The purpose of this document is to provide guidance on the authority that the GSOC has and that which is shared with other stakeholders. The document also identifies the circumstances under which approvals are required from the next level of authority.
The GSOC Authority Policy applies to the following:
- The GSOC as an entity within KPMG.
- All processes and activities of the GSOC.
- All KPMG employees and third parties working within the GSOC.
The statements outlined in this document apply to all activities within the GSOC as well as those outside it that require the involvement of the GSOC. The statements shall be adhered to in normal operation as well as in an emergency. However, exclusions might be applicable during crisis situations, in which case the GSOC would be required to operate in accordance with the policies defined for handling such circumstances as a crisis.
All KPMG staff, suppliers and business partners involved with the operations of the GSOC, and representatives from member firms that have opted into the GSOC service shall read and understand this policy document.
A glossary of the terminology used can be found in the GSOC Information Security Policy.
Any exceptions shall be managed and maintained.
Non-compliance may jeopardise the effectiveness and reputation of the GSOC.
A clear line of reporting shall be defined and implemented within the GSOC in accordance with the job descriptions and the GSOC Terms of Reference. All GSOC staff shall familiarise themselves with the GSOC reporting lines and abide by them at all times.
The GSOC manager shall have the authority to approve resourcing requirements or changes to existing staffing arrangements.
All GSOC finances are subject to authorisation as set out in the GSOC Finance Policy.
The GSOC Manager shall have authority over the day-to-day operations within the GSOC, including monitoring usage, staffing and maintaining the security of the GSOC.
All GSOC staff members shall exercise authority with respect to escalation of events in accordance with the job descriptions and all GSOC policies and processes. Where an event is not specifically covered by any of the GSOC processes, clarification must be sought and authorisation obtained from the GSOC Manager.
Change requests to the GSOC services including introduction of new services, data sources or communication channels must be authorised by the GSOC Manager.
All access requests by external contractors or other non-GSOC staff to the GSOC in order to undertake maintenance or similar work relating to equipment housed in the GSOC are subject to approval by the GSOC Manager.
The GSOC does not have the authority to execute direct investigation, intrusive analysis, containment, or remediation on KPMG member firm systems or networks.
The GSOC is authorised to contact designated members within KPMG member firms to request additional information, to inform KPMG member firms of the incident, and to provide advisory support for containment or remediation activities.
All decisions regarding the structure or operation of the GSOC that may affect member firms shall be made through a consensus in one or more committees as follows:
The GSOC Manager must seek approval from the appropriate Committee in accordance with their authority before changes can be committed.
All activities of the GSOC during an emergency are subject to approval. The approving party will be documented in the Business Continuity/Disaster Recovery Plans. Where the GSOC operates in a crisis mode, the GSOC Manager shall seek authorisation from the relevant entities, including KPMG's health and safety, crisis management and risk management departments, before approving action to be performed by GSOC staff.