Atos - Registration Document 2016

D Corporate Responsibility D.4

Ethical excellence in Atos’ sphere of influence

Asset Protection D.4.1.3

Following 2013 initiatives, Security organization and governance continued to be reinforced in Atos Divisions (e.g. Infrastructure & Data Management and Business & Platforms Solutions) as well as further assignment or set up of Security Management teams and roles to address specific areas (e.g. creation of a Computer Security Incident Response Team).

Group security Governance is structured around weekly calls under the responsibility of the Group Chief Security Officer – Head of Security, with all Group and Business Units security officers, representatives from all Atos entities.

During weekly calls, Chief Security Officers (CSOs) from all parts of the Group organization work together on:

• tracking all decisions and actions around security;
• reviewing all the security events and security incidents of global interest;
• reviewing the results of all the vulnerability scanners that have been running since the second semester of 2013 on all categories of Atos networks (Internet, Intranet, production environments);
• improving the security management system.

The Group’s main certifications regarding security include: ISO 27001, ISAE 3402 and PCI/DSS for “Worldline” (payments industry).

Security key performance indicators and reporting

From a security performance management perspective, Atos is monitoring the deployment of ISO 27001 across all Atos business activities.

In 2016, the External Certifier (Ernst and Young) audited a total of 19 locations in the GBUs: Asia Pacific, Iberia, Middle East and Africa, Central and East Europe, France, Benelux and The Nordics, South America, Germany for selected Divisions for each chosen location. Atos performed 121 internal audits at further sites.

In addition to these high-level indicators, technical monitoring and reporting are in place to act proactively on security anomalies (weekly security watch analysis, monthly monitoring of firewall configurations, weekly vulnerability scans, yearly penetration tests, reviews of access rights, intrusion detection systems, and monitoring and logging of system events). All these measures are part of the Atos security framework [AO3].

A comprehensive approach to the protection of assets

Atos Group security organization has a set of 50 Global Security and Safety policies, standards and guidelines. The Atos Group security policies are mandatory and binding for all Atos entities and employees in order to guarantee the safety and the security of Atos internal and external (i.e. “Customer related”) business processes. They apply to all staff, contractors and consultants throughout the Atos organization.

The Atos Group Safety and Security policies encompass the protection of all Atos assets, whether owned, used or held in custody by Atos (information, intellectual property, sites, network, personnel, software and hardware).

The main Atos security policies are part of the Atos “Book of Internal Policies”:

• AP90 Atos information Security Policy;
• AP91 Atos information Classification Policy;
• AP92 Atos Safety Policy;
• AP96 Atos IT acceptable use Policy.

In addition, Atos has put in place measures and policies to protect its intellectual property assets and confidential information, including, but not limited to, the use of confidentiality agreements, encryption and logical and physical protection of information where required.

Furthermore, the Atos Legal, Compliance and Contract Management department advises on all commercial transactions so as to ensure that appropriate provisions are included in its contracts with customers and suppliers and that confidential matters are appropriately dealt with and in compliance with applicable laws.

Security management system, organization and governance

Atos’ Information Security Management System (ISMS), built in 2001, is mandated across all the Group Business Units and Divisions. The Security organization is aligned with the continuous improvement cycle related to this ISMS.
Planned enhancements to the ISMS include a single set of security policies that are harmonized across all areas of Atos Worldwide and will be:

• written in clear English, at a level that allows Atos staff worldwide to understand and comply with;
• consistent in structure & terminology;
• easy to use & maintain.

This will be supported by a streamlined document review and approval process.

Trusted partner for your Digital Journey
