23 GDF Suez 2010 - 009 en
Summary
This decision describes GDF SUEZ' objectives in terms of protecting its assets and covers site security
and information security via the deployment of risk-reduction solutions incorporating technical
(including IT), legal, managerial and organizational domains, and the acquisition of secure behavior
habits (vigilance, compliance with rules and best practices).
It dovetails with the Group's risk management procedure and the general framework of the Group's
policy on ethics (and its versions set out in the Ethics Charter and the Ethics Guidelines).
www.gdfsuez.com
Group Tangible and Intangible Assets Security Policy
Table of contents
INTRODUCTION
1.1. Definitions
1.2. Context
1.3. Scope
APPENDICES
Appendix 2: Glossary
Introduction
The Group's tangible and intangible property are assets that must be protected.
The Group aims to empower each top executive, manager and employee as to the need
to protect our tangible and intangible assets and continuously improve our protection
system.
1.1. Definitions
In this document:
the word Group refers to the GDF SUEZ Group.
the word entity refers to:
at the Corporate level, all of the Functional Divisions that comprise it;
a Business Line;
a Business Unit (BU);
a subsidiary.
Tangible property comprises industrial and tertiary assets which are the property of the Group
and assets which the Group uses or exploits for its business activities.
Intangible assets comprise all information and know-how available to the Group. The
protection of intangible assets in the sense of this Policy covers all means and processes
which may protect this property, with the exception of the specific processes relating to the
granting of patents and to trademark or domain name protection.
1.2. Context
Consequently, access to our premises must be controlled, as well as the flows of people who
may enter them.
Protecting our sites is closely linked to industrial security. Strong industrial security is not
possible without high-level protection. Maliciousness can have very serious human,
environmental and economic consequences.
Information, whether on a virtual (computerized) or physical medium (paper, etc.) or even
transmitted orally, is also under threat: increased competition, malicious intent towards the
interests of the Group, its staff, its customers, its facilities, third parties, intent to jeopardize its
credibility and damage its image, etc.
Malicious techniques are constantly changing. They include:
intrusions into our IT systems;
remote theft of information, facilitated by the wide range of communication
devices available;
the alteration of information due to the increase in number and sophistication of
procedures for exploiting computer vulnerabilities.
Information theft, whatever the medium used (laptops, photocopier memories, USB sticks,
hard disks, files, etc.), encompasses further instances of breaches of confidentiality which
need to be prevented.
Business travel by our own staff is another weak point which requires special attention.
1.3. Scope
The Policy is applicable to all entities in the GDF SUEZ Group, irrespective of their activity
and geographical location, and in accordance with local laws and regulations.
This Policy is applicable to all GDF SUEZ subsidiaries and affiliated companies controlled by
GDF SUEZ. For other affiliated companies, Group representatives at these companies must
endeavor to the best of their ability to introduce this Policy or a similar policy into these
affiliated companies.
This Policy is the compulsory minimum framework within which each entity ensures the
security of its tangible and intangible assets.
The Group's strategy is based on compliance with structuring principles (2.1) and the
deployment of a risk-management process (2.2). It is also based on international standards
(2.3).
To this end, each entity must ask itself the right questions. This must be an ongoing process
covering the following:
procurement of skills;
awareness of threats;
identification and valuation of assets;
identification of vulnerabilities (sites, zones, services, people, sensitive data);
definition of an acceptable risk level;
solutions to be commensurate with the value of the information to be protected;
allocation of resources and ensuring compliance with necessary commitments.
2.1.3. Monitoring security levels and security development over time
Each entity must set up an appropriate monitoring system for the earliest possible
detection of deliberate, accidental or potential attacks against the security of its personnel
and assets.
Services outsourced to third parties must likewise be monitored, especially in the case of
suppliers which may have privileged access to premises and/or information (travel agencies
– remote operators – maintenance, cleaning, waste-disposal services – consultants –
translators, temping agencies, etc.), as well as interns and temporary staff.
Locally, the officers in charge of site security are regularly in contact with the security forces
in order to discuss analyses and implement, where necessary, formalized intervention
protocols. These contacts are based on mutual confidence.
The adequacy of each entity's management in implementing this Policy must be monitored
and assessed each year.
2.1.4. Limit the impact of breaches of sensitive sites or information
Entities must set up systems for the management of security incidents and the resulting
crisis situations. This requires that incidents be reported up to the relevant level.
Beyond immediate processing, security incidents must be analyzed and corrective action
taken to prevent them from recurring.
The Health, Safety and Management Systems Division (HSMSD) must be systematically
notified of significant events which occur at entity level, or which have had or nearly had an
impact on other entities or the Group as a whole.
The principles described in this Policy are guided by the best practices set out in international
standards (e.g., ISO 900X, ISO 1400X, ISO 2700X), in particular those concerning risk
assessment, continuous improvement and management reviews, so as to ensure effective risk
management. Each entity must endeavor to develop its management system and evaluate it
in line with these standards.
3.1.1. Corporate
The Health, Safety and Management Systems Division (HSMSD):
Defines Group policy concerning the protection of tangible and intangible assets
and ensures it is adapted accordingly;
Proposes strategic orientations in the form of action plans drawn up with the
Business Lines;
Leads the Functional Line of security officers, in particular by encouraging the
sharing of best practices, organizing feedback and proposing general solutions in
order to guarantee the required responsiveness to changing regulations or
incidents;
Makes available qualified risk-reduction solutions which integrate technical, legal,
managerial or organizational aspects;
Manages the production of teaching aids and methodological or technical tools to
support the implementation of the Policy;
Performs an annual assessment of the Policy and its adequacy in the course of a
general review with the Business Lines and the General Secretariat for Corporate
entities;
Keeps up to date a set of reference documents comprising the texts setting out
this Policy, published on the Group intranet. This gives each stakeholder a full
overview of the applicable documents, whose use within the Group is either mandatory
('Rules') or recommended ('Recommendations' or 'Best Practices').
The Security Division (SD) is in charge of economic intelligence (EI) and, more generally, of
the fight against any form of interference that could have an impact on the GDF SUEZ Group.
Consequently, HSMSD and SD exchange information on the status of the threat and on how
to deal with attacks relating to the security of intangible assets (section 3.3).
In addition, the Security Division is in charge of the Head Office and personnel on
assignment and/or expat personnel.
3.1.2. Business Line
The officers for the security of assets:
Take part in drawing up the Group doctrine;
Under the authority of management, coordinate the implementation of the Policy
within their Business Line in the form of annual action plans;
Assess the action taken by the BUs within their perimeter, in the form of periodic
assessments and an annual review;
Report to HSMSD the action results and progress.
3.1.3. BU
Each BU is responsible for implementing the Policy within its perimeter, which it does in line
with the specific nature of its activities.
The achievement of targets requires that a dedicated and matrixed functional line is created
at the various levels of the Group (entities).
To effectively play its role, the functional line meets several times a year in the form of select
meetings (Business Line managers) or plenary meetings (Convention). The purpose of
these meetings is:
to suggest improvements to the reference documents (Policy, Rules,
Recommendations);
to facilitate experience sharing;
to prepare Group reviews.
The ISC is chaired by the General Secretary and administrative duties are handled by the
Head of the Security Division.
The ISC members are the Heads of the following Functional Divisions:
The ISC meets at least twice a year and draws up an annual assessment of the results
achieved. This report is sent to the members of the Executive Committee.
For the Corporate Functional Divisions, the Security Division leads the network of IASOs
and carries out the annual evaluation as well as providing the management maturity level in
this area. It is in charge of "processing" – with the support of HSMSD (placed under its
control), where appropriate – attempted breaches of information confidentiality when they
are clearly acts designed to harm the Group's image, damage its reputation, unlawfully
obtain information, destabilize the Group or, more generally, interfere.
The ISD defines and implements policies and standards, in particular in the areas of
telecommunications, office automation, applications and operations. It heads the IS
Functional Line for the Group at Corporate, Business Line and BU level. It also
coordinates and steers Information System Security in a manner consistent with this Policy.
The Communications and Financial Communications Division designs and implements the
measures taken to identify the protection level of documents and media used which involve
the Group's image. It also intervenes during the information and communications phases of
actions intended to increase stakeholder awareness and the dissemination of policies and
regulations issued by the Corporate.
The Business Ethics and Compliance Division is in charge of drafting a Code of Good
Conduct specifically regarding the use of information systems by personnel, Internet access
and involvement in social and/or professional networks.
The Human Resources Division is in charge of supporting the drafting of Charters and
Codes of Good Conduct and reporting these commitments to staff representative bodies.
The Audit and Risk Management Division is in charge of assessing the financial impact on
the Group of the risk of breaches of confidentiality and checking the actual implementation
of this Policy.
APPENDICES
Within the scope of their mission, IASOs report to a level which gives them access to the top
manager of their entity. They must have strong recognition and time to devote to their
mission. They may also act as IASOs provided both workloads are compatible.
Their mission, delegated by the functional management, is to implement the Intangible Assets
Security Policy within the scope of a general plan validated by this authority, which is
assessed each year.
Appendix 2: Glossary