BPCE_PILLAR_III_2017

NON-COMPLIANCE RISKS, SECURITY AND OPERATIONAL RISKS IT System Security (ISS)

11.6 IT System Security (ISS)

Organization

Created on September 1, 2017, the Group Security division (DS-G) establishes and adapts Group IT System Security policies. It provides continuous and consolidated monitoring of information system security, along with technical and regulatory monitoring. It initiates and coordinates Group projects aimed at reducing risks in its field. Within its remit, DS-G represents Groupe BPCE with respect to banking industry groups and to public authorities. As a contributor to the permanent control system, the Group Head of Security reports to the Compliance, Security and Operational Risks division. Within the central institution, the Group ISS division also maintains regular contact with the Group’s Inspection Générale division.

Groupe BPCE has established a groupwide Information System Security department. It includes the Head of Group IT System Security (RSSI-G), who coordinates the function, and the Heads of IT System Security for all of the companies.

The heads of IT System Security for parent company affiliates, direct subsidiaries and EIGs are functionally linked to the RSSI-G. This functional link is achieved through coordinated actions. This means that:

● the RSSI-G is notified of the appointment of any heads of IT system security;
● the Group’s IT system security policy is adopted within the companies, and each company’s application methods of the Group IT system security policy must be presented for validation to the Group’s Head of IT System Security prior to approval by Executive Management and presentation to the Board of Directors or the Management Board;
● a report on the institutions’ compliance with the Group’s IT system security policy, permanent controls, risk level, primary incidents and actions is submitted to the Group Head of IT System Security.

Activities in 2017

The Group’s IT system security policy (PSSI-G) incorporates the Group’s security requirements. It is comprised of an IT System Security framework associated with the Group’s Risk, Compliance and Permanent Control Charter, 430 rules divided into 19 categories and three organizational instruction documents (1). It is revised annually according to an ongoing process of improvement. The 2017 review of the PSSI-G examined legal and regulatory developments (French Military Spending Act, new directive on payment services, European Data Protection regulation) and changes in group structure and governance. Moreover, the information system security permanent control Group standards were also entirely revised and will be rolled out to all companies in 2018.

In 2017, IT System Security risk mapping was expanded to include:

● operational availability of the group’s Archer IT System Security risk-mapping platform to group companies;
● convergence of standards in the IT System Security function;
● coordination with operational risks.

The Group Security division also took over responsibility for overseeing the groupwide implementation of European Data Protection Regulation (EDPR) requirements. Twelve projects were identified for this purpose (overall organization and standards, creation of a consistent data processing register, incorporation of EDPR requirements in projects, training and awareness-raising, etc.).

As part of the Group’s digital transformation, an IT System Security support system for digital projects was introduced, specifically tailored to the agile development cycle.


(1) Operating procedures of the Groupe BPCE IT System Security department, information system security permanent control, classification of sensitive IS assets.


Risk Report Pillar III 2017
