Copyright © 2018 Information-technology Promotion Agency, Japan (IPA)

The Recommended Information Security Approaches

This document has been revised with reference to ISO/IEC 27001:2013; the revised items are marked with (*).

1. Organizational approaches to information security
2. Physical (Environmental) security countermeasures
3. Operation and maintenance controls over information systems and communication networks
4. Information system access control and security countermeasures during the development and maintenance phases
5. Information security incident response and BCM (Business Continuity Management)

1. Organizational approaches to information security

Q1-(1) Does your company have any policies or rules for information security, and implement them? (It is important to establish policies/rules based on your company’s business and operational risk, rather than just applying a simple copy of a sample or template. To ensure the enforcement of those policies and rules, you need to make them known to everyone within the company, check the state of implementation, and review them on an as-needed basis.)

Explanation:
To make them suit your company’s situation, it is important to consider your company’s business and operational risk when you establish security policies and rules, rather than just applying a simple copy of a sample or template. In addition, to ensure the enforcement of those policies and rules, you need to make them known to everyone within the company, check the state of implementation, and review them on an as-needed basis.

Tips for the Measures Q1-(1):
1) Does your company have any policies or rules for information security?
2) Is the policy or rule based on your company’s business and operational risk, rather than just a simple copy of a sample or template? And did you give it due consideration and discussion when developing it?
3) Does the policy cover the whole organization?
4) Is the policy or rule approved by your company’s president and senior executive officers?
5) Is the policy or rule communicated to all employees (including temporary staff) and relevant external parties?
6) Does your company have any procedures for reviewing the policy or rule on a regular basis?
7) Does your company review the policy or rule at planned intervals or when significant changes occur?

8) Is the revision approved by your company’s president and senior executive officers, and then communicated to employees?
9) Does your company have any procedures for checking and auditing compliance with the policy or rule?
10) Does your company promote such activities as checking and auditing the state of the information system and compliance with security measures?
11) Does your company take any measures to prevent the company’s information system from being used for a purpose other than business purposes?
12) Does your company monitor the state of implementation of the information system security policy, such as by checking the network status and monitoring the system?

Q1-(2) Does your company evaluate the dangers and vulnerabilities regarding the security of vital information assets within your organization when deciding security rules and countermeasures? (Such a procedure is named "risk assessment". It is important to establish procedures for information security risk assessment and to review the risks and countermeasures regularly in order to implement cost-effective and efficient countermeasures.)

Explanation:
By assessing whether each risk is within the acceptable level, you can clarify which assets need to be protected (managed). This procedure (analysis, assessment and consideration) is named "risk assessment". It is necessary for saving cost and for deciding the priority of security countermeasures.

Tips for the Measures Q1-(2):
1) Identify the risks to the information assets in your company.
2) Evaluate whether each identified risk is within the acceptance level for the organization.
3) Decide the priority of countermeasures for the unacceptable risks.
4) Consider and implement security countermeasures to reduce the risks in order of priority.

Q1-(3) Does your company have an organizational framework, which includes the management, to promote information security and compliance with laws and rules? (To build a framework to promote information security, it is important for the management to exercise their leadership and clearly state the responsibilities assigned to each person in charge, including auditors. To ensure the enforcement of those policies and rules, everybody within the company needs to understand them fully and clearly.)

Explanation:
To build a framework to promote information security, it is important for the management to exercise their leadership, set up a team to coordinate each section’s activities, and clearly state the responsibilities assigned to each person in charge, including auditors. To ensure the enforcement of those policies and rules, everybody within the company needs to understand them fully and clearly. In addition, the company’s activities should be recorded and the records kept in an appropriate manner, so you can achieve accountability for them.

Tips for the Measures Q1-(3):
1) Does your company have a committee (such as an information security committee) that performs tasks such as defining your company’s information security policy and coordinating the activities of each section?
2) Is the person in charge of the committee (mentioned in item 1 above) a member of your company’s management?
3) Does the committee consider and implement appropriate allocation of information security responsibilities and resources?
4) Does your company appropriately segregate duties and scope of authority as a preventive measure against unauthorized activities performed by a malicious user?
5) Does your company have a network to ensure appropriate contacts with relevant authorities and information security specialists?
6) Does your company have a clear, full understanding of the legislation, standards, and regulations that should be followed when doing its business?
7) Does your company have any procedures for protecting intellectual property rights belonging to others, and implement them? (For example, the procedures should cover preventive measures against unauthorized copying of software products.)
8) Does your company establish measures to protect personal information and implement them?
9) Does your company understand the requirements of the unfair competition prevention law so that the company’s trade secrets will be protected by the law? (Note: The unfair competition prevention law is a Japanese law, and one of its requirements is that security measures should be in place to secure the company’s trade secrets.)
10) Does your company have a framework to record the activities performed in your organization?
11) Does your company place strict controls on legal archives and other important documents?
12) Does your company address information security in project management, regardless of the type of project? (*)

Q1-(4) Are the key information assets (information and information systems) classified based on the level of importance? And are there any rules to manage and present such assets based on that level? (To manage information assets in an appropriate manner, the assets should be classified into multiple groups based on the level of importance, rules have to be established to manage and present such assets, and a person in charge of information management needs to be assigned.)

Explanation:
To implement efficient, cost-effective security measures, it is necessary to classify information assets into multiple groups based on the level of importance and manage them according to those levels. Assigning a person responsible for information asset management and limiting the users who can access a specific asset can prevent sloppy management. Remember that not only information systems but information itself (including electronic media and printed materials) should be considered as assets to be protected.

Tips for the Measures Q1-(4):
1) Does your company develop an inventory of all important information assets?
2) Is a person responsible for information assets assigned?
3) Does your company have any policy for classifying and handling important information based on its importance?
4) Does your company clearly define importance-based classification and handling methods not only for the information stored in the information systems but also for output from the systems?
5) Is information classified based on the information classification policy and then labeled and handled properly in accordance with its level of importance?
6) Does your company clearly define the scope of departments and personnel who can use a specific information asset?

Q1-(5) Does your company exercise appropriate security measures to protect key information (including personal data and confidential information) in each phase of the information life cycle, including acquisition, creation, utilization, saving, exchange, provision, deletion and disposal? (Appropriate information management includes clarifying operating procedures and the person responsible for the operation, limiting the operators who can perform a specific operation, recording operational history and checking operations, etc. These tasks need to be implemented regardless of whether the operation is performed manually or by means of information systems.)

Explanation:
Appropriate information management includes clarifying operating procedures (for acquiring, creating, utilizing, saving, exchanging, providing, deleting, and disposing of information) and the persons responsible for such operations, limiting the operators who can perform a specific operation, recording operational history and checking operations.

Tips for the Measures Q1-(5):
1) Does your company clearly define operating procedures and assign a person responsible for each business process? And are the operations performed based on the defined procedures?
2) Does your company properly assign the operators who can perform a specific business process and review the access rights and authorization status given to them?
3) Does your company check the operational status of the implemented security measures, such as by recording and maintaining access logs and checking for unauthorized operations on important information?
4) Does your company have any rules and procedures for exchanging information within or outside your company, and perform tasks based on them?
5) Does your company define operational procedures to prevent improper use of important information, including accidentally deleting, modifying, or misusing such information?
6) Does your company implement measures to protect important information from being leaked or abused?

Q1-(6) Are information security requirements included in your company’s written contract, which is exchanged when you outsource your business operation or information system management? (These requirements should be satisfied to prevent information leakage or loss of data, misuse of information and information systems, and so on.)

Explanation:
The contract for business operation or information system management should include the information security requirements necessary to prevent information leakage or loss of data, misuse of information and information systems, and so on. They should cover the work contents, the required level of service that has to be reached, and the safety controls that should be implemented in each phase. You also need to request your subcontractor to submit reports and records pertaining to the job, so you can ensure that things are progressing as planned, in pursuance of the terms of the contract.

Tips for the Measures Q1-(6):
1) Does your company’s written contract, which is exchanged when you outsource your business operation, clearly state the work contents, the required service level, safety control measures for important information supplied to contractors, and liability, including a nondisclosure agreement?
2) Does your company check the records and reports submitted by your subcontractor to see whether the contracted business is being undertaken by them and information security measures are implemented in line with the terms and conditions?
3) Does your company observe and record any changes in the commissioned business?
4) Does your company include, in agreements with suppliers, requirements to address the information security risks associated with information and communication technology services and the product supply chain? (*)

Q1-(7) Does your company make the security obligations clear to your employees (including temporary staff), for example through nondisclosure agreements signed when they enter or leave your company? (To ensure that everybody within the company satisfies the information security requirements, you need to assign a person responsible for it, make clear the rules that should be followed, and let everybody know them.)

Explanation:
When a person joins or leaves your company, have him (or her) pledge to comply with the company’s security requirements and rules (such as not leaking any confidential information learned during the work period, even after resigning (retiring) from the job), so you can ensure that all employees are aware of the due care required for information security. In addition, state these requirements clearly in the company rules and service regulations to ensure the implementation of such security measures. When a person leaves the company for some reason (such as retirement, job change, etc.), make sure that he (or she) has returned company-owned information assets, and then delete his (or her) access rights.

Tips for the Measures Q1-(7):
1) Prior to employing a person (including temporary staff), does your company check the person’s career, qualifications, etc. to see if the person is suitable for the job, and have him (or her) sign nondisclosure agreements?
2) Are security roles and responsibilities clearly stated in your company’s terms and conditions of employment?
3) Are the rules that should be followed by employees clearly stated in your company’s rule-book and service disciplines?
4) Upon termination of a person’s employment, does your company make sure that the person has returned the company’s information assets in his (or her) possession, and then remove his (or her) access rights in an appropriate manner?
5) Does your company have a person who is about to leave the company pledge to satisfy the requirements of confidentiality or non-disclosure agreements that remain valid after the termination of his (or her) employment?
6) Does your company have a formal disciplinary process for employees who have committed a security breach?
7) Does your company have a framework for managing employees from their recruitment and employment to the termination of their employment? And are these responsibilities clearly defined?

Q1-(8) Does your company give your employees (including management and temporary staff) security education and training regularly to teach them your company’s approaches and the associated rules regarding information security? (It is important to regularly give all employees security education and training covering security requirements, prohibited matters, information security threats and countermeasures.)

Explanation:
Educating employees is mandatory to enhance the effectiveness of information security countermeasures. You can expect a synergy effect with technical security countermeasures by conducting adequate security education/training and confirming the effect achieved. In particular, it is important to perform thorough controls on passwords and keys so you can properly control access to the information assets that should be protected.

Tips for the Measures Q1-(8):
1) Does your company give all employees (including temporary staff) proper education on organizational policies and rules so they can clearly understand and follow them?
2) Does your company give all employees proper education on the management of passwords and cryptographic keys?
3) Does your company have appropriate educational materials that are based on the company’s situation and are not copies of samples or templates?
4) Does your company give all employees information security education on a regular basis?
5) Does your company have any methods to check the effectiveness of information security education?

2. Physical (Environmental) security countermeasures

Q2-(1) Does your company implement the security countermeasures required for the buildings and sites where you want to improve security? (Countermeasures include separating the site from the outside using a gate or wall, performing access controls, setting up alarm devices, etc. It is also important to divide the area into multiple sections (for example, a delivery-and-receipt room, a working area for outside contractors, etc.) from the aspect of security.)

Explanation:
For those places where important information and the relevant facilities are located, it is necessary to consider a particular level of security countermeasure. With regard to those places (buildings and offices), it is necessary to restrict people coming in and going out in order to strengthen countermeasures against intruders. Countermeasures include separating the site from the outside using a gate or wall, performing access controls, setting up alarm devices, etc. It is also important to have a delivery-and-receipt room and a working area for outside contractors, and to keep records of the date and time of visitors’ arrival and departure.

Tips for the Measures Q2-(1):
1) Does your company identify the physical areas where security needs to be enhanced and establish security rules that should be followed in and around those areas?
2) Does your company establish any guidelines for protecting your offices, rooms, facilities, etc. against intrusion, such as by installing alarm systems?
3) Does your company limit access to your premises, offices, rooms, facilities, etc.?
4) Does your company have any measures to identify those who may or may not enter the restricted areas mentioned above?
5) Does your company record the date and time of entry and departure of visitors and then keep the records in an appropriate manner?
6) Does your company clearly define the areas that people including visitors, cleaners, etc. can enter?

Q2-(2) Does your company formulate and enforce any security-related rules for the people moving in and out of your company, including clients, vendors, common carriers, cleaners, etc.? (More people than you imagine can visit your company. It is important to establish security rules that should be followed by the visitors.)

Explanation:
There are a number of information assets and relevant facilities in offices and buildings. For those external contractors who may have a chance to access this information or the relevant facilities, it is necessary to establish certain rules based on the status of each risk and to operate properly in compliance with the rules.

Tips for the Measures Q2-(2):
1) Does your company identify the risks posed by external parties entering your premises, offices, rooms, facilities, etc., and implement appropriate controls to avoid those risks?
2) Does your company manage and control work carried out by external parties in your premises, offices, rooms, facilities, etc.?
3) Does your company take any measures to prevent a security breach by visitors, cleaners, etc. who are permitted to enter a specific area?
4) Does your company have separate spaces for meetings, and have procedures specifying how to guide customers to the meeting space so that the company’s sensitive information will be out of their sight?

Q2-(3) Are the important information equipment and wires/cables correctly placed and set up safely so they can be protected against natural and man-made disasters? (Safe placement and setup refer to placing information equipment and wires/cables in a safe place to protect against unauthorized access and tapping, putting wires/cables underground or under the floor, and installing devices and systems in a safe place so they can be protected against natural disasters such as water leakage, fire, earthquake, etc.)

Explanation:
For important information devices and wiring, it is necessary to consider correct and secure placement and setup to prevent damage from deliberate or accidental events (such as shoulder hacking (shoulder surfing) or breaking devices). To avoid such damage, it is important to clarify the events that are likely to occur around the devices and to take effective measures such as overturning prevention, water leakage prevention, prohibition of eating/drinking around important information devices and wires/cables, and step-on/pulling-up prevention for wires/cables. Furthermore, to prevent damage caused by malicious acts (such as shoulder hacking or breaking devices), it is also important to place devices and wires/cables in an area that is not easily accessible.

Tips for the Measures Q2-(3):
1) Does your company install mission-critical task systems and other information systems containing sensitive information in secure areas where only authorized people can enter?
2) Is information-processing equipment placed in an appropriate location so that it cannot be looked over by a third party from the entrance of the office?
3) Does your company take any measures to prevent screen contents from being looked over by a third party?
4) Does your company place power and telecommunications cabling in an appropriate manner so that data is protected from accidental damage or interception?
5) To protect important information systems, does your company take any steps to prevent information system equipment from overturning in the case of an earthquake, to protect such equipment against water leakage, and to have an alternate power source for use in the case of an electric power failure?

Q2-(4) Does your company handle important documents, mobile PCs, and removable storage media in an appropriate manner? (Appropriate management refers to lockable filing cabinets, taking printed documents off printers or other output devices immediately, breaking up storage media for secure disposal, etc. Important documents include information-system-related documents.)

Explanation:
A number of information leakage accidents occur via documents and electronic storage media. It is necessary to adequately manage those documents and storage media in which important information is recorded; appropriate management refers to lockable filing cabinets, taking printed documents off printers or other output devices immediately, breaking up storage media for secure disposal, etc. To prevent important documents from going missing or being misplaced, make it a habit to keep your office and meeting rooms in order.

Tips for the Measures Q2-(4):
1) Does your company appropriately manage important documents, mobile PCs, storage media, etc.?
2) Does your company appropriately dispose of important documents, mobile PCs, storage media, etc., by physically destroying them or by other means?
3) When disposing of devices and storage media containing sensitive data and/or licensed software, does your company completely erase them prior to disposal?
4) Does your company implement a clear desk, clear book room and clear meeting room policy?
5) Does your company use lockable offices, lockable desks and filing cabinets, and then check whether employees are properly locking such items?
6) Does your company protect mail, faxes and printed papers in an appropriate manner, such as by forbidding leaving such materials in an area where anybody can look at them?
7) Does your company treat information-system-related documents as important documents and keep them in lockable desks or filing cabinets?
8) Does your company protect media containing information against unauthorized access, misuse or corruption during transportation? (*)

3. Operation and maintenance controls over information systems and communication networks

Q3-(1) Does your company protect the information systems and data used in the actual operational environment in an appropriate manner? (Appropriate protection refers to separating the development systems from the actual operational systems, implementing change control, restricting the use of actual data in the development systems, etc.)

Explanation:
As a number of operators are involved in system development, there is a larger risk in the system development processes than in daily business operations. It is important to implement certain measures in the system development processes, such as conducting thorough acceptance tests, separating the development systems from the actual operational systems, establishing change control procedures for the systems, and restricting the use of actual data (including personal information and other important data) in the development systems.

Tips for the Measures Q3-(1):
1) Does your company separate the operational environment from the development and test environments of information systems?
2) Does your company establish any rules to protect important data (including personal information) from being used carelessly for testing purposes?
3) Does your company establish any rules to control changes in the operational environment?
4) When making changes in the operational environment, does your company follow the established rules and record the change processes and results?
5) Does your company monitor and control information system performance and capacity?
6) Does your company conduct thorough tests before the company’s information systems are accepted?

Q3-(2) Does your company implement the security countermeasures required for information system operation? (Appropriate security countermeasures include developing operational manuals, operating in accordance with the rules and procedures, monitoring the state of implementation, recording and checking security logs, etc.)

Explanation:
The security countermeasures required for the operation of information systems and communication networks include developing operational manuals (containing security requirements and other important rules and procedures), operating in accordance with the rules and procedures, monitoring the state of implementation, recording and checking security logs, etc. It is also important to monitor the performance and capacity of the systems to ensure stable operation.

Page 11: The Recommended Information Security Approaches - ipa.go.jp · 5) Is the policy or rule communicated to all employees (including temporary staff) and relevant external parties? 6)

11

Copyright © 2018 Information-technology Promotion Agency, Japan (IPA)

Tips for the Measures Q3-(2):

1) Does your company clearly define security requirements for system operations?

2) Does your company document and update information systems operational procedures?

3) Does your company take any steps to reduce the risk of inadvertent operations?

4) Does your company monitor system operation status?

5) Does your company record information-security event logs?

6) Does your company monitor and record the use of information processing facilities?

7) Does your company periodically review records on the use of information processing facilities and event logs?

8) Does your company take any steps to prevent system logs and other records from being altered or deleted for the purpose of hiding the evidence of unauthorized activities?

9) Does your company make appropriate settings so that the clocks of the servers and terminals within the system are synchronized?

Explanations:

It is important to have a backup plan and a backup system for quick recovery from loss of data and system failure. In addition, it is necessary to monitor and test the backup system to make sure it works properly. If important data or the associated systems are not stored in the backup system, the business may be seriously affected, because the data cannot be restored after a system failure.

Tips for the Measures Q3-(3):

1) Back up data periodically

2) Check that backup data can be restored properly

3) Manage backup data securely to prevent information leakage (loss, theft)

4) Delete backup data completely when it is no longer needed

Explanations:

Countermeasures against malware include installing antivirus software, updating pattern files on a regular basis, etc. It is also important to encourage your employees to scan their computers for viruses on a regular basis, and let them know what they should do if any security-related problem arises.

Q3-(3) Does your company have documented procedures for the backup of vital business data and related systems, and implemented them? (Scheduled and systematic data backup is very important, as the backup data supports quick recovery from data loss, system failure or incident. If you fail to back up vital business data and related systems on a regular basis, you cannot restore such data in the event of system failure, etc., which may result in a serious adverse effect on your business.)

Q3-(4) Does your company take countermeasures against malware (such as computer viruses, worms, Trojan horses, bots, spyware, etc.)? (Countermeasures against malware include installing antivirus software, updating pattern files on a regular basis, applying security patches, etc.)


Tips for the Measures Q3-(4):

1) Does your company use appropriate antivirus software?

2) Does your company properly update pattern files?

3) Does your company scan servers and client PCs for viruses on a regular basis?

4) Do users of the information system have a clear understanding of what they should do to protect the system against viruses and how to cope with security problems?

5) Does your company perform a virus scan on mobile PCs used off-site and clean the viruses detected before connecting them to the company's network?

6) Does your company apply security patches to prevent the company's system from being attacked by malicious programs?

Explanations:

Appropriate countermeasures to mitigate vulnerabilities include obtaining information on vulnerabilities and threats on a regular basis, stopping unnecessary services, configuring your systems in consideration of information security, applying security patches, and managing versions, changes, and system configuration.

Tips for the Measures Q3-(5):

1) Does your company collect information on vulnerabilities and threats on a regular basis?

2) When the nature of a vulnerability or threat to the system changes significantly, does your company perform risk assessments again and take necessary steps, including applying security patches to the software in use?

3) Are security patches tested and applied in an appropriate manner?

4) Does your company configure information systems in consideration of information security, including stopping unnecessary services?

5) For Web sites, does your company perform appropriate settings and make sure that no vulnerability remains unfixed, so that the Web pages will not be defaced or accessed by unauthorized persons?

6) Does your company establish and implement rules governing the installation of software by users? (*)

Explanations:

Appropriate protective measures include using VPN, SSL, or other secure protocols. It is effective to encrypt important data sent by email.

Q3-(5) Does your company take countermeasures to mitigate vulnerabilities of the information systems used in your company? (Appropriate countermeasures include configuring your system in consideration of information security, applying security patches, and managing versions, changes, and system configuration.)

Q3-(6) Does your company take appropriate protective measures (such as encryption) for data being transferred across communication networks and data stored on a public server? (Appropriate protective measures include using VPN, SSL or other secure protocols.)


Tips for the Measures Q3-(6):

1) For access from an external network to the internal network or information systems, does your company use a communication tunnel encrypted by using VPN or other methods?

2) For access to Web sites, does your company encrypt data by using SSL or other protocols if required?

3) Does your company encrypt important data sent by email?

Explanations:

Mobile PCs, USB memories, and other storage media can be used not only in your office but also in other areas such as public spaces outside your company, remote offices, users' homes, etc. Remember that when you take out such media, there is a higher risk of their being stolen or lost, compared to when they are used in your home or office. To reduce this risk, establish rules for taking them out, and then take necessary steps, such as implementing robust authentication, encrypting data, etc.

Tips for the Measures Q3-(7):

1) Does your company establish any rules for the use of mobile PCs, USB memories, CDs and other storage media outside the company's premises?

2) Does your company implement measures to prevent the loss or theft of storage media (including mobile PCs, USB memories, CDs) used outside the company's premises?

3) When an attempt is made to log on to your company's mobile PCs, do they conduct authentication using user IDs and passwords?

4) Does your company encrypt data stored on mobile PCs in accordance with the level of importance?

Q3-(7) Does your company implement appropriate security countermeasures to protect storage media such as mobile PCs, USB memories, floppy disks, etc. in case of their loss, theft and so on? (Mobile PCs, USB memories, and other storage media can be used not only in your office but also in other areas such as public spaces outside your company, remote offices, users' homes, etc. When you take out such media, there is a higher risk of their being stolen or lost, compared to when they are used in your home or office. Taking this into account, implement appropriate countermeasures.)

4. Information system access control and security countermeasures during the development and maintenance phases

Explanations:

Appropriate user ID management includes establishing rules to manage user IDs, reviewing user IDs on a regular basis to remove unnecessary ones, restricting the use of shared IDs, searching for IDs whose privileges are higher than necessary and granting adequate rights to those IDs, forbidding the use of simple passwords, etc.

Q4-(1) Does your company implement necessary measures to restrict access to information (data) and information systems, including appropriate management of user IDs, adequate user identification and authentication, etc.? (Appropriate user ID management includes reviewing user IDs on a regular basis to remove unnecessary ones, restricting the use of shared IDs, forbidding the use of simple passwords, etc.)

Tips for the Measures Q4-(1):

1) Does your company establish any rules for the registration and deletion of user IDs and review these IDs on a regular basis?

2) Does your company periodically check whether all user IDs no longer needed are disabled and not used by an unauthorized person?

3) Does your company request users not to use space character(s) only or a simple combination of characters for their password?

4) Does your company assign unique IDs and passwords to each user and use them for user identification and authentication?

Explanations:

Appropriate access controls include setting an access-control policy, restricting access to information (data) and information systems using different levels of access privileges, limiting the functions that can be used by each user, reviewing the access rights granted to users, etc.

Tips for the Measures Q4-(2):

1) Does your company establish an access control policy and grant different levels of access rights to users so that information (data) and information systems, business applications and services, etc. are available only to authorized users?

2) Does your company properly allocate access privileges to users and periodically review those privileges, including checking for any user having a higher-than-necessary privilege?

3) As for information systems containing information of special importance, does your company set access conditions, including the allowable connection time, for each access?

4) Does your company have a formal process for assigning or revoking access rights to all users for all systems and services? (*)

Q4-(2) Does your company implement appropriate access controls over information (data), information systems, and business applications, including granting users adequate access rights for such resources? (Appropriate access controls include restricting access to information (data) and information systems using different levels of access privileges, limiting the functions that can be used by each user, reviewing the access rights granted to users, etc.)

Q4-(3) Does your company implement appropriate access controls over the network? (Appropriate access controls include separating networks, conducting authentication for access from outside of your company, etc.)

Explanations:

When your computer network is connected to the Internet, there is a larger risk of unauthorized access from outside of your network. To reduce such risks, appropriate network access controls should be implemented. Appropriate access controls include separating networks, conducting authentication for access from outside of your company, etc.

Tips for the Measures Q4-(3):

1) Does your company perform user authentication to control access to internal systems by remote users (including the case where mobile PCs are used)?

2) Does your company logically segregate networks and/or restrict access to the networks for the purpose of limiting the users who can access their services and information systems?

3) Does your company forbid setting up unauthorized wireless access points?

4) Does your company implement security countermeasures against unauthorized access to the company's network using external wireless LAN?

5) Does your company authenticate terminal equipment attempting to connect to the company's network?

Explanations:

Once the development of a business system has been completed, it is difficult and costly to modify it. It is therefore necessary to consider information security in the initial phases of planning and design. For this reason, regardless of whether a system is developed internally or its development is outsourced, security requirements should be included in the specifications, the system has to be designed and developed properly to avoid the creation of vulnerabilities, and thorough system tests need to be conducted so that vulnerabilities do not remain unfixed.

Tips for the Measures Q4-(4):

1) Does your company specify security requirements in specifications?

2) Does your company incorporate input-data validation functions into applications?

3) Does your company design and implement business processes in an appropriate manner?

4) Does your company incorporate information protection functions into applications?

5) Does your company check the validity of data output from applications and the accuracy of messages displayed?

6) Upon developing programs, does your company exercise precautions so as not to create vulnerabilities?

Q4-(4) Does your company define security requirements for business application development and satisfy them in the design and implementation phases? (Regardless of whether a system is developed internally or its development is outsourced, security requirements should be included in the specifications, the system has to be designed and developed properly to avoid the creation of vulnerabilities, and thorough system tests need to be conducted so that vulnerabilities do not remain unfixed.)


Explanations:

It is important to properly manage system development so that no security problems will be incorporated into the developed software. Upon selecting or purchasing a software product, it is desirable to confirm who the software developer is, and upon developing and maintaining the system, it is important to review the development records and the state of implementation of security measures (including access control to the source code).

Tips for the Measures Q4-(5):

1) Does your company establish procedures for installing or changing software products used for information systems?

2) Does your company restrict access to program source code?

3) Does your company establish procedures for changing system configuration and implement them?

4) Does your company scan information systems for malicious programs such as Trojan horses?

5) When outsourcing software development, does your company establish any rules regarding licensing arrangements, intellectual property rights, etc. that should be followed by subcontractors taking on the development work?

6) Does your company have a written contract and a statement of mutual agreement covering the required quality level, work scope, etc., which are exchanged when you outsource software development?

7) Does your company have a framework to check the security controls of subcontractors that take on system development and maintenance?

8) Does your company carry out testing of security functionality during development? (*)

Q4-(5) Does your company perform security controls over the selection and purchase of software products and/or the development and maintenance of systems? (If your company is outsourcing the selection and purchase of software products, and/or the development and maintenance of systems, please answer this question from the aspect of whether you can check the security controls of your subcontractor.)


5. Information security incident response and BCM (Business Continuity Management)

Explanations:

The event with the largest impact on "Availability", one of the most important factors of information security, is information system failure. To ensure the "Availability" of information systems, it is mandatory to incorporate adequate measures against system failures.

Tips for the Measures Q5-(1):

1) Does your company define requirements for the availability of information systems in a clear and appropriate manner? (Ensuring availability means enabling users having the privilege to use the information systems whenever they want.)

2) Does your company take back-up copies of information, which are used in the event of system failure, and keep operation records in an appropriate manner?

3) In the event of system failure, functions for separating the damaged part from the system and switching to degraded operation, recovering information (data) and restoring information systems are required. Does your company incorporate such functions into information systems and check whether the functions work properly? (Degraded operation is an operation to ensure that the minimum required services are provided in the event of system failure, such as by making fewer main functions available to a certain number of users.)

4) Does your company establish system-failure response procedures and develop countermeasures against such incidents?

5) Does your company educate and train employees so they can develop the skills to cope with system failure?

6) When outsourcing the operation of information systems, does your company require the subcontractor to guarantee a certain service level even in the event of system failure and check for their compliance?

7) Does your company record and maintain various types of logs?

8) Does your company assess information security events and decide whether they should be classified as information security incidents? (*)

Q5-(1) Does your company take appropriate measures for the case of information system failures? (Appropriate measures include implementing redundant systems, backing up the systems, keeping operational logs, clarifying the procedures that should be followed when a system failure occurs, signing a service level agreement with the service providers, etc.)


Explanations:

To prevent the expansion of damage and minimize it when a security incident occurs, it is necessary to give an immediate, adequate, organization-wide response. For a proper incident response, it is necessary to establish procedures and rules for incident response activities so that those activities can be carried out smoothly by the personnel on site at a critical moment. You also need to develop procedures that should be followed when any important data (such as personal data) is compromised, including procedures for notifying the people who might be affected by the incident, reporting it to the competent minister, and publicizing the relevant facts and the preventive measures taken.

Tips for the Measures Q5-(2):

1) Does your company establish information security event and incident reporting procedures?

2) Does your company communicate to relevant parties how to respond to information security events and incidents?

3) Does your company build a framework to respond to information security events and incidents, including a point of contact for the reporting of such events and incidents?

4) Does your company have the resources and tools required to address information security events and incidents? (The resources and tools should include incident response staff, enough disk space to hold incident records, an incident-reporting feature and an analysis feature, etc.)

5) Does your company implement information processing facilities with redundancy sufficient to meet availability requirements? (*)

Explanations:

If facilities, system devices, business applications or data are damaged due to natural disasters (such as earthquake, typhoon, water damage, etc.), this can cause a system halt that might not be recovered from in a short time. To ensure business continuity even in such a situation, it is necessary to set up a backup center for the entire information system, back up software assets and business data and keep them safely, and establish procedures for manually performing the tasks implemented by the system. Organizations depending heavily on information systems to carry out a major part of their business activities should thoroughly review their business continuity approaches.

Q5-(2) Does your company have written procedures for security incident response that determine how to act in a quick and appropriate manner when such an incident occurs? (To respond quickly and appropriately to security incidents, you need to examine the steps that should be taken against such incidents, put the result of the study into writing, make the concerned parties aware of it, develop a telephone tree for emergency communications, and secure the resources (including human resources) and equipment required.)

Q5-(3) Does your company have a company-wide framework for BCM (Business Continuity Management) for the case of a system down? (You need to prepare for a possible system down, such as by establishing procedures for manually performing the tasks implemented by the systems and securing a place, resources, and equipment for conducting such activities. It is also important to educate and train your employees so they can manually perform those tasks.)


Tips for the Measures Q5-(3):

1) Does your company assess the possible impacts of a system halt on its business continuity?

2) Does your company understand the importance of each task and how problems in the information systems might affect your business continuity?

3) Does your company establish a business continuity policy and scenarios that should be followed when the company's information systems stop for long periods of time?

4) If information systems stop for long periods of time, you may have to use your backup center or manually perform the tasks undertaken by the systems. Does your company establish procedures for such operations, communicate them to relevant parties and give them good training?

5) Does your company consider the actions to be taken against a long stoppage of the information system (including reporting the incident to relevant parties) and define how to implement them?