Intended for all SNCF GPU entities, the purpose of this consultation is to set up a framework agreement, constituting a contractual vehicle for the referencing of IT intellectual services, for the use of ISS players.
The purpose of this framework agreement is to cover the entire life cycle of cybersecurity activities: emergence and strategy phases, design and implementation, support and maintenance in operational security conditions, as well as services complementary and expertise specific to the SSI function.
IS security management, management of ISS projects
Lot 1 includes the professions contributing to the management of the security approach, as well as the professions aiming to implement IS security projects.
This package includes missions to cover the emergence phase of projects (identification of risks, definition of security requirements, regulatory compliance, contractual framework, test strategy, acceptance), to design solutions adapted to needs (IS urbanists, architects), and to provide expertise on the solutions implemented or to evaluate market solutions (engineers, experts). Business support missions (awareness-raising, training, methodology, posture) are also covered.
This lot will also include all Project Management Assistance activities from a governance perspective (strategy design, risk mapping, creation of benchmarks, evolution of the ISSP, certification assistance, etc.) and from a technical and functional perspective (ISS tools and solutions in the context of acquisition, integration or development projects, sustainment in operational condition, etc.).
Assignments result in one or more deliverables.
These missions can be punctual, or cover a long-term need by implementing a dedicated system (Service and/or Expertise Center) in order to reduce costs and optimize response times to requests from the Group's internal customers and its subsidiaries.
Design and maintenance of the Secure IS
Lot 2 includes the technical professions that ensure that security is taken into account in the design of information systems, expertise in the security of a particular field, the definition of secure architectures, the administration of security solutions, etc.
This package includes missions taking IS security aspects into account in the context of the design (architecture design, configurations, choice of technical solutions, publishers, suppliers and testing strategies) and the realization of an IT or business project, as well as business and/or IT support and training missions, in order to verify that the proposed technical and functional solutions meet the identified security requirements.
This package also includes consulting, assistance, information, training and alerting missions, which can intervene directly on all or part of a project that falls within a field of expertise (system, network, workstations, industrial components, IoT, Active Directory and IAM, code and development solutions, cloud, Artificial Intelligence, etc.), whether in the study phases, the implementation phases or the maintenance in secure conditions.
There will also be audits and control missions of security processes ensuring compliance with internal policies and regulations that apply to the organization; missions monitoring defined security policies and rules to ensure that security maintenance is implemented, respected and effective; missions identifying vulnerabilities and proposing remedial actions; missions collaborating with the lawyers and the DPO if the project includes the processing of personal data.
Assignments result in one or more deliverables.
These missions can be punctual, or cover a long-term need by implementing a dedicated system (Service and/or Expertise Center) in order to reduce costs and optimize response times to requests from the Group's internal customers and its subsidiaries.
Providers may be required to cover on-call duty for certain missions.
SSI Audits & Compliance
Lot 3 includes missions to identify threats and vulnerabilities on a conventional IS technical object (Web Application, Mobile Application, Platform, environments, etc.) hosted OnPremise, in the Cloud, or with a partner hosting provider, throughout the Group and its subsidiaries.
These missions are based on the performance of application SSI audits, process audits and/or configuration audits of a target or perimeter agreed in advance during a scoping meeting with the project(s) concerned, at the request of the CISO/RCS responsible for the SSI perimeter.
The missions give rise to one or more deliverables, designating the threats and vulnerabilities identified on the technical object targeted by the audit, the CVSS score, the criticality, the priority, the exploitability and the impact of each of them, as well as the associated recommendation(s) for implementing the remediations.
These missions can be punctual, or cover a long-term need by implementing a dedicated system (Service and/or Expertise Center) in order to reduce costs and optimize response times to requests from the Group's internal customers and its subsidiaries.
Incident & Crisis Management
Lot 4 includes the professions that can be found within companies specializing in cybersecurity: consulting companies, training companies, evaluation laboratories, security product publishers, security product integrators, laboratories and research institutes.
These missions are part of the "Operational Security" division of the Cybersecurity Department. They include anticipation (threat intelligence, vulnerability and attack surface management), detection (supervision and detection of cybersecurity events, qualification and prioritization of events based on alerts or reports, contributing to the continuous improvement of detection) and reaction (emergency response, handling of cybersecurity incidents, forensics, production of incident reports, intervention within the framework of technical crisis units, etc.).
Providers may be required to be on call during the mission.
Industrial Cybersecurity
Lot 5 includes the professions that contribute to the cybersecurity certification process, the implementation of SSI prequalifications, SSI risk analyses, the monitoring of requirements and the implementation of the method for integrating cybersecurity into industrial projects, as well as the performance of Industrial Cyber audits.
This lot includes missions to pre-qualify a project's DICT cybersecurity needs, to classify data through a "risk factors" questionnaire, and to support projects in respecting SSI issues and processes and/or requiring assistance in the drafting of specific SSI clauses.
These missions are based on a risk analysis that defines the additional cybersecurity requirements that projects must meet in order to reduce risks.
The missions give rise to one or more deliverables, such as the Risk Analysis document fed as the interviews are conducted, the document listing cybersecurity requirements, the updated risk mapping, the dashboards containing all the information necessary for the monitoring of the project, reference frameworks, and the risk matrix consolidating all the risks of the scope concerned.
These missions can be punctual, or cover a long-term need by implementing a dedicated system (Service and/or Expertise Center) in order to reduce costs and optimize response times to requests from the Group's internal customers and its subsidiaries.