Saint-Gobain // Universal Registration Document 2021

Risks and control / Internal control

2.5.4 General doctrine on information systems security

The Information Systems Department compiles security rules and policies concerning the information systems and networks, based on four sets of compulsory minimum security rules in the following areas:
■ infrastructure, with 23 minimum security rules (31 control points, 94 entities) and SGTS Security Reporting (34 control points, 15 SGTS covering 776 entities);
■ applications and websites, with the 25 minimum security rules (50 control points, 28 expertise centers);
■ industrial information technology systems, with at least 28 security rules (68 control points, 891 entities, including 189 with critical or large industrial IT systems);
■ Research and Development Centers, with at least 7 security rules (13 control points, 16 R&D centers);
■ the hosting of resources in the Datacenters or Cloud solutions operated by partners led by the Group DSI or SGTS (99 control points, 17 Datacenters/private Cloud solutions, 33 Cloud Public security rules, 1 Cloud Public Azure solution).

These rules are the operational application by area of another two key high-level documents in the new IT security document reference system:
■ the General IT Security policy letter, ensuring the importance of this issue and its sponsorship by top management;
■ the Group IT Security Doctrine, the essential standards that form the Information Systems Security policy;
■ the reference framework for short and medium-term actions to strengthen Saint-Gobain’s cyber-defense against new cyber-attacks. This framework is divided into four specific operational cyber-defense action plans covering global infrastructure, local infrastructure, applications and websites, and industrial systems.

Technical standards are also issued as a supplement to these rules, and are updated periodically (25 new documents in 2021) to keep pace with technological advances and control infrastructure services.
The Information Systems Department has notably defined and rolled out:
■ a tool (RMT, Rights Management Tool) for controlling SAP user rights and managing conflicting segregations of duties. This tool will be gradually integrated into all the Group’s SAP systems;
■ a technical standard (SAP4SG) to improve the security of SAP environments. A tool (SAP4SG) is being rolled out across 47 SAP environments hosted in the IBM (P1) Datacenter to monitor and check the points covered by this standard:
  – the implementation of security patches in the SAP Production environments,
  – the technical configuration of the environments to improve security,
  – the monitoring of technical roles, profiles and accounts, as well as high privilege accounts;
■ a technical standard to manage technical and business accounts that access applications (ATA/ABA, Application Technical Accounts/Application Business Accounts);
■ a Web Application Secured Development (3.2) standard (WASD);
■ a technical standard to Secure the Hosting of Internet Applications (SHIA);
■ a technical standard for SaaS systems which defines responsibilities and security measures for implementation;
■ a series of security rules for the annual security control of the central and regional datacenters (Datacenter Security Rules 4 SG) and the Public Cloud Security Rules;
■ a technical standard for the security of applications hosted by Saint-Gobain partners for publication on the internet;
■ the methodology for the assessment of Cybersecurity risks, used to assess the measures to be implemented to integrate security into all projects from the first stage, and into contracts with suppliers.

Moreover, the ITAC reference guide was published in 2012. As an addition to the Internal Control Reference Framework, which describes the automated and semi-automated controls used for 5 key processes (Purchasing, Sales, Inventory, Cash Management and Accounting), it covers the Group’s main ERP software and includes:
■ a reference guide for SAP: ITAC4SAP with 143 control points;
■ a reference guide for MOVEX M3: ITAC4M3 with 96 control points;
■ a standard for EXACT: ITAC4EXACT with 85 control points.

The ITAC4SAP reference guide has been updated to ensure consistency with the updated Internal Control Reference Framework (143 control points including controls for the segregation of tasks).
The controls are being gradually integrated into the Group’s information systems as follows:
■ ITAC100 ITAC4SAP for SAP systems (deployed in 47 SAP systems covering 323 Group companies), including specific updates for the Building Distribution activity;
■ ITAC96 ITAC4M3 for MOVEX M3 systems (deployed in 4 M3 systems covering 37 Group companies);
■ ITAC85 ITAC4EXACT for EXACT systems (deployed in 1 EXACT system covering 24 Group companies);
■ the main ITACs deployed in 1 MS Dynamics system covering 1 Group company, and the SAP Business One systems, covering 23 companies.
