PGSSI-S: General Security Policy for Health Information Systems Identification of health and community health actors

Transcription

1 PGSSI-S: General Security Policy for Health Information Systems Identification of health and community health actors V 1.0 December, 2014

2 Contents 1 Document Purpose Scope of application Goals of identifying health and community health actors Definitions National Identity Repositories Nationwide Operational Identifier Registration Authority Repository Manager Identifier Assigning Authority Identifier type Identity Data Identity Traits Identification methods for Individuals Levels of identification for medical and community health actors Identification levels for individuals Level Level Level Levels of identification for legal entities Level Level Summary of identification levels Industry relevance Impact on professional practices Appendix Processing of Identifiers Identifier type Link to the health domain Access to identity traits Glossary Referenced Documents Classification : Public 2 / 18

3 1 Document Purpose This document contains the reference specification for identification of health and community health actors as defined in the Politique générale de sécurité des systems d information de santé (PGSSI-S). It is part of the PGSSI-S technical reference documentation as illustrated in the document architecture below. Figure 1 PGSSI-S Reference Architecture The purpose of Identification is to determine the identity of an actor via an identifier that was assigned previously to him when checking and recording the actor s identity traits. In the context of security, identification is particularly related to authentication. For example, identification is used to determine the access rights of the actor to the information system. The French national security guideline (Référentiel Général de Sécurité (RGS)) states that: "Authentication is always preceded or combined with an identification event that allows that entity to be recognized by the system using a supplied identification element, i.e. an identifier. In summary, to identify means to communicate an identifier. To authenticate is to provide evidence that the entity was awarded this identifier." (Page 4/29 A.1.b of Annex B3 "Référentiel Général de Sécurité Version 2.0 June 2014).

4 The identification includes: registration of actor identity traits by a Registration Authority (verification of the truthfulness and completeness of the registration information, validation of the absence of duplicate registration, etc...) and their updates; assignment of an identifier to make the connection between the actor and identity traits recorded; management of the identity traits and their availability, especially for security purposes such as access control and traceability. The purpose of this specification is to define the different levels of implementation for the identification of health and community health actors. It recognizes several possible identifiers in the health and community health domain. Identifiers unrelated to being an actor in the health or community health are outside the scope of the specification (e.g., health insurance identifiers, or identifiers for individuals). This document is intended for those involved in the implementation of the health information systems security policy. It enables directors of operations to choose the identification method to be implemented based on the context of use and identity management features (type of identifier, identity traits collected upon registration, access policy to stored identity traits, etc). This document is also intended for suppliers of goods or services used in the context of health systems. These providers must offer solutions that use the different types of identifiers specified, and provide access to the associated identity traits either via access to a local directory, CPS card reading, or other methods. 2 Scope of application The table below summarizes the scope of application of the identification of health and community health actors. Clinical Care Comment Care provider support functions Care Coordination Health Public Health Research Screening and Prevention Community Health This version of the framework is applicable to all health and community health actors, within the limits of the existing registration procedures 1. This specification includes two types of health and community health actors: Actors who possess a national identifier which expresses their direct link with the field of health and/or community health, in which there are: o physical people with an assigned identifier that is inherently linked to their healthcare role (e.g. RPPS ADELI) 1 The scope of application of this specification is limited at this time to the scope of the PGSSI-S. It will be extended to the rest of the community domain once the PGSSI-S is extended. Classification : Public 4 / 18

5 o and legal entities for which the assigned identifier is inherently linked to their healthcare role (e.g. FINESS, RPPS-rank.); Actors, individuals or legal entities for which the identifier used does not indicate a direct link to the health field and/or the community health field that are related to health domains by their activities (such as medical secretaries, educators, community transport...) Some of these actors may have a national identifier, but this identifier may not have any connection to the health domain (e.g. SIRET for legal entities). 3 Goals of identifying health and community health actors The development of e-health services and reduction of paper-based medical and community health services will not be effective until the requirements for creating and maintaining the trust of stakeholders are met. The quality of the identification of health and community health actors is one of the pillars of obtaining this trust. This reliable identification of actors is the foundation for securing health information systems that necessitates: distribution of strong authentication devices to actors; control of access to information systems; auditability of systems. For example, implementation of personal health information exchange using secure messaging between health and/or community health actors will ensure that such exchanges are made only between actors whose identities are certified. 4 Definitions 4.1 National Identity Repositories As part of the PGSSI-S framework, the national identity repositories are defined as repositories that manage identity data for clearly defined national populations. Their existence and operating rules are enshrined in a legislative or regulatory text. Once an actor has submitted evidence of their identity and credentials and has undergone the process of registration and identity verification and is present in the identity repository, that actor no longer needs to provide proof of their identity to others in order to use their identifier. The burden of proof belongs to those who question the reliability of the identity attributes. The identity attributes contained in the national identity repositories are able to work this way as a result of the strong level of trust involved in the registration process, where the identity attributes are registered by duly authorized registration authorities 4.2 Nationwide Operational Identifier ID assigned nationally to fulfil a registration in a national repository but which is not a national identifier in itself as it is not part of the national repository. Classification : Public 5 / 18

6 "RPPS rank" and "ADELI rank" are examples of nationwide operational identifiers Registration Authority As part of the PGSSI-S, the agencies responsible for the collection, validation and registration of identity traits in an identity repository prior to the attribution of an identifier are designated in the PGSSI- S under the term Registration Authority (RA). The Registration Authorities are also responsible for updating and maintaining identification traits over the life of the identifier. The list of identity traits registered by the Registration Authorities and the method of verifying the identity of the actors during the recording are specific to each identity repository. The scope of action of Registration Authorities can be at the national level (e.g. the ARS for FINESS directory which is a national identity repository) or local level (e.g., a hospital registering its employees in a local directory). 4.4 Repository Manager As part of the PGSSI-S, the person responsible for processing and storage of identity data registered in connection with the implementation of an identity repository is referred to as a "repository manager." The rights and responsibilities of a repository manager are specific to each repository. They include: the implementation of the information system used to process the identity data registered by the Registration Authorities in compliance with: the rules laid down by law No of 6 January 1978 relating to computer, files and freedoms, known as a data protection act, and where applicable, the rules laid down in the legal framework for organizing the management of the repository. 4.5 Identifier An identifier is a given attribute to a person in connection with their identity. This attribute differentiates two people even if their identity traits are the same or similar. An identifier is created according to rules defined by the assigning authority defined in section 4.6. It may consist of a sequence of numeric or alphanumeric characters (such as a random number, a number constructed based on identity traits, concatenation of identity traits, etc). Identifier collision refers to when the same identifier has been assigned to two different people in the same identification domain. Identifier duplication refers to when multiple identifiers are assigned to the same person in the same identification domain. The objective of identification is to assign an identifier to each actor without duplication or collision. 4.6 Assigning Authority In the context of the PGSSI-S, the authority in charge of defining the format of an identifier and defining the rules of how to assign an identifier to a person is referred to as the assigning authority. As a general rule, the role of assigning authority is held by the identity 2 Classification : Public 6 / 18

7 repository manager in which the identifier is assigned (e.g. ASIP Santé, manager of the RPPS is also the assigning authority for the RPPS number). 4.7 Identifier type There are two types of identifiers, depending on the scope of the Registration Authority: national identifier ("public" identifier): the national identifier is an identifier assigned following registration in a national identity repository by an authorized Registration Authority (e.g., RPPS number. ). local identifier ("private" identifier): the local identifier is an identifier assigned following registration by a Registration Authority for a repository other than a national identity repository as defined in 4.1. Its use is limited to the repository purposes (e.g. Implementation in a healthcare organization s repository for use in assigning a registration number to each employee, for human resource management purposes). A "private" identifier must be unique at the local level but can be used in several different local repositories. 4.8 Identity Data As part of the PGSSI-S, identity data for an individual is defined as: the identifier assigned to that person; and all identity traits registered as part of the assignment of the identifier. 4.9 Identity Traits An identity trait is an element that characterizes a person but is usually not sufficient in itself to establish the identity of this person. As part of the PGSSI-S, identity traits are generally considered to correspond to the set of data collected during the recording of an individual or legal entity. For example, identity traits may include 3 : surname at birth (for individuals); first name (for individuals); date of birth (for individuals); address (for individuals or legal entities); type of structure (for legal entities); creation date (for legal entities); profession (for individuals). Depending on the identity repository, the number and diversity of identity traits collected may differ. In all cases, they must be sufficient to characterize the identity of a person, help differentiate it from other people especially those who share some of the same identity traits (e.g. homonyms) and thus make a clear link between an identifier and the identity of the person to which it was assigned Identification methods for Individuals Two identification methods are defined for an individual actor: direct identification: identification is called direct when the identifier is used directly without adding additional information; indirect identification: identification is called indirect when the identifier of the actor is a "private" identifier that is associated with the "public" identifier of the legal entity 3 For a more substantial identity traits list, refer to the Reference Document No. 1 Classification : Public 7 / 18

8 who played the role of Registration Authority in order to be able to be used as a national identifier. The Registration Authority is then responsible for providing the identity traits associated with the identifier if necessary. Indirect identification is only possible for an individual; it is not possible to indirectly identify a legal entity. This method of identification is limited to a relationship between a legal entity and an individual as it is impossible to have successive levels of indirect identification between legal entities. 5 Levels of identification for medical and community health actors The different levels defined for implementing the identification of medical and community health actors are documented below in order of increasing levels of assurance. The highest level of assurance defines identification schemes that allow the greatest number of health and community health actors to benefit from a public identifier, which in turn has benefited from the highest level of confidence since it was assigned via the registration in a national identity repository by a duly authorized Registration Authority. The levels of identification are focused on the identifiers that can be used for health and community health actors. The identification traits that were used to register the individual or legal entity for an identifier are not the focus of these levels. The processing schema for identifiers includes: identifier type coding; determining the link between a person and the healthcare domain from an identifier; access to identity traits corresponding to the identifier. For more information on the processing schema, please see appendix 9.1 of this document. The levels of identification of individuals and legal entities are based on the following logic: Level 1: local identifier; Level 2: National Identifier; (including the nationwide operational identifier) Level 3: National Identifier (where the nationwide operational identifier is not permitted for level 3) Please note that there is no nationwide operational identifier for individuals: as a result, level 2 and 3 for individuals are effectively the same. For legal entities, the creation of a legal entity automatically results in registration in a national identity repository and the consequent allocation of a national identifier. In this case, the allocation of local identifiers is not useful and therefore level 1 is not applicable to legal entities. 5.1 Identification levels for individuals Level 1 In level 1, identification is performed using a local identifier under the purview of the legal entity acting as Registration Authority and Assigning Authority. The Registration Authority has the responsibility to implement appropriate identity management processes, including at minimum: identity validation; registration of identity traits defined beforehand as necessary for the local management of identities; Classification : Public 8 / 18

9 allocation of local identifiers; maintenance of identity traits. These local identifiers are used within the information systems for which they have been allocated. Using these local identifiers outside this scope is done under the responsibility of the legal entity that assigned them, based on the principle of indirect identification. The format of local identifiers are defined by the legal entity as Registration Authority and Assigning Authority (i.e. whether the identifier is a number internal to the organization, names and surname of the person, etc.). A format such as "national identifier of the legal entity"/"local identifier of the individual" is recommended both externally as well as within the information system to which the identifier has been assigned in order to harmonize formats between local use and use of indirect identifiers outside of the information system. As part of Level 1, a legal entity can assign multiple IDs to a single individual based on the context of use (e.g. in the context of patient admissions, provision of care, administration, etc.) However use of multiple identifiers is not recommended because of the resulting complexity of identifier management and the risk of duplication, especially if it involves disparate registration processes. If using multiple identifiers for a single person, a standardized method of registration and formatting of identifiers should be used Level 2 Level 2 is based on the use of a public identifier for the health and community health actors in sectors that have them and failing that, to a local identifier under different conditions of the level 1 to give it a higher level of confidence Background To address challenges related to the development of e-health services, a quality improvement process was used to overhaul of the management of personal health actor s identities. This process relies on designated Registration Authorities (Professional Associations, Military Health Service or Regional Health Agency), which are responsible for registering healthcare actors in their respective national identity repository. The different stages of the redesign are: implementation of the national identity repository entitled "Répertoire Partagé des Professionnels de Santé (RPPS)" established by Order on February 6 th 2009 as the successor to the ADELI national identity repository established by Order on May 28 th 1998; integration of 4 healthcare professions (physician, pharmacist, dentist, midwife) into the RPPS from 2010 to 2011; gradual population of the RPPS with other professions required by regulation. As a result there are 2 major families of public identifiers for health and community health actors who are registered with a legally designated authority: the RPPS number; the ADELI number Using public identifiers in health and community health sectors In level 2, identification of health and community health actors who are registered with a legally designated authority must be direct and based on a public identifier assigned by a national identity repository. For the reasons given above, the RPPS number or ADELI number shall be used depending on the profession. The RPPS number is gradually replacing the historical ADELI identifier. The extension of the RPPS and the gradual replacement of ADELI directory does not impact this identification level. Classification : Public 9 / 18

10 Usage of a local identifier under certain conditions For professionals in health and community health sectors that do not have a public identifier, the legal entities that employ them play the role of Registration Authority in accordance with the rules described in level 1. However, unlike Level 1, the local identifier shall be unique regardless of its context of use Level 3 Since there is no nationwide operational identifier for individuals, the identification of individuals using level 3 is therefore based on the same credentials as level 2. (i.e. Level 2 and 3 identification requirements are the same for individuals) 5.2 Levels of identification for legal entities Level 1 of identification of legal entities would involve the assignment of local identifiers to legal entities under the responsibility of another legal entity. However, the creation of a legal entity automatically results in registration in a national identity repository (i.e. the SIRENE repository) and assignment of a national identifier (i.e. the SIREN number) so there is no point in assigning local identifiers to a legal entity. As a result, the identification of a legal entity begins at level 2 in the PGSSI-S Level 2 There are two ways to identify a corporation: identification of the corporation as its own legal entity; identification of its different geographic sites. Both approaches generate multiple possible identifiers for a single legal entity. For level 2, there are 4 types of identifiers used for legal entities: the FINESS numbers assigned by the FINESS directory. FINESS identifiers are organized based on a legal identification (also known as legal FINESS or FINESS EJ) and enable the identification of the geographic sites of facilities connected to the legal entity (also known as geographic FINESS or facility FINESS or FINESS ET) 4 ; the SIREN and SIRET numbers assigned by INSEE to legal entities (SIREN number for a legal entity and SIRET number for a geographic site); SIREN numbers and nationwide operational identifiers used to identify private health practices (i.e., private health professional practice numbers based on the identifier of the health professional also known as the RPPS-rank or ADELI-rank as it relates to the identifier of the health professional) that identify geographic sites 5. SIRET identifiers assigned to any association submitted to the SIRET. Otherwise, the RNA (Répertoire National des Associations) identifier is used Level 3 For level 3 identification of legal entities, only the identifiers assigned by a national identity repository during registration of the legal entity are used, specifically: 4 It should be noted that legal entities identified by FINESS numbers also possess SIREN and SIRET numbers. However, the FINESS numbers are preferred because they indicate that the organization has a link to the health and community health domain. 5 Private health practices also have SIRET numbers. However, these numbers are rarely used in the field. The RPPS rank and ADELI rank operational identifiers (assigned upon registration of the independent health and community health professionals in charge of the legal entity) can be used to identify private practices for level 2 identification of legal entities. Classification : Public 10 / 18

11 the FINESS numbers assigned by the FINESS directory. FINESS identifiers are organized based on a legal identification (also known as legal FINESS or FINESS EJ) and identify the geographic sites of facilities connected to the legal entity (also known as geographic FINESS or facility FINESS or FINESS ET); the SIREN and SIRET numbers assigned by INSEE to legal entities (SIREN number for a legal entity and SIRET number for a geographic site); the RNA (Répertoire National des Associations) identifier for associations not registered in the SIRENE repository. Classification : Public 11 / 18

12 6 Summary of identification levels Individual Registered in a national identity repository related to the health and community health domains Not registered in a national identity repository related to the health and community health domains Legal Entity Level 1 Level 2 Level 3 Local ID: Local or national identification: private identifier with the public identifier (RPPS or ADELI) possibility of multiple identifiers for one individual National identification: indirect identification (public identifier of the legal entity + private identifier of the individual) Local ID: private identifier with the possibility of multiple identifiers for one individual National identification: indirect identification (public identifier of the legal entity + private identifier of the individual) Not applicable Local Identification: unique private identifier National identification: indirect identification (public identifier for the legal entity + private identifier of the individual) Local or national identification: public identifier (FINESS EJ, FINESS ET, SIREN or SIRET) as well as nationwide operational identifiers (RPPSrank or ADELI-rank) Local or national identification: public identifier (FINESS EJ, FINESS ET, SIREN or SIRET)

13 7 Industry relevance This document provides a roadmap for the identification of health and community health actors which impacts health IT solutions by defining which identifier formats should be used and how to retrieve identity traits such as those necessary for access control decisions. Depending on the features implemented by technical solutions and the need for access to the identity traits of health and community health actors, access to CPS or CPE smartcard data may be sufficient if the CPS or CPE certificate is used to authenticate the smartcard holder 6. If the CPS or CPE certificate is not used to authenticate the smartcard holder, or if additional identity traits not stored in the CPS or CPE smartcard (such as the geographic location) are needed, then the architecture should include direct querying of national identity repositories, or integration of an extract of the national identity repository into a local repository to be queried locally. 8 Impact on professional practices The identification of health actors has little impact on professional practices. This identification is mainly used in support of security functionality such as the implementation of access rights or traceability. 6 For more information on the data contained in CPS or CPE smartcards, please refer to the CPS e- Health website : Classification : Public 13 / 18

14 9 Appendix 9.1 Processing of Identifiers Identifier type The different types of identifier used in the health and community health domains are listed below. For individuals: o RPPS number, o ADELI number, o local identifier using indirect identification; For legal entities: o Legal FINESS number, o Facility FINESS number, o SIREN number, o SIRET number, o RPPS-rank number, o ADELI-rank number, o NRA number. The identifier type must be known in order to process identifiers appropriately in order to use the identifier to perform actions such as querying for the associated identity traits (see section 4.9). The following sections describe the different ways to transmit the identifier type when using an identifier in a health information system Integration of the identifier type in the structure of transmitted data According to best practices for structured data, the identifier value should be associated with the identifier of the authority managing the identity repository to which the identifier is associated (also known as the assigning authority). XML structure example: In the case of the HL7 v3 id element that corresponds to an identifier: the id attribute is the identifier; id attribute is the identification of the assigning authority managing the identity repository that the identifier is associated with. Therefore <id extension = "ABCD" root = " " /> refers to the ABCD identifier assigned by the assigning authority and the ABCD identifier type is the identifier type assigned by authority. Example for a different type of structure: In the case of HL7 v2.5 XCN data type corresponding to a set of identity data: component 1 corresponds to the identifier; component 9 corresponds to the identifier of the assigning authority; component 13 is the identifier type. Classification : Public 14 / 18

15 Therefore ABCD^XXXXX^Xxxxxx^^^^^^& &ISO^X^^^1234 refers to the ABCD identifier assigned by authority and the identifier type of the ABCD identifier is the identifier type assigned by the authority (i.e. 1234). Note: If you are integrating a prefix to an identifier (see section ) in a format that also includes the identity of the assigning authority, then the identity of assigning authority points to the authority that defined the prefix being used and not to the authority that assigned the identifier. Therefore in the use of prefixes defined by ASIP Santé in the HIS Interoperability Framework (HIS-IF) for individuals, the identification of the assigning authority " "; refers to the authority of ASIP Santé who has defined prefixes for identifiers for individuals (see reference document #2 in appendix 9.3) Integration of the identifier type via a prefix In the event that data structures are not all known, it is easier to integrate the type of identifier directly into the value of the identifier in the form of prefixes whose meaning is shared by all partners. Each partner must then parse the identifier values in order to isolate the identifier itself as well as the prefix. Prefix example used in the CI-SIS: The second reference document in appendix 9.3 defines the prefixes used for identification of individuals or legal entities. For legal entities, the prefixes are: 0 for ADELI-rank identifier; 1 for a legal FINESS or institution identifier; 2 for SIREN identifier; 3 for a SIRET identifier; 4 for a RPPS-rank identifier. Thus refers to the corporation identifier , an RPPS-rank type identifier Interpretation of the identifier type Although it is possible in some cases to distinguish between different types of identifiers based on size, interpretation of identifier types based solely on their characteristics is discouraged because it does not effectively distinguish between identifier types that have the same number of characters. A good example of this are the ADELI number, the FINESS number and the SIREN number, all three of which have 9 characters which are usually numeric in nature Link to the health domain The fact that an individual or legal entity is linked to the health or community health domains and can be considered an actor in these domains supports filtering for preliminary access control purposes. This is however generally not sufficient and finer granularity access rights should be associated with the health or community health actor based on their identity traits (e.g. profession, specialty, etc), functional roles (e.g. administrator, head of admissions, etc) or designated authorization (e.g. authorized by the patient to access their data). Classification : Public 15 / 18

16 Intrinsic link between an actor and health or community health domain transmitted by the identifier type The following identifiers inherently bind the actors to whom they have been assigned to health and community health domains: For individuals: o RPPS number, o ADELI number; For legal entities: o Legal FINESS number, o FINESS establishment number, o RPPS-rank number o ADELI-rank number. It is therefore not necessary to access the corresponding identity repositories to determine if a person with one of these identifiers is a health or community health actor Validation of the relationship between an actor and the health or community health domains in the absence of intrinsic link transmitted by the identifier type The following identifiers do not inherently bind the actors to whom they have been assigned to the health or community health fields: For individuals: o local identifier via indirect identification; For legal entities: o SIREN number, o SIRET number. To determine whether an actor with one of these identifiers is a health or community health actor, it is necessary to consult the identity repository which assigned the identifier: the SIRENE repository for SIREN and SIRET numbers; the legal entity who played the role of Registration Authority for local identifiers after confirming that the legal entity itself is a health or community health actor. Analysis of identity traits recorded in these identity repositories should determine whether the person is a health or community actor. If in doubt and in the absence of further information, it is advisable to treat the actor as not being a health or community health actor. Note: In the case of the identifier included on a CDE or CPE card, verifying the health or community health nature of an actor has already been performed for legal entities by ASIP Santé, and for individuals by the legal entity acting as Registration Authority for those individuals. An individual carrier of a CDE or CPE card can therefore be considered as a health or community health actor even if the identifier assigned to them is a local identifier. Similarly, a legal entity whose legal representative has a CDE card or for whom some employees have CPE cards can be considered a health or community health actor even if it does not have a FINESS number, RPPS-rank or ADELI- rank. Classification : Public 16 / 18

17 9.1.3 Access to identity traits Knowledge of an identifier and its type helps determine which identity repository should be consulted in order to obtain all or part of the associated actor s identity traits: Identifier Type Legal entity legal FINESS number FINESS establishment number SIREN number SIRET number RPPS-rank number ADELI-rank number Individual RPPS ADELI Local identifier Identity Reference FINESS SIRENE RPPS CPS directory RPPS ADELI Local Repository The mechanisms and conditions for accessing the data for each of these identity repositories are available from the manager of that repository. Some identity traits can be repeated from one identity repository to another or integrated in the authentication mechanism. For example: identity traits of legal entities can be integrated as data describing the place of employment in an identity repository for individuals (e.g. population of the RPPS repository from a FINESS repository) identity traits from a national identity repository can be integrated into local identity management (e.g, supplementing the directory of an institution with excerpts from RPPS and/or ADELI repositories) identity traits from a national identity repository can be integrated with an authentication mechanism (e.g. integration of information from the RPPS repository such as identifier, name and surname, profession, activity data, etc into the CPS smartcard). Although this may allow for easier consultation of identity traits (local instead of remote consultation, consultation of a single national identity repository instead of two, etc), it should be kept in mind that the master identity repository is the original repository where identity traits were registered by the appropriate Registration Authority when assigning the identifier. Any update of identity traits must therefore be submitted to the Registration Authority identified for this repository; a local update is not sufficient. Similarly, in order to ensure that identity traits are up to date, they must be updated directly from the master Registration Authority rather than locally. 9.2 Glossary ADELI Acronym Automatisation DEs LIstes Name Classification : Public 17 / 18

18 FINESS RPPS SIREN SIRENE SIRET FIchier National des Etablissements Sanitaires et Sociaux Répertoire Partagé des Professionnels de Santé Système d Identification du Répertoire des ENtreprises Système Informatique pour le Répertoire des ENtreprises et de leurs Établissements Système d'identification du Répertoire des ETablissements 9.3 Referenced Documents Reference 1 : Reference 2 : Reference 3 : Nomenclature des Acteurs de Santé CI-SIS Annexe transversale Source of profession related data for individuals and organizations ( ( DONNEES-PERSONNES-STRUCTURES_V1.3.1.pdf) Collection of PGSSI-S documents (other reference documents and best practice guides) 7 7 When the set of PGSSI-S documents evolve, any updates to the PGSSI-S will be taken into account in future versions of this document. Specifically, this document may be updated to include references to best practices. Classification : Public 18 / 18