Governance Structure
A set of senior stakeholders within Gamma, including the General Counsel, Security Director, Chief Architect and Group Commercial Director, meet monthly to review the progress of our TSA programme of work.
Processes and Controls
All of our in-scope products and networks are managed in line with the following processes:
Incident Management
Gamma will follow Gamma’s internal Security Incident Management Procedure for all incidents relating to Gamma products. The Customer Communications process will be followed to ensure customer notification occurs as required. The Gamma procedure outlines the expected actions Gamma UK employees will take in response to a confirmed or suspected cyber incident, or a significant cybersecurity event.
Should customers wish to report a security incident, please contact the Gamma Security Operations Centre (SOC) (security@gamma.co.uk or soc@gamma.co.uk).
Where appropriate the output of incidents, post incident reviews and continuous improvement activities will be discussed at the relevant Governance meetings.
Risk Management
Gamma has a Group Risk Management Policy that outlines the approach to risk and that defines responsibilities within the senior management team.
A risk can be defined as “An event that could adversely affect an organisation’s ability to achieve its objectives”. We will describe risks using the following three elements: cause, event and consequence(s).
The Risk Management Policy is enacted through the Risk Management process. The process, along with the roles and responsibilities defined in the policy, outlines formal reporting expectations.
Risk Management incorporates Security. Where identified risks have a security implication, Gamma Security work in liaison with other internal teams to identify and implement mitigating actions where needed.
Risk owners should regularly monitor changes to the nature of risks they own, such as an increase in severity or circumstances that can affect risk impact and likelihood, as well as the effectiveness of existing controls and status of actions.
All risks require a review at least quarterly.
Third Party Risk Management
Third parties are assessed based on the type of service or provision they supply. Where third parties are required for the contract, Gamma will follow the Third-Party Risk Management Standard to ensure that the correct due diligence and ongoing governance is supplied. The standard outlines the controls Gamma will use to manage the supplier throughout the lifecycle of the service.
The Procurement team are responsible for managing the relevant contractual flow down for required contractual obligations.
Security Standards
All TSA Code of Practice controls have been reviewed and aligned with our security standards. Our standards are used to drive controls into the various technologies used within in-scope systems. These standards are available for review as part of an audit.
Audit process
Internal
Gamma will perform regular audits of in-scope security controls. The output will be discussed with the Operational teams overseeing the service and the Head of Technical Security. Internal audit findings are not shared with customers, but any changes required due to the findings would be actioned via internal change processes.
External
Customers can contact their Gamma account manager to arrange an annual audit. The internal audit team will review the scope of the audit along with when the audit is proposed to take place; if appropriate and proportionate, the audit will be arranged. The findings will be logged following Gamma’s Governance Non-conformance and Improvement Process.
Notice of a requirement for external audit should be made 3 months in advance unless otherwise agreed.
Capacity Management
All Gamma products and services have a formalised capacity management structure in place. This process aligns forecasted growth and technology delivery to ensure our products and services are available.
Service availability
Gamma maintain products and services in line with our reported Service Level Agreements; these are managed through our Service Assurance programme. Where appropriate, customers are compensated for service-affecting outages by means of service credits.
Business Continuity
Gamma has established a Business Continuity Management (BCM) Programme designed to minimise service disruption and the potential impact on Gamma, our customers, and our staff. The BCM policy is supported by a BCM framework which outlines how the BCM team will deliver and manage the programme with the business. Although the specific details of our BCM arrangements are confidential, Gamma maintains Business Continuity Plans (BCPs) that manage People, Property, Technology, Supplier and Data incidents. Gamma focuses its programme on those business teams and processes that present a risk to service; this helps to ensure the delivery of key products and services in the event of an incident or crisis causing disruption.
Exit or termination
Upon termination of services and where relevant, Gamma provides assistance to customers to help the transition to a new service provider in an orderly fashion.