
GDF SUEZ DECISION

Date: July 23, 2010

Reference: GDF SUEZ 2010 - 009

Issuer: Health, Safety and Management Systems Division

Contact: Michel DESCAZEAUX michel.descazeaux@gdfsuez.com Tel: +33 (0)1.57.04.31.31

Group Tangible and Intangible Assets Security Policy

Summary

This decision describes GDF SUEZ' objectives in terms of protecting its assets and covers site security
and information security via the deployment of risk-reduction solutions incorporating technical
(including IT), legal, managerial and organizational domains, and the acquisition of secure behavior
habits (vigilance, compliance with rules and best practices).

It dovetails with the Group's risk management procedure and the general framework of the Group's
policy on ethics (and its versions set out in the Ethics Charter and the Ethics Guidelines).

The Policy is based on two key elements:


- a security approach based on identifying and evaluating risks, making it possible to align security
measures with the group of risks that need covering;
- the deployment of a management procedure, making possible efficient steering of and continuous
improvement to the mechanisms in place.

This decision takes effect immediately.

Jean-François Cirelli, Vice-Chairman and President

Gérard Mestrallet, Chairman and Chief Executive Officer

Document(s) cancelled or amended: none


Attachment(s): Rule (GR11) on the classification and protection of information
Distribution: internal

GDF SUEZ HEAD OFFICE


22, rue du Docteur Lancereaux - 75392 Paris Cedex 08 - France
Tel. +33 1 57 04 00 00
GDF SUEZ - SA, CAPITAL OF €2 260 976 267 - RCS PARIS 542 107 651

www.gdfsuez.com
Group Tangible and Intangible Assets Security Policy

Table of contents

INTRODUCTION 3

1. CONTEXT AND CHALLENGES 3

1.1. Definitions 3

1.2. Context 3

1.3. Scope 4

2. GROUP STRATEGY FOR THE SECURITY OF TANGIBLE AND INTANGIBLE ASSETS 4

2.1. Security principles applicable to the protection of assets 5

2.2. Implementation of a security management system 6

2.3. Application of best practices in international standards 7

3. ROLES AND RESPONSIBILITIES 7

3.1. A three-tier organization 7

3.2. A network of officers 8

3.3. An organization dedicated to intangible assets security 8

APPENDICES 11

Appendix 1: Mission of the Intangible Assets Security Officer (IASO) 11

Appendix 2: Glossary 12


Introduction

The Group's tangible and intangible property are assets that must be protected.

The Group aims to empower each top executive, manager and employee as to the need
to protect our tangible and intangible assets and continuously improve our protection
system.

1. Context and challenges

1.1. Definitions

In this document:
- the word Group refers to the GDF SUEZ Group;
- the word entity refers to:
  - at the Corporate level, each of the Functional Divisions that comprise it;
  - a Business Line;
  - a Business Unit (BU);
  - a subsidiary.

Tangible property comprises industrial and tertiary assets which are the property of the Group
and assets which the Group uses or exploits for its business activities.

Intangible assets comprise all information and know-how available to the Group. The
protection of intangible assets in the sense of this Policy applies to all means and processes
which may protect this property, with the exception of specific processes relating to the
granting of patents and trademark or domain name protection.

1.2. Context

There are many threats to tangible and intangible assets.

The Group's industrial and services sites and installations can be exposed to malicious
acts of different kinds for a wide range of reasons:
- criminal acts or vandalism;
- action taken by political or ecological activists;
- terrorist attacks;
- intrusions for the purposes of economic espionage.

Consequently, access to our premises must be controlled, as well as the flows of people who
may enter them.

Protecting our sites is closely linked to industrial security. Strong industrial security is not
possible without high-level protection. Malicious acts can have very serious human,
environmental and economic consequences.

Information, whether on a virtual (computerized) or physical medium (paper, etc.) or even
transmitted orally, is also under threat: increased competition, malicious intent towards the
interests of the Group, its staff, its customers, its facilities or third parties, intent to jeopardize its
credibility and damage its image, etc.

Malicious techniques are constantly changing. They include:
- intrusions into our IT systems;
- remote theft of information, facilitated by the wide range of communication
devices available;
- the alteration of information, made easier by the increase in number and sophistication of
procedures for exploiting computer vulnerabilities.

Information theft, whatever the medium used (laptops, photocopier memories, USB sticks,
hard disks, files, etc.), encompasses further instances of breaches of confidentiality which
need to be prevented.

Our own business travel is another weak point which requires special attention.

1.3. Scope

The Policy is applicable to all entities in the GDF SUEZ Group, irrespective of their activity
and geographical location, and in accordance with local laws and regulations.
This Policy is applicable to all GDF SUEZ subsidiaries and affiliated companies controlled by
GDF SUEZ. For other affiliated companies, Group representatives at these companies must
endeavor to the best of their ability to introduce this Policy or a similar policy into these
affiliated companies.
This Policy is the compulsory minimum framework within which each entity ensures the
security of its tangible and intangible assets.

2. Group strategy for the protection of tangible and intangible assets

The Group's strategy is based on compliance with structuring principles (2.1) and the
deployment of a risk-management process (2.2). It is also based on international standards
(2.3).


2.1. Security principles applicable to the protection of assets

2.1.1. Ensure compliance with legislation and regulations

The Group's entities must comply with the laws, regulations and contracts applicable to
them. They must remain up to date with any amendments and with any applicable specificities
relating to their geographical location or activity.

2.1.2. Include the protection of assets throughout the entire process: from the project stage
through to the end of the activity

To this end, the right questions must be asked. This must be an ongoing process and relates to
the following:
- procurement of skills;
- awareness of threats;
- identification and valuation of assets;
- identification of vulnerabilities (sites, zones, services, people, sensitive data);
- definition of an acceptable risk level;
- solutions commensurate with the value of the information to be protected;
- allocation of resources and ensuring compliance with necessary commitments.

2.1.3. Monitoring security levels and security development over time

Each entity must set up an appropriate monitoring system for the earliest possible
detection of deliberate, accidental or potential attacks against the security of its personnel
and assets.
Services outsourced to third parties must likewise be monitored, especially in the case of
suppliers which may have privileged access to premises and/or information (travel agencies
– remote operators – maintenance, cleaning, waste-disposal services – consultants –
translators, temping agencies, etc.), as well as interns and temporary staff.
Locally, the officers in charge of site security are regularly in contact with the security forces
in order to discuss analyses and implement, where necessary, formalized intervention
protocols. These contacts are based on mutual confidence.
The adequacy of each entity's management in implementing this Policy must be monitored
and assessed each year.

2.1.4. Limit the impact of breaches of sensitive sites or information

Entities must set up systems for the management of security incidents and the resulting
crisis situations. This requires that incidents be reported up to the relevant level.
Beyond immediate processing, security incidents must be analyzed and corrective action
taken to prevent them from recurring.
The Health, Safety and Management Systems Division (HSMSD) must be systematically
notified of significant events which occur at entity level, or which have had or nearly had an
impact on other entities or the Group as a whole.


2.1.5. Classification and protection of information


Each entity identifies its information, classifies it by sensitivity level and protects it in line
with the methods set out in the Group Rule on the Classification and Protection of
Information (see GR 11 attached).

2.2. Implementation of a security management system

Achieving our goals is based on six core actions.

- Identifying threats and assessing risks: This involves analyzing and assessing
risks in terms of threat and impact (financial consequences, damage to the image
of the Group or entity). For industrial sites, this procedure requires close
collaboration between the individuals in charge of security issues and those in
charge of industrial processes.
- Processing risks: The identification of threats and the assessment of the
inadequacies of protective systems ultimately enable appropriate measures to be
implemented within the scope of an action plan for the processing of risks.
- Stakeholder involvement: This requires the involvement of management, a key
factor in success. Managers must be convinced of the importance of the
challenges involved in site security and information protection, provide
appropriate support to employees in charge of these issues, and set an example
in their own day-to-day practices.
- Creating awareness and providing training: It is through the education of
stakeholders that the principles can generate their full effect and enable a
corresponding reduction in involuntary mistakes and negligence, both of which
are sources of numerous incidents. But it is also necessary to train managers in
security issues. The action plan accompanying this Policy will include a training
component for managers. The Communications and Financial Communications
Division helps to create awareness among employees, especially for large-scale
actions.
- Establishing internal control procedures: The purpose of this action is to
ensure compliance with the principles of the Policy and the joint rules adopted
within the Group. The areas to be monitored must be jointly defined by HSMSD
and the Audit and Risk Management Division, which owns the internal control
standards.
- Continuously improving the system: Avenues of progress are determined by
agreement between the various levels and assessed in the course of an annual
review. The purpose of this action is to reduce residual risks to acceptable levels
for the most sensitive sites and information. Further to these annual reviews,
decisions are taken where applicable to improve the protection system.


2.3. Application of best practices in international standards

The principles described in this Policy are guided by the best practices in international
standards (e.g., ISO 900X – ISO 1400X - ISO 2700X), concerning in particular risk
assessment, continuous improvement and management reviews, to ensure risk
management. Each entity must endeavor to develop its management system and evaluate it
in line with these standards.

3. Roles and responsibilities

The definition and implementation of the Policy are based on:

- a three-tier organization within the Group: Corporate, Business Lines and BUs;
- a network of security officers;
- a special organization for protecting intangible assets.

3.1. A three-tier organization

3.1.1. Corporate

The Health, Safety and Management Systems Division (HSMSD):
- Defines Group policy concerning the protection of tangible and intangible assets
and ensures it is adapted accordingly;
- Proposes strategic orientations in the form of action plans drawn up with the
Business Lines;
- Leads the Functional Line of security officers, in particular by encouraging the
sharing of best practices, organizing feedback and proposing general solutions in
order to guarantee the required responsiveness to changing regulations or
incidents;
- Makes available qualified risk-reduction solutions which integrate technical, legal,
managerial or organizational aspects;
- Manages the production of teaching aids and methodological or technical tools to
support the implementation of the Policy;
- Performs an annual assessment of the Policy and its adequacy in the course of a
general review with the Business Lines and the General Secretariat for Corporate
entities;
- Keeps up to date a set of reference documents comprising the texts setting out
this Policy, published on the Group intranet. This gives each stakeholder a full
overview of applicable documents whose use within the Group is mandatory
('Rules') or recommended ('Recommendations' or 'Best Practices').

The Security Division (SD) is in charge of economic intelligence (EI) and, more generally,
of the fight against any form of interference that could have an impact on the GDF SUEZ Group.
Consequently, HSMSD and SD exchange information on the status of the threat and on how to
deal with attacks relating to the security of intangible assets (section 3.3).

In addition, the Security Division is in charge of the Head Office and personnel on
assignment and/or expat personnel.

3.1.2. Business Line

The officers for the security of assets:
- Take part in drawing up the Group doctrine;
- Under the authority of management, coordinate the implementation of the Policy
within their Business Line in the form of annual action plans;
- Assess the action taken by the BUs within their perimeter, in the form of periodic
assessments and an annual review;
- Report to HSMSD the results and progress of the action taken.

3.1.3. BU

Each BU is responsible for implementing the Policy within its perimeter, which it does in line
with the specific nature of its activities.

3.2. A network of officers

The achievement of targets requires that a dedicated and matrixed (1) functional line is created
at the various levels of the Group (entities).

To play its role effectively, the functional line meets several times a year in the form of select
meetings (Business Line managers) or plenary meetings (Convention). The purpose of
these meetings is:
- to suggest improvements to the reference documents (Policy, Rules,
Recommendations);
- to facilitate experience sharing;
- to prepare Group reviews.

3.3. An organization dedicated to intangible assets protection

3.3.1. Information Security Committee (ISC)


The policy governing all provisions taken by the GDF SUEZ Group to protect its intangible
assets is supervised by the Information Security Committee (ISC).

(1) As per the Note "GDF SUEZ Organization and Management Principles".

The ISC is chaired by the General Secretary and administrative duties are handled by the
Head of the Security Division.

The ISC members are the Heads of the following Functional Divisions:

- Health, Safety and Management Systems Division
- Information Systems Division
- Communications and Financial Communications Division
- Human Resources Division
- Business Ethics and Compliance Division
- Audit and Risk Management Division

The ISC is in charge of:

- defining and validating strategic guidelines;
- coordinating actions taken by the various Functional Divisions;
- examining dossiers on principles relating to the development of technologies and
individual and collective behavior;
- monitoring the application of provisions taken, specifically with regard to their
deployment in the Business Lines and Business Units.

The ISC meets at least twice a year and draws up an annual assessment of results
achieved. Its report is sent to the members of the Executive Committee.

3.3.2. Collaboration between Divisions


HSMSD, the Security Division and the Information Systems Division (ISD) collaborate on an
ongoing basis to carry out all tasks:

- At all levels, they encourage cooperation between the Functional Line of
Intangible Assets Security Officers (IASOs) and the Functional Line of IS
Security Officers (ISSOs).
- They keep up to date with breaches of information confidentiality so that they can
undertake the appropriate follow-up.
- They organize activities to raise employee awareness.

For the Corporate Functional Divisions, the Security Division leads the network of IASOs
and carries out the annual evaluation as well as providing the management maturity level in
this area. It is in charge of "processing" – with the support of HSMSD (placed under its
control), where appropriate – attempted breaches of information confidentiality when they
are clearly acts designed to harm the Group's image, damage its reputation, unlawfully
obtain information, destabilize the Group or, more generally, interfere.

The ISD defines and implements policies and standards, in particular in the area of
telecommunications, office automation, applications and operation. It heads the IS
Functional Line for the Group at Corporate, for the Business Line and BU level. It also
coordinates and steers Information System Security in a manner consistent with this Policy.


The Communications and Financial Communications Division designs and implements the
measures taken to identify the protection level of documents and media used which involve
the Group's image. It also intervenes during the information and communications phases of
actions intended to increase stakeholder awareness and the dissemination of policies and
regulations issued by the Corporate.

The Business Ethics and Compliance Division is in charge of drafting a Code of Good
Conduct specifically regarding the use of information systems by personnel, Internet access
and involvement in social and/or professional networks.

The Human Resources Division is in charge of supporting the drafting of Charters and
Codes of Good Conduct and reporting these commitments to staff representative bodies.

The Audit and Risk Management Division is in charge of assessing the financial impact on
the Group of the risk of breaches of confidentiality and checking the actual implementation
of this Policy.


APPENDICES

Appendix 1: Mission of the Intangible Assets Security Officer (IASO)

Within the scope of their mission, IASOs report to a level which gives them access to the top
manager of their entity. They must have strong recognition and time to devote to their
mission. They may also act as IASOs provided both workloads are compatible.

Their mission, delegated by the functional management, is to implement the Intangible Assets
Security Policy within the scope of a general plan validated by this authority, which is
assessed each year.

IASOs contribute to or provide methodological support in various ways.

- They contribute to the amendment, as required, of the Group's security policies
and standards, especially in the area of practices.
- They identify sensitive information within the entity, take part in assessing risks,
draw up a general assessment of the entity's situation and ensure that it is
updated annually.
- They ensure information security is taken into account in projects, their
development, and their maintenance.
- They ensure that all staff within their perimeter are aware of intangible assets
security issues, using the teaching materials available, and by initiating or relaying
communication actions.
- They ensure compliance with the applicable legislation and regulations.
- They define the threat level.
- They implement and update a crisis management system for the protection of
intellectual property.
- They advise the top executive and managers.
- They organize and take part in annual reviews.


Appendix 2: Glossary

Confidentiality: Characteristic of a piece of information according to which it is not
accessible or may not be disclosed to unauthorized entities, persons, or processes.

Integrity: Characteristic of a piece of information according to which it is unaltered.

Availability: Characteristic of a piece of information or process according to which it may
be accessed and used on demand by an authorized entity.

Traceability: Characteristic of a piece of information or process which enables an action
or event to be checked and its author traced.

HSMSD: Health, Security and Management Systems Division
SD: Security Division
DIRCOM: Communications and Financial Communications Division
BU: Business Unit
IASO: Intangible Assets Security Officer
GISSP: Group Information System Security Policy*
ISD: Information Systems Division
ISSO: IS Security Officer
ISC: Information Security Committee
ISSC / ISSN: Information Systems Security Committee / Information Systems Security Network
ERM: Enterprise-Wide Risk Management
ISGC: Information Systems Governance Committee
