Influence of Information security in Economic growth using ISMS standard as a tool Koji Nakao KDDI, Information Security Fellow (supported by Prof. Yamassaki & JIPDEC)


Page 1: Influence of Information security in Economic growth using ... · International Certificate Authority of Management System (ICMS) ISR023 NIPPON KAIJI KENTEI QUALITY ASSURANCE Ltd.

Influence of Information security in Economic growth using ISMS standard as a tool

Koji Nakao

KDDI, Information Security Fellow (supported by Prof. Yamassaki & JIPDEC)

Page 2

Agenda

1) Current status of ISMS in Japan including statistical data

2) Examples of implementation of ISMS for successful case studies

3) Important aspects of Information Security in Japan

4) Influence of Information security by using ISMS standard as a tool

Page 3

Agenda

1) Current status of ISMS in Japan including statistical data

2) Examples of implementation of ISMS for successful case studies

3) Important aspects of Information Security in Japan

4) Influence of Information security by using ISMS standard as a tool

Page 4

Purpose of the ISMS Conformity Assessment Scheme

• The Conformity Assessment Scheme for Information Security Management Systems (ISMS) is a third party conformity assessment/certification scheme for information security management with international harmonization.

• This scheme is intended to contribute to raising the overall level of information security in Japan and to provide confidence in the level of information security to other organizations in Japan and in other countries.

Page 5

Operation of the ISMS Conformity Assessment Scheme (as of Oct. 2010)

[Diagram: operation of the scheme, covering the certification scheme and the personnel certification scheme. Entities: Accreditation body (Information Management Systems Promotion Center, JIPDEC), Certification bodies, Personnel Certification bodies, Auditor training bodies, Applicant organizations, Applicants for auditors. Arrow labels: Apply, Assess (certify), Assess (accredit), Approve, Evaluate, Attend a training course, Issue certificates of successful completion.]

Copyright JIPDEC ISMS, 2010

Page 6

ISMS Certification Bodies in Japan

25 accredited ISMS certification bodies (13th October, 2010)

Number  Name
ISR001  Japan Quality Assurance Organization (JQA)
ISR002  JIC Quality Assurance Ltd. (JICQA)
ISR004  BSI Group Japan K.K. (BSI-J)
ISR005  Union of Japanese Scientists and Engineers ISO Center (JUSE-ISO Center)
ISR006  Japanese Standards Association Management Systems Enhancement Department (JSA)
ISR007  Japan Audit and Certification Organization for Environment and Quality (JACO)
ISR008  DNV Business Assurance Japan KK (DNV)
ISR010  International Certificate Authority of Management System (ICMS)
ISR011  JMA QA Registration Center (JMAQA)
ISR012  Perry Johnson Registrars, Inc. of JAPAN (PJRJ)
ISR013  Japan Approvals Institute for Telecommunications Equipment (JATE)
ISR014  Deloitte-Tohmatsu Evaluation and Certification Organization Co., Ltd (Deloitte-TECO)
ISR015  TUV Rheinland Japan Ltd. (TUV RJ)
ISR016  Management System Assessment Center Co., Ltd. (MSA)
ISR017  Japan Value-Added Certification Co., Ltd (J-VAC)
ISR018  Bureau Veritas Japan Co., Ltd. (BV Certification)
ISR019  Defense Procurement Structure Improvement Foundation System Assessment Center (BSK System Assessment Center)
ISR020  Lloyd's Register Quality Assurance Limited (LRQA Japan)
ISR021  SGS Japan Inc. (SGS)
ISR022  SGS Japan Inc. (SGS)
ISR023  NIPPON KAIJI KENTEI QUALITY ASSURANCE Ltd. (NKKKQA)
ISR024  ISA Co., Ltd (ISA)
ISR025  ASR Co., Ltd (ASR)
ISR026  JAPAN CHEMICAL QUALITY ASSURANCE LTD. (JCQA)
ISR027  UL DQS Japan Inc. Management Systems Solutions (UL DQS)

Page 7

Transition of the Number of ISMS Certificates in Japan

[Chart: number of ISMS certificates per quarter (months 4-6, 7-9, 10-12, 1-3), 2002 to 2010. Series: Sum Total, Quarterly Total. Vertical axis: 0 to 4000.]

Sum total: 3,636 (15 Oct, 2010)

Page 8

Number of Certificates per Country (http://www.iso27001certificates.com/)

As of 2010

The total number of ISO/IEC 27001 certificates is now 6826.

Please note that not all certificates could be displayed in register.

Japan 3632 | Hong Kong 32 | Singapore 12 | Peru 4 | Belarus 1
India 492 | Greece 30 | Indonesia 11 | Qatar 4 | Denmark 1
China 483 | Romania 30 | Bulgaria 10 | Chile 3 | Dominican Republic 1
UK 453 | Australia 29 | Kuwait 10 | Egypt 3 | Jersey 1
Taiwan 371 | Mexico 24 | Norway 10 | Gibraltar 3 | Kyrgyzstan 1
Germany 139 | Brazil 23 | Russian Federation 10 | Macau 3 | Lebanon 1
Korea 106 | Slovakia 21 | Sweden 9 | Portugal 3 | Luxembourg 1
USA 96 | Turkey 21 | Colombia 8 | Argentina 2 | Macedonia 1
Czech Republic 86 | UAE 20 | Bahrain 7 | Belgium 2 | Mauritius 1
Hungary 71 | France 19 | Iran 7 | Bosnia Herzegovina 2 | Moldova 1
Italy 60 | Slovenia 17 | Switzerland 7 | Cyprus 2 | New Zealand 1
Poland 56 | Philippines 15 | Canada 6 | Isle of Man 2 | Sudan 1
Spain 54 | Pakistan 14 | Croatia 6 | Kazakhstan 2 | Uruguay 1
Malaysia 40 | Vietnam 14 | South Africa 5 | Morocco 2 | Yemen 1
Ireland 37 | Iceland 13 | Sri Lanka 5 | Ukraine 2
Thailand 36 | Saudi Arabia 13 | Lithuania 4 | Armenia 1
Austria 35 | Netherlands 12 | Oman 4 | Bangladesh 1 | Total 6826

Page 9

Agenda

1) Current status of ISMS in Japan including statistical data

2) Examples of implementation of ISMS for successful case studies

3) Important aspects of Information Security in Japan

4) Influence of Information security by using ISMS standard as a tool

Page 10

(1) A-Securities firm

ISMS scope: IS (Information Systems) department

Organizational size: 10 departments, 200 employees

Period: 8 months

Implementation steps (main): Project formation establishment, ISMS policy, risk assessment, controls selection and implementation, internal audit, management review

Page 11

Establish ISMS Certification Project

[Diagram: project organization. Labels: CISO, the organization line management, ISMS Core Team (ISMS implementation team), Internal Audit team, Employee and Contractors, External support (Support), Certification Body (1st audit; Maintain (Yearly); Updated (3 years)).]

• Set the ISMS objectives of security management in the organization
• Set the ISMS commitment and lead in the organization
• Review the ISMS results
• Review information security incidents, and manage them
• Lead ISMS operations in each organization
• Cooperate ISMS implementation with Core team

Page 12

(2) B-bank

ISMS scope: Headquarter divisions of Bank

Organizational size: 30 departments, 1,000 employees

Period: 11 months

Implementation steps (main): Total project planning, ISMS policy, risk assessment, controls selection and implementation, internal audit, management review, measurements, training and awareness

Page 13

Project Master schedule

Master schedule (by implementation task)

100: Organization establishment
200: Policy, standards, procedures fulfillment
300: Asset management
400: education fulfillment
500: Physical environment fulfillment
600: Information System development
700: Business continuity management
800: Audit & self assessment establishment
900: Mgmt implement.

[Diagram: schedule chart titled "Establishment for information security", laid out along Plan, Do, Check, Act. Step labels: Scope & policy, Risk assess, Select controls, Treatment plan, Implement controls, Operate, Monitor/Audit/Reviews, Improve. Other labels: Gap analysis, Security policy arrangements, Preparation for risk analysis, Implementation plans, Phase 1, Phase 2, Phase 3, milestone dates x/200x.]

Page 14

(3) C-Telecommunication

ISMS scope: Business unit of products and services development

Organizational size: 5 departments, 200 employees

Period: 9 months

Implementation steps (main): ISMS policy, risk assessment including gap analysis based on 27002 controls, controls selection and implementation, internal audit, management review, measurements

Page 15

Security Gap analysis by 27002 control

Gap analysis is performed using evaluation criteria (A – E).

Security reviews
• Interviews (interviewees): Security organization, Owner/user/provider, Outsource, Vendor etc.
• Document reviews: Security policy, Current guidelines, Network configuration, Operation procedures, User guides etc.
• Site reviews: Computer center, Office, Network, System, etc.

Scaled score: A (100), B (75), C (50), D (25), E (0)

[Chart: radar chart titled "Information Security Tub" with axes numbered 1 to 11 and a reference line "Security level to be conformed". Axis labels: Security policy; Organizational Security; Asset classification and control; Personnel Security; Physical and environmental Security; Communications and operations management; Access control; Systems development & maintenance; Business Continuity management; Compliance; Information Security Incident management.]

Evaluation Criteria

A – Excellent: The management cycle and improvement activities are performed so that controls are effective.
B – Above average: Standardized documentation/procedures exist and are in operation.
C – About average: Standardized documentation/procedures exist but are not in operation.
D – Little done: Standardized documentation/procedures do not exist, and operations are carried out on an oral basis or by each person individually.
E – Nothing done

Page 16

(4) D-Consulting company

ISMS scope: Whole company

Organizational size: 30 departments, 2,000 employees

Period: 9 months

Implementation steps (main): ISMS policy, risk assessment, controls selection and implementation, internal audit, management review, measurements scheme

Page 17

ISMS measurements scheme establishment

PC Security (one of the Objectives)

Objectives: All PCs of the organization shall be secured based on the organization’s regulated setting and maintenance.

Measure: Conformed PCs / total PCs

Targets: 100%

Indicators
Green zone: 100% - 99%
Yellow zone: 99% - 95%
Red zone: 95% - 0%

Controls to be implemented
A9.2/A.9.2.5, A.9.2.7
A10.4/A.10.4.1, A10.4.2
A11.3/A.11.3.1, A.11.3.2, A.11.3.3
A11.7/A.11.7.1, A.11.7.2
A15.1/A.15.1.5
A15.2/A.15.2.1

(Actions by Indicators)
① In case of Yellow zone, some individuals do not conform.
→ Reassess the nonconforming items and identify the causes.
→ Identify the controls relating to the causes (for example, screen saver) and re-define the safeguards.
② In case of Red zone, it is a totally risky situation for the organization.
→ Identify the weak department and request improvement actions from the CISO.
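The measurement scheme on this slide, worked through as an added example (not part of the original deck): it computes Conformed PCs / total PCs, maps the result to a zone, and derives the follow-up action the slide lists for Yellow and Red. The inventory records, check names, department names and the check-to-control mapping are constructed assumptions, and because the slide's zones overlap at 99% and 95%, the code assumes exactly 99% is Green and exactly 95% is Yellow.

```python
from collections import Counter, defaultdict

# Zone lower bounds from the slide. Assumption: a boundary value belongs to
# the better zone (99% is Green, 95% is Yellow); the slide leaves this open.
GREEN_MIN = 99.0
YELLOW_MIN = 95.0

# Hypothetical compliance checks mapped to controls named on the slide.
# The mapping itself is an assumption made for this example.
CHECK_TO_CONTROL = {
    "screen_saver_lock": "A.11.3.3",
    "antivirus_signatures": "A.10.4.1",
    "password_policy": "A.11.3.1",
}


def conformance(records):
    """Measure from the slide: conformed PCs / total PCs, as a percentage."""
    if not records:
        raise ValueError("no PCs in scope: the measure is undefined")
    conformed = sum(1 for r in records if not r["failed"])
    return 100.0 * conformed / len(records)


def zone(pct):
    if pct >= GREEN_MIN:
        return "green"
    return "yellow" if pct >= YELLOW_MIN else "red"


def evaluate(records):
    """Return the indicator plus the input needed for the slide's action."""
    pct = conformance(records)
    result = {"conformance_pct": round(pct, 2), "zone": zone(pct)}
    if result["zone"] == "yellow":
        # Yellow: reassess nonconforming items, identify causes and controls.
        tally = Counter(c for r in records for c in r["failed"])
        result["causes"] = [(c, CHECK_TO_CONTROL.get(c, "unmapped"), n)
                            for c, n in tally.most_common()]
    elif result["zone"] == "red":
        # Red: identify the weak department for the CISO's improvement request.
        by_dept = defaultdict(list)
        for r in records:
            by_dept[r["dept"]].append(r)
        worst = min(by_dept, key=lambda d: (conformance(by_dept[d]), d))
        result["weakest_dept"] = worst
        result["weakest_dept_pct"] = round(conformance(by_dept[worst]), 2)
    return result


def build_inventory(total_by_dept, failures):
    """Construct sample records; `failures` maps a PC id to its failed checks."""
    return [{"pc": f"{dept}-{i:03d}", "dept": dept,
             "failed": failures.get(f"{dept}-{i:03d}", [])}
            for dept, total in total_by_dept.items() for i in range(total)]


# Constructed sample: 200 PCs, 6 nonconforming -> 97%.
SAMPLE_YELLOW = build_inventory(
    {"sales": 100, "engineering": 100},
    {"sales-003": ["screen_saver_lock"], "sales-017": ["screen_saver_lock"],
     "sales-042": ["antivirus_signatures"],
     "engineering-008": ["screen_saver_lock"],
     "engineering-051": ["password_policy", "screen_saver_lock"],
     "engineering-099": ["antivirus_signatures"]})

# Constructed sample: 100 PCs, 10 nonconforming (8 in engineering) -> 90%.
SAMPLE_RED = build_inventory(
    {"sales": 50, "engineering": 50},
    {**{f"engineering-{i:03d}": ["antivirus_signatures"] for i in range(8)},
     **{f"sales-{i:03d}": ["screen_saver_lock"] for i in range(2)}})

if __name__ == "__main__":
    print(evaluate(SAMPLE_YELLOW))
    print(evaluate(SAMPLE_RED))
```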

Page 18

(5) E-Manufacturing (group)

ISMS scope: Unified ISMS certifications by total group companies

Organizational size: 20 group companies + 100 departments, 30,000 employees

Period: 10 months

Implementation steps (main): ISMS objectives setting, ISMS policy, risk assessment, controls selection and implementation, internal audit, management review, measurements, integrating privacy

Page 19

ISMS Objectives Establishment

[Diagram: how objectives are derived. Labels: Management’s Directions on Business (CEO’s Business Directions); Management’s Directions on Security (CISO’s Security Directions, ISMS Policy); Project Requirements (NDA with Customer, PIP with Customer); Security Objectives/Targets; Protected Information Mechanism (Physical Security, PC Security, Education/Awareness, Asset Mgmt at Retirement, Incident Management); Security results of Operations (Example: PC lost).]

What objectives are developed from Business/Security directions?
What targets are set to evaluate to achieve objectives?

Page 20

ISMS improvement process

[Diagram: reporting and action flow. Organization labels: CEO, Management Committee, CISO, Security Committee, Dept group Committee Member, Dept Committee Member, Security Staff, Organization. Process labels: Measure, Collect, Calculate, Analyze, Evaluate, Report, Recommend improvement actions, Indicate actions, Web publish.]

Page 21

Agenda

1) Current status of ISMS in Japan including statistical data

2) Examples of implementation of ISMS for successful case studies

3) Important aspects of Information Security in Japan

4) Influence of Information security by using ISMS standard as a tool

Page 22

Motivation

Many governmental and public businesses consider and select companies which have already obtained ISMS certification and such condition is clearly stated in their bidding conditions.

This is a good motivation to start development of ISMS for organizations.

Page 23

Examples (1)

☆ National Personnel Authority, General Secretariat: http://www.jinji.go.jp/tyoutatu/061030_1.nyusatsu.txt

☆ Ministry of Health, Labour and Welfare, Labour Bureau: http://www.mhlw.go.jp/sinsei/chotatu/chotatu/pdf/roudou_sys-1a.pdf

☆ Japan National Tourism Organization (incorporated administrative agency): http://www.jnto.go.jp/jpn/downloads/bid_080218_shinsei.pdf

☆ Japan Arts Council (incorporated administrative agency): http://www.ntj.jac.go.jp/updata/20080414ntj1.pdf

☆ New Energy and Industrial Technology Development Organization (incorporated administrative agency): http://www.nedo.go.jp/informations/koubo/191207_11/191207_11.html

☆ Mie Prefecture, Accounting Support Office: http://www.pref.mie.jp/NYUSATSU/2008040033.htm

☆ Shiga Prefecture, Department of Citizens' Culture and Life, Information Policy Division, IT Planning Office: http://www.pref.shiga.jp/nyusatsu/koukoku/ce00/20071122.html

☆ Miyagi Prefecture, Environment and Lifestyle Department, Environmental Policy Division: http://www.pref.miyagi.jp/kankyo-s/report/H19_report/koukoku.ecoinfo.pdf

☆ Oita Prefecture, General Affairs Department, General Affairs Administration Center: http://www.pref.oita.jp/11850/nyusatsu/2080402.html

etc.

Page 24

Example (2)

Open Bidding System

3 Organizations who can join the open bid

(1) Must not fall under Article 70 of the Cabinet Order on Budgets, Settlement of Accounts, and Accounting. Minors, persons under curatorship and persons under assistance who have obtained the consent necessary to conclude a contract are treated as falling under the special circumstances referred to in that Article.

(2) Must not fall under Article 71 of the Cabinet Order on Budgets, Settlement of Accounts, and Accounting.

(3) Must be rated grade "B", "C" or "D" for "provision of services, etc." in the Kanto-Koshinetsu region under the Cabinet Office qualification for participation in competitive bidding (unified qualification for all ministries and agencies) for fiscal years Heisei 16, 17 and 18.

(4) Must not be within a period of suspension of transactions imposed by a contracting officer or equivalent.

(5) Must be an organization that has already obtained Information Security Management System (ISMS) certification, or that holds a license to use the Privacy Mark based on JIS Q 15001.

Page 25

Comparison between ISMS and P-mark (privacy-mark)

[Diagram: coverage of ISMS and P mark plotted by "Type of Assets" against "Application and scope". Department labels: Finance Dept., Accounting Dept., General Affairs Dept., Sales Dept., Maintenance Dept., Operation Department, Strategy Dept., Planning Dept., Engineering Dept. Asset label: Privacy data (shown three times).]

Page 26

Application of ISMS (or ISM)

• Applied to Standards for Information Security Measures for the Central Government Computer Systems;

• Applied to Telecommunication based on ISO/IEC 27002:2005. (ITU-T X.1051, ISO/IEC 27011)

• Applied to Information Security Audit. (JASA has been actively working in this area)…

• etc.

Page 27

Outline of “Standards for Information Security Measures for the Central Government Computer Systems”

- To achieve the sectoral plan for raising the information security level of the whole government, the government formulates the “Standards for Information Security Measures for the Central Government Computer Systems” (“Standards for Measures”).

- Each government agency implements measures according to the Standards for Measures, and the NISC inspects and evaluates the implementation status at the central government agencies. The ISPC makes recommendations for improvement based on the inspection/evaluation results.

Entities: Information Security Policy Council (ISPC), National Information Security Center (NISC), Governmental Agencies

• Formulate the Standards for Measures
• Make recommendations for improvement based on the results of evaluation on the measures taken by the central government agencies.
• Review standards of government agencies according to the Standards for Measures

Inspect and evaluate the implementation status: The NISC inspects and evaluates the implementation status at the central government agencies, and the ISPC makes recommendations for improvement based on the inspection/evaluation results.

Standards for Measures: Providing for the minimum required standards for the measures to be taken by the central government agencies.

Review of standards of government agency in compliance with the Standards for Measures
(1) Supplement standards of government agencies with the Standards for Measures
(2) Raise each agency’s information security level

[Diagram: (1) Standards of government agency for Agency A, (Present) versus (Future), marking "Defects in information security measures (absence or insufficiency)". (2) Information security level of Agency A to Agency F, (Present) versus (Future), with labels "Current lowest level", "Raise the lowest level", "Minimum required level", "Achievement of higher level", a Plan / Do / Check / Act cycle and "Recommendations for improvement".]

Page 28

ITU-T X.1051=ISO/IEC 27011

Page 29

Agenda

1) Current status of ISMS in Japan including statistical data

2) Examples of implementation of ISMS for successful case studies

3) Important aspects of Information Security in Japan

4) Influence of Information security by using ISMS standard as a tool

Page 30

Information Security Controls in ISO/IEC 27002 can be a key component

Security policy

Organising information security

Asset management

Human resources security

Physical & environmental security

Communications & operations management

Access control

Information systems acquisition, development and maintenance

Business continuity management

Compliance

Information security incident management

ISO/IEC 27002:2005

Security Governance

Asset Classification, etc.

Education and Training

Entrance Control, etc.

Network Security, Security Operation, etc.

Authentication, IdM, etc.

Application & System Security, etc.

Security strategy

Incident Handling, etc.

Disaster Recovery and BCM, etc

Compliance to Regulation, etc

Page 31

Application to a work on Cloud discussed in Japan

Information security management guidelines for the use of cloud computing services based on ISO/IEC 27002

[Diagram: ISO/IEC 27002 Clause 5 to Clause 15, each paired with a "Cloud Guide".]

WG1: security management based on the whole controls of 27002

WG4: specialized in the specific controls
ISO/IEC 27031 ICT readiness for BC
ISO/IEC 27033 Network security
ISO/IEC 27034 Application security
ISO/IEC 27035 Incident management
ISO/IEC 27036 Outsourcing

Other examples: 27011, 27015 etc.

Page 32

Current & Future Perspective

• ISMS certification will lead to gaining client confidence and enhancing business competitiveness, and it will also meet the requirements for trade such as bidding conditions for governmental and public businesses.

• Regarding internal control, the management process of ISMS can be effectively utilized with respect to business risk control (according to the statistical data in Japan).

• Although many security technologies exist nowadays, ISMS has been successfully binding many technologies in a consistent way. It is true in Japan that information security is much influenced by the concept of ISMS and ISM throughout many sectors (maybe connecting to economic growth).

Page 33

Guides on ISMS published by JIPDEC in Japan

• ISMS User’s Guide - JIS Q 27001:2006 (ISO/IEC 27001:2005) compliant -

• ISMS User’s Guide - Risk Management

• ISMS User’s Guide for Medical Organizations

• ISMS User’s Guide for Payment Card Industry

• ISMS User’s Guide on Legal Compliance

• How to utilize the ISMS Conformity Assessment Scheme in Outsourcing

• Guide on Compliance with PCI DSS/ISMS

• Others

Page 34

Design Security*

Implement & use Security*

Monitor & review Security*

Maintain & improve Security*