
Implementation of a SAP (Security Action Plan) including a PCA and a PRA – MOA and MOE phases for "Carrefour"


ABOUT THE CLIENT

Carrefour

PROJECT OVERVIEW

In partnership with Safescore, we helped Carrefour define its Security Action Plan (PAS), inspired by ISO 27001 IT compliance.

TECHNICAL DIFFICULTIES

Coming across an existing non-compliant situation and working to bring it into conformity without impacting operations is a path strewn with pitfalls:

Heterogeneity of systems: As the organization uses a variety of technologies, platforms and systems, it was difficult to put in place a coherent security policy covering the entire IT environment.

Impact on productivity: Had we not worked systematically on the switchover in pre-production first, adjusting and iterating until it succeeded before applying the same changes to production, compliance could have caused temporary interruptions to operations, planned downtime and changes to work processes, all of which could have affected productivity.

THE SOLUTION

We covered three main areas: applications, infrastructure and data. Here is an overview of the projects covered in each of these areas:

1. Application security:

Secure development: Adoption of secure development practices such as the use of secure frameworks, user input validation, SQL injection prevention, session management, etc.
Identity and access management: Implement a robust authentication system and ensure that users are given only the necessary privileges.
Updates and patches: Keep applications up-to-date with the latest security patches to avoid known vulnerabilities.
Security testing: Perform regular security tests such as penetration tests and vulnerability scans to identify and resolve security issues.
Error handling: Customize error messages to avoid disclosing sensitive information, and ensure that errors are properly handled.

2. Infrastructure security:

Firewalls and packet filtering: Configure firewalls to control incoming and outgoing network traffic, and apply packet filtering rules.
Physical security: Protect physical access to servers and network equipment to prevent physical intrusion.
Patch management: Regularly apply security patches to servers, operating systems and third-party software.
Network monitoring: Set up a network monitoring system to detect suspicious activity.
Password management: Apply a strong password management policy, encourage complex passwords and use two-factor authentication (where possible).

3. Data security:

Encryption: Use encryption to protect sensitive data in transit and at rest.
Data classification: Classify data according to its sensitivity and apply security policies accordingly.
Access management: Restrict access to sensitive data to authorized users only.
Backup and disaster recovery: Implement regular backup processes and disaster recovery plans to ensure data availability.
Secure deletion: Ensure that sensitive data is securely deleted when it is no longer required.
Data auditing: Perform data audits to track access to and modifications of sensitive data.
