D Corporate Responsibility
D.4 Ethical excellence in Atos’ sphere of influence
D.4.1.3 Asset Protection
A comprehensive approach to the protection of assets
Atos Group security organization has a set of 50 Global Security and Safety policies, standards and guidelines. The Atos Group security policies are mandatory and binding for all Atos entities and employees in order to guarantee the safety and the security of Atos internal and external (i.e. “Customer related”) business processes. They apply to all staff, contractors and consultants throughout the Atos organization.

The Atos Group Safety and Security policies encompass the protection of all Atos assets, whether owned, used or held in custody by Atos (information, intellectual property, sites, network, personnel, software and hardware).

The main Atos security policies are part of the Atos “Book of Internal Policies”:
• AP90 Atos Information Security Policy;
• AP91 Atos Information Classification Policy;
• AP92 Atos Safety Policy;
• AP96 Atos IT Acceptable Use Policy.
In addition, Atos has put in place measures and policies to protect its intellectual property assets and confidential information, including, but not limited to, the use of confidentiality agreements, encryption and logical and physical protection of information where required.

Furthermore, the Atos Legal, Compliance and Contract Management department advises on all commercial transactions so as to ensure that appropriate provisions are included in its contracts with customers and suppliers and that confidential matters are appropriately dealt with and in compliance with applicable laws.
Security management system, organization and governance

Atos’ Information Security Management System (ISMS), built in 2001, is mandated across all the Group Business Units and Divisions. The Security organization is aligned with the continuous improvement cycle related to this ISMS. Planned enhancements to the ISMS include a single set of security policies that are harmonized across all areas of Atos Worldwide and will be:
• written in clear English, at a level that allows Atos staff worldwide to understand and comply with;
• consistent in structure & terminology;
• easy to use & maintain.

This will be supported by a streamlined document review and approval process.
Following 2013 initiatives, Security organization and governance continued to be reinforced in Atos Divisions (e.g. Infrastructure & Data Management and Business & Platforms Solutions), as well as through further assignment or set-up of Security Management teams and roles to address specific areas (e.g. creation of a Computer Security Incident Response Team). Group security Governance is structured around weekly calls under the responsibility of the Group Chief Security Officer – Head of Security, with all Group and Business Unit security officers and representatives from all Atos entities.

During the weekly calls, the Chief Security Officers (CSO) from all parts of the Group organization work together on:
• tracking all decisions and actions around security;
• reviewing all the security events and security incidents of global interest;
• reviewing the results of all the vulnerability scanners running since the second semester of 2013 on all categories of Atos networks (Internet, Intranet, production environments);
• improving the security management system.
The Group’s main certifications regarding security include: ISO 27001, ISAE 3402 and PCI/DSS for “Worldline” (payments industry).
Security key performance indicators and reporting

From a security performance management perspective, Atos is monitoring the deployment of ISO 27001 across all the Atos business activities.

In 2016, the External Certifier (Ernst and Young) audited a total of 19 locations across the GBUs (Asia Pacific, Iberia, Middle East and Africa, Central and East Europe, France, Benelux and The Nordics, South America, Germany), covering selected Divisions at each chosen location. Atos performed 121 internal audits at further sites.
In addition to these high-level indicators, technical monitoring and reporting are in place to act proactively on security anomalies (weekly security watch analysis, monthly monitoring of firewall configurations, weekly vulnerability scans, yearly penetration tests, reviews of access rights, intrusion detection systems, and monitoring and logging of system events). All these measures are part of the Atos security framework [AO3].