René Saint Germain is Technical Director of Certi-Trust France’s assessment center programs. A graduate of HEC Montréal, he has been an entrepreneur and expert in information security and standardization for over 22 years. He has founded several companies active in the information security standardization sector. He is also an active member and editor of various ISO committees, including the co-editor of the ISO27034 application security standard.
In this interview, René discusses the PAMS standard for secure administration and maintenance service providers, giving a concise account of what any service provider or contractor needs to know in order to comply with the requirements of this new standard.
1. What is PAMS?
This is the standard published by the French Information Systems Security Agency (ANSSI) concerning the requirements applicable to Prestataires d’Administration et de Maintenance Sécurisées (secure administration and maintenance service providers).
To fully understand PAMS, we need to clarify the meaning of 3 key terms:
- Provider: The entity that delivers a secure administration and maintenance service to the client.
- The client: The entity that requires the service.
- Service: All the technical, organizational and human resources used by the service provider to provide secure administration and maintenance services.
In order to assess the quality of outsourcing services offered, the PAMS standard has been designed to provide clients with substantial guarantees in terms of security and confidence in their service providers.
2. What activities are generally covered by a PAMS qualification?
The scope of qualification includes all types of information system administration activities, including installation, deletion, modification and consultation.
Administration can include technical services such as:
- Installing or uninstalling;
- Changing configuration or settings;
- Updating systems or components;
- Backup management;
- Managing user access rights;
- Allocation of network resources.
3. What needs does the PAMS standard meet?
The requirements of the standard meet the needs expressed in a number of French and European regulations, such as the Network and Information Security (NIS) directive, the French Military Planning Act (LPM) and the French government’s information systems security policy (PSSIE). For the customer, using a PAMS-qualified service provider means better compliance with some of the requirements imposed by these regulations. This standard can also be used on a voluntary basis, as a best practice, outside the strictly regulatory context. This is why the standard can potentially also be used by outsourcers in countries other than France.
4. How does PAMS qualify?
The PAMS program is currently in an experimental phase. Certi-Trust is one of two assessment centers selected by ANSSI to launch and monitor this phase. Over the course of 2021, we will evaluate two control providers. The scheme will be open to public qualification from 2022. The request for qualification of service providers will cover three types of services:
- External administration;
- Internal administration department;
- Administration service for non-remotely manageable information systems.
5. What requirements must qualified service providers meet?
Version 0.9 of the PAMS repository is available on the ANSSI website. This is the version used for the experimental phase. It contains all the requirements and recommendations for secure administration and maintenance service providers. The standard also makes recommendations to sponsors. These recommendations are not subject to verification for qualification purposes. At the end of the experimental phase, a new version of the standard will be published by ANSSI.
The PAMS standard currently comprises three main categories of requirements:
- General requirements relating to the service provider’s legal obligations, in particular his duties towards the customer, his guarantees, etc.;
- Information protection requirements, including administration network security and partitioning, security of administration workstations and tools, and secure interconnections and exchange systems;
- Requirements relating to the service provider’s organization and the governance of the service, including the implementation of an ethics and recruitment charter, the content of operational and strategic committees, etc.