Groupe La Poste // CSR REPORT 2022

4 FOSTERING ETHICAL, INCLUSIVE AND FRUGAL DIGITAL SERVICES

The security of the group’s information systems (IS), users, equipment and subsidiaries is managed by the Group Cyber Department as part of the “4x100%” strategic plan (2022-2025). The Group Cyber Department builds and monitors the progress indicators for each of the plan’s four programmes:

■ supervision of 100% of critical IS: all critical information systems, within the meaning of the CDC Risk Appetite, must be monitored;
■ enrolment of 100% of subsidiaries in a cybersecurity scheme, so that their Internet-exposed IS, their internal IS and their messaging systems are protected;
■ protection of 100% of connected equipment: all equipment used to connect to the IS of the group or its subsidiaries must be covered by security solutions that protect it, including during remote working;
■ awareness of 100% of employees: all employees of the group and its subsidiaries must attend an annual awareness session on cyber risks and threats.

Within La Poste Groupe, 140 people work in the three security operations centres (SOCs) set up at the level of the group, of its subsidiary Docaposte and of La Banque Postale. These structures operate 24 hours a day, seven days a week, and ensure information security for the three entities. They are equipped with security information and event management (SIEM) systems, which centralise and analyse information-system events. The group’s SOC is in the process of being certified as a security incident detection service provider (Prestataire de détection d’incidents de sécurité - PDIS) by the French National Cybersecurity Agency (Agence nationale de la sécurité des systèmes d’information - ANSSI). All SOCs are coordinated by the Operations Department of the group’s Cybersecurity Department. The group’s cyberdefence organisation is currently being transformed, a process that should result in the creation of a group cyberdefence centre operating in line with market standards.

Two internal audit plans for the SOCs and SIEMs are rolled out each year, one for the group and one for La Banque Postale. In 2022, 350 audits were carried out, including 248 on subsidiaries. These plans are approved by the Chairman and Chief Executive Officer of the group and by the Chairman of the Management Board of La Banque Postale. Penetration tests are carried out internally by the group SOC or by the group’s IT Audit Department. In addition, La Banque Postale’s General Inspectorate commissions internal and external penetration tests, and the entire group runs bug bounty campaigns through YesWeHack (1). On average, 90% of sites and applications are tested every year. Lastly, La Poste Groupe conducts several anti-phishing campaigns a year, as well as information campaigns in the event of security alerts, including when its service providers or suppliers are affected. Staff who handle sensitive information follow an annual awareness programme, and the group is developing an internal training programme, “the Group’s Cybersecurity School”, to guide some of its employees towards cyber jobs. All employees have access to an incident reporting tool, which also covers cybersecurity incidents. In 2022, 18 cyber incidents were identified:

■ 3 major incidents, including the attack on La Poste Mobile, which exposed the personal data of 400,000 customers;
■ 12 GDPR incidents resulting in notifications to the French National Commission for Information Technology and Liberties (Commission nationale de l’informatique et des libertés - CNIL);
■ 3 major incidents affecting the availability of the group’s IT services.

These incidents were handled under crisis management; lessons-learned reviews and action plans are under way, led by the group’s Cybersecurity Department.

4.2 DEVELOPING DIGITAL TRUST SERVICES

Docaposte is the digital trust leader in France.

■ be certified for the excellence of its customer relations: three of its sites are ISO 18295-1 certified and another is NF 345 certified, attesting to the quality of its customer experience, in particular in its customer contact centres;
■ hold labels or certifications that are benchmarks in the market and in the areas specific to its business lines: electronic archiving systems, faithful digitisation of documents, production of standardised cheque forms, hosting of health data, electronic signature, digital identification and authentication, etc.;
■ be eIDAS qualified for its entire range of trusted digital services, and hold the highest certifications for its data centres.

Supported by the Executive Management of La Poste’s digital subsidiary, quality of service, compliance with service commitments, continuous improvement and regulatory compliance are commitments rolled out at all levels of Docaposte to ensure customer satisfaction.

These commitments have led Docaposte to:

■ implement a Quality Management System, ISO 9001 certified since 2010, and then extend the scope of certification to Occupational Health and Safety and the Environment in 2015. As at 1 March 2022, 32 of its sites were ISO 9001 certified, 13 were ISO 14001 certified and 12 were ISO 45001 certified;

(1) A bug bounty is a programme that provides financial compensation to users who find security breaches or vulnerabilities in an organisation’s application, website or any digital service.

CSR Report 2022/ LA POSTE GROUPE 65
