Holding and Hosting Form

Technology, Distribution & Archive
BBC Data Holding and Hosting Request Form
Status: Approved
Content Authority: Head of Information Security, Governance & Compliance - David Jones
Description: This form is to be completed whenever BBC information is to be hosted away from BBC infrastructure. It covers requests to hold/host both personal and non-personal data held on an external ISP or other data processor.
Template Control
Template: Request Form
Version: 5.0
Date: 21/04/2014
Last Reviewed: April 2014
Location:
Internal: IS Approval Forms page [explore.gateway.bbc.co.uk]
External: DQ Third Party Policies page [bbc.co.uk]
Document history
Sys Review ID: (Syyyy/nnnnn/rr)
Division & Dept:
BBC ISGC Owner:
BBC PM: (BBC Project Manager Name)
BBC Data Owner:
Document Name: BBC ISGC Holding and Hosting form – Project Name Vver.docx
Project:
Supplier:
Go Live Date: (Planned or actual go live date)

| Date | Version | Author | Change / Comments |
|---|---|---|---|
| | 0.1 | | Initial draft version |

| Date Approved | Version | ISGC Approver | Comments |
|---|---|---|---|

V5.0 ©BBC 2014
Confidential When Complete
Contents
1. Purpose of this document
1.1. Background
1.2. About this form
1.3. Completing and submitting this form
2. Summary Information
3. High Level Details
3.1. To be completed by BBC staff responsible for this project.
3.2. To be completed by supplier
4. Support Responsibilities Matrix
5. Information Security Policy
6. Organisation of Information Security
7. Human Resource Security
8. Asset Management
9. Logical Security
10. Cryptography
11. Physical and Environmental Security
12. Operations Security
13. Monitoring and Logging
14. Access and Control
15. Acquisition, development and maintenance
16. Supplier relationships
17. Incident Management
18. Business Continuity
19. Compliance
20. Appendix A - Personal Data Processing Activities
20.1. Third Party Data Processing – Data Lifecycle Questionnaire
20.2. Eight Data Protection Principles (set out in the Data Protection Act 1998)
21. Appendix B - Approvals
21.1. BBC Information Security, Governance & Compliance
21.2. BBC Information Policy & Compliance (if required)
22. Appendix C – Contact and help Information
22.1. BBC Information Security, Governance & Compliance
22.2. BBC Information Policy Compliance
23. Appendix D – Template Version Control
1. Purpose of this document
1.1. Background
BBC Information Security is required to assess the adequacy of security controls for all systems/projects/services that host BBC data, prior to those systems going live. Increasingly, those systems are hosted by third party organisations, away from BBC infrastructure.
Before you start – please be aware that, when looking at a new 3rd party hosted system or service, you must first have considered whether existing BBC in-house capabilities are able to deliver what you need.
1.2. About this form
You’ve been asked to fill in this form because you are involved in planning a new system which will process/host BBC data outside of the BBC network, or are intending to make changes to one that already exists. Where technical expertise is required, we expect relevant technicians to be consulted to provide accurate answers.
The answers should be provided by a combination of staff from the third parties involved and the internal BBC team responsible for the project, depending on where the necessary understanding resides.
Where the system is not affected by questions in this form, you are at liberty to mark these N/A, but please detail why you believe these are not applicable.
This document is used to assess your security capabilities in the context of the system/service being delivered and, in particular, the sensitivity of the data being hosted. Small organisations are not precluded, and a single person may be responsible for many roles that appear to be defined within these questions.
There are 2 parts to this form.
Part 1 – Information Security Review – Sections 2-19
Part 2 – BBC IP&C Review – Section 20 (to be completed where personal data is stored)
Once you have completed the form, please submit it to BBC Information Security ([email protected]), who will review the form, distribute it to BBC IP&C/BBC PR&C (where required) and ask further questions as required to complete their review. Based on this review, BBC Information Security may require additional controls/mitigations to be implemented as a condition for signoff.
1.3. Completing and submitting this form
The BBC staff managing this project should fill in the following sections:
• Section 2
• Section 3.1
The supplier should complete sections 3.2 to 19. If any form of personal data is to be hosted on the solution, section 20 should also be completed by the supplier.
The completed form should only be emailed to the BBC within an encrypted zip file, with the key being sent by SMS to the intended recipient of the email.
2. Summary Information
Summary information about system/project under review
To be completed by BBC staff responsible for this project.
2.1
Please enter your name, contact details and your role with this project or system
(Details, must include email address and mobile number)
2.2
Please detail the name of the third party supplier contact and their details.
(Details)
2.3
If the system, solution, project, or development has a name, please indicate it here.
(Details)
We sometimes encounter systems that have previously been known as something else; if this is the case, please let us know any previous names:
(Details)
2.4
If your submission is part of a larger system or project, please give the name of the “parent” system or project. If you have already submitted one of these forms for the parent system, please indicate this here and only answer the rest of the questionnaire if there is a difference between this child system and its parent.
(Details)
If the submission is replacing an older system – please explain here how the data / crypto keys on this system will be securely destroyed/migrated.
(Description)
2.5
Please give an indication of how urgent the Information Security approval is – indicate any critical decision dates or project milestones:
(Description)
2.6
If the system were to become non-operational as a result of a security event that affected it (or dependent systems), would this impact broadcast output, or the ability of the BBC to perform its normal business functions? Please explain how:
(Description)
Similarly, if information were to be stolen from the system, or modified/deleted as a result of a security event, would this impact broadcast output, or the ability of the BBC to perform its normal business functions? Please explain how:
(Description)
3. High Level Details
3.1. To be completed by BBC staff responsible for this project.
3.1.1
Please give a very brief description of what the system will be for and how it will work
(Description)
3.1.2
Please describe the information/data that will be stored/processed by the system.
(Description)
(If you are collecting or processing any personal data (including name, email, address, telephone numbers, DOB, age, bank details, staff number, salary, NI number, next of kin, images, nationality, race, gender, criminal record, religion, sex life, political opinion/affiliations, IP addresses), you must fill out the Data Lifecycle Questionnaire in Section 20)
3.1.3
Is your requirement likely to need a name registered on the Internet?
(Description)
If yes – you must contact [email protected] [Domain Manager in the GAL] to manage this process.
3.1.4
Has any funding been allocated to secure the solution, including Penetration Testing?
(Description)
3.1.5
Who in the BBC will be responsible for controlling access to the data after go-live? (e.g. who is the data owner)
(Description)
3.1.6
Most systems need to be operated, supported, maintained and repaired. What plans are in place to perform these functions?
(Description)
Which group(s) or suppliers will be responsible?
(Name)
3.1.7
What is the contract period for each 3rd party?
(Description)
3.1.8
What audit rights will the BBC have in the contract with the supplier?
(Description)
3.1.9
Will the data be shared with any other third parties? If so, a separate Holding and Hosting form will be required.
(Description)
3.1.10
If the system were to be affected by an external event, how long could it be unavailable before it causes significant disruption to BBC operations?
(Description)
3.2. To be completed by supplier
3.2.1
Please enter your name, contact details and your role with this project or system
(Details)
3.2.2
Please give a very brief description of what the system will be for and how it will work
(Description)
3.2.3
Please describe the information/data that can be stored/processed by the system.
(Description)
(If you are collecting or processing any personal data (including name, email, address, telephone numbers, DOB, age, bank details, staff number, salary, NI number, next of kin, images, nationality, race, gender, criminal record, religion, sex life, political opinion/affiliations, IP addresses), you must fill out the Data Lifecycle Questionnaire in Section 20)
3.2.4
Please supply us with a detailed diagram of the information flows within the system and between it and other systems.
(Attached File)
3.2.5
Please supply us with a high-level system or architectural diagram, showing what equipment will be used, where it will be located, how it will be interconnected and what Operating, Database and main software components run on each. This should also include Firewalls and any IDS/IPS installed. (This can be the same diagram as above if it covers both clearly.)
(Attached File)
3.2.6
Please supply us with the high-level System Design Documentation, including details of all Information Security requirements and planned implemented InfoSec functionality.
(Attached File)
3.2.7
Will the system accept data from another system and if so, what?
(Yes/No and Description)
Will the system send data to another system and if so, what?
(Yes/No and Description)
3.2.8
What will be the principal methods of transporting information? Examples include (but are not limited to): HTTP “get”; SFTP over SSH; HTTPS; email etc.
(Description)
3.2.9
Most systems need to be operated, supported, maintained and repaired. What plans are in place to perform these functions?
(Description)
Which group(s) or suppliers will be responsible?
(Name)
3.2.10
Where are your corporate headquarters based?
(Location)
Do you have any subsidiaries, affiliates or parent companies based in the United States of America? (If yes, please give details.)
(Yes/No & Location)
3.2.11
Please indicate whether any vulnerability scanning or penetration testing has been, or is scheduled to be, carried out on the application.
(Description)
If so – please indicate any critical or significant findings from such reviews and how you have addressed them.
(Yes/No and Description)
4. Support Responsibilities Matrix
INFRASTRUCTURE SUPPORT LAYER
NAME OF RESPONSIBLE
ORGANISATION/INDIVIDUAL (or N/A)
4.1
Physical Hardware/Data Centre (Computers, Network
infrastructure, Power and Cooling)
(Name)
4.2
Virtualisation Layer Support (where applicable)
(Name)
4.3
Operating System Support
(Name)
4.4
Database Support (DBAs)
(Name)
4.5
Application / Web Application Support (Code)
(Name)
4.6
Application / Web Application Support (User Admin)
(Name)
5. Information Security Policy
5.1
Does your organisation have in place a set of Information Security Policies? If so, please provide copies of the policies.
(Yes/No and Attachments)
5.2
Are these policies approved by the senior management within your organisation, regularly reviewed and communicated to all your staff?
(Yes/No)
5.3
If the organisation that will hold the BBC data is a subcontractor to your organisation, how will you ensure that their Information Security meets required standards?
(Description)
6. Organisation of Information Security
6.1
Who has been appointed to take ultimate responsibility for Information Security within your organisation?
(Name & Role)
6.2
Have all information security responsibilities within your organisation been defined and allocated, including maintaining appropriate contacts with relevant authorities and groups, ensuring that information security is addressed in project management and ensuring that conflicting duties and areas of responsibility are segregated?
(Yes/No)
7. Human Resource Security
7.1
Are background checks, Disclosure and Barring Service (DBS, previously CRB) checks, or similar, carried out on staff that will be accessing BBC data or systems?
(Yes/No)
7.2
Have staff members agreed to and signed the BBC's Acceptable Use Policy?
(Yes/No)
7.3
When a person working with BBC data no longer performs that role, are their permissions to BBC data revoked?
(Yes/No)
8. Asset Management
8.1
Will an asset register be completed to log all assets holding BBC data, and who is responsible for updating it?
(Yes/No and Description)
8.2
Will all BBC Data held on removable media, including Back-ups, be encrypted?
(Description)
8.3
Describe how and when media containing BBC Data would be securely destroyed.
(Description)
8.4
Will any physical media containing BBC Data be transferred outside your organisation (e.g. Back-ups) and if so, what procedures will be in place to protect the media from loss?
(Yes/No and Description)
9. Logical Security
9.1
How will you decide which of your staff (support, development etc.) need access to the BBC system and data? How will you manage that access and what controls are in place to ensure that privileged access rights will be restricted and controlled?
(Description)
9.2
Will the User/Privileged access rights for your staff be regularly reviewed?
(Yes/No)
9.3
What system functionality will be in place to enable BBC staff to manage access to the BBC system and data, including what controls are in place to ensure that privileged access rights can be restricted and controlled?
(Description)
9.4
Please state what system enforced password settings are active for:
(Description)
• Password Minimum Length/Complexity
(Description)
• Password Change Interval
(Description)
• Lockout (after incorrect password entries)
(Description)
• Password aging/history
(Description)
Can you confirm all default passwords have been changed?
(Yes/No)
Can you also state what additional measures will be in place to secure administrator accounts (e.g. stronger passwords, 2FA or crypto keys required to access systems)?
(Description)
10. Cryptography
10.1
Will any or all BBC data be encrypted at rest within the system?
(Yes/No)
If yes, provide details of what data will be encrypted and of the strength and type of encryption used.
(Description)
10.2
Will password hashing be used within the system; if so where, to what standard and will any salting be used?
(Yes/No)
10.3
Will BBC data be encrypted whilst in transit?
(Yes/No)
If yes, provide details of when data will be encrypted and of the strength and type of encryption used.
(Description)
10.4
In the case of web based applications, will users of the application be required to login?
(Yes/No)
Will this login be over a secure link – e.g. HTTPS?
(Description)
10.5
Please describe any other planned data transfers / connections between the users' browsers and the web application (e.g. Cookies, Form submissions etc).
(Description)
Please explain how these data transfers will be secured in transit (e.g. HTTPS - SSL/TLS etc).
(Description)
11. Physical and Environmental Security
11.1
What physical measures (e.g. CCTV, Coded Locks, Guards) will be in place to protect BBC data that is stored:
• At your offices/location?
(Description)
• At the data centre?
(Description)
How will these controls be managed and monitored?
(Description)
11.2
Where will the servers that will hold the BBC data be located?
(Description)
• All in the UK
• Some in the UK (where are the rest?)
• None in the UK (where are they?)
Will the servers be held in secure Server Rooms?
(Description)
Will any hardware be stored outside of locked server rooms?
(Description)
12. Operations Security
12.1
Is there a documented standard procedure followed for building and hardening host machines?
(Yes/No and Description)
12.2
Are these procedures periodically reviewed and kept in line with current best practice?
(Yes/No)
12.3
Please outline your planned approach to security patching of operating systems and applications that form part of the system.
(Description)
Please confirm that critical and important security patches will be up to date.
(Yes/No)
12.4
Please outline any anti-malware (antivirus, etc.) tools that will be used to protect the system.
(Description)
12.5
What firewalls and network/host protection measures (e.g. IDS or IPS) will be in place to protect BBC data?
(Description)
Describe how you will configure and maintain the above and monitor alerts generated.
(Description)
12.6
Will the application collect and/or host any User Generated Content (UGC)?
(Yes/No)
If so – describe the UGC in detail and explain what moderation approach will be applied.
(Description)
13. Monitoring and Logging
13.1
Will event logging/audit mechanisms be turned on at all times for the system?
(Yes/No)
13.2
What information will be contained within logs?
(Description)
13.3
Will logs be regularly reviewed?
(Yes/No and Description)
13.4
How long will logs be retained?
(Description)
14. Access and Control
14.1
Will any form of Remote Access technology be required? If so, what? Does this include two factor authentication?
(Yes/No and Description)
14.2
Please describe how BBC data will be kept logically and/or physically separated from other users’ data.
(Description)
15. Acquisition, development and maintenance
15.1
Please provide an overview of your formal methodology for software development and security testing, including how you engineer secure systems.
(Description)
15.2
Is there a formal change control procedure for any application or solution changes? Will BBC services be tested and reviewed to ensure there are no adverse impacts on operations and security?
(Yes/No and Description)
How will these changes be communicated to the BBC?
15.3
Will a pen test of the full system be completed? Were there any identified vulnerabilities? If so, what?
(Yes/No and Description)
15.4
Will a separate test environment be used? Will this include the use of dummy or live BBC data? If Live Data, how will that data be secured?
(Description)
16. Supplier relationships
16.1
Are you planning to use any third parties to help develop the system, or host or process any BBC data?
(Yes/No and Description)
16.2
Are you planning to share BBC data with any other third parties?
(Yes/No and Description)
16.3
If yes to either of the above, have you audited the third parties to determine whether they have implemented appropriate security measures?
(Description)
17. Incident Management
17.1
Have management responsibilities and procedures been established to ensure a quick, effective and orderly response to information security incidents?
(Yes/No)
17.2
How will security incidents relating to BBC data be reported to the BBC?
(Yes/No)
18. Business Continuity
18.1
Is there a proven, documented, secure Disaster Recovery process which will be used for BBC data? Please provide an overview, i.e. DR facility site location, testing of restore processes, etc.
(Description)
18.2
What processes and methods will be put in place to securely back up the system?
(Description)
18.3
How will the system be restored (i.e. from backup or a rebuild from scratch) to a known working state?
(Description)
18.4
Where will the Back-up data be stored?
(Description)
18.5
If the contract with the BBC requires a high availability level (95% availability or above), how will you meet these requirements? Namely, Power outage, Single points of failure, Unavailability of critical staff, Unsatisfactory maintenance of equipment, Failure of equipment/software.
(Description)
19. Compliance
19.1
Is your organisation ISO/IEC 27001 certified or compliant? Please provide details.
(Certified/Compliant/No & Details)
19.2
Is your organisation’s Information Security Management System (i.e. control objectives, controls, policies, processes and procedures for information security) reviewed and inspected for compliance, independently at planned intervals, or when significant changes to the security implementation occur?
(Yes/No and Description)
19.3
Have all relevant statutory, regulatory and contractual requirements (including: intellectual property rights, protection of records, protection of personally identifiable information and cryptographic controls) and the organisation’s approach to meet these requirements been explicitly identified, documented and kept up to date for the/each BBC information system and the organisation as a whole?
(Yes/No)
20. Appendix A - Personal Data Processing Activities
20.1. Third Party Data Processing – Data Lifecycle Questionnaire
The questionnaire below will help the BBC to assess this activity’s compliance with the Data Protection Act 1998 and the BBC’s own internal DP policies.
Please over-write the guidance text in the right-hand column with your responses (the easiest way to do this is by navigating with the TAB key). It is important to complete as much of this as possible. Questions marked with ** indicate areas of increased risk.
A separate map should be completed by the BBC to show the data flow within the BBC.
*Please ensure a contract is in place before any personal data is transferred to a third party supplier*
Supplier:
Activity: [ summary of Personal Data processing activity ]
Key Contact: [ person who ‘owns’ this process - usually person completing this form ]
BBC Contact: [ insert team & division ]
1. Preliminaries
1.1
Is a contract with DP clauses in place?
(Yes/No)
(if yes, please attach a copy)
1.2
Has a BBC Holding & Hosting form previously been completed?
(Yes/No)
2. Data collected
2.1
What BBC data is being processed?
(List all personal data fields)
2.2
Is any sensitive personal data being processed?
(Yes/No and Description)
(Defined as: race, criminal record, religion, sex life, political opinion/affiliations, trade union membership, health status)
2.3
Why do you need to collect the personal data or sensitive personal data?
(Description)
3. Collection process - consent
3.1
How is the data collected?
(Description)
(e.g. shared by the BBC or collected via webform, application form)
If data is collected by the supplier:
3.2
Have you provided a Privacy Notice?
(Yes/No)
(If yes, please attach a copy)
3.3
If collecting under-16s data, have you obtained parental consent? **
(Yes/No)
(If yes, specify mechanism used – e.g. tick box or verified parental email)
3.4
Did you obtain consent for the collection of any sensitive personal data?
(Yes/No and Description)
4. Cookies
4.1
Does this process utilise cookies?
(Yes/No)
(If yes, specify name of cookie(s))
4.2
What data is stored in the cookie?
(Description)
4.3
Who sets the cookie – supplier or BBC?
(Description)
(If set by supplier, please specify how consent is obtained, if appropriate)
5. Data storage
5.1
Where is the data stored?
(Description)
(e.g. shared drive, external server)
5.2
Are hard copies taken off-site? **
(Yes/No)
(If yes, provide details of where and why)
5.3
Does the data ever leave your network? (for example, the use of third party clouds, and archiving)
(Yes/No)
(If yes, please provide details of where and why)
6. Access
6.1
Who has access to the data?
(Description)
(job title, team (and company, if relevant) for each person with access)
6.2
What access controls are in place for electronic records?
(Description)
(e.g. individual login, password protection)
6.3
Do you keep an electronic, auditable record of who has accessed data?
(Yes/No and Description)
7. Sharing
7.1
Is data shared with another supplier? **
(Yes/No and Description)
7.2
Is there a contract in place with the supplier?
(Yes/No)
(if yes, please attach a copy)
7.3
How is the data transferred?
(Description)
(e.g. by encrypted email)
7.4
Is data sent out of the UK? **
(Yes/No)
(if yes, specify country)
(if US, is the company ‘Safe Harbor’ registered?)
8. Retention & Deletion
8.1
What is the retention policy for this processing?
(Description)
8.2
How will you ensure this policy is adhered to?
(Description)
8.3
If hard copies are kept, how are hard copies disposed of?
(Description)
(e.g. normal waste or shredded)
8.4
How are electronic records deleted?
(Description)
(e.g. overwritten or secure erasure)
8.5
Do you keep a log of what data is deleted, and when?
(Yes/No and Description)
20.2. Eight Data Protection Principles (set out in the Data Protection Act 1998)
1. Process fairly and lawfully
2. Obtained for specified and lawful purposes
3. Adequate, relevant and not excessive
4. Accurate and up to date
5. Not kept any longer than necessary
6. Process in line with the individual’s rights
7. Process securely
8. Not transferred outside EU without adequate protection
21. Appendix B - Approvals
21.1. BBC Information Security, Governance & Compliance
Approval
System Review ID: Syyyy/nnnnn/rr
ISGC Contact Details:
Name:
Role: Information Security & Governance Specialist
Address:
Telephone:
Email:
ISGC Approval: Name – Date
Linked Dispensations: Dispensation ID 1, Dispensation ID 2, Dispensation ID 3, Dispensation ID 4
High Level Risk Assessment: Very Low / Low / Medium / High / Very High
Information Classification:
Next Review Date: Date
Approval Condition(s): Details
Comments: Comments
21.2. BBC Information Policy & Compliance (if required)
Approval
IP&C Contact Details:
IP&C Approval: Name – Date
Approval Condition(s): Details
Comments: Comments
22. Appendix C – Contact and help Information
22.1. BBC Information Security, Governance & Compliance
Contact
BBC ISGC Team
Email: [email protected]
BBC InfoSec Incident Reporting
Email: [email protected]
Daryl Pilgrim (Information Security & Governance Manager)
Email: [email protected]
22.2. BBC Information Policy Compliance
Contact
BBC IP&C Team
Email: [email protected]
23. Appendix D – Template Version Control

| Date | Version | Author | Change / Comments |
|---|---|---|---|
| 01 Aug 14 | 4.1 | Bruno Garrancho | Initial draft version |
| 04 Apr 14 | 4.2 | Paul Finn | Review by Team |
| 10 Apr 14 | 4.3 | Paul Finn | IP&C Section Updated |
| 14 Apr 14 | 4.4 | Paul Finn | Completed Draft |
| 21 Apr | 5.0 | Daryl Pilgrim | Fully approved version |