LH Group It Policy

The document outlines an IT policy for LafargeHolcim. It establishes an IT governance structure and principles to balance standardization and innovation. The policy provides guidance on activities like demand management, portfolio prioritization, and enterprise architecture to achieve IT goals.

IT Policy

January 27, 2016

Framework
LafargeHolcim’s IT Policy is an integral part of the LafargeHolcim policy landscape.
This policy should be read in close conjunction with the LafargeHolcim policies and directives
listed in Annex 2.

The IT Policy comprises:


● Scope
● Policy Principles
● Annex 1: Responsibilities
● Annex 2: LafargeHolcim policies and directives related to the IT Policy
● Annex 3: LafargeHolcim recommendations related to the IT Policy (none)
● Annex 4: Definitions and Abbreviations

1. Scope

1.1 Applicability

The scope of the IT Policy covers LafargeHolcim Ltd and its consolidated Group companies
(“LafargeHolcim Group”). The Group IT Organization (GIT), which is responsible for the IT Function, is
committed to serving the business needs of the entire LafargeHolcim Group. As IT is an integral
component of most business processes, the IT Function is an indispensable pillar for the business
leadership in their endeavors to achieve strategic and operational performance targets.

1.2 Content in scope

The purpose of the IT Policy is to provide guidance on main activities in the field of Information
Technology and its application within the LafargeHolcim Group. It shows how decisions for IT are
made by describing the LafargeHolcim governance structure.
Details on this structure can be found in Annex 1.

In order to cover all major IT topics in one single IT Policy, the principles for these 4 sub-topics are
also included in this IT Policy, each covered in a separate chapter:
● Enterprise Architecture (EA), chapter 3
● IT Security Management (ITSEC), chapter 4
● IT Service Management (ITSM), chapter 5
● IT Supplier Management, chapter 6

IT policy

2. Policy Principles
The governance structure and principles described in this policy aim to achieve global-regional
and business-IT alignment and to support our ambition for IT to create value as an innovation
business enabler and an efficiency driver.

2.1 Goal and strategy: “two speed IT”

The goal of LafargeHolcim IT is to provide “two speed IT”, meaning balancing two main strategic
objectives:

● Standardized and cost-efficient core and commodity applications as well as infrastructure


● Differentiating IT to provide flexible and fast customer- and market-centric innovative
solutions and support different business operating models

Further details of IT goals and strategic objectives can be found in the LafargeHolcim IT strategy
document (see Annex 1 for reference to the IT strategy document).

2.2 Organizational principles and operational model in IT

IT follows a strong global – regional model with local support at country level being part of the
regional ITSCs.

In order to support the above objectives, the following organizational units and principles are
established. Their responsibilities and goals are described in Annex 1.

Global Level
● Corporate: Group IT (GIT)
● Global IT Service Center (GITSC)
● Infrastructure and Operations (I&O)
● In the major global business Functions, Global Business Process Owners (BPO) are
established

Regional Level
● Regional IT Service Center (ITSC)
● In the business, Regional Business Service Centers (BSC) and Regional Business
Process Owners (BPO) are established

Country Level
● IT Support in Countries is part of the regional ITSC

Plant Level
● Industrial IT, relevant control areas and topics

Convention: “IT Operational Units”

● As a convention, in this IT Policy and in the IT Directives, we often refer to the
combination of the regional IT Service Centers (ITSCs), the global ITSC (GITSC) and
Infrastructure & Operations (I&O) as “IT Operational Units”.

LafargeHolcim IT Policy January 27, 2016 2



2.3 Balancing governance decisions

IT decisions need to balance the objectives of standardization and cost-efficiency against the
objectives of differentiating IT for flexible and fast customer- and market-centric innovative
solutions. Details of the decision processes can be found in the corresponding Directives.

Our core principles for IT governance decisions are:

● Efficiency or Differentiating: The first decision on new IT demand specifies whether this
demand primarily provides (a) differentiating value or (b) potential for efficiency gains.
● Common view on new demand: New IT demand is overseen by Group IT to identify
synergy potential.
● Technology selection: The selection of IT tools, solutions, applications and providers is
the responsibility of IT, taking into account the requirements from the business and in
consultation with business and procurement.
● IT as sole provider: IT service centers are the only providers of IT solutions.
Implementation and operations of IT services are led by IT.

2.3.1 Governing business demand

Active and transparent Demand Management for new or changed IT solutions is a major lever to
drive investments and cost towards the desired target state.

Group IT Strategy, Planning and Governance establishes the common processes and a platform
which gives a complete view on all demands (global and regional) in order to avoid duplication of
efforts in the different regions. Demand Management is operated on this platform by the service
centers in a distributed mode, while GIT ensures sufficient demand monitoring.

Group IT approves demands > CHF 100’000.- and gives Enterprise Architecture Guidance via the EA
Workgroup.

Thresholds for demands

1. Large Demands are defined as having a total cost of more than
CHF 100’000.- for project implementation and first year operation.
Such demands require Group IT approval before they can become projects.
Including the operations cost of the first year ensures that Cloud/Software as a
Service (SaaS) services with low project cost but significant ongoing running cost are
also covered. The considered cost must encompass all phases belonging to one topic, i.e.
partial projects count towards their parent project.

2. Demands between 30’000.- and 100’000.- should be entered into the system by the IT
Operational Units for Group IT and Enterprise Architecture (EA) to have visibility on the
pipeline. EA principles of solution selection and Project Portfolio Management principles
will have to be followed in all cases.

3. Requests for changes on existing services and systems with cost below 30’000.- follow
the Change Management process as described in the respective Directive.

Main steps of Demand Management


● Demand capture: Business (BPO) is responsible for capturing the demand.
● Demand evaluation: ITSCs are responsible for evaluating the demand, considering
the input of the Architecture team.
● Demand finalization: Demand prioritization and finalization through BPO, final
approval through Group IT for large demands.
● Demand Monitoring: Group IT oversees all demands.

2.3.2 Prioritization of IT program/project portfolio

To balance the Global-view and Regional-view of IT decisions, IT programs/projects are prioritized
and aligned with budgets on a global level. This is to ensure the right balance of global and
regional programs/projects in the overall portfolio of LafargeHolcim.

Main steps of Portfolio Management


● Manage Portfolio: Consolidate information on programs/ projects across regional and
Global ITSC.
● Prioritize Portfolio: Regional prioritization of portfolio in close collaboration with business
and Group IT.
● IT Innovation Projects follow the Stage Gate Process defined by Growth & Innovation and
approved by Growth and Innovation Council.
● Finalize portfolio: Final approval of the portfolio through Group IT.

2.3.3 Steering towards the long-term IT target (Enterprise Architecture)

To achieve the goal and strategic objectives of IT, the steering towards the long-term IT target is
an important factor in IT decision making.
● Enterprise Architecture (EA) at LafargeHolcim is responsible for taking architectural
decisions to ensure alignment with this long-term IT target.
● The IT Leadership Team (ITLT), which acts as Architecture Review Board (ARB),
approves architecture decisions. In case of conflict within the architecture team, the
Architecture Review Board will take the decision.
● Architecture decisions with strategic business impact are forwarded to IT Functional
Council (ITFC).
● See Annex 3.

Main steps of Enterprise Architecture Management


● Standards and roadmap: Global definition in collaboration with architects from the regions.
● Global solution, EA blueprint: Global development with regional consultation.
● Regional solution, EA blueprint: Regional development with collaboration of global EA.

2.3.4 Project Approvals

For project approvals, the financial guidelines apply:


● EXCO: approves projects > 2 mio CHF
● ITFC: approves projects if within approved budget and > 1 mio CHF and < 2 mio CHF
● Other projects are approved within budget responsibilities of IT Operational Units.

2.3.5 Decision making

To support the decision making process, the following criteria are considered:


● Qualitative and quantitative data on the cost and value associated with a decision (usually
through a business case).
● A recommendation on the alignment with the long-term target of IT (conducted by the
Enterprise Architecture Workgroup).
● A recommendation on the business and IT risks from an IT security perspective
(conducted by the IT Security Workgroup).
● A recommendation on efficiency from an IT service perspective (conducted by the IT
Service Management Workgroup).

2.4 Governance structure

Governance of IT decisions is done on global and regional level with the following governance
bodies and workgroups. See Annex 1 for further details of the governance structure.

2.4.1 Global governance structure

● IT Functional Council (ITFC)
Global Strategic IT Leadership and Alignment with Business is governed through the
ITFC, chaired by the ExCo member responsible for IT.
The ITFC decides on IT Strategy, IT Policies, global IT budget, global IT project portfolio,
priorities between IT investment areas, strategic initiatives and directions. It can act as
Steering Committee for major global initiatives.
It approves projects if within approved budget and > 1 mio CHF and < 2 mio CHF.

● IT Leadership Team (ITLT)
Global IT Leadership and Execution is done by the IT Leadership Team (ITLT),
chaired by the Group CIO, with his direct reports and the Heads of the ITSCs as
members. The ITLT focuses on IT-internal decisions and discussions. It decides on
technologies, tools, providers and acts as Architecture Review Board (ARB).

● Global Business Process Owners (Global BPO)
In major global business Functions, e.g. Cement Industrial Performance, Human
Resources and others, a global Business Process Owner is assigned. They shape,
optimize and standardize their business processes and raise demands for new or
changed global IT solutions.

● Workgroups
The Global IT Leadership governance is supported by four workgroups:
(1) Enterprise Architecture Workgroup (EAW)
(2) IT Security Workgroup (ITSECW)
(3) IT Service Management Workgroup (ITSMW)
(4) IT Innovation Workgroup (ITIW)
Details on these Workgroups can be found in Annex 1.

● Major Programs on a global level are governed through Steering Committees comprising
business owners and IT leadership.

2.4.2 Regional governance structure

● Regional IT Council (RIC)
The Steering of Regional IT Implementation and Alignment with Business is governed
through the RIC. It is chaired by the ExCo member for the region or Area Manager.
Members are the Group CIO, country CEOs/CFOs and the Heads of the ITSC and the
BSC.

● Regional Business Process Owner Organization (BPO)
Defines and prioritizes regional demand and ensures standardization within business
processes across the region. Approves business decisions on master data and processes
regionally.

2.5 IT Controls

2.5.1 Risk Management, Compliance and IT Controls


● In order to cover the main risks related to IT, LafargeHolcim takes the standard approach
of the 3 lines of defense:
1. Operations following an established risk and control environment
2. Oversight functions setting directions, policies and procedures
3. Internal and external audit for independent assurance.
● IT aligns with Internal Control (IC), Internal Audit (IA) and Business Risk Management
(BRM) functions to ensure that the risk register covers all identified IT risks in a
compatible manner.
● IT, considering the requirements of these functions, further develops its IT frameworks (IT
Security and IT Service Management).
● New Group Internal Control Standards are under development in Internal Control. Please
refer to Internal Control Standards once published under the policy landscape.

2.5.2 Internal IT Audits


● Internal Audit on a yearly basis prepares and executes an internal IT audit program.
● The preparation and the selection of the audited IT Controls is done in collaboration with
Group IT considering the risks and the stage of the organization, services and projects.
● The internal IT audit program is communicated on a yearly basis to the IT Operational
Units.
● The final decision on the internal IT audit program rests with Internal Audit, in alignment with
the Audit Committee.

2.5.3 IT Key Controls for external Financial Audits


● IT is responsible for the first and second line of defense.
● External audit will use the 6 Key Controls for their yearly financial audits.
● The 6 IT Key Controls relate to the financially relevant ERP applications, with the objective
of ensuring documentation and implementation of the minimum standards as part of the Swiss
Internal Control System (ICS).


● The 6 IT Key Controls are defined for all in-scope operating companies and cover the
areas of logical access, program changes and IT operations:

Key Control | Description | ex Holcim General Control | ex Lafarge Internal Control
Logical Access
KC1 | Approval of creation, change and removal of access to the financially relevant ERP application | ITGC.KC1 | IT-C070
KC2 | Review of access rights procedures to the financially relevant ERP application | ITGC.KC2 | IT-C050
KC3 | Configuration and maintenance of the authentication and access mechanism of the financially relevant ERP application | ITGC.KC3 | IT-C080
Program Changes
KC4 | Approval of ICS relevant changes to the financially relevant ERP application | ITGC.KC4 | IT-C200
IT Operations
KC5 | Review of job scheduling procedures related to the financially relevant ERP application | ITGC.KC5 | IT-C330
KC6 | Backup and restore to prevent loss of financially relevant data of ERP application | ITGC.KC6 | IT-C280

● ITSCs with Operating companies should document IT Key Controls according to the
requirements set forth in the Internal Control manual for the financially relevant ERP
applications identified as in-scope.
● ITSCs with Operating companies should ensure that IT Key Controls for in-scope
applications are implemented as defined and documented.
● The defined IT Key Controls are meant as a guideline. The actual implemented IT Key
Controls can vary from the above generic description of the 6 Key Controls, but have to
fulfill the defined control objectives, mitigating the related risks.


2.6 People management principles in IT

The IT function follows and uses the Human Resource (HR) Management framework, principles,
processes and tools as given by the Global HR function (see related Policies).

In the context of IT Governance, the following principles apply:


● LafargeHolcim is heavily impacted by the global fight for IT talent.
Therefore LafargeHolcim wants to be the most attractive employer for IT personnel in our industry.
● In order to do so:
    ○ we foster global mobility and succession planning around the globe
    ○ we support the global IT staff community with open communication via our
      collaboration tools and culture
    ○ job descriptions in IT are aligned, standardized and comparable around the globe,
      which supports mobility and internal succession
    ○ career planning and a global succession pool include opportunities for positions
      in foreign countries for talented people with high potential
    ○ required training of relevant technical, management, inter-cultural and soft skills is
      proposed and offered to the IT staff

● On top of the usual line management responsibilities in the ITSCs for HR management,
the Group CIO:
    ○ is responsible for the selection of Heads of ITSCs in cooperation with the
      responsible ExCo member
    ○ approves all proposals for dismissals and hiring of Heads of ITSCs and is
      consulted in all proposals for hiring and dismissals of their direct reports
    ○ sets global goals and assesses the Heads of ITSCs with a weight of 50% in the
      yearly performance management process
    ○ has visibility and influence on the succession planning for Heads of ITSCs and
      their direct reports


3. Enterprise Architecture Policy Principles


The purpose of the Enterprise Architecture Policy Principles is to provide guidance on main
activities in the field of governing architecture decisions within the LafargeHolcim Group.

Enterprise Architecture (EA) aims to align IT with the strategic intent of the business by improving
the selection and coherence – regionally and globally – of all required capabilities (from business
processes and information management to application solutions and technology standards) in
order to achieve the strategic goals of LafargeHolcim. The key responsibility of EA is to provide
the necessary information to enable sound IT architecture decision making. EA is one of the core
capabilities of the Group IT Organization (GIT).

3.1 Primary objectives

The primary objectives of EA are defined as:

● Enterprise Architecture (EA) at LafargeHolcim is responsible for taking architectural
decisions to ensure alignment with the long-term IT target.
● Enable insights and quick decision making by providing transparency on the
components of the enterprise architecture (e.g. business processes, information/data,
applications used, technology assets)
● Align IT strategic objectives and Business strategic objectives by providing objective
evaluation criteria supporting the decision making process (e.g. objective evaluation of
cost and value of different IT solutions fitting to the business operating model).
● Guide and support significant technology transformations by providing insights and
developing roadmaps during the conceptual planning stages of projects, and by
governing architecture decisions during project implementations.
● Enable objective balance between cost-efficient global IT solutions and flexible, value-
creating regional IT solutions
● Enable innovative IT solutions through analysis and evaluation of new technologies
(i.e. IT and industry trends)
● Improve the quality of business outcomes (e.g. through new value driving IT solutions,
improvement of process automation, adherence to standards, and improvement of costs)

3.2 EA capabilities

EA is operationalized through the following EA capabilities, defined and led by the Head of
Enterprise Architecture in the IT Strategy, Planning and Governance function.

EA Capability | Description
Manage Business Engagement | Conduct Business Relationship Management (BRM) in collaboration with strategic capability planning and business architecture activities.
Plan Future State Architecture | Develop Enterprise Architecture models and artifacts to guide architectural decisions and evaluate possible options of target architectures.
Select Enterprise Software | Participate in the collection and analysis of business requirements and support in the selection of and alignment with technology solutions (including Supplier Relationship Management to research and coordinate opportunities for solutions).
Conduct innovation study | Evaluate value and feasibility of new technologies as a means to drive innovation within LafargeHolcim. Closely interact with the Head of Customer centric and innovative solutions to avoid duplication of activities.
Manage reuse and standardization | Drive a higher level of reuse, integration, and adherence to architecture standards through influencing architecture decisions and implementation projects.
Manage the EA repository | Set up and manage an Enterprise Architecture repository to serve as data provider for all required EA analysis and decisions.
Communicate on EA | Actively communicate Enterprise Architecture objectives, decisions and further supporting information to improve Business-IT alignment.
Manage EA Program | Manage the mandate of EA, including talent, performance, and growth/maturity targets.

3.3 Enterprise Architecture Workgroup (EAW)

To operationalize EA and its activities and decisions, the Enterprise Architecture Workgroup is set
up, led by the Head of Enterprise Architecture from the Strategy, Planning and Governance
function and with participation of global and regional architects.

See Annex 1 for a description of the Enterprise Architecture Workgroup.

4. IT Security Policy Principles


The IT Security Policy chapter defines the capabilities and requirements to protect information and
systems from unauthorized access, use, disclosure, disruption, modification, data loss or
destruction. This is accomplished through organizational and technical measures in accordance
with business requirements and relevant laws and regulations.

4.1 Primary objectives

● Protect LafargeHolcim's business information by safeguarding its confidentiality, integrity
and availability.
● Establish safeguards to protect LafargeHolcim's information resources from theft, abuse,
misuse and any form of damage based on risk management.
● Establish responsibility and accountability for IT Security in LafargeHolcim.
● Encourage management and users to maintain an appropriate level of awareness,
knowledge and skills to allow them to minimise the occurrence and severity of IT Security
breaches.
● Ensure that LafargeHolcim is able to continue its commercial activities in the event of
significant IT Security breaches.

4.2 Protection of assets

All information and asset groups shall have a defined owner who is responsible for classifying
information according to its sensitivity and criticality based on confidentiality, integrity and
availability (CIA) requirements. Information and asset owners are responsible for the proper
protection of the assets and ensure that data is sufficiently protected considering business, legal,
regulatory and contractual requirements. IT assets processing, dispatching, transporting, storing,
archiving or destroying data must be protected according to the IT asset criticality. Assets shall
be identified and an inventory of relevant assets (including the associated criticality) is maintained.

Access to information and information processing facilities shall be controlled, restricted to
authorized persons and on a need-to-know basis. A formal process to request, evaluate and
approve access to applications will be in place. The user management process will also include
the revocation or modification of user rights.

IT assets must be protected against vulnerabilities via software patches and malware
protection/virus scanners; other solutions for new threats should also be considered.

Development of information systems shall consider security and follow the system development
lifecycle (SDLC) model. Log files shall be protected from tampering and securely stored.

4.3 Risk management

Following a common, Group-defined risk assessment methodology, IT assets shall be assessed
against potential risks on a regular basis. The risk owner must decide if the risk is to be mitigated,
accepted, transferred or avoided. The identified risks resulting from the assessment and related
decisions must be documented and stored in a central risk register. Risk acceptances need to be
reviewed on a periodic basis considering the changes of the threat landscape.

The risk register provides an up-to-date global view of the LafargeHolcim risk exposure and
enables an aggregation of risks on a regional to a group level. Aggregated risks are aligned with
business risk management and also reported to senior management showing the risk exposure of
the company versus its risk appetite.

Significant changes of an IT asset or introduction of new technologies must undergo a risk
assessment prior to the implementation.

In general, LafargeHolcim follows a risk-based approach. This means that critical IT assets are
more frequently and thoroughly assessed than non-critical ones and high risks require more
senior management attention than low risks, etc.

4.4 Information Security Management Systems (ISMS)

The Information Security Management System (ISMS) is designed to ensure the selection of
adequate / proportionate security controls that protect information assets, and the implementation and
management of controls taking into consideration LafargeHolcim’s information security risk
environments.
The ISMS and associated framework ensure that information security is managed, sustained and
continuously improved according to the international standard ISO 27001 (the selected standard for
the Group).

4.5 Management of 3rd parties

Information security requirements to address the information security risks shall be established
and agreed with suppliers that may access, process, store, communicate, or provide IT
infrastructure components for LafargeHolcim’s information. These requirements shall be
included in a contractual agreement with suppliers. Suppliers need to be assessed on a regular
basis to ensure their compliance with the LafargeHolcim IT Security Policy. The assessments should
be integrated with Procurement's existing supplier review process and schedule.

4.6 User awareness and behaviour

LafargeHolcim management is aware that users’ behaviour is key to keeping IT security
at a high standard. All users having access to LafargeHolcim IT systems (staff,
management, contractors and 3rd parties) need to be made aware of their duties and
responsibilities regarding data protection. Employees must attend training on their duties and
responsibilities in relation to information security on a regular basis (e.g. secure communication,
social engineering, etc.).

Human Resources and Communication functions shall support the deployment and the monitoring
of the user awareness trainings.

Users are responsible for adhering to the IT Security Policy and for seeking support or advice from
management in case of doubt. Non-compliance will be subject to disciplinary action according to
local regulations.
With the support of HR, IT users have to accept the Information Systems User Directive which
defines the acceptable use rules in support of the IT Security Policy and sign the five security
rules during the on-boarding process.

Employees are responsible to report any security breaches, potential security incidents or
increasing risk exposures to their service desks.

4.7 IT Security Incident Response

Management responsibilities and procedures will be established to ensure a quick and effective
response to information security incidents across the group. Security incidents shall be captured in
a central repository, shared across ITSCs and reported to the management regularly. The global
security head shall immediately be informed when a high rated security incident occurs. A formal
report form shall be completed in the case of high rated security incidents.

4.8 Monitoring

LafargeHolcim reserves the right to monitor user activities on the internet and IT systems and
does so within the law in each jurisdiction in which the Group operates. Information obtained
through monitoring is confidential and will not be disclosed to any person or organisation external
to LafargeHolcim, except to law enforcement where legally required or to 3rd parties requesting
information to which they are entitled by law (e.g. under data protection acts).

4.9 Compliance to IT Security Policy

Global IT service center, infrastructure and operations and regional IT service centers (including
countries and plants) are responsible for implementing and complying with the IT Security
Policy and directives within their respective areas of responsibility.

Assessment measures ensure IT compliance with the IT Security Policy and directives in the Global
IT service center, Infrastructure and operations and regional IT service centers (including
countries and plants).


LafargeHolcim management will have a sound knowledge of the content of the IT Security Policy
and will comply with it. Mechanisms will be established to ensure that all staff also comply with the
IT Security Policy and any other approved security directive.

Legal and Compliance is responsible for identifying legislation applicable to IT systems (e.g. data
privacy), assessing its impact and reviewing the legislation regularly. Global IT service
center, infrastructure and operations and regional IT service centers (including countries and
plants) ensure compliance with local legal and regulatory requirements.

4.10 Enforcement and exceptions

Any exception or deviation from the IT Security Policy and supporting directives must be based upon
a specific legislative or business requirement. Requests for a policy exception shall be duly
documented, their related risk assessed, and submitted to the global security head or his/her delegate
before the waiver or exception may be implemented. All approved exceptions or deviations have
to be recorded and managed in the risk register and reviewed on an annual basis.

4.11 Auditing

An audit plan must be elaborated on an annual basis, driven by a risk assessment process
performed by independent auditors and accepted by the management. The audit plan covers the
assessment based on test of design and effectiveness of the Information Security Management
System (ISMS) and the implemented security controls in selected areas within LafargeHolcim.

4.12 Investigation

Any data stored in connection with the use of LafargeHolcim IT infrastructure can be made subject
to data screening procedures in connection with compliance investigations conducted or
mandated by the LafargeHolcim legal and compliance function. Such data screenings will adhere
to applicable personal and data protection laws, as well as to the professional and ethical
standards set out in the relevant LafargeHolcim investigation policies and regulations.

4.13 Performance and reporting

The IT security exposure, risks, performance and incidents must be reported on a regular basis to
senior management, considering internal and external factors. Based on these reports,
management is responsible for taking corrective actions where required and for providing the
resources and budget for them.

4.14 IT Security Workgroup (ITSECW)

To operationalize Information Security and its activities and decisions, the IT Security Workgroup
is set up, led by the Global Head of IT Security and with the participation of global and regional IT
security heads.

See Annex 1 for a description of the IT Security Workgroup.

4.15 Security responsibilities of Business Management

Business management is responsible for:

● Maintaining a level of security awareness among their staff through security awareness
training.
● Ensuring that sufficient controls are implemented to protect the confidentiality, availability and
integrity of the data.
● Classifying information and identifying specific information which should be
treated as confidential.
● Ensuring business continuity strategies and planning are in place.

4.16 Security responsibilities of IT Management

● Supporting the goals and principles of IT security in line with IT strategy and objectives.
● Actively supporting security within LafargeHolcim through clear direction, demonstrated
commitment and enforcement of IT Security.
● Providing resources and budget for IT security initiatives.

5. IT Service Management Policy Principles


IT Service Management principles described in this chapter define the expectations and needs of
the business in terms of functionality, quality and price of IT services provided by global and
regional IT service centers.

In order to comply with these expectations LafargeHolcim defines the following principles for IT
Service Management.

5.1 Primary objectives

The primary objectives of IT Service Management are defined as:

1. Customer Orientation – through adequate IT customer relationship management at the
strategic, tactical and operational levels it is ensured that
● IT understands what services the business requires and
● the customer has access to the appropriate services to execute the business
functions.
2. IT Service Quality – the quality of the IT services delivered is continually improved
through a Plan-Do-Check-Act cycle.
3. IT Service Efficiency – the IT services are delivered in an efficient manner.
4. Process Orientation – each ITSM process is defined, documented, communicated and
managed by a process manager.
5. Compliance – implemented ITSM processes adhere to legal and regulatory
requirements.

For this purpose, an IT Service Management System is implemented, focused on enabling better
performance across the LafargeHolcim Group through the efficient and effective use of information
and technology, leveraging Group presence and new delivery models.

5.2 ITSM Roadmap

● Both ex-Lafarge and ex-Holcim have implemented certain processes and systems
according to their differing priorities.
● By the end of 2016 a common set of processes for LafargeHolcim will be defined and
implemented.
● By the end of 2016 a common ITSM platform for LafargeHolcim will be defined and
implemented.

5.3 ITSM external Standards and ITSM Processes

To standardize methods and tools, we use the following external standards:

● The adoption of an integrated IT Service Management process approach based on ITIL
V3 and in accordance with the international standard ISO 20'000 ensures that managed IT
services are delivered effectively and efficiently.
● The processes covered by ITSM in LafargeHolcim will follow the structure of
ISO 20'000, and each will be covered by a corresponding Directive.

5.4 Overview of IT Processes

Group IT SPG (Group IT Strategy, Planning and Governance) owns these IT processes:

Source file: Overview about IT Processes

5.5 ITIL Certifications

The responsible IT Service Managers in each ITSC must hold the ITIL Foundation Certification
(Level 1). A plan to reach the IT Service Manager Certification (Level 3) must be in place if the IT
Service Manager is not yet certified at Level 3.

5.6 IT Service Management performance

IT services and IT processes are regularly assessed from a performance perspective and through
the use of service management controls according to ISO 20’000 including Service Level
Agreements, Critical Success Factors (CSF) and Key Performance Indicators (KPI).

5.7 One global IT Service Management platform

Within LafargeHolcim there is one common IT Service Management platform to promote
standardized methods, tools and data to manage IT services.

5.8 IT Service Management Workgroup (ITSMW)

The IT Leadership Team (ITLT) is committed and has the mandate from the IT Functional Council
(ITFC) for setting the strategic direction in IT Service Management. This strategic direction is
covered in this policy and is endorsed by the ITFC. ITLT delegates tasks to the IT Service
Management Workgroup (ITSMW).

The ITSMW is responsible for the content and the development of the IT Service Management
System with a lead provided by the Head of IT Service Management. The Head of IT Service
Management has the mandate to further improve the IT Service Management System framework,
coordinate the tasks to be done and propose decisions to be taken by the ITSMW subject to
endorsement by the ITLT.

The Head of IT Service Management is supported by the Regional IT Service Managers. They are
responsible for driving the implementation of the IT Service Management System in the IT Service
Centers.

Regular reviews, assessments and audits are performed to identify gaps and actions for closing
them, as well as to lead continuous improvements that bring the required maturity to the ITSM Global
Model.

See Annex 1 for a description of the IT Service Management Workgroup.

6. IT Supplier Management Policy Principles


IT Supplier Management principles described in this chapter establish rules and requirements
relating to management of the supplier relationship and selection process as well as oversight on
activities related to supplier management for any person or entity that supplies Information
Technology (IT) or IT services to LafargeHolcim.

In this chapter we consistently use the term “suppliers” to collectively denote suppliers, vendors,
service providers, contractors, consultants and information providers.

6.1 IT Category Management

In LafargeHolcim, Procurement is accountable for procuring 100% of third-party spend. According
to the Procurement Policy, this is done through Category Management, where IT constitutes one
of the Categories.

Procurement and IT Supplier Management jointly constitute the IT Category Management.

The IT Category includes all suppliers from the IT sector, independent of where the actual costs
are booked according to LafargeHolcim Accounting Principles.

Procurement and IT Supplier Management operate through a globally integrated “One Team”
approach for the IT Category, where IT Category Management is deployed through cross-
functional (IT and Procurement) and cross-regional teams.

IT Category Management brings Procurement together with IT Supplier Management at the
global, zonal and regional levels, providing complete management from sourcing strategy
definition to execution and management of contracts and supplier relationships.

The IT Category Management team is responsible for managing IT supplier relationships at the
global, zonal and regional levels, including
● business reviews with key suppliers
● management of IT assets (e.g. licenses) related to each supplier
● compliance with contracts, both
  o on the supplier side, for delivery of the service level agreements, and
  o on the LafargeHolcim side, for compliance with the contract

See Annex 1 Section 5 for the split of responsibilities between Procurement and IT Supplier
Management.

The implementation of Supplier Management is based on ISO 20'000.

6.2 Primary Objectives

The objectives of Supplier Management are to

● ensure suppliers are identified and evaluated in close collaboration
● get the required services at the best possible conditions
● maintain relationships through business reviews
● ensure service contracts and IT assets are in accordance with contractual terms, to avoid
any major risks or compliance issues
● leverage our negotiated contracts and benefit from Service Level Agreements and targets
● leverage, through category management, all information required for planning and for
the benefit of better negotiations
● support complex multi-supplier environments including internal and external providers

6.3 Responsibilities in Category Management

Procurement and IT Supplier Management jointly constitute the IT Category Management with
clearly assigned activities. See Annex 1 Section 5.

Procurement and IT Supplier Management jointly:

● define the IT category strategy and approach
● define the main topics and suppliers to be tackled
● evaluate the market and supplier offerings
● plan and conduct supplier monitoring and risk assessment
● plan and define communication to the field regarding global contracts
● plan and execute regular and systematic supplier reviews
● plan and execute business reviews with key suppliers
● collect field information prior to the launch of a Request for Information (RfI), Request for
Proposal (RfP) or Request for Quotation (RfQ), collectively abbreviated RfX
● prepare procurement by aligning procurement, business and IT objectives
● conduct competitive assessments and define and manage preferred suppliers in the
enterprise-wide IT category to create efficiencies and drive synergies globally

Split Global - Regional:

The split global - zonal will be decided jointly later.

Split Procurement – IT Supplier Management:

Procurement:
● Define global rules for procurement (across categories) and manage the supplier and
sourcing methodology.
● Manage the rules and guidelines for the RfX process:
  o Request for Information (RfI)
  o Request for Proposal (RfP)
  o Request for Quotation (RfQ).
● Issue:
  o Request for Information (RfI)
  o Request for Proposal (RfP)
  o Request for Quotation (RfQ).
● Responsible for all commercial elements and resolutions.
● Define objective criteria/structure for supplier selection.
● Ensure objectivity in supplier selection across the process in accordance with
LafargeHolcim rules and guidelines.

IT Supplier Management:
● Close collaboration with business counterparts (via the business relationship management
role) to receive their feedback and requirements.
● Define, prepare, monitor and manage the total cost of ownership of IT services and goods.
● Support and help in the preparation of RfIs, RfPs and RfQs.
● Responsible for all technical definition and resolutions.
● Evaluate and balance IT needs with potential risk exposure and conduct due diligence
activities to ensure compliance with the contract.
● Maintain a focus on supplier quality and service and manage the supplier performance
through continuous monitoring after the contractual arrangement.
● Manage compliance of IT assets. Support any supplier audit request.

6.4 Compliance with other Directives


In accordance with the key rules of the Procurement Policy, all activities of IT Supplier Management
are fully compliant with the Group Business Code of Conduct and with the Group Health and Safety
Policy and Directives, and are aligned with the Group focus on sustainability. See the Procurement
Policy.

6.5 Competitive Assessment and Preferred IT Suppliers

Competitive assessment and predetermined selection criteria are used to evaluate, select and
retain IT suppliers. The assessment may include a Request for Information (RfI), Request for
Proposal (RfP) or Request for Quotation (RfQ) and is a structured analysis against predetermined
criteria which must be used in making the selection of the supplier.
Results of the competitive assessment lead to a list of preferred IT suppliers. In cases where a
preferred IT supplier is not a viable option, as determined by IT Supplier Management, alternative
suppliers shall be selected by means of a competitive selection process in conjunction with
Procurement, using predetermined criteria for such selection.

6.6 Risk Assessment and Due Diligence

Potential risks of new IT suppliers, renewals of supplier contracts, and changes in services with an
existing supplier are evaluated through a supplier risk assessment prior to entering into
negotiations. A preliminary supplier risk assessment identifies the risks inherent in the goods or
services being procured and aligns with Procurement on the need to conduct additional due
diligence activities prior to contracting with the supplier.

In line with a risk-based approach, due diligence can be conducted to evaluate the effectiveness
of the IT supplier in managing inherent risks. These due diligence reviews and assessments can
include the following:

● IT risk assessment of the supplier's practices.
● Security vulnerability assessment.
● Business continuity and disaster recovery review.
● Financial due diligence and reputational risk review.
● Legal and compliance assessment.

6.7 Cloud Framework for Cloud Risk Assessment

In addition to the supplier-related risks above, special risks may arise with Cloud providers. On top of
the Procurement-related assessments, LafargeHolcim also applies the LafargeHolcim Cloud
Framework to ensure that Cloud suppliers and services are secure and safe from an IT point of view.

6.8 Ongoing Supplier Monitoring

IT Supplier Management is responsible for ongoing supplier monitoring and the fulfilment of periodic
risk reviews. Such monitoring may include some or all of the following:

● Evaluation of key service level agreements and contract provisions.
● Financial condition, control environment and impact due to changes in the external
environment.
● Contractual compliance and asset management.
● Assessment of compliance with the IT Security Policy and Directives.
● Regular reviews of key audit reports with major suppliers.

6.9 License Management

IT Supplier Management supports the IT Operational Units in setting up proper license management
processes and systems for IT services and goods in a structured and regular approach. The IT
Operational Units are responsible for ensuring that legal and compliance requirements are met.

6.10 Supplier Termination/Off-boarding

Upon termination, IT Supplier Management ensures that the supplier is off-boarded in accordance
with IT Supplier Management requirements and remains in compliance with all relevant
contractual obligations.

This Policy was approved by Group Executive Committee on January 27, 2016 and will come into
force on January 27, 2016.

Original dated: Dec 11, 2015
Revision Dates: January 27, 2016
Version dated: January 27, 2016
Responsible Group Executive Committee Member: Urs Bleisch – Head of Performance &
Costs
Responsible Person: Khushnud Irani – Head of IT

Annex 1: Responsibilities

1. Corporate level
1.1. LafargeHolcim Group Executive Committee

● The Group Executive Committee approves the creation, change or suspension of this IT
Policy.
● The Group Executive Committee member responsible for the area covered by the Policy
submits the creation, changes or suspension of this IT Policy for Group Executive
Committee approval.

1.2. Central Function

● Corporate: Group IT (GIT)

GIT, managed by the Group CIO, manages the IT function strategically and executes the
IT Policy.
GIT provides direction to global and regional IT service centers.
Group IT is responsible for taking decisions related to IT technologies, tools and providers,
considering the business requirements from functions and BPOs. The reasons for this are the
goals
● to achieve manageable, sustainable IT services,
● to guarantee the necessary security levels and controls, especially around Identity
and Access Management, and
● to minimize the Total Cost of Ownership (TCO), including the cost for ongoing
maintenance and external services.

● Global IT Service Center (GITSC)

The Global IT Service Center provides global services
● to users across the whole company, with a focus on communication and
collaboration and global HR solutions, and
● to Corporate users, with a focus on end user services, financial services and
reporting.
GITSC reports to the Group CIO.
The GITSC establishes and manages strong partnerships with a few external providers.
This mainly outsourced unit is called the Global Offshore Delivery and Support Center
(GDSC) and provides services to the ITSCs and the GITSC for projects (application
development) and operations (application management and user support).

● Infrastructure and Operations (I&O)

All infrastructure services (data center, networks, end user environment, directory) are
provided by one global organization, reporting to the Group CIO. There is one
standardized service catalogue for infrastructure services. IT Infrastructure staff and
management, who are geographically distributed across different regions and countries,
report to the Head of I&O. I&O establishes and manages strong partnerships with a few
infrastructure service providers.

● Global Business Process Owners (Global BPO)

In major global business Functions, including, but not limited to, Cement Industrial Performance,
Communication, Finance, Growth & Innovation, Organization & Human Resources and
Procurement, a global Business Process Owner and a Sponsor at Executive level are assigned.
They shape, optimize and standardize their business processes and can raise demands for new
or changed global IT solutions.

1.3. Regional Management

● Regional IT Service Center (ITSC)

ITSCs provide the main operational services to the countries and companies in their
scope. The Heads of ITSCs report to their regional ExCo member/area manager and, for
functional authority and reporting, to the Group CIO.
ITSCs strive for a lean organization by focusing on Business-to-IT alignment tasks, by
consuming infrastructure services from the I&O organization and by outsourcing application
development, management and support tasks to the Global Delivery and Support Center
to an as-high-as-reasonable degree.

ITSCs have a standardized organizational structure:

List of regions and countries, see Intranet.

● Regional Business Service Centers (BSC)

In each region a shared service center for business processes (such as order and invoice
processing, accounting, call center and HR) is established, which provides standardized,
efficient services to the countries in the region.

● Regional Business Process Owners (BPO)

In each region, for every process, a Business Process Owner and a Sponsor at Executive
level are assigned. They shape, optimize and standardize their processes and can raise
demands for new or changed IT solutions.

2. Country level
2.1. Country CEO

● The business of a country is represented by the CEOs in the Regional IT Council (RIC),
see below.
● Delegates responsibilities for IT specific tasks to the regional ITSC.
● Countries have Service Level Agreements (SLAs) with the regional ITSC for IT services.

2.2. IT Support in Countries is part of the regional ITSC

● The local IT organization in a country is part of the regional ITSC support organization. It
focuses on local support for end users and their devices and manages exceptional local
infrastructure which is not under I&O responsibility.

2.3. Plant Level

● Industrial IT
Historically there has been a clear distinction between standard IT, which was provided by
the ITSC, and industrial IT (information systems which steer the production systems, i.e.
real-time plant automation), for which the local production organization is responsible. This
led to inconsistent implementations and, among other things, security issues.
LafargeHolcim strives to apply the same approaches to commercial and operational IT
over time. The separation of the networks between the two worlds should follow a guideline, which
is still to be developed.

3. Governance Bodies
3.1. IT Functional Council (ITFC)

Purpose - Global strategic direction setting for LafargeHolcim IT and alignment between business
and IT.

Key responsibilities
● Direct the IT strategy and determine the appropriate investment levels and directions.
● Approve and execute the IT strategy and IT governance framework (including policies,
directives and charging mechanism).
● Approve the IT budget / mid-term plan (MTP), major investment requests, IT operating
plan and chargeback volumes for global and regional IT service centers.
● Provide resolution on escalations of major programs.
● Set performance objectives and review results of global and regional IT service centers.
● Promote integration synergies and their tracking.
● Promote mobility of IT people.

Mode of Operation
● Physical meetings: half-yearly
● Virtual meetings: quarterly, and ad hoc in case of urgent decision requests (e.g.
escalations)

Participants & Roles

Participant                                  Role
ExCo Member responsible for IT               Chair
ExCo Member from one region                  Co-Chair, ExCo representative and regional business representative
Group CIO                                    Overall IT Function representative
5 Heads of business from other regions       ExCo/area manager, regional business representatives
2 Heads of regional ITSCs                    ITSC representatives
Head of Strategy, Planning and Governance    Group IT management representative
Head of Infrastructure & Operations          Group IT management representative

Participant – On Invitation                  Role
Functional Heads                             Global Function representatives
Global Business Process Owners (Global BPO)  Shape processes and raise demands for new or changed global IT solutions
Further line management                      Give expertise or be informed
Other Heads of regional ITSCs                Regional IT Service Center representatives, rotational
Group IT Heads of workgroups                 Global IT workgroup representatives

3.2. IT Leadership Team (ITLT)

Purpose - Global IT leadership: operational execution and implementation of IT Strategy.

Key responsibilities
● Define IT objectives, metrics and measure the success.
● Discuss and define IT-internal technical topics (e.g. digital technologies): direction, tools,
delivery models, providers, alignment.
● Act as Architecture Review Board deciding on the roadmap, standards and approvals.
● Ratification/approval of tool / solution decisions based on proposal from Workgroups.
● Act as resolution body to major IT programs in case of conflicts.
● Joint decision making.
● Responsible for achieving synergy targets according to commitments

Mode of Operation
● Physical meetings: every 4 months
● Virtual meetings: every 6 weeks, and ad-hoc, in case of urgent decision requests (e.g.
escalations)

Participants & Roles

Participant                                   Role
Group CIO                                     Chair
ITSC Heads                                    Regional ITSC representatives
Head of IT Strategy, Planning and Governance  Strategy, Architecture and Planning representative
Head Global IT Service Center                 Global services and projects representative
Head Infrastructure and Operations            Infrastructure and Operations representative
Head Transformation Office (TO)               Portfolio and Transformation Management representative
Head IT Innovation                            Customer-centric and innovative solutions representative

Participant – On Invitation                   Role
Group IT Heads of workgroups                  Global IT workgroup representative
Project Leaders                               Project representative
Further SMEs                                  Give expertise

3.3. Regional IT Council (RIC)

Purpose - Steering of Regional IT Implementation and alignment with business across the region.

Key responsibilities
The Regional IT Council is the main body aligning business and IT in a region and it executes the
regional IT governance activities.
● Pre-approve the 3-year IT budget / mid-term plan (MTP), major investment requests and
IT operating plan for the regional service center before they go to the ITFC for global
approval.
● Communicate and implement the IT strategy and IT governance framework in the region.
● Operationalize performance objectives for the regional service center and review the results
according to Group guidance.

Mode of Operation
● Physical meetings: Quarterly
● Virtual meetings: on request

Participants & Roles

Participant                        Role
ExCo member region / Area manager  Chair
Head ITSC                          Regional IT representative
CEO or CFO for each Country        Country and business representatives
Group CIO                          Overall IT Function representative

Participant – On Invitation        Role
Head regional BSC                  Business Shared Service Center representative, permanent guest
Guests from business, BPOs         Business experts, business process specialists
Project Leaders                    Project representative

4. Workgroups
4.1. Enterprise Architecture Workgroup (EAW)

Purpose - Competence team of Group IT and regional architects which directs, defines and executes
the global Enterprise Architecture.

Key responsibilities
● Manage and execute the EA Strategy (vision, objectives and roadmap to deliver) and
communicate regularly.
● Manage and execute the EA Policy (EA directives, EA standards, EA guidelines).
● Define the business capability matrix with the business and drive the business towards
standardized solutions.
● Continuously improve architectural coherence, regionally and globally.
● Evaluate demand activation requests.
● Approve EA initiative results, new technologies or innovation proposals (and forward them to
the Functional Council if required).

Mode of Operation
● Physical meetings: Yearly, same week as other Workgroups to have common sessions
● Virtual meetings: Monthly

Participants & Roles

Participant                                    Role
Global Head Enterprise Architecture            Chair
Head of IT Strategy, Planning and Governance   IT LT Representation
Group Enterprise Architects                    Provide EA expertise, proposals
Global ITSC Enterprise Architect               Provide EA expertise, proposals
Regional Enterprise Architects                 Provide EA expertise, proposals
IT Infrastructure Architect                    Represent I&O, provide IT infrastructure expertise

Participant – On Invitation                    Role
Global Head IT Innovation                      Represent Innovation
Group IT Heads of workgroups                   Global IT workgroup representative
Project Leaders                                Project representative
Guests from business, global or regional BPOs  Business experts, business roadmap specialist
Procurement                                    IT Category management, negotiations
Legal                                          Contract expert
Project and portfolio management               Information update on portfolio
Topic-specific experts                         Provide topic-specific expertise

Agenda of the EAW

Agenda Item – Description (Note)
● Status of EA – Overview on current status, key topics and EA roadmap. (Note: Presented by
Chair.)
● Escalations and decision requests – Discuss required escalations and decision making. Open
forum for all participants to voice requirements. (Note: As required.)
● Solution Selection status and decisions – Discuss the current solution selection process and
first level design for major solution initiatives. (Note: Content owners to prepare and present.)
● New demand – Provide architecture direction and ensure EA standards are adhered to.
(Note: Input from demand management.)
● New technology and Business direction – Understand the vision and direction of Business.
Explore new technologies and map them to the vision and business direction.
● EA opportunities and ongoing activities – Discuss EA opportunities (e.g. new innovation
study requests) and ongoing activities (e.g. on improving the EA capability).

Approval Process
● The EAW is empowered to take decisions related to tools and technology when a consensus
is reached. In the absence of a consensus, a fair recommendation will be approved by the
Head of IT Strategy, Planning and Governance. Based on the judgement of the Head of EA or
the Head of IT SPG, certain specific decisions may be referred to the Architecture Review
Board (or IT Leadership Team).
● EAW members from the regions, group services and Infrastructure are empowered by their
respective management to actively contribute and take decisions. EAW members in turn keep
the business and their respective IT Management aligned on the various topics.
● In specific cases of technology and solutions related to Infrastructure only, the Head of I&O
should approve recommendations from the EAW.
● I&O being a line function, the Head of I&O can decide on technologies related to his area,
including end user devices. Nevertheless, such decisions should be highlighted in the
EAW and recorded as a standard along with the defined roadmap.

4.2. IT Security Workgroup (ITSECW)

Purpose - Competence team of Group IT and regional security specialists which directs, defines
and executes the global security framework.

Key responsibilities
● Define and execute the IT security strategy (vision, objectives and roadmap to deliver)
and communicate regularly (cross-regional and cross-functional).
● Define and execute the IT Security Policy (IT security directives, standards and
recommendations).
● Define and implement security methods and tools.
● Implement the security framework based on ISO 27'000.
● Coordinate with Group Internal Control, Group Audit and external auditors.
● Define the IT risk management strategy and align it to business risk management.
● Monitor compliance with the IT Security Policy globally.

Mode of Operation
● Physical meetings: Yearly, same week as other Workgroups to have common sessions
● Virtual meetings: Monthly

Participants & Roles

Participant                                         Role
Global Head IT Security                             Chair
Head IT Strategy, Planning and Governance           IT LT Representation
Regional Security Heads                             Expert, regional representative
Infrastructure Security Head                        Represent I&O, provide IT infrastructure security expertise

Participant – On Invitation                         Role
Other IT functions like architecture, applications  Provide expertise
Group IT Heads of workgroups                        Global IT workgroup representative
Business Risk Management                            Link to BRM
Project Leaders                                     Project representative
Guests from business                                Business experts
Topic-specific experts                              Provide topic-specific expertise

Approval process
● The ITSECW is empowered to take decisions and approve IT security directives, guidelines,
tools and continuous improvement plans when a consensus is reached. In the absence
of a consensus, a fair recommendation will be approved by the Head IT Strategy,
Planning and Governance.
● Based on the judgment of the Global Head of Security / Head IT Strategy, Planning and
Governance, certain decisions may be referred to the IT Leadership Team or IT Functional
Council.
● IT Security members from the regions, group services and Infrastructure will be empowered by
their respective management to actively contribute and take decisions. ITSECW
members will in turn keep the business and their respective IT Management (IT Head,
Head of Group and Global services or Head of I&O) aligned on the various topics.
● In specific cases of technology and solutions related to Infrastructure only, the Head of
I&O should approve recommendations from the ITSECW.

1. Global IT Security Head

● The Global IT Security Head is responsible for enforcing the IT Security Policy and directives
in LafargeHolcim worldwide.
● He does this by working out and establishing the necessary structures, processes and
tools, by closely cooperating with business management and by having a functional link to
the regional and infrastructure IT Security Heads.

2. Regional and Infrastructure IT Security Heads

● The IT Security Heads of the Global IT Service Center, Infrastructure & Operations and the
regional IT Service Centers (including countries and plants) are responsible for the
implementation of and compliance with the security policy and directives within their
respective areas of responsibility.

3. Regional IT Security Management body

● The Global IT Service Center, Infrastructure and the regional IT Service Centers have to set up
a regional IT security management body to manage the implementation of the Information
Security Management System in their regions.




4.3. IT Service Management Workgroup (ITSMW)

Purpose - Competence team of Group IT and regional IT Service Management specialists which direct, define and execute the global service management framework.

Key responsibilities
● Define and execute the IT service management strategy (vision, objectives and roadmap to deliver) and communicate it regularly (cross-regional and cross-functional).
● Define and execute the ITSM Policy (ITSM directives, standards and recommendations).
● Define and implement ITSM processes, methods, tools and framework based on ISO/IEC 20000 and ITIL.
● Align global and regional IT service requirements, shape the service landscape and drive towards unified solutions.
● Regularly measure and improve IT service and IT process performance.
● Monitor compliance with ITSM directives globally.

Mode of Operation
● Physical meetings: Yearly, same week as other Workgroups to have common sessions
● Virtual meetings: Monthly

Participants & Roles

| Participant | Role |
|---|---|
| Global Head IT Service Management | Chair |
| Head IT Strategy, Planning and Governance | IT LT Representation |
| Regional ITSM Heads | Expert, regional representative |
| Infrastructure ITSM Head | Represent I&O, provide IT infrastructure service management expertise |

| Participant – On Invitation | Role |
|---|---|
| Group IT Heads of workgroups | Global IT workgroup representative |
| Guests from business, BPOs | Business experts, business process specialists |
| Project Leaders | Project representative |
| Guests from BSCs | Business Shared Service Center specialists |




4.4. IT Innovation Workgroup (ITIW)

Purpose - Competence team of Group IT and regional innovation points of contact who brainstorm, share and exchange innovation opportunities and coordinate the execution of innovation activities.

Key responsibilities
● Through close proximity with operations, identify innovation opportunities independently or
through partnership with other departments
● Engage, explore and exchange on emerging technologies and the potential practical use
cases within the organization
● Move quickly through the ideation stages, resolving theoretical debates through execution
● Help to determine business models, focused on results
● Act as evangelists for innovation and build feedback loops within respective geographic
areas
● Help to build a collaborative community for solution brokering and idea exchange
● Closely align with the Growth & Innovation Function
● Ensure that the Stage Gate Process, defined by the Growth & Innovation Function, is
followed for IT innovation projects

Mode of Operation
● Physical meetings: Yearly, same week as other Workgroups to have common sessions
● Virtual meetings: Monthly

Participants & Roles

| Participant | Role |
|---|---|
| Global Head IT Innovation | Chair |
| Head IT Strategy, Planning and Governance - delegate | Architect representative |
| Service Center Innovation points of contact | Expert, ITSC representative |
| Infrastructure Innovation point of contact | Expert, Infrastructure representative |

| Participant – On Invitation | Role |
|---|---|
| Growth & Innovation Function | Innovation representative from business; ensure alignment with Stage Gate Process |
| Growth & Innovation regional representatives or delegates | Provide expertise |
| Guest from Risk, Group Internal Control, Group Internal Audit | Link to Risk, Internal Control, Audit when needed for advisory on planned pilots |
| Guests from other departments | Business experts |
| Guests from I&O – operations expert | Provide expertise as needed for operational handoff |
| Topic-specific experts | Provide topic-specific expertise |




5. Responsibilities in Supplier Management


| Description | Activities | Procurement | Group IT | ITSC |
|---|---|---|---|---|
| Define rules and methodology | Define the global rules for procurement. | R | C | I |
| Manage preferred supplier guidelines | Define rules and guidelines for preferred supplier selection. | R | C | I |
| Initiation / Demand request | Information about upcoming initiative. | I | I | R |
| Planning & Scope | Develop scope and time plan, project/engagement approach. | C | C | R |
| Strategic supplier assessment | Conduct initial supplier assessment. | R | C | I |
| Strategy | Solutions market intelligence, technical synergies identification, existing / preferred suppliers and IT delivery models; explore long-term strategy. | C | R | I |
| Rfx structure | Define structure and process for Rfx. | R | C | C |
| Rfx execution | Execute the Rfx: issue request for proposal, gather suppliers' responses and clarifications. | R | C | A |
| Functional Evaluation | Evaluate from functional/technical perspective. | I | C | R |
| Commercial Evaluation | Short listing, price comparison. | R | C | C |
| Final evaluation | Joint final evaluation. | A | A | R |
| Negotiation and Contracting | Synthesize results, conduct negotiations, interface with Legal, and agree T&Cs. | R | C | C |
| Implementation / Operation | Implementation / operations and monitoring. | I | A | R |
| Performance reviews | Assess supplier's performance, i.e. SLAs and contract adherence. | I | A | R |
| Termination / Renewal – global contracts | Trigger contract renewals / termination / amendments for global contracts. | A | R | I |
| Termination / Renewal – regional contracts | Trigger contract renewals / termination / amendments for regional contracts. | A | I | R |

R: Responsible, A: Accountable, C: Consult, I: Inform




Annex 2a: LafargeHolcim Policies related to IT policy

| Link with Policy | Definition / Description | Responsibility |
|---|---|---|
| IT Procurement Policy | | Procurement |
| Business Code of Conduct | | Legal & Compliance |
| Health and Safety Policy | | H&S |
| Compliance Policy | | Legal & Compliance |
| Internal Audit Charter | | Internal Audit |
| Investigation Policy | | Legal & Compliance |
| Information Retention Policy | | Legal & Compliance |
| Business Risk Management Policy | | Business Risk Management |
| Internal Control Standards/Policy | | Internal Control |

Annex 2b: LafargeHolcim Directives related to IT policy

| Link to IT Policy | Directive | Definition / Description | Responsibility | Reference |
|---|---|---|---|---|
| IT Security | IT Security Directives | Define global IT security measures (will be developed until Q1 2016) | Global Head IT Security | Para. 1 |
| IT Service Management | IT Service Management Directives | Define global ITSM processes (will be developed until Q1 2016) | Global Head Service Management | Para. 3 |
| Health and Safety | Health and Safety Directives | | H&S | |
| Internal Control | Internal Control Standards | | Group Internal Control | |
| Growth & Innovation | Stage Gate Process | | Growth & Innovation | |
| Information Security | IS_D01 IT Security Management Directive (ISMS) | Completed and validated. | Group IT | |
| Information Security | IS_D02 Risk Management Directive | Work in progress. | Group IT | |
| Information Security | IS_D03 Asset Management Directive | Work in progress. | Group IT | |
| Information Security | IS_D04 Operations and Infrastructure Security Directive | Completed and validated. | Group IT | |
| Information Security | IS_D05 Information Systems User Directive | Completed and validated. | Group IT | |
| Information Security | IS_D06 IT Compliance and Performance Directive | Completed and validated. | Group IT | |
| Information Security | IS_D07 Network Security Management Directive | Work in progress. | Group IT | |
| Information Security | IS_D08 Mobile Computing Security Directive | Completed and validated. | Group IT | |
| Information Security | IS_D09 Human Resources Security Directive | Completed and validated. | Group IT | |
| Information Security | IS_D10 IT Supplier Security Directive | Work in progress. | Group IT | |
| Information Security | IS_D11 Access Control Directive | Completed and validated. | Group IT | |
| Information Security | IS_D12 Security System Development Management Directive | Work in progress. | Group IT | |
| IT Service Management | ITSM_D01 IT Incident Management Directive | Completed and validated. | Group IT | |
| IT Service Management | ITSM_D02 IT Problem Management Directive | Completed and validated. | Group IT | |
| IT Service Management | ITSM_D03 IT Service Request Fulfilment Directive | Completed and validated. | Group IT | |
| IT Service Management | ITSM_D04 IT Business Relationship Management | Work in progress. | Group IT | |
| IT Service Management | ITSM_D05 IT Service Catalogue Management | Work in progress. | Group IT | |
| IT Service Management | ITSM_D06 IT Release and Deployment Management | Work in progress. | Group IT | |
| IT Service Management | ITSM_D07 IT Change Management Directive | Completed and validated. | Group IT | |
| IT Service Management | ITSM_D08 IT Service Asset and Configuration Management | Work in progress. | Group IT | |
| IT Service Management | ITSM_D09 IT Transition Planning & Support | Work in progress. | Group IT | |
| IT Service Management | ITSM_D10 IT Service Validation & Testing | Work in progress. | Group IT | |
| IT Service Management | ITSM_D11 IT Service Level Management | Work in progress. | Group IT | |
| IT Service Management | ITSM_D12 IT Availability Management | Work in progress. | Group IT | |
| IT Service Management | ITSM_D13 IT Capacity Management | Work in progress. | Group IT | |
| IT Service Management | ITSM_D14 IT Continuity Management | Work in progress. | Group IT | |
| IT Service Management | ITSM_D15 IT Continuous Service Improvement | Work in progress. | Group IT | |
| IT Service Management | ITSM_D16 IT Knowledge Management | Work in progress. | Group IT | |




Annex 3: LafargeHolcim recommendations related to the policy

| Recommendation | Definition / Description | Reference |
|---|---|---|
| TBD | TBD | TBD |

Annex 4: Definitions and Abbreviations

ARB Architecture Review Board
BPO Business Process Owner
BRM Business Risk Management
BSC Business Services Center
CAB Change Advisory Board
CEO Chief Executive Officer
CFO Chief Financial Officer
CIA Confidentiality, Integrity and Availability
CIO Chief Information Officer
CMDB Configuration Management Database
CRV Common Requirements Vision
CSF Critical Success Factor
EA Enterprise Architecture
EAW Enterprise Architecture Workgroup
ERP Enterprise Resource Planning
ExCo Executive Committee
GDSC Global Delivery and Support Center
GIT Group IT
GITSC Global IT Service Center
HR Human Resources
I&O Infrastructure and Operations
IA Internal Audit
IC Internal Control
ICS Internal Control System
ISMS Information Security Management System
ISO International Organization for Standardization
IT Information Technology
ITFC IT Functional Council
ITGC IT General Control
ITGC.KC IT General Control Key Control
ITIL IT Infrastructure Library
ITIW IT Innovation Workgroup
ITLT IT Leadership Team
IT Operational Unit Refers to the combination of the regional IT Service Centers (ITSCs), the global ITSC (GITSC) and Infrastructure & Operations (I&O)
ITSC IT Service Center
ITSEC IT Security
ITSECW IT Security Workgroup
ITSM IT Service Management
ITSMW IT Service Management Workgroup
KC Key Control
KPI Key Performance Indicator
MTP Mid-Term Plan
PPM Portfolio and Project Management
RfI Request for Information
RfP Request for Proposal
RfQ Request for Quotation




Rfx Collective abbreviation and umbrella term for RfI, RfP, RfQ
RIC Regional IT Council
SaaS Software as a Service
SDLC Software Development Life Cycle
SLA Service Level Agreement
SME Subject Matter Expert
SPG Strategy, Planning and Governance
SPoC Single Point of Contact
SWOT Strengths, Weaknesses, Opportunities, Threats
T&C’s Terms and Conditions
TCO Total Cost of Ownership
TO Transformation Office

BoD Board of Directors
CEO Chief Executive Officer
CFO Chief Financial Officer
CFT Corporate Financing and Treasury
CH Corporate Holding Companies, Corporate Holdings
Corporate Holding A Corporate Holding company is a company whose main purpose is to hold investments or provide financing for the Group. It is under the ultimate responsibility of the Group CFO.
Front- and parallel-running Front running is the practice of executing orders on a security for one's own account before filling orders/performing investments for LafargeHolcim. Parallel running is the practice of filling orders/performing investments for one's own account at the same time as for LafargeHolcim.
Group LafargeHolcim Group, referring to the consolidated Group including all Corporate Holding and Operating Companies.
Group company/subsidiary Refers to a company where LafargeHolcim has control, regardless of whether it is a Corporate Holding company or an Operating Company. When it is referred to as a subsidiary, it comprises all its governing bodies, including its board, board committees and executive management.
ICS Internal Control Standards

