Universal Registration Document 2023

4. Corporate Social Responsibility Non-Financial Performance - AFR

4.3.4 Data security: Role of the Global Security Office (GSO)

1) Governance, role and mission

At Publicis Groupe, information security is everybody’s responsibility. This involves protecting sensitive information, particularly that of clients. The entire security program is led by a dedicated team, the Global Security Office (GSO), which brings together highly experienced professionals holding industry certifications such as CISSP, CISA, CISM and CRISC.

The GSO is responsible for the policies, guidelines and standards applied throughout the Groupe. The program follows a logic of continuous improvement, with an ongoing assessment of security risks and monitoring of how Groupe rules are applied. The work of the GSO is managed and monitored by the Groupe’s Top Management. The GSO oversees a number of programs, including compliance, risk management, security and vulnerability testing, technical reviews, service continuity plans and employee awareness of these risks. Particular attention is paid to training all teams using different methods (blogs, articles, videos, tests, graphics, etc.) in six languages (French, English, Spanish, Chinese, Portuguese, German) to build a culture of security across the entire Groupe. All employees must complete a mandatory module on data and information security each year, in addition to on‑demand training such as secure coding. The GSO team coordinates regular communication with all employees, recalling security best practices and describing current threats.

A dedicated team, the SOC (Security Operations Center), monitors cybercrime risks (ransomware, malware, phishing, etc.). The SOC operates 24/7 and is ready to intervene to protect infrastructure, systems, information and data and, where necessary, to activate business continuity plans and disaster recovery plans.

2) Certifications and compliance

The GSO program is subject to multiple independent external audits throughout the year. These audits are conducted by third parties, including at the request of our clients and partners, in order to maintain the highest levels of assurance and to keep improving the systems year after year. GSO teams work closely with agency project teams to ensure compliance with client expectations. This means following external certifications such as ISO 27001 or ISO 22301, as well as more specific standards such as the Payment Card Industry Data Security Standard (PCI DSS), the Health Insurance Portability and Accountability Act (HIPAA) for healthcare, or Service Organization Control (SOC) reports against the Trust Services Criteria. Groupe information security policies are aligned with the ISO 27001 standard; the Groupe’s largest entities in the United States, India, the United Kingdom and Latin America are ISO 27001‑certified. The GSO monitors these ISO 27001 certifications for the entities, agencies and departments where they are imperative, such as the shared service centers covering IT and systems infrastructure, general services, HR and security (GSO), which together represent more than 11,000 people in the Groupe. The GSO prepares for and follows up on the external audits to ensure that the standards are met and compliance is maintained. Some entities are ISO 22301‑certified for specific business continuity plans.

Data security issues are centralized and each employee can contact the GSO and its help desk teams directly at: askgso@publicisgroupe.com.

3) With suppliers and partners

Suppliers working with the Groupe must meet security criteria, which are an integral part of the contract. The GSO manages the Security Risk Management program in cooperation with the Groupe Procurement Department (see Section 4.3.9). It consists of formal security risk assessments reviewing the supplier’s administrative, technical and physical security controls. These assessments are regular and contractual, in order to protect the Groupe’s information systems.

The Information Systems Security policy is an integral part of the Janus Code of Conduct and Ethics; it is publicly available in the CSR library of the Groupe’s website.

4.3.5 Anti‑Corruption Compliance Program

The Groupe complies with the provisions of the French law known as “Sapin 2". The Groupe has implemented a compliance program as provided for by law, including the Janus Code of Conduct and Ethics and the anti‑bribery and anti‑corruption policy, illustrating acts and behaviors relating to corruption or influence peddling that are prohibited. The Groupe is also in compliance with the other anti‑corruption laws applicable where it operates.