scope:

This guidance document is designed for use by TfL System Owners, System Administrators and the Cyber Security Incident Response Team (CSIRT).

The guidance applies to information, IT devices, networks, endpoints and users that are owned, operated or supported by TfL or on behalf of TfL. This includes:

a) user devices, including 'thick' and 'thin' desktop computers, portable devices such as laptops and mobile devices such as tablet computers and smartphones

b) servers (physical and virtual), including file servers, application servers, web servers, database servers and any servers that manage network connections.

c) network infrastructure and security components, including devices managing connections (switches, routers), devices for protecting the networks and systems (IDS/IPS) or devices managing network connections (firewalls, load balancers).

This guidance is a subset of TfL's Cyber Security Risk Management Policy P123 and the Cyber Security Testing Standard S1746 (see Diagram 1 below). The Cyber Security Testing guidance G2401 outlines the initial identification and testing stage of Vulnerability management.