The information systems security policy (PSSI) is an action plan defined to maintain a given level of security. It reflects the strategic vision of the organization's management (small and medium-sized enterprises and industries, administrations, the State, unions of States…) regarding information system security (SSI).

Dependence and dissociation

The information systems security policy is intrinsically linked to information security.

Also, since an information system is not limited to the computer system, an information systems security policy is not limited to computer security.

Description

The PSSI is the organization's principal reference document on SSI. It is a founding element that defines the objectives to be reached and the means granted to reach them.

The process of producing this policy is based on an information system security risk analysis.

After validation by the organization's various information security actors, the PSSI must be distributed to all actors of the information system (users, owners, subcontractors, service providers…). It then constitutes a genuine communication tool on the SSI organization and responsibilities, on SSI risks, and on the means available to protect against them.

Information system security has traditionally been based on the implementation of public key infrastructures (PKI).

In the opinion of experts, implementing a public key infrastructure in an open world is not truly effective without certain precautions. In large networked organizations, the data security analysis must be integrated into a broader reflection on the legal framework and on the implementation of metadata registries.

For example, for everything concerning industrial research applications (see the metadata dictionary for the CNRS publications reference framework), a thorough reflection on the use of electronic certificates is required, with regard to the elements and refinements employed.

Developing an information system security policy

In France, the DCSSI produced between 2002 and 2004 a guide for information system security policy. It is composed of four sections:

  1. Introduction
  2. Methodology
  3. Security principles
  4. SSI references

This document updates documents dating back to 1994.

Introduction

See details: Section 1 - Introduction

In addition to the PSSI, the guide defines the concepts of:

  • security principles,
  • security rules.

It defines the field of application and the actors for whom the guide is intended:

  • information system security officials (FSSI) in administrations,
  • information system security managers (RSSI) in companies.

It takes note of the new nature of the threat: global and cross-border because of the interconnection of networks through the Internet.

It defines three types of assets to be protected:

  • tangible assets,
  • intangible assets,
  • information relating to natural and legal persons.

It defines the place of the PSSI within the reference framework, in particular:

  • links between the PSSI and the OECD guidelines,
  • links between the PSSI and the Common Criteria.

It indicates the bases of legitimacy of the rules of a PSSI:

  • Laws, regulations, standards and recommendations issued by international, national or professional authorities. The rules also find their justification in the components of the organization's culture (traditions, internal regulations).
  • Rules of ethics:
    • international principles,
    • codes of ethics by professional sector,
    • codes of ethics of the information technology professions.
  • Principles of protection of the vital interests of the State:
    • the protection of unclassified defense elements,
    • information covered by defense secrecy:
      • protection of secrecy and of information concerning national defense and State security (IGI 1300),
      • information systems that are subject to a defense classification, for themselves or for the data they process (IGI 900),
      • protection of secrecy between France and foreign States (II 50),
      • protection of secrecy for the protection of markets and other contracts (II 2000).
  • Principles of safeguarding the organization's interests, in particular requirements towards:
    • suppliers,
    • service providers,
    • subcontractors,
    • other organizations.

Methodology

See details: Section 2 - Methodology

Principles of safety

See details: Section 3 - Principles of safety

Section 3 covers the various security domains generally addressed by a PSSI:

  • Organizational principles
  • Implementation principles
  • Technical principles:
    • identification/authentication,
    • logical access control to assets,
    • logging,
    • cryptographic key management infrastructures,
    • compromising emanations.

References SSI

See details: Section 4 - References SSI

  • The Common Criteria for information technology security evaluation
  • OECD guidelines
  • Codes of ethics of the information technology professions
  • Offences against persons
  • Offences against property
  • Offences against the fundamental interests of the nation, terrorism and offences against public trust
  • Offences against intellectual property
  • Provisions relating to cryptology
  • Provisions relating to electronic signatures

Variations

Global security and IT interoperability

A very serious problem encountered with the arrival of the Semantic Web is that the data describing events (security, accounting management) are not managed so as to interoperate semantically.

Moving to the Semantic Web requires relating events by something other than the temporal link alone. A meta-framework that provides the semantics of the data and the description languages is therefore needed.

Technically, this amounts to establishing the link between network routers and databases by introducing data semantics and description languages (for example, document format description languages).
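To make the point concrete, here is an added example (not from the original article or from any named project) of relating events from a router and a database by the entity they concern rather than by time alone. Each source is mapped onto one small shared schema, and the grouping and review functions then work on that schema only. The schema, its field names, and the sample log lines are all assumptions constructed for this illustration.

```python
"""
Added illustration: two event sources described with different vocabularies
(a router's ACL log and a database audit log) are mapped onto one shared
schema so that events can be related by the host or account they concern,
and not only by their timestamps. Formats and sample lines are constructed
for this example and are not real device output.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample lines (assumed formats).
ROUTER_SYSLOG = [
    "2024-03-01T10:00:05Z rtr1 acl-101 denied tcp 10.1.1.7:4444 -> 10.2.0.5:5432",
    "2024-03-01T10:00:09Z rtr1 acl-101 permitted tcp 10.1.1.7:4445 -> 10.2.0.5:5432",
    "2024-03-01T10:00:11Z rtr1 acl-101 permitted tcp 10.1.1.9:5100 -> 10.2.0.5:5432",
]
DB_AUDIT = [
    "ts=2024-03-01T10:00:10Z db=orders user=app_ro client=10.1.1.7 action=LOGIN result=FAIL",
    "ts=2024-03-01T10:00:12Z db=orders user=app_ro client=10.1.1.7 action=LOGIN result=OK",
    "ts=2024-03-01T10:00:13Z db=orders user=app_ro client=10.1.1.7 action=SELECT object=customers result=OK",
    "ts=2024-03-01T10:00:14Z db=orders user=svc_etl client=10.1.1.9 action=LOGIN result=OK",
]

# Shared schema (an assumption of this example): every event, whatever its
# origin, carries the same fields with the same meaning.
ACTIONS = {"network.connect", "db.login", "db.query"}
OUTCOMES = {"allowed", "denied"}

ROUTER_RE = re.compile(
    r"^(?P<ts>\S+) (?P<device>\S+) (?P<acl>\S+) (?P<verdict>denied|permitted) "
    r"(?P<proto>\w+) (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def _parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_router_line(line):
    """Map one router ACL log line onto the shared schema."""
    m = ROUTER_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised router line: {line!r}")
    return {
        "time": _parse_ts(m["ts"]),
        "source": m["device"],
        "subject_host": m["src"],
        "subject_account": None,  # a router does not know the account
        "target": f"{m['dst']}:{m['dport']}",
        "action": "network.connect",
        "outcome": "allowed" if m["verdict"] == "permitted" else "denied",
    }


def parse_db_line(line):
    """Map one key=value database audit line onto the shared schema."""
    kv = dict(tok.split("=", 1) for tok in line.split())
    return {
        "time": _parse_ts(kv["ts"]),
        "source": kv["db"],
        "subject_host": kv["client"],
        "subject_account": kv["user"],
        "target": kv.get("object", kv["db"]),
        "action": "db.login" if kv["action"] == "LOGIN" else "db.query",
        "outcome": "allowed" if kv["result"] == "OK" else "denied",
    }


def normalise(router_lines, db_lines):
    """Parse both sources into one time-ordered list of schema events."""
    events = [parse_router_line(l) for l in router_lines]
    events += [parse_db_line(l) for l in db_lines]
    for e in events:  # every event must speak the shared vocabulary
        assert e["action"] in ACTIONS and e["outcome"] in OUTCOMES
    return sorted(events, key=lambda e: e["time"])


def timeline_by_host(events):
    """Group events by the host they concern, across both sources."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["subject_host"]].append(e)
    return dict(by_host)


def hosts_denied_then_admitted(events):
    """Hosts denied somewhere and later allowed a database login: worth a look."""
    flagged = []
    for host, evs in timeline_by_host(events).items():
        denied = [e["time"] for e in evs if e["outcome"] == "denied"]
        logins = [e["time"] for e in evs
                  if e["action"] == "db.login" and e["outcome"] == "allowed"]
        if denied and logins and min(denied) < max(logins):
            flagged.append(host)
    return sorted(flagged)


if __name__ == "__main__":
    evs = normalise(ROUTER_SYSLOG, DB_AUDIT)
    for host, tl in timeline_by_host(evs).items():
        print(host, [(e["source"], e["action"], e["outcome"]) for e in tl])
    print("hosts to review:", hosts_denied_then_admitted(evs))
```

The two parsers are the only place that knows each source's own format; everything after them reasons over the shared fields, which is what makes the router and database events comparable. A real deployment would carry the same idea further (an agreed vocabulary for actions and outcomes, identifiers that survive across systems) rather than relying on matching IP addresses as this toy does.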

This initial awareness is necessary before articulating the global PSSI into technical security policies.

Moving from global SSI principles to specialized policies

Once the most serious risks have been identified, one can consider declining the global PSSI into technical security policies by business line, activity or system. The global PSSI will also serve as the basis for coherence between these policies and all security studies.

Thus, various types of security policies related to information or data security can be found:

Appendices

See also

External links

  • DCSSI: Guide for the development of information systems security policies

  • MEDEF awareness guide on computer security and the protection of information assets


© 2007-2008 speedlook.com; article text available under the terms of the GFDL, from fr.wikipedia.org