Sustainability Report - FY 2023
Social and societal information
Information System Protection
The CISO & CTO has full authority over the entire security infrastructure of the Group, both at their level and in the countries in which the Group operates. Combining CISO and CTO functions in the same person ensures an efficient deployment of policy and associated security systems, as well as proximity between IT and security teams.
The CISO & CTO reports directly to the Chief Information Officer, a member of the Group’s Executive Committee, who is regularly informed of threats (see below the “Protection of Information Systems” section 7.9.2, “reporting” paragraph of this Universal Registration Document).
Security Teams & Responsibilities
SOC Team (Global security operation center)
• Security Monitoring
• Incident Response
• Vulnerability Management
SSG Team (Security Strategy & Governance)
• IT Governance, Risk & Compliance
• Identity & Access Management
• Security Awareness
• Security Strategy & Design
The Cyber Defence Council
Although the Group’s Cyber Defence Council is primarily aimed at staff trained in technical functions (IT managers) in order to support them in security initiatives, the Group has made structural changes to improve team cooperation. The Digital Infrastructure and Workplace teams, which previously reported to the CTO, have been consolidated under the leadership of the CISO. This reorganisation has enabled the teams to improve their synergies and accelerate collaboration between security and technology, with cross-functional collaboration of teams and workgroups to improve and develop cybersecurity resilience overall.
Certification of the Global Security Operations Center
The Group’s Global Security Operations Centre was officially certified at the end of 2023, as assessed and recognised by Trusted Introducer. The Trusted Introducer Service (TI) was created by the European Computer Emergency Response Team (CERT) in 2000, to address common needs and set up a service infrastructure that provides essential support to all IT security and incident response teams. It is a not-for-profit organisation that lists, accredits, and certifies security teams in accordance with their demonstrated and verified maturity levels. In order to be certified, a team’s maturity level is audited against the Security Incident Management Maturity Model (SIM3).
This industry-recognised standard evaluates the four areas of action of the teams responsible for responding to and handling security incidents: Organisation, Human, Tools and Procedures.
7.9.2 Information System Protection
In 2023, the Group rolled out its Information Security Risk Management procedure. It defines how the Group manages information security risks in order to adequately protect information and its information assets. This management is structured around the following main steps: identification, prioritisation, management and monitoring of the Group’s risks concerning its information assets, operations and projects. Through the IT risk management process, stakeholders will be consulted to oversee and control risk treatment and monitoring to ensure its effectiveness. This procedure ensures the confidentiality, integrity and availability of the Group’s systems, information and services.
The scope of this procedure applies to the Group, its subsidiaries and its departments, and is aligned with the scope of the new Information Security Management System (ISMS) that has been deployed since the beginning of 2024. This procedure complies with the best practices and rules defined by the ISO/IEC 27005:2022 standard - Information Security Risk Management, which deepens the general concepts of risk management specified in the ISO/IEC 27001 standard.
Exclusive Networks SA