PRESENTATION OF THE GROUP AND ITS ACTIVITIES
1.7 Risk analysis
Registration Document 2016 — Capgemini
Information systems
Risk factors
New technologies (Cloud computing, “Bring your own device”, etc.) and new practices (social networks, mobility, Software-as-a-Service - SaaS, etc.) inevitably expose the Group to new risks. Risks relating to cyber criminality of all kinds could lead to a loss of data, delays in the delivery of our projects, service interruptions at our clients, or additional costs that could impact the reputation or financial health of the Group.
The systems underlying the publication of the Group’s consolidated financial statements also present a specific risk in view of the strict reporting deadlines.
Risk management systems
The Group has implemented business continuity procedures in the event of a disruption to IT services. The main management IT systems are covered by back-up plans in different data centers.
The Group is aware of the importance of internal communication network security, and protects its networks via security rules meeting the highest international standards, proactive controls, a detection center operating 24/7 and specific technical equipment such as firewalls. Rules and procedures are defined in a security policy founded on numerous international standards and procedures (our operating sites are certified ISO 27001). This security policy and the back-up plans are validated and audited periodically.
For some projects or clients, enhanced systems and network
protection are provided on a contractually agreed basis.
The Group also has a program that seeks to control the cyber risks for its main systems. This dedicated structure is headed by the Cyber Security and Information Protection Director (CySIP).
This program covering exposure to cyber risks comprises three subgroups dealing with governance related issues (organization, policy and communication and awareness-raising) and five operational projects (data protection, mobility management, access management, information system control and steering and strengthening infrastructures). The CySIP community includes cyber risk specialists in the following areas:
◗ CySIP Officers in the business units, for client project monitoring;
◗ Data Protection Officers responsible for the protection of personal data;
◗ Chief Information Security Officers responsible for the protection of internal information systems.
The aim of this program is to become a benchmark presented to our clients which helps strengthen the credibility of the Group on Digital and cybercrime issues. The Group’s policy and organization for the protection of personal data were drawn up based on rules defined by the European Commission (Binding Corporate Rules - BCR) and validated by the CNIL (French National Commission for Data Protection and Liberties), for the processing and storage of our own data and that of our clients.
Service continuity
Risk factors
Capgemini’s evolving production model, Rightshore®, involves transferring a portion of the Group’s production of part of its services to sites or countries other than those in which the services are used or in which the Group’s clients are located and particularly India, Poland, China and other Asian and Latin American countries. The development of this model has made the Group more reliant on telecommunications networks, which may increase the risk of business interruption at a given production site due to an incident or a natural disaster, in so far as several operational units could be affected simultaneously. The use of a large number of production sites increases the range of contingency options available to the Group.
Risk management systems
Production systems and services provided by the Group to its
subsidiaries are duplicated and covered by back-up plans that are
tested.
Telecommunications networks used by the Group are duplicated in cases where “Rightshored” production resources are deployed. In the event of a breakdown in the preferred (fastest) communications network between Europe and India, service continuity is ensured by tried and tested alternative routes. The Group’s Indian subsidiary has set up a Business Continuity Management (BCM) structure to ensure service continuity in line with the Good Practice Guidelines of the Business Continuity Institute (BCI). These measures take account of various degrees of hypothetical threats along with the related damages considering the situation and impacts on the site, urban agglomeration and possibly the country. Communication (for example e-mail) and collaborative systems are covered by a redundant architecture at two data centers ensuring service continuity, or are hosted by a supplier with systems with similar redundancy and reliability measures.
Business continuity and resumption plans in the event of a disruption to the specific IT infrastructures of a given center, client or contact, are the responsibility of the Group subsidiaries.
Where required by specific contracts, a business continuity plan is prepared by selecting appropriate measures according to the criticality of the service. Reviews and simulations are performed in the subsidiary entities to test the efficiency of these plans. Certain of these entities have heightened security requirements reflecting certain clients’ imperatives and they are consequently certified ISO 27001 compliant by an independent agency.
Suppliers and sub-contractors
Risk factors
Capgemini is dependent upon certain suppliers, especially in its Technology Services and networks businesses. While alternative solutions exist for most software and networks, the failure of a supplier to deliver specific technology or expertise could have prejudicial consequences for certain projects.