
How to develop a PSSI in four steps?

What steps are involved in drafting a PSSI? What elements should it contain? And what pitfalls should be avoided? The answer in four steps.

December 20, 2023

1. Define your security objectives and operational requirements

The first step in developing a PSSI is to clearly define your company's internal security objectives and operational requirements.

Before you begin the drafting phase, you need to identify the motivations and requirements associated with implementing this PSSI. To do this, ask yourself the following questions.

  • Is compliance the main objective? Does the company have to comply with specific regulations such as the GDPR or industry standards such as TISAX?
  • Do customer requirements influence the need for a PSSI?
  • Do business partners require evidence of cybersecurity robustness in order to establish or continue business relationships?
  • To what extent should the company secure sensitive information against the risk of leaks or breaches?
  • How can security policy help strengthen the organization's governance and overall cybersecurity posture?

The answers to these questions are part of the company's strategic vision. That's why the IT team can't be the only one involved in drafting the PSSI! Setting up work meetings and consulting regularly with management are essential levers for the success of this project.

This synergy offers several advantages:

  • it promotes the involvement and awareness of managers in cyber issues and the risks faced by the company;
  • it ensures that this action plan does not conflict with the overall vision of the Executive Committee;
  • it secures strong support from management, which is essential to ensure the effective implementation of the security policy!

2. Conduct a security audit

This initial audit is not just a simple analysis: it is a fundamental step in identifying vulnerabilities in your information system.

The security audit covers not only the company's tangible and intangible assets, but also its sensitive data. Its purpose? To assess and highlight the current risks to which the company is exposed.

It enables a precise assessment of the current situation to be made, providing a solid basis for drafting the PSSI.

What does a security audit involve?

  • An assessment of physical and logical controls:
    • verify the mechanisms for accessing the company's IT assets and data;
    • analyze authentication methods, access permissions granted, firewall configurations, and detection solutions in place (antivirus, EDR, etc.).
  • A review of policies and procedures: the audit must review current security policies and operational procedures to ensure they comply with industry standards and regulatory requirements.
  • A risk analysis:
    • identify potential threats;
    • assess the potential impact of these threats on the company;
    • measure the overall security level of the company.

Based on this analysis, the company can prioritize risks according to their probability and severity.

3. Establish the security principles of the PSSI

Once the scope has been defined, the next step is to carefully select which security principles should be applied. Although each PSSI is unique, the ANSSI guide groups these principles into three main categories.

The organizational principle

Here, we are interested in the structure of security within the organization. This particularly concerns the definition of each person's responsibilities in relation to the implementation and management of the IT security plan.

Two examples among many others:

  • the criterion for disseminating information within the company;
  • classification of employee access levels.

The goal: to ensure the protection of sensitive data, accessible only to authorized persons.

The implementation principle

This principle concerns the practical application of the PSSI through concrete actions. It includes:

  • cybersecurity awareness and training for employees;
  • the implementation of technological solutions;
  • the development of a business continuity plan, etc.

The technical principle

Last but not least, this principle concerns the technical aspects of information system security (ISS), such as identification, authentication, and logging of user activities. These measures are essential for monitoring and detecting potential security incidents.

4. Implement and monitor the PSSI

After defining the security principles, the next step is to oversee the implementation of the action plan: monitor the progress of actions, ensure that they comply with security rules, etc.

And that's where Tenacy comes in! By centralizing the management of all cybersecurity processes, the platform provides a consolidated view that facilitates day-to-day management for information system security managers. It includes:

  • risk management;
  • the level of compliance;
  • monitoring security performance through visual indicators and interactive dashboards.

It should be noted that the information system security policy is never a static document! It may need to evolve, whether due to major changes in the operational context or a simple adjustment to security requirements.

If you would like to learn more about how Tenacy can help you manage cybersecurity within your organization, please contact us!
