customer


Matrix
6 INFORMATION SECURITY
6.1 INFORMATION SECURITY MANAGEMENT
SYSTEM (ISMS)
6.1.1 Implement and maintain an "Information Security X
Management System" (ISMS) for the secure management
of the Customer’s System that is fully compliant with the
Customer's policies and standards
6.1.2 Provide the Customer’s authorised representatives with X
access (including copies, where requested) to all
documentation regarding the Contractor’s ISMS for the
secure management of the Customer’s System.
6.1.3 Enable the Customer’s authorised representatives to X
undertake whatever activities are necessary for the
effective monitoring and/or auditing of the Contractor’s
ISMS, and the Contractor’s performance against it.
6.1.4 Monitor the structure and content of the Contractor’s X
ISMS, and the Contractor’s performance against it.
6.1.5 Implement regular (at least annual) self-audits of X
structure and content of the Contractor’s ISMS against
the recommendations and content of the Customer's
policies and standards and provide a report of the audit
activities and findings to the Customer’s Contract
Manager.
6.1.6 Implement regular (at least annual) self-audits of the X
Contractor’s performance against its ISMS, and provide a
report of the audit activities and findings to the
Customer’s Contract Manager.
6.1.7 Audit the structure and content of the Contractor’s ISMS, X
and the Contractor’s performance against it.
6.1.8 Implement corrective and preventive actions to remediate X
any shortcomings identified by the Contractor and/or the
Customer regarding the structure and content of the
Contractor’s ISMS, or the Contractor’s performance
against it.
6.1.9 Assist the Customer in defining a security X
calendar/schedule of known security events (including
reporting) through the provision of relevant authoritative
advice.
6.1.10 Define a security calendar/schedule of all known security X
events (including reporting).
6.1.11 Advise the Customer of any scheduled security events X
such as systems maintenance that are additional to those
defined in the calendar/schedule, at least 24 hours before
the event is scheduled to occur.
6.1.12 Evaluate and advise the Customer (through the Contract X
Manager) regarding the:
• Information security implications;
Page 58
Attachment 3 - Services - Applications

Information Security Roles and Responsibilities Contractor Customer


Matrix
6 INFORMATION SECURITY
6.1 INFORMATION SECURITY MANAGEMENT
SYSTEM (ISMS)
6.1.1 Implement and maintain an "Information Security X
Management System" (ISMS) for the secure management
of the Customer’s System that is fully compliant with the
Customer's policies and standards
6.1.2 Provide the Customer’s authorised representatives with X
access (including copies, where requested) to all
documentation regarding the Contractor’s ISMS for the
secure management of the Customer’s System.
6.1.3 Enable the Customer’s authorised representatives to X
undertake whatever activities are necessary for the
effective monitoring and/or auditing of the Contractor’s
ISMS, and the Contractor’s performance against it.
6.1.4 Monitor the structure and content of the Contractor’s X
ISMS, and the Contractor’s performance against it.
6.1.5 Implement regular (at least annual) self-audits of X
structure and content of the Contractor’s ISMS against
the recommendations and content of the Customer's
policies and standards and provide a report of the audit
activities and findings to the Customer’s Contract
Manager.
6.1.6 Implement regular (at least annual) self-audits of the X
Contractor’s performance against its ISMS, and provide a
report of the audit activities and findings to the
Customer’s Contract Manager.
6.1.7 Audit the structure and content of the Contractor’s ISMS, X
and the Contractor’s performance against it.
6.1.8 Implement corrective and preventive actions to remediate X
any shortcomings identified by the Contractor and/or the
Customer regarding the structure and content of the
Contractor’s ISMS, or the Contractor’s performance
against it.
6.1.9 Assist the Customer in defining a security X
calendar/schedule of known security events (including
reporting) through the provision of relevant authoritative
advice.
6.1.10 Define a security calendar/schedule of all known security X
events (including reporting).
6.1.11 Advise the Customer of any scheduled security events X
such as systems maintenance that are additional to those
defined in the calendar/schedule, at least 24 hours before
the event is scheduled to occur.
6.1.12 Evaluate and advise the Customer (through the Contract X
Manager) regarding the:
• Information security implications;
Page 59
Attachment 3 - Services - Applications

Information Security Roles and Responsibilities Contractor Customer


Matrix
6 INFORMATION SECURITY
6.1 INFORMATION SECURITY MANAGEMENT
SYSTEM (ISMS)
6.1.1 Implement and maintain an "Information Security X
Management System" (ISMS) for the secure management
of the Customer’s System that is fully compliant with the
Customer's policies and standards
6.1.2 Provide the Customer’s authorised representatives with X
access (including copies, where requested) to all
documentation regarding the Contractor’s ISMS for the
secure management of the Customer’s System.
6.1.3 Enable the Customer’s authorised representatives to X
undertake whatever activities are necessary for the
effective monitoring and/or auditing of the Contractor’s
ISMS, and the Contractor’s performance against it.
6.1.4 Monitor the structure and content of the Contractor’s X
ISMS, and the Contractor’s performance against it.
6.1.5 Implement regular (at least annual) self-audits of X
structure and content of the Contractor’s ISMS against
the recommendations and content of the Customer's
policies and standards and provide a report of the audit
activities and findings to the Customer’s Contract
Manager.
6.1.6 Implement regular (at least annual) self-audits of the X
Contractor’s performance against its ISMS, and provide a
report of the audit activities and findings to the
Customer’s Contract Manager.
6.1.7 Audit the structure and content of the Contractor’s ISMS, X
and the Contractor’s performance against it.
6.1.8 Implement corrective and preventive actions to remediate X
any shortcomings identified by the Contractor and/or the
Customer regarding the structure and content of the
Contractor’s ISMS, or the Contractor’s performance
against it.
6.1.9 Assist the Customer in defining a security X
calendar/schedule of known security events (including
reporting) through the provision of relevant authoritative
advice.
6.1.10 Define a security calendar/schedule of all known security X
events (including reporting).
6.1.11 Advise the Customer of any scheduled security events X
such as systems maintenance that are additional to those
defined in the calendar/schedule, at least 24 hours before
the event is scheduled to occur.
6.1.12 Evaluate and advise the Customer (through the Contract X
Manager) regarding the:
• Information security implications;
Page 60
Attachment 3 - Services - Applications

Information Security Roles and Responsibilities Contractor Customer


Matrix
6 INFORMATION SECURITY
6.1 INFORMATION SECURITY MANAGEMENT
SYSTEM (ISMS)
6.1.1 Implement and maintain an "Information Security X
Management System" (ISMS) for the secure management
of the Customer’s System that is fully compliant with the
Customer's policies and standards
6.1.2 Provide the Customer’s authorised representatives with X
access (including copies, where requested) to all
documentation regarding the Contractor’s ISMS for the
secure management of the Customer’s System.
6.1.3 Enable the Customer’s authorised representatives to X
undertake whatever activities are necessary for the
effective monitoring and/or auditing of the Contractor’s
ISMS, and the Contractor’s performance against it.
6.1.4 Monitor the structure and content of the Contractor’s X
ISMS, and the Contractor’s performance against it.
6.1.5 Implement regular (at least annual) self-audits of X
structure and content of the Contractor’s ISMS against
the recommendations and content of the Customer's
policies and standards and provide a report of the audit
activities and findings to the Customer’s Contract
Manager.
6.1.6 Implement regular (at least annual) self-audits of the X
Contractor’s performance against its ISMS, and provide a
report of the audit activities and findings to the
Customer’s Contract Manager.
6.1.7 Audit the structure and content of the Contractor’s ISMS, X
and the Contractor’s performance against it.
6.1.8 Implement corrective and preventive actions to remediate X
any shortcomings identified by the Contractor and/or the
Customer regarding the structure and content of the
Contractor’s ISMS, or the Contractor’s performance
against it.
6.1.9 Assist the Customer in defining a security X
calendar/schedule of known security events (including
reporting) through the provision of relevant authoritative
advice.
6.1.10 Define a security calendar/schedule of all known security X
events (including reporting).
6.1.11 Advise the Customer of any scheduled security events X
such as systems maintenance that are additional to those
defined in the calendar/schedule, at least 24 hours before
the event is scheduled to occur.
6.1.12 Evaluate and advise the Customer (through the Contract X
Manager) regarding the:
• Information security implications;
Page 61
Attachment 3 - Services - Applications

Information Security Roles and Responsibilities Contractor Customer


Matrix
6 INFORMATION SECURITY
6.1 INFORMATION SECURITY MANAGEMENT
SYSTEM (ISMS)
6.1.1 Implement and maintain an "Information Security X
Management System" (ISMS) for the secure management
of the Customer’s System that is fully compliant with the
Customer's policies and standards
6.1.2 Provide the Customer’s authorised representatives with X
access (including copies, where requested) to all
documentation regarding the Contractor’s ISMS for the
secure management of the Customer’s System.
6.1.3 Enable the Customer’s authorised representatives to X
undertake whatever activities are necessary for the
effective monitoring and/or auditing of the Contractor’s
ISMS, and the Contractor’s performance against it.
6.1.4 Monitor the structure and content of the Contractor’s X
ISMS, and the Contractor’s performance against it.
6.1.5 Implement regular (at least annual) self-audits of X
structure and content of the Contractor’s ISMS against
the recommendations and content of the Customer's
policies and standards and provide a report of the audit
activities and findings to the Customer’s Contract
Manager.
6.1.6 Implement regular (at least annual) self-audits of the X
Contractor’s performance against its ISMS, and provide a
report of the audit activities and findings to the
Customer’s Contract Manager.
6.1.7 Audit the structure and content of the Contractor’s ISMS, X
and the Contractor’s performance against it.
6.1.8 Implement corrective and preventive actions to remediate X
any shortcomings identified by the Contractor and/or the
Customer regarding the structure and content of the
Contractor’s ISMS, or the Contractor’s performance
against it.
6.1.9 Assist the Customer in defining a security X
calendar/schedule of known security events (including
reporting) through the provision of relevant authoritative
advice.
6.1.10 Define a security calendar/schedule of all known security X
events (including reporting).
6.1.11 Advise the Customer of any scheduled security events X
such as systems maintenance that are additional to those
defined in the calendar/schedule, at least 24 hours before
the event is scheduled to occur.
6.1.12 Evaluate and advise the Customer (through the Contract X
Manager) regarding the:
• Information security implications;
Page 62
Attachment 3 - Services - Applications

Information Security Roles and Responsibilities Contractor Customer


Matrix
6 INFORMATION SECURITY
6.1 INFORMATION SECURITY MANAGEMENT
SYSTEM (ISMS)
6.1.1 Implement and maintain an "Information Security X
Management System" (ISMS) for the secure management
of the Customer’s System that is fully compliant with the
Customer's policies and standards
6.1.2 Provide the Customer’s authorised representatives with X
access (including copies, where requested) to all
documentation regarding the Contractor’s ISMS for the
secure management of the Customer’s System.
6.1.3 Enable the Customer’s authorised representatives to X
undertake whatever activities are necessary for the
effective monitoring and/or auditing of the Contractor’s
ISMS, and the Contractor’s performance against it.
6.1.4 Monitor the structure and content of the Contractor’s X
ISMS, and the Contractor’s performance against it.
6.1.5 Implement regular (at least annual) self-audits of X
structure and content of the Contractor’s ISMS against
the recommendations and content of the Customer's
policies and standards and provide a report of the audit
activities and findings to the Customer’s Contract
Manager.
6.1.6 Implement regular (at least annual) self-audits of the X
Contractor’s performance against its ISMS, and provide a
report of the audit activities and findings to the
Customer’s Contract Manager.
6.1.7 Audit the structure and content of the Contractor’s ISMS, X
and the Contractor’s performance against it.
6.1.8 Implement corrective and preventive actions to remediate X
any shortcomings identified by the Contractor and/or the
Customer regarding the structure and content of the
Contractor’s ISMS, or the Contractor’s performance
against it.
6.1.9 Assist the Customer in defining a security X
calendar/schedule of known security events (including
reporting) through the provision of relevant authoritative
advice.
6.1.10 Define a security calendar/schedule of all known security X
events (including reporting).
6.1.11 Advise the Customer of any scheduled security events X
such as systems maintenance that are additional to those
defined in the calendar/schedule, at least 24 hours before
the event is scheduled to occur.
6.1.12 Evaluate and advise the Customer (through the Contract X
Manager) regarding the:
• Information security implications;
Page 63
Attachment 3 - Services - Applications

Information Security Roles and Responsibilities Contractor Customer


Matrix
6 INFORMATION SECURITY
6.1 INFORMATION SECURITY MANAGEMENT
SYSTEM (ISMS)
6.1.1 Implement and maintain an "Information Security X
Management System" (ISMS) for the secure management
of the Customer’s System that is fully compliant with the
Customer's policies and standards
6.1.2 Provide the Customer’s authorised representatives with X
access (including copies, where requested) to all
documentation regarding the Contractor’s ISMS for the
secure management of the Customer’s System.
6.1.3 Enable the Customer’s authorised representatives to X
undertake whatever activities are necessary for the
effective monitoring and/or auditing of the Contractor’s
ISMS, and the Contractor’s performance against it.
6.1.4 Monitor the structure and content of the Contractor’s X
ISMS, and the Contractor’s performance against it.
6.1.5 Implement regular (at least annual) self-audits of X
structure and content of the Contractor’s ISMS against
the recommendations and content of the Customer's
policies and standards and provide a report of the audit
activities and findings to the Customer’s Contract
Manager.
6.1.6 Implement regular (at least annual) self-audits of the X
Contractor’s performance against its ISMS, and provide a
report of the audit activities and findings to the
Customer’s Contract Manager.
6.1.7 Audit the structure and content of the Contractor’s ISMS, X
and the Contractor’s performance against it.
6.1.8 Implement corrective and preventive actions to remediate X
any shortcomings identified by the Contractor and/or the
Customer regarding the structure and content of the
Contractor’s ISMS, or the Contractor’s performance
against it.
6.1.9 Assist the Customer in defining a security X
calendar/schedule of known security events (including
reporting) through the provision of relevant authoritative
advice.
6.1.10 Define a security calendar/schedule of all known security X
events (including reporting).
6.1.11 Advise the Customer of any scheduled security events X
such as systems maintenance that are additional to those
defined in the calendar/schedule, at least 24 hours before
the event is scheduled to occur.
6.1.12 Evaluate and advise the Customer (through the Contract X
Manager) regarding the:
• Information security implications;
Page 64
Attachment 3 - Services - Applications

Information Security Roles and Responsibilities Contractor Customer


Matrix
6 INFORMATION SECURITY
6.1 INFORMATION SECURITY MANAGEMENT
SYSTEM (ISMS)
6.1.1 Implement and maintain an "Information Security X
Management System" (ISMS) for the secure management
of the Customer’s System that is fully compliant with the
Customer's policies and standards
6.1.2 Provide the Customer’s authorised representatives with X
access (including copies, where requested) to all
documentation regarding the Contractor’s ISMS for the
secure management of the Customer’s System.
6.1.3 Enable the Customer’s authorised representatives to X
undertake whatever activities are necessary for the
effective monitoring and/or auditing of the Contractor’s
ISMS, and the Contractor’s performance against it.
6.1.4 Monitor the structure and content of the Contractor’s X
ISMS, and the Contractor’s performance against it.
6.1.5 Implement regular (at least annual) self-audits of X
structure and content of the Contractor’s ISMS against
the recommendations and content of the Customer's
policies and standards and provide a report of the audit
activities and findings to the Customer’s Contract
Manager.
6.1.6 Implement regular (at least annual) self-audits of the X
Contractor’s performance against its ISMS, and provide a
report of the audit activities and findings to the
Customer’s Contract Manager.
6.1.7 Audit the structure and content of the Contractor’s ISMS, X
and the Contractor’s performance against it.
6.1.8 Implement corrective and preventive actions to remediate X
any shortcomings identified by the Contractor and/or the
Customer regarding the structure and content of the
Contractor’s ISMS, or the Contractor’s performance
against it.
6.1.9 Assist the Customer in defining a security X
calendar/schedule of known security events (including
reporting) through the provision of relevant authoritative
advice.
6.1.10 Define a security calendar/schedule of all known security X
events (including reporting).
6.1.11 Advise the Customer of any scheduled security events X
such as systems maintenance that are additional to those
defined in the calendar/schedule, at least 24 hours before
the event is scheduled to occur.
6.1.12 Evaluate and advise the Customer (through the Contract X
Manager) regarding the:
• Information security implications;
Page 65
Attachment 3 - Services - Applications

Information Security Roles and Responsibilities Contractor Customer


Matrix
6 INFORMATION SECURITY
6.1 INFORMATION SECURITY MANAGEMENT
SYSTEM (ISMS)
6.1.1 Implement and maintain an "Information Security X
Management System" (ISMS) for the secure management
of the Customer’s System that is fully compliant with the
Customer's policies and standards
6.1.2 Provide the Customer’s authorised representatives with X
access (including copies, where requested) to all
documentation regarding the Contractor’s ISMS for the
secure management of the Customer’s System.
6.1.3 Enable the Customer’s authorised representatives to X
undertake whatever activities are necessary for the
effective monitoring and/or auditing of the Contractor’s
ISMS, and the Contractor’s performance against it.
6.1.4 Monitor the structure and content of the Contractor’s X
ISMS, and the Contractor’s performance against it.
6.1.5 Implement regular (at least annual) self-audits of X
structure and content of the Contractor’s ISMS against
the recommendations and content of the Customer's
policies and standards and provide a report of the audit
activities and findings to the Customer’s Contract
Manager.
6.1.6 Implement regular (at least annual) self-audits of the X
Contractor’s performance against its ISMS, and provide a
report of the audit activities and findings to the
Customer’s Contract Manager.
6.1.7 Audit the structure and content of the Contractor’s ISMS, X
and the Contractor’s performance against it.
6.1.8 Implement corrective and preventive actions to remediate X
any shortcomings identified by the Contractor and/or the
Customer regarding the structure and content of the
Contractor’s ISMS, or the Contractor’s performance
against it.
6.1.9 Assist the Customer in defining a security X
calendar/schedule of known security events (including
reporting) through the provision of relevant authoritative
advice.
6.1.10 Define a security calendar/schedule of all known security X
events (including reporting).
6.1.11 Advise the Customer of any scheduled security events X
such as systems maintenance that are additional to those
defined in the calendar/schedule, at least 24 hours before
the event is scheduled to occur.
6.1.12 Evaluate and advise the Customer (through the Contract X
Manager) regarding the:
• Information security implications;
Page 66
Attachment 3 - Services - Applications

Information Security Roles and Responsibilities Contractor Customer


Matrix
6 INFORMATION SECURITY
6.1 INFORMATION SECURITY MANAGEMENT
SYSTEM (ISMS)
6.1.1 Implement and maintain an "Information Security X
Management System" (ISMS) for the secure management
of the Customer’s System that is fully compliant with the
Customer's policies and standards
6.1.2 Provide the Customer’s authorised representatives with X
access (including copies, where requested) to all
documentation regarding the Contractor’s ISMS for the
secure management of the Customer’s System.
6.1.3 Enable the Customer’s authorised representatives to X
undertake whatever activities are necessary for the
effective monitoring and/or auditing of the Contractor’s
ISMS, and the Contractor’s performance against it.
6.1.4 Monitor the structure and content of the Contractor’s X
ISMS, and the Contractor’s performance against it.
6.1.5 Implement regular (at least annual) self-audits of X
structure and content of the Contractor’s ISMS against
the recommendations and content of the Customer's
policies and standards and provide a report of the audit
activities and findings to the Customer’s Contract
Manager.
6.1.6 Implement regular (at least annual) self-audits of the X
Contractor’s performance against its ISMS, and provide a
report of the audit activities and findings to the
Customer’s Contract Manager.
6.1.7 Audit the structure and content of the Contractor’s ISMS, X
and the Contractor’s performance against it.
6.1.8 Implement corrective and preventive actions to remediate X
any shortcomings identified by the Contractor and/or the
Customer regarding the structure and content of the
Contractor’s ISMS, or the Contractor’s performance
against it.
6.1.9 Assist the Customer in defining a security X
calendar/schedule of known security events (including
reporting) through the provision of relevant authoritative
advice.
6.1.10 Define a security calendar/schedule of all known security X
events (including reporting).
6.1.11 Advise the Customer of any scheduled security events X
such as systems maintenance that are additional to those
defined in the calendar/schedule, at least 24 hours before
the event is scheduled to occur.
6.1.12 Evaluate and advise the Customer (through the Contract X
Manager) regarding the:
• Information security implications;
Page 67
Attachment 3 - Services - Applications

Information Security Roles and Responsibilities Contractor Customer


Matrix
6 INFORMATION SECURITY
6.1 INFORMATION SECURITY MANAGEMENT
SYSTEM (ISMS)
6.1.1 Implement and maintain an "Information Security X
Management System" (ISMS) for the secure management
of the Customer’s System that is fully compliant with the
Customer's policies and standards
6.1.2 Provide the Customer’s authorised representatives with X
access (including copies, where requested) to all
documentation regarding the Contractor’s ISMS for the
secure management of the Customer’s System.
6.1.3 Enable the Customer’s authorised representatives to X
undertake whatever activities are necessary for the
effective monitoring and/or auditing of the Contractor’s
ISMS, and the Contractor’s performance against it.
6.1.4 Monitor the structure and content of the Contractor’s X
ISMS, and the Contractor’s performance against it.
6.1.5 Implement regular (at least annual) self-audits of the X
structure and content of the Contractor’s ISMS against
the recommendations and content of the Customer’s
policies and standards, and provide a report of the audit
activities and findings to the Customer’s Contract
Manager.
6.1.6 Implement regular (at least annual) self-audits of the X
Contractor’s performance against its ISMS, and provide a
report of the audit activities and findings to the
Customer’s Contract Manager.
6.1.7 Audit the structure and content of the Contractor’s ISMS, X
and the Contractor’s performance against it.
6.1.8 Implement corrective and preventive actions to remediate X
any shortcomings identified by the Contractor and/or the
Customer regarding the structure and content of the
Contractor’s ISMS, or the Contractor’s performance
against it.
6.1.9 Assist the Customer in defining a security X
calendar/schedule of known security events (including
reporting) through the provision of relevant authoritative
advice.
6.1.10 Define a security calendar/schedule of all known security X
events (including reporting).
6.1.11 Advise the Customer of any scheduled security events X
such as systems maintenance that are additional to those
defined in the calendar/schedule, at least 24 hours before
the event is scheduled to occur.
6.1.12 Evaluate and advise the Customer (through the Contract X
Manager) regarding the:
• Information security implications;
6.1.10 Define a security calendar/schedule of all known security X
events (including reporting).
6.1.11 Advise the Customer of any scheduled security events X
such as systems maintenance that are additional to those
defined in the calendar/schedule, at least 24 hours before
the event is scheduled to occur.
6.1.12 Evaluate and advise the Customer (through the Contract X
Manager) regarding the:
• Information security implications;
Page 82
Attachment 3 - Services - Applications

Information Security Roles and Responsibilities Contractor Customer


Matrix
6 INFORMATION SECURITY
6.1 INFORMATION SECURITY MANAGEMENT
SYSTEM (ISMS)
6.1.1 Implement and maintain an "Information Security X
Management System" (ISMS) for the secure management
of the Customer’s System that is fully compliant with the
Customer's policies and standards
6.1.2 Provide the Customer’s authorised representatives with X
access (including copies, where requested) to all
documentation regarding the Contractor’s ISMS for the
secure management of the Customer’s System.
6.1.3 Enable the Customer’s authorised representatives to X
undertake whatever activities are necessary for the
effective monitoring and/or auditing of the Contractor’s
ISMS, and the Contractor’s performance against it.
6.1.4 Monitor the structure and content of the Contractor’s X
ISMS, and the Contractor’s performance against it.
6.1.5 Implement regular (at least annual) self-audits of X
structure and content of the Contractor’s ISMS against
the recommendations and content of the Customer's
policies and standards and provide a report of the audit
activities and findings to the Customer’s Contract
Manager.
6.1.6 Implement regular (at least annual) self-audits of the X
Contractor’s performance against its ISMS, and provide a
report of the audit activities and findings to the
Customer’s Contract Manager.
6.1.7 Audit the structure and content of the Contractor’s ISMS, X
and the Contractor’s performance against it.
6.1.8 Implement corrective and preventive actions to remediate X
any shortcomings identified by the Contractor and/or the
Customer regarding the structure and content of the
Contractor’s ISMS, or the Contractor’s performance
against it.
6.1.9 Assist the Customer in defining a security X
calendar/schedule of known security events (including
reporting) through the provision of relevant authoritative
advice.
6.1.10 Define a security calendar/schedule of all known security X
events (including reporting).
6.1.11 Advise the Customer of any scheduled security events X
such as systems maintenance that are additional to those
defined in the calendar/schedule, at least 24 hours before
the event is scheduled to occur.
6.1.12 Evaluate and advise the Customer (through the Contract X
Manager) regarding the:
• Information security implications;
Page 83
Attachment 3 - Services - Applications

Information Security Roles and Responsibilities Contractor Customer


Matrix
6 INFORMATION SECURITY
6.1 INFORMATION SECURITY MANAGEMENT
SYSTEM (ISMS)
6.1.1 Implement and maintain an "Information Security X
Management System" (ISMS) for the secure management
of the Customer’s System that is fully compliant with the
Customer's policies and standards
6.1.2 Provide the Customer’s authorised representatives with X
access (including copies, where requested) to all
documentation regarding the Contractor’s ISMS for the
secure management of the Customer’s System.
6.1.3 Enable the Customer’s authorised representatives to X
undertake whatever activities are necessary for the
effective monitoring and/or auditing of the Contractor’s
ISMS, and the Contractor’s performance against it.
6.1.4 Monitor the structure and content of the Contractor’s X
ISMS, and the Contractor’s performance against it.
6.1.5 Implement regular (at least annual) self-audits of X
structure and content of the Contractor’s ISMS against
the recommendations and content of the Customer's
policies and standards and provide a report of the audit
activities and findings to the Customer’s Contract
Manager.
6.1.6 Implement regular (at least annual) self-audits of the X
Contractor’s performance against its ISMS, and provide a
report of the audit activities and findings to the
Customer’s Contract Manager.
6.1.7 Audit the structure and content of the Contractor’s ISMS, X
and the Contractor’s performance against it.
6.1.8 Implement corrective and preventive actions to remediate X
any shortcomings identified by the Contractor and/or the
Customer regarding the structure and content of the
Contractor’s ISMS, or the Contractor’s performance
against it.
6.1.9 Assist the Customer in defining a security X
calendar/schedule of known security events (including
reporting) through the provision of relevant authoritative
advice.
6.1.10 Define a security calendar/schedule of all known security X
events (including reporting).
6.1.11 Advise the Customer of any scheduled security events X
such as systems maintenance that are additional to those
defined in the calendar/schedule, at least 24 hours before
the event is scheduled to occur.
6.1.12 Evaluate and advise the Customer (through the Contract X
Manager) regarding the:
• Information security implications;
Page 84
Attachment 3 - Services - Applications

Information Security Roles and Responsibilities Contractor Customer


Matrix
6 INFORMATION SECURITY
6.1 INFORMATION SECURITY MANAGEMENT
SYSTEM (ISMS)
6.1.1 Implement and maintain an "Information Security X
Management System" (ISMS) for the secure management
of the Customer’s System that is fully compliant with the
Customer's policies and standards
6.1.2 Provide the Customer’s authorised representatives with X
access (including copies, where requested) to all
documentation regarding the Contractor’s ISMS for the
secure management of the Customer’s System.
6.1.3 Enable the Customer’s authorised representatives to X
undertake whatever activities are necessary for the
effective monitoring and/or auditing of the Contractor’s
ISMS, and the Contractor’s performance against it.
6.1.4 Monitor the structure and content of the Contractor’s X
ISMS, and the Contractor’s performance against it.
6.1.5 Implement regular (at least annual) self-audits of X
structure and content of the Contractor’s ISMS against
the recommendations and content of the Customer's
policies and standards and provide a report of the audit
activities and findings to the Customer’s Contract
Manager.
6.1.6 Implement regular (at least annual) self-audits of the X
Contractor’s performance against its ISMS, and provide a
report of the audit activities and findings to the
Customer’s Contract Manager.
6.1.7 Audit the structure and content of the Contractor’s ISMS, X
and the Contractor’s performance against it.
6.1.8 Implement corrective and preventive actions to remediate X
any shortcomings identified by the Contractor and/or the
Customer regarding the structure and content of the
Contractor’s ISMS, or the Contractor’s performance
against it.
6.1.9 Assist the Customer in defining a security X
calendar/schedule of known security events (including
reporting) through the provision of relevant authoritative
advice.
6.1.10 Define a security calendar/schedule of all known security X
events (including reporting).
6.1.11 Advise the Customer of any scheduled security events X
such as systems maintenance that are additional to those
defined in the calendar/schedule, at least 24 hours before
the event is scheduled to occur.
6.1.12 Evaluate and advise the Customer (through the Contract X
Manager) regarding the:
• Information security implications;
Page 85
Attachment 3 - Services - Applications

Information Security Roles and Responsibilities Contractor Customer


Matrix
6 INFORMATION SECURITY
6.1 INFORMATION SECURITY MANAGEMENT
SYSTEM (ISMS)
6.1.1 Implement and maintain an "Information Security X
Management System" (ISMS) for the secure management
of the Customer’s System that is fully compliant with the
Customer's policies and standards
6.1.2 Provide the Customer’s authorised representatives with X
access (including copies, where requested) to all
documentation regarding the Contractor’s ISMS for the
secure management of the Customer’s System.
6.1.3 Enable the Customer’s authorised representatives to X
undertake whatever activities are necessary for the
effective monitoring and/or auditing of the Contractor’s
ISMS, and the Contractor’s performance against it.
6.1.4 Monitor the structure and content of the Contractor’s X
ISMS, and the Contractor’s performance against it.
6.1.5 Implement regular (at least annual) self-audits of X
structure and content of the Contractor’s ISMS against
the recommendations and content of the Customer's
policies and standards and provide a report of the audit
activities and findings to the Customer’s Contract
Manager.
6.1.6 Implement regular (at least annual) self-audits of the X
Contractor’s performance against its ISMS, and provide a
report of the audit activities and findings to the
Customer’s Contract Manager.
6.1.7 Audit the structure and content of the Contractor’s ISMS, X
and the Contractor’s performance against it.
6.1.8 Implement corrective and preventive actions to remediate X
any shortcomings identified by the Contractor and/or the
Customer regarding the structure and content of the
Contractor’s ISMS, or the Contractor’s performance
against it.
6.1.9 Assist the Customer in defining a security X
calendar/schedule of known security events (including
reporting) through the provision of relevant authoritative
advice.
6.1.10 Define a security calendar/schedule of all known security X
events (including reporting).
6.1.11 Advise the Customer of any scheduled security events X
such as systems maintenance that are additional to those
defined in the calendar/schedule, at least 24 hours before
the event is scheduled to occur.
6.1.12 Evaluate and advise the Customer (through the Contract X
Manager) regarding the:
• Information security implications;
Page 86
Attachment 3 - Services - Applications

Information Security Roles and Responsibilities Contractor Customer


Matrix
6 INFORMATION SECURITY
6.1 INFORMATION SECURITY MANAGEMENT
SYSTEM (ISMS)
6.1.1 Implement and maintain an "Information Security X
Management System" (ISMS) for the secure management
of the Customer’s System that is fully compliant with the
Customer's policies and standards
6.1.2 Provide the Customer’s authorised representatives with X
access (including copies, where requested) to all
documentation regarding the Contractor’s ISMS for the
secure management of the Customer’s System.
6.1.3 Enable the Customer’s authorised representatives to X
undertake whatever activities are necessary for the
effective monitoring and/or auditing of the Contractor’s
ISMS, and the Contractor’s performance against it.
6.1.4 Monitor the structure and content of the Contractor’s X
ISMS, and the Contractor’s performance against it.
6.1.5 Implement regular (at least annual) self-audits of X
structure and content of the Contractor’s ISMS against
the recommendations and content of the Customer's
policies and standards and provide a report of the audit
activities and findings to the Customer’s Contract
Manager.
6.1.6 Implement regular (at least annual) self-audits of the X
Contractor’s performance against its ISMS, and provide a
report of the audit activities and findings to the
Customer’s Contract Manager.
6.1.7 Audit the structure and content of the Contractor’s ISMS, X
and the Contractor’s performance against it.
6.1.8 Implement corrective and preventive actions to remediate X
any shortcomings identified by the Contractor and/or the
Customer regarding the structure and content of the
Contractor’s ISMS, or the Contractor’s performance
against it.
6.1.9 Assist the Customer in defining a security X
calendar/schedule of known security events (including
reporting) through the provision of relevant authoritative
advice.
6.1.10 Define a security calendar/schedule of all known security X
events (including reporting).
6.1.11 Advise the Customer of any scheduled security events X
such as systems maintenance that are additional to those
defined in the calendar/schedule, at least 24 hours before
the event is scheduled to occur.
6.1.12 Evaluate and advise the Customer (through the Contract X
Manager) regarding the:
• Information security implications;
Page 87
Attachment 3 - Services - Applications

Information Security Roles and Responsibilities Contractor Customer


Matrix
6 INFORMATION SECURITY
6.1 INFORMATION SECURITY MANAGEMENT
SYSTEM (ISMS)
6.1.1 Implement and maintain an "Information Security X
Management System" (ISMS) for the secure management
of the Customer’s System that is fully compliant with the
Customer's policies and standards
6.1.2 Provide the Customer’s authorised representatives with X
access (including copies, where requested) to all
documentation regarding the Contractor’s ISMS for the
secure management of the Customer’s System.
6.1.3 Enable the Customer’s authorised representatives to X
undertake whatever activities are necessary for the
effective monitoring and/or auditing of the Contractor’s
ISMS, and the Contractor’s performance against it.
6.1.4 Monitor the structure and content of the Contractor’s X
ISMS, and the Contractor’s performance against it.
6.1.5 Implement regular (at least annual) self-audits of X
structure and content of the Contractor’s ISMS against
the recommendations and content of the Customer's
policies and standards and provide a report of the audit
activities and findings to the Customer’s Contract
Manager.
6.1.6 Implement regular (at least annual) self-audits of the X
Contractor’s performance against its ISMS, and provide a
report of the audit activities and findings to the
Customer’s Contract Manager.
6.1.7 Audit the structure and content of the Contractor’s ISMS, X
and the Contractor’s performance against it.
6.1.8 Implement corrective and preventive actions to remediate X
any shortcomings identified by the Contractor and/or the
Customer regarding the structure and content of the
Contractor’s ISMS, or the Contractor’s performance
against it.
6.1.9 Assist the Customer in defining a security X
calendar/schedule of known security events (including
reporting) through the provision of relevant authoritative
advice.
6.1.10 Define a security calendar/schedule of all known security X
events (including reporting).
6.1.11 Advise the Customer of any scheduled security events X
such as systems maintenance that are additional to those
defined in the calendar/schedule, at least 24 hours before
the event is scheduled to occur.
6.1.12 Evaluate and advise the Customer (through the Contract X
Manager) regarding the:
• Information security implications;
Page 88
Attachment 3 - Services - Applications

Information Security Roles and Responsibilities Contractor Customer


Matrix
6 INFORMATION SECURITY
6.1 INFORMATION SECURITY MANAGEMENT
SYSTEM (ISMS)
6.1.1 Implement and maintain an "Information Security X
Management System" (ISMS) for the secure management
of the Customer’s System that is fully compliant with the
Customer's policies and standards
6.1.2 Provide the Customer’s authorised representatives with X
access (including copies, where requested) to all
documentation regarding the Contractor’s ISMS for the
secure management of the Customer’s System.
6.1.3 Enable the Customer’s authorised representatives to X
undertake whatever activities are necessary for the
effective monitoring and/or auditing of the Contractor’s
ISMS, and the Contractor’s performance against it.
6.1.4 Monitor the structure and content of the Contractor’s X
ISMS, and the Contractor’s performance against it.
6.1.5 Implement regular (at least annual) self-audits of X
structure and content of the Contractor’s ISMS against
the recommendations and content of the Customer's
policies and standards and provide a report of the audit
activities and findings to the Customer’s Contract
Manager.
6.1.6 Implement regular (at least annual) self-audits of the X
Contractor’s performance against its ISMS, and provide a
report of the audit activities and findings to the
Customer’s Contract Manager.
6.1.7 Audit the structure and content of the Contractor’s ISMS, X
and the Contractor’s performance against it.
6.1.8 Implement corrective and preventive actions to remediate X
any shortcomings identified by the Contractor and/or the
Customer regarding the structure and content of the
Contractor’s ISMS, or the Contractor’s performance
against it.
6.1.9 Assist the Customer in defining a security X
calendar/schedule of known security events (including
reporting) through the provision of relevant authoritative
advice.
6.1.10 Define a security calendar/schedule of all known security X
events (including reporting).
6.1.11 Advise the Customer of any scheduled security events X
such as systems maintenance that are additional to those
defined in the calendar/schedule, at least 24 hours before
the event is scheduled to occur.
6.1.12 Evaluate and advise the Customer (through the Contract X
Manager) regarding the:
• Information security implications;
Page 89
Attachment 3 - Services - Applications

Information Security Roles and Responsibilities Contractor Customer


Matrix
6 INFORMATION SECURITY
6.1 INFORMATION SECURITY MANAGEMENT
SYSTEM (ISMS)
6.1.1 Implement and maintain an "Information Security X
Management System" (ISMS) for the secure management
of the Customer’s System that is fully compliant with the
Customer's policies and standards
6.1.2 Provide the Customer’s authorised representatives with X
access (including copies, where requested) to all
documentation regarding the Contractor’s ISMS for the
secure management of the Customer’s System.
6.1.3 Enable the Customer’s authorised representatives to X
undertake whatever activities are necessary for the
effective monitoring and/or auditing of the Contractor’s
ISMS, and the Contractor’s performance against it.
6.1.4 Monitor the structure and content of the Contractor’s X
ISMS, and the Contractor’s performance against it.
6.1.5 Implement regular (at least annual) self-audits of X
structure and content of the Contractor’s ISMS against
the recommendations and content of the Customer's
policies and standards and provide a report of the audit
activities and findings to the Customer’s Contract
Manager.
6.1.6 Implement regular (at least annual) self-audits of the X
Contractor’s performance against its ISMS, and provide a
report of the audit activities and findings to the
Customer’s Contract Manager.
6.1.7 Audit the structure and content of the Contractor’s ISMS, X
and the Contractor’s performance against it.
6.1.8 Implement corrective and preventive actions to remediate X
any shortcomings identified by the Contractor and/or the
Customer regarding the structure and content of the
Contractor’s ISMS, or the Contractor’s performance
against it.
6.1.9 Assist the Customer in defining a security X
calendar/schedule of known security events (including
reporting) through the provision of relevant authoritative
advice.
6.1.10 Define a security calendar/schedule of all known security X
events (including reporting).
6.1.11 Advise the Customer of any scheduled security events X
such as systems maintenance that are additional to those
defined in the calendar/schedule, at least 24 hours before
the event is scheduled to occur.
6.1.12 Evaluate and advise the Customer (through the Contract X
Manager) regarding the:
• Information security implications;
Page 90
Attachment 3 - Services - Applications

Information Security Roles and Responsibilities Contractor Customer


Matrix
6 INFORMATION SECURITY
6.1 INFORMATION SECURITY MANAGEMENT
SYSTEM (ISMS)
6.1.1 Implement and maintain an "Information Security X
Management System" (ISMS) for the secure management
of the Customer’s System that is fully compliant with the
Customer's policies and standards
6.1.2 Provide the Customer’s authorised representatives with X
access (including copies, where requested) to all
documentation regarding the Contractor’s ISMS for the
secure management of the Customer’s System.
6.1.3 Enable the Customer’s authorised representatives to X
undertake whatever activities are necessary for the
effective monitoring and/or auditing of the Contractor’s
ISMS, and the Contractor’s performance against it.
6.1.4 Monitor the structure and content of the Contractor’s X
ISMS, and the Contractor’s performance against it.
6.1.5 Implement regular (at least annual) self-audits of X
structure and content of the Contractor’s ISMS against
the recommendations and content of the Customer's
policies and standards and provide a report of the audit
activities and findings to the Customer’s Contract
Manager.
6.1.6 Implement regular (at least annual) self-audits of the X
Contractor’s performance against its ISMS, and provide a
report of the audit activities and findings to the
Customer’s Contract Manager.
6.1.7 Audit the structure and content of the Contractor’s ISMS, X
and the Contractor’s performance against it.
6.1.8 Implement corrective and preventive actions to remediate X
any shortcomings identified by the Contractor and/or the
Customer regarding the structure and content of the
Contractor’s ISMS, or the Contractor’s performance
against it.
6.1.9 Assist the Customer in defining a security X
calendar/schedule of known security events (including
reporting) through the provision of relevant authoritative
advice.
6.1.10 Define a security calendar/schedule of all known security X
events (including reporting).
6.1.11 Advise the Customer of any scheduled security events X
such as systems maintenance that are additional to those
defined in the calendar/schedule, at least 24 hours before
the event is scheduled to occur.
6.1.12 Evaluate and advise the Customer (through the Contract X
Manager) regarding the:
• Information security implications;
Page 91
Attachment 3 - Services - Applications

Information Security Roles and Responsibilities Contractor Customer


Matrix
6 INFORMATION SECURITY
6.1 INFORMATION SECURITY MANAGEMENT
SYSTEM (ISMS)
6.1.1 Implement and maintain an "Information Security X
Management System" (ISMS) for the secure management
of the Customer’s System that is fully compliant with the
Customer's policies and standards
6.1.2 Provide the Customer’s authorised representatives with X
access (including copies, where requested) to all
documentation regarding the Contractor’s ISMS for the
secure management of the Customer’s System.
6.1.3 Enable the Customer’s authorised representatives to X
undertake whatever activities are necessary for the
effective monitoring and/or auditing of the Contractor’s
ISMS, and the Contractor’s performance against it.
6.1.4 Monitor the structure and content of the Contractor’s X
ISMS, and the Contractor’s performance against it.
6.1.5 Implement regular (at least annual) self-audits of X
structure and content of the Contractor’s ISMS against
the recommendations and content of the Customer's
policies and standards and provide a report of the audit
activities and findings to the Customer’s Contract
Manager.
6.1.6 Implement regular (at least annual) self-audits of the X
Contractor’s performance against its ISMS, and provide a
report of the audit activities and findings to the
Customer’s Contract Manager.
6.1.7 Audit the structure and content of the Contractor’s ISMS, X
and the Contractor’s performance against it.
6.1.8 Implement corrective and preventive actions to remediate X
any shortcomings identified by the Contractor and/or the
Customer regarding the structure and content of the
Contractor’s ISMS, or the Contractor’s performance
against it.
6.1.9 Assist the Customer in defining a security X
calendar/schedule of known security events (including
reporting) through the provision of relevant authoritative
advice.
6.1.10 Define a security calendar/schedule of all known security X
events (including reporting).
6.1.11 Advise the Customer of any scheduled security events X
such as systems maintenance that are additional to those
defined in the calendar/schedule, at least 24 hours before
the event is scheduled to occur.
6.1.12 Evaluate and advise the Customer (through the Contract X
Manager) regarding the:
• Information security implications;
Page 92
Attachment 3 - Services - Applications

Information Security Roles and Responsibilities Contractor Customer


Matrix
6 INFORMATION SECURITY
6.1 INFORMATION SECURITY MANAGEMENT
SYSTEM (ISMS)
6.1.1 Implement and maintain an "Information Security X
Management System" (ISMS) for the secure management
of the Customer’s System that is fully compliant with the
Customer's policies and standards
6.1.2 Provide the Customer’s authorised representatives with X
access (including copies, where requested) to all
documentation regarding the Contractor’s ISMS for the
secure management of the Customer’s System.
6.1.3 Enable the Customer’s authorised representatives to X
undertake whatever activities are necessary for the
effective monitoring and/or auditing of the Contractor’s
ISMS, and the Contractor’s performance against it.
6.1.4 Monitor the structure and content of the Contractor’s X
ISMS, and the Contractor’s performance against it.
6.1.5 Implement regular (at least annual) self-audits of X
structure and content of the Contractor’s ISMS against
the recommendations and content of the Customer's
policies and standards and provide a report of the audit
activities and findings to the Customer’s Contract
Manager.
6.1.6 Implement regular (at least annual) self-audits of the X
Contractor’s performance against its ISMS, and provide a
report of the audit activities and findings to the
Customer’s Contract Manager.
6.1.7 Audit the structure and content of the Contractor’s ISMS, X
and the Contractor’s performance against it.
6.1.8 Implement corrective and preventive actions to remediate X
any shortcomings identified by the Contractor and/or the
Customer regarding the structure and content of the
Contractor’s ISMS, or the Contractor’s performance
against it.
6.1.9 Assist the Customer in defining a security X
calendar/schedule of known security events (including
reporting) through the provision of relevant authoritative
advice.
6.1.10 Define a security calendar/schedule of all known security X
events (including reporting).
6.1.11 Advise the Customer of any scheduled security events X
such as systems maintenance that are additional to those
defined in the calendar/schedule, at least 24 hours before
the event is scheduled to occur.
6.1.12 Evaluate and advise the Customer (through the Contract X
Manager) regarding the:
• Information security implications;
Page 93
Attachment 3 - Services - Applications

Information Security Roles and Responsibilities Contractor Customer


Matrix
6 INFORMATION SECURITY
6.1 INFORMATION SECURITY MANAGEMENT
SYSTEM (ISMS)
6.1.1 Implement and maintain an "Information Security X
Management System" (ISMS) for the secure management
of the Customer’s System that is fully compliant with the
Customer's policies and standards
6.1.2 Provide the Customer’s authorised representatives with X
access (including copies, where requested) to all
documentation regarding the Contractor’s ISMS for the
secure management of the Customer’s System.
6.1.3 Enable the Customer’s authorised representatives to X
undertake whatever activities are necessary for the
effective monitoring and/or auditing of the Contractor’s
ISMS, and the Contractor’s performance against it.
6.1.4 Monitor the structure and content of the Contractor’s X
ISMS, and the Contractor’s performance against it.
6.1.5 Implement regular (at least annual) self-audits of X
structure and content of the Contractor’s ISMS against
the recommendations and content of the Customer's
policies and standards and provide a report of the audit
activities and findings to the Customer’s Contract
Manager.
6.1.6 Implement regular (at least annual) self-audits of the X
Contractor’s performance against its ISMS, and provide a
report of the audit activities and findings to the
Customer’s Contract Manager.
6.1.7 Audit the structure and content of the Contractor’s ISMS, X
and the Contractor’s performance against it.
6.1.8 Implement corrective and preventive actions to remediate X
any shortcomings identified by the Contractor and/or the
Customer regarding the structure and content of the
Contractor’s ISMS, or the Contractor’s performance
against it.
6.1.9 Assist the Customer in defining a security X
calendar/schedule of known security events (including
reporting) through the provision of relevant authoritative
advice.
6.1.10 Define a security calendar/schedule of all known security X
events (including reporting).
6.1.11 Advise the Customer of any scheduled security events X
such as systems maintenance that are additional to those
defined in the calendar/schedule, at least 24 hours before
the event is scheduled to occur.
6.1.12 Evaluate and advise the Customer (through the Contract X
Manager) regarding the:
• Information security implications;
Page 94
Attachment 3 - Services - Applications

Information Security Roles and Responsibilities Contractor Customer


Matrix
6 INFORMATION SECURITY
6.1 INFORMATION SECURITY MANAGEMENT
SYSTEM (ISMS)
6.1.1 Implement and maintain an "Information Security X
Management System" (ISMS) for the secure management
of the Customer’s System that is fully compliant with the
Customer's policies and standards
6.1.2 Provide the Customer’s authorised representatives with X
access (including copies, where requested) to all
documentation regarding the Contractor’s ISMS for the
secure management of the Customer’s System.
6.1.3 Enable the Customer’s authorised representatives to X
undertake whatever activities are necessary for the
effective monitoring and/or auditing of the Contractor’s
ISMS, and the Contractor’s performance against it.
6.1.4 Monitor the structure and content of the Contractor’s X
ISMS, and the Contractor’s performance against it.
6.1.5 Implement regular (at least annual) self-audits of X
structure and content of the Contractor’s ISMS against
the recommendations and content of the Customer's
policies and standards and provide a report of the audit
activities and findings to the Customer’s Contract
Manager.
6.1.6 Implement regular (at least annual) self-audits of the X
Contractor’s performance against its ISMS, and provide a
report of the audit activities and findings to the
Customer’s Contract Manager.
6.1.7 Audit the structure and content of the Contractor’s ISMS, X
and the Contractor’s performance against it.
6.1.8 Implement corrective and preventive actions to remediate X
any shortcomings identified by the Contractor and/or the
Customer regarding the structure and content of the
Contractor’s ISMS, or the Contractor’s performance
against it.
6.1.9 Assist the Customer in defining a security X
calendar/schedule of known security events (including
reporting) through the provision of relevant authoritative
advice.
6.1.10 Define a security calendar/schedule of all known security X
events (including reporting).
6.1.11 Advise the Customer of any scheduled security events X
such as systems maintenance that are additional to those
defined in the calendar/schedule, at least 24 hours before
the event is scheduled to occur.
6.1.12 Evaluate and advise the Customer (through the Contract X
Manager) regarding the:
• Information security implications;

Information Security Roles and Responsibilities Contractor Customer


Matrix
6 INFORMATION SECURITY
6.1 INFORMATION SECURITY MANAGEMENT
SYSTEM (ISMS)
6.1.1 Implement and maintain an "Information Security X
Management System" (ISMS) for the secure management
of the Customer’s System that is fully compliant with the
Customer's policies and standards
6.1.2 Provide the Customer’s authorised representatives with X
access (including copies, where requested) to all
documentation regarding the Contractor’s ISMS for the
secure management of the Customer’s System.
6.1.3 Enable the Customer’s authorised representatives to X
undertake whatever activities are necessary for the
effective monitoring and/or auditing of the Contractor’s
ISMS, and the Contractor’s performance against it.
6.1.4 Monitor the structure and content of the Contractor’s X
ISMS, and the Contractor’s performance against it.
6.1.5 Implement regular (at least annual) self-audits of X
structure and content of the Contractor’s ISMS against
the recommendations and content of the Customer's
policies and standards and provide a report of the audit
activities and findings to the Customer’s Contract
Manager.
6.1.6 Implement regular (at least annual) self-audits of the X
Contractor’s performance against its ISMS, and provide a
report of the audit activities and findings to the
Customer’s Contract Manager.
6.1.7 Audit the structure and content of the Contractor’s ISMS, X
and the Contractor’s performance against it.
6.1.8 Implement corrective and preventive actions to remediate X
any shortcomings identified by the Contractor and/or the
Customer regarding the structure and content of the
Contractor’s ISMS, or the Contractor’s performance
against it.
6.1.9 Assist the Customer in defining a security X
calendar/schedule of known security events (including
reporting) through the provision of relevant authoritative
advice.
6.1.10 Define a security calendar/schedule of all known security X
events (including reporting).
6.1.11 Advise the Customer of any scheduled security events X
such as systems maintenance that are additional to those
defined in the calendar/schedule, at least 24 hours before
the event is scheduled to occur.
6.1.12 Evaluate and advise the Customer (through the Contract X
Manager) regarding the:
• Information security implications;
Page 123
Attachment 3 - Services - Applications

Information Security Roles and Responsibilities Contractor Customer


Matrix
6 INFORMATION SECURITY
6.1 INFORMATION SECURITY MANAGEMENT
SYSTEM (ISMS)
6.1.1 Implement and maintain an "Information Security X
Management System" (ISMS) for the secure management
of the Customer’s System that is fully compliant with the
Customer's policies and standards
6.1.2 Provide the Customer’s authorised representatives with X
access (including copies, where requested) to all
documentation regarding the Contractor’s ISMS for the
secure management of the Customer’s System.
6.1.3 Enable the Customer’s authorised representatives to X
undertake whatever activities are necessary for the
effective monitoring and/or auditing of the Contractor’s
ISMS, and the Contractor’s performance against it.
6.1.4 Monitor the structure and content of the Contractor’s X
ISMS, and the Contractor’s performance against it.
6.1.5 Implement regular (at least annual) self-audits of X
structure and content of the Contractor’s ISMS against
the recommendations and content of the Customer's
policies and standards and provide a report of the audit
activities and findings to the Customer’s Contract
Manager.
6.1.6 Implement regular (at least annual) self-audits of the X
Contractor’s performance against its ISMS, and provide a
report of the audit activities and findings to the
Customer’s Contract Manager.
6.1.7 Audit the structure and content of the Contractor’s ISMS, X
and the Contractor’s performance against it.
6.1.8 Implement corrective and preventive actions to remediate X
any shortcomings identified by the Contractor and/or the
Customer regarding the structure and content of the
Contractor’s ISMS, or the Contractor’s performance
against it.
6.1.9 Assist the Customer in defining a security X
calendar/schedule of known security events (including
reporting) through the provision of relevant authoritative
advice.
6.1.10 Define a security calendar/schedule of all known security X
events (including reporting).
6.1.11 Advise the Customer of any scheduled security events X
such as systems maintenance that are additional to those
defined in the calendar/schedule, at least 24 hours before
the event is scheduled to occur.
6.1.12 Evaluate and advise the Customer (through the Contract X
Manager) regarding the:
• Information security implications;
Page 124
Attachment 3 - Services - Applications

Information Security Roles and Responsibilities Contractor Customer


Matrix
6 INFORMATION SECURITY
6.1 INFORMATION SECURITY MANAGEMENT
SYSTEM (ISMS)
6.1.1 Implement and maintain an "Information Security X
Management System" (ISMS) for the secure management
of the Customer’s System that is fully compliant with the
Customer's policies and standards
6.1.2 Provide the Customer’s authorised representatives with X
access (including copies, where requested) to all
documentation regarding the Contractor’s ISMS for the
secure management of the Customer’s System.
6.1.3 Enable the Customer’s authorised representatives to X
undertake whatever activities are necessary for the
effective monitoring and/or auditing of the Contractor’s
ISMS, and the Contractor’s performance against it.
6.1.4 Monitor the structure and content of the Contractor’s X
ISMS, and the Contractor’s performance against it.
6.1.5 Implement regular (at least annual) self-audits of X
structure and content of the Contractor’s ISMS against
the recommendations and content of the Customer's
policies and standards and provide a report of the audit
activities and findings to the Customer’s Contract
Manager.
6.1.6 Implement regular (at least annual) self-audits of the X
Contractor’s performance against its ISMS, and provide a
report of the audit activities and findings to the
Customer’s Contract Manager.
6.1.7 Audit the structure and content of the Contractor’s ISMS, X
and the Contractor’s performance against it.
6.1.8 Implement corrective and preventive actions to remediate X
any shortcomings identified by the Contractor and/or the
Customer regarding the structure and content of the
Contractor’s ISMS, or the Contractor’s performance
against it.
6.1.9 Assist the Customer in defining a security X
calendar/schedule of known security events (including
reporting) through the provision of relevant authoritative
advice.
6.1.10 Define a security calendar/schedule of all known security X
events (including reporting).
6.1.11 Advise the Customer of any scheduled security events X
such as systems maintenance that are additional to those
defined in the calendar/schedule, at least 24 hours before
the event is scheduled to occur.
6.1.12 Evaluate and advise the Customer (through the Contract X
Manager) regarding the:
• Information security implications;
Page 125
Attachment 3 - Services - Applications

Information Security Roles and Responsibilities Contractor Customer


Matrix
6 INFORMATION SECURITY
6.1 INFORMATION SECURITY MANAGEMENT
SYSTEM (ISMS)
6.1.1 Implement and maintain an "Information Security X
Management System" (ISMS) for the secure management
of the Customer’s System that is fully compliant with the
Customer's policies and standards
6.1.2 Provide the Customer’s authorised representatives with X
access (including copies, where requested) to all
documentation regarding the Contractor’s ISMS for the
secure management of the Customer’s System.
6.1.3 Enable the Customer’s authorised representatives to X
undertake whatever activities are necessary for the
effective monitoring and/or auditing of the Contractor’s
ISMS, and the Contractor’s performance against it.
6.1.4 Monitor the structure and content of the Contractor’s X
ISMS, and the Contractor’s performance against it.
6.1.5 Implement regular (at least annual) self-audits of X
structure and content of the Contractor’s ISMS against
the recommendations and content of the Customer's
policies and standards and provide a report of the audit
activities and findings to the Customer’s Contract
Manager.
6.1.6 Implement regular (at least annual) self-audits of the X
Contractor’s performance against its ISMS, and provide a
report of the audit activities and findings to the
Customer’s Contract Manager.
6.1.7 Audit the structure and content of the Contractor’s ISMS, X
and the Contractor’s performance against it.
6.1.8 Implement corrective and preventive actions to remediate X
any shortcomings identified by the Contractor and/or the
Customer regarding the structure and content of the
Contractor’s ISMS, or the Contractor’s performance
against it.
6.1.9 Assist the Customer in defining a security X
calendar/schedule of known security events (including
reporting) through the provision of relevant authoritative
advice.
6.1.10 Define a security calendar/schedule of all known security X
events (including reporting).
6.1.11 Advise the Customer of any scheduled security events X
such as systems maintenance that are additional to those
defined in the calendar/schedule, at least 24 hours before
the event is scheduled to occur.
6.1.12 Evaluate and advise the Customer (through the Contract X
Manager) regarding the:
• Information security implications;
Page 126
Attachment 3 - Services - Applications

Information Security Roles and Responsibilities Contractor Customer


Matrix
6 INFORMATION SECURITY
6.1 INFORMATION SECURITY MANAGEMENT
SYSTEM (ISMS)
6.1.1 Implement and maintain an "Information Security X
Management System" (ISMS) for the secure management
of the Customer’s System that is fully compliant with the
Customer's policies and standards
6.1.2 Provide the Customer’s authorised representatives with X
access (including copies, where requested) to all
documentation regarding the Contractor’s ISMS for the
secure management of the Customer’s System.
6.1.3 Enable the Customer’s authorised representatives to X
undertake whatever activities are necessary for the
effective monitoring and/or auditing of the Contractor’s
ISMS, and the Contractor’s performance against it.
6.1.4 Monitor the structure and content of the Contractor’s X
ISMS, and the Contractor’s performance against it.
6.1.5 Implement regular (at least annual) self-audits of X
structure and content of the Contractor’s ISMS against
the recommendations and content of the Customer's
policies and standards and provide a report of the audit
activities and findings to the Customer’s Contract
Manager.
6.1.6 Implement regular (at least annual) self-audits of the X
Contractor’s performance against its ISMS, and provide a
report of the audit activities and findings to the
Customer’s Contract Manager.
6.1.7 Audit the structure and content of the Contractor’s ISMS, X
and the Contractor’s performance against it.
6.1.8 Implement corrective and preventive actions to remediate X
any shortcomings identified by the Contractor and/or the
Customer regarding the structure and content of the
Contractor’s ISMS, or the Contractor’s performance
against it.
6.1.9 Assist the Customer in defining a security X
calendar/schedule of known security events (including
reporting) through the provision of relevant authoritative
advice.
6.1.10 Define a security calendar/schedule of all known security X
events (including reporting).
6.1.11 Advise the Customer of any scheduled security events X
such as systems maintenance that are additional to those
defined in the calendar/schedule, at least 24 hours before
the event is scheduled to occur.
6.1.12 Evaluate and advise the Customer (through the Contract X
Manager) regarding the:
• Information security implications;
Page 127
Attachment 3 - Services - Applications

Information Security Roles and Responsibilities Contractor Customer


Matrix
6 INFORMATION SECURITY
6.1 INFORMATION SECURITY MANAGEMENT
SYSTEM (ISMS)
6.1.1 Implement and maintain an "Information Security X
Management System" (ISMS) for the secure management
of the Customer’s System that is fully compliant with the
Customer's policies and standards
6.1.2 Provide the Customer’s authorised representatives with X
access (including copies, where requested) to all
documentation regarding the Contractor’s ISMS for the
secure management of the Customer’s System.
6.1.3 Enable the Customer’s authorised representatives to X
undertake whatever activities are necessary for the
effective monitoring and/or auditing of the Contractor’s
ISMS, and the Contractor’s performance against it.
6.1.4 Monitor the structure and content of the Contractor’s X
ISMS, and the Contractor’s performance against it.
6.1.5 Implement regular (at least annual) self-audits of X
structure and content of the Contractor’s ISMS against
the recommendations and content of the Customer's
policies and standards and provide a report of the audit
activities and findings to the Customer’s Contract
Manager.
6.1.6 Implement regular (at least annual) self-audits of the X
Contractor’s performance against its ISMS, and provide a
report of the audit activities and findings to the
Customer’s Contract Manager.
6.1.7 Audit the structure and content of the Contractor’s ISMS, X
and the Contractor’s performance against it.
6.1.8 Implement corrective and preventive actions to remediate X
any shortcomings identified by the Contractor and/or the
Customer regarding the structure and content of the
Contractor’s ISMS, or the Contractor’s performance
against it.
6.1.9 Assist the Customer in defining a security X
calendar/schedule of known security events (including
reporting) through the provision of relevant authoritative
advice.
6.1.10 Define a security calendar/schedule of all known security X
events (including reporting).
6.1.11 Advise the Customer of any scheduled security events X
such as systems maintenance that are additional to those
defined in the calendar/schedule, at least 24 hours before
the event is scheduled to occur.
6.1.12 Evaluate and advise the Customer (through the Contract X
Manager) regarding the:
• Information security implications;
Page 128
Attachment 3 - Services - Applications

Information Security Roles and Responsibilities Contractor Customer


Matrix
6 INFORMATION SECURITY
6.1 INFORMATION SECURITY MANAGEMENT
SYSTEM (ISMS)
6.1.1 Implement and maintain an "Information Security X
Management System" (ISMS) for the secure management
of the Customer’s System that is fully compliant with the
Customer's policies and standards
6.1.2 Provide the Customer’s authorised representatives with X
access (including copies, where requested) to all
documentation regarding the Contractor’s ISMS for the
secure management of the Customer’s System.
6.1.3 Enable the Customer’s authorised representatives to X
undertake whatever activities are necessary for the
effective monitoring and/or auditing of the Contractor’s
ISMS, and the Contractor’s performance against it.
6.1.4 Monitor the structure and content of the Contractor’s X
ISMS, and the Contractor’s performance against it.
6.1.5 Implement regular (at least annual) self-audits of X
structure and content of the Contractor’s ISMS against
the recommendations and content of the Customer's
policies and standards and provide a report of the audit
activities and findings to the Customer’s Contract
Manager.
6.1.6 Implement regular (at least annual) self-audits of the X
Contractor’s performance against its ISMS, and provide a
report of the audit activities and findings to the
Customer’s Contract Manager.
6.1.7 Audit the structure and content of the Contractor’s ISMS, X
and the Contractor’s performance against it.
6.1.8 Implement corrective and preventive actions to remediate X
any shortcomings identified by the Contractor and/or the
Customer regarding the structure and content of the
Contractor’s ISMS, or the Contractor’s performance
against it.
6.1.9 Assist the Customer in defining a security X
calendar/schedule of known security events (including
reporting) through the provision of relevant authoritative
advice.
6.1.10 Define a security calendar/schedule of all known security X
events (including reporting).
6.1.11 Advise the Customer of any scheduled security events X
such as systems maintenance that are additional to those
defined in the calendar/schedule, at least 24 hours before
the event is scheduled to occur.
6.1.12 Evaluate and advise the Customer (through the Contract X
Manager) regarding the:
• Information security implications;
Page 129
Attachment 3 - Services - Applications

Information Security Roles and Responsibilities Contractor Customer


Matrix
6 INFORMATION SECURITY
6.1 INFORMATION SECURITY MANAGEMENT
SYSTEM (ISMS)
6.1.1 Implement and maintain an "Information Security X
Management System" (ISMS) for the secure management
of the Customer’s System that is fully compliant with the
Customer's policies and standards
6.1.2 Provide the Customer’s authorised representatives with X
access (including copies, where requested) to all
documentation regarding the Contractor’s ISMS for the
secure management of the Customer’s System.
6.1.3 Enable the Customer’s authorised representatives to X
undertake whatever activities are necessary for the
effective monitoring and/or auditing of the Contractor’s
ISMS, and the Contractor’s performance against it.
6.1.4 Monitor the structure and content of the Contractor’s X
ISMS, and the Contractor’s performance against it.
6.1.5 Implement regular (at least annual) self-audits of X
structure and content of the Contractor’s ISMS against
the recommendations and content of the Customer's
policies and standards and provide a report of the audit
activities and findings to the Customer’s Contract
Manager.
6.1.6 Implement regular (at least annual) self-audits of the X
Contractor’s performance against its ISMS, and provide a
report of the audit activities and findings to the
Customer’s Contract Manager.
6.1.7 Audit the structure and content of the Contractor’s ISMS, X
and the Contractor’s performance against it.
6.1.8 Implement corrective and preventive actions to remediate X
any shortcomings identified by the Contractor and/or the
Customer regarding the structure and content of the
Contractor’s ISMS, or the Contractor’s performance
against it.
6.1.9 Assist the Customer in defining a security X
calendar/schedule of known security events (including
reporting) through the provision of relevant authoritative
advice.
6.1.10 Define a security calendar/schedule of all known security X
events (including reporting).
6.1.11 Advise the Customer of any scheduled security events X
such as systems maintenance that are additional to those
defined in the calendar/schedule, at least 24 hours before
the event is scheduled to occur.
6.1.12 Evaluate and advise the Customer (through the Contract X
Manager) regarding the:
• Information security implications;
Page 130
Attachment 3 - Services - Applications

Information Security Roles and Responsibilities Contractor Customer


Matrix
6 INFORMATION SECURITY
6.1 INFORMATION SECURITY MANAGEMENT
SYSTEM (ISMS)
6.1.1 Implement and maintain an "Information Security X
Management System" (ISMS) for the secure management
of the Customer’s System that is fully compliant with the
Customer's policies and standards
6.1.2 Provide the Customer’s authorised representatives with X
access (including copies, where requested) to all
documentation regarding the Contractor’s ISMS for the
secure management of the Customer’s System.
6.1.3 Enable the Customer’s authorised representatives to X
undertake whatever activities are necessary for the
effective monitoring and/or auditing of the Contractor’s
ISMS, and the Contractor’s performance against it.
6.1.4 Monitor the structure and content of the Contractor’s X
ISMS, and the Contractor’s performance against it.
6.1.5 Implement regular (at least annual) self-audits of X
structure and content of the Contractor’s ISMS against
the recommendations and content of the Customer's
policies and standards and provide a report of the audit
activities and findings to the Customer’s Contract
Manager.
6.1.6 Implement regular (at least annual) self-audits of the X
Contractor’s performance against its ISMS, and provide a
report of the audit activities and findings to the
Customer’s Contract Manager.
6.1.7 Audit the structure and content of the Contractor’s ISMS, X
and the Contractor’s performance against it.
6.1.8 Implement corrective and preventive actions to remediate X
any shortcomings identified by the Contractor and/or the
Customer regarding the structure and content of the
Contractor’s ISMS, or the Contractor’s performance
against it.
6.1.9 Assist the Customer in defining a security X
calendar/schedule of known security events (including
reporting) through the provision of relevant authoritative
advice.
6.1.10 Define a security calendar/schedule of all known security X
events (including reporting).
6.1.11 Advise the Customer of any scheduled security events X
such as systems maintenance that are additional to those
defined in the calendar/schedule, at least 24 hours before
the event is scheduled to occur.
6.1.12 Evaluate and advise the Customer (through the Contract X
Manager) regarding the:
• Information security implications;
Page 131
Attachment 3 - Services - Applications

Information Security Roles and Responsibilities Contractor Customer


Matrix
6 INFORMATION SECURITY
6.1 INFORMATION SECURITY MANAGEMENT
SYSTEM (ISMS)
6.1.1 Implement and maintain an "Information Security X
Management System" (ISMS) for the secure management
of the Customer’s System that is fully compliant with the
Customer's policies and standards
6.1.2 Provide the Customer’s authorised representatives with X
access (including copies, where requested) to all
documentation regarding the Contractor’s ISMS for the
secure management of the Customer’s System.
6.1.3 Enable the Customer’s authorised representatives to X
undertake whatever activities are necessary for the
effective monitoring and/or auditing of the Contractor’s
ISMS, and the Contractor’s performance against it.
6.1.4 Monitor the structure and content of the Contractor’s X
ISMS, and the Contractor’s performance against it.
6.1.5 Implement regular (at least annual) self-audits of X
structure and content of the Contractor’s ISMS against
the recommendations and content of the Customer's
policies and standards and provide a report of the audit
activities and findings to the Customer’s Contract
Manager.
6.1.6 Implement regular (at least annual) self-audits of the X
Contractor’s performance against its ISMS, and provide a
report of the audit activities and findings to the
Customer’s Contract Manager.
6.1.7 Audit the structure and content of the Contractor’s ISMS, X
and the Contractor’s performance against it.
6.1.8 Implement corrective and preventive actions to remediate X
any shortcomings identified by the Contractor and/or the
Customer regarding the structure and content of the
Contractor’s ISMS, or the Contractor’s performance
against it.
6.1.9 Assist the Customer in defining a security X
calendar/schedule of known security events (including
reporting) through the provision of relevant authoritative
advice.
6.1.10 Define a security calendar/schedule of all known security X
events (including reporting).
6.1.11 Advise the Customer of any scheduled security events X
such as systems maintenance that are additional to those
defined in the calendar/schedule, at least 24 hours before
the event is scheduled to occur.
6.1.12 Evaluate and advise the Customer (through the Contract X
Manager) regarding the:
• Information security implications;
Page 132
Attachment 3 - Services - Applications

Information Security Roles and Responsibilities Contractor Customer


Matrix
6 INFORMATION SECURITY
6.1 INFORMATION SECURITY MANAGEMENT
SYSTEM (ISMS)
6.1.1 Implement and maintain an "Information Security X
Management System" (ISMS) for the secure management
of the Customer’s System that is fully compliant with the
Customer's policies and standards
6.1.2 Provide the Customer’s authorised representatives with X
access (including copies, where requested) to all
documentation regarding the Contractor’s ISMS for the
secure management of the Customer’s System.
6.1.3 Enable the Customer’s authorised representatives to X
undertake whatever activities are necessary for the
effective monitoring and/or auditing of the Contractor’s
ISMS, and the Contractor’s performance against it.
6.1.4 Monitor the structure and content of the Contractor’s X
ISMS, and the Contractor’s performance against it.
6.1.5 Implement regular (at least annual) self-audits of X
structure and content of the Contractor’s ISMS against
the recommendations and content of the Customer's
policies and standards and provide a report of the audit
activities and findings to the Customer’s Contract
Manager.
6.1.6 Implement regular (at least annual) self-audits of the X
Contractor’s performance against its ISMS, and provide a
report of the audit activities and findings to the
Customer’s Contract Manager.
6.1.7 Audit the structure and content of the Contractor’s ISMS, X
and the Contractor’s performance against it.
6.1.8 Implement corrective and preventive actions to remediate X
any shortcomings identified by the Contractor and/or the
Customer regarding the structure and content of the
Contractor’s ISMS, or the Contractor’s performance
against it.
6.1.9 Assist the Customer in defining a security X
calendar/schedule of known security events (including
reporting) through the provision of relevant authoritative
advice.
6.1.10 Define a security calendar/schedule of all known security X
events (including reporting).
6.1.11 Advise the Customer of any scheduled security events X
such as systems maintenance that are additional to those
defined in the calendar/schedule, at least 24 hours before
the event is scheduled to occur.
6.1.12 Evaluate and advise the Customer (through the Contract X
Manager) regarding the:
• Information security implications;
Page 133
Attachment 3 - Services - Applications

Information Security Roles and Responsibilities Contractor Customer


Matrix
6 INFORMATION SECURITY
6.1 INFORMATION SECURITY MANAGEMENT
SYSTEM (ISMS)
6.1.1 Implement and maintain an "Information Security X
Management System" (ISMS) for the secure management
of the Customer’s System that is fully compliant with the
Customer's policies and standards
6.1.2 Provide the Customer’s authorised representatives with X
access (including copies, where requested) to all
documentation regarding the Contractor’s ISMS for the
secure management of the Customer’s System.
6.1.3 Enable the Customer’s authorised representatives to X
undertake whatever activities are necessary for the
effective monitoring and/or auditing of the Contractor’s
ISMS, and the Contractor’s performance against it.
6.1.4 Monitor the structure and content of the Contractor’s X
ISMS, and the Contractor’s performance against it.
6.1.5 Implement regular (at least annual) self-audits of X
structure and content of the Contractor’s ISMS against
the recommendations and content of the Customer's
policies and standards and provide a report of the audit
activities and findings to the Customer’s Contract
Manager.
6.1.6 Implement regular (at least annual) self-audits of the X
Contractor’s performance against its ISMS, and provide a
report of the audit activities and findings to the
Customer’s Contract Manager.
6.1.7 Audit the structure and content of the Contractor’s ISMS, X
and the Contractor’s performance against it.
6.1.8 Implement corrective and preventive actions to remediate X
any shortcomings identified by the Contractor and/or the
Customer regarding the structure and content of the
Contractor’s ISMS, or the Contractor’s performance
against it.
6.1.9 Assist the Customer in defining a security X
calendar/schedule of known security events (including
reporting) through the provision of relevant authoritative
advice.
6.1.10 Define a security calendar/schedule of all known security X
events (including reporting).
6.1.11 Advise the Customer of any scheduled security events X
such as systems maintenance that are additional to those
defined in the calendar/schedule, at least 24 hours before
the event is scheduled to occur.
6.1.12 Evaluate and advise the Customer (through the Contract X
Manager) regarding the:
• Information security implications;
Page 134
Attachment 3 - Services - Applications

Information Security Roles and Responsibilities Contractor Customer


Matrix
6 INFORMATION SECURITY
6.1 INFORMATION SECURITY MANAGEMENT
SYSTEM (ISMS)
6.1.1 Implement and maintain an "Information Security X
Management System" (ISMS) for the secure management
of the Customer’s System that is fully compliant with the
Customer's policies and standards
6.1.2 Provide the Customer’s authorised representatives with X
access (including copies, where requested) to all
documentation regarding the Contractor’s ISMS for the
secure management of the Customer’s System.
6.1.3 Enable the Customer’s authorised representatives to X
undertake whatever activities are necessary for the
effective monitoring and/or auditing of the Contractor’s
ISMS, and the Contractor’s performance against it.
6.1.4 Monitor the structure and content of the Contractor’s X
ISMS, and the Contractor’s performance against it.
6.1.5 Implement regular (at least annual) self-audits of X
structure and content of the Contractor’s ISMS against
the recommendations and content of the Customer's
policies and standards and provide a report of the audit
activities and findings to the Customer’s Contract
Manager.
6.1.6 Implement regular (at least annual) self-audits of the X
Contractor’s performance against its ISMS, and provide a
report of the audit activities and findings to the
Customer’s Contract Manager.
6.1.7 Audit the structure and content of the Contractor’s ISMS, X
and the Contractor’s performance against it.
6.1.8 Implement corrective and preventive actions to remediate X
any shortcomings identified by the Contractor and/or the
Customer regarding the structure and content of the
Contractor’s ISMS, or the Contractor’s performance
against it.
6.1.9 Assist the Customer in defining a security X
calendar/schedule of known security events (including
reporting) through the provision of relevant authoritative
advice.
6.1.10 Define a security calendar/schedule of all known security X
events (including reporting).
6.1.11 Advise the Customer of any scheduled security events X
such as systems maintenance that are additional to those
defined in the calendar/schedule, at least 24 hours before
the event is scheduled to occur.
6.1.12 Evaluate and advise the Customer (through the Contract X
Manager) regarding the:
• Information security implications;
Page 135
Attachment 3 - Services - Applications

Information Security Roles and Responsibilities Contractor Customer


Matrix
6 INFORMATION SECURITY
6.1 INFORMATION SECURITY MANAGEMENT
SYSTEM (ISMS)
6.1.1 Implement and maintain an "Information Security X
Management System" (ISMS) for the secure management
of the Customer’s System that is fully compliant with the
Customer's policies and standards
6.1.2 Provide the Customer’s authorised representatives with X
access (including copies, where requested) to all
documentation regarding the Contractor’s ISMS for the
secure management of the Customer’s System.
6.1.3 Enable the Customer’s authorised representatives to X
undertake whatever activities are necessary for the
effective monitoring and/or auditing of the Contractor’s
ISMS, and the Contractor’s performance against it.
6.1.4 Monitor the structure and content of the Contractor’s X
ISMS, and the Contractor’s performance against it.
6.1.5 Implement regular (at least annual) self-audits of X
structure and content of the Contractor’s ISMS against
the recommendations and content of the Customer's
policies and standards and provide a report of the audit
activities and findings to the Customer’s Contract
Manager.
6.1.6 Implement regular (at least annual) self-audits of the X
Contractor’s performance against its ISMS, and provide a
report of the audit activities and findings to the
Customer’s Contract Manager.
6.1.7 Audit the structure and content of the Contractor’s ISMS, X
and the Contractor’s performance against it.
6.1.8 Implement corrective and preventive actions to remediate X
any shortcomings identified by the Contractor and/or the
Customer regarding the structure and content of the
Contractor’s ISMS, or the Contractor’s performance
against it.
6.1.9 Assist the Customer in defining a security X
calendar/schedule of known security events (including
reporting) through the provision of relevant authoritative
advice.
6.1.10 Define a security calendar/schedule of all known security X
events (including reporting).
6.1.11 Advise the Customer of any scheduled security events X
such as systems maintenance that are additional to those
defined in the calendar/schedule, at least 24 hours before
the event is scheduled to occur.
6.1.12 Evaluate and advise the Customer (through the Contract X
Manager) regarding the:
• Information security implications;
Page 136
Attachment 3 - Services - Applications

Information Security Roles and Responsibilities Contractor Customer


Matrix
6 INFORMATION SECURITY
6.1 INFORMATION SECURITY MANAGEMENT
SYSTEM (ISMS)
6.1.1 Implement and maintain an "Information Security X
Management System" (ISMS) for the secure management
of the Customer’s System that is fully compliant with the
Customer's policies and standards
6.1.2 Provide the Customer’s authorised representatives with X
access (including copies, where requested) to all
documentation regarding the Contractor’s ISMS for the
secure management of the Customer’s System.
6.1.3 Enable the Customer’s authorised representatives to X
undertake whatever activities are necessary for the
effective monitoring and/or auditing of the Contractor’s
ISMS, and the Contractor’s performance against it.
6.1.4 Monitor the structure and content of the Contractor’s X
ISMS, and the Contractor’s performance against it.
6.1.5 Implement regular (at least annual) self-audits of X
structure and content of the Contractor’s ISMS against
the recommendations and content of the Customer's
policies and standards and provide a report of the audit
activities and findings to the Customer’s Contract
Manager.
6.1.6 Implement regular (at least annual) self-audits of the X
Contractor’s performance against its ISMS, and provide a
report of the audit activities and findings to the
Customer’s Contract Manager.
6.1.7 Audit the structure and content of the Contractor’s ISMS, X
and the Contractor’s performance against it.
6.1.8 Implement corrective and preventive actions to remediate X
any shortcomings identified by the Contractor and/or the
Customer regarding the structure and content of the
Contractor’s ISMS, or the Contractor’s performance
against it.
6.1.9 Assist the Customer in defining a security X
calendar/schedule of known security events (including
reporting) through the provision of relevant authoritative
advice.
6.1.10 Define a security calendar/schedule of all known security X
events (including reporting).
6.1.11 Advise the Customer of any scheduled security events X
such as systems maintenance that are additional to those
defined in the calendar/schedule, at least 24 hours before
the event is scheduled to occur.
6.1.12 Evaluate and advise the Customer (through the Contract X
Manager) regarding the:
• Information security implications;
Page 137
Attachment 3 - Services - Applications

Information Security Roles and Responsibilities Contractor Customer


Matrix
6 INFORMATION SECURITY
6.1 INFORMATION SECURITY MANAGEMENT
SYSTEM (ISMS)
6.1.1 Implement and maintain an "Information Security X
Management System" (ISMS) for the secure management
of the Customer’s System that is fully compliant with the
Customer's policies and standards
6.1.2 Provide the Customer’s authorised representatives with X
access (including copies, where requested) to all
documentation regarding the Contractor’s ISMS for the
secure management of the Customer’s System.
6.1.3 Enable the Customer’s authorised representatives to X
undertake whatever activities are necessary for the
effective monitoring and/or auditing of the Contractor’s
ISMS, and the Contractor’s performance against it.
6.1.4 Monitor the structure and content of the Contractor’s X
ISMS, and the Contractor’s performance against it.
6.1.5 Implement regular (at least annual) self-audits of X
structure and content of the Contractor’s ISMS against
the recommendations and content of the Customer's
policies and standards and provide a report of the audit
activities and findings to the Customer’s Contract
Manager.
6.1.6 Implement regular (at least annual) self-audits of the X
Contractor’s performance against its ISMS, and provide a
report of the audit activities and findings to the
Customer’s Contract Manager.
6.1.7 Audit the structure and content of the Contractor’s ISMS, X
and the Contractor’s performance against it.
6.1.8 Implement corrective and preventive actions to remediate X
any shortcomings identified by the Contractor and/or the
Customer regarding the structure and content of the
Contractor’s ISMS, or the Contractor’s performance
against it.
6.1.9 Assist the Customer in defining a security X
calendar/schedule of known security events (including
reporting) through the provision of relevant authoritative
advice.
6.1.10 Define a security calendar/schedule of all known security X
events (including reporting).
6.1.11 Advise the Customer of any scheduled security events X
such as systems maintenance that are additional to those
defined in the calendar/schedule, at least 24 hours before
the event is scheduled to occur.
6.1.12 Evaluate and advise the Customer (through the Contract X
Manager) regarding the:
• Information security implications;
Page 138
Attachment 3 - Services - Applications

Information Security Roles and Responsibilities Contractor Customer


Matrix
6 INFORMATION SECURITY
6.1 INFORMATION SECURITY MANAGEMENT
SYSTEM (ISMS)
6.1.1 Implement and maintain an "Information Security X
Management System" (ISMS) for the secure management
of the Customer’s System that is fully compliant with the
Customer's policies and standards
6.1.2 Provide the Customer’s authorised representatives with X
access (including copies, where requested) to all
documentation regarding the Contractor’s ISMS for the
secure management of the Customer’s System.
6.1.3 Enable the Customer’s authorised representatives to X
undertake whatever activities are necessary for the
effective monitoring and/or auditing of the Contractor’s
ISMS, and the Contractor’s performance against it.
6.1.4 Monitor the structure and content of the Contractor’s X
ISMS, and the Contractor’s performance against it.
6.1.5 Implement regular (at least annual) self-audits of X
structure and content of the Contractor’s ISMS against
the recommendations and content of the Customer's
policies and standards and provide a report of the audit
activities and findings to the Customer’s Contract
Manager.
6.1.6 Implement regular (at least annual) self-audits of the X
Contractor’s performance against its ISMS, and provide a
report of the audit activities and findings to the
Customer’s Contract Manager.
6.1.7 Audit the structure and content of the Contractor’s ISMS, X
and the Contractor’s performance against it.
6.1.8 Implement corrective and preventive actions to remediate X
any shortcomings identified by the Contractor and/or the
Customer regarding the structure and content of the
Contractor’s ISMS, or the Contractor’s performance
against it.
6.1.9 Assist the Customer in defining a security X
calendar/schedule of known security events (including
reporting) through the provision of relevant authoritative
advice.
6.1.10 Define a security calendar/schedule of all known security X
events (including reporting).
6.1.11 Advise the Customer of any scheduled security events X
such as systems maintenance that are additional to those
defined in the calendar/schedule, at least 24 hours before
the event is scheduled to occur.
6.1.12 Evaluate and advise the Customer (through the Contract X
Manager) regarding the:
• Information security implications;
Page 139
Attachment 3 - Services - Applications

Information Security Roles and Responsibilities Contractor Customer


Matrix
6 INFORMATION SECURITY
6.1 INFORMATION SECURITY MANAGEMENT
SYSTEM (ISMS)
6.1.1 Implement and maintain an "Information Security X
Management System" (ISMS) for the secure management
of the Customer’s System that is fully compliant with the
Customer's policies and standards
6.1.2 Provide the Customer’s authorised representatives with X
access (including copies, where requested) to all
documentation regarding the Contractor’s ISMS for the
secure management of the Customer’s System.
6.1.3 Enable the Customer’s authorised representatives to X
undertake whatever activities are necessary for the
effective monitoring and/or auditing of the Contractor’s
ISMS, and the Contractor’s performance against it.
6.1.4 Monitor the structure and content of the Contractor’s X
ISMS, and the Contractor’s performance against it.
6.1.5 Implement regular (at least annual) self-audits of X
structure and content of the Contractor’s ISMS against
the recommendations and content of the Customer's
policies and standards and provide a report of the audit
activities and findings to the Customer’s Contract
Manager.
6.1.6 Implement regular (at least annual) self-audits of the X
Contractor’s performance against its ISMS, and provide a
report of the audit activities and findings to the
Customer’s Contract Manager.
6.1.7 Audit the structure and content of the Contractor’s ISMS, X
and the Contractor’s performance against it.
6.1.8 Implement corrective and preventive actions to remediate X
any shortcomings identified by the Contractor and/or the
Customer regarding the structure and content of the
Contractor’s ISMS, or the Contractor’s performance
against it.
6.1.9 Assist the Customer in defining a security X
calendar/schedule of known security events (including
reporting) through the provision of relevant authoritative
advice.
6.1.10 Define a security calendar/schedule of all known security X
events (including reporting).
6.1.11 Advise the Customer of any scheduled security events X
such as systems maintenance that are additional to those
defined in the calendar/schedule, at least 24 hours before
the event is scheduled to occur.
6.1.12 Evaluate and advise the Customer (through the Contract X
Manager) regarding the:
• Information security implications;
Page 140
Attachment 3 - Services - Applications

Information Security Roles and Responsibilities Contractor Customer


Matrix
6 INFORMATION SECURITY
6.1 INFORMATION SECURITY MANAGEMENT
SYSTEM (ISMS)
6.1.1 Implement and maintain an "Information Security X
Management System" (ISMS) for the secure management
of the Customer’s System that is fully compliant with the
Customer's policies and standards
6.1.2 Provide the Customer’s authorised representatives with X
access (including copies, where requested) to all
documentation regarding the Contractor’s ISMS for the
secure management of the Customer’s System.
6.1.3 Enable the Customer’s authorised representatives to X
undertake whatever activities are necessary for the
effective monitoring and/or auditing of the Contractor’s
ISMS, and the Contractor’s performance against it.
6.1.4 Monitor the structure and content of the Contractor’s X
ISMS, and the Contractor’s performance against it.
6.1.5 Implement regular (at least annual) self-audits of X
structure and content of the Contractor’s ISMS against
the recommendations and content of the Customer's
policies and standards and provide a report of the audit
activities and findings to the Customer’s Contract
Manager.
6.1.6 Implement regular (at least annual) self-audits of the X
Contractor’s performance against its ISMS, and provide a
report of the audit activities and findings to the
Customer’s Contract Manager.
6.1.7 Audit the structure and content of the Contractor’s ISMS, X
and the Contractor’s performance against it.
6.1.8 Implement corrective and preventive actions to remediate X
any shortcomings identified by the Contractor and/or the
Customer regarding the structure and content of the
Contractor’s ISMS, or the Contractor’s performance
against it.
6.1.9 Assist the Customer in defining a security X
calendar/schedule of known security events (including
reporting) through the provision of relevant authoritative
advice.
6.1.10 Define a security calendar/schedule of all known security X
events (including reporting).
6.1.11 Advise the Customer of any scheduled security events X
such as systems maintenance that are additional to those
defined in the calendar/schedule, at least 24 hours before
the event is scheduled to occur.
6.1.12 Evaluate and advise the Customer (through the Contract X
Manager) regarding the:
• Information security implications;
Page 141
Attachment 3 - Services - Applications

Information Security Roles and Responsibilities Contractor Customer


Matrix
6 INFORMATION SECURITY
6.1 INFORMATION SECURITY MANAGEMENT
SYSTEM (ISMS)
6.1.1 Implement and maintain an "Information Security X
Management System" (ISMS) for the secure management
of the Customer’s System that is fully compliant with the
Customer's policies and standards
6.1.2 Provide the Customer’s authorised representatives with X
access (including copies, where requested) to all
documentation regarding the Contractor’s ISMS for the
secure management of the Customer’s System.
6.1.3 Enable the Customer’s authorised representatives to X
undertake whatever activities are necessary for the
effective monitoring and/or auditing of the Contractor’s
ISMS, and the Contractor’s performance against it.
6.1.4 Monitor the structure and content of the Contractor’s X
ISMS, and the Contractor’s performance against it.
6.1.5 Implement regular (at least annual) self-audits of X
structure and content of the Contractor’s ISMS against
the recommendations and content of the Customer's
policies and standards and provide a report of the audit
activities and findings to the Customer’s Contract
Manager.
6.1.6 Implement regular (at least annual) self-audits of the X
Contractor’s performance against its ISMS, and provide a
report of the audit activities and findings to the
Customer’s Contract Manager.
6.1.7 Audit the structure and content of the Contractor’s ISMS, X
and the Contractor’s performance against it.
6.1.8 Implement corrective and preventive actions to remediate X
any shortcomings identified by the Contractor and/or the
Customer regarding the structure and content of the
Contractor’s ISMS, or the Contractor’s performance
against it.
6.1.9 Assist the Customer in defining a security X
calendar/schedule of known security events (including
reporting) through the provision of relevant authoritative
advice.
6.1.10 Define a security calendar/schedule of all known security X
events (including reporting).
6.1.11 Advise the Customer of any scheduled security events X
such as systems maintenance that are additional to those
defined in the calendar/schedule, at least 24 hours before
the event is scheduled to occur.
6.1.12 Evaluate and advise the Customer (through the Contract X
Manager) regarding the:
• Information security implications;
Page 142
Attachment 3 - Services - Applications

Information Security Roles and Responsibilities Contractor Customer


Matrix
6 INFORMATION SECURITY
6.1 INFORMATION SECURITY MANAGEMENT
SYSTEM (ISMS)
6.1.1 Implement and maintain an "Information Security X
Management System" (ISMS) for the secure management
of the Customer’s System that is fully compliant with the
Customer's policies and standards
6.1.2 Provide the Customer’s authorised representatives with X
access (including copies, where requested) to all
documentation regarding the Contractor’s ISMS for the
secure management of the Customer’s System.
6.1.3 Enable the Customer’s authorised representatives to X
undertake whatever activities are necessary for the
effective monitoring and/or auditing of the Contractor’s
ISMS, and the Contractor’s performance against it.
6.1.4 Monitor the structure and content of the Contractor’s X
ISMS, and the Contractor’s performance against it.
6.1.5 Implement regular (at least annual) self-audits of X
structure and content of the Contractor’s ISMS against
the recommendations and content of the Customer's
policies and standards and provide a report of the audit
activities and findings to the Customer’s Contract
Manager.
6.1.6 Implement regular (at least annual) self-audits of the X
Contractor’s performance against its ISMS, and provide a
report of the audit activities and findings to the
Customer’s Contract Manager.
6.1.7 Audit the structure and content of the Contractor’s ISMS, X
and the Contractor’s performance against it.
6.1.8 Implement corrective and preventive actions to remediate X
any shortcomings identified by the Contractor and/or the
Customer regarding the structure and content of the
Contractor’s ISMS, or the Contractor’s performance
against it.
6.1.9 Assist the Customer in defining a security X
calendar/schedule of known security events (including
reporting) through the provision of relevant authoritative
advice.
6.1.10 Define a security calendar/schedule of all known security X
events (including reporting).
6.1.11 Advise the Customer of any scheduled security events X
such as systems maintenance that are additional to those
defined in the calendar/schedule, at least 24 hours before
the event is scheduled to occur.
6.1.12 Evaluate and advise the Customer (through the Contract X
Manager) regarding the:
• Information security implications;
Page 143
Attachment 3 - Services - Applications

Information Security Roles and Responsibilities Contractor Customer


Matrix
6 INFORMATION SECURITY
6.1 INFORMATION SECURITY MANAGEMENT
SYSTEM (ISMS)
6.1.1 Implement and maintain an "Information Security X
Management System" (ISMS) for the secure management
of the Customer’s System that is fully compliant with the
Customer's policies and standards
6.1.2 Provide the Customer’s authorised representatives with X
access (including copies, where requested) to all
documentation regarding the Contractor’s ISMS for the
secure management of the Customer’s System.
6.1.3 Enable the Customer’s authorised representatives to X
undertake whatever activities are necessary for the
effective monitoring and/or auditing of the Contractor’s
ISMS, and the Contractor’s performance against it.
6.1.4 Monitor the structure and content of the Contractor’s X
ISMS, and the Contractor’s performance against it.
6.1.5 Implement regular (at least annual) self-audits of X
structure and content of the Contractor’s ISMS against
the recommendations and content of the Customer's
policies and standards and provide a report of the audit
activities and findings to the Customer’s Contract
Manager.
6.1.6 Implement regular (at least annual) self-audits of the X
Contractor’s performance against its ISMS, and provide a
report of the audit activities and findings to the
Customer’s Contract Manager.
6.1.7 Audit the structure and content of the Contractor’s ISMS, X
and the Contractor’s performance against it.
6.1.8 Implement corrective and preventive actions to remediate X
any shortcomings identified by the Contractor and/or the
Customer regarding the structure and content of the
Contractor’s ISMS, or the Contractor’s performance
against it.
6.1.9 Assist the Customer in defining a security X
calendar/schedule of known security events (including
reporting) through the provision of relevant authoritative
advice.
6.1.10 Define a security calendar/schedule of all known security X
events (including reporting).
6.1.11 Advise the Customer of any scheduled security events X
such as systems maintenance that are additional to those
defined in the calendar/schedule, at least 24 hours before
the event is scheduled to occur.
6.1.12 Evaluate and advise the Customer (through the Contract X
Manager) regarding the:
• Information security implications;
Page 144
Attachment 3 - Services - Applications

Information Security Roles and Responsibilities Contractor Customer


Matrix
6 INFORMATION SECURITY
6.1 INFORMATION SECURITY MANAGEMENT
SYSTEM (ISMS)
6.1.1 Implement and maintain an "Information Security X
Management System" (ISMS) for the secure management
of the Customer’s System that is fully compliant with the
Customer's policies and standards
6.1.2 Provide the Customer’s authorised representatives with X
access (including copies, where requested) to all
documentation regarding the Contractor’s ISMS for the
secure management of the Customer’s System.
6.1.3 Enable the Customer’s authorised representatives to X
undertake whatever activities are necessary for the
effective monitoring and/or auditing of the Contractor’s
ISMS, and the Contractor’s performance against it.
6.1.4 Monitor the structure and content of the Contractor’s X
ISMS, and the Contractor’s performance against it.
6.1.5 Implement regular (at least annual) self-audits of X
structure and content of the Contractor’s ISMS against
the recommendations and content of the Customer's
policies and standards and provide a report of the audit
activities and findings to the Customer’s Contract
Manager.
6.1.6 Implement regular (at least annual) self-audits of the X
Contractor’s performance against its ISMS, and provide a
report of the audit activities and findings to the
Customer’s Contract Manager.
6.1.7 Audit the structure and content of the Contractor’s ISMS, X
and the Contractor’s performance against it.
6.1.8 Implement corrective and preventive actions to remediate X
any shortcomings identified by the Contractor and/or the
Customer regarding the structure and content of the
Contractor’s ISMS, or the Contractor’s performance
against it.
6.1.9 Assist the Customer in defining a security X
calendar/schedule of known security events (including
reporting) through the provision of relevant authoritative
advice.
6.1.10 Define a security calendar/schedule of all known security X
events (including reporting).
6.1.11 Advise the Customer of any scheduled security events X
such as systems maintenance that are additional to those
defined in the calendar/schedule, at least 24 hours before
the event is scheduled to occur.
6.1.12 Evaluate and advise the Customer (through the Contract X
Manager) regarding the:
• Information security implications;
Page 145
Attachment 3 - Services - Applications

Information Security Roles and Responsibilities Contractor Customer


Matrix
6 INFORMATION SECURITY
6.1 INFORMATION SECURITY MANAGEMENT
SYSTEM (ISMS)
6.1.1 Implement and maintain an "Information Security X
Management System" (ISMS) for the secure management
of the Customer’s System that is fully compliant with the
Customer's policies and standards
6.1.2 Provide the Customer’s authorised representatives with X
access (including copies, where requested) to all
documentation regarding the Contractor’s ISMS for the
secure management of the Customer’s System.
6.1.3 Enable the Customer’s authorised representatives to X
undertake whatever activities are necessary for the
effective monitoring and/or auditing of the Contractor’s
ISMS, and the Contractor’s performance against it.
6.1.4 Monitor the structure and content of the Contractor’s X
ISMS, and the Contractor’s performance against it.
6.1.5 Implement regular (at least annual) self-audits of X
structure and content of the Contractor’s ISMS against
the recommendations and content of the Customer's
policies and standards and provide a report of the audit
activities and findings to the Customer’s Contract
Manager.
6.1.6 Implement regular (at least annual) self-audits of the X
Contractor’s performance against its ISMS, and provide a
report of the audit activities and findings to the
Customer’s Contract Manager.
6.1.7 Audit the structure and content of the Contractor’s ISMS, X
and the Contractor’s performance against it.
6.1.8 Implement corrective and preventive actions to remediate X
any shortcomings identified by the Contractor and/or the
Customer regarding the structure and content of the
Contractor’s ISMS, or the Contractor’s performance
against it.
6.1.9 Assist the Customer in defining a security X
calendar/schedule of known security events (including
reporting) through the provision of relevant authoritative
advice.
6.1.10 Define a security calendar/schedule of all known security X
events (including reporting).
6.1.11 Advise the Customer of any scheduled security events X
such as systems maintenance that are additional to those
defined in the calendar/schedule, at least 24 hours before
the event is scheduled to occur.
6.1.12 Evaluate and advise the Customer (through the Contract X
Manager) regarding the:
• Information security implications;
Page 146
Attachment 3 - Services - Applications

Information Security Roles and Responsibilities Contractor Customer


Matrix
6 INFORMATION SECURITY
6.1 INFORMATION SECURITY MANAGEMENT
SYSTEM (ISMS)
6.1.1 Implement and maintain an "Information Security X
Management System" (ISMS) for the secure management
of the Customer’s System that is fully compliant with the
Customer's policies and standards
6.1.2 Provide the Customer’s authorised representatives with X
access (including copies, where requested) to all
documentation regarding the Contractor’s ISMS for the
secure management of the Customer’s System.
6.1.3 Enable the Customer’s authorised representatives to X
undertake whatever activities are necessary for the
effective monitoring and/or auditing of the Contractor’s
ISMS, and the Contractor’s performance against it.
6.1.4 Monitor the structure and content of the Contractor’s X
ISMS, and the Contractor’s performance against it.
6.1.5 Implement regular (at least annual) self-audits of X
structure and content of the Contractor’s ISMS against
the recommendations and content of the Customer's
policies and standards and provide a report of the audit
activities and findings to the Customer’s Contract
Manager.
6.1.6 Implement regular (at least annual) self-audits of the X
Contractor’s performance against its ISMS, and provide a
report of the audit activities and findings to the
Customer’s Contract Manager.
6.1.7 Audit the structure and content of the Contractor’s ISMS, X
and the Contractor’s performance against it.
6.1.8 Implement corrective and preventive actions to remediate X
any shortcomings identified by the Contractor and/or the
Customer regarding the structure and content of the
Contractor’s ISMS, or the Contractor’s performance
against it.
6.1.9 Assist the Customer in defining a security X
calendar/schedule of known security events (including
reporting) through the provision of relevant authoritative
advice.
6.1.10 Define a security calendar/schedule of all known security X
events (including reporting).
6.1.11 Advise the Customer of any scheduled security events X
such as systems maintenance that are additional to those
defined in the calendar/schedule, at least 24 hours before
the event is scheduled to occur.
6.1.12 Evaluate and advise the Customer (through the Contract X
Manager) regarding the:
• Information security implications;
Page 147
Attachment 3 - Services - Applications

Information Security Roles and Responsibilities Contractor Customer


Matrix
6 INFORMATION SECURITY
6.1 INFORMATION SECURITY MANAGEMENT
SYSTEM (ISMS)
6.1.1 Implement and maintain an "Information Security X
Management System" (ISMS) for the secure management
of the Customer’s System that is fully compliant with the
Customer's policies and standards
6.1.2 Provide the Customer’s authorised representatives with X
access (including copies, where requested) to all
documentation regarding the Contractor’s ISMS for the
secure management of the Customer’s System.
6.1.3 Enable the Customer’s authorised representatives to X
undertake whatever activities are necessary for the
effective monitoring and/or auditing of the Contractor’s
ISMS, and the Contractor’s performance against it.
6.1.4 Monitor the structure and content of the Contractor’s X
ISMS, and the Contractor’s performance against it.
6.1.5 Implement regular (at least annual) self-audits of X
structure and content of the Contractor’s ISMS against
the recommendations and content of the Customer's
policies and standards and provide a report of the audit
activities and findings to the Customer’s Contract
Manager.
6.1.6 Implement regular (at least annual) self-audits of the X
Contractor’s performance against its ISMS, and provide a
report of the audit activities and findings to the
Customer’s Contract Manager.
6.1.7 Audit the structure and content of the Contractor’s ISMS, X
and the Contractor’s performance against it.
6.1.8 Implement corrective and preventive actions to remediate X
any shortcomings identified by the Contractor and/or the
Customer regarding the structure and content of the
Contractor’s ISMS, or the Contractor’s performance
against it.
6.1.9 Assist the Customer in defining a security X
calendar/schedule of known security events (including
reporting) through the provision of relevant authoritative
advice.
6.1.10 Define a security calendar/schedule of all known security X
events (including reporting).
6.1.11 Advise the Customer of any scheduled security events X
such as systems maintenance that are additional to those
defined in the calendar/schedule, at least 24 hours before
the event is scheduled to occur.
6.1.12 Evaluate and advise the Customer (through the Contract X
Manager) regarding the:
• Information security implications;
Page 162
Attachment 3 - Services - Applications

Information Security Roles and Responsibilities Contractor Customer


Matrix
6 INFORMATION SECURITY
6.1 INFORMATION SECURITY MANAGEMENT
SYSTEM (ISMS)
6.1.1 Implement and maintain an "Information Security X
Management System" (ISMS) for the secure management
of the Customer’s System that is fully compliant with the
Customer's policies and standards
6.1.2 Provide the Customer’s authorised representatives with X
access (including copies, where requested) to all
documentation regarding the Contractor’s ISMS for the
secure management of the Customer’s System.
6.1.3 Enable the Customer’s authorised representatives to X
undertake whatever activities are necessary for the
effective monitoring and/or auditing of the Contractor’s
ISMS, and the Contractor’s performance against it.
6.1.4 Monitor the structure and content of the Contractor’s X
ISMS, and the Contractor’s performance against it.
6.1.5 Implement regular (at least annual) self-audits of X
structure and content of the Contractor’s ISMS against
the recommendations and content of the Customer's
policies and standards and provide a report of the audit
activities and findings to the Customer’s Contract
Manager.
6.1.6 Implement regular (at least annual) self-audits of the X
Contractor’s performance against its ISMS, and provide a
report of the audit activities and findings to the
Customer’s Contract Manager.
6.1.7 Audit the structure and content of the Contractor’s ISMS, X
and the Contractor’s performance against it.
6.1.8 Implement corrective and preventive actions to remediate X
any shortcomings identified by the Contractor and/or the
Customer regarding the structure and content of the
Contractor’s ISMS, or the Contractor’s performance
against it.
6.1.9 Assist the Customer in defining a security X
calendar/schedule of known security events (including
reporting) through the provision of relevant authoritative
advice.
6.1.10 Define a security calendar/schedule of all known security X
events (including reporting).
6.1.11 Advise the Customer of any scheduled security events X
such as systems maintenance that are additional to those
defined in the calendar/schedule, at least 24 hours before
the event is scheduled to occur.
6.1.12 Evaluate and advise the Customer (through the Contract X
Manager) regarding the:
• Information security implications;
Page 163
Attachment 3 - Services - Applications

Information Security Roles and Responsibilities Contractor Customer


Matrix
6 INFORMATION SECURITY
6.1 INFORMATION SECURITY MANAGEMENT
SYSTEM (ISMS)
6.1.1 Implement and maintain an "Information Security X
Management System" (ISMS) for the secure management
of the Customer’s System that is fully compliant with the
Customer's policies and standards
6.1.2 Provide the Customer’s authorised representatives with X
access (including copies, where requested) to all
documentation regarding the Contractor’s ISMS for the
secure management of the Customer’s System.
6.1.3 Enable the Customer’s authorised representatives to X
undertake whatever activities are necessary for the
effective monitoring and/or auditing of the Contractor’s
ISMS, and the Contractor’s performance against it.
6.1.4 Monitor the structure and content of the Contractor’s X
ISMS, and the Contractor’s performance against it.
6.1.5 Implement regular (at least annual) self-audits of X
structure and content of the Contractor’s ISMS against
the recommendations and content of the Customer's
policies and standards and provide a report of the audit
activities and findings to the Customer’s Contract
Manager.
6.1.6 Implement regular (at least annual) self-audits of the X
Contractor’s performance against its ISMS, and provide a
report of the audit activities and findings to the
Customer’s Contract Manager.
6.1.7 Audit the structure and content of the Contractor’s ISMS, X
and the Contractor’s performance against it.
6.1.8 Implement corrective and preventive actions to remediate X
any shortcomings identified by the Contractor and/or the
Customer regarding the structure and content of the
Contractor’s ISMS, or the Contractor’s performance
against it.
6.1.9 Assist the Customer in defining a security X
calendar/schedule of known security events (including
reporting) through the provision of relevant authoritative
advice.
6.1.10 Define a security calendar/schedule of all known security X
events (including reporting).
6.1.11 Advise the Customer of any scheduled security events X
such as systems maintenance that are additional to those
defined in the calendar/schedule, at least 24 hours before
the event is scheduled to occur.
6.1.12 Evaluate and advise the Customer (through the Contract X
Manager) regarding the:
• Information security implications;
Page 164
Attachment 3 - Services - Applications

Information Security Roles and Responsibilities Contractor Customer


Matrix
6 INFORMATION SECURITY
6.1 INFORMATION SECURITY MANAGEMENT
SYSTEM (ISMS)
6.1.1 Implement and maintain an "Information Security X
Management System" (ISMS) for the secure management
of the Customer’s System that is fully compliant with the
Customer's policies and standards
6.1.2 Provide the Customer’s authorised representatives with X
access (including copies, where requested) to all
documentation regarding the Contractor’s ISMS for the
secure management of the Customer’s System.
6.1.3 Enable the Customer’s authorised representatives to X
undertake whatever activities are necessary for the
effective monitoring and/or auditing of the Contractor’s
ISMS, and the Contractor’s performance against it.
6.1.4 Monitor the structure and content of the Contractor’s X
ISMS, and the Contractor’s performance against it.
6.1.5 Implement regular (at least annual) self-audits of X
structure and content of the Contractor’s ISMS against
the recommendations and content of the Customer's
policies and standards and provide a report of the audit
activities and findings to the Customer’s Contract
Manager.
6.1.6 Implement regular (at least annual) self-audits of the X
Contractor’s performance against its ISMS, and provide a
report of the audit activities and findings to the
Customer’s Contract Manager.
6.1.7 Audit the structure and content of the Contractor’s ISMS, X
and the Contractor’s performance against it.
6.1.8 Implement corrective and preventive actions to remediate X
any shortcomings identified by the Contractor and/or the
Customer regarding the structure and content of the
Contractor’s ISMS, or the Contractor’s performance
against it.
6.1.9 Assist the Customer in defining a security X
calendar/schedule of known security events (including
reporting) through the provision of relevant authoritative
advice.
6.1.10 Define a security calendar/schedule of all known security X
events (including reporting).
6.1.11 Advise the Customer of any scheduled security events X
such as systems maintenance that are additional to those
defined in the calendar/schedule, at least 24 hours before
the event is scheduled to occur.
6.1.12 Evaluate and advise the Customer (through the Contract X
Manager) regarding the:
• Information security implications;
Page 165
Attachment 3 - Services - Applications

Information Security Roles and Responsibilities Contractor Customer


Matrix
6 INFORMATION SECURITY
6.1 INFORMATION SECURITY MANAGEMENT
SYSTEM (ISMS)
6.1.1 Implement and maintain an "Information Security X
Management System" (ISMS) for the secure management
of the Customer’s System that is fully compliant with the
Customer's policies and standards
6.1.2 Provide the Customer’s authorised representatives with X
access (including copies, where requested) to all
documentation regarding the Contractor’s ISMS for the
secure management of the Customer’s System.
6.1.3 Enable the Customer’s authorised representatives to X
undertake whatever activities are necessary for the
effective monitoring and/or auditing of the Contractor’s
ISMS, and the Contractor’s performance against it.
6.1.4 Monitor the structure and content of the Contractor’s X
ISMS, and the Contractor’s performance against it.
6.1.5 Implement regular (at least annual) self-audits of X
structure and content of the Contractor’s ISMS against
the recommendations and content of the Customer's
policies and standards and provide a report of the audit
activities and findings to the Customer’s Contract
Manager.
6.1.6 Implement regular (at least annual) self-audits of the X
Contractor’s performance against its ISMS, and provide a
report of the audit activities and findings to the
Customer’s Contract Manager.
6.1.7 Audit the structure and content of the Contractor’s ISMS, X
and the Contractor’s performance against it.
6.1.8 Implement corrective and preventive actions to remediate X
any shortcomings identified by the Contractor and/or the
Customer regarding the structure and content of the
Contractor’s ISMS, or the Contractor’s performance
against it.
6.1.9 Assist the Customer in defining a security X
calendar/schedule of known security events (including
reporting) through the provision of relevant authoritative
advice.
6.1.10 Define a security calendar/schedule of all known security X
events (including reporting).
6.1.11 Advise the Customer of any scheduled security events X
such as systems maintenance that are additional to those
defined in the calendar/schedule, at least 24 hours before
the event is scheduled to occur.
6.1.12 Evaluate and advise the Customer (through the Contract X
Manager) regarding the:
• Information security implications;
Page 166
Attachment 3 - Services - Applications

Information Security Roles and Responsibilities Contractor Customer


Matrix
6 INFORMATION SECURITY
6.1 INFORMATION SECURITY MANAGEMENT
SYSTEM (ISMS)
6.1.1 Implement and maintain an "Information Security X
Management System" (ISMS) for the secure management
of the Customer’s System that is fully compliant with the
Customer's policies and standards
6.1.2 Provide the Customer’s authorised representatives with X
access (including copies, where requested) to all
documentation regarding the Contractor’s ISMS for the
secure management of the Customer’s System.
6.1.3 Enable the Customer’s authorised representatives to X
undertake whatever activities are necessary for the
effective monitoring and/or auditing of the Contractor’s
ISMS, and the Contractor’s performance against it.
6.1.4 Monitor the structure and content of the Contractor’s X
ISMS, and the Contractor’s performance against it.
6.1.5 Implement regular (at least annual) self-audits of X
structure and content of the Contractor’s ISMS against
the recommendations and content of the Customer's
policies and standards and provide a report of the audit
activities and findings to the Customer’s Contract
Manager.
6.1.6 Implement regular (at least annual) self-audits of the X
Contractor’s performance against its ISMS, and provide a
report of the audit activities and findings to the
Customer’s Contract Manager.
6.1.7 Audit the structure and content of the Contractor’s ISMS, X
and the Contractor’s performance against it.
6.1.8 Implement corrective and preventive actions to remediate X
any shortcomings identified by the Contractor and/or the
Customer regarding the structure and content of the
Contractor’s ISMS, or the Contractor’s performance
against it.
6.1.9 Assist the Customer in defining a security X
calendar/schedule of known security events (including
reporting) through the provision of relevant authoritative
advice.
6.1.10 Define a security calendar/schedule of all known security X
events (including reporting).
6.1.11 Advise the Customer of any scheduled security events X
such as systems maintenance that are additional to those
defined in the calendar/schedule, at least 24 hours before
the event is scheduled to occur.
6.1.12 Evaluate and advise the Customer (through the Contract X
Manager) regarding the:
• Information security implications;
Page 167
Attachment 3 - Services - Applications

Information Security Roles and Responsibilities Contractor Customer


Matrix
6 INFORMATION SECURITY
6.1 INFORMATION SECURITY MANAGEMENT
SYSTEM (ISMS)
6.1.1 Implement and maintain an "Information Security X
Management System" (ISMS) for the secure management
of the Customer’s System that is fully compliant with the
Customer's policies and standards
6.1.2 Provide the Customer’s authorised representatives with X
access (including copies, where requested) to all
documentation regarding the Contractor’s ISMS for the
secure management of the Customer’s System.
6.1.3 Enable the Customer’s authorised representatives to X
undertake whatever activities are necessary for the
effective monitoring and/or auditing of the Contractor’s
ISMS, and the Contractor’s performance against it.
6.1.4 Monitor the structure and content of the Contractor’s X
ISMS, and the Contractor’s performance against it.
6.1.5 Implement regular (at least annual) self-audits of X
structure and content of the Contractor’s ISMS against
the recommendations and content of the Customer's
policies and standards and provide a report of the audit
activities and findings to the Customer’s Contract
Manager.
6.1.6 Implement regular (at least annual) self-audits of the X
Contractor’s performance against its ISMS, and provide a
report of the audit activities and findings to the
Customer’s Contract Manager.
6.1.7 Audit the structure and content of the Contractor’s ISMS, X
and the Contractor’s performance against it.
6.1.8 Implement corrective and preventive actions to remediate X
any shortcomings identified by the Contractor and/or the
Customer regarding the structure and content of the
Contractor’s ISMS, or the Contractor’s performance
against it.
6.1.9 Assist the Customer in defining a security X
calendar/schedule of known security events (including
reporting) through the provision of relevant authoritative
advice.
6.1.10 Define a security calendar/schedule of all known security X
events (including reporting).
6.1.11 Advise the Customer of any scheduled security events X
such as systems maintenance that are additional to those
defined in the calendar/schedule, at least 24 hours before
the event is scheduled to occur.
6.1.12 Evaluate and advise the Customer (through the Contract X
Manager) regarding the:
• Information security implications;
Page 168
Attachment 3 - Services - Applications

Information Security Roles and Responsibilities Contractor Customer


Matrix
6 INFORMATION SECURITY
6.1 INFORMATION SECURITY MANAGEMENT
SYSTEM (ISMS)
6.1.1 Implement and maintain an "Information Security X
Management System" (ISMS) for the secure management
of the Customer’s System that is fully compliant with the
Customer's policies and standards
6.1.2 Provide the Customer’s authorised representatives with X
access (including copies, where requested) to all
documentation regarding the Contractor’s ISMS for the
secure management of the Customer’s System.
6.1.3 Enable the Customer’s authorised representatives to X
undertake whatever activities are necessary for the
effective monitoring and/or auditing of the Contractor’s
ISMS, and the Contractor’s performance against it.
6.1.4 Monitor the structure and content of the Contractor’s X
ISMS, and the Contractor’s performance against it.
6.1.5 Implement regular (at least annual) self-audits of X
structure and content of the Contractor’s ISMS against
the recommendations and content of the Customer's
policies and standards and provide a report of the audit
activities and findings to the Customer’s Contract
Manager.
6.1.6 Implement regular (at least annual) self-audits of the X
Contractor’s performance against its ISMS, and provide a
report of the audit activities and findings to the
Customer’s Contract Manager.
6.1.7 Audit the structure and content of the Contractor’s ISMS, X
and the Contractor’s performance against it.
6.1.8 Implement corrective and preventive actions to remediate X
any shortcomings identified by the Contractor and/or the
Customer regarding the structure and content of the
Contractor’s ISMS, or the Contractor’s performance
against it.
6.1.9 Assist the Customer in defining a security X
calendar/schedule of known security events (including
reporting) through the provision of relevant authoritative
advice.
6.1.10 Define a security calendar/schedule of all known security X
events (including reporting).
6.1.11 Advise the Customer of any scheduled security events X
such as systems maintenance that are additional to those
defined in the calendar/schedule, at least 24 hours before
the event is scheduled to occur.
6.1.12 Evaluate and advise the Customer (through the Contract X
Manager) regarding the:
• Information security implications;
Page 169
Attachment 3 - Services - Applications

Information Security Roles and Responsibilities Contractor Customer


Matrix
6 INFORMATION SECURITY
6.1 INFORMATION SECURITY MANAGEMENT
SYSTEM (ISMS)
6.1.1 Implement and maintain an "Information Security X
Management System" (ISMS) for the secure management
of the Customer’s System that is fully compliant with the
Customer's policies and standards
6.1.2 Provide the Customer’s authorised representatives with X
access (including copies, where requested) to all
documentation regarding the Contractor’s ISMS for the
secure management of the Customer’s System.
6.1.3 Enable the Customer’s authorised representatives to X
undertake whatever activities are necessary for the
effective monitoring and/or auditing of the Contractor’s
ISMS, and the Contractor’s performance against it.
6.1.4 Monitor the structure and content of the Contractor’s X
ISMS, and the Contractor’s performance against it.
6.1.5 Implement regular (at least annual) self-audits of X
structure and content of the Contractor’s ISMS against
the recommendations and content of the Customer's
policies and standards and provide a report of the audit
activities and findings to the Customer’s Contract
Manager.
6.1.6 Implement regular (at least annual) self-audits of the X
Contractor’s performance against its ISMS, and provide a
report of the audit activities and findings to the
Customer’s Contract Manager.
6.1.7 Audit the structure and content of the Contractor’s ISMS, X
and the Contractor’s performance against it.
6.1.8 Implement corrective and preventive actions to remediate X
any shortcomings identified by the Contractor and/or the
Customer regarding the structure and content of the
Contractor’s ISMS, or the Contractor’s performance
against it.
6.1.9 Assist the Customer in defining a security X
calendar/schedule of known security events (including
reporting) through the provision of relevant authoritative
advice.
6.1.10 Define a security calendar/schedule of all known security X
events (including reporting).
6.1.11 Advise the Customer of any scheduled security events X
such as systems maintenance that are additional to those
defined in the calendar/schedule, at least 24 hours before
the event is scheduled to occur.
6.1.12 Evaluate and advise the Customer (through the Contract X
Manager) regarding the:
• Information security implications;
Page 170
Attachment 3 - Services - Applications

Information Security Roles and Responsibilities Contractor Customer


Matrix
6 INFORMATION SECURITY
6.1 INFORMATION SECURITY MANAGEMENT
SYSTEM (ISMS)
6.1.1 Implement and maintain an "Information Security X
Management System" (ISMS) for the secure management
of the Customer’s System that is fully compliant with the
Customer's policies and standards
6.1.2 Provide the Customer’s authorised representatives with X
access (including copies, where requested) to all
documentation regarding the Contractor’s ISMS for the
secure management of the Customer’s System.
6.1.3 Enable the Customer’s authorised representatives to X
undertake whatever activities are necessary for the
effective monitoring and/or auditing of the Contractor’s
ISMS, and the Contractor’s performance against it.
6.1.4 Monitor the structure and content of the Contractor’s X
ISMS, and the Contractor’s performance against it.
6.1.5 Implement regular (at least annual) self-audits of X
structure and content of the Contractor’s ISMS against
the recommendations and content of the Customer's
policies and standards and provide a report of the audit
activities and findings to the Customer’s Contract
Manager.
6.1.6 Implement regular (at least annual) self-audits of the X
Contractor’s performance against its ISMS, and provide a
report of the audit activities and findings to the
Customer’s Contract Manager.
6.1.7 Audit the structure and content of the Contractor’s ISMS, X
and the Contractor’s performance against it.
6.1.8 Implement corrective and preventive actions to remediate X
any shortcomings identified by the Contractor and/or the
Customer regarding the structure and content of the
Contractor’s ISMS, or the Contractor’s performance
against it.
6.1.9 Assist the Customer in defining a security X
calendar/schedule of known security events (including
reporting) through the provision of relevant authoritative
advice.
6.1.10 Define a security calendar/schedule of all known security X
events (including reporting).
6.1.11 Advise the Customer of any scheduled security events X
such as systems maintenance that are additional to those
defined in the calendar/schedule, at least 24 hours before
the event is scheduled to occur.
6.1.12 Evaluate and advise the Customer (through the Contract X
Manager) regarding the:
• Information security implications;
Page 171
Attachment 3 - Services - Applications

Information Security Roles and Responsibilities Contractor Customer


Matrix
6 INFORMATION SECURITY
6.1 INFORMATION SECURITY MANAGEMENT
SYSTEM (ISMS)
6.1.1 Implement and maintain an "Information Security X
Management System" (ISMS) for the secure management
of the Customer’s System that is fully compliant with the
Customer's policies and standards
6.1.2 Provide the Customer’s authorised representatives with X
access (including copies, where requested) to all
documentation regarding the Contractor’s ISMS for the
secure management of the Customer’s System.
6.1.3 Enable the Customer’s authorised representatives to X
undertake whatever activities are necessary for the
effective monitoring and/or auditing of the Contractor’s
ISMS, and the Contractor’s performance against it.
6.1.4 Monitor the structure and content of the Contractor’s X
ISMS, and the Contractor’s performance against it.
6.1.5 Implement regular (at least annual) self-audits of X
structure and content of the Contractor’s ISMS against
the recommendations and content of the Customer's
policies and standards and provide a report of the audit
activities and findings to the Customer’s Contract
Manager.
6.1.6 Implement regular (at least annual) self-audits of the X
Contractor’s performance against its ISMS, and provide a
report of the audit activities and findings to the
Customer’s Contract Manager.
6.1.7 Audit the structure and content of the Contractor’s ISMS, X
and the Contractor’s performance against it.
6.1.8 Implement corrective and preventive actions to remediate X
any shortcomings identified by the Contractor and/or the
Customer regarding the structure and content of the
Contractor’s ISMS, or the Contractor’s performance
against it.
6.1.9 Assist the Customer in defining a security X
calendar/schedule of known security events (including
reporting) through the provision of relevant authoritative
advice.
6.1.10 Define a security calendar/schedule of all known security X
events (including reporting).
6.1.11 Advise the Customer of any scheduled security events X
such as systems maintenance that are additional to those
defined in the calendar/schedule, at least 24 hours before
the event is scheduled to occur.
6.1.12 Evaluate and advise the Customer (through the Contract X
Manager) regarding the:
• Information security implications;
Page 172
Attachment 3 - Services - Applications

Information Security Roles and Responsibilities Contractor Customer


Matrix
6 INFORMATION SECURITY
6.1 INFORMATION SECURITY MANAGEMENT
SYSTEM (ISMS)
6.1.1 Implement and maintain an "Information Security X
Management System" (ISMS) for the secure management
of the Customer’s System that is fully compliant with the
Customer's policies and standards
6.1.2 Provide the Customer’s authorised representatives with X
access (including copies, where requested) to all
documentation regarding the Contractor’s ISMS for the
secure management of the Customer’s System.
6.1.3 Enable the Customer’s authorised representatives to X
undertake whatever activities are necessary for the
effective monitoring and/or auditing of the Contractor’s
ISMS, and the Contractor’s performance against it.
6.1.4 Monitor the structure and content of the Contractor’s X
ISMS, and the Contractor’s performance against it.
6.1.5 Implement regular (at least annual) self-audits of X
structure and content of the Contractor’s ISMS against
the recommendations and content of the Customer's
policies and standards and provide a report of the audit
activities and findings to the Customer’s Contract
Manager.
6.1.6 Implement regular (at least annual) self-audits of the X
Contractor’s performance against its ISMS, and provide a
report of the audit activities and findings to the
Customer’s Contract Manager.
6.1.7 Audit the structure and content of the Contractor’s ISMS, X
and the Contractor’s performance against it.
6.1.8 Implement corrective and preventive actions to remediate X
any shortcomings identified by the Contractor and/or the
Customer regarding the structure and content of the
Contractor’s ISMS, or the Contractor’s performance
against it.
6.1.9 Assist the Customer in defining a security X
calendar/schedule of known security events (including
reporting) through the provision of relevant authoritative
advice.
6.1.10 Define a security calendar/schedule of all known security X
events (including reporting).
6.1.11 Advise the Customer of any scheduled security events X
such as systems maintenance that are additional to those
defined in the calendar/schedule, at least 24 hours before
the event is scheduled to occur.
6.1.12 Evaluate and advise the Customer (through the Contract X
Manager) regarding the:
• Information security implications;
Page 173
Attachment 3 - Services - Applications

Information Security Roles and Responsibilities Contractor Customer


Matrix
6 INFORMATION SECURITY
6.1 INFORMATION SECURITY MANAGEMENT
SYSTEM (ISMS)
6.1.1 Implement and maintain an "Information Security X
Management System" (ISMS) for the secure management
of the Customer’s System that is fully compliant with the
Customer's policies and standards
6.1.2 Provide the Customer’s authorised representatives with X
access (including copies, where requested) to all
documentation regarding the Contractor’s ISMS for the
secure management of the Customer’s System.
6.1.3 Enable the Customer’s authorised representatives to X
undertake whatever activities are necessary for the
effective monitoring and/or auditing of the Contractor’s
ISMS, and the Contractor’s performance against it.
6.1.4 Monitor the structure and content of the Contractor’s X
ISMS, and the Contractor’s performance against it.
6.1.5 Implement regular (at least annual) self-audits of X
structure and content of the Contractor’s ISMS against
the recommendations and content of the Customer's
policies and standards and provide a report of the audit
activities and findings to the Customer’s Contract
Manager.
6.1.6 Implement regular (at least annual) self-audits of the X
Contractor’s performance against its ISMS, and provide a
report of the audit activities and findings to the
Customer’s Contract Manager.
6.1.7 Audit the structure and content of the Contractor’s ISMS, X
and the Contractor’s performance against it.
6.1.8 Implement corrective and preventive actions to remediate X
any shortcomings identified by the Contractor and/or the
Customer regarding the structure and content of the
Contractor’s ISMS, or the Contractor’s performance
against it.
6.1.9 Assist the Customer in defining a security X
calendar/schedule of known security events (including
reporting) through the provision of relevant authoritative
advice.
6.1.10 Define a security calendar/schedule of all known security X
events (including reporting).
6.1.11 Advise the Customer of any scheduled security events X
such as systems maintenance that are additional to those
defined in the calendar/schedule, at least 24 hours before
the event is scheduled to occur.
6.1.12 Evaluate and advise the Customer (through the Contract X
Manager) regarding the:
• Information security implications;
Page 174
Attachment 3 - Services - Applications

Information Security Roles and Responsibilities Contractor Customer


Matrix
6 INFORMATION SECURITY
6.1 INFORMATION SECURITY MANAGEMENT
SYSTEM (ISMS)
6.1.1 Implement and maintain an "Information Security X
Management System" (ISMS) for the secure management
of the Customer’s System that is fully compliant with the
Customer's policies and standards
6.1.2 Provide the Customer’s authorised representatives with X
access (including copies, where requested) to all
documentation regarding the Contractor’s ISMS for the
secure management of the Customer’s System.
6.1.3 Enable the Customer’s authorised representatives to X
undertake whatever activities are necessary for the
effective monitoring and/or auditing of the Contractor’s
ISMS, and the Contractor’s performance against it.
6.1.4 Monitor the structure and content of the Contractor’s X
ISMS, and the Contractor’s performance against it.
6.1.5 Implement regular (at least annual) self-audits of X
structure and content of the Contractor’s ISMS against
the recommendations and content of the Customer's
policies and standards and provide a report of the audit
activities and findings to the Customer’s Contract
Manager.
6.1.6 Implement regular (at least annual) self-audits of the X
Contractor’s performance against its ISMS, and provide a
report of the audit activities and findings to the
Customer’s Contract Manager.
6.1.7 Audit the structure and content of the Contractor’s ISMS, X
and the Contractor’s performance against it.
6.1.8 Implement corrective and preventive actions to remediate X
any shortcomings identified by the Contractor and/or the
Customer regarding the structure and content of the
Contractor’s ISMS, or the Contractor’s performance
against it.
6.1.9 Assist the Customer in defining a security X
calendar/schedule of known security events (including
reporting) through the provision of relevant authoritative
advice.
6.1.10 Define a security calendar/schedule of all known security X
events (including reporting).
6.1.11 Advise the Customer of any scheduled security events X
such as systems maintenance that are additional to those
defined in the calendar/schedule, at least 24 hours before
the event is scheduled to occur.
6.1.12 Evaluate and advise the Customer (through the Contract X
Manager) regarding the:
• Information security implications;

Information Security Roles and Responsibilities Contractor Customer


Matrix
6 INFORMATION SECURITY
6.1 INFORMATION SECURITY MANAGEMENT
SYSTEM (ISMS)
6.1.1 Implement and maintain an "Information Security X
Management System" (ISMS) for the secure management
of the Customer’s System that is fully compliant with the
Customer's policies and standards
6.1.2 Provide the Customer’s authorised representatives with X
access (including copies, where requested) to all
documentation regarding the Contractor’s ISMS for the
secure management of the Customer’s System.
6.1.3 Enable the Customer’s authorised representatives to X
undertake whatever activities are necessary for the
effective monitoring and/or auditing of the Contractor’s
ISMS, and the Contractor’s performance against it.
6.1.4 Monitor the structure and content of the Contractor’s X
ISMS, and the Contractor’s performance against it.
6.1.5 Implement regular (at least annual) self-audits of X
structure and content of the Contractor’s ISMS against
the recommendations and content of the Customer's
policies and standards and provide a report of the audit
activities and findings to the Customer’s Contract
Manager.
6.1.6 Implement regular (at least annual) self-audits of the X
Contractor’s performance against its ISMS, and provide a
report of the audit activities and findings to the
Customer’s Contract Manager.
6.1.7 Audit the structure and content of the Contractor’s ISMS, X
and the Contractor’s performance against it.
6.1.8 Implement corrective and preventive actions to remediate X
any shortcomings identified by the Contractor and/or the
Customer regarding the structure and content of the
Contractor’s ISMS, or the Contractor’s performance
against it.
6.1.9 Assist the Customer in defining a security X
calendar/schedule of known security events (including
reporting) through the provision of relevant authoritative
advice.
6.1.10 Define a security calendar/schedule of all known security X
events (including reporting).
6.1.11 Advise the Customer of any scheduled security events X
such as systems maintenance that are additional to those
defined in the calendar/schedule, at least 24 hours before
the event is scheduled to occur.
6.1.12 Evaluate and advise the Customer (through the Contract X
Manager) regarding the:
• Information security implications;
Page 204
Attachment 3 - Services - Applications

Information Security Roles and Responsibilities Contractor Customer


Matrix
6 INFORMATION SECURITY
6.1 INFORMATION SECURITY MANAGEMENT
SYSTEM (ISMS)
6.1.1 Implement and maintain an "Information Security X
Management System" (ISMS) for the secure management
of the Customer’s System that is fully compliant with the
Customer's policies and standards
6.1.2 Provide the Customer’s authorised representatives with X
access (including copies, where requested) to all
documentation regarding the Contractor’s ISMS for the
secure management of the Customer’s System.
6.1.3 Enable the Customer’s authorised representatives to X
undertake whatever activities are necessary for the
effective monitoring and/or auditing of the Contractor’s
ISMS, and the Contractor’s performance against it.
6.1.4 Monitor the structure and content of the Contractor’s X
ISMS, and the Contractor’s performance against it.
6.1.5 Implement regular (at least annual) self-audits of X
structure and content of the Contractor’s ISMS against
the recommendations and content of the Customer's
policies and standards and provide a report of the audit
activities and findings to the Customer’s Contract
Manager.
6.1.6 Implement regular (at least annual) self-audits of the X
Contractor’s performance against its ISMS, and provide a
report of the audit activities and findings to the
Customer’s Contract Manager.
6.1.7 Audit the structure and content of the Contractor’s ISMS, X
and the Contractor’s performance against it.
6.1.8 Implement corrective and preventive actions to remediate X
any shortcomings identified by the Contractor and/or the
Customer regarding the structure and content of the
Contractor’s ISMS, or the Contractor’s performance
against it.
6.1.9 Assist the Customer in defining a security X
calendar/schedule of known security events (including
reporting) through the provision of relevant authoritative
advice.
6.1.10 Define a security calendar/schedule of all known security X
events (including reporting).
6.1.11 Advise the Customer of any scheduled security events X
such as systems maintenance that are additional to those
defined in the calendar/schedule, at least 24 hours before
the event is scheduled to occur.
6.1.12 Evaluate and advise the Customer (through the Contract X
Manager) regarding the:
• Information security implications;
Page 205
Attachment 3 - Services - Applications

Information Security Roles and Responsibilities Contractor Customer


Matrix
6 INFORMATION SECURITY
6.1 INFORMATION SECURITY MANAGEMENT
SYSTEM (ISMS)
6.1.1 Implement and maintain an "Information Security X
Management System" (ISMS) for the secure management
of the Customer’s System that is fully compliant with the
Customer's policies and standards
6.1.2 Provide the Customer’s authorised representatives with X
access (including copies, where requested) to all
documentation regarding the Contractor’s ISMS for the
secure management of the Customer’s System.
6.1.3 Enable the Customer’s authorised representatives to X
undertake whatever activities are necessary for the
effective monitoring and/or auditing of the Contractor’s
ISMS, and the Contractor’s performance against it.
6.1.4 Monitor the structure and content of the Contractor’s X
ISMS, and the Contractor’s performance against it.
6.1.5 Implement regular (at least annual) self-audits of X
structure and content of the Contractor’s ISMS against
the recommendations and content of the Customer's
policies and standards and provide a report of the audit
activities and findings to the Customer’s Contract
Manager.
6.1.6 Implement regular (at least annual) self-audits of the X
Contractor’s performance against its ISMS, and provide a
report of the audit activities and findings to the
Customer’s Contract Manager.
6.1.7 Audit the structure and content of the Contractor’s ISMS, X
and the Contractor’s performance against it.
6.1.8 Implement corrective and preventive actions to remediate X
any shortcomings identified by the Contractor and/or the
Customer regarding the structure and content of the
Contractor’s ISMS, or the Contractor’s performance
against it.
6.1.9 Assist the Customer in defining a security X
calendar/schedule of known security events (including
reporting) through the provision of relevant authoritative
advice.
6.1.10 Define a security calendar/schedule of all known security X
events (including reporting).
6.1.11 Advise the Customer of any scheduled security events X
such as systems maintenance that are additional to those
defined in the calendar/schedule, at least 24 hours before
the event is scheduled to occur.
6.1.12 Evaluate and advise the Customer (through the Contract X
Manager) regarding the:
• Information security implications;
Page 206
Attachment 3 - Services - Applications

Information Security Roles and Responsibilities Contractor Customer


Matrix
6 INFORMATION SECURITY
6.1 INFORMATION SECURITY MANAGEMENT
SYSTEM (ISMS)
6.1.1 Implement and maintain an "Information Security X
Management System" (ISMS) for the secure management
of the Customer’s System that is fully compliant with the
Customer's policies and standards
6.1.2 Provide the Customer’s authorised representatives with X
access (including copies, where requested) to all
documentation regarding the Contractor’s ISMS for the
secure management of the Customer’s System.
6.1.3 Enable the Customer’s authorised representatives to X
undertake whatever activities are necessary for the
effective monitoring and/or auditing of the Contractor’s
ISMS, and the Contractor’s performance against it.
6.1.4 Monitor the structure and content of the Contractor’s X
ISMS, and the Contractor’s performance against it.
6.1.5 Implement regular (at least annual) self-audits of X
structure and content of the Contractor’s ISMS against
the recommendations and content of the Customer's
policies and standards and provide a report of the audit
activities and findings to the Customer’s Contract
Manager.
6.1.6 Implement regular (at least annual) self-audits of the X
Contractor’s performance against its ISMS, and provide a
report of the audit activities and findings to the
Customer’s Contract Manager.
6.1.7 Audit the structure and content of the Contractor’s ISMS, X
and the Contractor’s performance against it.
6.1.8 Implement corrective and preventive actions to remediate X
any shortcomings identified by the Contractor and/or the
Customer regarding the structure and content of the
Contractor’s ISMS, or the Contractor’s performance
against it.
6.1.9 Assist the Customer in defining a security X
calendar/schedule of known security events (including
reporting) through the provision of relevant authoritative
advice.
6.1.10 Define a security calendar/schedule of all known security X
events (including reporting).
6.1.11 Advise the Customer of any scheduled security events X
such as systems maintenance that are additional to those
defined in the calendar/schedule, at least 24 hours before
the event is scheduled to occur.
6.1.12 Evaluate and advise the Customer (through the Contract X
Manager) regarding the:
• Information security implications;
Page 207
Attachment 3 - Services - Applications

Information Security Roles and Responsibilities Contractor Customer


Matrix
6 INFORMATION SECURITY
6.1 INFORMATION SECURITY MANAGEMENT
SYSTEM (ISMS)
6.1.1 Implement and maintain an "Information Security X
Management System" (ISMS) for the secure management
of the Customer’s System that is fully compliant with the
Customer's policies and standards
6.1.2 Provide the Customer’s authorised representatives with X
access (including copies, where requested) to all
documentation regarding the Contractor’s ISMS for the
secure management of the Customer’s System.
6.1.3 Enable the Customer’s authorised representatives to X
undertake whatever activities are necessary for the
effective monitoring and/or auditing of the Contractor’s
ISMS, and the Contractor’s performance against it.
6.1.4 Monitor the structure and content of the Contractor’s X
ISMS, and the Contractor’s performance against it.
6.1.5 Implement regular (at least annual) self-audits of X
structure and content of the Contractor’s ISMS against
the recommendations and content of the Customer's
policies and standards and provide a report of the audit
activities and findings to the Customer’s Contract
Manager.
6.1.6 Implement regular (at least annual) self-audits of the X
Contractor’s performance against its ISMS, and provide a
report of the audit activities and findings to the
Customer’s Contract Manager.
6.1.7 Audit the structure and content of the Contractor’s ISMS, X
and the Contractor’s performance against it.
6.1.8 Implement corrective and preventive actions to remediate X
any shortcomings identified by the Contractor and/or the
Customer regarding the structure and content of the
Contractor’s ISMS, or the Contractor’s performance
against it.
6.1.9 Assist the Customer in defining a security X
calendar/schedule of known security events (including
reporting) through the provision of relevant authoritative
advice.
6.1.10 Define a security calendar/schedule of all known security X
events (including reporting).
6.1.11 Advise the Customer of any scheduled security events X
such as systems maintenance that are additional to those
defined in the calendar/schedule, at least 24 hours before
the event is scheduled to occur.
6.1.12 Evaluate and advise the Customer (through the Contract X
Manager) regarding the:
• Information security implications;
Page 208
Attachment 3 - Services - Applications

Information Security Roles and Responsibilities Contractor Customer


Matrix
6 INFORMATION SECURITY
6.1 INFORMATION SECURITY MANAGEMENT
SYSTEM (ISMS)
6.1.1 Implement and maintain an "Information Security X
Management System" (ISMS) for the secure management
of the Customer’s System that is fully compliant with the
Customer's policies and standards
6.1.2 Provide the Customer’s authorised representatives with X
access (including copies, where requested) to all
documentation regarding the Contractor’s ISMS for the
secure management of the Customer’s System.
6.1.3 Enable the Customer’s authorised representatives to X
undertake whatever activities are necessary for the
effective monitoring and/or auditing of the Contractor’s
ISMS, and the Contractor’s performance against it.
6.1.4 Monitor the structure and content of the Contractor’s X
ISMS, and the Contractor’s performance against it.
6.1.5 Implement regular (at least annual) self-audits of X
structure and content of the Contractor’s ISMS against
the recommendations and content of the Customer's
policies and standards and provide a report of the audit
activities and findings to the Customer’s Contract
Manager.
6.1.6 Implement regular (at least annual) self-audits of the X
Contractor’s performance against its ISMS, and provide a
report of the audit activities and findings to the
Customer’s Contract Manager.
6.1.7 Audit the structure and content of the Contractor’s ISMS, X
and the Contractor’s performance against it.
6.1.8 Implement corrective and preventive actions to remediate X
any shortcomings identified by the Contractor and/or the
Customer regarding the structure and content of the
Contractor’s ISMS, or the Contractor’s performance
against it.
6.1.9 Assist the Customer in defining a security X
calendar/schedule of known security events (including
reporting) through the provision of relevant authoritative
advice.
6.1.10 Define a security calendar/schedule of all known security X
events (including reporting).
6.1.11 Advise the Customer of any scheduled security events X
such as systems maintenance that are additional to those
defined in the calendar/schedule, at least 24 hours before
the event is scheduled to occur.
6.1.12 Evaluate and advise the Customer (through the Contract X
Manager) regarding the:
• Information security implications;
Page 209
Attachment 3 - Services - Applications

Information Security Roles and Responsibilities Contractor Customer


Matrix
6 INFORMATION SECURITY
6.1 INFORMATION SECURITY MANAGEMENT
SYSTEM (ISMS)
6.1.1 Implement and maintain an "Information Security X
Management System" (ISMS) for the secure management
of the Customer’s System that is fully compliant with the
Customer's policies and standards
6.1.2 Provide the Customer’s authorised representatives with X
access (including copies, where requested) to all
documentation regarding the Contractor’s ISMS for the
secure management of the Customer’s System.
6.1.3 Enable the Customer’s authorised representatives to X
undertake whatever activities are necessary for the
effective monitoring and/or auditing of the Contractor’s
ISMS, and the Contractor’s performance against it.
6.1.4 Monitor the structure and content of the Contractor’s X
ISMS, and the Contractor’s performance against it.
6.1.5 Implement regular (at least annual) self-audits of X
structure and content of the Contractor’s ISMS against
the recommendations and content of the Customer's
policies and standards and provide a report of the audit
activities and findings to the Customer’s Contract
Manager.
6.1.6 Implement regular (at least annual) self-audits of the X
Contractor’s performance against its ISMS, and provide a
report of the audit activities and findings to the
Customer’s Contract Manager.
6.1.7 Audit the structure and content of the Contractor’s ISMS, X
and the Contractor’s performance against it.
6.1.8 Implement corrective and preventive actions to remediate X
any shortcomings identified by the Contractor and/or the
Customer regarding the structure and content of the
Contractor’s ISMS, or the Contractor’s performance
against it.
6.1.9 Assist the Customer in defining a security X
calendar/schedule of known security events (including
reporting) through the provision of relevant authoritative
advice.
6.1.10 Define a security calendar/schedule of all known security X
events (including reporting).
6.1.11 Advise the Customer of any scheduled security events X
such as systems maintenance that are additional to those
defined in the calendar/schedule, at least 24 hours before
the event is scheduled to occur.
6.1.12 Evaluate and advise the Customer (through the Contract X
Manager) regarding the:
• Information security implications;
Page 210
Attachment 3 - Services - Applications

Information Security Roles and Responsibilities Contractor Customer


Matrix
6 INFORMATION SECURITY
6.1 INFORMATION SECURITY MANAGEMENT
SYSTEM (ISMS)
6.1.1 Implement and maintain an "Information Security X
Management System" (ISMS) for the secure management
of the Customer’s System that is fully compliant with the
Customer's policies and standards
6.1.2 Provide the Customer’s authorised representatives with X
access (including copies, where requested) to all
documentation regarding the Contractor’s ISMS for the
secure management of the Customer’s System.
6.1.3 Enable the Customer’s authorised representatives to X
undertake whatever activities are necessary for the
effective monitoring and/or auditing of the Contractor’s
ISMS, and the Contractor’s performance against it.
6.1.4 Monitor the structure and content of the Contractor’s X
ISMS, and the Contractor’s performance against it.
6.1.5 Implement regular (at least annual) self-audits of X
structure and content of the Contractor’s ISMS against
the recommendations and content of the Customer's
policies and standards and provide a report of the audit
activities and findings to the Customer’s Contract
Manager.
6.1.6 Implement regular (at least annual) self-audits of the X
Contractor’s performance against its ISMS, and provide a
report of the audit activities and findings to the
Customer’s Contract Manager.
6.1.7 Audit the structure and content of the Contractor’s ISMS, X
and the Contractor’s performance against it.
6.1.8 Implement corrective and preventive actions to remediate X
any shortcomings identified by the Contractor and/or the
Customer regarding the structure and content of the
Contractor’s ISMS, or the Contractor’s performance
against it.
6.1.9 Assist the Customer in defining a security X
calendar/schedule of known security events (including
reporting) through the provision of relevant authoritative
advice.
6.1.10 Define a security calendar/schedule of all known security X
events (including reporting).
6.1.11 Advise the Customer of any scheduled security events X
such as systems maintenance that are additional to those
defined in the calendar/schedule, at least 24 hours before
the event is scheduled to occur.
6.1.12 Evaluate and advise the Customer (through the Contract X
Manager) regarding the:
• Information security implications;
Page 211
Attachment 3 - Services - Applications

Information Security Roles and Responsibilities Contractor Customer


Matrix
6 INFORMATION SECURITY
6.1 INFORMATION SECURITY MANAGEMENT
SYSTEM (ISMS)
6.1.1 Implement and maintain an "Information Security X
Management System" (ISMS) for the secure management
of the Customer’s System that is fully compliant with the
Customer's policies and standards
6.1.2 Provide the Customer’s authorised representatives with X
access (including copies, where requested) to all
documentation regarding the Contractor’s ISMS for the
secure management of the Customer’s System.
6.1.3 Enable the Customer’s authorised representatives to X
undertake whatever activities are necessary for the
effective monitoring and/or auditing of the Contractor’s
ISMS, and the Contractor’s performance against it.
6.1.4 Monitor the structure and content of the Contractor’s X
ISMS, and the Contractor’s performance against it.
6.1.5 Implement regular (at least annual) self-audits of X
structure and content of the Contractor’s ISMS against
the recommendations and content of the Customer's
policies and standards and provide a report of the audit
activities and findings to the Customer’s Contract
Manager.
6.1.6 Implement regular (at least annual) self-audits of the X
Contractor’s performance against its ISMS, and provide a
report of the audit activities and findings to the
Customer’s Contract Manager.
6.1.7 Audit the structure and content of the Contractor’s ISMS, X
and the Contractor’s performance against it.
6.1.8 Implement corrective and preventive actions to remediate X
any shortcomings identified by the Contractor and/or the
Customer regarding the structure and content of the
Contractor’s ISMS, or the Contractor’s performance
against it.
6.1.9 Assist the Customer in defining a security X
calendar/schedule of known security events (including
reporting) through the provision of relevant authoritative
advice.
6.1.10 Define a security calendar/schedule of all known security X
events (including reporting).
6.1.11 Advise the Customer of any scheduled security events X
such as systems maintenance that are additional to those
defined in the calendar/schedule, at least 24 hours before
the event is scheduled to occur.
6.1.12 Evaluate and advise the Customer (through the Contract X
Manager) regarding the:
• Information security implications;
Page 212
Attachment 3 - Services - Applications

Information Security Roles and Responsibilities Contractor Customer


Matrix
6 INFORMATION SECURITY
6.1 INFORMATION SECURITY MANAGEMENT
SYSTEM (ISMS)
6.1.1 Implement and maintain an "Information Security X
Management System" (ISMS) for the secure management
of the Customer’s System that is fully compliant with the
Customer's policies and standards
6.1.2 Provide the Customer’s authorised representatives with X
access (including copies, where requested) to all
documentation regarding the Contractor’s ISMS for the
secure management of the Customer’s System.
6.1.3 Enable the Customer’s authorised representatives to X
undertake whatever activities are necessary for the
effective monitoring and/or auditing of the Contractor’s
ISMS, and the Contractor’s performance against it.
6.1.4 Monitor the structure and content of the Contractor’s X
ISMS, and the Contractor’s performance against it.
6.1.5 Implement regular (at least annual) self-audits of X
structure and content of the Contractor’s ISMS against
the recommendations and content of the Customer's
policies and standards and provide a report of the audit
activities and findings to the Customer’s Contract
Manager.
6.1.6 Implement regular (at least annual) self-audits of the X
Contractor’s performance against its ISMS, and provide a
report of the audit activities and findings to the
Customer’s Contract Manager.
6.1.7 Audit the structure and content of the Contractor’s ISMS, X
and the Contractor’s performance against it.
6.1.8 Implement corrective and preventive actions to remediate X
any shortcomings identified by the Contractor and/or the
Customer regarding the structure and content of the
Contractor’s ISMS, or the Contractor’s performance
against it.
6.1.9 Assist the Customer in defining a security X
calendar/schedule of known security events (including
reporting) through the provision of relevant authoritative
advice.
6.1.10 Define a security calendar/schedule of all known security X
events (including reporting).
6.1.11 Advise the Customer of any scheduled security events X
such as systems maintenance that are additional to those
defined in the calendar/schedule, at least 24 hours before
the event is scheduled to occur.
6.1.12 Evaluate and advise the Customer (through the Contract X
Manager) regarding the:
• Information security implications;
Page 213
Attachment 3 - Services - Applications

Information Security Roles and Responsibilities Contractor Customer


Matrix
6 INFORMATION SECURITY
6.1 INFORMATION SECURITY MANAGEMENT
SYSTEM (ISMS)
6.1.1 Implement and maintain an "Information Security X
Management System" (ISMS) for the secure management
of the Customer’s System that is fully compliant with the
Customer's policies and standards
6.1.2 Provide the Customer’s authorised representatives with X
access (including copies, where requested) to all
documentation regarding the Contractor’s ISMS for the
secure management of the Customer’s System.
6.1.3 Enable the Customer’s authorised representatives to X
undertake whatever activities are necessary for the
effective monitoring and/or auditing of the Contractor’s
ISMS, and the Contractor’s performance against it.
6.1.4 Monitor the structure and content of the Contractor’s X
ISMS, and the Contractor’s performance against it.
6.1.5 Implement regular (at least annual) self-audits of X
structure and content of the Contractor’s ISMS against
the recommendations and content of the Customer's
policies and standards and provide a report of the audit
activities and findings to the Customer’s Contract
Manager.
6.1.6 Implement regular (at least annual) self-audits of the X
Contractor’s performance against its ISMS, and provide a
report of the audit activities and findings to the
Customer’s Contract Manager.
6.1.7 Audit the structure and content of the Contractor’s ISMS, X
and the Contractor’s performance against it.
6.1.8 Implement corrective and preventive actions to remediate X
any shortcomings identified by the Contractor and/or the
Customer regarding the structure and content of the
Contractor’s ISMS, or the Contractor’s performance
against it.
6.1.9 Assist the Customer in defining a security X
calendar/schedule of known security events (including
reporting) through the provision of relevant authoritative
advice.
6.1.10 Define a security calendar/schedule of all known security X
events (including reporting).
6.1.11 Advise the Customer of any scheduled security events X
such as systems maintenance that are additional to those
defined in the calendar/schedule, at least 24 hours before
the event is scheduled to occur.
6.1.12 Evaluate and advise the Customer (through the Contract X
Manager) regarding the:
• Information security implications;
Page 214
Attachment 3 - Services - Applications

Information Security Roles and Responsibilities Contractor Customer


Matrix
6 INFORMATION SECURITY
6.1 INFORMATION SECURITY MANAGEMENT
SYSTEM (ISMS)
6.1.1 Implement and maintain an "Information Security X
Management System" (ISMS) for the secure management
of the Customer’s System that is fully compliant with the
Customer's policies and standards
6.1.2 Provide the Customer’s authorised representatives with X
access (including copies, where requested) to all
documentation regarding the Contractor’s ISMS for the
secure management of the Customer’s System.
6.1.3 Enable the Customer’s authorised representatives to X
undertake whatever activities are necessary for the
effective monitoring and/or auditing of the Contractor’s
ISMS, and the Contractor’s performance against it.
6.1.4 Monitor the structure and content of the Contractor’s X
ISMS, and the Contractor’s performance against it.
6.1.5 Implement regular (at least annual) self-audits of X
structure and content of the Contractor’s ISMS against
the recommendations and content of the Customer's
policies and standards and provide a report of the audit
activities and findings to the Customer’s Contract
Manager.
6.1.6 Implement regular (at least annual) self-audits of the X
Contractor’s performance against its ISMS, and provide a
report of the audit activities and findings to the
Customer’s Contract Manager.
6.1.7 Audit the structure and content of the Contractor’s ISMS, X
and the Contractor’s performance against it.
6.1.8 Implement corrective and preventive actions to remediate X
any shortcomings identified by the Contractor and/or the
Customer regarding the structure and content of the
Contractor’s ISMS, or the Contractor’s performance
against it.
6.1.9 Assist the Customer in defining a security X
calendar/schedule of known security events (including
reporting) through the provision of relevant authoritative
advice.
6.1.10 Define a security calendar/schedule of all known security X
events (including reporting).
6.1.11 Advise the Customer of any scheduled security events X
such as systems maintenance that are additional to those
defined in the calendar/schedule, at least 24 hours before
the event is scheduled to occur.
6.1.12 Evaluate and advise the Customer (through the Contract X
Manager) regarding the:
• Information security implications;
Page 215
Attachment 3 - Services - Applications

Information Security Roles and Responsibilities Contractor Customer


Matrix
6 INFORMATION SECURITY
6.1 INFORMATION SECURITY MANAGEMENT
SYSTEM (ISMS)
6.1.1 Implement and maintain an "Information Security X
Management System" (ISMS) for the secure management
of the Customer’s System that is fully compliant with the
Customer's policies and standards
6.1.2 Provide the Customer’s authorised representatives with X
access (including copies, where requested) to all
documentation regarding the Contractor’s ISMS for the
secure management of the Customer’s System.
6.1.3 Enable the Customer’s authorised representatives to X
undertake whatever activities are necessary for the
effective monitoring and/or auditing of the Contractor’s
ISMS, and the Contractor’s performance against it.
6.1.4 Monitor the structure and content of the Contractor’s X
ISMS, and the Contractor’s performance against it.
6.1.5 Implement regular (at least annual) self-audits of X
structure and content of the Contractor’s ISMS against
the recommendations and content of the Customer's
policies and standards and provide a report of the audit
activities and findings to the Customer’s Contract
Manager.
6.1.6 Implement regular (at least annual) self-audits of the X
Contractor’s performance against its ISMS, and provide a
report of the audit activities and findings to the
Customer’s Contract Manager.
6.1.7 Audit the structure and content of the Contractor’s ISMS, X
and the Contractor’s performance against it.
6.1.8 Implement corrective and preventive actions to remediate X
any shortcomings identified by the Contractor and/or the
Customer regarding the structure and content of the
Contractor’s ISMS, or the Contractor’s performance
against it.
6.1.9 Assist the Customer in defining a security X
calendar/schedule of known security events (including
reporting) through the provision of relevant authoritative
advice.
6.1.10 Define a security calendar/schedule of all known security X
events (including reporting).
6.1.11 Advise the Customer of any scheduled security events X
such as systems maintenance that are additional to those
defined in the calendar/schedule, at least 24 hours before
the event is scheduled to occur.
6.1.12 Evaluate and advise the Customer (through the Contract X
Manager) regarding the:
• Information security implications;
Page 230
Attachment 3 - Services - Applications

Information Security Roles and Responsibilities Contractor Customer


Matrix
6 INFORMATION SECURITY
6.1 INFORMATION SECURITY MANAGEMENT
SYSTEM (ISMS)
6.1.1 Implement and maintain an "Information Security X
Management System" (ISMS) for the secure management
of the Customer’s System that is fully compliant with the
Customer's policies and standards
6.1.2 Provide the Customer’s authorised representatives with X
access (including copies, where requested) to all
documentation regarding the Contractor’s ISMS for the
secure management of the Customer’s System.
6.1.3 Enable the Customer’s authorised representatives to X
undertake whatever activities are necessary for the
effective monitoring and/or auditing of the Contractor’s
ISMS, and the Contractor’s performance against it.
6.1.4 Monitor the structure and content of the Contractor’s X
ISMS, and the Contractor’s performance against it.
6.1.5 Implement regular (at least annual) self-audits of X
structure and content of the Contractor’s ISMS against
the recommendations and content of the Customer's
policies and standards and provide a report of the audit
activities and findings to the Customer’s Contract
Manager.
6.1.6 Implement regular (at least annual) self-audits of the X
Contractor’s performance against its ISMS, and provide a
report of the audit activities and findings to the
Customer’s Contract Manager.
6.1.7 Audit the structure and content of the Contractor’s ISMS, X
and the Contractor’s performance against it.
6.1.8 Implement corrective and preventive actions to remediate X
any shortcomings identified by the Contractor and/or the
Customer regarding the structure and content of the
Contractor’s ISMS, or the Contractor’s performance
against it.
6.1.9 Assist the Customer in defining a security X
calendar/schedule of known security events (including
reporting) through the provision of relevant authoritative
advice.
6.1.10 Define a security calendar/schedule of all known security X
events (including reporting).
6.1.11 Advise the Customer of any scheduled security events X
such as systems maintenance that are additional to those
defined in the calendar/schedule, at least 24 hours before
the event is scheduled to occur.
6.1.12 Evaluate and advise the Customer (through the Contract X
Manager) regarding the:
• Information security implications;
Page 231
Attachment 3 - Services - Applications

Information Security Roles and Responsibilities Contractor Customer


Matrix
6 INFORMATION SECURITY
6.1 INFORMATION SECURITY MANAGEMENT
SYSTEM (ISMS)
6.1.1 Implement and maintain an "Information Security X
Management System" (ISMS) for the secure management
of the Customer’s System that is fully compliant with the
Customer's policies and standards
6.1.2 Provide the Customer’s authorised representatives with X
access (including copies, where requested) to all
documentation regarding the Contractor’s ISMS for the
secure management of the Customer’s System.
6.1.3 Enable the Customer’s authorised representatives to X
undertake whatever activities are necessary for the
effective monitoring and/or auditing of the Contractor’s
ISMS, and the Contractor’s performance against it.
6.1.4 Monitor the structure and content of the Contractor’s X
ISMS, and the Contractor’s performance against it.
6.1.5 Implement regular (at least annual) self-audits of X
structure and content of the Contractor’s ISMS against
the recommendations and content of the Customer's
policies and standards and provide a report of the audit
activities and findings to the Customer’s Contract
Manager.
6.1.6 Implement regular (at least annual) self-audits of the X
Contractor’s performance against its ISMS, and provide a
report of the audit activities and findings to the
Customer’s Contract Manager.
6.1.7 Audit the structure and content of the Contractor’s ISMS, X
and the Contractor’s performance against it.
6.1.8 Implement corrective and preventive actions to remediate X
any shortcomings identified by the Contractor and/or the
Customer regarding the structure and content of the
Contractor’s ISMS, or the Contractor’s performance
against it.
6.1.9 Assist the Customer in defining a security X
calendar/schedule of known security events (including
reporting) through the provision of relevant authoritative
advice.
6.1.10 Define a security calendar/schedule of all known security X
events (including reporting).
6.1.11 Advise the Customer of any scheduled security events X
such as systems maintenance that are additional to those
defined in the calendar/schedule, at least 24 hours before
the event is scheduled to occur.
6.1.12 Evaluate and advise the Customer (through the Contract X
Manager) regarding the:
• Information security implications;
Page 232
Attachment 3 - Services - Applications

Information Security Roles and Responsibilities Contractor Customer


Matrix
6 INFORMATION SECURITY
6.1 INFORMATION SECURITY MANAGEMENT
SYSTEM (ISMS)
6.1.1 Implement and maintain an "Information Security X
Management System" (ISMS) for the secure management
of the Customer’s System that is fully compliant with the
Customer's policies and standards
6.1.2 Provide the Customer’s authorised representatives with X
access (including copies, where requested) to all
documentation regarding the Contractor’s ISMS for the
secure management of the Customer’s System.
6.1.3 Enable the Customer’s authorised representatives to X
undertake whatever activities are necessary for the
effective monitoring and/or auditing of the Contractor’s
ISMS, and the Contractor’s performance against it.
6.1.4 Monitor the structure and content of the Contractor’s X
ISMS, and the Contractor’s performance against it.
6.1.5 Implement regular (at least annual) self-audits of X
structure and content of the Contractor’s ISMS against
the recommendations and content of the Customer's
policies and standards and provide a report of the audit
activities and findings to the Customer’s Contract
Manager.
6.1.6 Implement regular (at least annual) self-audits of the X
Contractor’s performance against its ISMS, and provide a
report of the audit activities and findings to the
Customer’s Contract Manager.
6.1.7 Audit the structure and content of the Contractor’s ISMS, X
and the Contractor’s performance against it.
6.1.8 Implement corrective and preventive actions to remediate X
any shortcomings identified by the Contractor and/or the
Customer regarding the structure and content of the
Contractor’s ISMS, or the Contractor’s performance
against it.
6.1.9 Assist the Customer in defining a security X
calendar/schedule of known security events (including
reporting) through the provision of relevant authoritative
advice.
6.1.10 Define a security calendar/schedule of all known security X
events (including reporting).
6.1.11 Advise the Customer of any scheduled security events X
such as systems maintenance that are additional to those
defined in the calendar/schedule, at least 24 hours before
the event is scheduled to occur.
6.1.12 Evaluate and advise the Customer (through the Contract X
Manager) regarding the:
• Information security implications;
Page 233
Attachment 3 - Services - Applications

Information Security Roles and Responsibilities Contractor Customer


Matrix
6 INFORMATION SECURITY
6.1 INFORMATION SECURITY MANAGEMENT
SYSTEM (ISMS)
6.1.1 Implement and maintain an "Information Security X
Management System" (ISMS) for the secure management
of the Customer’s System that is fully compliant with the
Customer's policies and standards
6.1.2 Provide the Customer’s authorised representatives with X
access (including copies, where requested) to all
documentation regarding the Contractor’s ISMS for the
secure management of the Customer’s System.
6.1.3 Enable the Customer’s authorised representatives to X
undertake whatever activities are necessary for the
effective monitoring and/or auditing of the Contractor’s
ISMS, and the Contractor’s performance against it.
6.1.4 Monitor the structure and content of the Contractor’s X
ISMS, and the Contractor’s performance against it.
6.1.5 Implement regular (at least annual) self-audits of X
structure and content of the Contractor’s ISMS against
the recommendations and content of the Customer's
policies and standards and provide a report of the audit
activities and findings to the Customer’s Contract
Manager.
6.1.6 Implement regular (at least annual) self-audits of the X
Contractor’s performance against its ISMS, and provide a
report of the audit activities and findings to the
Customer’s Contract Manager.
6.1.7 Audit the structure and content of the Contractor’s ISMS, X
and the Contractor’s performance against it.
6.1.8 Implement corrective and preventive actions to remediate X
any shortcomings identified by the Contractor and/or the
Customer regarding the structure and content of the
Contractor’s ISMS, or the Contractor’s performance
against it.
6.1.9 Assist the Customer in defining a security X
calendar/schedule of known security events (including
reporting) through the provision of relevant authoritative
advice.
6.1.10 Define a security calendar/schedule of all known security X
events (including reporting).
6.1.11 Advise the Customer of any scheduled security events X
such as systems maintenance that are additional to those
defined in the calendar/schedule, at least 24 hours before
the event is scheduled to occur.
6.1.12 Evaluate and advise the Customer (through the Contract X
Manager) regarding the:
• Information security implications;
Page 234
Attachment 3 - Services - Applications

Information Security Roles and Responsibilities Contractor Customer


Matrix
6 INFORMATION SECURITY
6.1 INFORMATION SECURITY MANAGEMENT
SYSTEM (ISMS)
6.1.1 Implement and maintain an "Information Security X
Management System" (ISMS) for the secure management
of the Customer’s System that is fully compliant with the
Customer's policies and standards
6.1.2 Provide the Customer’s authorised representatives with X
access (including copies, where requested) to all
documentation regarding the Contractor’s ISMS for the
secure management of the Customer’s System.
6.1.3 Enable the Customer’s authorised representatives to X
undertake whatever activities are necessary for the
effective monitoring and/or auditing of the Contractor’s
ISMS, and the Contractor’s performance against it.
6.1.4 Monitor the structure and content of the Contractor’s X
ISMS, and the Contractor’s performance against it.
6.1.5 Implement regular (at least annual) self-audits of X
structure and content of the Contractor’s ISMS against
the recommendations and content of the Customer's
policies and standards and provide a report of the audit
activities and findings to the Customer’s Contract
Manager.
6.1.6 Implement regular (at least annual) self-audits of the X
Contractor’s performance against its ISMS, and provide a
report of the audit activities and findings to the
Customer’s Contract Manager.
6.1.7 Audit the structure and content of the Contractor’s ISMS, X
and the Contractor’s performance against it.
6.1.8 Implement corrective and preventive actions to remediate X
any shortcomings identified by the Contractor and/or the
Customer regarding the structure and content of the
Contractor’s ISMS, or the Contractor’s performance
against it.
6.1.9 Assist the Customer in defining a security X
calendar/schedule of known security events (including
reporting) through the provision of relevant authoritative
advice.
6.1.10 Define a security calendar/schedule of all known security X
events (including reporting).
6.1.11 Advise the Customer of any scheduled security events X
such as systems maintenance that are additional to those
defined in the calendar/schedule, at least 24 hours before
the event is scheduled to occur.
6.1.12 Evaluate and advise the Customer (through the Contract X
Manager) regarding the:
• Information security implications;
Page 235
Attachment 3 - Services - Applications

Information Security Roles and Responsibilities Contractor Customer


Matrix
6 INFORMATION SECURITY
6.1 INFORMATION SECURITY MANAGEMENT
SYSTEM (ISMS)
6.1.1 Implement and maintain an "Information Security X
Management System" (ISMS) for the secure management
of the Customer’s System that is fully compliant with the
Customer's policies and standards
6.1.2 Provide the Customer’s authorised representatives with X
access (including copies, where requested) to all
documentation regarding the Contractor’s ISMS for the
secure management of the Customer’s System.
6.1.3 Enable the Customer’s authorised representatives to X
undertake whatever activities are necessary for the
effective monitoring and/or auditing of the Contractor’s
ISMS, and the Contractor’s performance against it.
6.1.4 Monitor the structure and content of the Contractor’s X
ISMS, and the Contractor’s performance against it.
6.1.5 Implement regular (at least annual) self-audits of X
structure and content of the Contractor’s ISMS against
the recommendations and content of the Customer's
policies and standards and provide a report of the audit
activities and findings to the Customer’s Contract
Manager.
6.1.6 Implement regular (at least annual) self-audits of the X
Contractor’s performance against its ISMS, and provide a
report of the audit activities and findings to the
Customer’s Contract Manager.
6.1.7 Audit the structure and content of the Contractor’s ISMS, X
and the Contractor’s performance against it.
6.1.8 Implement corrective and preventive actions to remediate X
any shortcomings identified by the Contractor and/or the
Customer regarding the structure and content of the
Contractor’s ISMS, or the Contractor’s performance
against it.
6.1.9 Assist the Customer in defining a security X
calendar/schedule of known security events (including
reporting) through the provision of relevant authoritative
advice.
6.1.10 Define a security calendar/schedule of all known security X
events (including reporting).
6.1.11 Advise the Customer of any scheduled security events X
such as systems maintenance that are additional to those
defined in the calendar/schedule, at least 24 hours before
the event is scheduled to occur.
6.1.12 Evaluate and advise the Customer (through the Contract X
Manager) regarding the:
• Information security implications;
Page 236
Attachment 3 - Services - Applications

Information Security Roles and Responsibilities Contractor Customer


Matrix
6 INFORMATION SECURITY
6.1 INFORMATION SECURITY MANAGEMENT
SYSTEM (ISMS)
6.1.1 Implement and maintain an "Information Security X
Management System" (ISMS) for the secure management
of the Customer’s System that is fully compliant with the
Customer's policies and standards
6.1.2 Provide the Customer’s authorised representatives with X
access (including copies, where requested) to all
documentation regarding the Contractor’s ISMS for the
secure management of the Customer’s System.
6.1.3 Enable the Customer’s authorised representatives to X
undertake whatever activities are necessary for the
effective monitoring and/or auditing of the Contractor’s
ISMS, and the Contractor’s performance against it.
6.1.4 Monitor the structure and content of the Contractor’s X
ISMS, and the Contractor’s performance against it.
6.1.5 Implement regular (at least annual) self-audits of X
structure and content of the Contractor’s ISMS against
the recommendations and content of the Customer's
policies and standards and provide a report of the audit
activities and findings to the Customer’s Contract
Manager.
6.1.6 Implement regular (at least annual) self-audits of the X
Contractor’s performance against its ISMS, and provide a
report of the audit activities and findings to the
Customer’s Contract Manager.
6.1.7 Audit the structure and content of the Contractor’s ISMS, X
and the Contractor’s performance against it.
6.1.8 Implement corrective and preventive actions to remediate X
any shortcomings identified by the Contractor and/or the
Customer regarding the structure and content of the
Contractor’s ISMS, or the Contractor’s performance
against it.
6.1.9 Assist the Customer in defining a security X
calendar/schedule of known security events (including
reporting) through the provision of relevant authoritative
advice.
6.1.10 Define a security calendar/schedule of all known security X
events (including reporting).
6.1.11 Advise the Customer of any scheduled security events X
such as systems maintenance that are additional to those
defined in the calendar/schedule, at least 24 hours before
the event is scheduled to occur.
6.1.12 Evaluate and advise the Customer (through the Contract X
Manager) regarding the:
• Information security implications;
Page 237
Attachment 3 - Services - Applications

Information Security Roles and Responsibilities Contractor Customer


Matrix
6 INFORMATION SECURITY
6.1 INFORMATION SECURITY MANAGEMENT
SYSTEM (ISMS)
6.1.1 Implement and maintain an "Information Security X
Management System" (ISMS) for the secure management
of the Customer’s System that is fully compliant with the
Customer's policies and standards
6.1.2 Provide the Customer’s authorised representatives with X
access (including copies, where requested) to all
documentation regarding the Contractor’s ISMS for the
secure management of the Customer’s System.
6.1.3 Enable the Customer’s authorised representatives to X
undertake whatever activities are necessary for the
effective monitoring and/or auditing of the Contractor’s
ISMS, and the Contractor’s performance against it.
6.1.4 Monitor the structure and content of the Contractor’s X
ISMS, and the Contractor’s performance against it.
6.1.5 Implement regular (at least annual) self-audits of X
structure and content of the Contractor’s ISMS against
the recommendations and content of the Customer's
policies and standards and provide a report of the audit
activities and findings to the Customer’s Contract
Manager.
6.1.6 Implement regular (at least annual) self-audits of the X
Contractor’s performance against its ISMS, and provide a
report of the audit activities and findings to the
Customer’s Contract Manager.
6.1.7 Audit the structure and content of the Contractor’s ISMS, X
and the Contractor’s performance against it.
6.1.8 Implement corrective and preventive actions to remediate X
any shortcomings identified by the Contractor and/or the
Customer regarding the structure and content of the
Contractor’s ISMS, or the Contractor’s performance
against it.
6.1.9 Assist the Customer in defining a security X
calendar/schedule of known security events (including
reporting) through the provision of relevant authoritative
advice.
6.1.10 Define a security calendar/schedule of all known security X
events (including reporting).
6.1.11 Advise the Customer of any scheduled security events X
such as systems maintenance that are additional to those
defined in the calendar/schedule, at least 24 hours before
the event is scheduled to occur.
6.1.12 Evaluate and advise the Customer (through the Contract X
Manager) regarding the:
• Information security implications;
Page 238
Attachment 3 - Services - Applications

Information Security Roles and Responsibilities Contractor Customer


Matrix
6 INFORMATION SECURITY
6.1 INFORMATION SECURITY MANAGEMENT
SYSTEM (ISMS)
6.1.1 Implement and maintain an "Information Security X
Management System" (ISMS) for the secure management
of the Customer’s System that is fully compliant with the
Customer's policies and standards
6.1.2 Provide the Customer’s authorised representatives with X
access (including copies, where requested) to all
documentation regarding the Contractor’s ISMS for the
secure management of the Customer’s System.
6.1.3 Enable the Customer’s authorised representatives to X
undertake whatever activities are necessary for the
effective monitoring and/or auditing of the Contractor’s
ISMS, and the Contractor’s performance against it.
6.1.4 Monitor the structure and content of the Contractor’s X
ISMS, and the Contractor’s performance against it.
6.1.5 Implement regular (at least annual) self-audits of X
structure and content of the Contractor’s ISMS against
the recommendations and content of the Customer's
policies and standards and provide a report of the audit
activities and findings to the Customer’s Contract
Manager.
6.1.6 Implement regular (at least annual) self-audits of the X
Contractor’s performance against its ISMS, and provide a
report of the audit activities and findings to the
Customer’s Contract Manager.
6.1.7 Audit the structure and content of the Contractor’s ISMS, X
and the Contractor’s performance against it.
6.1.8 Implement corrective and preventive actions to remediate X
any shortcomings identified by the Contractor and/or the
Customer regarding the structure and content of the
Contractor’s ISMS, or the Contractor’s performance
against it.
6.1.9 Assist the Customer in defining a security X
calendar/schedule of known security events (including
reporting) through the provision of relevant authoritative
advice.
6.1.10 Define a security calendar/schedule of all known security X
events (including reporting).
6.1.11 Advise the Customer of any scheduled security events X
such as systems maintenance that are additional to those
defined in the calendar/schedule, at least 24 hours before
the event is scheduled to occur.
6.1.12 Evaluate and advise the Customer (through the Contract X
Manager) regarding the:
• Information security implications;
Page 239
Attachment 3 - Services - Applications

Information Security Roles and Responsibilities Contractor Customer


Matrix
6 INFORMATION SECURITY
6.1 INFORMATION SECURITY MANAGEMENT
SYSTEM (ISMS)
6.1.1 Implement and maintain an "Information Security X
Management System" (ISMS) for the secure management
of the Customer’s System that is fully compliant with the
Customer's policies and standards
6.1.2 Provide the Customer’s authorised representatives with X
access (including copies, where requested) to all
documentation regarding the Contractor’s ISMS for the
secure management of the Customer’s System.
6.1.3 Enable the Customer’s authorised representatives to X
undertake whatever activities are necessary for the
effective monitoring and/or auditing of the Contractor’s
ISMS, and the Contractor’s performance against it.
6.1.4 Monitor the structure and content of the Contractor’s X
ISMS, and the Contractor’s performance against it.
6.1.5 Implement regular (at least annual) self-audits of X
structure and content of the Contractor’s ISMS against
the recommendations and content of the Customer's
policies and standards and provide a report of the audit
activities and findings to the Customer’s Contract
Manager.
6.1.6 Implement regular (at least annual) self-audits of the X
Contractor’s performance against its ISMS, and provide a
report of the audit activities and findings to the
Customer’s Contract Manager.
6.1.7 Audit the structure and content of the Contractor’s ISMS, X
and the Contractor’s performance against it.
6.1.8 Implement corrective and preventive actions to remediate X
any shortcomings identified by the Contractor and/or the
Customer regarding the structure and content of the
Contractor’s ISMS, or the Contractor’s performance
against it.
6.1.9 Assist the Customer in defining a security X
calendar/schedule of known security events (including
reporting) through the provision of relevant authoritative
advice.
6.1.10 Define a security calendar/schedule of all known security X
events (including reporting).
6.1.11 Advise the Customer of any scheduled security events X
such as systems maintenance that are additional to those
defined in the calendar/schedule, at least 24 hours before
the event is scheduled to occur.
6.1.12 Evaluate and advise the Customer (through the Contract X
Manager) regarding the:
• Information security implications;
Page 240
Attachment 3 - Services - Applications

Information Security Roles and Responsibilities Contractor Customer


Matrix
6 INFORMATION SECURITY
6.1 INFORMATION SECURITY MANAGEMENT
SYSTEM (ISMS)
6.1.1 Implement and maintain an "Information Security X
Management System" (ISMS) for the secure management
of the Customer’s System that is fully compliant with the
Customer's policies and standards
6.1.2 Provide the Customer’s authorised representatives with X
access (including copies, where requested) to all
documentation regarding the Contractor’s ISMS for the
secure management of the Customer’s System.
6.1.3 Enable the Customer’s authorised representatives to X
undertake whatever activities are necessary for the
effective monitoring and/or auditing of the Contractor’s
ISMS, and the Contractor’s performance against it.
6.1.4 Monitor the structure and content of the Contractor’s X
ISMS, and the Contractor’s performance against it.
6.1.5 Implement regular (at least annual) self-audits of X
structure and content of the Contractor’s ISMS against
the recommendations and content of the Customer's
policies and standards and provide a report of the audit
activities and findings to the Customer’s Contract
Manager.
6.1.6 Implement regular (at least annual) self-audits of the X
Contractor’s performance against its ISMS, and provide a
report of the audit activities and findings to the
Customer’s Contract Manager.
6.1.7 Audit the structure and content of the Contractor’s ISMS, X
and the Contractor’s performance against it.
6.1.8 Implement corrective and preventive actions to remediate X
any shortcomings identified by the Contractor and/or the
Customer regarding the structure and content of the
Contractor’s ISMS, or the Contractor’s performance
against it.
6.1.9 Assist the Customer in defining a security X
calendar/schedule of known security events (including
reporting) through the provision of relevant authoritative
advice.
6.1.10 Define a security calendar/schedule of all known security X
events (including reporting).
6.1.11 Advise the Customer of any scheduled security events X
such as systems maintenance that are additional to those
defined in the calendar/schedule, at least 24 hours before
the event is scheduled to occur.
6.1.12 Evaluate and advise the Customer (through the Contract X
Manager) regarding the:
• Information security implications;
Page 241
Attachment 3 - Services - Applications

Information Security Roles and Responsibilities Contractor Customer


Matrix
6 INFORMATION SECURITY
6.1 INFORMATION SECURITY MANAGEMENT
SYSTEM (ISMS)
6.1.1 Implement and maintain an "Information Security X
Management System" (ISMS) for the secure management
of the Customer’s System that is fully compliant with the
Customer's policies and standards
6.1.2 Provide the Customer’s authorised representatives with X
access (including copies, where requested) to all
documentation regarding the Contractor’s ISMS for the
secure management of the Customer’s System.
6.1.3 Enable the Customer’s authorised representatives to X
undertake whatever activities are necessary for the
effective monitoring and/or auditing of the Contractor’s
ISMS, and the Contractor’s performance against it.
6.1.4 Monitor the structure and content of the Contractor’s X
ISMS, and the Contractor’s performance against it.
6.1.5 Implement regular (at least annual) self-audits of X
structure and content of the Contractor’s ISMS against
the recommendations and content of the Customer's
policies and standards and provide a report of the audit
activities and findings to the Customer’s Contract
Manager.
6.1.6 Implement regular (at least annual) self-audits of the X
Contractor’s performance against its ISMS, and provide a
report of the audit activities and findings to the
Customer’s Contract Manager.
6.1.7 Audit the structure and content of the Contractor’s ISMS, X
and the Contractor’s performance against it.
6.1.8 Implement corrective and preventive actions to remediate X
any shortcomings identified by the Contractor and/or the
Customer regarding the structure and content of the
Contractor’s ISMS, or the Contractor’s performance
against it.
6.1.9 Assist the Customer in defining a security X
calendar/schedule of known security events (including
reporting) through the provision of relevant authoritative
advice.
6.1.10 Define a security calendar/schedule of all known security X
events (including reporting).
6.1.11 Advise the Customer of any scheduled security events X
such as systems maintenance that are additional to those
defined in the calendar/schedule, at least 24 hours before
the event is scheduled to occur.
6.1.12 Evaluate and advise the Customer (through the Contract X
Manager) regarding the:
• Information security implications;

Information Security Roles and Responsibilities Matrix    Contractor    Customer

6 INFORMATION SECURITY
6.1 INFORMATION SECURITY MANAGEMENT SYSTEM (ISMS)
6.1.1 Implement and maintain an "Information Security X
Management System" (ISMS) for the secure management
of the Customer’s System that is fully compliant with the
Customer's policies and standards
6.1.2 Provide the Customer’s authorised representatives with X
access (including copies, where requested) to all
documentation regarding the Contractor’s ISMS for the
secure management of the Customer’s System.
6.1.3 Enable the Customer’s authorised representatives to X
undertake whatever activities are necessary for the
effective monitoring and/or auditing of the Contractor’s
ISMS, and the Contractor’s performance against it.
6.1.4 Monitor the structure and content of the Contractor’s X
ISMS, and the Contractor’s performance against it.
6.1.5 Implement regular (at least annual) self-audits of X
structure and content of the Contractor’s ISMS against
the recommendations and content of the Customer's
policies and standards and provide a report of the audit
activities and findings to the Customer’s Contract
Manager.
6.1.6 Implement regular (at least annual) self-audits of the X
Contractor’s performance against its ISMS, and provide a
report of the audit activities and findings to the
Customer’s Contract Manager.
6.1.7 Audit the structure and content of the Contractor’s ISMS, X
and the Contractor’s performance against it.
6.1.8 Implement corrective and preventive actions to remediate X
any shortcomings identified by the Contractor and/or the
Customer regarding the structure and content of the
Contractor’s ISMS, or the Contractor’s performance
against it.
6.1.9 Assist the Customer in defining a security X
calendar/schedule of known security events (including
reporting) through the provision of relevant authoritative
advice.
6.1.10 Define a security calendar/schedule of all known security X
events (including reporting).
6.1.11 Advise the Customer of any scheduled security events X
such as systems maintenance that are additional to those
defined in the calendar/schedule, at least 24 hours before
the event is scheduled to occur.
6.1.12 Evaluate and advise the Customer (through the Contract X
Manager) regarding the:
• Information security implications;