Influence of Information security in Economic growth using ISMS standard as a tool
Koji Nakao
KDDI, Information Security Fellow (supported by Prof. Yamassaki & JIPDEC)
Agenda
1) Current status of ISMS in Japan including statistical data
2) Examples of implementation of ISMS for successful case studies
3) Important aspects of Information Security in Japan
4) Influence of Information security by using ISMS standard as a tool
1) Current status of ISMS in Japan including statistical data
Purpose of the ISMS Conformity Assessment Scheme
• The Conformity Assessment Scheme for Information Security Management Systems (ISMS) is a third party conformity assessment/ certification scheme for information security management with international harmonization.
• This scheme is intended to contribute to raising the overall level of information security in Japan and to provide confidence in the level of information security to other organizations in Japan and in other countries.
Operation of the ISMS Conformity Assessment Scheme (as of Oct. 2010)
[Diagram: organisation of the scheme. The bodies and relationships shown are:]
• Accreditation body: Information Management Systems Promotion Center, JIPDEC. Certification bodies and personnel certification bodies apply to JIPDEC, which assesses and accredits them.
• Certification bodies (certification scheme): applicant organizations apply to an accredited certification body, which assesses them and certifies their ISMS.
• Personnel certification bodies (personnel certification scheme): applicants for auditors apply to a personnel certification body, which evaluates them; the personnel certification body also approves the auditor training bodies.
• Auditor training bodies: applicants for auditors attend a training course, and the training body issues certificates of successful completion.
Copyright JIPDEC ISMS, 2010
ISMS Certification Bodies in Japan
25 accredited ISMS certification bodies (13th October, 2010)
Number  Name
ISR001  Japan Quality Assurance Organization (JQA)
ISR002  JIC Quality Assurance Ltd. (JICQA)
ISR004  BSI Group Japan K.K. (BSI-J)
ISR005  Union of Japanese Scientists and Engineers ISO Center (JUSE-ISO Center)
ISR006  Japanese Standards Association Management Systems Enhancement Department (JSA)
ISR007  Japan Audit and Certification Organization for Environment and Quality (JACO)
ISR008  DNV Business Assurance Japan KK (DNV)
ISR010  International Certificate Authority of Management System (ICMS)
ISR011  JMA QA Registration Center (JMAQA)
ISR012  Perry Johnson Registrars, Inc. of JAPAN (PJRJ)
ISR013  Japan Approvals Institute for Telecommunications Equipment (JATE)
ISR014  Deloitte-Tohmatsu Evaluation and Certification Organization Co.,Ltd (Deloitte-TECO)
ISR015  TUV Rheinland Japan Ltd. (TUV RJ)
ISR016  Management System Assessment Center Co., Ltd. (MSA)
ISR017  Japan Value-Added Certification Co.,Ltd (J-VAC)
ISR018  Bureau Veritas Japan Co.,Ltd. (BV Certification)
ISR019  Defense Procurement Structure Improvement Foundation System Assessment Center (BSK System Assessment Center)
ISR020  Lloyd's Register Quality Assurance Limited (LRQA Japan)
ISR021  SGS Japan Inc. (SGS)
ISR022  SGS Japan Inc. (SGS)
ISR023  NIPPON KAIJI KENTEI QUALITY ASSURANCE Ltd. (NKKKQA)
ISR024  ISA Co., Ltd (ISA)
ISR025  ASR Co.,Ltd (ASR)
ISR026  JAPAN CHEMICAL QUALITY ASSURANCE LTD. (JCQA)
ISR027  UL DQS Japan Inc. Management Systems Solutions (UL DQS)
Transition of the Number of ISMS Certificates in Japan
[Chart: quarterly totals and cumulative sum of ISMS certificates, by month groups (1-3, 4-6, 7-9, 10-12) from 2002 to 2010. The cumulative series reaches 82 at the end of 2002, 321 (2003), 658 (2004), 1,341 (2005), 2,008 (2006), 2,535 (2007), 3,065 (2008), 3,458 (2009) and 3,636 as of 15 Oct, 2010; the largest quarterly addition shown is 251, in January-March 2006.]
3,636 (15 Oct, 2010)
Number of Certificates per Country (http://www.iso27001certificates.com/)
As of 2010
The total number of ISO/IEC 27001 certificates is now 6826.
Please note that not all certificates could be displayed in the register.
Japan 3632; India 492; China 483; UK 453; Taiwan 371; Germany 139; Korea 106; USA 96; Czech Republic 86; Hungary 71; Italy 60; Poland 56; Spain 54; Malaysia 40; Ireland 37; Thailand 36; Austria 35; Hong Kong 32; Greece 30; Romania 30; Australia 29; Mexico 24; Brazil 23; Slovakia 21; Turkey 21; UAE 20; France 19; Slovenia 17; Philippines 15; Pakistan 14; Vietnam 14; Iceland 13; Saudi Arabia 13; Netherlands 12; Singapore 12; Indonesia 11; Bulgaria 10; Kuwait 10; Norway 10; Russian Federation 10; Sweden 9; Colombia 8; Bahrain 7; Iran 7; Switzerland 7; Canada 6; Croatia 6; South Africa 5; Sri Lanka 5; Lithuania 4; Oman 4; Peru 4; Qatar 4; Chile 3; Egypt 3; Gibraltar 3; Macau 3; Portugal 3; Argentina 2; Belgium 2; Bosnia Herzegovina 2; Cyprus 2; Isle of Man 2; Kazakhstan 2; Morocco 2; Ukraine 2; Armenia 1; Bangladesh 1; Belarus 1; Denmark 1; Dominican Republic 1; Jersey 1; Kyrgyzstan 1; Lebanon 1; Luxembourg 1; Macedonia 1; Mauritius 1; Moldova 1; New Zealand 1; Sudan 1; Uruguay 1; Yemen 1.
Total 6826
2) Examples of implementation of ISMS for successful case studies
(1) A-Securities firm
ISMS scope: IS (Information Systems) department
Organizational size: 10 departments, 200 employees
Period: 8 months
Implementation steps (main): project formation and establishment, ISMS policy, risk assessment, controls selection and implementation, internal audit, management review
Establish ISMS Certification Project
[Diagram: project organization. The roles shown are:]
• CISO: sets the ISMS objectives of security management in the organization; sets the ISMS commitment and leads in the organization; reviews the ISMS results; reviews information security incidents and manages them.
• Organization line management: leads ISMS operations in each organization; cooperates on ISMS implementation with the Core Team.
• ISMS Core Team, with external support (an ISMS implementation team); employees and contractors; an Internal Audit team.
• Certification body: conducts the first audit; the certificate is then maintained yearly and updated (renewed) every 3 years.
(2) B-bank
ISMS scope: Headquarter divisions of the Bank
Organizational size: 30 departments, 1,000 employees
Period: 11 months
Implementation steps (main): total project planning, ISMS policy, risk assessment, controls selection and implementation, internal audit, management review, measurements, training and awareness
Project Master schedule (by implementation task)
[Gantt-style chart in three phases; dates are shown only as x/200x. Work packages:]
100: Organization establishment
200: Policy, standards, procedures fulfillment
300: Asset management
400: Education fulfillment
500: Physical environment fulfillment
600: Information System development
700: Business continuity management
800: Audit & self assessment establishment
900: Management implementation
Phase 1 is the establishment for information security: gap analysis, security policy arrangements, preparation for risk analysis and implementation plans. Phases 2 and 3 carry the work packages through implementation and review. The rows are mapped to the PDCA cycle: Plan = scope & policy, risk assessment, select controls, treatment plan; Do = implement controls, operate; Check = monitor/audit/reviews; Act = improve.
(3) C-Telecommunication
ISMS scope: Business unit of products and services development
Organizational size: 5 departments, 200 employees
Period: 9 months
Implementation steps (main): ISMS policy, risk assessment including gap analysis based on 27002 controls, controls selection and implementation, internal audit, management review, measurements
Security Gap analysis by 27002 control
Gap analysis is performed using evaluation criteria (A - E).
[Diagram: the gap analysis process.] The security reviews draw on three inputs:
• Interviews: the security organization, owners/users/providers, outsourcers, vendors, etc.
• Document reviews: security policy, current guidelines, network configuration, operation procedures, user guides, etc.
• Site reviews: computer center, offices, network, systems, etc.
Each control area is graded A-E and plotted as a scaled score (E = 0, D = 25, C = 50, B = 75, A = 100) against the security level to be conformed to. The areas follow the eleven control clauses of ISO/IEC 27002: Security policy; Organizational security; Asset classification and control; Personnel security; Physical and environmental security; Communications and operations management; Access control; Systems development & maintenance; Business continuity management; Compliance; Information security incident management.
Evaluation Criteria
A - Excellent: a management cycle and improvement activities are running, so the controls are effective.
B - Above average: standardized documentation/procedures exist and are in operation.
C - About average: standardized documentation/procedures exist but are not in operation.
D - Little done: no standardized documentation/procedures exist; operations are done orally or by each person.
E - Nothing done
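The scoring step of such a gap analysis is easy to mechanise, which also makes it repeatable between reviews. The following Python is an added example, not code from the presentation or from the telecommunication company: it takes findings graded A-E per ISO/IEC 27002:2005 control area, converts them with the 0/25/50/75/100 scale above, averages per area, reports the gap against a target grade, and separately lists areas that were never assessed (a gap in the review itself, not evidence of conformance). The findings, the target grade B and the control numbers are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

# Scaled score for each evaluation grade, as on the slide (E = 0 ... A = 100).
GRADE_SCORE = {"A": 100, "B": 75, "C": 50, "D": 25, "E": 0}

# The eleven control areas of ISO/IEC 27002:2005 (clauses 5 to 15).
CONTROL_AREAS = (
    "Security policy",
    "Organizing information security",
    "Asset management",
    "Human resources security",
    "Physical and environmental security",
    "Communications and operations management",
    "Access control",
    "Information systems acquisition, development and maintenance",
    "Information security incident management",
    "Business continuity management",
    "Compliance",
)


@dataclass(frozen=True)
class Finding:
    """One graded control: its area, the 27002 control number, the A-E grade
    given by the reviewer, and the evidence source (interview, document
    review or site review)."""
    area: str
    control: str
    grade: str
    source: str


def grade_to_score(grade):
    """Map an A-E grade to the scaled score; reject anything outside A-E."""
    try:
        return GRADE_SCORE[grade.strip().upper()]
    except KeyError:
        raise ValueError(f"unknown grade {grade!r}; expected A, B, C, D or E") from None


def score_by_area(findings):
    """Average scaled score per control area (areas with no findings are absent)."""
    buckets = defaultdict(list)
    for f in findings:
        if f.area not in CONTROL_AREAS:
            raise ValueError(f"unknown control area {f.area!r}")
        buckets[f.area].append(grade_to_score(f.grade))
    return {area: sum(scores) / len(scores) for area, scores in buckets.items()}


def gap_report(findings, target_grade="B"):
    """Per assessed area: score, target score, gap to close, conformance flag."""
    target = grade_to_score(target_grade)
    report = {}
    for area, score in score_by_area(findings).items():
        report[area] = {
            "score": score,
            "target": target,
            "gap": max(0.0, target - score),
            "conforms": score >= target,
        }
    return report


def unassessed_areas(findings):
    """Control areas with no finding at all: a coverage gap in the review."""
    covered = {f.area for f in findings}
    return [area for area in CONTROL_AREAS if area not in covered]


def weakest_areas(report, n=3):
    """Areas with a positive gap, largest gap first (ties broken by name)."""
    ranked = sorted(report.items(), key=lambda kv: (-kv[1]["gap"], kv[0]))
    return [area for area, r in ranked[:n] if r["gap"] > 0]


# Constructed sample findings (illustrative; not from any real review).
SAMPLE_FINDINGS = [
    Finding("Security policy", "5.1.1", "A", "document review"),
    Finding("Security policy", "5.1.2", "B", "interview"),
    Finding("Access control", "11.2.1", "B", "document review"),
    Finding("Access control", "11.3.1", "C", "interview"),
    Finding("Access control", "11.5.1", "A", "site review"),
    Finding("Physical and environmental security", "9.1.1", "D", "site review"),
    Finding("Physical and environmental security", "9.2.1", "E", "site review"),
    Finding("Information security incident management", "13.1.1", "C", "interview"),
]


if __name__ == "__main__":
    report = gap_report(SAMPLE_FINDINGS, target_grade="B")
    for area, r in sorted(report.items(), key=lambda kv: -kv[1]["gap"]):
        flag = "ok " if r["conforms"] else "GAP"
        print(f"{flag} {area:<45} score={r['score']:5.1f} gap={r['gap']:5.1f}")
    print("weakest:", weakest_areas(report))
    print("not assessed:", unassessed_areas(SAMPLE_FINDINGS))
```

Averaging per area hides a single E behind several B's, so the per-control grades should be kept alongside the area score when the treatment plan is written; the example keeps them in the Finding records for that reason.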
(4) D-Consulting company
ISMS scope: Whole company
Organizational size: 30 departments, 2,000 employees
Period: 9 months
Implementation steps (main): ISMS policy, risk assessment, controls selection and implementation, internal audit, management review, measurements scheme
ISMS measurements scheme establishment
PC Security (one of the objectives)
Objective: all PCs of the organization shall be secured based on the organization's regulated settings and maintenance.
Measure: conformed PCs / total PCs
Target: 100%
Indicators
Green zone: 100% - 99%
Yellow zone: 99% - 95%
Red zone: 95% - 0%
Controls to be implemented (ISO/IEC 27001:2005 Annex A)
A.9.2 / A.9.2.5, A.9.2.7
A.10.4 / A.10.4.1, A.10.4.2
A.11.3 / A.11.3.1, A.11.3.2, A.11.3.3
A.11.7 / A.11.7.1, A.11.7.2
A.15.1 / A.15.1.5
A.15.2 / A.15.2.1
Actions by indicator
① Yellow zone: some individuals do not conform. Reassess the non-conforming items and identify the causes; identify the controls relating to those causes (for example the screen saver) and re-define the safeguards.
② Red zone: a totally risky situation for the organization. Identify the weak departments and have the CISO request improvement actions.
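A measure like conformed PCs / total PCs is simple to state but easy to get wrong at the zone boundaries and in the follow-up. The following Python is an added example, not code from the presentation or from the consulting company: it checks a constructed PC inventory against a hypothetical set of regulated settings, computes the ratio with integer arithmetic so that exactly 99% falls in the green zone as the ranges above state, and then carries out the zone action from the slide, counting failing items for the yellow zone and ranking departments by conformance for the red zone. The setting names, department names and PC records are all assumptions.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass

# Hypothetical regulated settings every PC must have. The slide names the
# screen saver as one example; the others are assumed for illustration.
REQUIRED_SETTINGS = {
    "screen_saver_lock": True,
    "disk_encryption": True,
    "antivirus_current": True,
    "os_patches_current": True,
}


@dataclass(frozen=True)
class PC:
    asset_id: str
    department: str
    settings: dict  # setting name -> observed value


def nonconforming_items(pc):
    """Regulated settings this PC fails; a missing setting counts as a failure."""
    return sorted(name for name, required in REQUIRED_SETTINGS.items()
                  if pc.settings.get(name) != required)


def zone(conformed, total):
    """Green 100%-99%, yellow 99%-95%, red 95%-0%, as on the slide.
    Integer comparison avoids float rounding at the boundaries; a value
    exactly on a boundary goes to the better zone (assumption: the slide
    lists each boundary in both ranges)."""
    if total <= 0:
        raise ValueError("no PCs in scope")
    if conformed * 100 >= 99 * total:
        return "green"
    if conformed * 100 >= 95 * total:
        return "yellow"
    return "red"


def failing_items(fleet):
    """Yellow-zone action: which regulated items fail and how often, so the
    related controls (e.g. screen saver) can be re-defined."""
    counts = Counter()
    for pc in fleet:
        counts.update(nonconforming_items(pc))
    return counts


def weak_departments(fleet):
    """Red-zone action: departments with non-conforming PCs, worst ratio first.
    Returns (department, conformed, total) tuples."""
    by_dept = defaultdict(lambda: [0, 0])  # dept -> [conformed, total]
    for pc in fleet:
        by_dept[pc.department][1] += 1
        if not nonconforming_items(pc):
            by_dept[pc.department][0] += 1
    weak = [(d, c, t) for d, (c, t) in by_dept.items() if c < t]
    return sorted(weak, key=lambda x: (x[1] / x[2], x[0]))


def evaluate(fleet):
    """Compute the measure, its zone, and the follow-up data for that zone."""
    total = len(fleet)
    conformed = sum(1 for pc in fleet if not nonconforming_items(pc))
    z = zone(conformed, total)
    result = {"conformed": conformed, "total": total,
              "ratio": conformed / total, "zone": z}
    if z == "yellow":
        result["causes"] = dict(failing_items(fleet))
    elif z == "red":
        result["weak_departments"] = weak_departments(fleet)
    return result


def build_fleet(spec):
    """Constructed inventory: 10 PCs per department; the first `failures` PCs
    of a department have the `broken` setting turned off. Sample data only."""
    fleet = []
    for dept, (failures, broken) in spec.items():
        for i in range(10):
            settings = dict(REQUIRED_SETTINGS)
            if i < failures:
                settings[broken] = False
            fleet.append(PC(f"{dept[:3].upper()}-{i:03d}", dept, settings))
    return fleet


# 39 of 40 PCs conform: 97.5%, yellow zone.
YELLOW_FLEET = build_fleet({
    "Sales": (1, "screen_saver_lock"),
    "Engineering": (0, "disk_encryption"),
    "Finance": (0, "disk_encryption"),
    "General Affairs": (0, "antivirus_current"),
})

# 34 of 40 PCs conform: 85%, red zone, with Finance the weakest department.
RED_FLEET = build_fleet({
    "Sales": (1, "screen_saver_lock"),
    "Engineering": (0, "disk_encryption"),
    "Finance": (5, "disk_encryption"),
    "General Affairs": (0, "antivirus_current"),
})


if __name__ == "__main__":
    for name, fleet in (("yellow", YELLOW_FLEET), ("red", RED_FLEET)):
        print(name, evaluate(fleet))
```

Note that a PC whose settings could not be collected at all is counted as non-conforming here; treating unknown as conformed would let inventory gaps push the measure into the green zone.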
(5) E-Manufacturing (group)
ISMS scope: unified ISMS certification covering all the group companies
Organizational size: 20 group companies + 100 departments, 30,000 employees
Period: 10 months
Implementation steps (main): ISMS objectives setting, ISMS policy, risk assessment, controls selection and implementation, internal audit, management review, measurements, integrating privacy
ISMS Objectives Establishment
[Diagram: how objectives and targets are derived.] The CEO's business directions give management's directions on business (security objectives/targets); the CISO's security directions and the ISMS policy give management's directions on security; project requirements feed in alongside them. The questions asked are: what objectives are developed from the business/security directions, and what targets are set to evaluate whether the objectives are achieved? The mechanisms that protect information are NDAs with customers, PIPs with customers, physical security, PC security, education and awareness, asset management at retirement, and incident management; the security results of operations (for example, a lost PC) are measured against the targets.
ISMS improvement process
[Diagram: reporting and action flow.] Security staff in each organization measure, collect, calculate, analyze, evaluate and report. Reports go up through the department committee member and the department-group committee member to the Security Committee (CISO) and the Management Committee (CEO), and results are published on the web. In the opposite direction the Management Committee and the Security Committee indicate actions, and the committee members recommend improvement actions down to the security staff.
3) Important aspects of Information Security in Japan
Motivation
Many governmental and public bodies consider and select companies that have already obtained ISMS certification, and this condition is clearly stated in their bidding conditions.
This is a good motivation for organizations to start developing an ISMS.
Examples (1)
☆ National Personnel Authority, Secretariat (人事院事務総局) http://www.jinji.go.jp/tyoutatu/061030_1.nyusatsu.txt
☆ Ministry of Health, Labour and Welfare, Labour Bureau (厚生労働省労働局) http://www.mhlw.go.jp/sinsei/chotatu/chotatu/pdf/roudou_sys-1a.pdf
☆ Japan National Tourism Organization, incorporated administrative agency (独立行政法人国際観光振興機構) http://www.jnto.go.jp/jpn/downloads/bid_080218_shinsei.pdf
☆ Japan Arts Council, incorporated administrative agency (独立行政法人日本芸術文化振興会) http://www.ntj.jac.go.jp/updata/20080414ntj1.pdf
☆ New Energy and Industrial Technology Development Organization, incorporated administrative agency (独立行政法人 新エネルギー・産業技術総合開発機構) http://www.nedo.go.jp/informations/koubo/191207_11/191207_11.html
☆ Mie Prefecture, Accounting Support Office (三重県会計支援室) http://www.pref.mie.jp/NYUSATSU/2008040033.htm
☆ Shiga Prefecture, Department of Citizens' Culture and Life, Information Policy Division, IT Planning Office (滋賀県県民文化生活部情報政策課IT企画室) http://www.pref.shiga.jp/nyusatsu/koukoku/ce00/20071122.html
☆ Miyagi Prefecture, Department of Environment and Life, Environmental Policy Division (宮城県環境生活部環境政策課) http://www.pref.miyagi.jp/kankyo-s/report/H19_report/koukoku.ecoinfo.pdf
☆ Oita Prefecture, General Affairs Department, General Affairs Service Center (大分県総務部総務事務センター) http://www.pref.oita.jp/11850/nyusatsu/2080402.html
etc.
Example (2)
Open Bidding System
3. Organizations who can join the open bid
(1) Not falling under Article 70 of the Budget, Settlement and Accounting Order. A minor, a person under curatorship or a person under assistance who has obtained the consent required to conclude the contract is treated as a case with special reasons under that Article.
(2) Not falling under Article 71 of the Budget, Settlement and Accounting Order.
(3) Being graded "B", "C" or "D" in "Provision of services, etc." for the Kanto-Koshinetsu region under the FY2004-2006 Cabinet Office qualification for participation in competitive bidding (unified qualification for all ministries and agencies).
(4) Not being, at the time, under a suspension of transactions imposed by a contracting officer.
(5) Having obtained Information Security Management System (ISMS) certification, or holding a license to use the Privacy Mark conforming to JIS Q 15001. (You must be an organization that has already obtained ISMS certification, or the Privacy Mark based on JIS Q 15001.)
Comparison between ISMS and P-mark (privacy-mark)
[Diagram: the company's departments (Finance, Accounting, General Affairs, Sales, Maintenance, Operation Department, Strategy, Planning, Engineering) plotted on two axes, "Application and scope" and "Type of Assets".] The ISMS box covers one chosen scope (here the Operation Department) but all types of information assets held there; the P-mark box spans every department but only the privacy data each one holds.
• Applied to Standards for Information Security Measures for the Central Government Computer Systems;
• Applied to Telecommunication based on ISO/IEC 27002:2005. (ITU-T X.1051, ISO/IEC 27011)
• Applied to Information Security Audit.(JASA has been actively working in this area)…
• etc.
Outline of "Standards for Information Security Measures for the Central Government Computer Systems"
Governmental Agencies
- To achieve the sectoral plan for raising the information security level of the whole government, the government formulates the "Standards for Information Security Measures for the Central Government Computer Systems" ("Standards for Measures"), which provide the minimum required standards for the measures to be taken by the central government agencies.
- Each government agency implements measures according to the Standards for Measures, and the NISC inspects and evaluates the implementation status at the central government agencies. The ISPC makes recommendations for improvement based on the inspection/evaluation results.
Information Security Policy Council (ISPC): formulates the Standards for Measures, and makes recommendations for improvement based on the results of the evaluation of the measures taken by the central government agencies.
National Information Security Center (NISC): inspects and evaluates the implementation status at the central government agencies.
Government agencies: review their own standards according to the Standards for Measures and run a Plan-Do-Check-Act cycle on them.
[Diagram: review of the standards of a government agency in compliance with the Standards for Measures.] At present an agency's standards may have defects (absence or insufficiency) in information security measures; in future they are (1) supplemented with the Standards for Measures, and (2) each agency's information security level is raised. Across agencies A to F this raises the current lowest level to the minimum required level and leads to the achievement of a higher level overall.
ITU-T X.1051 = ISO/IEC 27011
4) Influence of Information security by using ISMS standard as a tool
Information Security Controls in ISO/IEC 27002 can be a key component
ISO/IEC 27002:2005 clauses and the security area each one covers:
Clause 5   Security policy -> Security strategy
Clause 6   Organising information security -> Security governance
Clause 7   Asset management -> Asset classification, etc.
Clause 8   Human resources security -> Education and training
Clause 9   Physical & environmental security -> Entrance control, etc.
Clause 10  Communications & operations management -> Network security, security operation, etc.
Clause 11  Access control -> Authentication, IdM, etc.
Clause 12  Information systems acquisition, development and maintenance -> Application & system security, etc.
Clause 13  Information security incident management -> Incident handling, etc.
Clause 14  Business continuity management -> Disaster recovery and BCM, etc.
Clause 15  Compliance -> Compliance to regulation, etc.
Application to work on Cloud discussed in Japan
Information security management guidelines for the use of cloud computing services based on ISO/IEC 27002
[Diagram: the cloud guide follows ISO/IEC 27002 clause by clause, with a cloud-specific guide attached to each clause.] WG1 covers security management based on the whole set of 27002 controls; WG4 is specialized in the specific controls, and its standards attach to the relevant clauses: ISO/IEC 27031 (ICT readiness for BC), ISO/IEC 27033 (Network security), ISO/IEC 27034 (Application security), ISO/IEC 27035 (Incident management), ISO/IEC 27036 (Outsourcing). Other examples: 27011, 27015, etc.
Current & Future Perspective
• ISMS certification leads to gaining client confidence and enhancing business competitiveness, and it meets trade requirements such as the bidding conditions of governmental and public businesses.
• Regarding internal control, the management process of an ISMS can be used effectively for business risk control (according to the statistical data in Japan).
• Although many security technologies exist today, ISMS has successfully bound those technologies together in a consistent way. In Japan, information security across many sectors is strongly influenced by the concept of ISMS and ISM (and this may be connected to economic growth).
Guides on ISMS published by JIPDEC in Japan
• ISMS User’s Guide - JIS Q 27001:2006 (ISO/ IEC 27001:2005) compliant-
• ISMS User’s Guide - Risk Management
• ISMS User’s Guide for Medical Organizations
• ISMS User’s Guide for Payment Card Industry
• ISMS User’s Guide on Legal Compliance
• How to utilize the ISMS Conformity Assessment Scheme in Outsourcing
• Guide on Compliance with PCI DSS/ISMS
• Others
[Diagram: the ISMS cycle. Design security; implement & use security; monitor & review security; maintain & improve security.]