Issue 1: Safety of the Grand Paris Express structures
Consideration and management of security and safety risks that may arise during the construction and operation phases of the Grand Paris Express structures (with regard to malicious actions by third parties, including cyber security).
Risks
Worksite safety; Cyber security of the Grand Paris Express systems; Société du Grand Paris IT security
The risk relates to the potential failure of systems designed to ensure perimeter security and to the protective measures for the Grand Paris Express worksites. The cause of such a failure could be any external or malicious intrusion (theft, damage, sabotage). The risk also relates to the possibility of inadequate safety on worksites. In terms of safety, an accident could cause physical injury or damage to property that could lead to a worksite stoppage or a significant delay in the progress of the work.
As a Vital Information System (VIS), Société du Grand Paris must be able to meet the challenges and security levels imposed by the Military Planning Act, the aim of which is to strengthen the security of operational information systems. The risk covers the effective control of the entire process of ensuring compliance with the cyber security reference framework, including:
defining the guidelines applicable to all systems deployed as part of the Grand Paris Express; adapting cyber security requirements to the systems; ensuring consistency with the Grand Paris Express approval documentation; deploying and integrating the approved rules into the Grand Paris Express systems.
This risk is accentuated by the prevailing geopolitical or background context, which may prove hostile to infrastructure projects that are exposed to significant media coverage and represent the interests of the French government, such as the Grand Paris Express.
This relates to the risk that the integrity, availability or confidentiality of the data in Société du Grand Paris's information systems may be compromised, making it impossible to continue the project. Exposure to this risk is increasing for all companies, particularly with the recent rise in remote working. The causes may be technical (e.g. system sizing), material (e.g. server breakdowns) or human (e.g. errors in migrations or version upgrades, or possible modelling defects in the tools used to represent information geographically or spatially). The risk also includes malicious intent (intrusion into the programme manager's information systems).
Action Plans
Strengthening of risk management and organisational measures: implementation of an audit contract for worksite safety; safety and security charter for worksites; clarification of the organisational structure and responsibilities of the chain for monitoring and handling damage to third parties; strengthening the presence of programme management on the worksites through the recruitment of safety officers.
Implementation of measures to cover the risk: insurance cover against damage.
Strengthening of existing risk management measures: committee for aligning Société du Grand Paris's information systems security policies; cyber security programme management assistant responsible for preparing for compliance with the Military Planning Act; security policy for the Grand Paris Express information systems; setting up a tripartite cyber security working group with Île-de-France Mobilités and RATP-GI; assistance from the French National Agency for Information Systems Security.
Scope realignment: Société du Grand Paris's compliance with the provisions of the General Data Protection Regulation; awareness raising/internal communications (phishing tests, communication campaign on ISS rules); data centre outsourcing; information systems security manager (ISSM) reporting to the information systems department and an operational manager for day-to-day monitoring; strengthening of legal assistance to protect against attacks.
Strengthening of existing measures: IT security charter and ISS policy; IT recovery plan and crisis management processes; implementation of the recommendations of the cyber security mission.