diff --git a/backend/library/libraries/3cf-v2.yaml b/backend/library/libraries/3cf-v2.yaml
new file mode 100644
index 000000000..4ed3e381b
--- /dev/null
+++ b/backend/library/libraries/3cf-v2.yaml
@@ -0,0 +1,4839 @@ +urn: urn:intuitem:risk:library:3cf-v2 +locale: fr +ref_id: 3CF-v2 +name: "Cadre de Conformit\xE9 Cyber France (3CF) pour l'aviation civile - v2" +description: "Ce document, \xE9tabli par la direction de la s\xE9curit\xE9 de l'aviation\ + \ civile (DSAC), pr\xE9sente le Cadre de Conformit\xE9 Cyber France (3CF) pour l'aviation\ + \ civile.\nversion 2 du 30 avril 2024\nhttps://meteor.dsac.aviation-civile.gouv.fr/meteor-externe/api/file/attachment/12d47db0-e8a9-4be4-b243-50bd8cc835f1" +copyright: "Ce document peut \xEAtre utilis\xE9 librement, sous r\xE9serve de mentionner\ + \ sa paternit\xE9." +version: 1 +provider: "Direction de la s\xE9curit\xE9 de l'aviation civile" +packager: intuitem +objects: + framework: + urn: urn:intuitem:risk:framework:c3cf-v2 + ref_id: 3CF-v2 + name: "Cadre de Conformit\xE9 Cyber France (3CF) pour l'aviation civile - v2" + description: "Ce document, \xE9tabli par la direction de la s\xE9curit\xE9 de\ + \ l'aviation civile (DSAC), pr\xE9sente le Cadre de Conformit\xE9 Cyber France\ + \ (3CF) pour l'aviation civile.\nversion 2 du 30 avril 2024\nhttps://meteor.dsac.aviation-civile.gouv.fr/meteor-externe/api/file/attachment/12d47db0-e8a9-4be4-b243-50bd8cc835f1" + implementation_groups_definition: + - ref_id: sec + name: "s\xE9curit\xE9 a\xE9rienne" + description: "\xC9tat dans lequel les risques li\xE9s aux activit\xE9s a\xE9\ + ronautiques concernant, ou appuyant directement, l\u2019exploitation des a\xE9\ + ronefs sont r\xE9duits et ma\xEEtris\xE9s \xE0 un niveau acceptable " + - ref_id: sur + name: "suret\xE9 a\xE9rienne" + description: "Combinaison des mesures ainsi que des moyens humains et mat\xE9\ + riels visant \xE0 prot\xE9ger l\u2019aviation civile contre les actes d\u2019\ + interventions illicites." 
+ requirement_nodes: + - urn: urn:intuitem:risk:req_node:c3cf-v2:3 + assessable: false + depth: 1 + ref_id: '3' + name: Gouvernance + - urn: urn:intuitem:risk:req_node:c3cf-v2:3.1 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:3 + ref_id: '3.1' + name: Engagement du Dirigeant Responsable + - urn: urn:intuitem:risk:req_node:c3cf-v2:node4 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:3.1 + description: "Le Dirigeant Responsable de l\u2019organisme s\u2019engage \xE0\ + \ mettre en \u0153uvre des moyens adapt\xE9s de protection contre l\u2019\ + atteinte \xE0 la confidentialit\xE9, l\u2019int\xE9grit\xE9, la disponibilit\xE9\ + \ et l\u2019authenticit\xE9 des informations qui pourraient entrainer des\ + \ probl\xE8mes de s\xE9curit\xE9 a\xE9rienne. " + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node5 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:3.1 + description: "Pour ce faire, le Dirigeant Responsable s\u2019engage \xE0 mettre\ + \ en place un Syst\xE8me de Management de la S\xE9curit\xE9 de l\u2019Information\ + \ (SMSI) visant \xE0 \xE9tablir, mettre en \u0153uvre, exploiter, surveiller,\ + \ r\xE9examiner, tenir \xE0 jour et am\xE9liorer la gestion des risques li\xE9\ + s \xE0 la s\xE9curit\xE9 de l\u2019information sur la s\xFBret\xE9 et ou s\xE9\ + curit\xE9 a\xE9rienne. 
" + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node6 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:3.1 + description: "La lettre formalisant cet engagement du Dirigeant Responsable\ + \ est int\xE9gr\xE9e ou r\xE9f\xE9renc\xE9e dans : " + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node7 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node6 + description: "le manuel du syst\xE8me de management de la s\xE9curit\xE9 de\ + \ l\u2019information, ou ;" + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node8 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node6 + description: "le manuel de l\u2019organisme approuv\xE9/certifi\xE9." + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:3.2 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:3 + ref_id: '3.2' + name: "Politique de s\xE9curit\xE9 de l\u2019information" + - urn: urn:intuitem:risk:req_node:c3cf-v2:3.2.1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:3.2 + ref_id: 3.2.1 + name: "Strat\xE9gie et objectifs de s\xE9curit\xE9 de l\u2019information" + - urn: urn:intuitem:risk:req_node:c3cf-v2:node11 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:3.2.1 + description: "Le Dirigeant Responsable d\xE9finit et approuve une politique\ + \ de s\xE9curit\xE9 de l\u2019information dont d\xE9coule : " + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node12 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node11 + description: "une strat\xE9gie qui d\xE9crit les intentions et l\u2019orientation\ + \ en mati\xE8re de s\xE9curit\xE9 de l\u2019information relative \xE0 la s\xE9\ + curit\xE9 a\xE9rienne ; " + implementation_groups: + - sec + - urn: 
urn:intuitem:risk:req_node:c3cf-v2:node13 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node11 + description: "les objectifs de s\xE9curit\xE9 de l\u2019information qu\u2019\ + il s\u2019est fix\xE9 afin de mettre en \u0153uvre cette strat\xE9gie ; -\ + \ les \xE9tapes et le plan d\u2019actions pour atteindre ces objectifs. " + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:3.2.2 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:3.2 + ref_id: 3.2.2 + name: "Coh\xE9rence de la strat\xE9gie et des objectifs" + - urn: urn:intuitem:risk:req_node:c3cf-v2:node15 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:3.2.2 + description: "Le Dirigeant Responsable s\u2019assure de la coh\xE9rence entre\ + \ : " + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node16 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node15 + description: "la strat\xE9gie et les objectifs de s\xE9curit\xE9 de l\u2019\ + information d\u2019une part et ; " + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node17 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node15 + description: "la strat\xE9gie et les objectifs globaux de l\u2019organisme et\ + \ ceux plus sp\xE9cifiques \xE0 la s\xE9curit\xE9 a\xE9rienne d\u2019autre\ + \ part. 
" + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:3.2.3 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:3.2 + ref_id: 3.2.3 + name: "Int\xE9gration ou articulation entre les syst\xE8mes de gestion " + - urn: urn:intuitem:risk:req_node:c3cf-v2:node19 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:3.2.3 + description: "Le Dirigeant Responsable pr\xE9cise l\u2019int\xE9gration ou l\u2019\ + articulation entre le SMSI et le(s) syst\xE8me(s) de gestion existant(s) de\ + \ l\u2019organisation. Notamment : " + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node20 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node19 + description: "le Syst\xE8me de Gestion de la S\xE9curit\xE9 a\xE9rienne (SGS\ + \ ou en anglais SMS Safety Management System) ; " + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node21 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node19 + description: "le cas \xE9ch\xE9ant d\u2019autres Syst\xE8mes de Management de\ + \ la S\xE9curit\xE9 de l'Information, en interaction avec le SMSI a\xE9ronautique\ + \ objet de ce document, tel qu\u2019un SMSI mutualis\xE9 au sein d\u2019un\ + \ groupe de soci\xE9t\xE9s, r\xE9pondant \xE0 d'autres objectifs r\xE9glementaires,\ + \ et/ou internes et/ou \xE9conomiques. 
" + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:3.2.4 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:3.2 + ref_id: 3.2.4 + name: "Communication de la politique de s\xE9curit\xE9 de l\u2019information" + - urn: urn:intuitem:risk:req_node:c3cf-v2:node23 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:3.2.4 + description: "Le Dirigeant Responsable s\u2019assure que la politique de s\xE9\ + curit\xE9 de l\u2019information est :" + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node24 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node23 + description: " diffus\xE9e et promue de mani\xE8re appropri\xE9e :" + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node25 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node24 + description: 'au sein de son organisation ; ' + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node26 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node24 + description: "aupr\xE8s de ses partenaires, notamment ses sous-traitants, ses\ + \ prestataires de services et ses fournisseurs d\u2019\xE9quipement. 
" + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node27 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node23 + description: "formalis\xE9e et int\xE9gr\xE9e ou r\xE9f\xE9renc\xE9e dans : " + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node28 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node27 + description: "le manuel du syst\xE8me de management de la s\xE9curit\xE9 de\ + \ l\u2019information, ou ; " + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node29 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node27 + description: "le manuel de l\u2019organisme approuv\xE9/certifi\xE9. " + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:3.3 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:3 + ref_id: '3.3' + name: "Gestion des ressources, r\xF4les et responsabilit\xE9s " + - urn: urn:intuitem:risk:req_node:c3cf-v2:node31 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:3.3 + description: 'Le Dirigeant Responsable : ' + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node32 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node31 + description: "est capable de d\xE9montrer sa connaissance du r\xE8glement Part-IS\ + \ ; " + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node33 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node31 + description: "s\u2019assure que les ressources financi\xE8res, mat\xE9rielles\ + \ et humaines n\xE9cessaires pour assurer la gestion des risques li\xE9s \xE0\ + \ la s\xE9curit\xE9 de l\u2019information relative \xE0 la s\xE9curit\xE9\ + \ a\xE9rienne sont disponibles et suffisantes ; " + implementation_groups: + - sec + - urn: 
urn:intuitem:risk:req_node:c3cf-v2:node34 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node31 + description: "d\xE9finit et attribue les r\xF4les et les responsabilit\xE9s\ + \ en mati\xE8re de gestion de l\u2019information relative \xE0 la s\xE9curit\xE9\ + \ a\xE9rienne. Notamment, il veille \xE0 : " + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node35 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node34 + description: "d\xE9signer une personne ou un groupe de personnes responsables\ + \ : " + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node36 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node35 + description: "de la mise en \u0153uvre du r\xE8glement Part-IS, qui : " + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node37 + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node36 + description: "a un acc\xE8s direct au Dirigeant Responsable ; " + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node38 + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node36 + description: "dispose de l\u2019autorit\xE9 et des comp\xE9tences suffisantes\ + \ pour exercer ses fonctions et ; " + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node39 + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node36 + description: "pour lequel une ou des personnes assurant l\u2019int\xE9rim sont\ + \ pr\xE9vues en cas d\u2019absence." 
+ implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node40 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node35 + description: "de la conformit\xE9 au r\xE8glement Part-IS, qui : " + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node41 + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node40 + description: "est ind\xE9pendant vis-\xE0-vis de la personne ou du groupe de\ + \ personnes responsables de la mise en \u0153uvre du r\xE8glement Part-IS. " + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node42 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node34 + description: "formaliser la d\xE9signation de ces personnes ou groupes de personnes,\ + \ en pr\xE9cisant : " + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node43 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node42 + description: 'leur(s) titre(s), leur(s) nom(s) et leurs missions ; ' + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node44 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node42 + description: "leur lien direct avec le Dirigeant Responsable, leurs responsabilit\xE9\ + s, leurs pouvoirs et leurs moyens, au travers d\u2019un organigramme ;" + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node45 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node42 + description: 'leurs obligations de rendre compte. 
' + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node46 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node31 + description: "s\u2019assure que les r\xF4les et responsabilit\xE9s sont communiqu\xE9\ + s et connus \xE0 tous les niveaux de l\u2019organisation, aussi bien par le\ + \ personnel interne que par les partenaires ext\xE9rieurs concern\xE9s. " + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node47 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:3.3 + description: "Les \xE9l\xE9ments relatifs \xE0 la gestion des ressources, aux\ + \ r\xF4les et responsabilit\xE9s sont : " + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node48 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node47 + description: "formalis\xE9s ; " + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node49 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node47 + description: "int\xE9gr\xE9s ou r\xE9f\xE9renc\xE9s dans :" + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node50 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node49 + description: "le manuel du syst\xE8me de management de la s\xE9curit\xE9 de\ + \ l\u2019information, ou ; " + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node51 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node49 + description: "le manuel de l\u2019organisme approuv\xE9/certifi\xE9." 
+ implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:4 + assessable: false + depth: 1 + ref_id: '4' + name: "Gestion des risques de s\xE9curit\xE9 de l\u2019information " + - urn: urn:intuitem:risk:req_node:c3cf-v2:node53 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:4 + description: "Dans le cadre des activit\xE9s de la gestion des risques de s\xE9\ + curit\xE9 de l\u2019information relative \xE0 la s\xFBret\xE9 et/ou \xE0 la\ + \ s\xE9curit\xE9 a\xE9rienne, l\u2019organisme : " + implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node54 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node53 + description: "d\xE9finit les responsabilit\xE9s des diff\xE9rents participants\ + \ internes et externes ;" + implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node55 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node53 + description: "d\xE9finit l\u2019articulation avec l\u2019organisation d\xE9\ + j\xE0 en place pour la gestion des risques relatifs \xE0 la s\xFBret\xE9 et/ou\ + \ \xE0 la s\xE9curit\xE9 a\xE9rienne ;" + implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node56 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node53 + description: "pr\xE9cise la m\xE9thodologie ou le standard utilis\xE9e pour\ + \ mener \xE0 bien ces activit\xE9s :" + implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node57 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node56 + description: "Il est recommand\xE9 de mettre en \u0153uvre une des normes ou\ + \ m\xE9thodes suivantes : " + implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node58 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node57 + description: "ISO/CEI 
27005 [15], Norme relative \xE0 la Gestion des risques\ + \ li\xE9s \xE0 la s\xE9curit\xE9 de l\u2019information ; " + implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node59 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node57 + description: "EBIOS Risk Manager [16] m\xE9thode d'appr\xE9ciation et de traitement\ + \ des risques num\xE9riques publi\xE9e par l\u2019ANSSI ; " + implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node60 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node57 + description: "toute autre m\xE9thode conforme \xE0 la norme ISO/CEI 31000 [17],\ + \ norme relative \xE0 la gestion des risques. " + implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node61 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node56 + description: "Dans le cas o\xF9 l\u2019organisme met en \u0153uvre une autre\ + \ m\xE9thodologie ou standard, il apporte la preuve que celle ou celui-ci\ + \ : " + implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node62 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node61 + description: "produit des r\xE9sultats : " + implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node63 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node62 + description: "reproductibles sur la base d\u2019\xE9l\xE9ments d\u2019entr\xE9\ + e similaires ; " + implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node64 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node62 + description: comparables dans le temps. 
+ implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node65 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node61 + description: "prend en consid\xE9ration des \xE9l\xE9ments d\u2019entr\xE9e\ + \ pertinents et valides ; " + implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node66 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node61 + description: "permet un affinement des r\xE9sultats it\xE9ratifs au fil du temps\ + \ et des \xE9l\xE9ments d\u2019entr\xE9e disponibles. " + implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node67 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node53 + description: "formalise les proc\xE9dures relatives \xE0 la gestion des risques,\ + \ notamment \xE0 :" + implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node68 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node67 + description: "l\u2019appr\xE9ciation et au traitement des risques ; " + implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node69 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node67 + description: "la gestion des incidents de s\xE9curit\xE9 de l\u2019information\ + \ ; " + implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node70 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node67 + description: 'la gestion des organismes en interface ; ' + implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node71 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node67 + description: "la gestion des sous-traitants r\xE9alisant une ou des activit\xE9\ + s du SMSI." 
+ implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node72 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node53 + description: "int\xE8gre ou fait r\xE9f\xE9rence \xE0 ces proc\xE9dures dans\ + \ :" + implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node73 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node72 + description: "le manuel du syst\xE8me de management de la s\xE9curit\xE9 de\ + \ l\u2019information, ou ; " + implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node74 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node72 + description: "le manuel de l\u2019organisme approuv\xE9/certifi\xE9, et/ou ;" + implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node75 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node72 + description: "le programme de s\xFBret\xE9. " + implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node76 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:4 + description: "Pour la suite, l\u2019organisme s\u2019appuie sur la m\xE9thodologie\ + \ de gestion des risques qu\u2019il a choisie pour aboutir aux conclusions. " + - urn: urn:intuitem:risk:req_node:c3cf-v2:node77 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:4 + description: "N\xE9anmoins, sont pr\xE9cis\xE9es ci-apr\xE8s les diff\xE9rentes\ + \ \xE9tapes et documents attendus pour \xEAtre conformes aux r\xE8glements. 
" + - urn: urn:intuitem:risk:req_node:c3cf-v2:4.1 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:4 + ref_id: '4.1' + name: "\xC9tablissement du contexte " + - urn: urn:intuitem:risk:req_node:c3cf-v2:node79 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:4.1 + description: "Afin de d\xE9finir le p\xE9rim\xE8tre de son analyse de risques\ + \ et/ou de son SMSI, l\u2019organisme identifie la liste des fonctions relatives\ + \ \xE0 ses missions de s\xFBret\xE9 et/ou de s\xE9curit\xE9 a\xE9rienne. Pour\ + \ y parvenir, il peut s\u2019appuyer sur : " + implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node80 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node79 + description: "les listes de fonctions relatives \xE0 la s\xFBret\xE9 et/ou s\xE9\ + curit\xE9 a\xE9rienne disponibles en annexe ; " + implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node81 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node79 + description: "une pr\xE9-\xE9valuation des risques qui identifie les fonctions\ + \ les plus critiques \xE0 prendre en compte au regard de la distance et de\ + \ la vraisemblance de propagation jusqu\u2019\xE0 l\u2019impact sur la s\xFB\ + ret\xE9 et/ou s\xE9curit\xE9 a\xE9rienne dont on cherche \xE0 se pr\xE9munir" + implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node82 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:4.1 + description: "De plus, l\u2019organisme d\xE9finit des \xE9chelles : " + implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node83 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node82 + description: "de gravit\xE9 relative aux cons\xE9quences en mati\xE8re de s\xFB\ + ret\xE9 et/ou de s\xE9curit\xE9 a\xE9rienne ; " + 
implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node84 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node82 + description: "de probabilit\xE9 d\u2019occurrence (ou vraisemblance) du risque\ + \ ;" + implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node85 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node82 + description: "les crit\xE8res d\u2019acceptation du risque propre \xE0 l\u2019\ + organisme. " + implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:4.2 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:4 + ref_id: '4.2' + name: "Appr\xE9ciation des risques" + - urn: urn:intuitem:risk:req_node:c3cf-v2:4.2.1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:4.2 + ref_id: 4.2.1 + name: Identification des risques + - urn: urn:intuitem:risk:req_node:c3cf-v2:node88 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:4.2.1 + description: "Sur la base de la liste des fonctions relatives \xE0 la s\xFB\ + ret\xE9 et/ou s\xE9curit\xE9 a\xE9rienne de l\u2019organisation, l\u2019organisme\ + \ identifie :" + implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node89 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node88 + description: 'les fonctions : ' + implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node90 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node89 + description: "dont il a la responsabilit\xE9 et qui sont r\xE9alis\xE9es par\ + \ lui-m\xEAme et pour son propre compte et/ou ;" + implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node91 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node89 + description: "qu\u2019il met 
en \u0153uvre pour le compte d\u2019un partenaire\ + \ ext\xE9rieur (interface) et/ou; " + implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node92 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node89 + description: "dont il a la responsabilit\xE9 et qui sont r\xE9alis\xE9es par\ + \ un partenaire ext\xE9rieur pour le compte de l\u2019organisme consid\xE9\ + r\xE9 (interface). " + implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node93 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node88 + description: "les \xE9l\xE9ments qui contribuent \xE0 la r\xE9alisation de chacune\ + \ des fonctions identifi\xE9es pr\xE9c\xE9demment, notamment les \xE9quipements,\ + \ syst\xE8mes, donn\xE9es et informations. " + implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node94 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:4.2.1 + description: "Puis, pour chaque fonction et chaque \xE9l\xE9ment identifi\xE9\ + s pr\xE9c\xE9demment, l\u2019organisme : " + implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node95 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node94 + description: 'associe une description ; ' + implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node96 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node94 + description: "identifie une ou des personnes et/ou entit\xE9s responsables,\ + \ qui peuvent aussi bien \xEAtre internes qu\u2019externes ;" + implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node97 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node94 + description: "pr\xE9cise le cas \xE9ch\xE9ant si celui-ci dispose d\u2019une\ + \ interface avec un tiers ainsi que la nature de 
cette derni\xE8re : \no \ + \ prestation de service ; \no sous-traitance ; \no fourniture d\u2019\xE9\ + quipements ; \no prestation autre, \xE0 pr\xE9ciser. " + implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node98 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:4.2.1 + description: "L\u2019organisme dispose d\u2019une interface avec un autre organisme,\ + \ lorsque la r\xE9alisation d\u2019une des fonctions n\xE9cessite : " + implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node99 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node98 + description: "d\u2019\xE9changer des donn\xE9es et/ou des informations avec\ + \ ce tiers ; " + implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node100 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node98 + description: "de fournir et/ou de mettre \xE0 disposition un syst\xE8me, un\ + \ \xE9quipement et/ou un service num\xE9rique pour ce tiers ; " + implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node101 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node98 + description: "d\u2019utiliser un syst\xE8me d\u2019information, un \xE9quipement\ + \ et/ou un service num\xE9rique fourni par ce tiers. 
" + implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node102 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:4.2.1 + description: "Enfin, l\u2019organisme : " + implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node103 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node102 + description: "d\xE9termine pour chaque fonction identifi\xE9e, seul ou en lien\ + \ avec le ou les organismes en interface concern\xE9s :" + implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node104 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node103 + description: "les \xE9v\xE9nements redout\xE9s, notamment les effets n\xE9fastes\ + \ sur la s\xFBret\xE9 et/ou s\xE9curit\xE9 a\xE9rienne cons\xE9cutifs \xE0\ + \ une atteinte \xE0 la disponibilit\xE9, l\u2019int\xE9grit\xE9, la confidentialit\xE9\ + \ et l\u2019authenticit\xE9 de la fonction ; " + implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node105 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node103 + description: "les impacts en mati\xE8re de s\xFBret\xE9 et/ou de s\xE9curit\xE9\ + \ a\xE9rienne associ\xE9s \xE0 ces \xE9v\xE9nements redout\xE9s. " + implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node106 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node102 + description: "\xE9tablit la liste des organismes en interface pr\xE9c\xE9demment\ + \ identifi\xE9s. 
" + implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:4.2.2 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:4.2 + ref_id: 4.2.2 + name: 'Analyse de risques ' + - urn: urn:intuitem:risk:req_node:c3cf-v2:node108 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:4.2.2 + description: "Ensuite, l\u2019organisme : " + implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node109 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node108 + description: "d\xE9finit une \xE9chelle de vraisemblance (ou de probabilit\xE9\ + \ d\u2019occurrence) prenant en compte : " + implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node110 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node109 + description: "la vraisemblance de r\xE9alisation de l\u2019\xE9v\xE9nement redout\xE9\ + \ au niveau de l\u2019\xE9l\xE9ment du ou des syst\xE8mes d\u2019information\ + \ concern\xE9(s) ; " + implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node111 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node109 + description: "l\u2019efficacit\xE9 des processus m\xE9tier de s\xFBret\xE9 et/ou\ + \ s\xE9curit\xE9 a\xE9rienne mis en place au sein de l\u2019organisme et pouvant\ + \ bloquer, limiter ou favoriser la r\xE9alisation de l\u2019\xE9v\xE9nement\ + \ redout\xE9. Par exemple, les barri\xE8res de protection d\xE9j\xE0 mises\ + \ en place vis-\xE0-vis de l\u2019\xE9v\xE9nement redout\xE9. 
" + implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node112 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node108 + description: "identifie ses risques sur la base de l\u2019analyse d\u2019impacts\ + \ en associant aux \xE9v\xE8nements redout\xE9s :" + implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node113 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node112 + description: "un niveau de gravit\xE9 selon l\u2019\xE9chelle pr\xE9d\xE9finie\ + \ ;" + implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node114 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node112 + description: "un niveau de vraisemblance selon l\u2019\xE9chelle pr\xE9d\xE9\ + finie ; " + implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node115 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node112 + description: "une ou des personnes et/ou entit\xE9s responsables qui peuvent\ + \ \xEAtre au sein de l\u2019organisme ou bien un partenaire ext\xE9rieur,\ + \ notamment pour les fonctions qu\u2019il re\xE7oit. 
" + implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:4.2.3 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:4.2 + ref_id: 4.2.3 + name: "\xC9valuation des risques" + - urn: urn:intuitem:risk:req_node:c3cf-v2:node117 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:4.2.3 + description: "Enfin, l\u2019organisme : " + implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node118 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node117 + description: "associe \xE0 chaque risque identifi\xE9 son niveau de risque selon\ + \ l\u2019\xE9chelle pr\xE9d\xE9finie sur la base : " + implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node119 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node118 + description: "des r\xE9sultats de son analyse de risques ;" + implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node120 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node118 + description: "des informations d\u2019analyse de risques transmises dans le\ + \ cadre d\u2019une fonction r\xE9alis\xE9e par un tiers. " + implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node121 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node117 + description: "\xE9tablit la liste des organismes en interface pr\xE9sentant\ + \ un risque pour la s\xFBret\xE9 et/ou la s\xE9curit\xE9 a\xE9rienne. 
" + implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:4.2.4 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:4.2 + ref_id: 4.2.4 + name: "R\xE9sultats de l\u2019appr\xE9ciation des risques" + - urn: urn:intuitem:risk:req_node:c3cf-v2:node123 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:4.2.4 + description: "L\u2019organisme : " + implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node124 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node123 + description: 'formalise :' + implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node125 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node124 + description: "la liste des risques relatifs \xE0 la s\xFBret\xE9 et/ou \xE0\ + \ la s\xE9curit\xE9 a\xE9rienne identifi\xE9s en pr\xE9cisant pour chacun\ + \ d\u2019entre eux : " + implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node126 + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node125 + description: "la fonction associ\xE9e et la ou les \xE9ventuelles interfaces\ + \ ; " + implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node127 + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node125 + description: "les \xE9quipements, syst\xE8mes, donn\xE9es et informations qui\ + \ contribuent \xE0 la r\xE9alisation de la fonction associ\xE9e ainsi que\ + \ la ou les \xE9ventuelles interfaces ; " + implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node128 + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node125 + description: "l\u2019\xE9v\xE9nement redout\xE9 associ\xE9 ; " + implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node129 + 
assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node125 + description: "une ou des personnes et/ou entit\xE9s responsables ;" + implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node130 + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node125 + description: le niveau de risque. + implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node131 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node124 + description: "la liste des organismes en interface pr\xE9sentant un risque pour\ + \ la s\xFBret\xE9 et/ou la s\xE9curit\xE9 a\xE9rienne ; o le cas \xE9ch\xE9\ + ant, la liste des syst\xE8mes d\u2019information critiques au regard de la\ + \ s\xFBret\xE9. " + implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node132 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node123 + description: "fait approuver la liste des risques relatifs \xE0 la s\xFBret\xE9\ + \ et/ou la s\xE9curit\xE9 a\xE9rienne identifi\xE9s par son Dirigeant Responsable\ + \ et/ou ses responsables des risques identifi\xE9s selon son organisation\ + \ de gestion des risques ;" + implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node133 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node123 + description: "conserve des informations document\xE9es comme preuves des r\xE9\ + sultats d\u2019appr\xE9ciation des risques. 
" + implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:4.3 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:4 + ref_id: '4.3' + name: Traitement des risques + - urn: urn:intuitem:risk:req_node:c3cf-v2:4.3.1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:4.3 + ref_id: 4.3.1 + name: Mesures pour le traitement du risque + - urn: urn:intuitem:risk:req_node:c3cf-v2:node136 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:4.3.1 + description: "Sur la base des r\xE9sultats de l\u2019appr\xE9ciation des risques,\ + \ l\u2019organisme : " + implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node137 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node136 + description: "d\xE9finit et justifie pour chacun des risques relatifs \xE0 la\ + \ s\xFBret\xE9 et/ou \xE0 la s\xE9curit\xE9 a\xE9rienne s\u2019il :\n- maintient\ + \ le risque \xE0 condition qu\u2019il soit acceptable en l\u2019\xE9tat ;\n\ + - r\xE9duit le niveau de risque par l\u2019introduction, la suppression ou\ + \ la modification des mesures de s\xE9curit\xE9 de l\u2019information ;\n\ + - refuse le risque en \xE9vitant l\u2019activit\xE9 ou la situation qui donne\ + \ lieu \xE0 un risque ; \n- partage le risque avec une autre partie capable\ + \ de g\xE9rer de mani\xE8re plus efficace le risque." 
+ implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node138 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node136 + description: "d\xE9termine la ou les mesures permettant de traiter le risque\ + \ conform\xE9ment \xE0 l\u2019action choisie et s\u2019assure que celle ou\ + \ celles-ci n\u2019entrainent pas de nouveaux risques ; " + implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node139 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node136 + description: "met en \u0153uvre en temps utile et v\xE9rifie l\u2019efficacit\xE9\ + \ de ces mesures conform\xE9ment aux \xA76.1. et \xA76.2.3. " + implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node140 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:4.3.1 + description: "Pour d\xE9finir les mesures de s\xE9curit\xE9 de l\u2019information,\ + \ l\u2019organisme peut notamment s\u2019appuyer sur les r\xE9f\xE9rentiels\ + \ suivants : " + implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node141 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node140 + description: "Guide d\u2019hygi\xE8ne informatique de l\u2019ANSSI [21] ; " + implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node142 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node140 + description: Norme internationale ISO/IEC 27002:2022 [22] ; + implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node143 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node140 + description: 'Norme internationale ISO/ISA/IEC 62443 [23]. 
' + implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:4.3.2 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:4.3 + ref_id: 4.3.2 + name: "\xC9laboration du plan de traitement des risques" + - urn: urn:intuitem:risk:req_node:c3cf-v2:node145 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:4.3.2 + description: "L\u2019organisme \xE9labore un plan de traitement des risques\ + \ relatifs \xE0 la s\xFBret\xE9 et/ou \xE0 la s\xE9curit\xE9 a\xE9rienne permettant\ + \ d\u2019identifier pour chaque mesure de s\xE9curit\xE9 de l\u2019information\ + \ d\xE9termin\xE9e supra : " + implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node146 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node145 + description: "le ou les risques qu\u2019elle traite ; " + implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node147 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node145 + description: "la priorit\xE9 de mise en \u0153uvre; " + implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node148 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node145 + description: "le d\xE9lai de mise en \u0153uvre recommand\xE9 ; " + implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node149 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node145 + description: "le cas \xE9ch\xE9ant, les raisons ne permettant pas de les mettre\ + \ en \u0153uvre. 
" + implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:4.3.3 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:4.3 + ref_id: 4.3.3 + name: "\xC9valuation des risques r\xE9siduels" + - urn: urn:intuitem:risk:req_node:c3cf-v2:node151 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:4.3.3 + description: "L\u2019organisme \xE9value les risques r\xE9siduels, apr\xE8s\ + \ l\u2019application des mesures de s\xE9curit\xE9 de l\u2019information d\xE9\ + finies dans le plan de traitement des risques. Si un risque r\xE9siduel demeure\ + \ non acceptable, l\u2019organisme le traite \xE0 nouveau, conform\xE9ment\ + \ au \xA74.3.1, jusqu\u2019\xE0 ce que celui-ci soit acceptable. " + implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:4.3.4 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:4.3 + ref_id: 4.3.4 + name: "R\xE9sultats du traitement des risques" + - urn: urn:intuitem:risk:req_node:c3cf-v2:node153 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:4.3.4 + description: "L\u2019organisme : " + implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node154 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node153 + description: 'formalise :' + implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node155 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node154 + description: "le plan de traitement des risques relatifs \xE0 la s\xFBret\xE9\ + \ et/ou \xE0 la s\xE9curit\xE9 a\xE9rienne ;" + implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node156 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node154 + description: "la liste des risques r\xE9siduels apr\xE8s application du plan\ + \ de traitement des risques 
relatifs \xE0 la s\xFBret\xE9 et/ou \xE0 la s\xE9\ + curit\xE9 a\xE9rienne. " + implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node157 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node153 + description: "fait approuver ces documents par le Dirigeant Responsable et/ou\ + \ la (ou les) personne()s et/ou entit\xE9(s) responsable(s) des risques selon\ + \ son organisation de gestion des risques ; " + implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node158 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node153 + description: "conserve des informations document\xE9es comme preuves des r\xE9\ + sultats d\u2019appr\xE9ciation des risques. " + implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:4.4 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:4 + ref_id: '4.4' + name: "Gestion des incidents de s\xE9curit\xE9 de l\u2019information" + - urn: urn:intuitem:risk:req_node:c3cf-v2:node160 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:4.4 + description: "L\u2019organisme d\xE9finit et met en \u0153uvre des mesures techniques\ + \ et organisationnelles visant \xE0 : " + implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node161 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node160 + description: "d\xE9tecter les types d\u2019incidents de s\xE9curit\xE9 de l\u2019\ + information et identifier ceux ayant un potentiel impact sur la s\xFBret\xE9\ + \ et /ou la s\xE9curit\xE9 a\xE9rienne ; " + implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node162 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node160 + description: "r\xE9agir \xE0 la suite d\u2019un incident de s\xE9curit\xE9 de\ + \ l\u2019information ayant un potentiel 
impact sur la s\xFBret\xE9 et /ou\ + \ la s\xE9curit\xE9 a\xE9rienne d\xE9tect\xE9 ; " + implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node163 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node160 + description: "se r\xE9tablir \xE0 la suite d\u2019un incident de s\xE9curit\xE9\ + \ de l\u2019information ayant un potentiel impact sur la s\xFBret\xE9 et /ou\ + \ la s\xE9curit\xE9 a\xE9rienne. " + implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node164 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:4.4 + description: "Pour y parvenir, l\u2019organisme peut s\u2019appuyer, par exemple\ + \ sur : " + implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node165 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node164 + description: "les guides et bonnes pratiques publi\xE9s par l\u2019ANSSI ; " + implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node166 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node164 + description: "les mesures pr\xE9cis\xE9es dans la norme ISO/CEI 27002 [22]. " + implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node167 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:4.4 + description: "De plus dans le cadre de la gestion des incidents de s\xE9curit\xE9\ + \ de l\u2019information relatifs \xE0 la s\xE9curit\xE9 a\xE9rienne, l\u2019\ + organisme prend en compte les dispositions pr\xE9cis\xE9es ci-apr\xE8s. 
" + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:4.4.1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:4.4 + ref_id: 4.4.1 + name: "D\xE9tection des incidents de s\xE9curit\xE9 de l\u2019information" + - urn: urn:intuitem:risk:req_node:c3cf-v2:4.4.1.1 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:4.4.1 + ref_id: 4.4.1.1 + name: "Identification des incidents redout\xE9s de s\xE9curit\xE9 de l\u2019\ + information" + - urn: urn:intuitem:risk:req_node:c3cf-v2:node170 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:4.4.1.1 + description: "L\u2019organisme identifie la liste des types d\u2019incidents\ + \ redout\xE9s de s\xE9curit\xE9 de l\u2019information ayant un potentiel impact\ + \ sur la s\xE9curit\xE9 a\xE9rienne et des impacts et cons\xE9quences associ\xE9\ + s sur la base des r\xE9sultats de l\u2019appr\xE9ciation et du traitement\ + \ des risques r\xE9alis\xE9s au \xA74.2. et \xA74.3. " + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node171 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:4.4.1.1 + description: "L\u2019organisme peut \xE9galement s\u2019appuyer sur un ou plusieurs\ + \ r\xE9f\xE9rentiels, tels que : " + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node172 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node171 + description: "Prestataires de d\xE9tection des incidents de s\xE9curit\xE9,\ + \ s\xE9curit\xE9 - R\xE9f\xE9rentiel d\u2019exigences [24] - IV.2.1. 
b) ;" + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node173 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node171 + description: "5 standards sur la d\xE9tection des incidents de s\xE9curit\xE9\ + \ [25] ;" + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node174 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node171 + description: Annexe B de la norme internationale ISO/IEC 27035:2022 [26] ; + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node175 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node171 + description: "ED Decision 2023/009/R - Appendix I \u2014 Examples of threat\ + \ scenarios with a potential harmful impact on safety [27]. " + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:4.4.1.2. + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:4.4.1 + ref_id: 4.4.1.2. + name: "Collecte des \xE9v\xE9nements" + - urn: urn:intuitem:risk:req_node:c3cf-v2:4.4.1.2.1 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:4.4.1.2. 
+ ref_id: 4.4.1.2.1 + name: "Strat\xE9gie de collecte " + - urn: urn:intuitem:risk:req_node:c3cf-v2:node178 + assessable: false + depth: 6 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:4.4.1.2.1 + description: "Sur la base des incidents redout\xE9s de s\xE9curit\xE9 de l\u2019\ + information ayant un potentiel impact sur la s\xE9curit\xE9 a\xE9rienne, l\u2019\ + organisme : " + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node179 + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node178 + description: "identifie les sources de collecte pertinentes au sein de son syst\xE8\ + me d\u2019information ; " + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node180 + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node178 + description: "met en place une veille sur les vuln\xE9rabilit\xE9s pouvant affecter\ + \ son syst\xE8me d\u2019information ; " + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node181 + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node178 + description: "journalise les \xE9v\xE9nements pertinents \xE0 la d\xE9tection\ + \ parmi les sources de collecte identifi\xE9es et la veille sur les vuln\xE9\ + rabilit\xE9s. " + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node182 + assessable: false + depth: 6 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:4.4.1.2.1 + description: "Pour y parvenir, l\u2019organisme peut s\u2019appuyer sur : " + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node183 + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node182 + description: "les sections IV.2.2. 
c) & d) du r\xE9f\xE9rentiel d\u2019exigences\ + \ Prestataires de d\xE9tection des incidents de s\xE9curit\xE9 [24] ;" + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node184 + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node182 + description: "sur l\u2019annexe A des Recommandations de s\xE9curit\xE9 pour\ + \ la mise en \u0153uvre d\u2019un syst\xE8me de journalisation [28]. " + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:4.4.1.2.2 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:4.4.1.2. + ref_id: 4.4.1.2.2 + name: "Notification interne d\u2019\xE9v\xE9nements " + - urn: urn:intuitem:risk:req_node:c3cf-v2:node186 + assessable: false + depth: 6 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:4.4.1.2.2 + description: "L\u2019organisme : " + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node187 + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node186 + description: "met en place une proc\xE9dure de collecte des \xE9v\xE9nements\ + \ qui peuvent lui \xEAtre notifi\xE9s et qui satisfait aux exigences du r\xE8\ + glement (UE) 376/2014 [29] ;" + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node188 + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node186 + description: "en pr\xE9cise le fonctionnement, notamment :" + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node189 + assessable: true + depth: 8 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node188 + description: "les \xE9v\xE9nements qui doivent \xEAtre notifi\xE9s, \xE0 savoir\ + \ les \xE9v\xE9nements de s\xE9curit\xE9 de l\u2019information ayant un potentiel\ + \ impact sur la s\xE9curit\xE9 a\xE9rienne ; " + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node190 + assessable: true + depth: 8 + parent_urn: 
urn:intuitem:risk:req_node:c3cf-v2:node188 + description: "les moyens mis \xE0 disposition pour notifier un \xE9v\xE9nement\ + \ ;" + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node191 + assessable: true + depth: 8 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node188 + description: "les d\xE9lais de notification ;" + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node192 + assessable: true + depth: 8 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node188 + description: "les conditions d\u2019archivage, notamment au moins 5 ans." + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node193 + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node186 + description: "rend cette proc\xE9dure et les moyens de notification associ\xE9\ + s accessibles aux personnes ayant besoin d\u2019en connaitre parmi : " + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node194 + assessable: true + depth: 8 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node193 + description: son personnel interne ; + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node195 + assessable: true + depth: 8 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node193 + description: "les tiers pertinents dans le contexte, identifi\xE9s au \xA74.2.4\ + \ ;" + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node196 + assessable: true + depth: 8 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node193 + description: tous les interlocuteurs pertinents. 
+ implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node197 + assessable: false + depth: 6 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:4.4.1.2.2 + description: "L\u2019organisme : " + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node198 + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node197 + description: "peut int\xE9grer ce syst\xE8me de notification interne d\u2019\ + \xE9v\xE9nements \xE0 un syst\xE8me existant ; " + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node199 + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node197 + description: "formalise la description de ce syst\xE8me et l\u2019int\xE8gre\ + \ ou y fait r\xE9f\xE9rence dans : " + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node200 + assessable: true + depth: 8 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node199 + description: "le manuel du syst\xE8me de management de la s\xE9curit\xE9 de\ + \ l\u2019information, ou ; " + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node201 + assessable: true + depth: 8 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node199 + description: "le manuel de l\u2019organisme approuv\xE9/certifi\xE9." + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:4.4.1.3 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:4.4.1 + ref_id: 4.4.1.3 + name: "Strat\xE9gie de d\xE9tection" + - urn: urn:intuitem:risk:req_node:c3cf-v2:node203 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:4.4.1.3 + description: "L\u2019organisme met en place une strat\xE9gie de d\xE9tection\ + \ qui permet de d\xE9tecter les incidents redout\xE9s de s\xE9curit\xE9 de\ + \ l\u2019information ayant un potentiel impact sur la s\xE9curit\xE9 a\xE9\ + rienne sur la base des sources de collecte pr\xE9c\xE9dentes. 
Aussi, l\u2019\ + organisme :" + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node204 + assessable: false + depth: 6 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node203 + description: "d\xE9finit :" + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node205 + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node204 + description: "une classification par ordre de gravit\xE9 des incidents redout\xE9\ + s de s\xE9curit\xE9 de l\u2019information ayant un potentiel impact sur la\ + \ s\xE9curit\xE9 a\xE9rienne ; " + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node206 + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node204 + description: "des r\xE8gles de d\xE9tection en : " + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node207 + assessable: false + depth: 8 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node206 + description: "s\u2019appuyant sur : " + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node208 + assessable: true + depth: 9 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node207 + description: "la liste des incidents de s\xE9curit\xE9 redout\xE9s de s\xE9\ + curit\xE9 de l\u2019information ayant un potentiel impact sur la s\xE9curit\xE9\ + \ a\xE9rienne ; " + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node209 + assessable: true + depth: 9 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node207 + description: "des bases de connaissances acquises aupr\xE8s des partenaires\ + \ ext\xE9rieurs ; " + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node210 + assessable: true + depth: 9 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node207 + description: "des bases de connaissances internes (audits, tests de vuln\xE9\ + rabilit\xE9s et d\u2019intrusion) ; " + implementation_groups: + - sec + - 
urn: urn:intuitem:risk:req_node:c3cf-v2:node211 + assessable: true + depth: 9 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node207 + description: "une veille sur la menace et les vuln\xE9rabilit\xE9s ; " + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node212 + assessable: true + depth: 9 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node207 + description: "l\u2019identification d\u2019\xE9cart de bon fonctionnement par\ + \ rapport au comportement \xE0 d\xE9tecter ; " + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node213 + assessable: true + depth: 9 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node207 + description: 'les impacts sur les performances ; ' + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node214 + assessable: true + depth: 9 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node207 + description: "les incidents de s\xE9curit\xE9 de l\u2019information connus aupr\xE8\ + s d\u2019autres organismes. 
" + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node215 + assessable: false + depth: 8 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node206 + description: "en pr\xE9cisant pour chaque r\xE8gle :" + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node216 + assessable: true + depth: 9 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node215 + description: "les moyens mis en \u0153uvre ; " + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node217 + assessable: true + depth: 9 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node215 + description: 'une description ; ' + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node218 + assessable: true + depth: 9 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node215 + description: "Le ou les incidents redout\xE9s associ\xE9s ;" + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node219 + assessable: true + depth: 9 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node215 + description: "Le niveau de gravit\xE9. " + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node220 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node203 + description: "assure la centralisation et la corr\xE9lation des \xE9v\xE9nements\ + \ et des vuln\xE9rabilit\xE9s remont\xE9es ; " + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node221 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node203 + description: "identifie les \xE9v\xE9nements ou combinaison d\u2019\xE9v\xE8\ + nements pouvant mener \xE0 un incident ayant un potentiel impact sur la s\xE9\ + curit\xE9 a\xE9rienne. 
" + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:4.4.1.4 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:4.4.1 + ref_id: 4.4.1.4 + name: 'Qualification ' + - urn: urn:intuitem:risk:req_node:c3cf-v2:node223 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:4.4.1.4 + description: "Lorsqu\u2019un \xE9v\xE8nement pouvant mener \xE0 un incident\ + \ de s\xE9curit\xE9 de l\u2019information ayant un potentiel impact sur la\ + \ s\xE9curit\xE9 a\xE9rienne est d\xE9tect\xE9, l\u2019organisme le qualifie\ + \ en incident de s\xE9curit\xE9 de l\u2019information, notamment il : " + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node224 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node223 + description: "en d\xE9termine la v\xE9racit\xE9 afin d\u2019\xE9liminer les\ + \ faux positifs ; " + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node225 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node223 + description: "identifie les \xE9quipements, syst\xE8mes, donn\xE9es et informations\ + \ concern\xE9s par l\u2019incident d\xE9tect\xE9 ;" + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node226 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node223 + description: "identifie les cons\xE9quences en mati\xE8re de s\xE9curit\xE9\ + \ a\xE9rienne et en d\xE9termine :" + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node227 + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node226 + description: "les impacts et la gravit\xE9 de l\u2019incident d\xE9tect\xE9\ + \ ;" + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node228 + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node226 + description: "les causes 
de l\u2019incident. " + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node229 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node223 + description: "identifie les \xE9ventuelles parties prenantes en interne et/ou\ + \ les partenaires ext\xE9rieurs concern\xE9s par l\u2019incident ;" + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node230 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node223 + description: "formalise la qualification de la d\xE9tection ;" + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node231 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node223 + description: "conserve des informations document\xE9es au moins jusqu\u2019\xE0\ + \ la prochaine qualification. " + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:4.4.1.5 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:4.4.1 + ref_id: 4.4.1.5 + name: ' Notification' + - urn: urn:intuitem:risk:req_node:c3cf-v2:node233 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:4.4.1.5 + description: "Pour chaque \xE9v\xE9nement qualifi\xE9 en incident de s\xE9curit\xE9\ + , l\u2019organisme notifie : " + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node234 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node233 + description: "les personnes pertinentes au sein de son organisation pour activer\ + \ les r\xE9actions appropri\xE9es ;" + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node235 + assessable: false + depth: 6 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node233 + description: "le cas \xE9ch\xE9ant :" + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node236 + assessable: true + depth: 7 + parent_urn: 
urn:intuitem:risk:req_node:c3cf-v2:node235 + description: "les partenaires externes concern\xE9s selon le cadre d\xE9fini\ + \ au \xA74.5.1;" + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node237 + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node235 + description: "l\u2019autorit\xE9 selon le cadre d\xE9fini au \xA74.4.5." + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:4.4.2 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:4.4 + ref_id: 4.4.2 + name: "R\xE9ponse aux incidents de s\xE9curit\xE9 de l\u2019information" + - urn: urn:intuitem:risk:req_node:c3cf-v2:node239 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:4.4.2 + description: "L\u2019organisme d\xE9finit un m\xE9canisme de r\xE9ponse \xE0\ + \ incident qui :" + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node240 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node239 + description: "pr\xE9cise : " + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node241 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node240 + description: "les r\xF4les et les responsabilit\xE9s des personnes qui activent\ + \ les r\xE9actions en cas d\u2019incident qualifi\xE9 ;" + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node242 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node240 + description: "les modalit\xE9s d\u2019information de ces personnes \xE0 la suite\ + \ de la qualification d\u2019un incident, notamment les outils et les d\xE9\ + lais." 
+ implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node243 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node239 + description: "d\xE9finit les actions imm\xE9diates \xE0 mettre en \u0153uvre,\ + \ notamment en identifiant pour chaque type d\u2019incident redout\xE9 relatifs\ + \ \xE0 la s\xE9curit\xE9 a\xE9rienne : " + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node244 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node243 + description: "les ressources \xE0 activer au sein de l\u2019entreprise et \xE0\ + \ l\u2019ext\xE9rieur de l\u2019entreprise, notamment dans le cadre d\u2019\ + un contrat avec un Prestataire de R\xE9ponse \xE0 Incident de S\xE9curit\xE9\ + \ (PRIS) ou de l\u2019adh\xE9sion \xE0 un CERT ; " + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node245 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node243 + description: "les mesures organisationnelles et techniques pouvant \xEAtre mises\ + \ en \u0153uvre pour limiter la propagation d\u2019une attaque et \xE9viter\ + \ la mat\xE9rialisation du ou des incidents redout\xE9s. Ce r\xE9f\xE9rentiel\ + \ de mesures est tenu \xE0 jour en fonction de l\u2019\xE9volution du contexte\ + \ ; " + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node246 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node243 + description: "les d\xE9lais de mise en \u0153uvre de ces mesures. 
" + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node247 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node239 + description: "met en place une surveillance des \xE9quipements, syst\xE8mes,\ + \ donn\xE9es et informations de son syst\xE8me d\u2019information associ\xE9\ + s \xE0 l\u2019incident d\xE9tect\xE9, et met \xE0 jour si n\xE9cessaire ce\ + \ p\xE9rim\xE8tre \xE0 surveiller. " + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:4.4.3 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:4.4 + ref_id: 4.4.3 + name: "Rem\xE9diation " + - urn: urn:intuitem:risk:req_node:c3cf-v2:node249 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:4.4.3 + description: "L\u2019organisme d\xE9finit des plans de rem\xE9diation \xE0 actionner\ + \ en cas d\u2019incident, qui : " + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node250 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node249 + description: "pr\xE9cise les r\xF4les et les responsabilit\xE9s des personnes\ + \ qui g\xE8rent les actions de rem\xE9diation ; " + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node251 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node249 + description: "d\xE9finit un ou des plans de rem\xE9diation pour chaque type\ + \ d\u2019incident redout\xE9 relatifs \xE0 la s\xE9curit\xE9 a\xE9rienne qui\ + \ :" + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node252 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node251 + description: "identifie les ressources \xE0 activer au sein de l\u2019organisme\ + \ et \xE0 l\u2019ext\xE9rieur de l\u2019entreprise si applicable, notamment\ + \ dans le cadre d\u2019un contrat avec un Prestataire de R\xE9ponse \xE0 Incident\ + \ de 
S\xE9curit\xE9 (PRIS) ou de l\u2019adh\xE9sion \xE0 un CERT ; " + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node253 + assessable: false + depth: 6 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node251 + description: "pr\xE9cise les actions \xE0 mettre en \u0153uvre pour : " + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node254 + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node253 + description: "identifier le p\xE9rim\xE8tre du syst\xE8me d\u2019information\ + \ impact\xE9 ; " + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node255 + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node253 + description: "r\xE9aliser la rem\xE9diation du syst\xE8me d\u2019information\ + \ impact\xE9 ; " + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node256 + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node253 + description: "s\u2019assurer que le syst\xE8me d\u2019information a retrouv\xE9\ + \ un \xE9tat s\xFBr et peut \xEAtre remis en service. " + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node257 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node251 + description: "pr\xE9voit la d\xE9termination des d\xE9lais de remise en service\ + \ en fonction du niveau de gravit\xE9, de la nature et du contexte de l\u2019\ + incident. " + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node258 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node249 + description: "produit un rapport d\u2019incident qui sera communiqu\xE9 \xE0\ + \ l\u2019autorit\xE9 selon les modalit\xE9s d\xE9finies au \xA74.4.5. 
" + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:4.4.4 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:4.4 + ref_id: 4.4.4 + name: "R\xE9sultat de la gestion des incidents de s\xE9curit\xE9 de l\u2019\ + information" + - urn: urn:intuitem:risk:req_node:c3cf-v2:node260 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:4.4.4 + description: "L\u2019organisme formalise la liste des mesures techniques et\ + \ organisationnelles visant \xE0 : " + implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node261 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node260 + description: "d\xE9tecter les incidents de s\xE9curit\xE9 de l\u2019information\ + \ ayant un potentiel impact sur la s\xFBret\xE9 et /ou la s\xE9curit\xE9 a\xE9\ + rienne ; " + implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node262 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node260 + description: "r\xE9agir \xE0 la suite d\u2019une incident de s\xE9curit\xE9\ + \ de l\u2019information ayant un potentiel impact sur la s\xFBret\xE9 et /ou\ + \ la s\xE9curit\xE9 a\xE9rienne d\xE9tect\xE9 ; " + implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node263 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node260 + description: "se r\xE9tablir \xE0 la suite d\u2019un incident de s\xE9curit\xE9\ + \ de l\u2019information ayant un potentiel impact sur la s\xFBret\xE9 et /ou\ + \ la s\xE9curit\xE9 a\xE9rienne. 
" + implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node264 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:4.4.4 + description: "De plus dans le cadre de la gestion des incidents de s\xE9curit\xE9\ + \ relatifs \xE0 la s\xE9curit\xE9 a\xE9rienne, l\u2019organisme formalise\ + \ : " + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node265 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:4.4.4 + description: "la liste des incidents redout\xE9s relatifs \xE0 la s\xE9curit\xE9\ + \ a\xE9rienne; " + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node266 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:4.4.4 + description: "la liste des sources de collecte, le syst\xE8me de veille des\ + \ vuln\xE9rabilit\xE9s et les \xE9v\xE9nements journalis\xE9s ; " + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node267 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:4.4.4 + description: "la liste des r\xE8gles de d\xE9tection mises en \u0153uvre ; " + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node268 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:4.4.4 + description: "les actions imm\xE9diates \xE0 mettre en \u0153uvre pour chaque\ + \ type d\u2019incident redout\xE9 relatifs \xE0 la s\xE9curit\xE9 a\xE9rienne\ + \ ; - les plans de rem\xE9diation. " + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node269 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:4.4.4 + description: "Enfin l\u2019organisme conserve des informations document\xE9\ + es appropri\xE9es comme preuves de la gestion des incidents de s\xE9curit\xE9\ + \ de l\u2019information. 
" + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:4.4.5 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:4.4 + ref_id: 4.4.5 + name: "Notification \xE0 l\u2019autorit\xE9 " + - urn: urn:intuitem:risk:req_node:c3cf-v2:node271 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:4.4.5 + description: 'A paraitre dans la prochaine version du 3CFv2 ' + - urn: urn:intuitem:risk:req_node:c3cf-v2:4.5 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:4 + ref_id: '4.5' + name: Gestions des risques induits par les tiers + - urn: urn:intuitem:risk:req_node:c3cf-v2:4.5.1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:4.5 + ref_id: 4.5.1 + name: Organismes en interface + - urn: urn:intuitem:risk:req_node:c3cf-v2:4.5.1.1 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:4.5.1 + ref_id: 4.5.1.1 + name: "Organismes pr\xE9sentant un risque pour la s\xFBret\xE9 a\xE9rienne" + - urn: urn:intuitem:risk:req_node:c3cf-v2:node275 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:4.5.1.1 + description: "Sur la base de la liste des organismes en interface pr\xE9sentant\ + \ un risque pour la s\xFBret\xE9 a\xE9rienne \xE9tablie au \xA74.2, l\u2019\ + organisme d\xE9finit un cadre de travail avec ces derniers qui : " + implementation_groups: + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node276 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node275 + description: "pr\xE9voit des r\xE8gles d\u2019\xE9change d\u2019information\ + \ visant \xE0 pr\xE9server l\u2019authenticit\xE9, la confidentialit\xE9 et\ + \ l\u2019int\xE9grit\xE9 des informations \xE9chang\xE9es ainsi que l\u2019\ + anonymat des interlocuteurs s\u2019ils le souhaitent ; " + implementation_groups: + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node277 + assessable: true + depth: 
6 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node275 + description: "pr\xE9cise les exigences \xE0 leur faire appliquer. Elles sont\ + \ d\u2019ordre :" + implementation_groups: + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node278 + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node277 + description: "r\xE8glementaire, notamment celles en mati\xE8re de : " + implementation_groups: + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node279 + assessable: true + depth: 8 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node278 + description: "v\xE9rification des ant\xE9c\xE9dents ; " + implementation_groups: + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node280 + assessable: true + depth: 8 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node278 + description: "sensibilisation et de formation \xE0 la s\xE9curit\xE9 de l\u2019\ + information. " + implementation_groups: + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node281 + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node277 + description: 'contractuel, notamment : ' + implementation_groups: + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node282 + assessable: true + depth: 8 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node281 + description: "la mise en \u0153uvre de mesures de s\xE9curit\xE9 de l\u2019\ + information d\xE9finies par l\u2019organisme[1] ;" + implementation_groups: + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node283 + assessable: true + depth: 8 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node281 + description: "une surveillance adapt\xE9e au contexte des activit\xE9s du tiers.\ + \ " + implementation_groups: + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node284 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:4.5.1.1 + description: "L\u2019organisme conserve des informations document\xE9es comme\ + \ preuves de la gestion des organismes en interface 
pr\xE9sentant un risque\ + \ pour la s\xFBret\xE9 a\xE9rienne. " + implementation_groups: + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:4.5.1.2 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:4.5.1 + ref_id: 4.5.1.2 + name: "Organismes pr\xE9sentant un risque pour la s\xE9curit\xE9 a\xE9rienne" + - urn: urn:intuitem:risk:req_node:c3cf-v2:4.5.1.2.1 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:4.5.1.2 + ref_id: 4.5.1.2.1 + name: "Organismes en interface d\xE9tenant un agr\xE9ment ou un certificat de\ + \ s\xE9curit\xE9" + - urn: urn:intuitem:risk:req_node:c3cf-v2:node287 + assessable: false + depth: 6 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:4.5.1.2.1 + description: "Sur la base de la liste des organismes en interface pr\xE9sentant\ + \ un risque pour la s\xE9curit\xE9 a\xE9rienne \xE9tablie au \xA74.2.4, l\u2019\ + organisme : " + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node288 + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node287 + description: "identifie les tiers pr\xE9sentant un risque pour la s\xE9curit\xE9\ + \ a\xE9rienne et devant \xEAtre conformes aux r\xE8glements Part-IS, appel\xE9\ + es aussi contractants ; " + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node289 + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node287 + description: "d\xE9finit un cadre de travail avec ces derniers, qui pr\xE9voit\ + \ :" + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node290 + assessable: true + depth: 8 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node289 + description: "la d\xE9finition des responsabilit\xE9s pour la gestion des risques\ + \ partag\xE9s ;" + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node291 + assessable: true + depth: 8 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node289 + 
description: "un partage des hypoth\xE8ses et des objectifs de s\xE9curit\xE9\ + \ sur les p\xE9rim\xE8tres concern\xE9s ; " + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node292 + assessable: true + depth: 8 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node289 + description: "la notification des \xE9v\xE9nements de s\xE9curit\xE9 de l\u2019\ + information et des vuln\xE9rabilit\xE9s ayant un potentiel impact sur la s\xE9\ + curit\xE9 a\xE9rienne conform\xE9ment au \xA74.4.1.2.2 ; " + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node293 + assessable: true + depth: 8 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node289 + description: "des r\xE8gles d\u2019\xE9change d\u2019information visant \xE0\ + \ pr\xE9server l\u2019authenticit\xE9, la confidentialit\xE9 et l\u2019int\xE9\ + grit\xE9 des informations \xE9chang\xE9es ainsi que l\u2019anonymat des interlocuteurs\ + \ s\u2019ils le souhaitent." + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node294 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:4.5.1.2.1 + description: "L\u2019organisme conserve des informations document\xE9es comme\ + \ preuves de la gestion des organismes agr\xE9\xE9s ou certifi\xE9s en interfaces\ + \ pr\xE9sentant un risque pour la s\xE9curit\xE9 a\xE9rienne. 
" + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:4.5.1.2.2 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:4.5.1.2 + ref_id: 4.5.1.2.2 + name: "Organismes en interface ne d\xE9tenant pas d\u2019agr\xE9ment ou de certificat\ + \ de s\xE9curit\xE9" + - urn: urn:intuitem:risk:req_node:c3cf-v2:node296 + assessable: false + depth: 6 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:4.5.1.2.2 + description: "Sur la base de la liste des organismes en interface pr\xE9sentant\ + \ un risque pour la s\xE9curit\xE9 a\xE9rienne \xE9tablie au \xA74.2.4, l\u2019\ + organisme : " + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node297 + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node296 + description: "identifie les tiers pr\xE9sentant un risque pour la s\xE9curit\xE9\ + \ a\xE9rienne et n\u2019ayant pas d\u2019obligation d\u2019\xEAtre conformes\ + \ aux r\xE8glements Part-IS ;" + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node298 + assessable: false + depth: 7 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node296 + description: "d\xE9finit :" + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node299 + assessable: true + depth: 8 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node298 + description: "Lorsque cela est possible, un cadre de travail avec ces derniers\ + \ qui pr\xE9voit : " + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node300 + assessable: true + depth: 9 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node299 + description: "la notification d'\xE9v\xE9nements de s\xE9curit\xE9 de l\u2019\ + information et de vuln\xE9rabilit\xE9 ayant un potentiel impact sur la s\xE9\ + curit\xE9 a\xE9rienne conform\xE9ment au \xA74.4.1.2.2 ; " + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node301 + assessable: true + depth: 9 + 
parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node299 + description: "des r\xE8gles d\u2019\xE9change d\u2019information visant \xE0\ + \ pr\xE9server l\u2019authenticit\xE9, la confidentialit\xE9 et l\u2019int\xE9\ + grit\xE9 des informations \xE9chang\xE9es ainsi que l\u2019anonymat des interlocuteurs\ + \ s\u2019ils le souhaitent ; " + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node302 + assessable: true + depth: 9 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node299 + description: "la mise en \u0153uvre de mesures de s\xE9curit\xE9 de l\u2019\ + information d\xE9finies par l\u2019organisme7 ainsi qu\u2019une surveillance\ + \ adapt\xE9e au contexte des activit\xE9s du tiers ; " + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node303 + assessable: true + depth: 9 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node299 + description: "Le cas \xE9ch\xE9ant, un contr\xF4le de la fiabilit\xE9 du personnel\ + \ conform\xE9ment \xE0 la politique de contr\xF4le de la fiabilit\xE9 d\xE9\ + finie par l\u2019organisme (\xA75.2). " + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node304 + assessable: true + depth: 8 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node298 + description: "Sinon, l\u2019organisme traite ce risque dans le cadre du \xA7\ + 4.3. " + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node305 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:4.5.1.2.2 + description: "L\u2019organisme conserve des informations document\xE9es comme\ + \ preuves de la gestion des organismes non-agr\xE9\xE9s ou noncertifi\xE9\ + s en interface pr\xE9sentant un risque pour la s\xE9curit\xE9 a\xE9rienne. 
" + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:4.5.2 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:4.5 + ref_id: 4.5.2 + name: "Sous-traitance des activit\xE9s du SMSI" + - urn: urn:intuitem:risk:req_node:c3cf-v2:node307 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:4.5.2 + description: "L\u2019organisme identifie les sous-traitants \u0153uvrant pour\ + \ une ou plusieurs activit\xE9s de son SMSI. Il s\u2019agit notamment des\ + \ tiers participant aux activit\xE9s de : " + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node308 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node307 + description: "gestion des risques (appr\xE9ciation, traitement des risques et\ + \ gestion des incidents ) ;" + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node309 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node307 + description: fonctionnement du SMSI. 
+ implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node310 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:4.5.2 + description: "Dans le cas o\xF9 l\u2019organisme fait appel \xE0 un sous-traitant\ + \ qualifi\xE9 par l\u2019ANSSI[2] alors ce dernier est consid\xE9r\xE9 comme\ + \ conforme aux exigences des r\xE8glements Part-IS (IS.OR.250) \xE0 condition\ + \ que soient pr\xE9vues : " + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node311 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node310 + description: "la possibilit\xE9 pour l\u2019autorit\xE9 comp\xE9tente d\u2019\ + avoir acc\xE8s au sous-traitant ; " + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node312 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node310 + description: "la notification \xE0 l\u2019organisme d'\xE9v\xE9nements de s\xE9\ + curit\xE9 de l\u2019information et de vuln\xE9rabilit\xE9 ayant un potentiel\ + \ impact sur la s\xE9curit\xE9 a\xE9rienne conform\xE9ment au \xA74.4.1.2.2. 
" + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node313 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:4.5.2 + description: "Dans le cas contraire, l\u2019organisme : " + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node314 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node313 + description: "m\xE8ne une analyse de risque relative \xE0 la contractualisation\ + \ d\u2019une ou plusieurs de ces activit\xE9s bas\xE9e sur une \xE9valuation\ + \ : " + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node315 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node314 + description: "des comp\xE9tences du sous-traitant ;" + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node316 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node314 + description: "de l'exp\xE9rience du sous-traitant pour la ou les activit\xE9\ + s concern\xE9es ;" + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node317 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node314 + description: "la fiabilit\xE9 \xE9conomique et technique du sous-traitant." 
+ implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node318 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node313 + description: "\xE9labore un contrat pr\xE9cisant :" + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node319 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node318 + description: "l\u2019organisation de la prestation :" + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node320 + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node319 + description: "les r\xF4les et responsabilit\xE9s entre l\u2019organisme et le\ + \ sous-traitant ;" + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node321 + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node319 + description: "un sch\xE9ma de reporting clair entre l\u2019organisme et le sous-traitant\ + \ ;" + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node322 + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node319 + description: "la m\xE9thode et les outils de suivi de la prestation. 
" + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node323 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node318 + description: "le p\xE9rim\xE8tre de la prestation ;" + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node324 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node318 + description: "les exigences applicables pour la ou les activit\xE9s du SMSI\ + \ concern\xE9es ;" + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node325 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node318 + description: "la gestion des autorisations d'acc\xE8s aux informations de l\u2019\ + organisme ;" + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node326 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node318 + description: "les clauses de confidentialit\xE9 ;" + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node327 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node318 + description: les actions possibles en cas de non-respect du contrat ; + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node328 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node318 + description: "la possibilit\xE9 de mener des contr\xF4les par l\u2019organisme\ + \ ;" + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node329 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node318 + description: "la possibilit\xE9 pour l\u2019autorit\xE9 comp\xE9tente d\u2019\ + avoir acc\xE8s au sous-traitant ; " + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node330 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node318 + description: "la notification 
\xE0 l\u2019organisme d'\xE9v\xE9nements de s\xE9\ + curit\xE9 de l\u2019information et de vuln\xE9rabilit\xE9 ayant un potentiel\ + \ impact sur la s\xE9curit\xE9 a\xE9rienne conform\xE9ment au \xA74.4.1.2.2. " + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node331 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:4.5.2 + description: "Enfin, l\u2019organisme : " + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node332 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node331 + description: "formalise la liste des sous-traitants \u0153uvrant pour une ou\ + \ plusieurs activit\xE9s de son SMSI ; " + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node333 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node331 + description: "conserve des informations document\xE9es comme preuves de la gestion\ + \ des sous-traitants des activit\xE9s du SMSI. 
" + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:5 + assessable: false + depth: 1 + ref_id: '5' + name: "Personnels et comp\xE9tences " + - urn: urn:intuitem:risk:req_node:c3cf-v2:5.1 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:5 + ref_id: '5.1' + name: "V\xE9rification des ant\xE9c\xE9dents et contr\xF4le de la fiabilit\xE9\ + \ " + - urn: urn:intuitem:risk:req_node:c3cf-v2:5.1.1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:5.1 + ref_id: 5.1.1 + name: "V\xE9rification des ant\xE9c\xE9dents pour les personnels de s\xFBret\xE9\ + \ a\xE9rienne" + - urn: urn:intuitem:risk:req_node:c3cf-v2:5.1.1.1 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:5.1.1 + ref_id: 5.1.1.1 + name: "Personnel de s\xFBret\xE9 a\xE9rienne" + - urn: urn:intuitem:risk:req_node:c3cf-v2:node338 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:5.1.1.1 + description: "Sur la base de son analyse de risques, l\u2019organisme identifie\ + \ ou fait identifier par les tiers d\xE9termin\xE9s au \xA74.2.4,les personnes\ + \ :" + implementation_groups: + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node339 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node338 + description: "ayant des droits d'administrateur ou un acc\xE8s non surveill\xE9\ + \ et illimit\xE9 aux donn\xE9es et syst\xE8mes de technologies de l'information\ + \ et de la communication critiques utilis\xE9s aux fins de la s\xFBret\xE9\ + \ a\xE9rienne, identifi\xE9s au \xA74.2., et/ou ;" + implementation_groups: + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node340 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node338 + description: "qui ont \xE9t\xE9 identifi\xE9es lors de l'\xE9valuation des risques\ + \ relative \xE0 la s\xFBret\xE9 a\xE9rienne au \xA74.2." 
+ implementation_groups: + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node341 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:5.1.1.1 + description: "Il s\u2019agit notamment : " + implementation_groups: + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node342 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node341 + description: "des \xE9quipes manag\xE9riales, \xE0 savoir les personnes organisant,\ + \ pilotant, contr\xF4lant ou participant \xE0 la gestion des risques de s\xE9\ + curit\xE9 de l\u2019information pouvant affecter la s\xFBret\xE9 a\xE9rienne;\ + \ (RSSI, DSI, Auditeur interne, responsable s\xFBret\xE9, etc.) ;" + implementation_groups: + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node343 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node341 + description: "des \xE9quipes op\xE9rationnelles, \xE0 savoir les personnes d\xE9\ + finissant, planifiant et mettant en \u0153uvre les mesures de s\xE9curit\xE9\ + \ de l\u2019information d\xE9finies au \xA74.3. 
sur les syst\xE8mes d\u2019\ + information critiques \xE0 la s\xFBret\xE9 identifi\xE9s au \xA74.2 ; " + implementation_groups: + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node344 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node341 + description: "des administrateurs des syst\xE8mes d\u2019information critiques\ + \ \xE0 la s\xFBret\xE9 identifi\xE9s au \xA74.2 " + implementation_groups: + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node345 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node341 + description: "des utilisateurs ayant un acc\xE8s non surveill\xE9 et illimit\xE9\ + \ aux donn\xE9es et syst\xE8mes d\u2019information critiques \xE0 la s\xFB\ + ret\xE9 identifi\xE9s au \xA74.2 ; " + implementation_groups: + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node346 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node341 + description: "Le cas \xE9ch\xE9ant, des personnes et/ou entit\xE9s responsables\ + \ des risques relatifs \xE0 la s\xFBret\xE9 a\xE9rienne identifi\xE9es au\ + \ \xA74.2. " + implementation_groups: + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node347 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:5.1.1.1 + description: "L\u2019organisme conserve des informations document\xE9es appropri\xE9\ + es comme preuves de l\u2019identification des personnels de s\xFBret\xE9 a\xE9\ + rienne. 
" + implementation_groups: + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:5.1.1.2 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:5.1.1 + ref_id: 5.1.1.2 + name: "V\xE9rification renforc\xE9e des ant\xE9c\xE9dents pour les personnels\ + \ de s\xFBret\xE9 a\xE9rienne " + - urn: urn:intuitem:risk:req_node:c3cf-v2:node349 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:5.1.1.2 + description: "L\u2019organisme applique ou fait appliquer par les tiers identifi\xE9\ + s au \xA74.2.4., une v\xE9rification renforc\xE9e des ant\xE9c\xE9dents des\ + \ personnels de s\xFBret\xE9 a\xE9rienne identifi\xE9s pr\xE9c\xE9demment.\ + \ Ainsi, il met en \u0153uvre les actions suivantes, ou s\u2019assure de cette\ + \ mise en \u0153uvre par les tiers. L\u2019organisme : " + implementation_groups: + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node350 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node349 + description: "s\u2019assure que ces personnes disposent d\u2019une habilitation\ + \ pr\xE9fectorale pr\xE9vue par l\u2019article L6342-3 du code des transports,\ + \ \xE0 savoir : " + implementation_groups: + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node351 + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node350 + description: "qu\u2019ils disposent d\u2019un titre d\u2019acc\xE8s en zone\ + \ de s\xFBret\xE9 \xE0 acc\xE8s r\xE9glement\xE9 valide dont la d\xE9livrance\ + \ n\xE9cessite la d\xE9tention de l\u2019habilitation pr\xE9fectorale susmentionn\xE9\ + e, ou bien ; " + implementation_groups: + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node352 + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node350 + description: "qu\u2019ils disposent d\u2019une habilitation sans badge valide. 
" + implementation_groups: + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node353 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node349 + description: "prend en consid\xE9ration les emplois, \xE9tudes et interruptions[3]\ + \ \xE9ventuelles de ces personnes dans les \xC9tats o\xF9 elles ont r\xE9\ + sid\xE99 au cours des 5 derni\xE8res ann\xE9es ; " + implementation_groups: + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node354 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node349 + description: "renouvelle ces v\xE9rifications \xE0 intervalles r\xE9guliers\ + \ ne d\xE9passant pas 12 mois ; " + implementation_groups: + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node355 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node349 + description: "porte une vigilance particuli\xE8re sur les interruptions6 injustifi\xE9\ + es de ces personnes en leur demandant des explications ou justificatifs et\ + \ trace le fait que cette v\xE9rification a bien \xE9t\xE9 effectu\xE9e. 
" + implementation_groups: + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node356 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:5.1.1.2 + description: "L\u2019organisme : " + implementation_groups: + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node357 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node356 + description: "tient \xE0 jour une liste des personnels de s\xFBret\xE9 ayant\ + \ fait l\u2019objet d\u2019une v\xE9rification d\u2019identit\xE9 et d\xE9\ + tenant une habilitation valide ; " + implementation_groups: + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node358 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node356 + description: "formalise sa proc\xE9dure de v\xE9rification des ant\xE9c\xE9\ + dents pour les personnels de s\xFBret\xE9 ; " + implementation_groups: + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node359 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node356 + description: "int\xE8gre ou fait r\xE9f\xE9rence \xE0 cette proc\xE9dure dans\ + \ le programme de s\xFBret\xE9; " + implementation_groups: + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node360 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node356 + description: "conserve des informations document\xE9es appropri\xE9es comme\ + \ preuves de la v\xE9rification des ant\xE9c\xE9dents. 
" + implementation_groups: + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:5.1.2 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:5.1 + ref_id: 5.1.2 + name: "Contr\xF4le de la fiabilit\xE9 des personnels de s\xE9curit\xE9 a\xE9\ + rienne" + - urn: urn:intuitem:risk:req_node:c3cf-v2:node362 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:5.1.2 + description: "Sur la base de son analyse de risques, l\u2019organisme d\xE9\ + finit sa politique de contr\xF4le de la fiabilit\xE9 des personnes, dans laquelle\ + \ le contr\xF4le auquel est soumis chaque personne est proportionnel \xE0\ + \ l\u2019impact qu\u2019elle pourrait avoir sur la s\xE9curit\xE9 a\xE9rienne\ + \ par compromission de l\u2019int\xE9grit\xE9, de la confidentialit\xE9 ou\ + \ de la disponibilit\xE9 des donn\xE9es. " + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node363 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:5.1.2 + description: 'Cette politique identifie : ' + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node364 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node363 + description: "des cat\xE9gories de personnes en fonction du risque pour la s\xE9\ + curit\xE9 a\xE9rienne ;" + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node365 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node363 + description: "des mesures de contr\xF4le de la fiabilit\xE9 qui :" + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node366 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node365 + description: "\xE9tablissent a minima l\u2019identit\xE9 de la personne au travers\ + \ de la v\xE9rification d\u2019un document d\u2019identit\xE9 ;" + implementation_groups: + - sec + - urn: 
urn:intuitem:risk:req_node:c3cf-v2:node367 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node365 + description: "peuvent, selon les cat\xE9gories pr\xE9c\xE9demment identifi\xE9\ + es et leur niveau de risque pour la s\xE9curit\xE9 a\xE9rienne : " + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node368 + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node367 + description: "prendre en consid\xE9ration les emplois, \xE9tudes et interruptions\ + \ \xE9ventuelles de ces personnes dans les \xC9tats o\xF9 elles ont r\xE9\ + sid\xE9 au cours des 5 derni\xE8res ann\xE9es ; " + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node369 + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node367 + description: "amener \xE0 r\xE9aliser une v\xE9rification des ant\xE9c\xE9dents\ + \ selon des modalit\xE9s \xE0 pr\xE9ciser, telles que : " + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node370 + assessable: true + depth: 8 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node369 + description: "l\u2019habilitation pr\xE9fectorale vis\xE9es supra ; " + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node371 + assessable: true + depth: 8 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node369 + description: "la fourniture de l\u2019extrait de casier judiciaire (bulletin\ + \ num\xE9ro 3) ; " + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node372 + assessable: true + depth: 8 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node369 + description: "le dispositif de protection des secrets de D\xE9fense Nationale\ + \ ; " + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node373 + assessable: true + depth: 8 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node369 + description: "tout autre dispositif existant et r\xE9pondant aux 
objectifs de\ + \ v\xE9rification des ant\xE9c\xE9dents. " + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node374 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:5.1.2 + description: "L\u2019organisme : " + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node375 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node374 + description: "applique ou fait appliquer par les tiers identifi\xE9s au \xA7\ + 4.2.4, sa politique de contr\xF4le de la fiabilit\xE9 des personnes ; " + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node376 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node374 + description: "tient \xE0 jour une liste des personnels de s\xE9curit\xE9 a\xE9\ + rienne ayant fait l\u2019objet d\u2019une v\xE9rification d\u2019identit\xE9\ + \ et d\u2019un contr\xF4le de leur fiabilit\xE9, en pr\xE9cisant duquel il\ + \ s\u2019agit en fonction des risques sur la s\xE9curit\xE9 a\xE9rienne ;" + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node377 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node374 + description: "formalise la politique de contr\xF4le de la fiabilit\xE9 du personnel\ + \ ;" + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node378 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node374 + description: "int\xE8gre ou fait r\xE9f\xE9rence \xE0 cette politique dans :" + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node379 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node378 + description: "le manuel du syst\xE8me de management de la s\xE9curit\xE9 de\ + \ l\u2019information, ou ;" + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node380 + assessable: true + depth: 6 + 
parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node378 + description: "le manuel de l\u2019organisme approuv\xE9/certifi\xE9." + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node381 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node374 + description: "conserve des informations document\xE9es appropri\xE9es comme\ + \ preuves du contr\xF4le de la fiabilit\xE9 du personnel :" + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node382 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node381 + description: "tant que le personnel concern\xE9 doit faire l'objet d'une v\xE9\ + rification d'ant\xE9c\xE9dent, et ;" + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node383 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node381 + description: "un an apr\xE8s la fin de l\u2019activit\xE9 justifiant le contr\xF4\ + le de la fiabilit\xE9." + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:5.1.3 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:5.1 + ref_id: 5.1.3 + name: 'Cas particuliers ' + - urn: urn:intuitem:risk:req_node:c3cf-v2:5.1.3.1 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:5.1.3 + ref_id: 5.1.3.1 + name: "Personnels soumis aux exigences de s\xFBret\xE9 et de s\xE9curit\xE9\ + \ " + - urn: urn:intuitem:risk:req_node:c3cf-v2:node386 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:5.1.3.1 + description: "Dans le cas o\xF9 une personne est soumise aux exigences de v\xE9\ + rification des ant\xE9c\xE9dents pour la s\xFBret\xE9 et la s\xE9curit\xE9\ + \ a\xE9rienne, alors il doit se soumettre au dispositif le plus exigeant,\ + \ \xE0 savoir celui de la s\xFBret\xE9. 
" + implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:5.1.3.2 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:5.1.3 + ref_id: 5.1.3.2 + name: "Personnels \xE0 l\u2019\xE9tranger" + - urn: urn:intuitem:risk:req_node:c3cf-v2:node388 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:5.1.3.2 + description: "Dans le cas o\xF9 l\u2019organisme emploie du personnel de nationalit\xE9\ + \ \xE9trang\xE8re ne r\xE9sidant pas en France pour lequel il documente qu\u2019\ + il ne lui est pas l\xE9galement possible de r\xE9aliser une v\xE9rification\ + \ des ant\xE9c\xE9dents, alors l\u2019organisme : " + implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node389 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node388 + description: "\xE9tablit l\u2019identit\xE9 de ces personnes au travers de la\ + \ v\xE9rification d\u2019un document d\u2019identit\xE9 ; " + implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node390 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node388 + description: "exige de ces personnes un engagement sign\xE9 de bonne conduite\ + \ lors de la r\xE9alisation de missions pour le compte de l\u2019organisme\ + \ ; " + implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node391 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node388 + description: "tient \xE0 jour une liste des personnels \xE9trangers pour lesquels\ + \ la v\xE9rification des ant\xE9c\xE9dents n\u2019a pu \xEAtre r\xE9alis\xE9\ + e. 
" + implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:5.2 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:5 + ref_id: '5.2' + name: 'Sensibilisation ' + - urn: urn:intuitem:risk:req_node:c3cf-v2:node393 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:5.2 + description: "L\u2019organisme met en \u0153uvre une campagne de sensibilisation\ + \ ou s\u2019assure de cette mise en \u0153uvre par les tiers identifi\xE9\ + s au \xA74.2.4., notamment il :" + implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node394 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node393 + description: "pr\xE9cise :" + implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node395 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node394 + description: "les moyens et ressources mis en \u0153uvre ;" + implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node396 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node394 + description: "la fr\xE9quence de renouvellement de la campagne de sensibilisation. 
" + implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node397 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node393 + description: "s\u2019assure que les personnes identifi\xE9es au \xA75.1.1.1.et\ + \ au travers de l\u2019analyse de risques relatifs \xE0 la s\xE9curit\xE9\ + \ a\xE9rienne (\xA74.2.4) sont sensibilis\xE9es \xE0 la s\xE9curit\xE9 de\ + \ l\u2019information ; " + implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node398 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node393 + description: "formalise le suivi de la sensibilisation et la proc\xE9dure associ\xE9\ + e ;" + implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node399 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node393 + description: "int\xE8gre ou fait r\xE9f\xE9rence \xE0 cette proc\xE9dure dans\ + \ :" + implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node400 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node399 + description: "le manuel du syst\xE8me de management de la s\xE9curit\xE9 de\ + \ l\u2019information, ou ;" + implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node401 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node399 + description: "le manuel de l\u2019organisme approuv\xE9/certifi\xE9, et/ou ;" + implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node402 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node399 + description: "le programme de s\xFBret\xE9. 
" + implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node403 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node393 + description: "conserve des informations document\xE9es appropri\xE9es comme\ + \ preuves suivi de la sensibilisation de son personnel. " + implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:5.3 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:5 + ref_id: '5.3' + name: 'Formation ' + - urn: urn:intuitem:risk:req_node:c3cf-v2:node405 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:5.3 + description: "L\u2019organisme met en \u0153uvre un programme de formation ou\ + \ s\u2019assure de cette mise en \u0153uvre par les tiers identifi\xE9s au\ + \ \xA74.2.4., notamment il : " + implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node406 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node405 + description: 'identifie les besoins au sein de son entreprise, notamment que + :' + implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node407 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node406 + description: " les \xE9quipes manag\xE9riales soient form\xE9es \xE0 la gestion\ + \ de la s\xE9curit\xE9 de l\u2019information en coh\xE9rence avec les t\xE2\ + ches qui leur sont confi\xE9es ;" + implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node408 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node406 + description: "les \xE9quipes op\xE9rationnelles soient form\xE9es \xE0 la mise\ + \ en \u0153uvre des mesures de s\xE9curit\xE9 de l\u2019information \xE0 l\u2019\ + \xE9tat de l\u2019art, en coh\xE9rence avec les t\xE2ches qui leur sont confi\xE9\ + es . 
" + implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node409 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node405 + description: "pr\xE9cise les moyens et ressources mis en \u0153uvre ;" + implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node410 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node405 + description: "formalise le suivi des comp\xE9tences et la proc\xE9dure associ\xE9\ + e ;" + implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node411 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node405 + description: "int\xE8gre ou fait r\xE9f\xE9rence \xE0 cette proc\xE9dure dans\ + \ :" + implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node412 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node411 + description: "le manuel du syst\xE8me de management de la s\xE9curit\xE9 de\ + \ l\u2019information, ou ;" + implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node413 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node411 + description: "le manuel de l\u2019organisme approuv\xE9/certifi\xE9, et/ou ;" + implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node414 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node411 + description: "le programme de s\xFBret\xE9." + implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node415 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node405 + description: "conserve des informations document\xE9es appropri\xE9es comme\ + \ preuves de suivi de la formation de son personnel. 
" + implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:6 + assessable: false + depth: 1 + ref_id: '6' + name: "D\xE9finition et fonctionnement du SMSI " + - urn: urn:intuitem:risk:req_node:c3cf-v2:6.1 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:6 + ref_id: '6.1' + name: 'Suivi de la gestion des risques ' + - urn: urn:intuitem:risk:req_node:c3cf-v2:6.1.1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:6.1 + ref_id: 6.1.1 + name: 'Organisation du suivi de la gestion des risques ' + - urn: urn:intuitem:risk:req_node:c3cf-v2:node419 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:6.1.1 + description: "L\u2019organisme d\xE9finit l\u2019organisation du suivi de la\ + \ gestion des risques et en pr\xE9cise : " + implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node420 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node419 + description: 'la structure et le positionnement ; ' + implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node421 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node419 + description: "les responsabilit\xE9s des diff\xE9rents participants ; " + implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node422 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node419 + description: "l\u2019articulation avec l\u2019organisation d\xE9j\xE0 en place\ + \ pour le suivi de la gestion des risques relatifs \xE0 la s\xFBret\xE9 et/ou\ + \ \xE0 la s\xE9curit\xE9 a\xE9rienne ; " + implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node423 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node419 + description: "la p\xE9riodicit\xE9 et/ou les \xE9v\xE9nements significatifs\ + \ activant cette 
organisation, notamment lorsque : " + implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node424 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node423 + description: "il y a un changement dans les \xE9l\xE9ments expos\xE9s \xE0 des\ + \ risques li\xE9s \xE0 la s\xE9curit\xE9 de l\u2019information ; " + implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node425 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node423 + description: "il y a un changement dans les interfaces entre l\u2019organisme\ + \ et d\u2019autres organismes, ou dans les risques communiqu\xE9s par les\ + \ autres organismes ;" + implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node426 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node423 + description: "il y a un changement dans les informations ou connaissances utilis\xE9\ + es pour le recensement, l\u2019analyse et la classification des risques ; " + implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node427 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node423 + description: "l\u2019analyse des incidents de s\xE9curit\xE9 de l\u2019information\ + \ a permis de tirer des enseignements. 
" + implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:6.1.2 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:6.1 + ref_id: 6.1.2 + name: Missions du suivi de la gestion des risques + - urn: urn:intuitem:risk:req_node:c3cf-v2:node429 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:6.1.2 + description: "P\xE9riodiquement et/ou lors des \xE9v\xE9nements significatifs,\ + \ l\u2019organisme : " + implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node430 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node429 + description: "planifie, met en \u0153uvre, contr\xF4le :" + implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node431 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node430 + description: "les activit\xE9s de gestion des risques : " + implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node432 + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node431 + description: "appr\xE9ciation des risques (\xA74.2) ; " + implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node433 + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node431 + description: "traitement des risques (\xA74.3) ; " + implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node434 + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node431 + description: "gestion des incidents de s\xE9curit\xE9 de l\u2019information\ + \ (\xA74.4) ;" + implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node435 + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node431 + description: "gestion des risques induits par les tiers (\xA74.5). 
" + implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node436 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node430 + description: "la gestion des personnels et des comp\xE9tences (\xA75) ;" + implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node437 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node430 + description: "la mise en \u0153uvre des mesures techniques et organisationnelles\ + \ : " + implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node438 + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node437 + description: 'du plan de traitement des risques ; ' + implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node439 + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node437 + description: "de d\xE9tection, de r\xE9action et de r\xE9ponse \xE0 un incident\ + \ de s\xE9curit\xE9 ; " + implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node440 + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node437 + description: "notifi\xE9es par l\u2019autorit\xE9 comp\xE9tente. " + implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node441 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node429 + description: "assure le suivi des \xE9v\xE9nements et incidents de s\xE9curit\xE9\ + \ de l\u2019information. 
" + implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:6.1.3 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:6.1 + ref_id: 6.1.3 + name: "R\xE9sultats du suivi de la gestion des risques" + - urn: urn:intuitem:risk:req_node:c3cf-v2:node443 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:6.1.3 + description: "L\u2019organisme: " + implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node444 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node443 + description: "produit et tient \xE0 jour des tableaux de bord de suivi :" + implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node445 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node444 + description: "des activit\xE9s de gestion des risques ;" + implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node446 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node444 + description: "des personnels et des comp\xE9tences ;" + implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node447 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node444 + description: "d\u2019avancement de mise en \u0153uvre des mesures techniques\ + \ et organisationnelles ;" + implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node448 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node444 + description: "des \xE9v\xE9nements et incidents de s\xE9curit\xE9 de l\u2019\ + information." 
+ implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node449 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node443 + description: "informe le Dirigeant Responsable et les personnes ou entit\xE9\ + s responsables de risques des conclusions du suivi de la gestion des risques\ + \ ; " + implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node450 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node443 + description: "formalise la proc\xE9dure relative au suivi de la gestion des\ + \ risques ;" + implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node451 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node443 + description: "int\xE8gre ou fait r\xE9f\xE9rence \xE0 cette proc\xE9dure dans\ + \ :" + implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node452 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node451 + description: "le manuel du syst\xE8me de management de la s\xE9curit\xE9 de\ + \ l\u2019information, ou ;" + implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node453 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node451 + description: "le manuel de l\u2019organisme approuv\xE9/certifi\xE9, et/ou ;" + implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node454 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node451 + description: "le programme de s\xFBret\xE9." + implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node455 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node443 + description: "conserve des informations document\xE9es comme preuves du suivi\ + \ de la gestion des risques. 
" + implementation_groups: + - sec + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:6.2 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:6 + ref_id: '6.2' + name: "\xC9valuation du SMSI " + - urn: urn:intuitem:risk:req_node:c3cf-v2:6.2.1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:6.2 + ref_id: 6.2.1 + name: "\xC9valuation de la conformit\xE9 du SMSI" + - urn: urn:intuitem:risk:req_node:c3cf-v2:6.2.1.1 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:6.2.1 + ref_id: 6.2.1.1 + name: "Organisation de l\u2019\xE9valuation de la conformit\xE9 du SMSI" + - urn: urn:intuitem:risk:req_node:c3cf-v2:node459 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:6.2.1.1 + description: "L\u2019organisme d\xE9finit l\u2019organisation en charge de l\u2019\ + \xE9valuation de la conformit\xE9 et en pr\xE9cise : " + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node460 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node459 + description: 'la structure et le positionnement ; ' + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node461 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node459 + description: "les responsabilit\xE9s des diff\xE9rents participants ; " + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node462 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node459 + description: "l\u2019articulation avec l\u2019organisation d\xE9j\xE0 en place\ + \ pour l\u2019\xE9valuation de la conformit\xE9 relative \xE0 la s\xE9curit\xE9\ + \ a\xE9rienne ; - la p\xE9riodicit\xE9 et/ou les \xE9v\xE9nements significatifs\ + \ activant cette organisation. 
" + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:6.2.1.2 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:6.2.1 + ref_id: 6.2.1.2 + name: "Missions de l\u2019\xE9valuation de la conformit\xE9 du SMSI" + - urn: urn:intuitem:risk:req_node:c3cf-v2:node464 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:6.2.1.2 + description: "P\xE9riodiquement et/ou lors des \xE9v\xE9nements significatifs\ + \ et en s\u2019appuyant sur les r\xE9sultats : " + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node465 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node464 + description: 'des audits internes ; ' + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node466 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node464 + description: "des audits des autorit\xE9s comp\xE9tentes. " + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node467 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:6.2.1.2 + description: "l\u2019organisme : " + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node468 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node467 + description: "\xE9value la conformit\xE9 et ; " + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node469 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node467 + description: "identifie les \xE9carts de son SMSI par rapport aux dispositions\ + \ du pr\xE9sent document ; " + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node470 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node467 + description: "corrige ces \xE9carts afin de se mettre en conformit\xE9 avec\ + \ les exigences de la Part-IS. 
" + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:6.2.1.3 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:6.2.1 + ref_id: 6.2.1.3 + name: "R\xE9sultats de l\u2019\xE9valuation de la conformit\xE9 du SMSI" + - urn: urn:intuitem:risk:req_node:c3cf-v2:node472 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:6.2.1.3 + description: "L\u2019organisme : " + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node473 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node472 + description: "produit et tient \xE0 jour un tableau de bord de suivi de la conformit\xE9\ + \ et les \xE9ventuels \xE9carts associ\xE9s ; " + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node474 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node472 + description: "informe le Dirigeant Responsable et les personnes ou entit\xE9\ + s responsables des risques des conclusions de l\u2019\xE9valuation de la conformit\xE9\ + \ du SMSI ; " + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node475 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node472 + description: "formalise la proc\xE9dure relative \xE0 l\u2019\xE9valuation de\ + \ la conformit\xE9 du SMSI ;" + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node476 + assessable: false + depth: 6 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node472 + description: "int\xE8gre ou fait r\xE9f\xE9rence \xE0 cette proc\xE9dure dans\ + \ :" + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node477 + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node476 + description: "le manuel du syst\xE8me de management de la s\xE9curit\xE9 de\ + \ l\u2019information, ou ;" + implementation_groups: + - sec + - urn: 
urn:intuitem:risk:req_node:c3cf-v2:node478 + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node476 + description: "le manuel de l\u2019organisme approuv\xE9/certifi\xE9." + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node479 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node472 + description: "conserve des informations document\xE9es comme preuves des r\xE9\ + sultats d\u2019\xE9valuation de la conformit\xE9 du SMSI. " + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:6.2.2 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:6.2 + ref_id: 6.2.2 + name: "R\xE9ponse aux constatations notifi\xE9es par l\u2019autorit\xE9 comp\xE9\ + tente" + - urn: urn:intuitem:risk:req_node:c3cf-v2:node481 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:6.2.2 + description: "L\u2019organisme r\xE9agit aux constatations notifi\xE9es par\ + \ l\u2019autorit\xE9 comp\xE9tente au travers du processus de traitement des\ + \ constatations pr\xE9vus dans le cadre de son certificat/agr\xE9ment. 
" + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:6.2.3 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:6.2 + ref_id: 6.2.3 + name: "\xC9valuation de l\u2019efficacit\xE9 et de la maturit\xE9 du SMSI" + - urn: urn:intuitem:risk:req_node:c3cf-v2:6.2.3.1 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:6.2.3 + ref_id: 6.2.3.1 + name: "Organisation de l\u2019\xE9valuation de l\u2019efficacit\xE9 et de la\ + \ maturit\xE9 du SMSI " + - urn: urn:intuitem:risk:req_node:c3cf-v2:node484 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:6.2.3.1 + description: "L\u2019organisme d\xE9finit l\u2019organisation en charge de l\u2019\ + \xE9valuation de l\u2019efficacit\xE9 et de la maturit\xE9 du SMSI et en pr\xE9\ + cise : " + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node485 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node484 + description: la structure et le positionnement ; + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node486 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node484 + description: "les responsabilit\xE9s des diff\xE9rents participants ; " + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node487 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node484 + description: "l\u2019articulation avec l\u2019organisation d\xE9j\xE0 en place\ + \ pour l\u2019\xE9valuation du syst\xE8me de gestion de la s\xE9curit\xE9\ + \ a\xE9rienne ;" + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node488 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node484 + description: "la p\xE9riodicit\xE9 et/ou les \xE9v\xE9nements significatifs\ + \ activant cette organisation ;" + implementation_groups: + - sec + - urn: 
urn:intuitem:risk:req_node:c3cf-v2:node489 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node484 + description: "les indicateurs d\u2019efficacit\xE9 associ\xE9s aux objectifs\ + \ de s\xE9curit\xE9 d\xE9finis dans la politique de s\xE9curit\xE9 de l\u2019\ + information ;" + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node490 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node484 + description: "le mod\xE8le de maturit\xE9 du SMSI vis\xE9." + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:6.2.3.2 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:6.2.3 + ref_id: 6.2.3.2 + name: "Missions de l\u2019\xE9valuation de l\u2019efficacit\xE9 et de la maturit\xE9\ + \ du SMSI" + - urn: urn:intuitem:risk:req_node:c3cf-v2:node492 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:6.2.3.2 + description: "P\xE9riodiquement et/ou lors des \xE9v\xE9nements significatifs\ + \ et en s\u2019appuyant sur : " + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node493 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node492 + description: "la politique de s\xE9curit\xE9 de l\u2019information ; " + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node494 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node492 + description: "les \xE9l\xE9ments relatifs \xE0 la gestion des ressources, aux\ + \ r\xF4les et responsabilit\xE9s ; " + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node495 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node492 + description: "les tableaux de bord de suivi des activit\xE9s de gestion des\ + \ risques, des personnels et des comp\xE9tences, et des \xE9v\xE9nements et\ + \ incidents de s\xE9curit\xE9 de 
l\u2019information ; " + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node496 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node492 + description: "des \xE9ventuels audits techniques et organisationnels ; " + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node497 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node492 + description: "son retour d\u2019exp\xE9rience, aliment\xE9 notamment par la\ + \ gestion des incidents. " + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node498 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:6.2.3.2 + description: "L\u2019organisme :" + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node499 + assessable: false + depth: 6 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node498 + description: "\xE9value :" + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node500 + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node499 + description: "l\u2019efficacit\xE9 de son SMSI par rapport aux objectifs de\ + \ s\xE9curit\xE9 d\xE9finis dans la politique de s\xE9curit\xE9 de l\u2019\ + information ; " + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node501 + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node499 + description: "la maturit\xE9 de son SMSI par rapport au mod\xE8le de maturit\xE9\ + \ vis\xE9.Lors de ces \xE9valuations, l\u2019organisme porte une attention\ + \ particuli\xE8re aux processus relatifs : " + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node502 + assessable: true + depth: 8 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node501 + description: "\xE0 la gouvernance (\xA73) ; " + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node503 + 
assessable: true + depth: 8 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node501 + description: "aux activit\xE9s de gestion des risques ( \xA74) ainsi que leur\ + \ suivi (\xA76.1) ; " + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node504 + assessable: true + depth: 8 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node501 + description: "\xE0 la gestion des personnels et des comp\xE9tences (\xA75) ; " + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node505 + assessable: true + depth: 8 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node501 + description: "\xE0 l\u2019\xE9valuation de la conformit\xE9, de l\u2019efficacit\xE9\ + \ et de la maturit\xE9 du SMSI (\xA76.2) ; " + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node506 + assessable: true + depth: 8 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node501 + description: "Au pilotage de l\u2019am\xE9lioration continue (\xA76.3)." + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node507 + assessable: false + depth: 6 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node498 + description: 'identifie :' + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node508 + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node507 + description: "les \xE9carts et/ou les manques par rapport aux objectifs de s\xE9\ + curit\xE9 ; " + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node509 + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node507 + description: "les axes d\u2019am\xE9lioration \xE9ventuels afin d\u2019atteindre\ + \ les niveaux de maturit\xE9 du mod\xE8le vis\xE9." 
+ implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:6.2.3.3 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:6.2.3 + ref_id: 6.2.3.3 + name: "R\xE9sultats de l\u2019\xE9valuation de l\u2019efficacit\xE9 et de la\ + \ maturit\xE9 du SMSI" + - urn: urn:intuitem:risk:req_node:c3cf-v2:node511 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:6.2.3.3 + description: "L\u2019organisme : " + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node512 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node511 + description: "produit et tient \xE0 jour des tableaux de bord de suivi de : " + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node513 + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node512 + description: "l\u2019efficacit\xE9 de son SMSI et des \xE9carts associ\xE9s\ + \ ;" + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node514 + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node512 + description: "la maturit\xE9 de son SMSI et des \xE9ventuels axes d\u2019am\xE9\ + lioration associ\xE9s. 
" + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node515 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node511 + description: "informe le Dirigeant Responsable et les personnes ou entit\xE9\ + s responsables des risques des conclusions de l\u2019\xE9valuation de l\u2019\ + efficacit\xE9 et de la maturit\xE9 du SMSI ; " + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node516 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node511 + description: "formalise la proc\xE9dure relative \xE0 l\u2019\xE9valuation de\ + \ l\u2019efficacit\xE9 et de la maturit\xE9 du SMSI ;" + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node517 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node511 + description: "int\xE8gre ou fait r\xE9f\xE9rence \xE0 cette proc\xE9dure dans\ + \ : " + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node518 + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node517 + description: "le manuel du syst\xE8me de management de la s\xE9curit\xE9 de\ + \ l\u2019information, ou ;" + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node519 + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node517 + description: "le manuel de l\u2019organisme approuv\xE9/certifi\xE9." + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node520 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node511 + description: "conserve des informations document\xE9es comme preuves des r\xE9\ + sultats de l\u2019\xE9valuation de l\u2019efficacit\xE9 et de la maturit\xE9\ + \ du SMSI. 
" + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node521 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:6.2.3.3 + description: "Les mod\xE8les de maturit\xE9 suivants peuvent \xEAtre pris pour\ + \ r\xE9f\xE9rence : " + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node522 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node521 + description: 'Cybersecurity Capability Maturity Model (C2M2), version 1.1 ' + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node523 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node521 + description: "Systems Security Engineering \u2013 Capability Maturity Model\ + \ (SSE-CMM) " + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node524 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node521 + description: 'NIST Cybersecurity Framework (NIST CSF), version 1.1 - ATM Cybersecurity + Maturity Model, edition 1 ' + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:6.3 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:6 + ref_id: '6.3' + name: "Am\xE9lioration continue du SMSI " + - urn: urn:intuitem:risk:req_node:c3cf-v2:6.3.1.1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:6.3 + ref_id: 6.3.1.1 + name: "Organisation du pilotage de l\u2019am\xE9lioration continue du SMSI " + - urn: urn:intuitem:risk:req_node:c3cf-v2:node527 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:6.3.1.1 + description: "L\u2019organisme d\xE9finit l\u2019organisation du pilotage de\ + \ l\u2019am\xE9lioration continue et en pr\xE9cise : " + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node528 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node527 + 
description: 'la structure et le positionnement ; ' + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node529 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node527 + description: "les responsabilit\xE9s des diff\xE9rents participants ; " + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node530 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node527 + description: "l\u2019articulation avec l\u2019organisation d\xE9j\xE0 en place\ + \ pour le pilotage de l\u2019am\xE9lioration continue du syst\xE8me de gestion\ + \ de la s\xE9curit\xE9 a\xE9rienne ; " + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node531 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node527 + description: "la p\xE9riodicit\xE9 et/ou les \xE9v\xE9nements significatifs\ + \ activant cette organisation, notamment : o au moins 1 fois entre 2 audits\ + \ de l\u2019autorit\xE9, et/ou ; o les \xE9v\xE9nements significatifs d\xE9\ + clenchant la revue de direction (incident, changement de contexte etc.). 
" + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:6.3.1.2 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:6.3 + ref_id: 6.3.1.2 + name: "Missions du pilotage de l\u2019am\xE9lioration continue du SMSI " + - urn: urn:intuitem:risk:req_node:c3cf-v2:node533 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:6.3.1.2 + description: "P\xE9riodiquement et/ou lors des \xE9v\xE9nements significatifs\ + \ et sur la base : " + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node534 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node533 + description: "des changements de contexte de l\u2019organisme, notamment :" + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node535 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node534 + description: "l\u2019\xE9volution de la menace ;" + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node536 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node534 + description: "un changement dans l\u2019organisation." 
+ implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node537 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node533 + description: 'des tableaux de bord de suivi :' + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node538 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node537 + description: "de la conformit\xE9 du SMSI et des \xE9carts associ\xE9s ;" + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node539 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node537 + description: "de l\u2019efficacit\xE9 du SMSI et des \xE9carts associ\xE9s ; " + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node540 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node537 + description: "de la maturit\xE9 du SMSI et des \xE9ventuels axes d\u2019am\xE9\ + lioration associ\xE9s ;" + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node541 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node537 + description: "des non-conformit\xE9s notifi\xE9es par l\u2019autorit\xE9 et\ + \ des actions correctives associ\xE9es ; " + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node542 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node537 + description: "des actions issues du pilotage de l\u2019am\xE9lioration continue." 
+ implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node543 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:6.3.1.2 + description: "L\u2019organisme : " + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node544 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node543 + description: 'identifie :' + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node545 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node544 + description: "les modifications \xE0 apporter au SMSI : organisation, processus,\ + \ etc. ; " + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node546 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node544 + description: "les actions correctives et pr\xE9ventives \xE0 mettre en \u0153\ + uvre ;" + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node547 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node544 + description: "des opportunit\xE9s d\u2019am\xE9lioration continue." + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node548 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node543 + description: "d\xE9cide de les mettre en \u0153uvre ; " + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node549 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node543 + description: "pr\xE9cise les d\xE9lais de mises en \u0153uvre. 
" + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:6.3.1.3 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:6.3 + ref_id: 6.3.1.3 + name: "Conclusions du pilotage de l\u2019am\xE9lioration continue du SMSI " + - urn: urn:intuitem:risk:req_node:c3cf-v2:node551 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:6.3.1.3 + description: "L\u2019organisme : " + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node552 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node551 + description: "produit et tient \xE0 jour un tableau de bord de suivi des actions\ + \ issues du pilotage de l\u2019am\xE9lioration continue ; " + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node553 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node551 + description: "formalise la proc\xE9dure relative \xE0 l\u2019am\xE9lioration\ + \ continue ;" + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node554 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node551 + description: "int\xE8gre ou fait r\xE9f\xE9rence \xE0 cette proc\xE9dure dans\ + \ :" + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node555 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node554 + description: "le manuel du syst\xE8me de management de la s\xE9curit\xE9 de\ + \ l\u2019information, ou ;" + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node556 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node554 + description: "le manuel de l\u2019organisme approuv\xE9/certifi\xE9." 
+ implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node557 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node551 + description: "conserve des informations document\xE9es comme preuves du pilotage\ + \ de l\u2019am\xE9lioration continue. " + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:6.4 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:6 + ref_id: '6.4' + name: "Modification du syst\xE8me de management de la s\xE9curit\xE9 de l\u2019\ + information " + - urn: urn:intuitem:risk:req_node:c3cf-v2:node559 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:6.4 + description: 'A paraitre dans la prochaine version du 3CFv2 ' + - urn: urn:intuitem:risk:req_node:c3cf-v2:7 + assessable: false + depth: 1 + ref_id: '7' + name: 'Documentation ' + - urn: urn:intuitem:risk:req_node:c3cf-v2:7.1 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:7 + ref_id: '7.1' + name: 'Gestion documentaire ' + - urn: urn:intuitem:risk:req_node:c3cf-v2:node562 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:7.1 + description: 'A paraitre dans la prochaine version du 3CFv2 ' + - urn: urn:intuitem:risk:req_node:c3cf-v2:7.2 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:7 + ref_id: '7.2' + name: "Manuel du syst\xE8me de gestion de la s\xE9curit\xE9 de l\u2019information " + - urn: urn:intuitem:risk:req_node:c3cf-v2:7.2.1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:7.2 + ref_id: 7.2.1 + name: 'Gestion du manuel SMSI ' + - urn: urn:intuitem:risk:req_node:c3cf-v2:node565 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:7.2.1 + description: 'A paraitre dans la prochaine version du 3CFv2 ' + - urn: urn:intuitem:risk:req_node:c3cf-v2:7.2.2 + assessable: false + depth: 3 + parent_urn: 
urn:intuitem:risk:req_node:c3cf-v2:7.2 + ref_id: 7.2.2 + name: "\xC9l\xE9ments du manuel" + - urn: urn:intuitem:risk:req_node:c3cf-v2:node567 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:7.2.2 + description: "L\u2019organisme int\xE8gre ou fait r\xE9f\xE9rence aux \xE9l\xE9\ + ments suivants dans :" + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node568 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node567 + description: "le manuel du syst\xE8me de management de la s\xE9curit\xE9 de\ + \ l\u2019information, ou ;" + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node569 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node567 + description: "le manuel de l\u2019organisme approuv\xE9/certifi\xE9." + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node570 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:7.2.2 + description: "La lettre d\u2019engagement du Dirigeant Responsable " + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node571 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:7.2.2 + description: "La politique de s\xE9curit\xE9 de l\u2019information " + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node572 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:7.2.2 + description: "le(s) titre(s), le(s) nom(s), les missions, les obligations de\ + \ rendre compte, les responsabilit\xE9s et les pouvoirs des personnes vis\xE9\ + es au 3.3. 
" + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node573 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:7.2.2 + description: "un organigramme montrant les rapports hi\xE9rarchiques en mati\xE8\ + re d\u2019obligation de rendre compte et de responsabilit\xE9 entre les personnes\ + \ vis\xE9es aux 3.3 " + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node574 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:7.2.2 + description: "une description g\xE9n\xE9rale des ressources humaines, en termes\ + \ d\u2019effectifs et de cat\xE9gories, et du syst\xE8me qui est en place\ + \ pour planifier la mise \xE0 disposition du personnel " + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node575 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:7.2.2 + description: "La description du sch\xE9ma de notification interne " + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node576 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:7.2.2 + description: "La proc\xE9dure de gestion des incidents de s\xE9curit\xE9 de\ + \ l\u2019information / Mis \xE0 disposition" + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node577 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:7.2.2 + description: "La proc\xE9dure de notification \xE0 l\u2019autorit\xE9 (\xE0\ + \ venir) / Mis \xE0 disposition" + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node578 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:7.2.2 + description: "La proc\xE9dure de gestion des organismes en interface / Mis \xE0\ + \ disposition" + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node579 + assessable: true + depth: 4 + parent_urn: 
urn:intuitem:risk:req_node:c3cf-v2:7.2.2 + description: "La proc\xE9dure de gestion des sous-traitants r\xE9alisant des\ + \ activit\xE9s du SMSI / Mis \xE0 disposition" + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node580 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:7.2.2 + description: "La politique de contr\xF4le de fiabilit\xE9 du personnel / Mis\ + \ \xE0 disposition" + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node581 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:7.2.2 + description: "La proc\xE9dure de suivi de la sensibilisation / Mis \xE0 disposition" + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node582 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:7.2.2 + description: "La proc\xE9dure de suivi de la formation / Mis \xE0 disposition" + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node583 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:7.2.2 + description: "La proc\xE9dure d\u2019\xE9valuation de la conformit\xE9 du SMSI\ + \ / Mis \xE0 disposition" + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node584 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:7.2.2 + description: "La proc\xE9dure d\u2019\xE9valuation de l\u2019efficacit\xE9 et\ + \ de la maturit\xE9 du SMSI / Mis \xE0 disposition" + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node585 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:7.2.2 + description: "La proc\xE9dure d\u2019am\xE9lioration continue / Mis \xE0 disposition" + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node586 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:7.2.2 + description: "La proc\xE9dure de 
gestion des changements du SMSI (\xE0 venir)\ + \ / Approuv\xE9" + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node587 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:7.2.2 + description: "La proc\xE9dure de gestion documentaire / Mis \xE0 disposition" + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:node588 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:7.2.2 + description: "La proc\xE9dure de modification du manuel SMSI (\xE0 venir) /\ + \ Mis \xE0 disposition" + implementation_groups: + - sec + - urn: urn:intuitem:risk:req_node:c3cf-v2:7.3 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:7 + ref_id: '7.3' + name: "Programme de s\xFBret\xE9 " + - urn: urn:intuitem:risk:req_node:c3cf-v2:node590 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:7.3 + description: "L\u2019organisme int\xE8gre ou fait r\xE9f\xE9rence dans son programme\ + \ de s\xFBret\xE9 aux \xE9l\xE9ments suivants : " + implementation_groups: + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node591 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node590 + description: "La liste des risques au regard de la s\xFBret\xE9 " + implementation_groups: + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node592 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node590 + description: "La liste des syst\xE8mes d\u2019information critiques \xE0 la\ + \ s\xFBret\xE9 " + implementation_groups: + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node593 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node590 + description: 'Le plan de traitement des risques ' + implementation_groups: + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node594 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node590 + 
description: "La liste des organismes en interface pr\xE9sentant un risque pour\ + \ la s\xFBret\xE9 " + implementation_groups: + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node595 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node590 + description: "La liste des mesures techniques et organisationnelles visant \xE0\ + \ d\xE9tecter, r\xE9agir et se r\xE9tablir \xE0 la suite d\u2019un incident\ + \ de s\xE9curit\xE9 de l\u2019information " + implementation_groups: + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node596 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node590 + description: "La proc\xE9dure de gestion des risques (appr\xE9ciation, traitement\ + \ et suivi des risques)" + implementation_groups: + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node597 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node590 + description: "La proc\xE9dure de gestion des organismes en interface" + implementation_groups: + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node598 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node590 + description: "La proc\xE9dure de v\xE9rification des ant\xE9c\xE9dents" + implementation_groups: + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node599 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node590 + description: "La proc\xE9dure de suivi de la sensibilisation" + implementation_groups: + - sur + - urn: urn:intuitem:risk:req_node:c3cf-v2:node600 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:c3cf-v2:node590 + description: "La proc\xE9dure de suivi de la formation " + implementation_groups: + - sur diff --git a/tools/3cf/3cf-v2.xlsx b/tools/3cf/3cf-v2.xlsx new file mode 100644 index 000000000..6e72e186a Binary files /dev/null and b/tools/3cf/3cf-v2.xlsx differ