
How to draw up a PSSI in four steps

What are the steps needed to write a PSSI (Politique de Sécurité des Systèmes d'Information, the information system security policy)? What should it contain? And what pitfalls should be avoided? The answer in four steps.

20 December 2023

1. Define your security objectives and operational needs

The first step in drawing up a PSSI is to define precisely your company's internal security objectives and operational needs.

Before you begin the drafting phase, you need to identify the motivations and requirements associated with implementing this PSSI. To do this, ask yourself the following questions.

  • Is compliance the main objective? Does the company have to comply with specific regulations such as the GDPR or industry standards such as TISAX?
  • Do customer requirements influence the need for a PSSI?
  • Do business partners require evidence of cybersecurity robustness in order to establish or continue business relationships?
  • To what extent should the company secure sensitive information against the risk of leaks or breaches?
  • How can security policy help strengthen the organization's governance and overall cybersecurity posture?

The answers to these questions belong to the company's strategic vision. That is why the IT team cannot be the only party involved in drafting the PSSI! Organizing working meetings and consulting regularly with senior management are essential levers for the success of this project.

This synergy offers several advantages:

  • it promotes the involvement and awareness of managers in cyber issues and the risks faced by the company;
  • it ensures that this action plan does not run counter to the overall vision of the Executive Committee;
  • it secures strong support from management, which is essential to the effective implementation of the security policy!

2. Carry out a security audit

This initial audit is not just a simple analysis: it is a fundamental step in identifying vulnerabilities in your information system.

The security audit covers not only the company's tangible and intangible assets, but also its sensitive data. Its purpose? To assess and highlight the current risks to which the company is exposed.

It provides a precise picture of the current situation, offering a solid basis for drafting the PSSI.

What does a security audit involve?

  • An assessment of physical and logical controls:
    • verify the mechanisms for accessing the company's IT assets and data;
    • analyze authentication methods, access permissions granted, firewall configurations, and the detection solutions in place (antivirus, EDR, etc.).
  • A review of policies and procedures: the audit must review current security policies and operational procedures to ensure they comply with industry standards and regulatory requirements.
  • A risk analysis:
    • identify potential threats;
    • assess their potential impact on the company;
    • measure the company's overall security level.

Based on this analysis, the company can prioritize risks according to their probability and severity.

3. Establish the PSSI's security principles

Once the scope has been defined, the next task is to choose (carefully) which security principles will have to be applied. Although every PSSI is unique, the ANSSI guide groups these principles into three broad categories.

The organizational principle

Here, we are interested in the structure of security within the organization. This particularly concerns the definition of each person's responsibilities in relation to the implementation and management of the IT security plan.

Two examples among many others:

  • the criterion for disseminating information within the company;
  • classification of employee access levels.

The goal: to ensure the protection of sensitive data, accessible only to authorized persons.

The implementation principle

This principle concerns the practical application of the PSSI through concrete actions. It includes:

  • cybersecurity awareness and training for employees;
  • the implementation of technological solutions;
  • the development of a business continuity plan...

The technical principle

Last but not least, this principle concerns the technical aspects of information system security (ISS), such as identification, authentication, and logging of user activities. These measures are essential for monitoring and detecting potential security incidents.

4. Implement and monitor the PSSI

After defining the security principles, the next step is to oversee the implementation of the action plan: monitor the progress of actions, ensure that they comply with security rules, etc.

And that's where Tenacy comes in! By centralizing the management of all cybersecurity processes, the platform provides a consolidated view that facilitates day-to-day management for information system security managers. It includes:

  • risk management;
  • compliance levels;
  • monitoring security performance through visual indicators and interactive dashboards.

It should be noted that the information system security policy is never a static document! It may need to evolve, whether due to major changes in the operational context or a simple adjustment to security requirements.

If you would like to learn more about how Tenacy can help you manage cybersecurity within your organization, please contact us!