PAM should not exclude SAP

PAS - Plan d'Assurance Sécurité (Security Assurance Plan, SAP)
Before starting to play a board game, it is customary to read the rules. When an organization outsources a service, it is equally important to establish the "rules of the game" between the parties.
In [01], the ANSSI (French National Cybersecurity Agency) states that using managed services need not be incompatible with security. For an organization whose IS administration is handled by a service provider, the inherent risks are generally related to the loss of control over the information system and to actions performed remotely on it.
For this reason, a Security Assurance Plan (SAP) must be written by the service provider (the subcontractor) according to a framework defined by the client organization whose IS is being managed. The Security Assurance Plan defines the measures (contractual, methodological, technical, organizational and procedural) that will be applied to meet the client organization's security requirements.
The Security Assurance Plan of a subcontractor providing outsourcing services to a company could be based on three main areas:

  1. Purpose of the outsourcing
  2. Presentation of the internal organization put in place (both for security management and for applying and updating the SAP)
  3. Security measures implemented for each requirement

The definition of security measures shall include technical measures as well as organizational measures, including those related to the subcontractor's human resources.
For example, a solution such as Systancia Cleanroom (which combines VDI, PAM, VPN and SSO) provides a technical response to the risks identified for outsourcing ([02]).
This solution provides technical responses to the measures related to logical access management and to the confidentiality and integrity of administration flows. It also technically supports the management (and protection) of the passwords used to access the managed resources.
However, using Systancia Cleanroom does not exempt the service provider from establishing a document such as a SAP in collaboration with the client organization: a PAM solution covers the technical measures, not the contractual, organizational and procedural ones. The final objective is to control and manage all processes (technical and organizational) involved in outsourcing IS administration tasks.
To conclude, a SAP can reassure the client organization about its service provider, but the document must also be closely tied to the client organization's Information System Security Policy (ISSP). It is a strategic document both for IT security and for communication between the two parties.

References

[01] Outsourcing guide – Controlling the risks of managed services, ANSSI
https://www.ssi.gouv.fr/uploads/IMG/pdf/2010-12-03_Guide_externalisation.pdf
[02] The Cleanroom concept for a safe and secure administration, Antoine COUTANT, January 2019
https://www.systancia.com/en/the-cleanroom-concept-for-a-safe-and-secure-administration/