information - Réseau Qualité en Recherche - CNRS

qualite.en.recherche.cnrs.fr


3rd Meeting of the Réseau Qualité en Recherche (MRCT-CNRS)

Information systems management: deploying the PSSI within the regional delegation and the research laboratories of Alsace

5 May 2011, Délégation Alsace

Marc Herrmann, Regional Information Systems Security Coordinator


CONTENTS

1. The ISO 270xx standards

1.1 The 270xx family

1.2 The ISO/IEC 27001 and 27002 standards

1.3 Certifications

2. In the beginning was IT...

3. Why an ISMS approach at the CNRS?

4. How do we go about it?


The ISO 270xx standards

JTC 1/SC 27 - IT security techniques: a joint publication of the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC, CEI in French).

- ISO/IEC 27001 (2005): Information security management systems: Requirements
- ISO/IEC 27002 (2007): Code of practice for information security management
- ISO/IEC 27003 (2010): ISMS implementation
- ISO/IEC 27004 (2009): Indicators and dashboards
- ISO/IEC 27005 (2008): Risk management
- ISO/IEC 27006 (2007): Certification of information security management systems
- ISO/IEC 27033 (2009): Network security
- ISO/IEC 27032 / 27034 / 27035: in preparation (27032: cybersecurity; 27034: application security; 27035: incident management)


ISO 27001 (2005)

Chapter 4.2: Establishing and managing the ISMS (13 pages and 2 annexes), following the PDCA cycle:

- PLAN: establishing the ISMS
- DO: implementing and operating the ISMS
- CHECK: monitoring and reviewing the ISMS
- ACT: updating and improving the ISMS

Other requirements: Documentation (4.3); Management commitment (5.1); Resources, training and awareness (5.2); Internal audits (6); Management review (7); ISMS improvement (8)


ISO 27002 (formerly ISO 17799) and ISO 27001

ISO 27001:
- Preliminary notes (15 pages)
- Articles, or clauses (10 pages)
AND
- Annex A: security objectives and security controls (23 pages)

ISO 27002:
- Detailed description of the security controls (109 pages)

11 chapters, 39 security objectives (control objectives), 133 security controls that may be applied (security controls)


ISO 27002: the 11 chapters (Annex A of ISO 27001)

- A.5/6: Security policy and organisation of security
- A.7: Asset management
- A.8: Human resources security
- A.9: Physical and environmental security
- A.10: Operations and telecommunications management
- A.11: Access control
- A.12: Integration, administration and development of systems and applications
- A.13: Incident management
- A.14: Business continuity
- A.15: Compliance with legal requirements

11 chapters, 39 security objectives, 133 security controls that may be applied


ISO 27002: examples

11 chapters (A5 to A15):
- A8 Human resources security
- A10 Operations and telecommunications management

39 security objectives:
- A8.2 Ensure that all employees are aware of the threats to the IS
- A10.6 Ensure the protection of information on networks

133 security controls:
- A8.2.2 All employees must receive appropriate awareness training
- A10.6.1 Networks must be adequately managed and controlled so that they are protected from threats


ISO/IEC 27001:2005 certifications

Company certification: certificate valid for 3 years, audit visit every 6 to 9 months

Certification of persons: implementers and auditors

- Implementer ISO/IEC 27001: setting up an ISMS as a member of a project team or alone
- Lead Implementer ISO/IEC 27001: setting up an ISMS as head of a project team
- Auditor ISO/IEC 27001: conducting an ISO/IEC 27001 audit as a member of an audit team or alone
- Lead Auditor ISO/IEC 27001: leading an ISO/IEC 27001 audit as head of an audit team.


In the beginning was IT...

From 100% TECHNICAL to 100% ORGANISATIONAL:

- IT
- IT security
- Information security
- Information security management system (ISMS)
- Global management system

Milestones: SIARS training (2001); publication of the CNRS PSSI (2006); ISO/IEC 27001 training (2009); ISO 9001 quality approach / service contract (2008)


CNRS and PSSI

15 November 2006: publication of the CNRS Information Systems Security Policy (PSSI)

From 2007: creation of the regional coordinations (CRSSI) in the delegations; creation of a network of information systems security officers (CSSI) in the laboratories

In the year of grace 2008: national training courses and ISO 27001 Lead Implementer certifications

In the year of grace 2009: regional training courses for the CSSI

From mid/late 2009: deployment of PSSIs in the laboratories


SSI review 2010

- Regional coordinators appointed: 18 / 19
- CSSI: 594 / approx. 1000
- CSSI (sensitive units): 315 / approx. 400
- CSSI (other units): 279 / approx. 600
- PSSI installed or in progress: 154 / approx. 1000
- PSSI in place and operating: 10?


Why a PSSI at the CNRS?

Scientists... Prestige... Scientific output... Equipment... Collaborations and partnerships... Memory...


The information system

Definition: an organised set of resources that produce, handle, store and transport information.

Resources: hardware, software, data, networks, procedures, people


The information system (continued)

Protecting your information system means protecting your assets.

Components: software, data, internet, e-mail, equipment, organisation.

Organisation: rules of use; operating procedures; business continuity plan; incident management; user onboarding; awareness and training; ...


Protecting your information system means protecting your assets

Objective: control the state and the security of your information system in order to guarantee:

• The availability of the working tools

• The protection of sensitive information:

1. scientific data (experimental data, internal know-how, publications, technology transfer, cooperation...)

2. management data (finance, HR, authentication, contractual documents...)

3. personal data (privacy, teaching...)

4. strategic data (information of a political or strategic nature or touching on defence matters, security information...)

• The protection of the image of the CNRS and of the laboratory

• Legal protection: administrative risks and criminal risks


How do we go about it?

Awareness, information, explanations...

The honourable man begins by practising what he wants to teach (Confucius)


3 levels of involvement

- Inventory of the primordial assets to protect
- Risk analysis and planning of actions
- Writing the PSSI
- Implementing the actions


[Figure: threats arranged around the three security criteria]

Security criteria: Availability, Integrity, Confidentiality

Threats: espionage; viral infection; theft of equipment; water damage; fire; compromise of information; physical disasters; major disaster; technical failure; software malfunction; hardware breakdown; human failure; loss of essential services; staff availability; handling error; misappropriation of rights; power failure; loss of communication means


Protection requirements + PSSI steps

Protection requirements:

1. Legal and regulatory requirements: law, charter
2. Business SSI requirements: good practices
3. Activities of the organisation: list of primordial assets

PSSI steps:

- Step 1: list of primordial assets; initial diagnosis of the protection level
- Step 2a: risk analysis
- Step 2b: choice of protection levels
- Step 3: PSSI
- Step 4: action plan: compliance and risk treatment

[Background illustration: an excerpt from ISO/IEC 17799:2005, pages 24 and 25 (clause 8.1.2 screening, 8.1.3 terms and conditions of employment, 8.2 during employment, 8.2.1 management responsibilities, 8.2.2 information security awareness, education and training)]


PSSI Délégation Alsace: the primordial assets

Finance department
• Management of paper archives

HR department
• Payroll process
• Personnel data

Management
• Crisis management

Information systems department
• Hotline

Medical service
• Medical records

Technology transfer department
• Patent management


Step 1: list of primordial assets

What are my most important activities in terms of service, image, strategy and future?

What are my contractual obligations?

Which information is sensitive?

1- Personal information protected by the "informatique et libertés" law

2- Administrative documents that must not be disclosed to the public:

- those whose disclosure would infringe the protection of privacy or medical confidentiality

- those containing an assessment or value judgement of a natural person who is named or easily identifiable;

- those revealing a person's behaviour, where disclosure of that behaviour could harm them.

3- Research-related information whose alteration or disclosure could harm the interests of the CNRS:

Information constituting the scientific, industrial and technological heritage.

Information subject to the obligation of reserve or professional discretion


Step 2a: IT good practices

Physical security of premises

• prevent any unauthorised physical access to the premises hosting the unit's sensitive information.

• environmental threats: flooding, fire, air-conditioning failure

Backup of information

• All information intended for retention is duplicated.

Network access control

• The local area network (LAN) hosts all individual workstations, servers and internal services offered to users. This zone is sensitive: external access forbidden, internal access controlled

• Password strength is adapted to the risk incurred

Fleet management and mobile devices

• Fixed workstations are installed with a minimum level of security: firewall, antivirus, periodic updates of systems and applications

• Administrator rights are used sparingly

• Each commercial software product installed must have a properly acquired licence

• Mobile workstations are encrypted

Transfers of sensitive data

• Transfers of data with a high degree of sensitivity must be encrypted.


Step 2a: legal good practices

Triptych "INFORMATION - CONTROL - ACTION"

• INFORM

Issue alerts and warnings about risks; distribute a charter for the proper use of IT services and the internet; inform users of the nature of the traces that are logged and archived

• CONTROL

Activity of the systems and the network (as an internet access provider, FAI)

Activity of the services and their use: obligation to preserve evidence

Identification of unlawful behaviour (viruses, botnets, P2P...)

• ACT

The ASR (systems and network administrator) must ensure the system security of the site = SSI good practices

The ASR may (in a crisis or emergency) act and react quickly to ensure continuity of service, and has the right to refuse requests that would endanger the IS.

Residual privacy, basic principle

• "The employer may not, without violating the secrecy of correspondence (a fundamental freedom), read personal messages, even where it has forbidden non-professional use of the computer"

Presumption of "professional" use: mark e-mails and folders as "private" or "personal"

Website

• Website: include the legal notice

• Publication director (head of the laboratory): approves the content (and is therefore answerable for it)

• Host (ASR): no general obligation of surveillance, but a special obligation of surveillance (the point of culpable negligence).

ASRs are bound by professional secrecy, but with an obligation to report criminal acts such as unlawful content (defamatory content, child pornography, offences, crimes...)


Step 3: the PSSI

• An educational document of about ten pages approved by management

• A document that can be distributed to partners

• A brief summary of the security measures implemented in the unit

• A local version and adaptation of the CNRS PSSI

• A tool for raising awareness and informing staff

• A collective work involving management, the CSSI and all the services


Step 4: action plan (compliance, risk treatment)

1. Ordered and prioritised list of actions

2. 1 action = 1 owner

3. Drawing up a schedule

4. Human and financial resources

PLAN, DO, CHECK, ACT
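The four steps above, carried through as an added worked example (not code from the presentation or the CNRS): the Délégation Alsace primordial assets are rated against the threats of the threat wheel on the D/I/C criteria, a protection level is chosen per risk, and the ordered action plan is derived with one owner per action and a quarterly schedule. All D/I/C ratings, likelihoods, practices in place and thresholds are assumed values.

```python
"""PSSI risk analysis and action plan: steps 1, 2a, 2b and 4 of the slides.
Assets come from the Délégation Alsace list (slide 26) and threats from the threat
wheel (slide 24); D/I/C needs, likelihoods, practices in place and thresholds are
constructed values for illustration, not CNRS figures."""
from dataclasses import dataclass

@dataclass
class Asset:
    service: str   # service owning the asset (and therefore owning the action)
    name: str
    needs: dict    # security need per criterion "D", "I", "C", rated 1..4

@dataclass
class Threat:
    name: str
    criterion: str      # criterion the threat hits: "D", "I" or "C"
    likelihood: int     # 1 (rare) .. 4 (frequent)
    good_practice: str  # slide-28 practice countering it, "" if none

# Step 1: primordial assets (slide 26); the D/I/C ratings are constructed.
ASSETS = [
    Asset("HR", "Payroll process", {"D": 3, "I": 3, "C": 2}),
    Asset("HR", "Personnel data", {"D": 2, "I": 3, "C": 3}),
    Asset("Medical service", "Medical records", {"D": 2, "I": 3, "C": 4}),
    Asset("Technology transfer", "Patent management", {"D": 2, "I": 4, "C": 4}),
    Asset("IS service", "Hotline", {"D": 4, "I": 1, "C": 1}),
    Asset("Management", "Crisis management", {"D": 4, "I": 2, "C": 2}),
    Asset("Finance", "Paper archives", {"D": 2, "I": 3, "C": 2}),
]
# Threats (slide 24) mapped to the criterion they hit; likelihoods are constructed.
THREATS = [
    Threat("Espionage", "C", 2, "encrypted transfers"),
    Threat("Viral infection", "I", 3, "firewall, antivirus, updates"),
    Threat("Theft of equipment", "C", 2, "laptop encryption"),
    Threat("Water damage", "D", 1, "backups"),
    Threat("Fire", "D", 1, "backups"),
    Threat("Power failure", "D", 3, ""),
    Threat("Handling error", "I", 3, "backups"),
    Threat("Misappropriation of rights", "C", 2, "password robustness"),
    Threat("Loss of communication means", "D", 2, ""),
]
# Initial diagnosis of the protection level: practices already in place (constructed).
IN_PLACE = {"firewall, antivirus, updates", "backups"}

def risk_score(asset, threat, in_place=IN_PLACE):
    """Risk = need on the criterion hit x residual likelihood; a good practice
    already in place lowers the likelihood by one step (never below 1)."""
    likelihood = threat.likelihood
    if threat.good_practice and threat.good_practice in in_place:
        likelihood = max(1, likelihood - 1)
    return asset.needs[threat.criterion] * likelihood

def protection_level(score):
    """Step 2b: protection level chosen from the score (thresholds assumed)."""
    if score >= 8:
        return "reinforced"
    return "standard" if score >= 4 else "basic"

def analyse_risks(assets=ASSETS, threats=THREATS, in_place=IN_PLACE):
    """Step 2a: one record per (asset, threat) pair, highest risk first."""
    records = []
    for asset in assets:
        for threat in threats:
            score = risk_score(asset, threat, in_place)
            records.append({"service": asset.service, "asset": asset.name,
                            "threat": threat.name, "criterion": threat.criterion,
                            "score": score, "level": protection_level(score)})
    return sorted(records, key=lambda r: (-r["score"], r["asset"], r["threat"]))

def action_plan(records, actions_per_quarter=4):
    """Step 4: ordered, prioritised actions, one owner each, scheduled by quarter.
    Only "reinforced" risks are treated; the others are accepted at this stage."""
    plan = []
    for rank, r in enumerate(x for x in records if x["level"] == "reinforced"):
        plan.append({"rank": rank + 1, "owner": r["service"], "score": r["score"],
                     "action": f"Protect {r['asset']} ({r['criterion']}) "
                               f"against {r['threat']}",
                     "quarter": f"Q{rank // actions_per_quarter + 1}"})
    return plan

if __name__ == "__main__":
    for a in action_plan(analyse_risks()):
        print(f"{a['rank']:2d} {a['quarter']} risk={a['score']:2d} "
              f"[{a['owner']}] {a['action']}")
```

With the assumed values the plan puts the availability of crisis management and of the hotline against power failure first, and leaves every risk below the "reinforced" level as accepted, which is the kind of ordered, owned and scheduled list step 4 asks for.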
