Cyber resilient across the organization
Information security is not the exclusive domain of our IT department – we want it to be everyone’s business. Building our cyber resilience is part of our corporate risk management approach and an ongoing effort.
Because cyber threats are constantly changing, we continually review and update our policies and IT infrastructure to stay ahead.
We subject our information security framework to regular audits. Our IT system is ISO 9000 certified, follows best Information Technology Infrastructure Library (ITIL) practices and is aligned to ISO 27000 standards.
Our Security Baselines and IT controls are designed according to the ISO 27000 series. We apply best practices in information security, following CSA and NIST standards. We also incorporate MITRE and OWASP standards – among others.
We take an 'always-on' approach to cybersecurity. We run a 24/7 Security Operations Center (SOC), bringing together our own experts and those of external companies to ensure our information assets are always protected – so that we can take swift action in the event an incident is identified.
We’ve implemented a global vulnerability management system to track and assess our exposure to threats. We use Penetration Testing and Red Teaming to review our systems’ resilience. To avoid complacency, we engage external threat and risk monitoring services to obtain an independent and unbiased assessment of our strengths and weaknesses.
Tools are critical, but an organization is only as cyber resilient as its people – which is why we’re training our workforce to be cyber-savvy. Our employees have to complete several information security awareness trainings each year, while their vigilance is put to the test all year round through simulated phishing and social engineering attacks. Regular micro trainings are also provided to complement this approach.
We believe data privacy is a fundamental right. We closely follow data protection legislation and comply with the requirements for cybersecurity and data protection across jurisdictions, including the European Union’s General Data Protection Regulation (GDPR).
Recognizing the critical importance of this topic, our Supervisory and Strategy Committee (Executive Committee of the Board of Directors) is updated at least twice a year on cybersecurity matters.