All rights reserved Copyright © CICC 2003
e-Government in Japan
From the viewpoints of its strategy and security
Seminar on Information Security Technologies
19 November 2003, Science Park, Pathumthani, Thailand
Nagatani Mitsuyuki, CICC
Contents
1 Two viewpoints of e-Gov. in Japan
2 e-Government
3 e-Japan / e-Japan II
4 Information Security Management
1 Two viewpoints of e-Gov. in Japan
(1) Japan's Challenge
a) Japan's rank on e-Gov. surveys 2003
b) Strategies: e-Japan Strategy / e-Japan Strategy II
(2) Security
c) Information Security Management: Information Security Management System (ISMS)
d) Biometrics
1. Japan's Challenge
E-Gov. surveys
UN World Public Sector Report 2003: E-Government at the Crossroads (4 Nov. 2003)
UN Global E-government Survey 2003
- About 91% of UN member states are using Internet services (have an online government presence)
- E-Readiness: US, SE, AU, DK, UK (GB), CA, NO, CH, DE, FI
- E-Participation: UK (GB), US, CA, CL, EE, NZ, PH, FR, NL, AU, MX
Source: United Nations
a) Japan's rank on E-Gov. surveys - 2003
15th: Accenture (22 selected economies surveyed in April 2003)
18th: United Nations (readiness), among 191 UN member states, November 2003
b) Strategies
e-Japan Strategy (Jan. 2001): improvement of the ICT infrastructure - make Japan the world's most advanced IT nation by 2005
Reviewed and revised as:
e-Japan Strategy II (July 2003): expanded IT utilization - remain the most advanced IT nation in the world
2. Security
The Internet is an open public network, which means anyone can access it. One of the most serious problems in using the Internet is attacks.
Diagram: your site, connected to the Internet, with payment acceptance; protected by a firewall (proxy), cryptography (encryption, authentication, certification, electronic signature), a virus checker, file back-up and outsourcing.
Attacks: DoS / ID fraud / eavesdropping / virus / unauthorized access / natural disaster
Chart: number of incidents reported worldwide (source: CERT, as of Oct. 2003; horizontal axis 1990 to 2003 (1-3Q), vertical axis 0 to 110,000 incidents per year)
Once your system has been attacked:
- Loss of social confidence
- Financial damage for rebuilding the system
- Damage to third parties as well (your system is used as a stepping stone)
Security Infrastructure
Required functions: protect from security threats such as illegal modification, tapping, repudiation, masquerade, leak of privacy information, . . .
Software technologies:
- Virtual Private Network
- Encryption algorithm
- Settlement protocol
- Visual authentication: watermark, Internet marks
- Electronic stamps
- Cryptographic programming library
- Biometrics
System technologies:
- Monitoring
- Firewall
- Certification Authority (CA)
- PKI
- Security policy
Hardware technologies:
- Smartcard
- Cryptographic equipment
- Biometric equipment
c) Information Security Management
- Ensuring security is one of the five priority policy areas of the e-Japan Strategy / e-Japan Strategy II
- Information Security Management System (ISMS): BS7799-1 (ISO/IEC 17799:2000), BS7799-2:2002, ISMS Ver.2.0 (April 2003, Japan)
d) Biometrics
From 26 Oct. 2004 the US government will require foreigners entering the country either to hold a biometric-capable passport or to obtain a visa
- The Enhanced Border Security and Visa Entry Reform Act of 2002
- The Homeland Security Act of 2002 (US Department of Homeland Security)
US-VISIT Program (U.S. Visitor and Immigrant Status Indicator Technology), beginning in 2004
CAPPS II (Computer Assisted Passenger Prescreening System II)
Popular biometric methods
Eye: iris
Finger: fingerprint, finger vein
Hand: hand shape
Signature
Face: face shape
Voice
2 e-Government
Concept of e-Government (diagram): state government (ministries / agencies) and local governments are linked to each other (G2G) and, over the Internet, to enterprises and financial companies (G2B) and to citizens (G2C); enterprises and citizens interact among themselves as B2B and B2C.
Functions of e-Government: settlement; certification (to corporations); certification (to individuals); applications; information disclosure; one-stop service; e-procurement; notary; privacy.
The term "e-Government" was first used in the US government report "Reengineering Through Information Technology" in 1993, but the concept matured for administrative services around 1995.
Steps to maturity of e-Government (chart, Hitachi Research Institute): the vertical axis is the dissociation between government and citizen (high to low), the horizontal axis the years 1993, 1995, 2000, 2005 and 2010. Stages: efficiency improvement; information disclosure; serviceability improvement; e-democracy. Removing the barrier among public administrations leads to high-quality services of public administrations to citizens and removes the barrier between public administration and citizens.
Digitization of in-house administrative processes
- Non-digitized information such as papers (size, quality, thickness), drawings, pictures
- Use the same terminology across state/local governments and agencies
- Government PKI
Information disclosure to citizens, such as offering administrative information to citizens through the Internet homepage
Online applications for administrative services
- Citizens need not visit administration counters to obtain the service
- Administrative applications (Japanese government): number: more than 10 thousand; volume: more than 1 trillion / year
Utilization of IT for government and citizens
- Seamless: 24 hours, 365 days, one stop, non stop
- Paperless: digital administration
- Disclosure: Internet portal, FOIA in the US
- Open: e-procurement
3 e-Japan / e-Japan II
Vision: make Japan the world's most advanced IT nation
IT Basic Law: on the formation of an Advanced Information and Telecommunications Network Society (in force from Jan. 2001)
Strategy: consolidation of IT infrastructures (e-Japan); practical use of IT (e-Japan II)
Driving organization: IT Strategy Headquarters
Priority policies: world's most advanced network; education and HRD; e-Commerce; utilization of IT in the public sector; security and reliability
Milestones (1994 to 2003)
Establishment of e-Government projects:
- Aug. 1994 Headquarters for Promotion of Advanced Information and Communications Society
- Dec. 1999 Millennium Project
- Jul. 2000 IT Strategy Headquarters
- Jan. 2001 e-Japan Strategy
- Mar. 2001 e-Japan Priority Policy Program
- Jun. 2002 e-Japan Priority Policy Program - 2002
- Jul. 2003 e-Japan Strategy II
- Aug. 2003 e-Japan Priority Policy Program - 2003
(e-Japan) by 2005: become the world's highest-level country; (e-Japan II) from 2006: keep up as the world's highest-level country
Establishment of the legal environment:
- Aug. 1999 Law of the Basic Resident Registers amended
- Aug. 1999 Law on Prohibition of Unauthorized Access enacted
- Nov. 2000 Basic IT Law enacted
- Apr. 2001 Digital Signature law in force
- Aug. 2002 Basic resident registry network system started operation
- Dec. 2002 Law about Signatures and Certification Services in force
- Feb. 2003 Three laws related to administrative procedure in force (about 52,000 procedures)
e-Japan Strategies, Policies and Programs
Basic IT Strategy (27 Nov. 2000)
IT Basic Law (6 January 2001):
1) Enable everyone to enjoy the benefits of IT
2) Reform the economic structure and strengthen industrial competitiveness
3) Realize an affluent national life and creative communities with vitality
4) Contribute to the formation of an advanced information and telecommunications network society on a global scale
e-Japan Strategy (22 Jan. 2001): make Japan the world's most advanced IT nation within 5 years by following 4 policies:
1) Building an ultra high-speed Internet network and providing constant Internet access at the earliest date possible
2) Establishing rules on electronic commerce
3) Realizing an electronic government
4) Nurturing high-quality human resources for the new era
e-Japan Priority Policy Program (29 Mar. 2001)
e-Japan Priority Policy Program - 2002 (26 Jun. 2001)
e-Japan Strategy II (2 July 2003)
e-Japan Priority Policy Program - 2003 (8 Aug. 2003)
Structure of e-Japan Priority Policy Program (2001)
5 Priority Policy Areas:
1 Formation of the world's most advanced information and telecom networks
2 Promotion of education and development of human resources
3 Facilitation of e-commerce
4 Digitization of administration and application of IT in other public areas
5 Ensuring security and reliability on advanced information and telecommunication networks
Crosscutting Issues:
- Promotion of R&D
- Improvement of the digital divide
- Environment and other issues
- International cooperation
Structure of e-Japan Priority Policy Program - 2003
5 Priority Policy Areas (210 measures):
1 Formation of the world's most advanced information and telecom networks
2 Promotion of education and development of human resources
3 Promotion of e-commerce
4 Promotion of full utilization of IT in the public sector
5 Ensuring security and reliability on advanced information and telecommunications networks
Crosscutting Issues (59 measures):
1 Promotion of R&D
2 International cooperation and contribution
3 Improvement of the digital divide
4 Response to employment problems etc.
5 Measures to deepen the understanding of the people
Leading areas to accelerate practical use of IT (97 measures): healthcare; food; life; financing to small and medium enterprises; knowledge; work / labor; public administration
Total: 366 measures
Based on a document of the Prime Minister's Office
Leading areas to accelerate practical use of IT
1. Healthcare / medical treatment: electronic patient charts, telemedicine, hospital administration
2. Food: traceability of food distribution, IT in the food business, IT for the agricultural and fishing industries
3. Life: care for daily life in various areas, communication networks for disasters or emergencies
4. Financing to small and medium enterprises: low-risk loans, repayment schemes
5. Knowledge: e-Learning, competitive digital contents, digital archives
6. Work / labor: human resource development, telework, entrepreneurship
7. Public administration services: user-oriented administrative services, simple government with high budget efficiency
e-Japan Priority Policy Program - 2003
e-Japan Strategy (Jan. 2001), Phase 1: consolidation of IT infrastructures (make Japan the world's most advanced IT nation by 2005)
e-Japan Priority Policy Program (Mar. 2001): 5 priority policy areas, crosscutting issues
e-Japan Priority Policy Program - 2002 (Jun. 2002): 5 priority policy areas, crosscutting issues
e-Japan Strategy II (Jul. 2003), Phase 2: practical use of IT (aiming at a healthy, safe, inspiring and convenient society)
- Leading areas to accelerate (7 areas)
- Consolidation of infrastructures toward a new IT-rich society
e-Japan Priority Policy Program - 2003: 366 concrete priority measures that the government has to implement rapidly and intensively; make Japan the world's most advanced IT nation by 2005 and continue to be the world's most advanced IT nation after 2006
Based on a document of the Prime Minister's Office
Some Examples of International Cooperation
IT Engineers Examination: the Government of Japan has agreed with 7 Asian countries (China, India, Korea, the Philippines, Singapore, Thailand and Vietnam) on mutual recognition of the IT Engineers Examination.
Asia Open Source Software (OSS) Forum: currently 18 Asian economies participate in the Asia OSS Forum. The first forum was held in Phuket in Mar. 2003 and the second in Singapore in Nov. 2003.
Asia Public Key Infrastructure (PKI) Forum: the Asia PKI Forum was established in June 2001 with the purpose of promoting interoperability of PKI in Asia and Oceania and the use of PKI in e-Commerce.
4 Information Security Management
Security
Security has become a more serious topic nowadays:
- Terrorist attacks in New York, US, on Sept. 11, 2001
- Hanshin earthquake in Kobe, Japan, on Jan. 17, 1995
- A cable fire stopping computer system operation in the affected area
- Increase in cyber attacks
If your system has a security hole, it is no longer safe from a cracker's attack
- How to secure the system from disasters
- How to protect the system from attack
What is Information Security
Confidentiality: ensuring that information is accessible only to those authorized to have access
Integrity: safeguarding the accuracy and completeness of information and processing methods
Availability: ensuring that authorized users have access to information and associated assets when required
Source: ISMS Guideline, JIPDEC
Security Policy
A security policy is a document that describes the direction and criteria of an organization's policy on information security management
- The organization's basic rules for security measures
- Legally binding on the organization's members
- The rules depend on the organization's own policy (there is no common rule)
Hierarchy of documents: Security Policy, then the organization's standard of security measures, then procedures and manuals
Security Policy development process
- What to protect from what - user friendly - concrete idea - must be realistic - cost effective
Flow: Start -> planning the security policy -> reviewing the plan -> realistic? (No: back to planning; Yes: putting it into operation) -> end process
Levels covered by the security policy: physical level security, technical level security, operational level security
Security Management Cycle
PLAN - Development of the security policy - Definition of scope - Information assets, risk analysis
DO - Implementation and execution of the security management
CHECK - Review the execution - Monitor the potential risks
ACT - Review by the management - Improvement of the activity
Why a Security Policy is necessary
1. Leveling - Bringing every department to the security level the organization has determined - Minimize the cost for maintaining security
Chart: security level of departments A to E compared with the security level that the organization has determined
Information Security Management Guidelines and Standards
- ISO/IEC 17799:2000 (Code of practice for information security management) - BS 7799 (British Standard) - JIS X 5080 (Japan Industrial Standard)
- ISO/IEC 15408 (Common Criteria) - ISO/IEC TR 13335 (GMITS: Guidelines for the Management of IT Security) - OECD Recommendation Guidelines (25 July 2002)
- ISMS (Information Security Management System, Japan)
ISMS Scheme Transition (timeline 2000 to 2004)
BS7799-1 -> ISO/IEC 17799:2000 (Dec. 2000) -> JIS X 5080:2002 (Feb. 2002)
BS7799-2 -> ISMS (Ver.0.8) Apr. 2001 -> ISMS (Ver.1.0) Apr. 2002 -> ISMS (Ver.2.0) Apr. 2003; BS7799-2 revised as BS7799-2:2002 (Sep. 2002)
Modified from ISMS Guideline: JIPDEC
ISMS Certification Standard
10 essential key controls for providing effective information security (BS7799-2:1999, ISMS):
1 Security policy
2 Organizational security
3 Asset classification and control
4 Personnel security
5 Physical and environmental security
6 Communications and operations management
7 Access control
8 Systems development and maintenance
9 Business continuity management
10 Compliance
Essential key controls (10 controls) -> possible management objectives (36 objectives) -> possible management measures (127 measures)
Process to establishment of the ISMS (Ver.2.0)
Organization development (ISMS framework):
Step 1 Determine the scope of the ISMS
Step 2 Define an ISMS policy
Step 3 Define a systematic approach to risk assessment
Step 4 Identify risks
Step 5 Undertake risk assessment
Step 6 Undertake risk treatment
Step 7 Select control objectives and controls
Step 8 Prepare a statement of applicability
Step 9 Approve residual risks and permit the introduction of the ISMS
(Outputs: scope; security policy; list of risks; risk assessment; risk treatment; standards of measures for risks)
ISMS execution:
Step 10 Execute security measures based on the policy
Step 11 Operation and records
Step 12 Internal auditing and lessons learned
Examination and certification:
Step 13 Apply for the certification examination
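As an added worked example (written for this page; it is not part of the original seminar material and not the text of BS 7799-2 or ISMS Ver.2.0), the following Python carries Steps 3 to 9 above through a constructed asset register for a small e-Government office: a scoring approach (Step 3), a list of identified risks (Step 4), ranking (Step 5), accept-or-reduce treatment (Step 6), selection among the 10 control areas and the resulting statement of applicability (Steps 7 and 8), and the residual risks that still need management sign-off (Step 9). The 1..5 scales, the acceptance threshold of 8, the rule that each selected control area lowers likelihood by one step, the "always applicable" areas and the sample risks are all assumptions chosen for illustration.

```python
"""Worked risk-assessment pass for ISMS Steps 3 to 9 (added example).

Illustration only: the 1..5 scoring scale, the acceptance threshold, the
"one control area lowers likelihood by one step" treatment model and the
sample asset register are assumptions, not text from BS 7799-2 or ISMS Ver.2.0.
"""
from dataclasses import dataclass

# Step 7 selects from the 10 control areas listed on this page (BS 7799-2 / ISMS).
CONTROL_AREAS = {
    1: "Security policy",
    2: "Organizational security",
    3: "Asset classification and control",
    4: "Personnel security",
    5: "Physical and environmental security",
    6: "Communications and operations management",
    7: "Access control",
    8: "Systems development and maintenance",
    9: "Business continuity management",
    10: "Compliance",
}

# Step 3, systematic approach (assumed): risk = likelihood x worst CIA impact, each 1..5.
RISK_ACCEPT_THRESHOLD = 8      # assumed: scores <= 8 may be accepted as they are
ALWAYS_APPLICABLE = (1, 10)    # assumed: policy and compliance areas are never excluded


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    likelihood: int    # 1 (rare) .. 5 (almost certain)
    impact: tuple      # (confidentiality, integrity, availability), each 1..5
    controls: tuple    # control areas (keys of CONTROL_AREAS) that reduce this threat

    def score(self, likelihood=None):
        lk = self.likelihood if likelihood is None else likelihood
        return lk * max(self.impact)

    def residual_likelihood(self):
        # Assumed treatment model: every selected control area lowers likelihood one step.
        return max(1, self.likelihood - len(self.controls))


def assess(risks):
    """Step 5: rank the identified risks, highest score first."""
    return sorted(risks, key=lambda r: r.score(), reverse=True)


def treat(risk):
    """Step 6: accept risks at or below the threshold, reduce the rest with controls.
    Returns (treatment, residual score)."""
    if risk.score() <= RISK_ACCEPT_THRESHOLD:
        return ("accept", risk.score())
    return ("reduce", risk.score(risk.residual_likelihood()))


def statement_of_applicability(risks):
    """Steps 7 and 8: for each of the 10 areas, whether it is selected and why.
    Areas no reduced risk needs are marked not applicable and must carry a justification."""
    soa = {}
    for area in CONTROL_AREAS:
        reasons = [f"{r.asset}: {r.threat}" for r in risks
                   if treat(r)[0] == "reduce" and area in r.controls]
        if area in ALWAYS_APPLICABLE:
            reasons.insert(0, "required by the scheme")
        if reasons:
            soa[area] = ("applicable", reasons)
        else:
            soa[area] = ("not applicable",
                         ["no assessed risk requires this area; record the justification"])
    return soa


def residual_risks_for_approval(risks):
    """Step 9: residual risks still above the threshold need management sign-off."""
    return [r for r in risks if treat(r)[1] > RISK_ACCEPT_THRESHOLD]


# Constructed sample register (Step 4) for a small e-Government office; not real data.
SAMPLE_RISKS = (
    Risk("resident registry database", "unauthorized access with guessed passwords",
         4, (5, 4, 2), (7, 4, 6)),
    Risk("public application portal", "denial of service", 3, (1, 1, 4), (6, 9)),
    Risk("paper application archive", "fire or earthquake", 2, (2, 3, 4), (5, 9)),
    Risk("personal data on staff PCs", "leak by an insider", 3, (5, 2, 2), (4,)),
)

if __name__ == "__main__":
    for r in assess(SAMPLE_RISKS):
        action, residual = treat(r)
        print(f"{r.score():>3} -> {action:<6} residual {residual:>2}  {r.asset}: {r.threat}")
    for area, (status, why) in statement_of_applicability(SAMPLE_RISKS).items():
        print(f"{area:>2} {CONTROL_AREAS[area]:<42} {status}: {'; '.join(why)}")
    for r in residual_risks_for_approval(SAMPLE_RISKS):
        print("needs management approval:", r.asset, "-", r.threat)
```

Two things the run makes visible that the step list alone does not: the archive risk scores exactly at the threshold and is accepted, so it contributes no controls and area 5 (physical and environmental security) falls out as "not applicable" and must be justified in the statement of applicability; and the insider-leak risk keeps a residual score of 10 after its single control area, which is what Step 9 asks management to approve explicitly rather than let slip through.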
Security Policy
What should be described at least:
(1) Statement by the top management
(2) Scope of the activity
(3) Purpose of the activity on information security
(4) Definition of information security and an appeal to its importance
(5) Declaration that the activity is ordered to all members of the organization
(6) Determination of the policy - penalties, familiarization of members, responsibility, compliance
A simple example of a security policy document
To: All company staff - date -
From the Managing Director
The world is now facing problems of computer attacks, leaks of company secrets and invasions of privacy. They are no longer other parties' problems but are also our problem. I am sincerely concerned about the impact of these problems on the company, and I would like to emphasize the importance of security measures in order to protect ourselves from such threats.
(1) We will take security measures for our assets based on their importance and secrecy level.
(2) All staff must comply with the security measures that we will determine separately.
(3) The security measures must be reviewed from time to time in accordance with necessity and technological enhancement.
(4) All staff are required to understand the Policy.
(5) I appoint the IT director as the security administrator and the whole board of directors as the security policy steering committee members.
Effects of the ISMS
(1) Internal effects
- Standardized security level in the organization
- Helps boost members' morale
- Minimizes the cost of maintaining security
- Ability to apply for certification under a certification scheme (e.g. JIPDEC* in Japan, UKAS** in the UK)
(2) External effects
- Ability to present itself as an organization certified to operate and manage on the basis of a security policy
- Improved trust of society
* JIPDEC: Japan Information Processing Development Corporation
** UKAS: United Kingdom Accreditation Service
OECD Guidelines for the Security of Information Systems and Networks
1) Awareness: participants should be aware of the need for security of information systems and networks and what they can do to enhance security
2) Responsibility: all participants are responsible for the security of information systems and networks
3) Response: participants should act in a timely and co-operative manner to prevent, detect and respond to security incidents
4) Ethics: participants should respect the legitimate interests of others
5) Democracy: the security of information systems and networks should be compatible with essential values of a democratic society
6) Risk assessment: participants should conduct risk assessments
7) Security design and implementation: participants should incorporate security as an essential element of information systems and networks
8) Security management: participants should adopt a comprehensive approach to security management
9) Reassessment: participants should review and reassess the security of information systems and networks, and make appropriate modifications to security policies, practices, measures and procedures
Source: OECD