# PSSI

#### Scope of the Information Systems Security (ISS) <a href="#h_01jdq3hqm6ypwjza45b1hq9twz" id="h_01jdq3hqm6ypwjza45b1hq9twz"></a>

The Information Systems Security (ISS) of Potions encompasses all the company’s information systems, reflecting the diversity of their uses, locations, access methods, and the people involved.

***

#### Security Requirements <a href="#h_01jdq3hqm6wyrr0g1zmm292ett" id="h_01jdq3hqm6wyrr0g1zmm292ett"></a>

The security of the Information System relies on the following criteria:

* **Confidentiality:** “Confidentiality is the property that information is not made available or disclosed to unauthorised individuals, entities, or processes” (ISO 7498-2, ISO90).
* **Availability:** Ensuring data and functions are accessible at the required time by authorised users.
* **Integrity:** “Integrity is the prevention of unauthorised modification of information” (ISO 7498-2, ISO90).

These security requirements apply to both the resources of the information system (computers, networks, applications) and the data they process. Data must be inventoried and classified (e.g., defence, scientific, administrative, personal, strategic) to determine their sensitivity level and the necessary protection measures.

***

#### Threats <a href="#h_01jdq3hqm6hyd4292abjhk89jq" id="h_01jdq3hqm6hyd4292abjhk89jq"></a>

To implement appropriate security measures, the EBIOS method (Expression of Needs and Identification of Security Objectives – DCSSI) recommends understanding threat types and their impacts. Threats can be categorised as follows:

* **Direct attacks on the information system:** Data theft, data modification, denial of service, etc.
* **Attacks on IT resources:** Resource theft, misuse, data alteration, malware distribution, etc.
* **Accidents:** Natural disasters, accidental data or resource alteration.

For each threat, risks must be assessed by considering the likelihood of occurrence and identifying potential aggravating factors (e.g., negligence, lack of information or procedures).

***

### Implementation of the ISSP <a href="#h_01jdq3hqm68a42zz2qgrevsy6n" id="h_01jdq3hqm68a42zz2qgrevsy6n"></a>

The ISSP (Information Systems Security Policy; PSSI in French) of Potions outlines a set of organisational and technical principles. These principles are detailed further in technical guidelines or instructions, whose development, dissemination, and communication are managed by the ISS functional chain.

***

#### Organisation <a href="#h_01jdq3hqm62janqg0fh39e5102" id="h_01jdq3hqm62janqg0fh39e5102"></a>

**Access to IT Resources**

The provision of IT resources to a user must be formalised upon their arrival, change in role, and departure. Access to resources must be controlled (identification, authentication) and adapted to the user’s authorised rights (roles, privileges, and profiles).

**IT Usage Charter**

Before accessing IT tools, users must be informed of their rights and responsibilities through the "Good IT Usage Charter," integrated into Potions’ internal regulations.

**Data Protection**

* **Availability, Confidentiality, and Integrity of Data**\
  Data processing and storage, application and service access, and data exchanges between information systems must be conducted so as to prevent data loss, alteration, misuse, or unauthorised disclosure. Regular backups, with validated restoration processes, must be implemented. A distinction must be made between production backups (used to restore specific data after loss or corruption) and contingency backups (used to rebuild services on external systems after a major incident).
* **Sensitive Data Protection**\
  Sensitive data must be identified and classified based on their sensitivity level. This classification should be regularly reviewed, and appropriate protective measures (e.g., access control, encryption) applied during storage, processing, or exchange.
* **Personal Data**\
  Processing of personal data must comply with GDPR. Any required notifications or authorisations must be handled through the Data Protection Officer (DPO). Personal data, being sensitive, must be safeguarded as per GDPR requirements.
* **Encryption**\
  Encryption is mandatory for the storage and exchange of sensitive data.

***

#### Securing the Information System <a href="#h_01jdq3hqm6mdq5mnjvq1k1rgva" id="h_01jdq3hqm6mdq5mnjvq1k1rgva"></a>

**Server Administration**

Server administration is handled by the company’s DevOps team.

**Workstation Administration**

Individual workstation administration is also managed by the DevOps team, except in justified cases where, because of specific needs and expertise, users administer their own workstations.

**Workstation and Mobile Device Security**

Workstations and mobile devices must be secured by robust passwords, which are personal and confidential. Users are responsible for ensuring that security mechanisms (antivirus, OS and software updates) are functioning properly and for reporting any issues to the security correspondent. Special measures must be taken for mobile devices used outside their secure zone (e.g., encryption, theft protection).

**Access Control**

Access to the information system requires user identification/authentication and authorisation checks. Authentication should, where possible, utilise the Potions directory. Permissions must be carefully defined, granting only necessary privileges. All access must be logged. Shared or anonymous accounts are to be exceptions and must be justified.

**Application Security**

Security must be considered at every stage of an IT project. Applications, whether internal or external, must align with the sensitivity of the data they process or exchange.

**Network Security**

Information systems must be protected from external threats through access filters applied at network gateways. Network access to servers must be specifically filtered, both from workstations and from other servers. For external server access, encrypted connections (e.g., SSH tunnels) must be used.

***

#### Maintaining Security Standards <a href="#h_01jdq3hqm6b1scn4pjpddhnfj7" id="h_01jdq3hqm6b1scn4pjpddhnfj7"></a>

Technical measures must ensure the ongoing security of hardware and software through updates, patches, and monitoring of vulnerabilities. Security logs must be analysed regularly to verify system security.

**Incident Management**

All information system users, including administrators, must report any incidents, real or suspected, to the ISS chain and hierarchical authorities. This includes theft of IT equipment or data storage devices.

