
Developing an ISSP in four steps

The information system security policy (ISSP) is more than just a reference document: it represents the foundation of the strategic vision for the company's IS security. Nothing less.

April 16, 2024

And since this is the working document for the entire IS security team, it must be:

  • written collaboratively;
  • approved by company management.

So, what are the steps involved in drafting an ISSP? What elements should it contain? And what pitfalls should be avoided? The answer in four steps.

#1 Define your security objectives and operational needs

The first step in developing an ISSP is to precisely define your company's internal security objectives and operational needs.

Before you begin the drafting phase, you need to identify the motivations and requirements behind this ISSP. To do this, ask yourself the following questions.

  • Is compliance the main objective? Does the company have to comply with specific regulations such as the GDPR or industry standards such as TISAX?
  • Do customer requirements influence the need for an ISSP?
  • Do business partners require evidence of cybersecurity robustness in order to establish or continue business relationships?
  • To what extent should the company secure sensitive information against the risk of leaks or breaches?
  • How can security policy help strengthen the organization's governance and overall cybersecurity posture?

The answers to these questions are part of the company's strategic vision. That is why the IT team cannot be the only one involved in drafting the ISSP! Organizing work meetings and consulting regularly with management are essential levers for the success of this project.

This synergy offers several advantages:

  • it promotes the involvement and awareness of managers in cyber issues and the risks faced by the company;
  • it ensures that this action plan does not conflict with the overall vision of the Executive Committee;
  • it secures strong support from management, which is essential to ensure the effective implementation of the security policy!

#2 Conduct a security audit

This initial audit is not just a simple analysis: it is a fundamental step in identifying vulnerabilities in your information system.

The security audit covers not only the company's tangible and intangible assets, but also its sensitive data. Its purpose? To assess and highlight the current risks to which the company is exposed.

It allows for an accurate assessment of the current situation, providing a solid basis for drafting the ISSP.

What does a security audit involve?

  • An assessment of physical and logical controls:
    • verify the mechanisms for accessing the company's IT assets and data;
    • analyze authentication methods, access permissions granted, firewall configurations, and detection solutions in place (antivirus, EDR, etc.).
  • A review of policies and procedures: the audit must review current security policies and operational procedures to ensure they comply with industry standards and regulatory requirements.
  • A risk analysis:
    • identify potential threats;
    • assess the potential impact of those threats on the company;
    • measure the overall security level of the company.

Based on this analysis, the company can prioritize risks according to their probability and severity.
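The prioritization described above (ranking risks by probability and severity) is easy to describe and easy to get wrong in a spreadsheet, so here is an added, self-contained example of a small risk register scored on two scales. It is not code from the original article or from Tenacy; the 1-to-4 scales, the priority bands, the rule that a maximum-impact risk is always treated as critical, and the sample register entries are all constructed for this illustration.

```python
from dataclasses import dataclass
from typing import List

# Constructed scales: 1 = rare / minor, 4 = almost certain / critical.
SCALE_MIN, SCALE_MAX = 1, 4


@dataclass(frozen=True)
class Risk:
    """One line of the risk register produced by the audit's risk analysis."""
    identifier: str
    description: str
    likelihood: int  # probability the threat materializes, SCALE_MIN..SCALE_MAX
    impact: int      # severity for the company if it does, SCALE_MIN..SCALE_MAX


def score(risk: Risk) -> int:
    """Raw score = likelihood x impact, after validating both inputs.

    Rejecting out-of-range values early avoids silently ranking a
    mistyped '40' above every real risk in the register.
    """
    for name, value in (("likelihood", risk.likelihood), ("impact", risk.impact)):
        if not SCALE_MIN <= value <= SCALE_MAX:
            raise ValueError(f"{risk.identifier}: {name}={value} outside {SCALE_MIN}..{SCALE_MAX}")
    return risk.likelihood * risk.impact


def priority(risk: Risk) -> str:
    """Map a score to a priority band (thresholds are an assumption of this example).

    A maximum-impact risk is treated as critical even when judged unlikely:
    a pure product would rank a rare but catastrophic event (1 x 4 = 4) below
    a frequent nuisance (2 x 2 = 4), which is rarely what management wants.
    """
    s = score(risk)
    if risk.impact == SCALE_MAX or s >= 12:
        return "critical"
    if s >= 6:
        return "high"
    if s >= 3:
        return "medium"
    return "low"


def prioritize(register: List[Risk]) -> List[Risk]:
    """Order the register for the action plan: highest score first,
    ties broken by impact, then by identifier so the output is stable."""
    return sorted(register, key=lambda r: (-score(r), -r.impact, r.identifier))


# Constructed sample register (hypothetical entries, not audit findings).
SAMPLE_REGISTER = [
    Risk("R-01", "Phishing leads to account takeover", likelihood=4, impact=3),
    Risk("R-02", "Backup site unavailable after a disaster", likelihood=1, impact=4),
    Risk("R-03", "Stale VPN accounts of former employees", likelihood=2, impact=2),
    Risk("R-04", "Unpatched internet-facing firewall firmware", likelihood=3, impact=4),
    Risk("R-05", "Minor website defacement", likelihood=2, impact=1),
]


def action_plan(register: List[Risk]) -> List[tuple]:
    """Return (identifier, score, priority) rows in the order they should be addressed."""
    return [(r.identifier, score(r), priority(r)) for r in prioritize(register)]


if __name__ == "__main__":
    for ident, s, band in action_plan(SAMPLE_REGISTER):
        print(f"{ident}  score={s:2d}  priority={band}")
```

Running it prints R-04 first (score 12, critical), then R-01 (12, critical), then R-02, which scores only 4 but is still flagged critical because of its maximum impact; R-03 and R-05 close the list. The two points worth carrying into a real register are the input validation and the explicit rule for high-impact, low-probability events, both of which a plain likelihood-times-impact column hides.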

#3 Establish the security principles of the ISSP

Once the scope has been defined, the next step is to carefully select which security principles should be applied. Although each ISSP is unique, the ANSSI guide groups these principles into three main categories.

The organizational principle

Here, we are interested in how security is structured within the organization. This particularly concerns defining each person's responsibilities for implementing and managing the information system security policy.

Two examples among many others:

  • the criterion for disseminating information within the company;
  • classification of employee access levels.

The goal: to ensure the protection of sensitive data, accessible only to authorized persons.

The implementation principle

This principle concerns the practical application of the ISSP through concrete actions. It includes:

  • cybersecurity awareness and training for employees;
  • the implementation of technological solutions;
  • the development of a business continuity plan, and so on.

The technical principle

Last but not least, this principle concerns the technical aspects of information system security (ISS), such as identification, authentication, and logging of user activities. These measures are essential for monitoring and detecting potential security incidents.

#4 Implement and monitor the ISSP

After defining the security principles, the next step is to oversee the implementation of the action plan: monitor the progress of actions, ensure that they comply with security rules, etc.

And that's where Tenacy comes in! By centralizing the management of all cybersecurity processes, the platform provides a consolidated view that facilitates day-to-day management for information system security managers. It includes:

  • risk management;
  • the level of compliance;
  • monitoring security performance through visual indicators and interactive dashboards.

It should be noted that the information system security policy is never a static document! It may need to evolve, whether due to major changes in the operational context or a simple adjustment to security requirements.

If you would like to learn more about how Tenacy can help you manage cybersecurity within your organization, please contact us!
