LEGRAND / 2018 Registration document


INTERNAL CONTROL AND RISK MANAGEMENT RISK FACTORS AND CONTROL MECHANISMS IN PLACE

3.6.2 – Operational risks

3.6.2.1 CYBERSECURITY, CONTINUITY AND PERFORMANCE OF INFORMATION SYSTEMS

Because of the scale and number of its international operations, processes and sites, Legrand’s business activity requires multiple and often interconnected information systems. In addition, the development of connected products (Eliot program) potentially exposes the Group to specific risks related to cybercrime and data security. The failure of systems (networks, cloud, infrastructure and applications) used by the Group (either directly or via service providers) or security breaches could slow or partially disrupt the Group’s industrial and commercial activity, impact the quality of customer service, or compromise the level of security and confidentiality expected by stakeholders. Such failures could originate from inside the Group (configuration error, system obsolescence, lack of infrastructure maintenance, poor IT project management, malicious acts) or from outside (viruses, cybercrime, etc.).

IT-related risks are managed through a specific governance system (monthly, quarterly and annual committee meetings, with oversight by the Group Risk Committee). The IT system is centrally managed by the Corporate IT department. The following skill sets are deployed within the Information Systems Department:

• a Head of Information Systems Security and his team, who work on improving system quality and security and are in charge of defining and implementing the policies and projects specific to these areas, such as the IT security plan, personal data protection, guidelines on the use of information systems for all employees, and data back-ups. This department is also responsible for conducting regular security audits and intrusion tests on the Group’s information systems, with the support of external service providers;
• the Projects and Architecture & Expertise teams, which implement systems and infrastructure based on the established governance structures;
• the Support teams, which are responsible for continuity of service of infrastructure and applications. They define the necessary investment and maintenance programs and oversee the change management process;
• a specific team that assists and monitors the subsidiaries, as regards both structures and application projects.

Infrastructure and information systems management is centralized and overseen through specific governance arrangements. They include server back-up and virtualization arrangements, user access management via Active Directory, the management of IT hardware, LANs and WANs, co-ordination of outsourced services and contract management. Applications used by the Group are also managed centrally; however, certain domestic applications are managed locally.

Legrand is deploying a cybersecurity masterplan which aims to strengthen and supplement all the protection, detection and response measures already implemented as part of its security policy. This masterplan is structured around the following seven components:

• a detailed analysis of IT risks;
• an IT systems security policy, based on applicable standards and best practice (ISO 27002, recommendations of the French National Cybersecurity Agency (ANSSI), etc.);
• making security an integral part of IT projects through a specific methodology;
• an employee cybersecurity awareness program;
• a structured incident handling process involving a Computer Emergency Response Team (CERT) and a Managed Security Service Provider (MSSP);
• a legal, regulatory and standards monitoring system;
• a specific program dedicated to personal data security and processing for Eliot connected objects and the related cloud.

Critical applications are covered by a 24/7 maintenance system, and quality indicators are monitored to measure application performance. A single support hotline is available in all countries and for all employees. Relationships with outsourced IT service providers are also governed by contracts that include continuity and security clauses and by a governance arrangement designed for this purpose. IT audits are carried out by external consultants or internally by the internal audit team. In the event of any damage, an insurance policy covers damage to hardware, business interruption and data recovery or reconstitution costs. Cyber risk insurance is also taken out.
