
HOW TO

AIM OF THE DOCUMENT

The aim of this document is to perform a cyber-security assessment that lets Valeo know your level of maturity in terms of information
protection and make sure it is aligned with its ISSP (Information System Security Policy) and requirements (certifications…).
Once filled in, please send this document together with the evidence to: valeo.cybersecurity-assessment.mailbox@valeo.com

HOW TO FILL IT

Only the "3rd Party Information" and "Cyber Security Self-Assessment" tabs have to be filled in.

TAB "3rd PARTY INFORMATION"


Fill in all the fields.

TAB "CYBER SECURITY SELF ASSESSMENT"

You just have to fill in 3 columns:

- "Current level"
- "Evidence Reference(s)"
- "Comments"

And provide the evidence.

#1 CURRENT LEVEL
For each "CONTROL" you have to indicate your level of maturity following the definitions below:

- Level 5 (OPTIMIZED): The process is in continuous improvement and has already been improved.
- Level 4 (MANAGED): The process is followed with KPIs.
- Level 3 (DEFINED): The process is completely defined and known internally in the company. It is followed by everyone.
- Level 2 (REPEATABLE): The process exists and is written, but only a few persons follow it.
- Level 1 (INITIAL): The process doesn't exist. People proceed the way they want.
- Level 0 (NOTHING): Nothing is done.

Warning: If these level definitions are not respected, the result will be invalidated by Valeo.
If "n/a" is selected, you must provide evidence that the control is not applicable.

"EXPECTED LEVEL" corresponds to the minimum level of maturity expected by Valeo.

"LEVEL" corresponds to the maturity level kept and taken into account by Valeo in its analysis.
It is capped at the "EXPECTED LEVEL" if your level of maturity is above it.

#2 EVIDENCE REFERENCE(S)
Indicate the reference/name of the different documents provided in response to the control.

#3 COMMENTS
This field is free text but has to be filled in to explain why a control is not applicable.

Note: A few examples are given in the "Example" tab.

TAB "RESULTS"
The "Results" tab is updated automatically. It displays your level of maturity (red line) in comparison with the level
expected by Valeo (green area).

THIRD PARTY CYBER SECURITY SELF-ASSESSMENT

Columns: REF. | CONTROL | CURRENT LEVEL | EXPECTED LEVEL | LEVEL | EVIDENCE REFERENCE(S) | COMMENTS

Example

SEC-ORG-001 Specify whether a supplier Security Officer is defined, and provide the evidence 3 3 3 3 Evidence: Nomination note.pdf, Job description.pdf. Comment: There is one Security Officer per site

SEC-ORG-003 If the supplier is working with personal or company devices, provide your hardening policy regarding mobile devices n/a n/a n/a n/a Comment: The team working for Valeo only uses Valeo devices
THIRD PARTY INFORMATION

Assessment Date

Company Name

Company Country

Supplier ID (SupID)

Assessor Name

Assessor Function

Assessor eMail

Assessor Fix Phone


THIRD PARTY CYBER SECURITY SELF-ASSESSMENT

Columns: REF. | CONTROL | CURRENT LEVEL | EXPECTED LEVEL | LEVEL | EVIDENCE REFERENCE(S) | COMMENTS

Information security policies (6 controls, average expected level 3.0)

SEC-DOC-001 Indicate your level of maturity regarding the ISO/IEC 27001:2013 certification, and provide the evidence 0 3 0 3

SEC-DOC-002 Indicate your level of maturity regarding the ISO/IEC 27017:2015 certification, and provide the evidence 0 3 0 3

SEC-DOC-003 Indicate your level of maturity regarding the ISO/IEC 27018:2015 certification, and provide the evidence 0 3 0 3

SEC-DOC-004 Indicate your level of maturity regarding the SOC 1 or ISAE 3402 certifications, and provide the evidence 0 3 0 3

SEC-DOC-005 Provide the SOC 2 report (to be checked by Valeo security organization) 0 3 0 3

SEC-DOC-006 Provide your ISSP (to be checked by Valeo security organization) 0 3 0 3

Organization of information security (5 controls, average expected level 3.2)

SEC-ORG-001 Specify whether a supplier Security Officer is defined, and provide the evidence 0 3 0 3

SEC-ORG-002 Describe your security organization (including responsibilities), and provide the evidence 0 3 0 3

SEC-ORG-003 Provide your hardening policy regarding mobile devices 0 3 0 3

SEC-ORG-004 Indicate how you manage external devices, describe the corresponding policy, and provide the evidence 0 3 0 3

SEC-ORG-005 Describe how you manage major changes in organization and processes in terms of security, and provide the evidence 0 4 0 4

Human resource security (3 controls, average expected level 3.3)

SEC-HUM-001 Describe how you manage secret information, and provide the evidence (e.g. specific NDA...) 0 4 0 4

SEC-HUM-002 Describe how you manage your employees' security awareness and training (particularly regarding security staff, and confidential and secret information handling...), and provide the evidence 0 3 0 3

SEC-HUM-003 Indicate how you make sure your employees are bound by a non-disclosure agreement to protect confidential or secret information, and provide the evidence 0 3 0 3

Asset management (7 controls, average expected level 3.1)

SEC-AST-001 Describe how you manage confidentiality in your suppliers' contracts, and provide the evidence 0 3 0 3

SEC-AST-002 Describe how you manage the assets handling Valeo data/information (classification, responsibility...), and provide the evidence 0 3 0 3

SEC-AST-003 Specify how you manage the classification of your assets, and provide the evidence 0 2 0 2

SEC-AST-004 Describe how you control the protection of information depending on its classification, and provide the evidence 0 3 0 3

SEC-AST-005 Describe how you guarantee the destruction of Valeo information (process, techniques...), for instance on Valeo's request, and provide the evidence 0 4 0 4

SEC-AST-006 Describe how you manage the end of a contract (process, information destruction techniques...), and provide the evidence 0 3 0 3

SEC-AST-007 Describe how you manage the protection and incident detection for the assets, and provide the evidence 0 4 0 4

Access management (10 controls, average expected level 3.2)

SEC-ACC-001 Describe how you manage access to the platforms from external locations, and provide the evidence 0 4 0 4

SEC-ACC-002 Indicate how you manage 'Identity' and provisioning in your user access process, detail when it is related to third parties, and provide the evidence. 0 3 0 3

SEC-ACC-003 Indicate how you manage 'Role' and provisioning in your user access process, detail when it is related to third parties, and provide the evidence. 0 3 0 3

SEC-ACC-004 Indicate how you manage 'Authentication' in your user access process, detail when it is related to third parties, and provide the evidence. 0 4 0 4

SEC-ACC-005 Indicate how you manage privileged accounts in your user access process, detail when it is related to third parties, and provide the evidence. 0 3 0 3

SEC-ACC-006 Describe how you control access to sensitive platforms or information, and provide the evidence 0 3 0 3

SEC-ACC-007 Describe your password policy, and provide the evidence 0 3 0 3

SEC-ACC-008 Describe how you control the protection of secret information, and provide the evidence 0 3 0 3

SEC-ACC-009 Describe your data access management when access is not handled by an application, and provide the evidence 0 3 0 3

SEC-ACC-010 Describe how you manage access to data received from a transfer, and provide the evidence 0 3 0 3

Cryptography (3 controls, average expected level 3.3)

SEC-CRY-001 Indicate how you can authorize SafeNet or Valeo encryption techniques, and provide the evidence 0 4 0 4

SEC-CRY-002 Specify how you manage encryption, and provide the evidence 0 3 0 3

SEC-CRY-003 Describe how you manage backups (including encryption) containing confidential or secret information, and provide the evidence 0 3 0 3

Physical and environmental security (6 controls, average expected level 3.2)

SEC-PHY-001 Indicate your level of hosting physical security, and provide the evidence (datacenter certification) 0 4 0 4

SEC-PHY-002 Describe how you manage the different physical zones according to their level of criticality, and provide the evidence 0 3 0 3

SEC-PHY-003 Describe how you manage physical access to assets, and provide the evidence 0 3 0 3

SEC-PHY-004 Describe how you monitor the different physical zones according to their level of criticality, and provide the evidence 0 3 0 3

SEC-PHY-005 Indicate how you are protected against natural threats, and provide the evidence 0 3 0 3

SEC-PHY-006 Describe how you manage the 'off-premises' use of assets, and provide the evidence 0 3 0 3

Operations security (7 controls, average expected level 3.3)

SEC-OPS-001 Indicate how the different environments (development, testing, production) are organized, and provide the evidence 0 3 0 3

SEC-OPS-002 Describe how you manage endpoint protection, and provide the evidence 0 3 0 3

SEC-OPS-003 Describe how you manage backups, and provide the evidence 0 3 0 3

SEC-OPS-004 Describe how you manage event logs and the possibility for Valeo to access them, and provide the evidence 0 3 0 3

SEC-OPS-005 Indicate how you monitor unauthorized administration activities, and provide the evidence 0 3 0 3

SEC-OPS-006 Describe your vulnerability management process, and provide the evidence 0 4 0 4

SEC-OPS-007 Describe your patch management process, and provide the evidence 0 4 0 4

Communications security (4 controls, average expected level 3.3)

SEC-COM-001 Describe how you manage access to Valeo data (including from external locations), and provide the evidence 0 3 0 3

SEC-COM-002 Describe how you manage your network protection, and provide the evidence 0 3 0 3

SEC-COM-003 Describe your network segregation strategy, and provide the evidence 0 4 0 4

SEC-COM-004 Describe how you protect data during a transfer (internal or external), and provide the evidence 0 3 0 3

Systems acquisition, development and maintenance (3 controls, average expected level 3.0)

SEC-ACQ-001 Indicate how you handle the different data needed in the different environments (development, testing, production), and provide the evidence 0 2 0 2

SEC-ACQ-002 Describe how you manage security during the development lifecycle, and provide the evidence 0 3 0 3

SEC-ACQ-003 Confirm that no Valeo operational data is used for testing, and provide the evidence 0 4 0 4

Third party relationship (7 controls, average expected level 3.1)

SEC-SUP-001 Indicate how you control the information and access segregation of your different customers, and provide the evidence 0 3 0 3

SEC-SUP-002 Indicate whether you can provide an environment dedicated to Valeo and any limits to that, and provide the evidence 0 3 0 3

SEC-SUP-003 Indicate how you can manage applications in the Valeo environment, and provide the evidence 0 3 0 3

SEC-SUP-004 Describe how you manage changes linked to security (communication to users, renewal of certifications...), and provide the evidence 0 3 0 3

SEC-SUP-005 Indicate if subcontractors are involved. If so, indicate how you choose your third parties, and how you make sure they are compliant with your customers' security rules and that all of them have been declared. Provide the evidence 0 3 0 3

SEC-SUP-006 Indicate how you make sure your subcontractors are bound by a non-disclosure agreement so as to be compliant with your customers' security requirements, and provide the evidence 0 4 0 4

SEC-SUP-007 Provide the standard audit clause included in your subcontractors' contracts 0 3 0 3

Information security incident management (3 controls, average expected level 3.3)

SEC-INC-001 Describe how you handle monitoring in the security incident management process, indicate how it feeds into improvement, and provide the evidence 0 3 0 3

SEC-INC-002 Describe how you handle reporting in the security incident management process (especially to Valeo), indicate how it feeds into improvement, and provide the evidence 0 4 0 4

SEC-INC-003 Describe how you handle incident response in the security incident management process, indicate how it feeds into improvement, and provide the evidence 0 3 0 3

Business continuity management (1 control, expected level 4.0)

SEC-BCP-001 Describe your Disaster Recovery Plan and Business Continuity Plan process, and provide the evidence 0 4 0 4

Compliance (6 controls, average expected level 3.2)

SEC-CMP-001 Describe your internal audit process, and provide the evidence 0 3 0 3

SEC-CMP-002 Describe how you manage personal data, and provide the evidence that you are compliant with privacy-related laws or regulations (Europe) 0 3 0 3

SEC-CMP-003 Describe how you manage compliance with the laws of the different countries involved, and provide the evidence 0 3 0 3

SEC-CMP-004 Describe how you manage personal data, and provide the evidence that you are compliant with privacy-related laws or regulations (outside Europe) 0 4 0 4

SEC-CMP-005 Describe your ISMS audit process, including third-party review, prove that it follows a PDCA cycle, and provide the evidence 0 3 0 3

SEC-CMP-006 Describe your internal audit organization with a focus on the ISSP check, and provide the evidence 0 3 0 3
CYBER SECURITY SELF-ASSESSMENT RESULTS

Company SupID Date

[Radar chart (scale 0 to 5), one axis per domain: Information security policies, Organization of information security, Human resource security, Asset management, Access management, Cryptography, Physical and environmental security, Communications security, Operations security, Systems acquisition, development and maintenance, Third party relationship, Information security incident management, Business continuity management, Compliance. All supplier values read 0.0 in this blank form.]

Legend: Supplier Level, Expected Level