What are the regulations for OVI and OES?

The multiplication of attacks and threats against organizations' information systems has prompted the French government and the European Union to issue recommendations and rules for private companies and public administrations. The level of requirement of these rules and recommendations varies with the importance of the target organization: they are optional for organizations considered non-sensitive, but mandatory, at different levels, for OVI (Operators of Vital Importance) and OES (Operators of Essential Services).

Limiting the cyber risk of OVI and OES to guarantee the proper functioning of the nation

In order to protect their ISVI (Information Systems of Vital Importance), the OVIs must comply with a set of rules issued by the French State through the MPL (Military Programming Law). OVIs operate in areas of activity that are sensitive for the integrity of the country and the population:

- sanitary: food, water management, health;
- regalian (sovereign functions of the State): civil activities of the State, judicial activities, military activities of the State;
- economic: energy, finance, transport;
- technological: electronic communications, audiovisual and information, industry, space and research.

The OES must comply with the regulations issued by the European Union through the NIS (Network and Information Security) directive. An OES is defined as providing an essential service whose interruption would have a significant impact on the functioning of the economy or society, whereas an OVI operates or uses facilities deemed essential to the nation's survival.

More generally, all organizations (including OVI and OES) must, as far as possible, comply with the recommendations of the ANSSI (French National Cybersecurity Agency) issued in the document PA-022: Recommendations to secure administration of IT systems.

ANSSI (Agence Nationale de la Sécurité des Systèmes d'Information): the National Cybersecurity Agency of France is a French government organisation reporting to the Secretary General for Defence and National Security (SGDSN), who is responsible for advising the Prime Minister in the exercise of his functions in the field of defence and national security. ANSSI is responsible for cybersecurity issues in France. It provides its expertise and technical skills to organisations (administrations or companies), with a reinforced mission towards the Operators of Vital Importance (OVI), which operate in areas of activity that are sensitive for the very integrity of the country and the population (health, regalian, economic and technological fields). The scope of the Agency's action extends to IT systems as a whole. In particular, it intervenes in the following areas:
- monitoring and reacting to any incident relating to cybersecurity;
- developing products for civil society;
- acting as an information and advisory body;
- acting as a training organisation;
- acting as a reference organisation for the labelling of trusted products and service providers.

In the event of non-compliance with the regulations, OVI and OES not only seriously expose the organization's information system, which could also have significant consequences for the Nation or the population, but ultimately also expose themselves to financial sanctions. Respecting these rules is therefore essential for these sensitive organizations and, as good practices, they are strongly recommended for other organizations, depending on their means and maturity in terms of cybersecurity.

What are the security requirements for IS administration?
In France, there are three standards that must be particularly respected by OVI and OES:

- Recommendations to secure administration of IT systems (document PA-022 from the ANSSI).
- The Military Programming Law (MPL), which sets 20 security rules for information systems of vital importance.
- The NIS Directive, which enacts a series of rules aimed at ensuring a high and common level of security for networks and information systems in the European Union and applies to OES.

Among these standards, 5 major themes relating to the administration of information systems stand out:

- Governance, risks, compliance (GRC) and associated processes
- Operational use and security incident management
- The Administration Information System (AIS) and its architecture
- Identity and Access Management (IAM), administration rights and privileged accounts (PAM)
- The administration workstation

IAM (Identity and Access Management): the set of processes that manage a user's identity on the network. It includes the following segments: access management (AM), authentication, privileged account management (PAM), and identity governance and administration (IGA). The term is often used loosely to refer to IGA alone. The functional scope of IAM is very broad and includes functionalities that make it possible to:
- authenticate a user on the network (primary authentication);
- manage their authorizations, the life cycle of their identity and the accounts associated with it;
- guarantee the traceability of their rights, as well as of the actions carried out by or on them.
To illustrate, IAM makes it possible to simply assign a collaborator's rights and to make them evolve with their current situation: their membership of the company, and the function that determines their access authorization to certain applications, are taken into account in real time and integrated into the information system.

PAM (Privileged Access Management): a technology for managing the access and authentication of authorized users, usually information system administrators, to administration resources or applications. Its main objective is to secure the information system by removing unauthorized access to sensitive resources. This protection rests on two main axes:
- management of the injection and life cycle of the passwords used on administered resources and administration applications;
- traceability of all actions carried out during the connections of users who have the power to cause harm to the information system, in the form of audit or video records.
The users concerned by PAM may be internal users of the information system, such as system administrators or users handling sensitive data, as well as external users such as outsourced IT service providers or remote maintenance personnel.

A Europeanization of rules and entities

Furthermore, in the last few years we have seen a genuine Europeanization of the rules and entities governing information system security, with a direct impact on French OVI and OES. The European NIS directive, adopted by the European institutions in 2016 and now transposed into French law, was in fact largely inspired by the French MPL, voted in 2013. The directive complements the MPL, adds new rules and sets aside some of its elements. The rules issued by the NIS directive must be respected by all EU OES in order to guarantee increased security for these organizations, which are considered particularly sensitive. On the institutional side, European cybersecurity has also evolved: the Cybersecurity Act, adopted in 2019, strengthens the European Cybersecurity Agency (ENISA) by giving it a permanent mandate and additional resources.

ENISA shall act as a "reference point for advice and expertise on cybersecurity for Union institutions, bodies, offices and agencies as well as for other relevant Union stakeholders." The Cybersecurity Act also establishes a European framework for the certification of cybersecurity products and services, in order to standardize the certification processes for these products and services and their recognition in all EU countries.