PASSI Qualification
The constant increase in dematerialization and in the interconnection of networks and sites has increased cyber risks such as the theft or destruction of sensitive data.
Businesses must protect themselves against such risks. To help them do so, the French government, via ANSSI (the National Agency for Information Systems Security), created a security VISA: the PASSI qualification.
This qualification allows the sponsor to have guarantees on the competence of the service provider and its staff, on the quality of its service and on the trust that the sponsor can place in them, particularly in terms of confidentiality.
In this article, we will detail the PASSI qualification, its purpose, its fields of action and the importance of choosing a service provider with this security VISA.
What is the PASSI qualification?
The abbreviation PASSI stands for "Prestataires d'Audit de la Sécurité des Systèmes d'Information", i.e. "Information Systems Security Audit Service Providers" (qualified). This qualification is a security VISA and was set up by ANSSI, the National Agency for Information Systems Security.
This certificate, which is part of the general security regulations (RGS), attests to:
- The skills and expertise of a company as an auditor;
- The attention paid to protecting the integrity of the confidential information entrusted to it and produced by it.
The requirements framework relating to Information Systems Security Audit Service Providers is a set of rules imposed on service providers wishing to obtain qualification for their services in this area.
It covers requirements relating to the audit service provider, its staff and the conduct of audits.
The qualification can be issued to audit providers for the following activities:
- Architecture audit.
- Configuration audit.
- Code auditing.
- Penetration test.
- Organizational and physical audit.
The 5 qualification activities
Configuration Audit
The objective of the configuration audit is to confirm that the security measures in place comply with current industry standards, as well as with the auditee's internal guidelines and requirements.
This is achieved by examining the hardware and software components used in setting up an information system.
Network equipment, operating systems of servers or workstations, applications and security products are all examples of the components concerned.
Code auditing
A source code audit is an audit that examines all or part of the source code, or compilation conditions of an application, to reveal vulnerabilities related to poor programming techniques or logical errors that can affect security.
Organizational and physical audit
The audit of the logical and physical security organization aims to ensure that:
- The security policies and procedures defined by the auditee to keep an application, or all or part of the information system, in operational and secure condition comply with the security needs of the audited organization and with the state of the art or current standards;
- They correctly complement the technical measures put in place;
- They are effectively put into practice;
- The physical aspects of the security of the application or information system are correctly covered.
Architecture audit
The architecture audit verifies compliance with security practices relating to the selection, placement and implementation of the hardware and software components deployed in the audited information system, as well as with the auditee's requirements and internal rules.
The audit can extend to interconnections with third-party networks, notably the Internet.
Penetration test
The purpose of a penetration test (pentest) is to detect weaknesses in the audited information system.
This involves testing the vulnerabilities of the system, verifying whether they can actually be exploited, and assessing the extent of the damage they could cause in a real attack. These vulnerabilities may have been identified during other audit activities.
The pentest can be carried out both from inside and outside the audited information system, such as from the Internet or the interconnected network of a third party.
It should be noted, however, that a pentest alone cannot be considered exhaustive.
It should be combined with other audit activities, either to improve their effectiveness or to demonstrate, for information purposes, that the flaws and vulnerabilities detected can actually be exploited.
Although vulnerability testing, including automated testing, is useful, it does not constitute an audit activity within the meaning of the framework.
How an audit proceeds
Each stage of an audit must comply with the recommendations and rules required by ANSSI.
The steps are:
- Establishment of an agreement
- Preparation and initiation of the service
- Execution of the service
- Restitution
- Preparation of the audit report
- Closing of the service
Step 1 – Establishment of the agreement
The agreement must be drawn up by the service provider before the service starts and must be signed by both parties.
The agreement must include many elements; here are some of them (for the exact list, we refer you to the requirements framework). Thus, the agreement must:
- Describe the scope of the service, the general audit approach, the activities and the terms of the service.
- Describe the technical and organizational means implemented.
- Describe the communication methods that will be used.
- Define the rules for ownership of elements protected by intellectual property.
- Specify the names, roles, responsibilities as well as the rights and needs to know of the people designated by the service provider, the sponsor and the auditee.
- Stipulate that the sponsor and the service provider fulfil all the legal and regulatory obligations necessary for the audit activities.
- Provide for the non-disclosure to a third party, by the service provider and by the auditors, of any information relating to the audit and the auditee, unless authorized in writing.
- Stipulate that the service provider anonymizes and decontextualizes (deletion of any information allowing the sponsor to be identified, any personal information, etc.) all the information that the sponsor authorizes it to keep.
Step 2 – Preparation and initiation of the service
- The service provider must appoint an audit team leader.
- The audit team leader must constitute a team of auditors with the skills appropriate to the nature of the audit.
- The audit team leader must establish contact with the correspondent.
- The audit team leader ensures with the sponsor and the auditee that the legal representatives of the entities impacted by the audit have been informed in advance and that they have given their agreement.
- The audit team leader develops an audit plan.
- The objectives, scope, criteria and schedule of the audit must be defined between the service provider and the sponsor.
- The audit team must obtain all existing documentation from the auditee.
- A formal meeting must be held to confirm agreement on all the terms of the service.
- Before the audit, the service provider must make its client aware of the importance of backing up and preserving the data, applications and systems present on the audited machines.
- An authorization form must be signed by the sponsor, the auditee and any third parties.
Step 3 – Execution of the service
- The audit team leader must keep the sponsor informed of critical vulnerabilities discovered during the audit.
- The audit must be carried out with respect for the personnel and physical and logical infrastructures of the auditee.
- The findings and observations made by the auditors must be factual and based on evidence.
- Auditors must report audit findings to the audit team leader.
- Any modification made to the audited information system must be traced.
- The audit findings must be documented, traced, and kept by the service provider for the duration of the audit.
- The service provider and auditors must take all necessary precautions to preserve the confidentiality of documents and information.
- The actions carried out by the service provider's auditors on the audited information system, their results and their dates of completion must be traced.
The requirements on the service provider then depend on the audit activity chosen:
Configuration Audit
- The configuration elements of the audited targets must be provided to the service provider. It is recommended that the service provider verifies the security of the configurations.
- The service provider must be able to organize interviews with staff involved in the implementation and administration of the audited target.
Code auditing
- The source code, documentation relating to the implementation, test methods and reports and the architecture of the audited information system must be provided to the service provider.
- It is recommended to conduct interviews with a developer or the person responsible for implementing the audited source code.
- It is recommended that the code audit begin with a security analysis of the audited application.
- It is recommended that the service provider verify the security of the code.
- It is recommended that the service provider search for as many vulnerabilities as possible.
- Source code audits can be carried out manually or automatically by specialized tools.
Organizational and physical audit
- The service provider must analyze the organization of information systems security.
- The organizational and physical audit must make it possible to measure the conformity of the audited information system in relation to the standards.
- The organizational and physical audit can integrate the analysis of elements related to the security of the physical aspects of information systems.
Architecture audit
- The service provider must review the following documents when they exist:
  - architecture diagrams at layers 2 and 3 of the OSI model;
  - flow matrices;
  - filtering rules;
  - configuration of network equipment (routers and switches);
  - interconnections with third-party networks or the Internet;
  - system risk analyses;
  - technical architecture documents relating to the target.
- The service provider must be able to organize interviews with the staff involved in the implementation and administration of the audited target.
Penetration test
- The audit team in charge of a penetration test on a given target may carry out one or more of the following phases:
  - Black box audit: auditors have no prior knowledge of the target;
  - Gray box audit: auditors have the knowledge of a standard user of the information system;
  - White box audit: auditors have as much technical information as possible.
- The service provider and the sponsor must define a simulated attacker profile.
- The service provider must remain in permanent contact with the auditee, and the auditor must warn the sponsor and the auditee before any action that could lead to a malfunction.
- Vulnerabilities known to make the audited target unstable, or even to cause a denial of service, must not be exploited.
- Non-public vulnerabilities discovered during the audit must be communicated to ANSSI.
Step 4 – Restitution
At the end of the audit, the audit team leader must inform the auditee and the sponsor of the findings and initial conclusions of the audit.
Step 5 – Preparing an audit report
- The service provider must prepare an audit report and send it to the sponsor.
- The service provider must indicate whether the service provided is a qualified service.
- The audit report must contain in particular: a summary understandable by non-experts, a summary table of the audit results, a chronological account of the penetration tests and of the methodology used to detect vulnerabilities, and a security analysis of the audited information system.
- The audit report must be adapted according to the audit activity carried out by the service provider.
- Vulnerabilities must be classified according to their impact on the security of the information system and their difficulty of exploitation.
- Each vulnerability must be associated with one or more recommendations adapted to the information system of the auditee.
- The audit report must mention the reservations relating to the completeness of the audit results or the relevance of the audited target.
- The audit report must mention the names and contact details of the auditors, audit team leaders and sponsors of the audit.
Step 6 – Closing of the service
- A summary meeting is recommended.
- The audit team leader must ask the auditee to sign a document attesting that the information system that was audited is in a state whose security is not degraded compared to the initial state.
- All information or documents obtained by the service provider must be returned to the auditee or destroyed.
- The service is considered completed when all planned activities have been carried out and the sponsor has received and certified, formally and in writing, that the audit report complies with the objectives set out in the agreement.
Why is it important to choose a PASSI qualified service provider?
The PASSI qualification ensures advantages for auditees:
A framed methodology
The methodology of the audits carried out by the audit teams complies with the quality requirements imposed by ANSSI.
The aspects required by ANSSI are legal, regulatory, contractual and ethical.
Thus, certified auditors will only use methods, tools and techniques validated by the service provider; these methods comply with the ISO 19011 standard.
Qualified auditors
PASSI qualified auditors have proven their know-how and skills. They received training in Information Systems technologies meeting VISA criteria.
Auditors master good practices and the methodology present in the ISO 19011 standard.
Their skills are continually updated, ensuring continued mastery.
Legal compliance and confidentiality
The PASSI qualification provides the service provider with increased protection of information, thanks to secure distribution channels, a Restricted Dissemination room, and compliance with a confidentiality charter and an ethics charter.
The audit company and its auditors comply with French legislation and regulations.
And Ziwit?
At Ziwit, we are PASSI qualified. Our auditors have thus proven that their methodologies and know-how meet the standards set by French regulations.
The PASSI qualification certifies:
- The competence of our auditors.
- Mastery of good practices and audit methodology.
- Constant updating of auditors’ knowledge and skills.
- The written and oral communication skills of our auditors.
- The quality of the audit report's content.
- Confidentiality of sensitive data entrusted and exposed.
- Our respect for the ISO 19011 standard.
- Compliance with French legislation.
- The reliability of the information transmitted.
- Loyalty, discretion and impartiality of the services offered.