Security
Information security, the strongest link in security
Clearly identified security standards
Client data are confidential by definition and are governed by protection rules that restrict processing and transmission to the sole purpose for which the data were provided according to contract.
An awareness programme promotes information security among staff members by establishing a security culture that makes them accountable. The programme reinforces our information security by reminding people of the importance of applying ethical values and principles of conduct, and of the rules to follow and sanctions that can be incurred. A training programme on security provides courses for various staff categories: Managers, Sales and Pre-Sales Officers, Developers, Administrators, CIOs, etc.
Security perimeters define security levels, which may be specific to each perimeter; depending on the identified risks, they are partitioned with physical and logical security measures that restrict access according to clearance rules.
Access to information systems is managed according to zones that are both physical and logical. Access management is based on the “least privilege” principle and is limited to what is strictly necessary. Clearances are reviewed regularly, taking into account who has arrived, who has been transferred, and who has left.
Security and compliance needs are studied from the moment a new activity is set up internally or for the benefit of clients. The necessary organisation can then be established to ensure security in the Build and Run of the activity.
Security measures are applied in a comprehensive manner – for premises, people, networks and IT equipment. Workstations are secured with a network access control (NAC) solution that assesses the security level of each device and restricts its network access accordingly. Equipment and connections used for tele- and mobile working are protected with mobile device management (MDM) and secure communication tunnels in the form of virtual private networks (VPN). All network flows are filtered and monitored.
These services and products are safeguarded by integrating security measures into the applications themselves, to ensure a state-of-the-art security level. The principal aim of these measures is to guarantee the resilience of services, the integrity of processing, and the protection of data. Software is developed so as to protect it against the known vulnerabilities listed in the main standards, such as those published by OWASP.
Operational security is ensured by the geographic distribution of Group premises: because numerous similar activities are carried out at several sites, operations can be taken over from a distance. Client system redundancy is based on defined contractual requirements. All continuity measures are described in business continuity plans (BCP) for each site and project.
To maintain the expected level of trust, Inetum stakeholders keep abreast of new technologies and regulations. Publications and alerts from CERTs and expert groups enable them to do this.
A specific organisational structure and procedures guarantee responsiveness in the identification and resolution of incidents. These are analysed in order to define actions to improve security. Clients are informed of security incidents that may impact them, according to the conditions defined in the security assurance plan (SAP). A crisis unit is activated to handle critical security incidents.
Inetum’s security governance complies with the ISO 27001 standard, based on an ongoing improvement process at 3 levels:
• Operations: in response to security incidents
• Security processes: with an annual internal audit programme
• Security strategy: with Management reviews