Introduction

This documentation provides an overview of the requirements and practices for the secure acquisition, development, and maintenance of information systems and software within Omnicom. It is derived from, and aligns with, Omnicom's "Secure Development and Acquisition Policy" and "Secure Development and Acquisition Standard", which are foundational to safeguarding Omnicom's information assets worldwide.

These foundational documents underscore Omnicom’s commitment to ensuring the confidentiality, integrity, and availability of all systems and data. They are classified as Confidential and are applicable globally to Omnicom Group and all its Agencies, operating in compliance with local jurisdictional laws. The Policy itself is a critical component of Omnicom’s broader Information Security ‘Topic’ Policies, governed by the ‘Core Information Security Policy’.

Core Purpose and Scope

The primary objectives established by Omnicom's Policy and Standard are to:

  • Provide a clear framework for the security requirements involved in the entire lifecycle of information systems and software applications, from acquisition to development and ongoing maintenance.
  • Ensure the delivery of secure, accessible, high-quality systems and software, aligned with the ISO standards cited below.
  • Embed privacy by design and by default into all development processes, supported by robust management controls over all related projects.
  • Extend these security mandates to all System, Asset, and Information Owners, Omnicom's Systems and Development teams, and crucially, to third-party vendors/suppliers providing services.

Key Principles and International Alignment

Omnicom's approach is rooted in internationally accepted standards and best practices. The directives in these documents align closely with:

  • ISO/IEC 27001:2022 for information security management.
  • ISO/IEC 27701 for privacy by design and by default.
  • ISO 9001 for quality management.
  • ISO 30071-1 for digital accessibility.

A core philosophy guiding all system acquisition and secure development is a set of Overarching Security Engineering Principles. These principles advocate for:

  • Integrating security with architecture, considering the full range of controls required to protect information against identified threats.
  • Employing security architecture principles like "assume breach," "default deny," "defense in depth," "least privilege," and "security by design".
  • Adhering to "Zero Trust" principles: assume the environment is already compromised, "never trust and always verify", encrypt traffic end-to-end, and authenticate and authorize every request as if it originated from an untrusted network. This requires strong authentication and dynamic access control driven by contextual information (identity, device, location, and request).

The Secure Development Life Cycle (SDLC)

A central component of Omnicom’s secure development strategy is the Secure Development Life Cycle (SDLC), comprising eight distinct phases:

  1. Requirements Analysis: Defining and documenting high-level and detailed security and privacy requirements, including initial risk reviews.
  2. Architecture and Design: Developing detailed designs that incorporate security, privacy (Privacy Impact Assessments / DPIAs in OneTrust), accessibility, and quality management standards, along with detailed risk assessments and clear segregation of development and testing environments from production.
  3. Development: Executing the design through secure coding practices, using Infrastructure as Code (IaC), maintaining code in secure repositories, and conducting peer code reviews and early security vulnerability testing (SAST, SCA, IAST).
  4. Testing: Formalized integration and quality assurance testing, continued security vulnerability testing, and a gate ensuring that no validated true-positive Critical or High vulnerabilities are promoted to production. This phase also includes User Acceptance Testing (UAT) and validation of privacy-by-design and accessibility requirements.
  5. Implementation: Deploying production infrastructure from validated IaC, enabling required security controls (e.g., a Web Application Firewall in front of internet-facing applications), and conducting final security testing (DAST, API testing, penetration testing) before activation. No Critical or High vulnerabilities, and no End-of-Life (EOL) libraries, are permitted in production deployments.
  6. Operations/Maintenance: Ongoing security and operational assurance monitoring, including routine risk assessments, vulnerability scanning, annual penetration testing, log review, and quarterly user access reviews.
  7. Disposal: Securely managing the end-of-life of systems and assets, ensuring confidential data is transferred, archived, or deleted, and hardware/software is disposed of according to policy and legal requirements.
  8. System Approval Requirements: Although listed as a phase, this applies across all the others: every new solution and change is formally approved by leadership, segregation of duties is maintained between those who build, test, and approve, and approvals are documented consistently at each phase.

Each phase includes "Control Points" to ensure necessary approvals (financial, business, technical, security) are obtained before progressing. Agile and DevSecOps methodologies are strongly recommended, utilizing Continuous Integration/Continuous Delivery (CI/CD) pipelines.
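The Testing and Implementation gates above (no validated true-positive Critical/High findings, no EOL libraries in production) are the kind of control point that can be enforced in a CI/CD pipeline rather than by manual sign-off. The following is an added example, not Omnicom's tooling or code from the page: a release gate that consumes triaged scanner findings and an SBOM with end-of-support dates and refuses promotion when a blocker is present. The `Finding` and `Component` records, the rule IDs, component names and dates are all constructed for illustration; a real pipeline would populate them from the scanner's report and the SBOM. One choice goes beyond the page's wording: a Critical or High finding that has not yet been triaged also blocks, so that the gate fails closed rather than letting an unreviewed result through.

```python
"""Release gate for the Testing and Implementation control points.

Added example for this page, not Omnicom's tooling. The Finding and
Component records and the sample data are simplified and constructed;
a real pipeline would map them from the scanner's report and the SBOM.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Iterable, List, Optional

# Severities that may never reach production as validated true positives.
BLOCKING_SEVERITIES = {"critical", "high"}


@dataclass(frozen=True)
class Finding:
    """One SAST/SCA/DAST result after triage."""
    tool: str
    rule_id: str
    severity: str      # critical / high / medium / low
    triage: str        # "true_positive", "false_positive" or "open" (not yet validated)
    location: str


@dataclass(frozen=True)
class Component:
    """One SBOM entry; eol is the vendor's end-of-support date when known."""
    name: str
    version: str
    eol: Optional[date] = None


@dataclass
class GateResult:
    allowed: bool
    blockers: List[str] = field(default_factory=list)
    warnings: List[str] = field(default_factory=list)


def release_gate(findings: Iterable[Finding], sbom: Iterable[Component], today: date) -> GateResult:
    """Return allowed=False if any blocker exists; warnings never block on their own."""
    result = GateResult(allowed=True)
    for f in findings:
        if f.severity.lower() not in BLOCKING_SEVERITIES:
            continue  # medium/low are tracked in the backlog, not gated here
        where = f"{f.tool} {f.rule_id} ({f.severity}) at {f.location}"
        if f.triage == "true_positive":
            result.blockers.append(f"{where}: validated true positive")
        elif f.triage == "open":
            # Design choice (not stated on the page): an unvalidated Critical/High
            # has not been proven false, so the gate fails closed until triage is done.
            result.blockers.append(f"{where}: Critical/High still awaiting triage")
        # "false_positive" findings are documented exclusions and do not block.
    for c in sbom:
        label = f"{c.name}@{c.version}"
        if c.eol is None:
            result.warnings.append(f"{label}: no EOL date recorded in SBOM")
        elif c.eol <= today:
            result.blockers.append(f"{label}: end-of-life since {c.eol.isoformat()}")
    result.allowed = not result.blockers
    return result


# Constructed sample data: fictitious rule IDs, component names and dates.
SAMPLE_FINDINGS = [
    Finding("sast", "SQLI-001", "critical", "true_positive", "app/db.py:42"),
    Finding("sca", "SCA-0007", "high", "open", "requirements.txt"),
    Finding("sast", "XSS-004", "medium", "true_positive", "app/views.py:118"),
    Finding("dast", "HDR-002", "high", "false_positive", "https://app.example/login"),
]
SAMPLE_SBOM = [
    Component("example-web-framework", "2.3.1", eol=date(2023, 12, 31)),
    Component("example-json-lib", "1.0.0", eol=date(2030, 1, 1)),
    Component("example-internal-lib", "0.9.0"),
]
AS_OF = date(2024, 6, 1)  # fixed "today" so the example is reproducible


def demo_blocked() -> GateResult:
    """Gate run over the full sample set: three blockers, one warning."""
    return release_gate(SAMPLE_FINDINGS, SAMPLE_SBOM, AS_OF)


def demo_allowed() -> GateResult:
    """Same run after the true positive is fixed, the open item triaged as a
    false positive, and the EOL framework upgraded: the gate opens."""
    fixed = [Finding("sca", "SCA-0007", "high", "false_positive", "requirements.txt"),
             SAMPLE_FINDINGS[2], SAMPLE_FINDINGS[3]]
    upgraded = [Component("example-web-framework", "3.0.0", eol=date(2027, 6, 30))] + SAMPLE_SBOM[1:]
    return release_gate(fixed, upgraded, AS_OF)


if __name__ == "__main__":
    for run in (demo_blocked(), demo_allowed()):
        print("ALLOW" if run.allowed else "BLOCK")
        for line in run.blockers:
            print("  blocker:", line)
        for line in run.warnings:
            print("  warning:", line)
```

Run as a pipeline step, a non-empty `blockers` list is what fails the job; the `warnings` list (components with no recorded end-of-support date) is worth surfacing because an SBOM that cannot answer "is this still supported?" cannot enforce the EOL rule, but it should be treated as a data-quality finding rather than a release blocker. Note that the medium finding is still a true positive; it simply belongs to the backlog and the risk-acceptance process rather than this gate.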

Critical Security Practices and Considerations

Beyond the SDLC, this documentation addresses a range of vital security practices:

  • Secure Coding: Applying secure coding practices that address the OWASP Top 10 risk categories, to reduce vulnerabilities in custom, third-party, and open-source software. This includes maintaining a Software Bill of Materials (SBOM) that inventories every library and its version, and keeping development and testing environments strictly segregated from production.
  • Data Protection: Rigorous requirements for handling Personal Data, Confidential, and Restricted Information, including Privacy Impact Assessments and proper anonymization of test data.
  • Third-Party and Outsourced Development: Strict controls for vendor relationships, requiring appropriate contractual clauses, risk assessments (OMC GRC Supplier Risk Assessment), due diligence, and monitoring of security practices.
  • Cloud Services: Specific guidelines for the secure acquisition, use, management, and exit from cloud services, including defining roles and responsibilities and ensuring alignment with Omnicom's security requirements. Omnicom maintains standards for cloud hosting providers, with specific requirements for services like WPEngine for WordPress websites.
  • Low Code and Generative AI: Development and deployment of solutions involving these emerging technologies must comply with Omnicom's policies, including the Acceptable Use Policy.
  • End-of-Life (EOL) Management: Regular review and planned replacement of all applications, systems, software, and hardware to ensure continued security updates and patches.
  • Training: Mandatory secure software development training for development teams, and specialized training on ISO standards for architects, designers, and testers.

This documentation is intended for all Omnicom personnel involved in the lifecycle of information systems, including development teams, architects, system owners, and third-party relationship managers. It serves as a critical guide to fostering a secure and resilient technological environment in alignment with Omnicom's high standards.