To lead an effective and efficient security program, companies should manage security in line with a strategic vision, business objectives, regulatory compliance and industry best practices. Security management must also be integrated into business processes in order to improve corporate processes and to implement a framework, artifacts and an organizational culture.

European Security Expertise Center (ESEC)

Sogeti ESEC is composed of expertise centers for information security, IT security, and system, network and telecom administration. It is staffed by consultants and experts who work in Europe on behalf of the entire SOGETI Group. Its main objectives include reinforcing the SOGETI Group's operational forces, providing technical leadership on projects, coordinating and maintaining Service Level Agreements (SLAs), and defining and organizing high added value offers. Each expertise center carries the Group's activity to which it is dedicated, and becomes the best guarantee of work quality and of our commitment.

To help companies through the different steps of implementing and deploying security, Sogeti ESEC will provide the following expertise:

Process:

  • Security Maturity evaluation of the company
  • Security governance definition
  • Security awareness
  • Functional Security Testing

Architecture:

  • Definition of secure architecture;
  • Definition of security policy (company's target);
  • Monitoring and evaluation of secure architecture risk levels by performing penetration testing;
  • Tests and comparison of offers that are available on the market, network security solution benchmarking;
  • Technological and vulnerability monitoring.

Security solutions:

  • Firewalls and proxy servers, secure remote access (RAS and VPN);
  • VPN and backbone encryption;
  • Certificates and PKI, logical and physical strong authentication;
  • Centralized directory (RADIUS and LDAP);
  • Antivirus protection and content checking, URL filtering;
  • Administration, follow-up and reporting.

The Security Expertise Center (ESEC) is, for the Group, the representative and coordinator for all strategic partnerships with security product vendors and security equipment builders. These partnerships are systematically decided upon at the level of the Group and for the entire European area.

Security study and consulting

Securing logical access to a company's information system is not simply a matter of qualifying techniques and products. SOGETI believes that a general framework for this security must be defined for the company. Accordingly, our study offers allow the company to better understand the security project as such and to arrive at the right choice for the right need.

  • Study of the security context which can be coupled with an audit of the current context;
  • Consulting in technologies that are available on the market, product comparison / multi-vendor solutions and qualification of the functionalities that respond to the company's needs;
  • Definition of a security policy for the company; and
  • Elaboration of a security solution that responds to these needs.

Security qualification

SOGETI has designed an offer fully adjustable to the company's needs in terms of security level qualification:

  • Targeted audit / general audit;
  • Logical audit / physical audit;
  • Penetration testing / Denial of service testing;
  • Technical audit / organizational audit / global audit;
  • Unitary audit / recurring audit.

These evaluations rely on a proven internal reference framework and methodology, as well as on standard audit and management methodologies in the field of security:

  • MARION and MEHARI methods (CLUSIF);
  • British Standard 7799 (ISO 17799), ISO 27001;
  • Common Criteria (ISO 15408);
  • ISO/IEC 13335-5.

Occasional audits provide an instant view of the situation. Consistent security evaluation gives the company a way to qualify its architecture three or four times per year (after each significant change, or periodically) so that it can follow up on the changes performed in the best possible way. Audits enable the qualification of both the technical security aspects (rules, filtering, active hardware, etc.) and the organizational aspects that the company has set up (follow-up and monitoring of security via in-house operation or subcontracting to a service provider, administrators' responsiveness, etc.).

Elaboration and integration of security solutions

The integration of the different technological solutions requires that the company's existing context, its technical choices, and organizational aspects be taken into account. Our offers include a transfer of skills to internal teams:

  • Integration of the different products that make up the overall solution;
  • Elaboration composed of different steps, from prototyping to putting into production, including user validation of a solution during the pre-production phase.

The ESEC Security Lab (SLAB)

SOGETI has put in place real technical and technological structures dedicated to the expertise of our offers in highly sensitive contexts. These laboratories enable the qualification of listed risks, benchmarking of the solutions on the market, simulation of logical penetration, and development of large-scale attacks to check the stability of IT processes and telecommunications.

SOGETI's e-security technical and technological laboratory relies on a set of tests and powerful tools to simulate dangers, identify risks and anticipate counter-attacks. It consistently takes into account the security alerts listed by international monitoring organizations and worldwide reference services in this field. This technological laboratory dedicated to security is located in Paris on ESEC premises and allows the consultants to carry out their technology watch, specific developments, prototypes of specific environments and external penetration audits.

The Security Lab is:

  • A set of offices with controlled access, specially secured and under surveillance;
  • A network physically isolated from SOGETI networks, with several dedicated, external, firewall-protected Internet connections (an SDSL connection and associated routers);
  • A set of workstations and dedicated servers for developments and the various prototypes, all physically protected against unauthorized access (locks/encryption);
  • Security equipment dedicated to technology watch, the setting up of prototypes and support:
      • Firewalls: Cisco PIX, Checkpoint, Nokia, Linux, …
      • IDS sensors: Snort, ISS, etc.
      • Proxy: Bluecoat, ISA server, Squid, etc.
      • Other: TrendMicro, ActiveCard, Calyx, etc.
  • WarDialing equipment that uses Telesweep commercial software and telephone lines, enabling tests and automatic penetration attempts on over 300 phone numbers every hour.

 

Contacts

For more information please contact your local Sogeti office or:

Edouard Jeanson
edouard.jeanson@sogeti.com