INTRODUCTION
Externis Group has an obligation to abide by all French legislation and relevant legislation of the European Community. All users of the Externis Group Information Systems must ensure that they are fully aware of and understand the relevant legislation that applies to the IT systems or data assigned to them.
This Guideline is not a full statement of the law but is an indication of the issues to be complied with when processing information. There are laws, practices and codes of conduct by which all Users of Externis information technology resources must abide.
Externis Group first approved an Information Technology Security Policy in July 2012.
It is the responsibility of all users to familiarize themselves with these policies.
Why have Information Security Policies?
Information Security Policies are necessary to ensure that important research and administrative data, and other confidential information, are protected from theft or unauthorized disclosure.
Additionally, European laws, for example the RGPD (the French name for the GDPR), make Externis legally responsible for ensuring that information is accurate and used appropriately.
In addition to fulfilling your legal obligations, complying with the policies will ensure that Externis offers a professional and effective service. Make sure that you are aware of any legal requirements and policies that apply to you in your role at Externis Group.
Breaking the Rules
Breaking the rules puts us all at risk. By divulging sensitive information, or by not applying strict security controls to sensitive information in your care, you expose the information and Externis Group to potential damage and loss.
Education and Training
All users of Externis Group computing and networking facilities are expected to read and abide by the respective regulations.
1. Policy Statement
1.1 Information is a critical asset of Externis Group, hereafter referred to as ‘Externis’. Accurate, timely, relevant, and properly protected information is essential to the success of Externis activities. Externis is committed to ensuring that all access to, use of, and processing of Externis information is performed in a secure manner.
1.2 Externis is committed to adopting a security model in line with ISO27001 international best practice standards.
1.3 Technological Information Systems, hereafter referred to as ‘Information Systems’, play a major role in supporting the day-to-day activities of Externis. These Information Systems include but are not limited to all infrastructure, networks, hardware, and software used to manipulate, process, transport or store information owned by Externis.
1.4 The object of this Information Security Policy and its supporting technical requirements policy is to define the security controls necessary to safeguard Externis’s Information Systems and ensure the security, confidentiality and integrity of the information held therein.
1.5 Externis recognizes that failure to implement adequate Information security controls could potentially lead to:
- Financial loss
- Irretrievable loss of Important Externis data
- Damage to the reputation of Externis
- Legal consequences
Therefore, measures must be in place that will minimize the risk to Externis from unauthorized modification, destruction or disclosure of data, whether accidental or deliberate. This can only be achieved if all staff observe the highest standards of ethical, personal and professional conduct. Effective security is achieved by working with proper discipline, in compliance with French and European legislation.
1.6 The Information Security Policy and supporting policies apply to all staff of Externis and all other users authorized by Externis.
1.7 The Information Security Policy and supporting policies do not form part of a formal contract of employment with Externis, but it is a condition of employment that employees will abide by the regulations and policies made by Externis from time to time.
1.8 The Information Systems Security Policy and supporting policies relate to use of:
- All Externis networks.
- All Externis-owned/leased/rented and on-loan facilities.
- All private systems, owned/leased/rented/on-loan, when connected to the Externis network directly or indirectly.
- All Externis-owned/licensed data/programs, on Externis and on private systems.
- All data/programs provided to Externis by sponsors or external agencies.
1.9 The objectives of the Information Systems Security Policy and supporting policies are to:
- Ensure that information is created, used and maintained in a secure environment.
- Ensure that all of Externis’s computing facilities, programs, data, network and equipment are adequately protected against loss, misuse or abuse.
- Ensure that all users are aware of and fully comply with the Policy Statement and the relevant supporting policies and procedures.
- Ensure that all users are aware of and fully comply with the relevant French and European Community legislation.
- Create awareness that appropriate security measures must be implemented as part of the effective operation and support of Information Security.
- Ensure that all users understand their own responsibilities for protecting the confidentiality and integrity of the data they handle.
- Ensure all Externis owned assets have an identified owner/administrator.
1.10 The Externis Board has approved the Information Security Policy and supporting technical policy. The Board has delegated the implementation of the Information Security Policy to the heads of technical and administrative areas. The Director of Information Systems Services and his/her delegated agents will enforce the Information Security Policy and associated supporting policy.
2. IT Security Governance
2.1 Governance outline
Security of Externis IT and data assets cannot be achieved without a coherent governance model that ensures that all IT systems are operated in accordance with approved policy and best practice.
The Externis Governance model seeks to clearly define who is authorized to operate key IT systems and services and how individuals and groups wishing to operate new systems or services are approved and subsequently governed.
2.2 Externis Data network
This is the main Externis network serving the entire staff. This network is operated by IT Services and provides central services and support to all users.
2.3 Services to the Externis Team
Only IT Services and the defined autonomous networks may operate key central services, including but not limited to Email, Internet Proxy, DNS, DHCP, Firewall, General Purpose Servers, Web Servers and Domain Services.
IT Support Representatives may operate specific applications and supporting servers, which they must register with their IT managers.
2.4 The Network Perimeter
IT Services acts as the single point of contact for all Externis staff.
Access through the network perimeter firewall is managed and operated by IT Services.
Individuals located in the main Externis network may make direct application for access through the firewall.
3. IT Management Roles and Responsibilities
3.1 The Externis Board
The Externis Board is responsible for approving the Information Security Policy, and for supporting the Director of IT Services in the enforcement of the policies where necessary.
3.2 Heads of IT and Administrative Areas
Heads of IT and Administrative areas are required to familiarize themselves with the policies. Where a policy breach is highlighted, heads of IT and Administrative areas must co-operate in ensuring that appropriate action is taken. Heads of IT and Administrative areas are obliged to ensure that all IT systems under their remit are formally administered by an administrator appointed centrally by IT Services. The duties of the administrator are set out in the associated supporting policy.
3.3 The Director of IT Services
The Director of IT Services or his/her deputy is responsible for the management of the Externis Network and for the provision of support and advice to all nominated individuals with responsibility for discharging these policies.
3.4 Information Systems Users
It is the responsibility of each individual Information Systems user to ensure his/her understanding of and compliance with this Policy and the associated Codes of Practice.
All individuals are responsible for the security of the Externis Information Systems assigned to them. This includes but is not limited to infrastructure, networks, hardware and software. Users must ensure that any access to these assets which they grant to others is for professional use only, is not excessive and is maintained in an appropriate manner.
3.5 Purchasing, Commissioning, Developing an Information System
All individuals who purchase, commission or develop an Information System for Externis are obliged to ensure that this system conforms to necessary security standards as defined in this Information Security Policy and supporting policies.
Individuals intending to collect, store or distribute data via an Information System must ensure that they conform to Externis defined policies and all relevant legislation.
3.6 Third Parties
Prior to being allowed to work with Externis Information Systems, satisfactory references from reliable sources should be obtained and verified for all third parties, including but not limited to administrative staff, software support companies, engineers, cleaners, and contract and temporary appointments. Data processing, service and maintenance contracts should contain an indemnity clause that offers cover in case of fraud or damage. Independent third-party review of the adequacy of, and compliance with, information system controls must be obtained periodically.
3.7 Reporting of Security Incidents
All suspected information security incidents must be reported as quickly as possible through the appropriate channels. All Externis staff have a duty to report information security violations and problems to the Director of IT Services on a timely basis so that prompt remedial action may be taken. The Director of IT Services will be responsible for setting up an Incident Management Team to deal with all incidents.
3.8 Security Controls
All Externis Information Systems are subject to the information security standards as outlined in this and related policy documents. No exceptions are permitted unless it can be demonstrated that the costs of using a standard exceed the benefits, or that use of a standard will clearly impede Externis activities.
3.9 Compliance with Legislation
Externis has an obligation to abide by all French legislation and relevant legislation of the European Community. The relevant acts, which apply in French law to Information Systems Security, include but are not limited to:
- The General Data Protection Regulation (GDPR)
- European Communities Data Protection Regulations, (2001)
- European Communities (Data Protection and Privacy in Telecommunications) Regulations (2002)
- Data Protection EU Directive 95/46/EC
- Child Trafficking and Pornography Act (1998)
- Intellectual Property Miscellaneous Provisions Act (1998)
- Copyright and Related Rights Act (2000)
- Non-Fatal Offences Against the Person Act (1997)
- Electronic Commerce Act (2000)
- ECommerce Directive (2000/31/EC)
- Regulations entitled European Communities (Directive 2000/31/EC) Regulations 2003 (S.I. No. 68 of 2003)
The requirement for compliance devolves to all users as defined in (1.7) above, who may be held personally responsible for any breach of the legislation. Summaries of the legislation most relevant to Externis’s IT policies may be found in the Guidelines accompanying the Policies.
4. Breaches of security
4.1 Monitoring
IT Services will monitor network activity and take action or make recommendations consistent with maintaining the security of Externis Information Systems.
4.2 Incident Reporting
Any individual suspecting that there has been, or is likely to be, a breach of information systems security should immediately inform the Director of IT Services, who will advise Externis on what action should be taken.
4.3 Enforcement
In the event of a suspected or actual breach of security, the Director of IT Services or his/her delegated agent may, after consultation with the relevant Administrator, make inaccessible or remove from the network any unsafe user accounts, data and/or programs on the system.
4.4 Legal Implications
Any breach of security of an Information System could lead to loss of security of personal information. This would be an infringement of the General Data Protection Regulation (GDPR) and could lead to civil or criminal proceedings and/or regulator fines. All Externis staff are advised to familiarize themselves with and comply with this policy and with the Externis Data Protection Policy.
4.5 Disciplinary Procedures
Failure of a member of Externis to comply with this policy may lead to the instigation of the relevant disciplinary procedures and, in certain circumstances, legal action may be taken.
Failure of a contractor to comply could lead to the cancellation of a contract.
5. Policy Awareness and Distribution
5.1 New Staff
This Policy Statement will be available from IT Services on request. New staff will be notified of the relevant policy documents on commencement of employment.
5.2 Existing Staff
Existing staff of Externis, authorized third parties and contractors given access to the Externis network will be advised of the existence of this policy statement. They will also be advised of the availability of the associated policies and procedures.
5.3 Updates
Updates to Policies and procedures will be made periodically.
6. Risk Assessment and Compliance
6.1 Risk Assessment
Risk assessments must be carried out periodically on the business value of the information users are handling and on the information systems security controls currently in place. These assessments take into account changes to operating systems, business requirements and Externis priorities, as well as relevant legislation, so that security arrangements can be revised accordingly.
6.2 Heads of IT and Administrative areas
Heads of IT and administrative areas must establish effective contingency plans appropriate to the outcome of any risk assessment.
6.3 Director of IT Services
The Director of IT Services will carry out risk assessments, review all risk assessments completed by other parties and highlight any measures needed to reduce risk in Information Security areas.
6.4 Third Party Audit
Third Party Audits will be carried out at intervals, as deemed necessary by the Director of IT Services.
7. Supporting Policies, Review Documentation and Guidance Notes
Supporting Policies amplifying this Policy Statement, and the Codes of Practice associated with these policies, are published in an accompanying document and are available on request from IT Services.
Staff and any third parties authorized to access the Externis Network to use the systems and facilities are required to familiarize themselves with the following policies and to work in accordance with them:
- Network Security Policy
- Internet Use Policy
- Email Use Policy
- Password Policy
- Virus and Spam Policy
- Software Security Policy
- Data Backup Policy
- Disaster Recovery Policy
- Remote Access Policy
- Incident Response
- RGPD