PAM should not exclude SAP

Before starting to play a board game, it's customary to read the game rules. As part of an outsourcing service, it is also very important to establish the "rules of the game" between parties.

In [01], the ANSSI (French National Cybersecurity Agency) states that, when using managed services, security should not be incompatible with outsourcing. For an organization whose IS administration is handled by a service provider, the inherent risks are generally related to the loss of control of the IT system as well as to actions performed remotely. For this reason, a Security Assurance Plan (SAP) must be written by the subcontractor according to a framework defined by the managed organization. The Security Assurance Plan defines the measures (contractual, methodological, technical, organizational and procedural) to meet the security requirements of the contractor.

The Security Assurance Plan of the subcontractor providing outsourcing services to a company could be based on three main areas:

- Purpose of the outsourcing
- Presentation of the internal organization set up (both for security management and for the evolution and application of the SAP)
- Security measures implemented for each requirement

The definition of security measures shall include technical as well as organizational measures related to the subcontractor's Human Resources.

For example, a solution such as Systancia Cleanroom from Systancia (which combines VDI, PAM, VPN and SSO) provides a technical response to the risks identified for outsourcing ([02]). This solution provides technical responses to measures related to logical access management as well as to the privacy and integrity of administration flows. Moreover, it also technically supports the management (and protection) of passwords for access to managed resources.

However, using Systancia Cleanroom should not exempt the outsourcer from establishing a document like a SAP in collaboration with the managed organization. The final objective is to control and manage all processes (technical or organizational) during the outsourcing of IS administration tasks.

To conclude, note that a SAP can reassure the contractor with regard to its service provider, but this document must also be very closely linked to the managed organization's Information System Security Policy. It represents a strategic document in the field of IT security and communication.

References

[01] Outsourcing guide – Controlling the risks of managed services, ANSSI. https://www.ssi.gouv.fr/uploads/IMG/pdf/2010-12-03_Guide_externalisation.pdf

[02] The Cleanroom concept for a safe and secure administration, Antoine COUTANT, January 2019. https://www.systancia.com/en/the-cleanroom-concept-for-a-safe-and-secure-administration/