{"id":8347,"date":"2024-06-24T11:19:26","date_gmt":"2024-06-24T09:19:26","guid":{"rendered":"https:\/\/www.certi-trust.com\/uncategorized\/referentiel-des-exigences-applicables-aux-prestataires-dadministration-et-de-maintenance-securisees-pams\/"},"modified":"2024-06-24T11:19:26","modified_gmt":"2024-06-24T09:19:26","slug":"referentiel-des-exigences-applicables-aux-prestataires-dadministration-et-de-maintenance-securisees-pams","status":"publish","type":"post","link":"https:\/\/www.certi-trust.com\/en\/news\/certi-news-2nd-edition\/referentiel-des-exigences-applicables-aux-prestataires-dadministration-et-de-maintenance-securisees-pams\/","title":{"rendered":"Requirements for Secure Administration and Maintenance Service Providers (PAMS)"},"content":{"rendered":"<p><span style=\"color: #000000;\"><strong>Ren\u00e9 Saint Germain<\/strong> is Technical Director of Certi-Trust France&#8217;s assessment center programs. A graduate of HEC Montr\u00e9al, he has been an entrepreneur and expert in information security and standardization for over 22 years. He has founded several companies active in the information security standardization sector. He is also an active member and editor of various ISO committees, including as co-editor of the <a style=\"color: #000000;\" href=\"https:\/\/www.linkedin.com\/feed\/hashtag\/?keywords=iso27034&amp;highlightedUpdateUrns=urn%3Ali%3Aactivity%3A6739901311610822656\">ISO27034<\/a> application security standard.<\/span><\/p>\n<p><span style=\"color: #000000;\">In this interview, Ren\u00e9 discusses the PAMS standard for secure administration and maintenance service providers, providing brief, concise details of the information that any service provider\/contractor needs to know in order to comply with the requirements of this new standard.<\/span><\/p>\n<h3><span style=\"color: #333399;\"><strong>1. What is PAMS?<\/strong><\/span><\/h3>\n<p><span style=\"color: #000000;\">This is the standard published by the French Information Systems Security Agency (ANSSI) concerning the requirements applicable to <em><strong><u>P<\/u><\/strong>restataires d&#8217;<strong><u>Administration<\/u><\/strong> et de <strong><u>Maintenance<\/u><\/strong> <strong><u>S\u00e9curis\u00e9es<\/u><\/strong><\/em>.<\/span><\/p>\n<p><span style=\"color: #000000;\">To fully understand PAMS, we need to clarify the meaning of three key terms:<\/span><\/p>\n<ul>\n<li><span style=\"color: #000000;\"><strong>Provider<\/strong>: The entity that delivers a secure administration and maintenance service to the client.<\/span><\/li>\n<li><span style=\"color: #000000;\"><strong>Client<\/strong>: The entity that requires the service.<\/span><\/li>\n<li><span style=\"color: #000000;\"><strong>Service<\/strong>: All the technical, organizational and human resources used by the service provider to provide secure administration and maintenance services.<\/span><\/li>\n<\/ul>\n<p><span style=\"color: #000000;\">In order to assess the quality of outsourcing services offered, the PAMS standard has been designed to provide clients with substantial guarantees in terms of security and confidence in their service providers.<\/span><\/p>\n<h3><span style=\"color: #333399;\"><strong>2. What activities are generally covered by a PAMS qualification?<\/strong><\/span><\/h3>\n<p><span style=\"color: #000000;\">The scope of qualification includes all types of information system administration activities, including installation, deletion, modification and consultation.<\/span><\/p>\n<p><span style=\"color: #000000;\">Administration can include technical services such as:<\/span><\/p>\n<ul>\n<li><span style=\"color: #000000;\">Installing or uninstalling;<\/span><\/li>\n<li><span style=\"color: #000000;\">Changing configuration or settings;<\/span><\/li>\n<li><span style=\"color: #000000;\">Updating systems or components;<\/span><\/li>\n<li><span style=\"color: #000000;\">Backup management;<\/span><\/li>\n<li><span style=\"color: #000000;\">Managing user access rights;<\/span><\/li>\n<li><span style=\"color: #000000;\">Allocation of network resources.<\/span><\/li>\n<\/ul>\n<h3><span style=\"color: #333399;\"><strong>3. What needs does the PAMS standard meet?<\/strong><\/span><\/h3>\n<p><span style=\"color: #000000;\">The requirements of the standard meet the needs expressed in a number of French and European regulations, such as the Network and Information Security (NIS) directive, the French Military Planning Act (LPM) and the French government&#8217;s information systems security policy (PSSIE). For the customer, using a PAMS-qualified service provider means better compliance with some of the requirements imposed by these regulations. This standard can also be used on a voluntary basis, as a best practice, outside the strictly regulatory context. This is why the standard can potentially also be used by outsourcers in countries other than France.<\/span><\/p>\n<h3><span style=\"color: #333399;\"><strong>4. How does one qualify for PAMS?<\/strong><\/span><\/h3>\n<p><span style=\"color: #000000;\">The PAMS program is currently in an experimental phase. Certi-Trust is one of two assessment centers selected by ANSSI to launch and monitor this phase. Over the course of 2021, we will evaluate two control providers. The scheme will be open to public qualification from 2022. The request for qualification of service providers will cover three types of services:<\/span><\/p>\n<ol>\n<li><span style=\"color: #000000;\">External administration;<\/span><\/li>\n<li><span style=\"color: #000000;\">Internal administration department;<\/span><\/li>\n<li><span style=\"color: #000000;\">Administration service for non-remotely manageable information systems.<\/span><\/li>\n<\/ol>\n<h3><span style=\"color: #333399;\"><strong>5. What requirements must qualified service providers meet?<\/strong><\/span><\/h3>\n<p><span style=\"color: #000000;\">The <span style=\"color: #333399;\"><a style=\"color: #333399;\" href=\"https:\/\/www.ssi.gouv.fr\/uploads\/2020\/09\/anssi-pams-referentiel-v1.0.pdf\">version 0.9 of the PAMS standard<\/a><\/span> is available on the ANSSI website. This is the version used for the experimental phase. It contains all the requirements and recommendations for secure administration and maintenance service providers. The standard also makes recommendations to sponsors. These recommendations are not subject to verification for qualification purposes. At the end of the experimental phase, a new version of the standard will be published by ANSSI.<\/span><\/p>\n<p><span style=\"color: #000000;\">The PAMS standard currently comprises three main categories of requirements:<\/span><\/p>\n<ol>\n<li><span style=\"color: #000000;\"><strong>General requirements relating to the service provider&#8217;s legal obligations<\/strong>, in particular his duties towards the customer, his guarantees, etc.;<\/span><\/li>\n<li><span style=\"color: #000000;\"><strong>Information protection requirements<\/strong>, including administration network security and partitioning, security of administration workstations and tools, and secure interconnections and exchange systems;<\/span><\/li>\n<li><span style=\"color: #000000;\"><strong>Requirements relating to the service provider&#8217;s organization and the governance of the service<\/strong>, including the implementation of an ethics and recruitment charter, the content of operational and strategic committees, etc.<\/span><\/li>\n<\/ol>\n","protected":false},"excerpt":{"rendered":"<p>Ren\u00e9 Saint Germain is Technical Director of Certi-Trust France&#8217;s assessment center programs. A graduate of HEC Montr\u00e9al, he has been an entrepreneur and expert in information security and standardization for over 22 years. He has founded several companies active in the information security standardization sector. He is also an active member and editor of various&hellip;<\/p>\n","protected":false},"author":27,"featured_media":3598,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[269],"tags":[],"class_list":["post-8347","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-certi-news-2nd-edition","category-269","description-off"],"jetpack_featured_media_url":"https:\/\/www.certi-trust.com\/wp-content\/uploads\/2021\/04\/Copy-of-Certi-News-1.png","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.certi-trust.com\/en\/wp-json\/wp\/v2\/posts\/8347","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.certi-trust.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.certi-trust.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.certi-trust.com\/en\/wp-json\/wp\/v2\/users\/27"}],"replies":[{"embeddable":true,"href":"https:\/\/www.certi-trust.com\/en\/wp-json\/wp\/v2\/comments?post=8347"}],"version-history":[{"count":1,"href":"https:\/\/www.certi-trust.com\/en\/wp-json\/wp\/v2\/posts\/8347\/revisions"}],"predecessor-version":[{"id":8348,"href":"https:\/\/www.certi-trust.com\/en\/wp-json\/wp\/v2\/posts\/8347\/revisions\/8348"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.certi-trust.com\/en\/wp-json\/wp\/v2\/media\/3598"}],"wp:attachment":[{"href":"https:\/\/www.certi-trust.com\/en\/wp-json\/wp\/v2\/media?parent=8347"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.certi-trust.com\/en\/wp-json\/wp\/v2\/categories?post=8347"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.certi-trust.com\/en\/wp-json\/wp\/v2\/tags?post=8347"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}