Japanese Government’s Efforts to Address Information Security Issues October, 2007 National Information Security Center (NISC) http://www.nisc.go.jp/eng/


Page 1: Japanese Government’s Efforts to Address Information Security Issues October, 2007 National Information Security Center (NISC)

Japanese Government’s Efforts to Address Information Security Issues

October, 2007

National Information Security Center (NISC)

http://www.nisc.go.jp/eng/

Page 2: Japanese Government’s Efforts to Address Information Security Issues October, 2007 National Information Security Center (NISC)

Copyright (c) 2007 National Information Security Center (NISC). All Rights Reserved. 2

The issue of Cyber attack

Cyber attack is “electric attack to Critical Infrastructures using information communications networks and information system”

“Inter-ministry coordination” and “Government Private Partnership” are needed to improve preparedness, and response and recovery capability for large cyber attack

Page 3: Japanese Government’s Efforts to Address Information Security Issues October, 2007 National Information Security Center (NISC)


Brief history of Information security policy framework

[Timeline figure, 1999 to 2007, with rows "Organization" and "Major policies"]

Phases: Developing Policy Framework; Restructuring Organizations; Implementation 1st Phase; Restructuring Phase; Implementation 2nd Phase

Events: Defacing Web site of Government; 911; Blaster Worm

Organization: Cabinet Secretariat IT Security Office; 1. National Information Security Center; 2. Information Security Policy Council

Major policies: Information Security Policy Guidelines; Special Action Plan on Countermeasures to cyber-terrorism for Critical Infrastructures; Standards for Information Security Measures for the Central Government Computer Systems; Action Plan on Information Security Measures for Critical Infrastructures; The First National Strategy on Information Security

Dates marked on the timeline: 2000.01, 2000.02, 2000.07, 2000.12, 2001.09, 2003.08, 2005.04, 2005.05, 2005.12, 2006.02

Page 4: Japanese Government’s Efforts to Address Information Security Issues October, 2007 National Information Security Center (NISC)


Establishment of the ‘Information Security Policy Council (ISPC)’ and the ‘National Information Security Center (NISC)’

The National Information Security Center (NISC) was established on April 25, 2005 based on the decision under the IT Strategic Headquarters on December 7, 2004

Information Security Policy Council (ISPC) was set up in IT Strategic Headquarters on May 30, 2005

NISC serves as a coordinator of cross-departmental information security issues

NISC consists of both government officials from related ministries and agencies, and experts from the private sector

Organizational Transition of staff in Cabinet Secretariat

Est. Feb 2000: 8 persons
July 2004: 18
Apr 2006: 52
Aug 2007: 63

Set up ‘IT Security Office’ in Cabinet Secretariat

NISC set up in April 2005

Page 5: Japanese Government’s Efforts to Address Information Security Issues October, 2007 National Information Security Center (NISC)


Information Security Policy Council (ISPC) & National Information Security Center (NISC)

- Based on “Review of the Role and Functions of the Government in terms of Measures to Address Information Security Issues (decided by the IT Strategic Headquarters on December 7, 2004),” the government is developing essential functions and frameworks toward strengthening its core functions to address information security issues.

[Organization chart]

IT Strategic Headquarters

Information Security Policy Council (ISPC)

Decision on fundamental matters such as basic strategy for information security

Cabinet Secretariat

National Information Security Center (NISC)

* NISC is in Cabinet Secretariat

Gather experts from the public and private sectors

(1) Formulate basic strategies for information security measures

(2) Promote comprehensive measures taken by central governments

(3) Help each central government agency deal with individual incidents

(4) Information security measures for critical infrastructures

- Centralize information exchange and cooperate with foreign countries

- Make International confidence-building

Governmental Agencies; Critical Infrastructures; Businesses; Individuals

Central government agencies concerning information security

- Ministry of Internal Affairs and Communications
- National Police Agency
- Ministry of Economy, Trade and Industry
- Ministry of Defense

Agencies overseeing critical infrastructure

- Ministry of Land, Infrastructure and Transport
- Financial Services Agency
- Ministry of Economy, Trade and Industry
- Ministry of Internal Affairs and Communications
- Ministry of Health, Labour and Welfare

Page 6: Japanese Government’s Efforts to Address Information Security Issues October, 2007 National Information Security Center (NISC)


Structure and Functions of NISC

[Organization chart]

Director of NISC (Assistant Chief Cabinet Secretary)

Deputy Director of NISC

Advisor on Information Security

- Development of Fundamental Strategy
- International Strategy
- Comprehensive measures for governmental agencies
- Development of Response Capability
- Critical Information Infrastructure Protection

Foreign Organizations; Governmental Agencies; Critical Infrastructures; Businesses; Individuals

Page 7: Japanese Government’s Efforts to Address Information Security Issues October, 2007 National Information Security Center (NISC)


Overall Picture of “The First National Strategy on Information Security”

Basic principles

1. Information security for providing the introduction of Japan as an economic state

2. Information security for more safe, secure, and better lives for the people

3. Information security from a new perspective of ensuring national security

A quarter of Japan’s economic base and commercial transactions depends on IT.

Japan is the world’s largest broadband communication power with 80 million Internet users.

There is a growing need for safety and security measures including disaster control manners.

It is necessary to recognize both new threats to national security regarding IT and strength of Japan.

<Points to be realized>

Goals

To make Japan an “information security advanced nation”

Establish a “new public-private partnership model” in which both public and private play their roles appropriately

Primary goal to be achieved in the next three years

Page 8: Japanese Government’s Efforts to Address Information Security Issues October, 2007 National Information Security Center (NISC)


“The First National Strategy on Information Security”

Role

- Central and local governments: Giving “Best Practice” for information security measures
- Critical infrastructures: Ensuring stable supply of their services as the basis of people’s social lives and economic activities
- Businesses: Implementing information security measures so as to be highly regarded by the market
- Individuals: Raising awareness as main players of IT society

Priority policies for 2006-2008

[Sectoral Plan]

- Standards for Measures
- Critical Infrastructures Action Plan
- Measures promoted by Ministries and Agencies

(2) (cross-sectoral issues)

- Promoting information security technology strategy
- Developing human resources
- Promoting international cooperation and collaboration
- Crime control and protection/remedial measures for rights and interests

Page 9: Japanese Government’s Efforts to Address Information Security Issues October, 2007 National Information Security Center (NISC)


Overall Picture of Milestones in the FY 2006 - 2008

Take measures for government agencies

Take measures for critical infrastructures

Formulate cross-sectoral information security infrastructure

for businesses and individuals

Achieve continuous improvement according to the overall plan

- Through combination of the “overall process schedule” (National Strategy) and the “sectoral plan,” the government aims to develop Japan into an “information security advanced nation,” with clearly identified milestones to be achieved in each fiscal year.

FY2006 FY2007 FY2008

[Central Government] All government agencies should take measures according to the “Standards for Measures”

[Critical Infrastructure] The number of IT-malfunctions should be reduced as close as possible to zero.

[Businesses] All public companies should take appropriate measures depending on risk.

[Individual] The number of “individuals who feel insecure about IT use” as close as possible to zero.

Page 10: Japanese Government’s Efforts to Address Information Security Issues October, 2007 National Information Security Center (NISC)


Central government agencies

Standards for Information Security Measures for the Central Government Computer Systems

○ To achieve sectoral plan for raising the information security level of the whole government, the government formulates the “Standards for Information Security Measures for the Central Government Computer Systems”

○ Each government agency implements measures according to the Standards for Measures, and the National Information Security Center (NISC) inspects and evaluates the implementation status at the central offices. The Information Security Policy Council (ISPC) makes recommendations for improvement based on the inspection/evaluation results.

[Figure: two Plan / Do / Check / Act cycles]

Information Security Policy Council (ISPC)

Make recommendations

Recommendations for improvement

National Information Security Center (NISC)

Inspect and evaluate the implementation status

Standards for Measures

・ Review standards of government agency according to the Standards for Measures

Page 11: Japanese Government’s Efforts to Address Information Security Issues October, 2007 National Information Security Center (NISC)


Framework of Information Security Measures of the Government

Implementation framework

Policies of central government

- Policy for Enhancement of Information Security Measures for the Central Government Computer Systems
- Guidelines for Formulation and Implementation of Standards for Measures
- Standards for Measures
- Set of individual manuals (Provided by the NISC)

Each Government agency

Policies of the government agency

- Basic policies of the government agency
- Standards for measures implemented by the government agency
- Operation procedures by the government agency

Formulating the “standards of the government agency” completed by all government agencies in April, 2006.

To be established by around the end of the first quarter of FY2006 so that self-inspection can get started from the second quarter.

Page 12: Japanese Government’s Efforts to Address Information Security Issues October, 2007 National Information Security Center (NISC)


Critical Infrastructures Action Plan

- The Action Plan aims to protect critical infrastructures from (1) cyber attacks but also from (2) suspended services and reduced function caused by dysfunction of IT arising from unintentional factors and (3) those arising from disasters (IT-malfunctions).

New framework to be built under the Action Plan (supported by the four policies)

1. Safety Standards, Guidelines, etc.

2. Information sharing frameworks

3. Analyses of interdependency

4. Cross-sectoral exercises

[Figure labels]

- Government
- CEPTOAR-Council
- CEPTOAR
- Sector A, Sector B, Sector C, Sector D ...
- Flow of information
- Reflecting the analysis results
- Improving IT-malfunctions response capabilities
- Strengthening measures at ordinary times
- Comprehensive inspections and improvements

10 Sectors

- Telecommunications
- Finance
- Civil aviation
- Railways
- Electricity
- Gas
- Administrative services
- Medical services
- Water works
- Logistics

Page 13: Japanese Government’s Efforts to Address Information Security Issues October, 2007 National Information Security Center (NISC)


Framework of Critical Infrastructure Measures ~ Promotion through Organic Coordination of Four Measures ~

Action Plan on Information Security Measures for Critical Infrastructures (Adopted by the ISPC on Dec. 13, 2005)

[Objectives] The central government will make efforts aiming to reduce the number of occurrence of IT-malfunctions in critical infrastructures as close as possible to zero by the beginning of FY2009

[Four policies]

1. “Safety Standards, Guidelines, etc.”
2. Information sharing framework
3. Analysis of interdependence
4. Cross-sector exercises

- Cyber attacks
- IT-malfunctions (unintentional factors)
- IT-malfunctions (disasters)

Realization of more solid and truly dependable IT infrastructures in critical infrastructures through the organic coordination of four measures

[Figure: Plan / Do / Check / Act cycle] Yearly improvement in a spiral manner

Page 14: Japanese Government’s Efforts to Address Information Security Issues October, 2007 National Information Security Center (NISC)


Thank you!

Contact Information

National Information Security Center (NISC)

Cabinet Secretariat, Government of Japan

URL: http://www.nisc.go.jp/

Contact Person: Masayuki OGATA, Mr.

e-Mail: [email protected]