BPCE - 2019 RISK REPORT Pillar III

11 NON-COMPLIANCE AND SECURITY RISKS

11.4 Information System Security (ISS)

Organization

The Group Compliance and Security division (DS-G) establishes and adapts Group Information System Security policies. It provides continuous and consolidated oversight of information system security, along with technical and regulatory oversight. It initiates and coordinates Group projects aimed at reducing risks in its field. It also represents Groupe BPCE vis-à-vis banking industry groups and public authorities.

Groupe BPCE has established a groupwide Information System Security function comprising the Head of Group Information System Security (RSSI-G), who coordinates the function, and the Heads of IT System Security for all Group entities. The heads of Information System Security for parent company affiliates, direct subsidiaries and EIGs are functionally subordinate to the RSSI-G through coordinated actions. This means that:

• the RSSI-G is notified of the appointment of any heads of information system security;
• the Group information system security policy is adopted by individual entities in accordance with application procedures subject to validation by the Head of Group ISS;
• a report on the institutions’ compliance with the Group’s information system security policy, permanent controls, risk level, primary incidents and actions is submitted to the Group Head of IT System Security.

HIGHLIGHTS

The Group Level 2 ISS permanent control database was rolled out to all institutions on the Archer platform (governance/risk management/group controls). Three major projects were also launched:

• formulation of Group Security guidelines aimed at defining its ambitions in terms of cybersecurity, while taking into consideration information system security, IT continuity and the IT legal compliance projects (GDPR, DSP2, etc.);
• preparation of a Group identity and authorization management (IAM) roadmap with the following goals:
  – establishing a Group database of individuals, applications and organizations,
  – implementing Group IAM governance,
  – including, if possible, all Group applications in the IAM roadmap, with automatic provisioning and an overview of authorizations;
• mapping out all Group information systems, including the private systems used by the institutions.
