The “Informatique et Libertés” law requires organizations that implement files to guarantee the security of the data processed. This requirement translates into a set of measures that file holders must implement, mainly through their information systems department (DSI) or IT manager.
-
Adopt a strict password policy
Access to a workstation or a file by username and password is the first line of protection. The password must be personal, hard to guess, and kept secret; it must therefore not be written down on any medium. The DSI or the IT manager must implement a strict password management policy: a password must contain at least eight characters, including digits, letters, and special symbols, and must be renewed regularly (for example, every three months). The system must force the user to choose a password different from the three previously used. When the initial password is assigned by the system administrator, the user must change it at first login. Finally,
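The following is an added example, not code from the CNIL guide, showing how the rules above can be enforced at password-change time. It checks length, character classes and reuse of the last three passwords; the history is kept only as salted PBKDF2-HMAC-SHA256 hashes, so a leaked history is not a list of passwords. The hashing algorithm and its parameters are this example's assumption, since the guide does not prescribe any.

```python
"""Password policy check: an added example, not part of the CNIL guide.

Enforces the rules in the text (at least 8 characters; letters, digits and
special symbols; no reuse of the last three passwords). Previous passwords
are stored only as salted PBKDF2-HMAC-SHA256 hashes (assumption for the
example; the guide does not name an algorithm).
"""
import hashlib
import hmac
import os
import string
from typing import List, Optional, Tuple

MIN_LENGTH = 8
HISTORY_DEPTH = 3          # "different from the three he used previously"
SPECIALS = set(string.punctuation)
PBKDF2_ROUNDS = 100_000    # assumption for the example

HashEntry = Tuple[bytes, bytes]   # (salt, digest)


def hash_password(password: str, salt: Optional[bytes] = None) -> HashEntry:
    """Salted slow hash so that a leaked history is not a list of passwords."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def same_password(candidate: str, entry: HashEntry) -> bool:
    """Constant-time comparison of the candidate against one stored hash."""
    salt, digest = entry
    return hmac.compare_digest(hash_password(candidate, salt)[1], digest)


def check_policy(candidate: str, history: List[HashEntry]) -> List[str]:
    """Return the list of violated rules; an empty list means the password is acceptable."""
    problems: List[str] = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in candidate):
        problems.append("no letter")
    if not any(c.isdigit() for c in candidate):
        problems.append("no digit")
    if not any(c in SPECIALS for c in candidate):
        problems.append("no special symbol")
    # Only the most recent HISTORY_DEPTH passwords are compared.
    if any(same_password(candidate, e) for e in history[-HISTORY_DEPTH:]):
        problems.append(f"reuses one of the last {HISTORY_DEPTH} passwords")
    return problems


def rotate(candidate: str, history: List[HashEntry]) -> Tuple[bool, List[str]]:
    """Apply the policy at password change; on success the new hash joins the history."""
    problems = check_policy(candidate, history)
    if problems:
        return False, problems
    history.append(hash_password(candidate))
    return True, []


if __name__ == "__main__":
    hist: List[HashEntry] = []
    for pw in ["Winter#2024", "short1!", "Winter#2024", "Spring#2024"]:
        print(pw, rotate(pw, hist))
```

`rotate` returns every violated rule at once rather than stopping at the first, so the user sees everything to fix in one round trip; the history comparison uses the stored salt of each entry, so no plaintext ever needs to be kept.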
-
Design a procedure for creating and deleting user accounts
Access to workstations and applications must use nominative (named) user accounts rather than “generic” ones (account1, account2, etc.), so that the actions performed on a file can be traced back to a person and every stakeholder is accountable. Generic accounts do not allow an individual to be identified precisely. This rule also applies to the accounts of system and network administrators and of the other agents responsible for operating the information system.
-
Securing workstations
Agents' workstations must be configured to lock automatically after a period of inactivity (10 minutes at most), and users must be encouraged to lock their session systematically whenever they leave their desk. These measures limit the risk of an application being used fraudulently during the temporary absence of the workstation's user. In addition, controlling the use of USB ports on “sensitive” workstations, for example to prevent all the data contained in a file from being copied, is strongly recommended.
-
Identify precisely who can have access to the files
Access to the personal data processed in a file must be limited to the people who legitimately need it to perform the tasks entrusted to them. This analysis determines the “authorization profile” of the agent or employee concerned. Whenever an employee moves or is assigned to a new position, the line manager concerned must identify the file(s) the employee needs to access and have the access rights updated, including withdrawal of the rights tied to the former position. Periodic verification of application profiles and of access rights to server directories is therefore necessary to check that the privileges granted match the functions each person actually holds.
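As an added example (not the guide's own material), here is the periodic review described above expressed as a script: each agent's provisioned rights are compared with the rights their current authorization profile grants, and the differences are reported. The profiles, logins and right names are constructed for the example.

```python
"""Access-rights review: an added example, not part of the CNIL guide.

Compares the rights each agent actually holds against those granted by the
authorization profile of the position they occupy, and reports:
  excess  - rights held but not justified by the current profile
            (typically left over from a previous position)
  missing - rights the profile grants that were never provisioned
  orphan  - accounts whose holder no longer occupies any position
  unknown - accounts pointing at a profile that no longer exists
Profiles, logins and rights below are constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Authorization profiles: what each function legitimately needs (constructed).
PROFILES: Dict[str, Set[str]] = {
    "payroll_clerk": {"hr_db:read", "payroll_app:write"},
    "recruiter": {"hr_db:read", "applicant_files:write"},
    "it_admin": {"servers:admin"},
}


@dataclass
class Agent:
    login: str
    profile: Optional[str]                          # None: no longer assigned to any position
    granted: Set[str] = field(default_factory=set)  # rights actually provisioned


# Constructed sample: amartin moved from payroll to recruitment but kept a
# payroll right; bdupont was never fully provisioned; cdurand left the
# organisation but still has an admin account; edenis points at a profile
# that was deleted; fgarcia is in order.
SAMPLE_AGENTS: List[Agent] = [
    Agent("amartin", "recruiter", {"hr_db:read", "applicant_files:write", "payroll_app:write"}),
    Agent("bdupont", "payroll_clerk", {"hr_db:read"}),
    Agent("cdurand", None, {"servers:admin"}),
    Agent("edenis", "accountant", {"hr_db:read"}),
    Agent("fgarcia", "it_admin", {"servers:admin"}),
]


def review(agents: List[Agent], profiles: Dict[str, Set[str]] = PROFILES) -> dict:
    """Return the findings of a periodic rights review."""
    findings: dict = {"excess": {}, "missing": {}, "orphan": [], "unknown": {}}
    for a in agents:
        if a.profile is None:
            findings["orphan"].append(a.login)      # account to disable
            continue
        if a.profile not in profiles:
            findings["unknown"][a.login] = a.profile  # profile to recreate or account to fix
            continue
        expected = profiles[a.profile]
        excess = sorted(a.granted - expected)
        missing = sorted(expected - a.granted)
        if excess:
            findings["excess"][a.login] = excess
        if missing:
            findings["missing"][a.login] = missing
    return findings


if __name__ == "__main__":
    for category, items in review(SAMPLE_AGENTS).items():
        print(f"{category}: {items}")
```

In practice the two inputs come from different sources: the profile assignments from HR or the line managers, the provisioned rights from the directory and application administrators. Comparing them, rather than asking the administrators whether the rights look right, is what makes the review independent.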
-
Ensure the confidentiality of data vis-à-vis service providers
Interventions by the various subcontractors on a data controller's information system must offer sufficient guarantees of security and confidentiality regarding the data to which they may have access. The law therefore requires a confidentiality clause to be included in subcontracting contracts. Any intervention by a service provider on a database must take place in the presence of an IT department employee and be recorded in a register. Data that may be considered “sensitive” under the law, for example health data or data relating to means of payment, must also be encrypted.
“Note”: the system and network administrator is not necessarily authorized to access all of the organization's data, yet needs access to the platforms or databases in order to administer and maintain them. If the data are encrypted with a key the administrator does not know, held by a person who has no access to the data (the security manager, for example), the administrator can carry out these tasks while confidentiality is preserved.
-
Securing the local network
An information system must be protected against external attacks. The first level of protection is provided by dedicated logical security devices: filtering routers (ACLs), firewalls, intrusion detection probes, etc. Reliable protection against viruses and spyware requires constant monitoring so that these tools are kept up to date on the servers and on the agents' workstations. E-mail calls for particular vigilance. Connections between the sometimes remote sites of a company or local authority must be made securely, over private links or over channels secured by “tunneling”, i.e. a VPN (virtual private network). It is also essential to secure wireless networks, since the information circulating on them can be intercepted remotely: use of encryption keys, control of the physical (MAC) addresses of authorized client workstations, etc. Note that MAC address filtering is easily bypassed by address spoofing and is only a complement to encryption. Finally, remote access to the information system from mobile workstations must first be subject to authentication of both the user and the workstation. Internet access to electronic administration tools also requires strong security measures, mainly through IPsec or TLS (HTTPS being HTTP carried over TLS; the older SSL protocol versions are deprecated and should no longer be enabled).
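The following is an added example, not code from the guide, modelling the filtering-router / firewall rules mentioned above as an ordered access-control list evaluated top to bottom with a default deny. The rule set and addresses are constructed: it lets the internal LAN reach a web server over HTTPS and a DNS server, lets an administration subnet use SSH, and refuses Telnet, the clear-text protocol the lexicon says a firewall must block, from everywhere. It also includes a check for rules that can never match because an earlier rule shadows them, a common mistake when a permit is appended after the default deny.

```python
"""First-match packet filter: an added example, not part of the CNIL guide.

Models an ACL as evaluated by a filtering router or firewall: rules are
tried in order, the first match decides, and an explicit "default deny"
closes the list. Addresses, ports and rule comments are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = ipaddress.ip_network("0.0.0.0/0")


def net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr, strict=False)


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp" or "any"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None  # None: any destination port
    comment: str = ""


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


# Constructed rule set. Order matters: the Telnet deny comes before any permit.
ACL: List[Rule] = [
    Rule("deny", "tcp", ANY, ANY, 23, "telnet is clear-text: blocked everywhere"),
    Rule("permit", "tcp", net("10.0.0.0/8"), net("192.168.10.5/32"), 443, "LAN -> web server, HTTPS"),
    Rule("permit", "tcp", net("10.0.99.0/24"), net("192.168.10.0/24"), 22, "admin subnet -> servers, SSH"),
    Rule("permit", "udp", net("10.0.0.0/8"), net("192.168.10.53/32"), 53, "LAN -> DNS"),
    Rule("deny", "any", ANY, ANY, None, "default deny"),
]


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in rule.src:
        return False
    if ipaddress.ip_address(pkt.dst) not in rule.dst:
        return False
    return rule.dport is None or rule.dport == pkt.dport


def evaluate(acl: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """Return (action, comment of the matching rule). First match wins."""
    for rule in acl:
        if matches(rule, pkt):
            return rule.action, rule.comment
    return "deny", "implicit deny (no rule matched)"


def shadowed(acl: List[Rule]) -> List[str]:
    """Comments of rules that can never fire: an earlier rule covers every packet they would match."""
    dead = []
    for i, later in enumerate(acl):
        for earlier in acl[:i]:
            if (earlier.proto in ("any", later.proto)
                    and later.src.subnet_of(earlier.src)
                    and later.dst.subnet_of(earlier.dst)
                    and earlier.dport in (None, later.dport)):
                dead.append(later.comment)
                break
    return dead


if __name__ == "__main__":
    for pkt in [Packet("tcp", "10.0.1.20", "192.168.10.5", 443),
                Packet("tcp", "10.0.99.7", "192.168.10.5", 23),
                Packet("tcp", "203.0.113.9", "192.168.10.5", 443)]:
        print(pkt, "->", evaluate(ACL, pkt))
    print("shadowed:", shadowed(ACL))
```

Run `shadowed()` on every rule set change: a rule that is never reachable is either useless or, worse, a permit the author believed was in force.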
“Note”: a general security framework for electronic exchanges between users and the administrative authorities (provided for by ordinance 2005-1516) should be released soon. It will impose specific security measures on each of the parties involved.
-
Secure physical access to premises
Access to sensitive premises, such as rooms housing servers and network equipment, must be limited to authorized personnel. These premises must be subject to special security: verification of authorizations, guarding, locked doors, keypad codes, access control by named badge, etc. The DSI or the IT manager must ensure that technical documentation, network addressing plans, contracts, etc. are protected as well.
-
Anticipate the risk of data loss or disclosure
The loss or disclosure of data can have several origins:
- Error or malice of an employee or agent
- Theft of a laptop
- Hardware failure
- Water damage or fire
Data must be stored on server spaces provided for this purpose and subject to regular backups. Backup media must be kept in a room separate from the one hosting the servers, ideally in a fireproof safe. Servers hosting data that is sensitive or essential to the organization's activity must be backed up and may be equipped with a fault-tolerance device. It is recommended to write an “emergency–rescue” procedure describing how to rebuild these servers quickly in case of a breakdown or major disaster. Mobile media (laptops, USB keys, personal assistants, etc.) must be given special protection, by encryption, commensurate with the sensitivity of the files or documents they may store. End-of-life equipment such as computers or copiers must have its hard drives physically destroyed before disposal, or securely erased before being donated to associations. Hard drives and removable storage devices sent for repair, repurposing, or recycling must first be wiped (a full overwrite, not a quick format, which only removes the file index) to erase any data they may hold, again commensurate with the sensitivity of the files or documents concerned.
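A backup that has never been restored is only a hope. The following is an added example (not the guide's own material) of the check a rescue procedure should include: a manifest of file digests is taken when the backup is made, and after a restore test the restored tree is compared with it so that missing, altered and unexpected files are listed. The directories and files are constructed in a temporary location so the script runs stand-alone; real manifests would be stored with the backup media.

```python
"""Backup integrity check: an added example, not part of the CNIL guide.

A manifest (relative path -> SHA-256) is computed over the data set at
backup time; after a restore test the restored tree is compared with it.
The data set and the two restores below are constructed for the example.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Digest of every regular file under root, keyed by POSIX relative path."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(manifest: Dict[str, str], restored_root: Path) -> Dict[str, List[str]]:
    """Compare a restored tree against the manifest taken at backup time."""
    restored = build_manifest(restored_root)
    return {
        "missing": sorted(set(manifest) - set(restored)),
        "altered": sorted(p for p in manifest if p in restored and restored[p] != manifest[p]),
        "unexpected": sorted(set(restored) - set(manifest)),
    }


def demo() -> Dict[str, Dict[str, List[str]]]:
    """Constructed scenario: one faithful restore and one damaged restore."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp, "data")
        (src / "hr").mkdir(parents=True)
        (src / "hr" / "salaries.csv").write_text("login,salary\namartin,3100\n")
        (src / "notes.txt").write_text("meeting minutes\n")
        manifest = build_manifest(src)           # taken when the backup is made

        good = Path(tmp, "restore_ok")
        shutil.copytree(src, good)

        bad = Path(tmp, "restore_bad")
        shutil.copytree(src, bad)
        (bad / "hr" / "salaries.csv").write_text("login,salary\namartin,9999\n")  # corrupted or tampered
        (bad / "notes.txt").unlink()                                             # lost file
        (bad / "extra.tmp").write_text("stray file\n")                           # not in the backup set

        return {"clean": verify_restore(manifest, good), "damaged": verify_restore(manifest, bad)}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The manifest must be stored apart from the backup it describes (and signed or kept read-only), otherwise anyone who can alter the backup can alter the manifest to match.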
-
Anticipate and formalize an information system security policy
All rules relating to IT security must be formalized in a document accessible to all agents or employees. Drafting it requires a prior inventory of the threats and vulnerabilities that weigh on the information system. The document should be updated regularly as the organization's IT systems and tools change. Finally, “security” must be taken into account upstream of any project related to the information system.
-
Make users aware of “IT risks” and the “Informatique et Libertés” law
The leading IT security risk is human error. Users of the information system must therefore be made particularly aware of the IT risks associated with using databases. This awareness can take the form of training, distribution of memos, or the periodic sending of practice sheets. It will also be formalized in an “IT charter” type document, which may specify the rules to be respected in terms of IT security, but also those relating to the proper use of telephony, e-mail, or the Internet. This document should also recall the conditions under which an employee or agent may create a file containing personal data, for example after obtaining the agreement of his manager, the legal department, or the CIL (Correspondant Informatique et Libertés, the data protection correspondent) of the company or organization in which he works. It must be accompanied by a statement of responsibility signed by each user.
Note: ensure that users regularly clean up old documents and e-mail messages on their workstations. Similarly, periodically clean the exchange directory shared between departments so that it does not become a “catch-all” space (agents' personal files mixed with sensitive files).
Lexicon
Authorization profile
An authorization profile defines, for a group of users, their rights over a set of data and applications.
Filtering router and ACL
A router is a piece of equipment that routes traffic between two networks. Some routers incorporate a traffic filtering function, like firewalls, implementing a list of addresses and ports that are authorized or prohibited (Access Control List).
Firewall
Software or hardware equipment used to partition networks. It implements incoming and outgoing traffic filtering rules and must prohibit the use of unsecured communication protocols (Telnet, for example).
“tunneling” or VPN(a virtual private network)
A VPN secures “extranet” type data exchanges by authenticating and encrypting the data, which are encapsulated using a “tunneling” protocol.
Encryption
Method of encoding/decoding data, generally using one or more logical keys, so that a file cannot be read by third parties who do not hold the key(s).
IPsec, SSL/TLS, HTTPS
Network protocols used to secure remote access by authenticating the parties and encrypting the data transmitted (HTTPS is HTTP carried over TLS).
Fault tolerance
Mechanism, implemented in particular at hard disk level (disk mirroring or RAID, for example), that guards against the failure of a disk without stopping applications or damaging the stored data.
BIOS
Firmware executed when a computer is powered up, performing elementary operations such as checking the hardware, sequencing peripheral start-up, and reading a sector from a disk.