CAPGEMINI_REGISTRATION_DOCUMENT_2017

3

OUR COMMITMENT TO SOCIAL RESPONSIBILITY

3.1 A renewed strategy: “Architects of Positive Futures”

3.1.6 Cyber-security and data protection

The Group’s Cybersecurity & Information Protection (CySIP) Program reflects our strong commitment, as a leading IT company, to high standards of data protection for the benefit of our clients and our own organization and employees. We comply with legislation, starting with the recent European regulations on the matter, and with regulations in all the countries in which we operate for our clients.

The Program's objectives are to:
- deliver secure business services;
- develop and maintain client trust for sustainable business growth;
- protect information and Digital assets in Capgemini;
- comply with the applicable law.

The CySIP Program was launched in November 2014 and is aimed at reinforcing Group competitiveness whilst anticipating new regulations. Sponsored by the Group General Secretary, the CySIP Program published a strategy in 2015, encompassing objectives, governance, a CySIP Baseline (minimum and mandatory practices), a data privacy strategy and a personal data protection policy. The strategy has been implemented in all Capgemini entities in 2017. As of 1st January 2018, the program is led by the Group Chief Technology Officer.

The CySIP program steers three communities working together under the Group CySIP Officer:
1. the CySIP Officers in Strategic Business Units (focused on clients’ requirements and security of delivery projects);
2. the Data Protection Officers in country (DPO: focused on personal data protection and sensitive data confidentiality);
3. the Chief Information Security Officers (CISO) in Group IT (focused on internal IT),
recently supplemented with CySIP Officers in Delivery entities and in key global accounts teams.

Data protection and data privacy were a major priority on the 2017 strategic agenda.
Capgemini implemented its Binding Corporate Rules on personal data protection (BCRs), covering activities where the Group acts as data controller and data processor, approved by the French data protection authority, Commission Nationale de l'Informatique et des Libertés (CNIL), in 2016, while pooling its actions to prepare for the General Data Protection Regulation (GDPR) coming into force on May 25, 2018. The DPOs worked with the CySIP community and the relevant stakeholders to review internal processes, implement appropriate technical and organizational measures, identify the relevant tools and train employees in the new rules and processes.

The CySIP operational projects focus on three major topics:
- Identity and Access Management to reinforce access controls to applications and data, and Security Information and Event Management to reinforce detection and response capacities;
- the Capgemini Security Operation Center (SOC) in Europe to provide monitoring services of our Infrastructures and IT systems;
- BYOD (Bring Your Own Device) policy and tool to secure access and data while using personal devices for professional purposes.

The CySIP Program has enabled numerous technical and organizational changes relating to Cyber security and information protection at Capgemini Group, such as:
- launch of a governance in all the SBUs with the creation of the CySIP community of a hundred people;
- ISO 27001 certification of our sites;
- more than 160,000 employees completed e-learning;
- an incident detection capability implemented following the operational implementation of a SOC in early 2017;
- CySIP Strategy & Baseline regular reviews;
- accelerated migration to Windows 10 for laptops;
- PGP mail encryption roll-out for highly confidential internal communications;
- CySIP 2016 status and action plan for 2017 reviewed and approved by SBU leaders;
- Concord program launched to manage increased cybersecurity threats.

Finally, maturity assessments related to the CySIP Baseline, data protection practices and operational projects implementation are performed on an annual basis (in March 2017 and September 2017). They are now part of an overall Audit and Control Plan. Self-assessment verifies whether mandatory practices are implemented, and is complemented by technical audits and penetration tests, enabling the definition of the yearly risk mitigation plan globally and for each entity. These measures enabled the Group to reach the objectives of the CySIP strategy and successfully implement the governance and rules in 2017.

128

REGISTRATION DOCUMENT 2017 — CAPGEMINI
