Copyright © 2018 Information-technology Promotion Agency, Japan (IPA)
The Recommended Information Security Approaches
This document has been revised with reference to ISO/IEC 27001:2013; the revised items are marked with (*).

1. Organizational approaches to information security
2. Physical (Environmental) security countermeasures
3. Operation and maintenance controls over information systems and communication networks
4. Information system access control and security countermeasures during the development and maintenance phases
5. Information security incident response and BCM (Business Continuity Management)

1. Organizational approaches to information security

Q1-(1) Does your company have any policies or rules for information security, and implement them? (It is important to establish policies/rules based on your company’s business and operational risk, rather than just applying a simple copy of a sample or template. To ensure the enforcement of those policies and rules, you need to make them known to everyone within the company, check the state of implementation, and review them on an as-needed basis.)

Explanation:
To make them suit your company’s situation, it is important to consider your company’s business and operational risk when you establish security policies and rules, rather than just applying a simple copy of a sample or template. In addition, to ensure the enforcement of those policies and rules, you need to make them known to everyone within the company, check the state of implementation, and review them on an as-needed basis.

Tips for the Measures Q1-(1):
1) Does your company have any policies or rules for information security?
2) Is the policy or rule based on your company’s business and operational risk, rather than just applying a simple copy of a sample or template? And was it given due consideration and discussion when it was developed?
3) Does the policy cover the whole organization?
4) Is the policy or rule approved by your company’s president and senior executive officers?
5) Is the policy or rule communicated to all employees (including temporary staff) and relevant external parties?
6) Does your company have any procedures for reviewing the policy or rule on a regular basis?
7) Does your company review the policy or rule at planned intervals or when significant changes occur?
8) Is the revision approved by your company’s president and senior executive officers, and then communicated to employees?
9) Does your company have any procedures for checking and auditing compliance with the policy or rule?
10) Does your company promote activities such as checking and auditing the state of the information system and compliance with security measures?
11) Does your company take any measures to prevent the company’s information system from being used for purposes other than business purposes?
12) Does your company monitor the state of implementation of the information system security policy, such as by checking the network status and monitoring the system?

Q1-(2) Does your company evaluate dangers and vulnerabilities regarding the security of vital information assets within your organization when deciding security rules and countermeasures? (Such a procedure is called "risk assessment". It is important to establish procedures for information security risk assessment and to review the risks and countermeasures regularly in order to implement cost-effective and efficient countermeasures.)

Explanation:
By assessing whether each risk is within the acceptable level, you can clarify which assets need to be protected (managed). This procedure (analysis, assessment, and consideration) is called "risk assessment". It is necessary for saving cost and for deciding the priority of security countermeasures.

Tips for the Measures Q1-(2):
1) Identify the risks to the information assets in your company.
2) Evaluate whether each identified risk is within the acceptable level for the organization.
3) Decide the priority of countermeasures for the unacceptable risks.
4) Consider and implement security countermeasures to reduce the risks in order of priority.

Q1-(3) Does your company have an organizational framework, including the management, to promote information security and compliance with laws and rules? (To build a framework to promote information security, it is important for the management to exercise their leadership and clearly state the responsibilities assigned to each person in charge, including auditors. To ensure the enforcement of those policies and rules, everybody within the company needs to understand them fully and clearly.)

Explanation:
To build a framework to promote information security, it is important for the management to exercise their leadership, set up a team to coordinate each section’s activities, and clearly state the responsibilities assigned to each person in charge, including auditors. To ensure the enforcement of those policies and rules, everybody within the company needs to understand them fully and clearly. In addition, the company’s activities should be recorded and the records kept in an appropriate manner, so you can achieve accountability for them.
Tips for the Measures Q1-(3):
1) Does your company have a committee (such as an information security committee) that performs tasks such as defining your company’s information security policy and coordinating the activities of each section?
2) Is the person in charge of the committee (mentioned in item 1 above) a member of your company’s management?
3) Does the committee consider and implement appropriate allocation of information security responsibilities and resources?
4) Does your company appropriately segregate duties and scopes of authority as a preventive measure against unauthorized activities performed by a malicious user?
5) Does your company have a network to ensure appropriate contacts with relevant authorities and information security specialists?
6) Does your company have a clear, full understanding of the legislation, standards, and regulations that should be followed when doing its business?
7) Does your company have any procedures for protecting intellectual property rights belonging to others, and implement them? (For example, the procedures should cover preventive measures against unauthorized copying of software products.)
8) Does your company establish measures to protect personal information, and implement them?
9) Does your company understand the requirements of the Unfair Competition Prevention Act so that the company’s trade secrets will be protected by the law? (Note: The Unfair Competition Prevention Act is a Japanese law, and one of its requirements is that security measures be in place to secure the company’s trade secrets.)
10) Does your company have a framework to record activities performed in your organization?
11) Does your company place strict controls on legal archives and other important documents?
12) Does your company address information security in project management, regardless of the type of project? (*)

Q1-(4) Are the key information assets (information and information systems) classified based on the level of importance? And are there any rules to manage and present such assets based on that level? (To manage information assets in an appropriate manner, the assets should be classified into multiple groups based on the level of importance, rules have to be established to manage and present such assets, and a person in charge of information management needs to be assigned.)

Explanation:
To implement efficient, cost-effective security measures, it is necessary to classify information assets into multiple groups based on the level of importance and manage them according to those levels. Assigning a person responsible for information asset management and limiting the users who can access a specific asset can prevent sloppy management. Remember that not only information systems but information itself (including electronic media and printed materials) should be considered as assets to be protected.
Tips for the Measures Q1-(4):
1) Does your company develop an inventory of all important information assets?
2) Is a person responsible for information assets assigned?
3) Does your company have any policy for classifying and handling important information based on its importance?
4) Does your company clearly define importance-based classification and handling methods not only for the information stored in the information systems but also for output from the systems?
5) Is information classified based on the information classification policy and then labeled and handled properly in accordance with its level of importance?
6) Does your company clearly define the scope of departments and personnel who can use a specific information asset?

Q1-(5) Does your company exercise appropriate security measures to protect key information (including personal data and confidential information) in each phase of the information life cycle, including acquisition, creation, utilization, saving, exchange, provision, deletion and disposal? (Appropriate information management includes clarifying operating procedures and the person responsible for the operation, limiting operators who can perform a specific operation, recording operational history, checking operations, etc. These tasks need to be implemented regardless of whether the operation is performed manually or by means of information systems.)

Explanation:
Appropriate information management includes clarifying operating procedures (for acquiring, creating, utilizing, saving, exchanging, providing, deleting, and disposing of information) and the persons responsible for such operations, limiting the operators who can perform a specific operation, recording operational history, and checking operations.

Tips for the Measures Q1-(5):
1) Does your company clearly define operating procedures and assign a person responsible for each business process? And are the operations performed based on the defined procedures?
2) Does your company properly assign operators who can perform a specific business process, and review the access rights and authorization status given to them?
3) Does your company check the operational status of the implemented security measures, such as by recording and maintaining access logs and checking for unauthorized operations on important information?
4) Does your company have any rules and procedures for exchanging information within or outside your company, and perform tasks based on them?
5) Does your company define operational procedures to prevent improper use of important information, including accidentally deleting, modifying, or misusing such information?
6) Does your company implement measures to protect important information from being leaked or abused?
Q1-(6) Are information security requirements included in your company’s written contract, which is exchanged when you outsource your business operation or information system management? (These requirements should be satisfied to prevent information leakage or loss of data, misuse of information and information systems, and so on.)

Explanation:
The contract for business operation or information system management should include the information security requirements necessary to prevent information leakage or loss of data, misuse of information and information systems, and so on. They should cover the work contents, the required level of service that has to be reached, and the safety controls that should be implemented in each phase. You also need to request your subcontractor to submit reports and records pertaining to the job, so you can ensure that things are progressing as planned, in accordance with the terms of the contract.

Tips for the Measures Q1-(6):
1) Does your company’s written contract, which is exchanged when you outsource your business operation, clearly state the work contents, the required service level, the safety control measures for important information supplied to contractors, and liability, including a nondisclosure agreement?
2) Does your company check the records and reports submitted by your subcontractor to see whether the contracted business is being undertaken by them and the information security measures are implemented in line with the terms and conditions?
3) Does your company observe and record any changes in the commissioned business?
4) Does your company include, in agreements with suppliers, requirements to address the information security risks associated with information and communication technology services and the product supply chain? (*)

Q1-(7) Does your company make the security obligations clear to your employees (including temporary staff), for example through nondisclosure agreements signed when they enter or leave your company? (To ensure that everybody within the company satisfies the information security requirements, you need to assign a person responsible for it, make clear the rules that should be followed, and let everybody know them.)

Explanation:
When a person joins or leaves your company, have him (or her) pledge to comply with the company’s security requirements and rules (such as not leaking any confidential information learned during the work period, even after resigning or retiring from the job), so you can ensure that all employees are aware of due care for information security. In addition, state these requirements clearly in the company rules and service regulations to ensure the implementation of such security measures. When a person leaves the company for any reason (such as retirement, job change, etc.), make sure that he (or she) has returned company-owned information assets, and then delete his (or her) access rights.
Tips for the Measures Q1-(7):
1) Prior to employing a person (including temporary staff), does your company check the person’s career, qualifications, etc. to see if the person is suitable for the job, and have him (or her) sign nondisclosure agreements?
2) Are security roles and responsibilities clearly stated in your company’s terms and conditions of employment?
3) Are the rules that should be followed by employees clearly stated in your company’s rule-book and service disciplines?
4) Upon termination of a person’s employment, does your company make sure that the person has returned the company’s information assets in his (or her) possession, and then remove his (or her) access rights in an appropriate manner?
5) Does your company have a person who is about to leave the company pledge to satisfy the requirements of confidentiality or non-disclosure agreements, which remain valid after the termination of his (or her) employment?
6) Does your company have a formal disciplinary procedure for employees who have committed a security breach?
7) Does your company have a framework for managing employees from their recruitment and employment to the termination of their employment? And are these responsibilities clearly defined?

Q1-(8) Does your company give your employees (including management and temporary staff) security education and training regularly to teach them your company’s approaches and the associated rules regarding information security? (It is important to regularly give all employees security education and training covering security requirements, prohibited matters, information security threats and countermeasures.)

Explanation:
Educating employees is mandatory to enhance the effectiveness of information security countermeasures. You can expect a synergy effect with technical security countermeasures by conducting adequate security education/training and confirming the effect achieved. In particular, it is important to perform thorough controls on passwords and keys so you can properly control access to the information assets that should be protected.

Tips for the Measures Q1-(8):
1) Does your company give all employees (including temporary staff) proper education on organizational policies and rules so they can clearly understand and follow them?
2) Does your company give all employees proper education on the management of passwords and cryptographic keys?
3) Does your company have appropriate educational materials that are based on the company’s situation and not copies of samples or templates?
4) Does your company give all employees information security education on a regular basis?
5) Does your company have any methods to check the effectiveness of information security education?
2. Physical (Environmental) security countermeasures

Q2-(1) Does your company implement the security countermeasures required for the buildings and sites where you want to improve security? (Countermeasures include separating the site from the outside using a gate or wall, performing access controls, setting up alarm devices, etc. It is also important to divide the area into multiple sections (for example, a delivery-and-receipt room, a working area for outside contractors, etc.) from the aspect of security.)

Explanation:
For those places where important information and the relevant facilities are located, it is necessary to consider a particular level of security countermeasures. With regard to those places (buildings and offices), it is necessary to restrict people coming in and going out to enhance countermeasures against intruders. Countermeasures include separating the site from the outside using a gate or wall, performing access controls, setting up alarm devices, etc. It is also important to have a delivery-and-receipt room and a working area for outside contractors, and to keep records of the date and time of visitors’ arrival and departure.

Tips for the Measures Q2-(1):
1) Does your company identify physical areas where security needs to be enhanced and establish security rules that should be followed in and around those areas?
2) Does your company establish any guidelines for protecting your offices, rooms, facilities, etc. against intrusion, such as by installing alarm systems?
3) Does your company limit access to your premises, offices, rooms, facilities, etc.?
4) Does your company have any measures to identify those who may or may not enter the restricted areas mentioned above?
5) Does your company record the date and time of entry and departure of visitors and then keep the records in an appropriate manner?
6) Does your company clearly define the areas that people including visitors, cleaners, etc. can enter?

Q2-(2) Does your company formulate and enforce any security-related rules for the people moving in and out of your company, including clients, vendors, common carriers, cleaners, etc.? (More people than you imagine can visit your company. It is important to establish security rules that should be followed by visitors.)

Explanation:
There is a large amount of information and many relevant facilities in offices and buildings. For those external contractors who may have a chance to access this information or the relevant facilities, it is necessary to establish certain rules based on the status of each risk and to conduct proper operations to comply with the rules.
Tips for the Measures Q2-(2):
1) Does your company identify the risks posed by external parties entering your premises, offices, rooms, facilities, etc., and implement appropriate controls to avoid those risks?
2) Does your company manage and control work carried out by external parties in your premises, offices, rooms, facilities, etc.?
3) Does your company take any measures to prevent a security breach by visitors, cleaners, etc. who are permitted to enter a specific area?
4) Does your company have separate spaces for meetings, and procedures specifying how to guide customers to the meeting space so that the company’s sensitive information will be out of their sight?

Q2-(3) Are the important information equipment and wires/cables correctly placed and set up safely so they can be protected against natural and man-made disasters? (Safe placement and setup refers to placing information equipment and wires/cables in a safe place to protect against unauthorized access and tapping, putting wires/cables underground or under the floor, and installing devices and systems in a safe place so they can be protected against natural disasters such as water leakage, fire, earthquake, etc.)

Explanation:
For important information devices and wiring, it is necessary to consider correct and secure placement and setup to prevent damage from deliberate or accidental events (such as shoulder surfing or breaking devices). To avoid such damage, it is important to identify the events that are likely to occur around the devices and to take effective measures such as overturning prevention, water leakage prevention, prohibition of eating/drinking around important information devices and wires/cables, and step-on/pull-out prevention for wires/cables. Furthermore, to prevent damage caused by malicious acts (such as shoulder surfing or breaking devices), it is also important to place devices and wires/cables in an area that is not easily accessible.

Tips for the Measures Q2-(3):
1) Does your company install mission-critical task systems and other information systems containing sensitive information in secure areas where only authorized people can enter?
2) Is information-processing equipment placed in an appropriate location so that it cannot be looked over by a third party from the entrance of the office?
3) Does your company take any measures to prevent information displayed on screens from being looked over by a third party?
4) Does your company place power and telecommunications cabling in an appropriate manner so that data is protected from accidental damage or interception?
5) To protect important information systems, does your company take any steps to prevent information system equipment from overturning in the case of an earthquake, protect such equipment against water leakage, and have an alternate power source for use in the case of an electric power failure?
Q2-(4) Does your company handle important documents, mobile PCs, and removable storage media in an appropriate manner? (Appropriate management refers to lockable filing cabinets, taking printed documents off printers or other output devices immediately, breaking up storage media for secure disposal, etc. Important documents include information-system-related documents.)

Explanation:
A large number of information leakage accidents occur via documents and electronic storage media. It is necessary to adequately manage those documents and storage media in which important information is recorded; appropriate management refers to lockable filing cabinets, taking printed documents off printers or other output devices immediately, breaking up storage media for secure disposal, etc. To prevent important documents from going missing or being misplaced, make it a habit to keep your office and meeting rooms in order.

Tips for the Measures Q2-(4):
1) Does your company appropriately manage important documents, mobile PCs, storage media, etc.?
2) Does your company appropriately dispose of important documents, mobile PCs, storage media, etc., by physically destroying them or by other means?
3) When disposing of devices and storage media containing sensitive data and/or licensed software, does your company completely erase them prior to disposal?
4) Does your company implement a clear desk, clear book room, and clear meeting room policy?
5) Does your company use lockable offices, lockable desks and filing cabinets, and then check whether employees are properly locking such items?
6) Does your company protect mail, faxes, and printed papers in an appropriate manner, such as by forbidding leaving such materials in an area where anybody can look at them?
7) Does your company treat information-system-related documents as important documents and keep them in lockable desks or filing cabinets?
8) Does your company protect media containing information against unauthorized access, misuse or corruption during transportation? (*)
3. Operation and maintenance controls over information systems and communication networks

Q3-(1) Does your company protect the information systems and data used in the actual operational environment in an appropriate manner? (Appropriate protection refers to separating the development systems from the actual operational systems, implementing change control, restricting the use of actual data in the development systems, etc.)

Explanation:
As a number of operators are involved in system development, there is a larger risk in system development processes than in daily business operations. It is important to implement certain measures in the system development processes, such as conducting thorough acceptance tests, separating the development systems from the actual operational systems, establishing change control procedures for the systems, and restricting the use of actual data (including personal information and other important data) in the development systems.

Tips for the Measures Q3-(1):
1) Does your company separate the operational environment from the development and test environments of information systems?
2) Does your company establish any rules to protect important data (including personal information) from being used carelessly for testing purposes?
3) Does your company establish any rules to control changes in the operational environment?
4) When making changes in the operational environment, does your company follow the established rules and record the change processes and results?
5) Does your company monitor and control information system performance and capacity?
6) Does your company conduct thorough tests before the company’s information systems are accepted?

Q3-(2) Does your company implement the security countermeasures required for information system operation? (Appropriate security countermeasures include developing operational manuals, operating in accordance with the rules and procedures, monitoring the state of implementation, recording and checking security logs, etc.)

Explanation:
The security countermeasures required for the operation of information systems and communication networks include developing operational manuals (containing security requirements and other important rules and procedures), operating in accordance with the rules and procedures, monitoring the state of implementation, recording and checking security logs, etc. It is also important to monitor the performance and capacity of the systems to ensure stable operations.
Tips for the Measures Q3-(2):
1) Does your company clearly define security requirements for system operations?
2) Does your company document and update information system operational procedures?
3) Does your company take any steps to reduce the risk of inadvertent operations?
4) Does your company monitor system operation status?
5) Does your company record information security event logs?
6) Does your company monitor and record the use of information processing facilities?
7) Does your company periodically review the records on the use of information processing facilities and the event logs?
8) Does your company take any steps to prevent system logs and other records from being altered or deleted for the purpose of hiding the evidence of unauthorized activities?
9) Does your company make appropriate settings so that the clocks of the servers and terminals within the system are synchronized?
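One concrete way to meet tips 8) and 9) above, added here as an illustration (this code is not part of the IPA document): a hash-chained event log in which every record carries the SHA-256 of the previous record, plus a keyed seal of the newest record's hash that an auditor keeps off the log host. The sample records and the auditor key are constructed for the example; the timestamp check assumes the clocks are synchronized as tip 9) requires.

```python
"""Tamper-evident event log: a SHA-256 hash chain plus an externally held seal.
Editing, removing or reordering a record breaks the chain; cutting off the
newest records leaves the chain valid but is caught by the seal."""
import hashlib
import hmac
import json

GENESIS = "0" * 64  # prev_hash of the very first record


def _record_hash(body: dict) -> str:
    # Canonical JSON so the hash does not depend on key order or whitespace.
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()


def append_event(log: list, ts: str, actor: str, action: str) -> dict:
    """Append one record; ts is an ISO-8601 UTC timestamp from a synced clock."""
    body = {
        "seq": len(log),
        "ts": ts,
        "actor": actor,
        "action": action,
        "prev_hash": log[-1]["hash"] if log else GENESIS,
    }
    record = dict(body, hash=_record_hash(body))
    log.append(record)
    return record


def verify_chain(log: list) -> list:
    """Return human-readable findings; an empty list means the chain is intact."""
    findings = []
    expected_prev = GENESIS
    last_ts = ""
    for i, rec in enumerate(log):
        body = {k: v for k, v in rec.items() if k != "hash"}
        if rec.get("seq") != i:
            findings.append(f"record {i}: seq={rec.get('seq')} (record removed or reordered)")
        if rec.get("prev_hash") != expected_prev:
            findings.append(f"record {i}: prev_hash does not match previous record")
        if _record_hash(body) != rec.get("hash"):
            findings.append(f"record {i}: content hash mismatch (record modified)")
        if rec.get("ts", "") < last_ts:
            # Clocks are expected to be synchronised (e.g. via NTP); a backwards
            # step is worth investigating but is not proof of tampering by itself.
            findings.append(f"record {i}: timestamp earlier than previous record")
        last_ts = rec.get("ts", "")
        expected_prev = rec.get("hash")
    return findings


def seal_head(log: list, key: bytes) -> str:
    """HMAC over the newest record's hash; store the result off the log host."""
    head = log[-1]["hash"] if log else GENESIS
    return hmac.new(key, head.encode(), hashlib.sha256).hexdigest()


def check_seal(log: list, key: bytes, seal: str) -> bool:
    """False if records were appended or removed since the seal was taken."""
    return hmac.compare_digest(seal_head(log, key), seal)


def demo() -> dict:
    """Constructed sample log and three tampering scenarios (all fictitious)."""
    key = b"auditor-key-held-off-host"  # constructed placeholder, not a real secret
    log = []
    append_event(log, "2018-04-02T09:00:00Z", "admin01", "login")
    append_event(log, "2018-04-02T09:05:10Z", "admin01", "export customer_list")
    append_event(log, "2018-04-02T09:07:42Z", "admin01", "delete audit.log.1")
    append_event(log, "2018-04-02T09:08:00Z", "admin01", "logout")
    seal = seal_head(log, key)  # taken by the auditor at the end of the day

    # 1) the incriminating action is rewritten in place
    modified = [dict(r) for r in log]
    modified[2]["action"] = "view audit.log.1"

    # 2) the incriminating record is removed from the middle of the file
    deleted = [log[0], log[1], log[3]]

    # 3) the newest records are cut off; the chain alone still verifies
    truncated = log[:2]

    return {
        "clean": verify_chain(log),
        "modified": verify_chain(modified),
        "deleted": verify_chain(deleted),
        "truncated_chain": verify_chain(truncated),
        "truncated_seal_ok": check_seal(truncated, key, seal),
        "clean_seal_ok": check_seal(log, key, seal),
    }
```

In practice the seal (or the whole chain) would be shipped to a separate, write-restricted log server; the point is that the verifying party holds something the log host cannot rewrite.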
Q3-(3) Does your company have documented procedures for the backup of vital business data and related systems, and implement them? (Scheduled and systematic data backup is very important, as the backup data supports quick recovery from data loss, system failure or incidents. If you fail to back up vital business data and related systems on a regular basis, you cannot restore such data in the event of a system failure, etc., which may result in a serious adverse effect on your business.)

Explanation:
It is important to make a backup plan and system for quick recovery from loss of data and failure of systems. In addition, it is necessary to monitor and test the backup system to make sure it works properly. If important data or the associated system is not stored in the backup system, it cannot be restored after a system failure, which may seriously affect the business.

Tips for the Measures Q3-(3):
1) Back up data periodically.
2) Check that backup data can be restored properly.
3) Manage backup data securely to prevent information leakage (loss, theft).
4) Delete backup data completely when it is no longer needed.

Q3-(4) Does your company take countermeasures against malware (such as computer viruses, worms, Trojan horses, bots, spyware, etc.)? (Countermeasures against malware include installing antivirus software, updating pattern files on a regular basis, applying security patches, etc.)

Explanation:
Countermeasures against malware include installing antivirus software, updating pattern files on a regular basis, etc. It is also important to encourage your employees to scan their computers for viruses on a regular basis, and to let them know what they should do if any security-related problem arises.
Tips for the Measures Q3-(4):
1) Does your company use appropriate antivirus software?
2) Does your company properly update pattern files?
3) Does your company scan servers and client PCs for viruses on a regular basis?
4) Do users of the information system have a clear understanding of what they should do to protect the system against viruses and how to cope with security problems?
5) Does your company perform a virus scan on mobile PCs used off-site and clean any viruses detected before connecting them to the company’s network?
6) Does your company apply security patches to prevent the company’s system from being attacked by malicious programs?

Q3-(5) Does your company take countermeasures to mitigate vulnerabilities of the information systems used in your company? (Appropriate countermeasures include configuring your system in consideration of information security, applying security patches, and managing versions, changes, and system configuration.)

Explanation:
Appropriate countermeasures to mitigate vulnerabilities include obtaining information on vulnerabilities and threats on a regular basis, stopping unnecessary services, configuring your systems in consideration of information security, applying security patches, and managing versions, changes, and system configuration.

Tips for the Measures Q3-(5):
1) Does your company collect information on vulnerabilities and threats on a regular basis?
2) When the nature of a vulnerability or threat to the system changes significantly, does your company perform risk assessments again and take the necessary steps, including applying security patches to the software in use?
3) Are security patches tested and applied in an appropriate manner?
4) Does your company configure information systems in consideration of information security, including stopping unnecessary services?
5) For Web sites, does your company perform appropriate settings and make sure that no vulnerability remains unfixed, so that the Web pages will not be defaced or accessed by unauthorized persons?
6) Does your company establish and implement rules governing the installation of software by users? (*)

Q3-(6) Does your company take appropriate protective measures (such as encryption) for data being transferred across communication networks and data stored on a public server? (Appropriate protective measures include using VPN, SSL or other secure protocols.)

Explanation:
Appropriate protective measures include using VPN, SSL, or other secure protocols. It is also effective to encrypt important data sent by email.
13
Copyright © 2018 Information-technology Promotion Agency, Japan (IPA)
Tips for the Measures Q3-(6):
1) For access from external network to internal network or information
systems, does your company use a communication tunnel encrypted by
using VPN or other methods?
2) For access to Web sites, does your company encrypt data by using SSL or
other protocols if required?
3) Does your company encrypt important data sent by email?
Q3-(7) Does your company implement appropriate security countermeasures to protect storage
media such as mobile PCs, USB memory sticks, floppy disks etc. in case of their loss, theft and so on?
(Mobile PCs, USB memory sticks, and other storage media can be used not only in your office but also
in other places such as public spaces outside your company, remote offices, users’ homes etc. When
you take such media out, there is a higher risk of their being stolen or lost, compared to when they
are used in your home or office. Taking this into account, implement appropriate countermeasures.)
Explanations:
Mobile PCs, USB memory sticks, and other storage media can be used not only in your office but also
in other places such as public spaces outside your company, remote offices, users’ homes etc.
Remember that when you take such media out, there is a higher risk of their being stolen or lost,
compared to when they are used in your home or office. To address this, establish rules for taking
them out, and then take the necessary steps, such as implementing robust authentication and
encrypting data.
Tips for the Measures Q3-(7):
1) Does your company establish any rules for the use of mobile PCs, USB memory sticks, CDs and
other storage media outside the company’s premises?
2) Does your company implement measures to prevent the loss or theft of storage media (including
mobile PCs, USB memory sticks, CDs) used outside the company’s premises?
3) When an attempt is made to log on to your company’s mobile PCs, do they authenticate the
user with a user ID and password?
4) Does your company encrypt data stored on mobile PCs in accordance with the level of
importance of the data?
4. Information system access control and security countermeasures during the
development and maintenance phases
Q4-(1) Does your company implement necessary measures to restrict access to information (data)
and information systems, including appropriate management of user IDs, adequate user
identification and authentication etc.? (Appropriate user ID management includes reviewing user
IDs on a regular basis to remove unnecessary ones, restricting the use of shared IDs, forbidding
the use of simple passwords etc.)
Explanations:
Appropriate user ID management includes establishing rules to manage user IDs, reviewing user
IDs on a regular basis to remove unnecessary ones, restricting the use of shared IDs, searching for
IDs whose privilege is higher than necessary and granting those IDs only the rights they need,
forbidding the use of simple passwords etc.
Tips for the Measures Q4-(1):
1) Does your company establish any rules for the registration and
deletion of user IDs and review these IDs on a regular basis?
2) Does your company periodically check whether all user IDs no longer
needed are disabled and not used by an unauthorized person?
3) Does your company request users not to use space character(s) only or
a simple combination of characters for their password?
4) Does your company assign unique IDs and passwords to each user
and use them for user identification and authentication?
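As an added illustration (not part of the IPA document), this Python script implements the Q4-(1) checks over a constructed account inventory: it flags IDs that are no longer needed (inactive past an assumed 90-day threshold, or never used), shared IDs, and IDs holding more privilege than their duties require, and rejects simple passwords. The Account fields, the threshold and the concrete password rules are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set

INACTIVE_AFTER = timedelta(days=90)  # assumed threshold for "no longer needed"

@dataclass
class Account:
    """One entry of a hypothetical user-ID inventory (not an IPA data format)."""
    user_id: str
    owner: Optional[str]        # None: shared ID with no single accountable owner
    last_login: Optional[date]  # None: never used since registration
    granted: Set[str]           # privileges actually assigned
    required: Set[str]          # privileges the owner's duties need

def is_simple_password(password: str, user_id: str) -> bool:
    """Tip 3: reject space-only passwords and simple character combinations.
    The concrete rules (length 8, two character classes, no user ID) are assumptions."""
    if password.strip() == "" or len(password) < 8:
        return True
    classes = sum((
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ))
    return classes < 2 or user_id.lower() in password.lower()

def review_user_ids(accounts: List[Account], today: date) -> Dict[str, List[str]]:
    """Tips 1 and 2: flag IDs that are no longer needed, shared, or hold more
    privilege than necessary. Returns the user IDs per finding."""
    findings: Dict[str, List[str]] = {"unnecessary": [], "shared": [], "over_privileged": []}
    for a in accounts:
        if a.last_login is None or today - a.last_login > INACTIVE_AFTER:
            findings["unnecessary"].append(a.user_id)
        if a.owner is None:
            findings["shared"].append(a.user_id)
        if a.granted - a.required:  # any granted privilege not justified by duties
            findings["over_privileged"].append(a.user_id)
    return findings

# Constructed sample inventory for a review run dated 2024-06-01.
SAMPLE = [
    Account("alice", "Alice", date(2024, 5, 28), {"read"}, {"read"}),
    Account("bob", "Bob", date(2023, 12, 1), {"read", "admin"}, {"read"}),
    Account("ops-shared", None, date(2024, 5, 30), {"read"}, {"read"}),
    Account("carol", "Carol", None, {"read"}, {"read"}),
]

def run_review() -> Dict[str, List[str]]:
    return review_user_ids(SAMPLE, date(2024, 6, 1))

if __name__ == "__main__":
    for finding, ids in run_review().items():
        print(f"{finding}: {', '.join(ids) or '-'}")
```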
Q4-(2) Does your company implement appropriate access controls over information (data),
information systems, and business applications, including granting users adequate access rights
for such resources? (Appropriate access controls include restricting access to information (data)
and information systems using different levels of access privileges, limiting the functions that can
be used by each user, reviewing access rights granted to users etc.)
Explanations:
Appropriate access controls include setting an access-control policy, restricting access to
information (data) and information systems using different levels of access privileges, limiting the
functions that can be used by each user, reviewing the access rights granted to users etc.
Tips for the Measures Q4-(2):
1) Does your company establish an access control policy and grant different levels of access rights
to users so that information (data) and information systems, business applications and services,
etc. are available only to authorized users?
2) Does your company properly allocate access privileges to users and periodically review those
privileges, including checking for any user having a higher-than-necessary privilege?
3) For information systems containing information of special importance, does your company set
access conditions, including the allowable connection time, for each access?
4) Does your company implement a formal process to assign or revoke access rights for all users
of all systems and services? (*)
Q4-(3) Does your company implement appropriate access controls over the network? (Appropriate
access controls include separating networks, conducting authentication for access from outside
of your company etc.)
Explanations:
When your computer network is connected to the Internet, there is a larger risk of unauthorized
access from outside of your network. To reduce such risks, appropriate network access controls
should be implemented. Appropriate access controls include separating networks, conducting
authentication for access from outside of your company etc.
Tips for the Measures Q4-(3):
1) Does your company perform user authentication to control access to internal systems by remote
users (including the case where mobile PCs are used)?
2) Does your company logically segregate networks and/or restrict access to the networks for the
purpose of limiting users who can access their services and information
systems?
3) Does your company forbid setting up unauthorized wireless access points?
4) Does your company implement security countermeasures against
unauthorized access to the company’s network using external wireless
LAN?
5) Does your company authenticate terminal equipment attempting to connect
to the company’s network?
Q4-(4) Does your company define security requirements for business application development and
satisfy them in the design and implementation phases? (Regardless of whether a system is
developed internally or its development is outsourced, security requirements should be included in
the specifications, the system has to be designed and developed properly to avoid the creation of
vulnerabilities, and thorough system tests need to be conducted so that no vulnerabilities remain
unfixed.)
Explanations:
Once the development of a business system has been completed, it is difficult and costly to modify
it. It is therefore necessary to consider information security from the initial planning and design
phases. Regardless of whether a system is developed internally or its development is outsourced,
security requirements should be included in the specifications, the system has to be designed and
developed properly to avoid the creation of vulnerabilities, and thorough system tests need to be
conducted so that no vulnerabilities remain unfixed.
Tips for the Measures Q4-(4):
1) Does your company specify security requirements in specifications?
2) Does your company incorporate input-data validation functions into applications?
3) Does your company design and implement business processes in an appropriate manner?
4) Does your company incorporate information protection functions into applications?
5) Does your company check the validity of data output from applications and the accuracy of
messages displayed?
6) When developing programs, does your company exercise precautions so as not to create
vulnerabilities?
Q4-(5) Does your company perform security controls over the selection and purchase of software
products and/or the development and maintenance of systems? (If your company outsources
the selection and purchase of software products, and/or the development and maintenance of
systems, please answer this question from the aspect of whether you can check the security
controls of your subcontractor.)
Explanations:
It is important to properly manage system development so that no security problems are
incorporated into the developed software. When selecting or purchasing a software product, it is
desirable to confirm who the software developer is, and when developing and maintaining a
system, it is important to review the development records and the state of implementation of
security measures (including access control to the source code).
Tips for the Measures Q4-(5):
1) Does your company establish procedures for installing or changing software products used for
information systems?
2) Does your company restrict access to program source code?
3) Does your company establish procedures for changing system configuration and implement
them?
4) Does your company scan information systems for malicious programs such as Trojan horses?
5) When outsourcing software development, does your company establish any rules regarding
licensing arrangements, intellectual property rights etc. that should be followed by subcontractors
taking on the development work?
6) Does your company have a written contract and a statement of mutual agreement covering the
required quality level, work scope etc., which are exchanged when you outsource software
development?
7) Does your company have a framework to check the security controls of subcontractors that take
on system development and maintenance?
8) Does your company carry out testing of security functionality during development? (*)
5. Information security incident response and BCM
(Business Continuity Management)
Q5-(1) Does your company take appropriate measures for the case of information system failures?
(Appropriate measures include implementing redundant systems, backing up the systems,
keeping operational logs, clarifying the procedures that should be followed when a system failure
occurs, signing a service level agreement with the service providers etc.)
Explanations:
The event with the largest impact on "Availability", one of the most important factors of
information security, is an information system failure. To ensure the "Availability" of
information systems, it is essential to incorporate adequate measures against system failures.
Tips for the Measures Q5-(1):
1) Does your company define requirements for the availability of information systems in a clear
and appropriate manner?
(Ensuring availability means enabling users who have the privilege to use the information
systems to do so whenever they want.)
2) Does your company take back-up copies of information, which are used in the event of system
failure, and keep operation records in an appropriate manner?
3) In the event of system failure, functions for separating the damaged part from the system and
switching to degraded operation, recovering information (data) and restoring information systems
are required. Does your company incorporate such functions into information systems and check
whether the functions work properly?
(Degraded operation is an operation that ensures the minimum required services are provided in
the event of system failure, such as by making fewer main functions available to a certain
number of users.)
4) Does your company establish system-failure response procedures and develop countermeasures
against such incidents?
5) Does your company educate and train employees so they can develop skills to cope with
system failures?
6) When outsourcing the operation of information systems, does your company require the
subcontractor to guarantee a certain service level even in the event of system failure and check
for their compliance?
7) Does your company record and maintain various types of logs?
8) Does your company assess and properly evaluate information security events to decide whether
to classify them as information security incidents? (*)
Q5-(2) Does your company have written procedures for security incident responses that determine
how to act in a quick and appropriate manner when such an incident occurs? (To respond quickly
and appropriately to security incidents, you need to examine the steps that should be taken against
such incidents, put the result of the study into writing, make concerned parties aware of it,
develop a telephone tree for emergency communications, and secure the resources (including human
resources) and equipment required.)
Explanations:
To prevent the expansion of damage and minimize it when a security incident occurs, it is necessary
to give an immediate, adequate, organization-wide response. For a proper incident response, it is
necessary to establish procedures and rules for incident response activities so that those activities
can be carried out smoothly by the personnel on site at a critical moment. You also need to
develop procedures that should be followed when any important data (such as personal data) is
compromised, including procedures for notifying people who might be affected by the incident,
reporting it to the competent minister, and publicizing the facts and the preventive measures taken.
Tips for the Measures Q5-(2):
1) Does your company establish information security event and incident reporting procedures?
2) Does your company communicate to relevant parties how to respond to information security
events and incidents?
3) Does your company build a framework to respond to information security events and incidents,
including a point of contact for the reporting of such events and incidents?
4) Does your company have the resources and tools required to address information security events
and incidents?
(The resources and tools should include incident response staff, enough disk space to hold
incident records, an incident-reporting feature and an analysis feature etc.)
5) Does your company implement information processing facilities with redundancy sufficient to
meet availability requirements? (*)
Q5-(3) Does your company have a company-wide framework for BCM (Business Continuity
Management) for the case of a system down? (You need to prepare for a possible system down, such
as by establishing procedures for manually performing the tasks implemented by the systems and
securing a place, resources, and equipment for conducting such activities. It is also important to
educate and train your employees so they can manually perform those tasks.)
Explanations:
If facilities, system devices, business applications or data are damaged due to natural disasters
(such as earthquakes, typhoons, water damage etc.), it can cause a system halt that might not be
recovered from in a short time. To ensure business continuity even in such a situation, it is necessary
to set up a backup center for the entire information system, back up software assets and business
data and keep them safely, and establish procedures for manually performing the tasks implemented
by the system. Organizations depending heavily on information systems to carry out a major part of
their business activities should thoroughly review their business continuity approaches.
Tips for the Measures Q5-(3):
1) Does your company assess the possible impacts of a system halt on its business
continuity?
2) Does your company understand the importance of each task and how problems in the
information systems might affect your business continuity?
3) Does your company establish business continuity policy and scenarios that
should be followed when the company’s information systems stop for long
periods of time?
4) If information systems stop for long periods of time, you may have to use your backup center
or manually perform tasks undertaken by the systems. Does your company establish procedures
for such operations, communicate them to relevant parties and train those parties adequately?
5) Does your company consider actions to be taken against a long stoppage of
the information system (including reporting the incident to relevant parties) and define how to
implement them?