POL00362909
POL00362909
Post Office Limited - Document Classification: INTERNAL
Cyber Security Standards
Cyber and Information Security
Standard
Version — V2.2
INTERNAL Page 1 of 23 Cyber and Information
Security Standard 2.22
POL00362909
POL00362909
Post Office Limited - Document Classification: INTERNAL
1 Overview 3
1.1. Introduction by the Standard Owner. 3
1.2 Purpose .. 3
1.3. Core Principles. 3
1.4 Application ......cccccccccccccececseeeeeseueeeseueeeesueeseseueeeeseeueeseeeeeeeueueseseueessuaeeesauees 3
2 Policy Framework ......ccccccseeeeseeeeeeeeeeeeeeeeeeeeeeeeeseeeeeeaeeeeeaaeeeeaaeeeeeaaeeesaaeeeeeaeesenee 4
2.1 POliCY FraMeWOFK........sceeeeseeeeeeeeeeceeseeeeeeenssaeeeeeeeeeeeeeeeeeeeeessssaesaeeeeeeeeeseeeeee 4
2.2 WHO MUSt COMPLY? ......csssesssseeeeeseeesseeseeeseeesssneeseuseeesseeseeeeeeeseeaueneeseeeseeeeeeees 4
3 MINIMUM CONtrOls «2.2... eee rere eee eee reer nneee reese enneeeeee enna 5
4 Where to go for Helpa........cccceceececceeeceeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeseeeasseeeeeeeeeeeeeeeeeees 22
4.1 Additional Policies .......... cc cccceseeetee cece eeeeeeteeeeeeeeeeeeeeeeeeeeeeeteeeeeeeeeeeeeeaaee
4.2 How to raise a concern
4.3, Who to contact for more information
5 Version Control & Approval.
5.1. Version Control
5.2 Standard Approval ........cccsececseeeeeeseeeeeseeeeeseeeeeeaeeseeaeeeeeeaeeeeeeaeseeneeeenneeeeee 23
INTERNAL Page 2 of 23 Cyber and Information
Security Standard 2.22
POL00362909
POL00362909
Post Office Limited - Document Classification: INTERNAL
1 Overview
1.1 Introduction by the Standard Owner
Post Office is committed to protecting its employees, customers, Third Party Supply Chain
and information assets from damaging or illegal actions by individuals, either knowingly
or unknowingly. Post Office enables this through the development and deployment of
policies, standards and guidelines which are aligned to international best practices.
Effective cyber and information security is a team effort involving everyone in Post Office
1.2 Purpose
The purpose of the Cyber and Information Security Standard is to provide a structured
approach to maintaining the Confidentiality, Integrity and Availability of Post Office data.
1.3 Core Principles
Compliance with this standard will ensure that the following principles are met:
e Minimise the likelihood that Post Office’s information assets will be subject to
risks associated with theft, loss, misuse, damage or abuse of these information
assets, whether intentional or unintentional, by aiding in preserving their
confidentiality, integrity and availability.
e Ensure that employees remain aware of their responsibilities.
e Ensure on-going threat awareness, compliance and continual improvement of
information security processes within Post Office.
« Meeting Post Office’s contractual, legal and regulatory compliance requirements.
1.4 Application
This standard relates to all Post Office information and data assets whether they are owned
directly by Post Office or managed on behalf of Post Office by a third party supplier.
INTERNAL Page 3 of 23 Cyber and Information
Security Standard 2.22
POL00362909
POL00362909
Post Office Limited - Document Classification: INTERNAL
2 Policy Framework
2.1 Policy Framework
This standard forms part of the Cyber and Information Security Policy Set. This contains
controls that form part of the Information Technology Control Framework (ITCF) governed
by the overarching Post Office wide framework.
2.2 Who must comply?
Compliance with this standard is mandatory for all Post Office employees and applies
wherever in the world Post Offices business is undertaken. All third parties who do business
with Post Office, including consultants, suppliers and business and franchise partners, will
be required to agree contractually to this standard or have their own equivalent
policy/standard.
INTERNAL Page 4 of 23 Cyber and Information
Security Standard 2.22
Post Office Limited - Document Classification: INTERNAL
3 Minimum Controls
POL00362909
POL00362909
The table below sets out the relationships between identified risk, and the required minimum control standards.
Control Ref Control Attestation Guidance
Analyze the business environment in which the organization operates.
Identify the internal factors that may affect organizational objectives.
Include existing information in the analysis of the internal business
environment.
Include resources in the analysis of the internal business environment.
PHTO002 Analyze organizational objectives, I Include strengths and weaknesses in the analysis of the internal business
functions, and activities. environment.
Align assets with business functions and the business environment.
Disseminate and communicate the organization’s business environment
and place in its industry sector.
Monitor for changes which affect organizational objectives in the internal
business environment.
Monitor for changes which affect organizational strategies in the external
environment.
Monitor for changes which affect organizational objectives in the external
PHTOO11 Analyze the external environment in which I environment.
the organization operates. Include opportunities in the analysis of the external environment.
Include technology in the analysis of the external environment.
Cyber and Information Security must be embedded into change and project
management processes.
INTERNAL Page 5 of 23 Cyber and Information
Security Standard 2.22
Post Office Limited - Document Classification: INTERNAL
POL00362909
POL00362909
Control Ref Control Attestation Guidance
The purpose of the business analysis practice is to analyse a business or
PHT0016 Conduct a context analysis to define I Some element of it, define its associated needs, and recommend solutions
objectives and strategies. to address these needs and/or solve a business problem, which must
facilitate value creation for stakeholders.
Evaluate organizational objectives to determine impact on other
organizational objectives.
PHT0017 Establish, implement, and maintain I Identify events that may affect organizational objectives.
organizational objectives. Identify conditions that may affect organizational objectives.
Identify requirements that could affect achieving organizational objectives.
Identify opportunities that could affect achieving organizational objectives.
PHT0023 ae aoe a ee Disseminate and communicate organizational objectives to all interested
Prioritize organizational objectives. personnel and affected parties.
Identify threats that could affect achieving organizational objectives.
PHTO025 Document and communicate the linkage I CTRLO020676 Identify how opportunities, threats, and external
between organizational objectives, I requirements are trending.
functions, activities, and general controls. I Review the organization’s approach to managing information security, as
necessary.
INTERNAL Page 6 of 23 Cyber and Information
Security Standard 2.22
Post Office Limited - Document Classification: INTERNAL
POL00362909
POL00362909
Control Ref Control Attestation Guidance
Analyze and prioritize the requirements of interested personnel and
affected parties.
PHT0029 Identify all interested personnel and I A list of appropriate contacts from the relevant authorities for Cyber and
affected parties. Information Security must be created and maintained.
A list of membership to any special interest groups must be created and
maintained.
Classify the sensitivity to unauthorized disclosure or modification of
information in the information classification standard.
Establish, implement, and maintain an Classify the criticality to unauthorized disclosure or modification of
PHTO0031 information Classification standard information in the information classification standard.
. Classify the value of information in the information classification standard.
Classify the legal requirements of information in the information
classification standard.
PHT0036 Establish, implement, and maintain a data I An appropriate classification scheme will need to be enforced, such as the
classification scheme. Information Classification Standard.
The purpose of the architecture management practice is to provide an
i - inal, understanding of all the different elements that make up an organization
PHT0037 Forabishy implement, and ee and how those elements interrelate, enabling the organization to effectively
A achieve its current and future objectives.
Architecture model.
Establish, implement, and maintain sustainable infrastructure planning.
INTERNAL Page 7 of 23 Cyber and Information
Security Standard 2.22
Post Office Limited - Document Classification: INTERNAL
POL00362909
POL00362909
Control Ref Control Attestation Guidance
Subscribe to a threat intelligence service to receive notification of emerging
threats.
Disseminate and communicate emerging threats to all interested personnel
and affected parties.
PHT0039 Monitor regulatory trends to maintain Disseminate and communicate updated guidance documentation to
" interested personnel and affected parties upon discovery of a new threat.
compliance.
All relevant legislative statutory, regulatory, contractual requirements and
the approach to meet these requirements shall be explicitly identified,
documented, and kept up to date for all POL Systems.
Correct errors and deficiencies in a timely manner.
Document the deficiencies in a deficiency report that were found during
PHT0043 Establish, implement, and maintain a I Quality Control and corrected during Quality Improvement.
Quality Management framework. Include program documentation standards in the Quality Management
program.
Include system testing standards in the Quality Management program.
Identify roles, tasks, information, systems, and assets that fall under the
organization’s mandated Authority Documents.
Establish, implement, and maintain a policy and procedure management
program.
Include requirements in the organization’s policies, standards, and
Establish and maintain the scope of the I procedures.
PHTO054 organizational compliance framework and I Analyze organizational policies, as necessary.
Information Assurance controls. Establish and maintain a list of compliance documents.
Document organizational procedures that harmonize — external
requirements, including all legal requirements.
Establish, implement, and maintain full documentation of all policies,
standards, and procedures that support the organization’s compliance
framework.
INTERNAL Page 8 of 23 Cyber and Information
Security Standard 2.22
Post Office Limited - Document Classification: INTERNAL
POL00362909
POL00362909
Control Ref
Control
Attestation Guidance
Disseminate and communicate the organization’s policies, standards, and
procedures to all interested personnel and affected parties.
ISMS must be aligned to ISO027001/02 and independently assessed on an
annual basis.
PHT0063
Publish, disseminate, and communicate a
Statement on Internal Control, as
necessary.
Include management’s assertions on the effectiveness of internal control in
the Statement on Internal Control.
Include confirmation of any significant weaknesses in the Statement on
Internal Control.
Include roles and responsibilities in the Statement on Internal Control
Include limitations of internal control systems in the Statement on Internal
Control.
PHT0068
Approve all compliance documents.
Align the list of compliance documents with external requirements.
Assign the appropriate roles to all applicable compliance documents.
Establish, implement, and maintain a compliance exception standard.
Include all compliance exceptions in the compliance exception standard.
Review the compliance exceptions in the exceptions document, as
necessary.
PHT0074
Disseminate and communicate compliance
documents to all interested personnel and
affected parties.
Disseminate and communicate any compliance document changes when
the documents are updated to interested personnel and affected parties.
INTERNAL
Page 9 of 23
Cyber
and Information
Security Standard 2.22
Post Office Limited - Document Classification: INTERNAL
POL00362909
POL00362909
Control Ref Control Attestation Guidance
Establish and maintain a compliance oversight committee.
Provide critical project reports to the compliance oversight committee in a
timely manner.
Assign the corporate governance of Information Technology to the
compliance oversight committee.
Involve the Board of Directors or senior management in Information
Governance.
PHT0076 Define the Information Assurance I Address Information Security during the business planning processes.
strategic roles and responsibilities. Assign reviewing and approving Quality Management standards to the
appropriate oversight committee.
Governance and Risk Management processes must be in place and an
assessment must be completed for all systems annually and during major
change.
Conflicting roles must be documented defining any that require segregation
from other roles.
7 . . «cpre I FOP Management and oversight bodies, where applicable, should ensure
PHTOOBS panne and assion the chief of Risk’s that the authorities, responsibilities and accountabilities for relevant roles
ies with respect to risk management are assigned and communicated at all
responsibilities. ge
levels of the organization
Establish, implement, and maintain a decision management strategy.
Include criteria for risk tolerance in the decision making criteria.
PHTOO84 Establish, implement, and maintain a Include criteria for selecting objectives and strategies in the decision
strategic plan. making criteria. . Ghee iG cei A steari
Include criteria for setting priorities in the decision making criteria.
Align organizational objectives with compliance objectives in the decision-
making criteria.
INTERNAL Page 10 of 23 Cyber and Information
Security Standard 2.22
Post Office Limited - Document Classification: INTERNAL
POL00362909
POL00362909
Control Ref Control Attestation Guidance
Align organizational objectives with performance targets in the decision-
making criteria.
Align organizational objectives with the acceptable residual risk in the
decision-making criteria.
Identify and document the events that initiate the decision management
strategy.
Create additional decision-making criteria to achieve organizational
objectives, as necessary.
Document and evaluate the decision outcomes from the decision-making
process.
Cyber and Information security requirements for mitigating the risks within
the supplier must be assessed prior to the supplier entering into a contract
with Post Office or having access to Post Office Data.
A supplier management process must in place.
Include business continuity objectives in the Strategic Information
Technology Plan.
Align business continuity objectives with the business continuity policy.
Business Continuity Planning and Disaster Recovery must be in place and
PHTO095 Establish, implement, and maintain a tested annually for the continuity of Information Security Management
fs . during a crisis or disaster.
Strategic Information Technology Plan.
Backup copies of information, software and system images shall be taken
as per an agreed schedule and tested regularly.
Business impact assessment must performed on an annual basis to gain an
understanding of the impact of any adverse event.
INTERNAL Page 11 of 23 Cyber and Information
Security Standard 2.22
Post Office Limited - Document Classification: INTERNAL
POL00362909
POL00362909
Control Ref Control Attestation Guidance
PHTO098 isk-
Strategie information ‘Tachneloay flan to Mirror the organization’s business strategy during Information Technology
the business's needs. planning in the Strategic Information Technology Plan.
Establish, implement, and maintain tactical Information Technology plans
derived from the Strategic Information Technology Plan.
Document how each Information Technology project plan directly or
indirectly supports the Strategic Information Technology Plan.
Document the business case and return on investment in each Information
Technology project plan.
Document all desired outcomes for a proposed project in the Information
Technology project plan.
Assign senior management to approve business cases.
Establish, implement, and maintain Include milestones for each project phase in the Information Technology
PHT0100 tactical Information Technology plans in project plan.
support of the Strategic Information
Technology Plan. All systems holding or processing Post Office information shall operate anti-
malware protection regardless of the underling operating system. The
systems used shall be the current best practice offerings.
Anti-virus program must capable of detecting, removing, and protecting
against all known types of malicious software and Post Office must be
maintained as follows:
e keep current,
e Perform periodic scans
e Generate audit logs which are retained according to the data
retention policy.
INTERNAL Page 12 of 23 Cyber and Information
Security Standard 2.22
Post Office Limited - Document Classification: INTERNAL
POL00362909
POL00362909
Control Ref Control Attestation Guidance
e Anti-virus mechanisms are actively running and cannot be disabled
or altered by users.
Disseminate and communicate the Information Technology Plans to all
interested personnel and affected parties.
Monitor and evaluate the implementation and effectiveness of Information
Technology Plans.
PHTO107 Document lessons learned at _ the I Establish and maintain an Information Technology plan status report that
010 conclusion of each Information I covers both Strategic Information Technology Plans and_ tactical
Technology project. Information Technology plans
Include the Information Governance Plan in the Strategic Information
Technology Plan.
Review and approve the Strategic Information Technology Plan at the level
of senior management or the Board of Directors.
Establish, implement, and maintain a Establish and maintain a rapport with business and technical communities
imp! isk ’ d ' i throughout the organization to promote the value and importance of
PHT0113 Governance, RisI an Compliance Information Security.
awareness and training program.
All Staff must undergo annual Cyber and Information Security training.
INTERNAL Page 13 of 23 Cyber and Information
Security Standard 2.22
Post Office Limited - Document Classification: INTERNAL
POL00362909
POL00362909
Control Ref Control Attestation Guidance
PHT0115 fnanclal marecment prowam nn” a Establish, implement, and maintain financial reports.
Align the information being disseminated and communicated with the
communication requirements according to the organization's
communication protocol.
Assess the effectiveness of the communication methods used in the
communication protocol.
Include input from interested personnel and affected parties as a part of
PHT0117 Establish, implement, and maintain I the organization’s communication protocol.
communication protocols. Report to management and stakeholders on the findings and information
gathered from all types of inquiries.
Establish and maintain the organization's survey method.
Establish, implement, and maintain warning procedures that follow the
organization's communication protocol.
Establish, implement, and maintain alert procedures that follow the
organization's communication protocol.
Monitor service availability when implementing the service management
PHT0125 Establish, implement, and maintain an I monitoring and metrics program.
external reporting program. Compare the performance metrics of service availability against their
targets, as necessary.
INTERNAL Page 14 of 23 Cyber and Information
Security Standard 2.22
Post Office Limited - Document Classification: INTERNAL
POL00362909
POL00362909
Control Ref Control Attestation Guidance
Establish, implement, and maintain an approach for compliance
monitoring.
Establish, implement, and maintain risk management metrics.
Identify information being used to support the performance of the
governance, risk, and compliance capability.
Monitor personnel and third parties for compliance to the organizational
compliance framework.
Identify and document instances of non-compliance with the compliance
framework.
. . ue Determine the causes of compliance violations.
PHTO399 compliance monitoring palicy maintain a Determine if multiple compliance violations of the same type could occur.
. Review the effectiveness of disciplinary actions carried out for compliance
violations.
Carry out disciplinary actions when a compliance violation is detected.
Align disciplinary actions with the level of compliance violation.
Establish, implement, and maintain a security program metrics program.
Report on the policies and controls that have been implemented by
management.
Establish, implement, and maintain a Business Continuity metrics program.
Establish, implement, and maintain an Information Security metrics
program.
Establish, implement, and maintain a metrics standard and template.
. . apne Monitor compliance with the Quality Control system.
PHT0414 Establish, implement, and maintain a Establish, implement, and maintain a policies and controls metrics
metrics policy.
program.
Monitor the supply chain for Information Assurance effectiveness.
INTERNAL Page 15 of 23 Cyber and Information
Security Standard 2.22
Post Office Limited - Document Classification: INTERNAL
POL00362909
POL00362909
Control Ref Control Attestation Guidance
Establish, implement, and maintain a network management and firewall
management metrics program.
Establish, implement, and maintain a network activity baseline.
Establish, implement, and maintain an incident management and
vulnerability management metrics program.
i antai Report on the percentage of vulnerability assessment findings that have
PHT0419 Establish, implement, and maintain a . " .
technical measurement metrics policy. been addressed since the last reporting period.
Cyber and Information security events must be assessed and it shall be
decided if they are to be classified as information security incidents.
Cyber and Information security incidents must be responded to in
accordance with the documented procedures.
Restrict access to logs to a need to know basis.
Restrict access to audit trails to a need to know basis.
PHT0424 Establish, implement, and maintain a log I Back up audit trails according to backup procedures.
management program. Copy logs from all predefined hosts onto a log management infrastructure.
Protect logs from unauthorized activity.
Archive the audit trail in accordance with compliance requirements.
Monitor the performance of the I Monitor and periodically evaluate the performance of the capability to
PHT0431 governance, risk, and compliance I ensure it is designed and operated to be effective, efficient, and responsive
capability. to change.
INTERNAL Page 16 of 23 Cyber and Information
Security Standard 2.22
Post Office Limited - Document Classification: INTERNAL
POL00362909
POL00362909
Control Ref Control Attestation Guidance
PHT0432 Establish, implement, and maintain a itoring I ‘ ‘
corrective action plan. Include monitoring in the corrective action plan.
Report compliance monitoring statistics to Report actions taken on known security issues to the Board of Directors or
PHT0434 the Board of Directors and other critical Pc , . Y :
Senior Executive Committee on a regular basis.
stakeholders, as necessary.
PHT0613 Establish, implement, and maintain an I Establish, implement, and maintain a virtual environment and shared
application security policy. resources security program.
Establish, implement, and maintain a security awareness and training
policy.
PHT0849. Establish, implement, and maintain a I Establish, implement, and maintain security awareness and training
security awareness program. procedures.
Disseminate and communicate the security awareness and training
procedures to interested personnel and affected parties.
INTERNAL Page 17 of 23 Cyber and Information
Security Standard 2.22
Post Office Limited - Document Classification: INTERNAL
POL00362909
POL00362909
Control Ref Control Attestation Guidance
Include updates on emerging issues in the security awareness program.
Include cybersecurity in the security awareness program.
Include training based on the participants' level of responsibility and access
level in the security awareness program.
Include a requirement to train all new hires and interested personnel in the
PHT0853 Document security awareness security awareness program.
requirements. Disseminate and communicate the security awareness program to all
interested personnel and affected parties.
Train all personnel and third parties on how to recognize and report security
incidents.
Require personnel to acknowledge, through writing their signature, that
they have read and understand the organization's security policies.
Address common coding vulnerabilities in software-development processes
PHTO861 Conduct secure coding and development I as follows: - Train developers in secure coding techniques, including how
training for developers. to avoid common coding vulnerabilities, and understanding how sensitive
data is handled in memory
Include the mandate to refrain from installing, refrain from replacing, and
refrain from returning any asset absent verification in the tampering
prevention training.
Include how to identify and authenticate third parties claiming to be
PHTO862 Conduct tampering prevention training. maintenance personnel in the tampering prevention training.
Include how to report tampering and unauthorized substitution in the
tampering prevention training.
Include how to prevent physical tampering in the tampering prevention
training.
INTERNAL Page 18 of 23 Cyber and Information
Security Standard 2.22
Post Office Limited - Document Classification: INTERNAL
POL00362909
POL00362909
Control Ref Control Attestation Guidance
iwatian’ I The organization need to create an initial high-level overview of its
PHT0898 Document the organization's business activities and business relationships, the sustainability context in which
processes.
these occur, and an overview of its stakeholders.
Disseminate and communicate updates to the Governance, Risk, and
Compliance framework to interested personnel and affected parties.
Acquire resources necessary to support Governance, Risk, and Compliance.
Implement the prioritized plan for updating the Governance, Risk, and
Compliance framework.
: intai Evaluate the use of technology in supporting Governance, Risk, and
PHTO899 Establish, implement, and maintain a Compliance capabilities.
Governance, Risk, and Compliance . . a
Analyze the effect of the Governance, Risk, and Compliance capability to
framework. woes woot
achieve organizational objectives.
Assign accountability for maintaining the Governance, Risk, and
Compliance framework.
Assign defining the program for disseminating and communicating the
Governance, Risk, and Compliance framework.
PHTO0907 Establish, implement, and maintain a I Define the elements of a control environment for IT, aligned with the
positive information control environment. I enterprise's management philosophy and operating style
INTERNAL Page 19 of 23 Cyber and Information
Security Standard 2.22
Post Office Limited - Document Classification: INTERNAL
POL00362909
POL00362909
Control Ref
Control
Attestation Guidance
PHT0908
Establish,
implement, and maintain an
internal control framework.
Measure policy compliance when reviewing the internal control framework.
Assign ownership of the internal control framework to the appropriate
organizational role.
Assign resources to implement the internal control framework.
Define and assign the roles and responsibilities for interested personnel
and affected parties when establishing, implementing, and maintaining the
internal control framework.
Include procedures for continuous quality improvement in the internal
control framework.
PHT0923
Establish,
implement, and maintain an
information security program.
Include technical safeguards in the information security program.
Include access control in the information security program.
Review and approve access controls, as necessary.
Include operations management in the information security program.
Include physical security in the information security program.
Include a continuous monitoring program in the information security
program.
Include how the information security department is organized in the
information security program.
Include risk management in the information security program.
Include mitigating supply chain risks in the information security program.
Monitor and review the effectiveness of the information security program.
Establish, implement, and maintain an information security policy.
Align the information security policy with the organization's risk acceptance
level.
Include a commitment to the information security requirements in the
information security policy.
Include information security objectives in the information security policy.
Approve the information security policy at the organization's management
level or higher.
Document the roles and responsibilities for all activities that protect
restricted data in the information security procedures.
INTERNAL
Page 20 of 23
Cyber and Information
Security Standard 2.22
Post Office Limited - Document Classification: INTERNAL
POL00362909
POL00362909
Control Ref Control Attestation Guidance
Require interested personnel and affected parties to sign nondisclosure
agreements.
PHT0965 Establish, implement, and maintain I Establish, implement, and maintain a use of information agreement.
nondisclosure agreements.
Confidentiality or non-disclosure agreements must be in place when
sharing Post Office data with a third party.
Establish, implement, and maintain consequences for non-compliance with
the organizational compliance framework.
Comply with all implemented policies in the organization's compliance
framework.
Implement and comply with the I Provide assurance to interested personnel and affected parties that the
PHT0968 Governance, Risk, and Compliance I Governance, Risk, and Compliance capability is reliable, effective, efficient,
framework. and responsive.
Review systems for compliance with organizational information security
policies.
Disseminate and communicate the Governance, Risk, and Compliance
framework to all interested personnel and affected parties.
INTERNAL Page 21 of 23 Cyber and Information
Security Standard 2.22
POL00362909
POL00362909
Post Office Limited - Document Classification: INTERNAL
4 Where to go for help
4.1 Additional Policies
This standard is part of the Cyber Security Policy framework. The full set can be found at:
https://poluk.sharepoint.com/sites/cybersecurity2/SitePages/Cyber-and-Information-
Security-Policy-Set.aspx
4.2 How to raise a concern
Any Post Office employee who suspects something is wrong has a duty to:
e Discuss the matter fully with their Line Manager; or,
e Report their suspicions by contacting the Service Desk.
4.3. Who to contact for more information
If you need further information about this standard or wish to
to this standard, please contact Cyber Security Team via cybe'
INTERNAL Page 22 of 23 Cyber and Information
Security Standard 2.22
POL00362909
POL00362909
Post Office Limited - Document Classification: INTERNAL
5 Version Control & Approval
5.1 Version Control
Date Version Updated by Change Details
24/07/2019 0.1 IPA & IT Security First redraft for review - replaces the
Cyber and Information Security
policy
22/01/2020 1.0 IT Security Final draft version for approval
12/06/2020 1.0 Cyber Security Approved by ISC
28/07/2021 1. Cyber Compliance Final draft version for approval
02/08/2021 2.0 Cyber Compliance Approved by ISC
10/04/2023 2.1 Cyber Compliance Updated the controls to align with
UCF.
25/04/2023 2.2 Cyber Compliance CSF approval for publication
5.2 Standard Approval
Standard Owner:
Standard Author:
Approved by CSF:
Next review:
INTERNAL
Chief Information Security Officer
Ehtsham Ali
25/04/2023
25/04/2024
Page 23 of 23 Cyber and
Information
Security Standard 2.22