Interministerial Instruction No. 901/SGDSN/ANSSI (II 901) of January 28, 2015 defines the objectives and minimum security measures for the protection of sensitive information, in particular information classified at the Diffusion Restreinte (DR) level. This guide provides recommendations for designing the architecture of information systems (IS) that host sensitive or DR information. More generally, it offers technical guidance for putting II 901 into practice.
II 901 applies to:
- State administrations that implement sensitive information systems;
- public or private entities subject to the regulations on the protection of the nation's scientific and technical potential (PPST) that implement sensitive information systems;
- any other public or private entity that implements Diffusion Restreinte information systems.
The recommendations in this guide are intended primarily for these entities, to which II 901 fully applies. Since II 901 carries the weight of a recommendation for any other public or private entity that implements sensitive information systems, these good practices can usefully be applied to all types of sensitive IS (e.g. IS hosting information protected as trade secrets, IS hosting information covered by professional secrecy, etc.).
This guide has been designed as a tool to help an entity implement an IS architecture that conforms to II 901. Note, however, that certain areas of II 901 are intentionally not covered by this guide.
This version of the guide does not address the protection of sensitive or DR information when it is hosted in a cloud.
A spreadsheet file accompanies this guide. It lists all of the guide's recommendations. Also designed as a tool, this spreadsheet is intended to give those responsible for implementing and approving a sensitive IS a concrete and simple means of:
- distinguishing the security measures imposed by regulation from those that fall under good practice;
- justifying deviations when certain measures are not retained or must be adapted to the entity's context;
- assessing the actual level of implementation of the selected regulatory requirements.