Security

ECLAIRION guarantees all of its clients a high degree of safety, security and cybersecurity.

The Security Insurance Plan represents an essential component of the protection of Eclairion’s own interests as well as those of its clients. It is therefore imperative that an Information System Security Policy is implemented, and that it takes into account the main risks incurred and identified:

– Risk of unavailability of information and applications and of the processing systems.

– Risk of disclosure, or loss of confidentiality, whether unintentional or deliberate, of the information provided by our clients and for which we act as a subcontractor.

– Risk of alteration, or loss of integrity, which could lead to a loss of information for our clients.

The objectives of implementing the Information System Security Policy are:

– To improve and formalise the management of the security of our tools.

– To ensure ECLAIRION’s compliance with its legal obligations with regard to the management of Personal Data (Data Protection Act, GDPR), and its ability to give evidence of this to its clients.

– To create a culture of security among the teams of ECLAIRION and its clients.

ECLAIRION wants the information security risks that could lead to unacceptable disruption of its services for clients to be managed on an ongoing basis.

A risk analysis was carried out according to the EBIOS method (Expression of Needs and Identification of Security Objectives), implemented by the ANSSI (National Agency for Information Systems Security).

Further to this risk analysis, the Information System Security Policy (ISSP) was updated and an action plan was devised for improving the security measures already in place.

On the site, the layout of the buildings and the physical protection devices of the facilities are based on the concept of defence in depth, which is reflected in an internal spatial organisation that is specific to ECLAIRION. The establishment of 3 successive lines of protection and detection around the buildings as part of the project will make it possible to deter a threat scenario and make it more complex to develop.

In order to ascertain the risk factor for which it is responsible, ECLAIRION identified the main risks associated with all the services provided in order to implement preventive and mitigating measures to reduce them.

The levels of security are based on the concept of defence in depth. Defence in depth is a principle of securing and protecting a site and a building by implementing robust lines of protection of different kinds, which are successive, concentric and combined with detection equipment. The concept applies to the data centre and is reflected in a specific internal spatial organisation.

For each area, volume, target or premises to be protected, the security levels characterise the specific constructive provisions and the physical and technical means of protection to be implemented.

The layout of the building(s) and the physical protection devices of the facilities are based on the concept of defence in depth. This concept requires taking into account the spatial zones (see the Zoning plan), which correspond to a graduation of the security levels (level 0 to level 4), and putting in place, around the buildings located in the secure enclosure, 2 successive lines of protection and detection in order to complicate and delay the development of a threat scenario.

Any attempt at intrusion must be detectable, and it must be possible to delay it by means of integrated devices. The data centre will therefore be protected by several limits and protection enclosures. The establishment of 3 successive lines of protection and detection around the buildings as part of the project will make it possible to deter a threat scenario and make it more complex to develop.

  • 1st line of protection: Upstream of the data centre, there is a set of devices to deter and prohibit access to rows and areas of concentration of pedestrians or vehicles. In the peripheral area (outside the data centre), there will be devices that can stop “hit and run” vehicles. This area will be under video surveillance. The device must be operational and usable day and night by the PCS, whatever the climatic conditions. This first line of protection will ensure the protection of the rows in the vicinity of the data centre.

  • 2nd line of protection: The external envelope of the data centre constitutes the second line of protection, aimed at preventing intrusion on site (by stealth or by force). The strength of the doors must be in line with the operating procedures identified in the risk analysis. This line of protection must prohibit any forced entry into the site with one or more vehicles and limit the effects of the use of weapons and explosives. This area will be under video surveillance. The video surveillance system must be operational and usable day and night by the PCS, whatever the climatic conditions.

  • 3rd line of protection: The delineation of each security zone within the data centre will be the final physical barrier against identified threat scenarios. Access to sensitive areas must be video-monitored and all doors will be equipped with intrusion detection.

The area between the first two lines of protection shall be reserved exclusively for duly authorised personnel.

A zoning plan is in force that separates the spaces and applies the security criteria and needs according to:

  • Their level of criticality.
  • The level of risk assessed.
  • Functional services provided (essential goods and support goods).
  • Their level of resilience and impact on continuity of the services.
  • Their area of administration: Eclairion, Client, Subcontractor, Other.

Each classification in a type of zone entails the following measures:

Access control:

  • Conditions of access.
  • Uniqueness of passage and anti-passback.
  • Level of authorisation.
  • Level of entitlement.
  • Prior access request.
  • Inheritance of the rights of the underlying zone (e.g. the Controlled Technical Zone inherits the rights of the Technical Zone).

Level of surveillance:

  • Video surveillance – Type – Detection mode – Recordings.
  • Rounds or Agent Station.
  • Position Inspection Filtering.
  • Lighting condition.
  • Traceability of entries/exits.

Restrictions:

  • Prohibited materials.
  • Prohibited substances.
  • Prohibited vehicles – Traffic and Parking.
  • Fire permits (*).
  • Environmental measures.