The security of information systems arrived in companies a few years after the opening of the Internet. Previously, it was limited to the management of accounts, rights and backups. The Internet has profoundly changed the situation. With the Internet, IT departments realized that being inside the company was no longer necessarily necessary to steal its secrets. New architectures and new technologies have been integrated into the infrastructure:
- Firewalls,
- Demilitarized Zones (better known by the acronym DMZ),
- Electronic certificates,
- ...
As the integration of these technologies was not sufficient in relation to the identified risk, security quickly became more complex with the creation of a new position: the CISO (Information Systems Security Manager), and sometimes a security department.
This new entity was perceived as a hindrance to the company's economic development. It was therefore often bypassed. Today, with the media coverage of cyber-attacks (ransomware, Saint-Gobain, Ukraine) and their consequences, the image of the IT security department has evolved, and is seen as a protector of the company's assets. The French government became aware in the 2000s that the heritage of companies is more and more digitized, and that a company without an Information System could only disappear. It also becomes aware that if there is an attack, it will first be digital, before being military. He will then reinforce and broaden the missions of the ANSSI.
The ANSSI, the National Agency for the Security of Information Systems, is the heir to a long series of bodies responsible for ensuring the security of sensitive information, particularly that of the State. The ANSSI was created on 7 July 2009 by decree n° 2009-834. This decree gives this agency, in addition to the security of State information systems, a mission of advice and support to administrations and to Operators of Vital Importance (OIV [*]), as well as that of contributing to the security of the information society, in particular by participating in research and development of security technologies and their promotion. ANSSI has just celebrated its 10th anniversary.
By decree of 18 December 2013, the French government promulgated the Military Programming Law (LPM) and entrusted ANSSI with its application. This law requires OIVs to secure their Industrial Information System (IIS, and by industrial, trade). France then became the first country in Europe to adopt this type of regulation. Germany will follow France by a law voted in December 2014.
Inspired by the LPM, Europe decided to protect itself with a legislative arsenal against cybercrime through NIS (Network and Information system Security). The European NIS directive will come into force on 6 July 2016. It will be transposed into French law on 25 May 2018. The Military Programming Law 2019 - 2025 reinforces ANSSI as a key player in digital security, and authorizes ANSSI to place probes in the Internet to better anticipate cyber attacks.
Patrick Quintreau-Belleux, Project Director - ITS Group
[*] OIV: Private or public enterprises, public services whose role is essential to the proper functioning of the country and the protection of the population. These include banks, electricity companies, telecommunications operators, hospitals, government institutions, etc.
