Articles
>
RGS

RGS

The General Security Reference Framework (RGS) is a set of rules, standards, and best practices developed by the French government in February 2010. Its goal? To guarantee the security of information systems used by public administrations, as well as by digital service providers working with them. The aim is to ensure data protection, confidentiality, integrity, availability, and authenticity—the ultimate goal being to strengthen user confidence in electronic exchanges with public services. Let's take a closer look.

August 30, 2024
Table of Contents
Discover how Tenacy structures your cybersecurity
Schedule a demo

The RGS was designed in a context wherethe French administration is becoming increasingly digitized: online services are becoming—for better or worse—a preferred channel for interactions between the state and citizens, businesses, and other public entities. This digital transformation has made it necessary to establish a robust security framework to protect sensitive data from cyberattacks, data leaks, and falsification.

This standard is mandatory for all public administrations in France. It applies to:

  • all government departments,
  • local authorities,
  • public institutions,
  • digital service providers that process data on behalf of these entities.

The whole point of the RGS is to define the minimum IT security requirements that these entities must comply with.

It is part of a broader approach to securing the government's digital ecosystem.

What does the General Security Reference Guide contain?

The RGS is structured around four main areas, often referred to by the acronym DICA.

  1. Availability: ensuring that the services concerned are accessible and operational whenever necessary. This requirement involves implementing measures to prevent service interruptions, such as the well-known denial-of-service (DDoS) attacks.
  2. Integrity: ensuring that information is not modified or altered in an unauthorized manner. Please note: this applies to both data in transit and stored data!
  3. Confidentiality: protecting sensitive information from unauthorized access through data encryption and strict access management.
  4. Authenticity: verify the identity of the actors (users, systems) involved in exchanges to ensure that the information does indeed come from the stated source.

The issue of security levels

The RGS establishes several security levels based on the criticality of the information systems and data processed. Each level is then associated with a set of specific technical and organizational requirements.

These requirements cover a (very) wide range of areas: identity and access management, communications protection, security incident management, business continuity, etc.

This security level classification system allows administrations to choose the measures best suited to their needs based onthe potential impact of a compromise of their information system.

How to comply with the RGS?

RGS certification is issued bythe French National Cybersecurity Agency (ANSSI), which is the authority responsible for implementing the standard. This certification attests that the solutions in question comply with RGS security requirements.

Good news: RGS is now available in Tenacy! You can now get guidance on compliance thanks to automatically generated action plans and easy tracking of your initiatives.

Other articles

You may be interested in

PCI-DSS: definition and explanations
Glossary
PCI DSS

The Payment Card Industry Data Security Standard (also known as PCI-DSS for short) is a set of security standards designed to ensure that all companies accepting, processing, storing, or transmitting credit card information maintain a secure environment.

August 30, 2024
SOC 2 standard and certification: definition
Compliance
Glossary
SOC 2

In today's cyber landscape, it is no longer enough to simply implement protection solutions. Compliance with standards and regulations has quickly become an essential factor in ensuring information security—and therefore user confidence.

Among these standards is SOC 2 (Service Organization Control 2). Less well known in France than in the US, it is nevertheless an essential reference framework for companies, including those in France. Let's take a closer look.

August 30, 2024
Military Programming Law (LPM): focus on cybersecurity
Glossary
LPM

The Military Programming Law (or LPM) is becoming increasingly well known in the world of cybersecurity —but not only there. This French legislation defines all of the priorities, objectives, and resources allocated to the armed forces for a given period. These objectives certainly concern the security of information systems, but they also relate to equipment, research efforts, and personnel.

However, it is the "cyber" aspect of this law that interests us here. Here is an overview of the requirements of the LPM in terms of IT security —and how to implement them.

June 7, 2024