Information System Security Policy (ISSP)

Introduction – Novelis Security Policy:

Novelis is a technology player created in 2017, at the forefront of AI research, specializing in innovative architectures and operational efficiency of business processes.

Our expertise is based on the work of our internal research laboratory, created in collaboration with the Ecole Polytechnique, in which doctors work daily on fundamental and experimental research on AI and NLP.

Security is at the heart of our business. We devote a lot of resources and energy to:

  • Securing our information system;
  • Building secure web solutions for our customers from the design phase onwards;
  • Defining, implementing, operating and improving all human, organizational, technical and legal means to protect Novelis services and information systems.

Building a long-lasting and trusting relationship with our clients is essential to us. With the increasing exposure of web platforms to IT security threats, we take our role in protecting our infrastructure very seriously and work daily to strengthen our services.

That’s why Novelis has set up a security approach with the aim of achieving market reference labels and certifications, which are a guarantee of quality and confidence for you.

Our employees are committed to this approach and contribute to it actively on a daily basis. They are responsible for ensuring that the security rules are known, understood and applied within their area of responsibility and within their mission. They remain vigilant in their various uses of the information systems, in order to detect possible incidents and adopt the appropriate behavior in a risky situation.

This Information Systems Security Policy is applicable to the subcontracting relationship between Novelis and its Clients, to the web solutions Novelis develops for its clients, and to the data that the Client subcontracts to Novelis.

  • Security and our employees

At Novelis, the learning and application of security measures starts when employees are recruited, so that the security culture is spread throughout the company. Every employee is aware of the threats to the information systems and therefore knows their responsibilities towards them. This enables each of them to act as a permanent participant in security.

To this end, training in the proper use of IT resources is provided to each employee as soon as he or she joins Novelis and is regularly supplemented by additional training.

Novelis employees who develop and build our clients’ solutions are regularly trained in web security best practices, including the OWASP Top Ten.

  • Property and Asset Management

Effectively ensuring the security of our information systems requires knowledge of security needs. This is why each asset – hardware, workstation, server, etc. – is subject to a detailed inventory and then classified with an associated owner.

A disposal procedure is formalized and implemented whenever an asset is removed from the information system or disposed of.

  • Access management

One of the essential factors in the security of the Information System is the management of physical and logical access: this is based on effective processes that allow for the proper management of identities, their permanent updating and robust authentication mechanisms.

Thus, each user accessing the Novelis Information System is duly identified and authenticated. Each account is linked to a unique individual in order to guarantee the traceability of accesses and actions.

The rights and authorizations granted to users are defined according to their business profile and in compliance with the principles of least privilege and separation of duties, in order to guarantee data confidentiality. A review of accounts is carried out every 6 months to ensure the legitimacy of all accounts.

  • Documentation

Documenting methodologies, processes and actions is an essential element for their proper application.

Therefore, documentation is regularly updated. It standardizes practices within Novelis and is used and implemented at all levels of the company.

  • Physical security

At Novelis, we actively implement physical security policies at both of our facilities.

A variety of physical protection measures are implemented including:

  • Remote surveillance and anti-intrusion systems in our premises;
  • A unique access badge for each employee;
  • An access management policy based on the profile of employees and external contributors.

Each user of the Information System also participates in physical security by following good practices, such as closing offices, the “clean desk” policy, locking workstations during absences, and the reinforced protection of sensitive documentation.

  • Terminal security

Access to the workstation is only possible after a mandatory authentication phase (password or biometrics). Each workstation is equipped with regularly updated antivirus software.

  • Subcontracting management

All contracts with our subcontractors include strict, applicable security requirements and the means to monitor compliance with these requirements.

The requirements we have for our subcontractors are at least equivalent to our own internal security requirements, in order to meet our commitment to a high level of information systems security.

  • Network security

A network partitioning and containment policy is in place within Novelis networks. This partitioning is accompanied by an internal and external filtering policy to combat malicious code.

Our solutions hosted in our partners’ datacenters are protected (firewall & hardening) and there is no direct connection with Novelis internal environments.

Remote access to Novelis’ information system is done via an encrypted VPN with multi-factor authentication (MFA).

  • Privacy and data encryption

Several encryption measures are implemented to ensure the confidentiality of the information and data processed.

First, all workstations and terminals are password-protected to ensure that information is inaccessible to unauthorized persons.

Media containing information are protected against unauthorized access by physical and hardware safeguards.

Novelis never accesses or uses your data except as expressly stated in our contracts or as documented in your instructions. Your data is also never sold to third parties.

  • Security of our web solutions

At Novelis, we are aware of the various threats that constantly plague web applications. For this reason, we have taken the necessary security measures to ensure the protection of the data processed by our sites.

We systematically apply several principles for the security of our clients’ environments:

  • Hardening of our servers: minimum number of open ports, minimum number of tools per machine, monitoring and regular application of security patches, no backdoors, etc.;
  • HTTPS only, with automatic testing of TLS/SSL configuration quality; daily configuration verification by OpenVAS;
  • Periodic penetration tests;
  • Automated configuration and deployment;
  • Logging of all events and automatic reporting of anomalies to the teams;
  • Hardware monitoring with email alerts when tolerance thresholds are exceeded (alerts are repeated at regular intervals until the issue is corrected);
  • Monitoring of security events by a SIEM, with email alerts in case of an attack;
  • Application monitoring with email alerts in case of unavailability of an application (alerts are repeated at regular intervals until the issue is corrected);
  • Daily backups of all production systems, stored on tapes in other datacenters;
  • Subscription to various newsletters and RSS feeds on security and CVE reports.

In the design of our solutions, we also systematically apply strong security principles:

  • Web services and APIs authenticated by default;
  • Isolated, siloed session management;
  • Encryption and hashing: passwords hashed by default, use of secure exchange tokens;
  • Automated intrusion testing;
  • Training and regular awareness sessions on the OWASP Top Ten;
  • Regular monitoring and patching of the libraries and middleware used;
  • Cross code review;