Which ANSSI Recommendations and Certifications CISOs should know about?

ANSSI, France’s National Cybersecurity Agency, reports to the Secretariat-General for National Defense and Security (SGDSN) and is a key player in France’s cybersecurity landscape. Its main mission is to secure government information systems, but it is also responsible for providing advice and support to administrations and businesses. As such, its recommendations and certifications are particularly valuable for all computer security professionals. Here is an overview.


Recommendations and best practices: Everything you need to know to secure your information systems

Given the increasing number of threats and risky employee behaviors, CISOs are hard-pressed to face them all. This is the reason why ANSSI provides many useful resources, available directly on its website (https://www.ssi.gouv.fr/).

ANSSI first provides useful information to understand major threats to businesses and administrations, as well as regulations (GDPR, NIS, protection of critical infrastructures), basic precautions and good practices depending on context (fixed or mobile workstation, company network, industrial systems, etc.).

These recommendations cover the most critical topics in cybersecurity, including mobile working (digital nomadism).

All IT security professionals are now aware that employee smartphones are under increasing attack. For many users, smartphones have become their first and main screen, especially for mobile employees. Staying connected to the business therefore means exchanging data and information from a phone, a habit that must be secured to prevent compromise and interception.

Securing remote access to the enterprise information system is essential for protecting data confidentiality and integrity, as well as for ensuring user authentication. For this purpose, ANSSI offers practical guides and training to improve knowledge and accelerate skill transfer.


What is a security visa?

In addition to providing information on threats and best practices for security, ANSSI goes further to support CISOs in choosing which service providers and cybersecurity products they can trust.

ANSSI certifies around a hundred solutions every year. These include smart cards, network products, storage systems, firewalls, antivirus software, secure messaging systems, etc.

For a Chief Information Security Officer (CISO), choosing a product certified by ANSSI is one of the best guarantees available. It means that the chosen solution provides a level of security that can withstand the attacks of most computer hackers. It also offers a quick way to identify secure alternatives to the consumer applications and solutions that are sometimes used in organizations.

Cybersecurity solutions come in many forms and do not all offer the same level of effectiveness, reliability and confidence. At the same time, organizations differ in their activity profiles and in the criticality of the information they handle (banking data, trade secrets, defense secrets, etc.). They therefore have different security and confidentiality requirements. To help CISOs differentiate between solutions and choose the best one for their context, ANSSI has defined a precise nomenclature of “security visas”, which fall into two categories:


  • Certification: A certification is evidence that a product is reliable, based on a compliance analysis and penetration tests carried out by a third-party evaluator under the authority of ANSSI, according to a blueprint and a baseline suited to user security requirements and taking technological developments into account. There are two levels of certification:
    • CSPN (First Level Security Certification): Attests to the resistance of a solution against attacks of low to moderate level.
    • CC (Common Criteria): A set of standards (ISO 15408) for impartially assessing the security of computer systems and software. This certification classifies solutions according to seven hierarchical levels, called EAL (Evaluation Assurance Level), ranging from EAL 1 (lowest level) to EAL 7 (highest level). It guarantees that a product complies with a requirement or a precise technical specification.
  • Qualification: A qualification is the recommendation by the French government that a particular cybersecurity product (or service) has been tested and approved by ANSSI. It attests to the ability of a solution to withstand cyberattacks in a defined use case (including with regard to the sensitivity of the information processed) and at a defined threat level. It also attests to the supplier’s ability to comply, in the long run, with a set of commitments such as ensuring the confidentiality and protection of data entrusted by users of the solution, correcting vulnerabilities, etc.

There are three levels of qualification:

  • Elementary: The product must withstand an attacker with basic technical skills and limited resources.
  • Standard: The product must withstand an attacker with advanced technical skills and significant resources.
  • Consolidated: The product must withstand an attacker with sophisticated technical skills and unlimited resources, as well as State-sponsored and/or criminal groups.


One or more certifications are often necessary to achieve the desired level of qualification. In this sense, certifications and qualifications are complementary.

A qualification requires at least a certification at the reference level.

One of the benefits of a qualification is that its security level is, by design, relevant for government use and sensitive industries. To that end, ANSSI will gradually require critical infrastructure operators to use qualified solutions to secure their critical infrastructures.


What level of security for what need?

  • Generally, organizations exposed to ordinary cyber risk and not subject to specific industry regulations use CSPN-certified solutions with a basic (Elementary) qualification.
  • Certain organizations, such as critical infrastructure operators, administrations (Ministry of the Armed Forces, Interior, Foreign Affairs, etc.) or organizations subject to specific industry regulations, use Common Criteria EAL3/4 certified solutions with a Standard level qualification, especially for handling “Restricted distribution” data.
  • Finally, people who handle defense secrets use solutions with an enhanced (Consolidated) qualification.


For more information, see:
