Investor Presentation
CYBER RISK MANAGEMENT: INTEGRATED IN THE OPERATIONAL RISK MANAGEMENT APPROACH
INFORMATION SYSTEMS SECURITY GOVERNANCE BASED ON FOUR FUNDAMENTAL PRINCIPLES

1. Accountability, especially at business line level

2. Risk-based approach
   - Based on an IS Security risk-acceptance framework
   - Application of security policies based on a counter-factual analysis of activities and projects
   - Proportionality: the security system is proportionate to the level of risk incurred
   - Operational risk map, updated regularly by the risk management function and including information systems risks

3. Information systems security controls
   - Controls are defined and/or signed off by the Information Systems Security Officer
   - Any exceptions are documented and monitored by the Information Systems Security Officer in accordance with the procedure
   - Instances of non-compliance are closely monitored and an escalation procedure is implemented where necessary

4. Continuous improvement
   - Information systems security risks and the related management processes are reviewed annually

Group Cybersecurity Officer reporting to the Operational Risk Director, who in turn reports to the Risk Director responsible for the area concerned: entire Group (including CNP Assurances)

La Banque Postale
Implemented around

1. A Systems Security function deployed across all business lines. Systems Security Officers: appointed within the risk management functions of all business lines and subsidiaries, trained in systems security, to implement the roadmap

2. Four committees:
   - CSIT (information systems strategy)
   - COSSI (operational risks related to information systems)
   - CRC métiers (risk monitoring at business line level)
   - CPRG (decision-making at Executive Board level)

3. A Group-wide reference framework, approved by the CPRG: topic-based policies aligned with the business lines, IS technical guidelines, defined processes (exceptions, labels, etc.)

Investor presentation / December 2021