Security

Security

Information security, the strongest link in security

Information security, the strongest link in security

At Inetum, information security is a central axis to increase and perpetuate the trust of our clients. This is why we are committed to guaranteeing the security of our clients' data, services and applications, while ensuring the compliance of our information system and those of our clients. The implementation of our commitments is based on an agile and efficient security management system which, with our employees who are trained and aware, enables us to be highly responsive to security incidents.

Under the responsibility of the security department, the Group ensures the consistent deployment of security measures at all levels. Security is thus implemented in the production entities with security managers for the main business lines as well as site correspondents. A security correspondent is systematically appointed for each project. The application of security also involves the integrity of our subcontractors, who are contractually bound by confidentiality and security clauses. Their services are strictly controlled according to the client's requirements.

Clearly identified security standards

Client data are confidential by definition and are governed by protection rules that restrict processing and transmission to the sole purpose for which the data were provided according to contract.

An awareness programme promotes information security among staff members by establishing a security culture that makes them accountable. The programme reinforces our information security by reminding people of the importance of applying ethical values and principles of conduct, and of the rules to follow and sanctions that can be incurred. A training programme on security provides courses for various staff categories: Managers, Sales and Pre-Sales Officers, Developers, Administrators, CIOs, etc.

Security perimeters define security levels that may be specific, and depending on the identified risks are partitioned with physical and logical security measures that help to restrict access according to clearance rules.

Access to information systems is managed according to zones that are both physical and logical. Access management is based on the “least privilege” principle and limited it to what is strictly necessary. Clearances are reviewed regularly, taking into account who has arrived, who has been transferred, and who has left.

Security and compliance needs are studied from the moment a new activity is set up internally or for the benefit of clients. The necessary organisation can then be established to ensure security in the Build and Run of the activity.

Security measures are applied in a comprehensive manner – for premises, people, networks and IT equipment. Workstations are secured with a tool that shows the security level of each device and restricts its access to networks (NAC solution). Equipment and connections used for tele- and mobile working are protected with mobile device management (MDM) and secure communication tunnels in the form of virtual private networks (VPN). All network flows are filtered and monitored.

These services and products are safeguarded by integrating measures in applications to ensure a state-of-the-art security level. The principle aim of these measures is to guarantee the resilience of services, the integrity of processing, and the protection of data. Developments are done to protect software against known security loopholes listed in the main standards such as OWASP.

Operational security is ensured by the geographic distribution of Group premises where numerous similar activities make it possible to operate from a distance. Client system redundancy is based on defined contractual requirements. All continuity measures are described in business continuity plans (BCP) for each site and project.

To maintain the expected level of trust, Inetum stakeholders keep abreast of new technologies and regulations. Publications and alerts from CERTs and expert groups enable them to do this.

A specific organisational structure and procedures guarantee responsiveness in the identification and resolution of incidents. These are analysed in order to define actions to improve security. Clients are informed of security incidents that may impact them, according to the conditions defined in the security assurance plan (SAP). A crisis unit is activated to handle critical security incidents.

Inetum’s security governance complies with the ISO 27001 standard based on an ongoing improvement process at 3 levels: • Operations: in response to security incidents • Security processes: with an annual internal audit programme • Security strategy, with Management reviews  

Customized trust zones for clients

In order to meet the security obligations that are required by specific organizations for the provision of services, Inetum sets out a compliance perimeter. In agreement with the client, this trust zone includes the following provisions:

  • Establishing a framework of security requirements that apply to the perimeter. Any derogation must be approved by the client;

  • Appointing a person in charge of the Inetum compliance perimeter;

  • Keeping a log to ensure traceability;

  • Reinforcing physical and logical security rules according to the defined requirements. For example: dedicated premises, encoded workstations, strong authentication, blocked USB ports, server surveillance, etc.

  • Raising awareness among managers and employees, specifically with regard to the security requirements of the perimeter;

  • Regularly signing up employees for security training programmes that concern them;

  • Producing indicators of the level of compliance with requirements, and specifically regarding security management for outside service providers.