Copyright © 2008 Information-technology Promotion Agency, Japan (IPA)
The ISM-Benchmark and its effects on secure business environment(ISM-Benchmark = Information Security Management Benchmark)
http://www.ipa.go.jp/security/
January 09, 2009
Yasuko Kanno, Chief Advisor, IPA Security Center
Information-technology Promotion Agency, Japan (IPA)
Today's Contents
1. About IPA
2. Background: Needs for information security
3. What is the ISM-Benchmark
4. How to use the ISM-Benchmark (Demo)
5. Progress of the ISM-Benchmark
   - How well is the ISM-Benchmark being used?
   - Why so many users?
What is IPA
IPA: established 1970; 10 departments & centers. Chair: Mr. Nishigaki.
- IT Security Center: started 1990; Center established 1997; 103 researchers and staff; Executive Director
  - Virus & Unauthorized Access Countermeasures Group
  - Information Security Economics Laboratory
  - Information Security Certification Office (= JISEC)
  - Security Engineering Laboratory (Vulnerability Handling)
  - Cryptography Research Group
  - Cryptographic Module Validation Office
  - Planning Group, Global Alliance Group
- Open Software Center
- Software Engineering Center
- IT Human Resource Development
- IT Examination
IPA/IT Security Center's Activities
- Vulnerability-related information handling
- Computer virus, bot and unauthorized computer access countermeasures
- Common Criteria certification
- Cryptographic Module Validation Program
- Cryptographic techniques
- Information Security Economics Laboratory: R&D, awareness, self-assessment system
- Study on biometrics security evaluation
2. Background: Needs for Information Security and the ISM-Benchmark
Importance of End-to-End Security
The most important information is usually shared among the companies within a value chain.
Every company in the chain therefore needs to establish security management that reduces its risks and keeps them below an acceptable level, and not only through technology measures.
To be competitive, we need security.
Security is one of the Criteria for Selecting Contractors
"The head of information security officers must establish the procedure to evaluate the information security level of the contractor based on the international standards in order to select a contractor more stringently."
*** From clause 6.1.2, "Japanese Standards for Information Security Measures for Central Government Computer Systems", http://www.nisc.go.jp/eng/index.html
Guideline to Evaluate the Information Security Level of Contractors
To evaluate the information security level of contractors, you can use:
- ISMS Conformity Assessment
- Information Security Management Benchmark
- Information Security Audit
What is Information Security?
Defined in ISO/IEC 27002, the international standard (code of practice) for information security management, as follows:
"Information security protects information from a wide range of threats in order to ensure business continuity, minimize business damage and maximize return on investments and business opportunities."
Information security is characterized as the preservation of:
◆ Confidentiality: ensuring that information is accessible only to those authorized to have access;
◆ Integrity: safeguarding the accuracy and completeness of information and processing methods;
◆ Availability: ensuring that authorized users have access to information and associated assets when required.
And what should we do in order to be secure?
Security controls span three areas (slide diagram):
Organizational and Human Security
- Organizational structure, education and training, security policy and rules, contracts (NDA etc.), secure operation, business continuity
Technical Security
- External network security (Internet): web security, protection against unauthorized access, protection against DDoS
- Internal network security: network security, Wi-Fi security
- Host security: virus, unauthorized access, data protection, log management, vulnerability handling, application security, OS security
- Client security and media security: encryption, prevention of computer abuse
Physical Security
- Office space: access control, safe storage, shredder
- Server room: fireproof installation, seismic isolator, disaster countermeasures
- Sensitive documents: secure data disposal
PDCA Cycle of ISMS: Spiral Up by the PDCA Cycle
- Plan: risk assessment, select controls, security policy
- Do: implementation, operation
- Check: overseeing / monitoring
- Act: review by management
Continuous improvement
Source: JIPDEC (Japan Information Processing Development Corporation)
Isn't it difficult to be secure if there are so many security controls?
Who does it? How much must we spend to be secure?
Where can we start?
Do we have enough money to do so?
Problems hindering companies' investments in information security
1. It is difficult to make appropriate investments in information security because the security risks that will occur are unclear.
2. Existing measures and efforts toward information security are not directly linked to corporate value.
3. The need to ensure business continuity is not fully understood.
Tools for establishing "information security governance" (tools recommended by METI's study group; METI: Ministry of Economy, Trade and Industry, Japan)
1. Information Security Management Benchmark: improves awareness at the management level through self-check; a "gateway" to assessment/certification by a third party
2. Model for Information Security Reports: promotes fair evaluation by stakeholders; provides a basis for assessments/certification by third parties
3. Guideline for Business Continuity Plans: helps companies realize the importance of business continuity; promotes development of BCPs
3. What is the Information Security Management Benchmark? (Abbr.: ISM-Benchmark)
(IPA) ISM-Benchmark (English): http://www.ipa.go.jp/security/english/benchmark_system.html
What is the ISM-Benchmark?
- A tool for establishing "information security governance". The concept was proposed by METI in March 2005.
- IPA developed it as a web-based self-assessment tool, provided on the IPA web page since Aug. 2005.
- A self-assessment tool that visually shows where the level of the user's company's security measures lies.
- Aimed at SMEs, to help them improve their security level.
- Free of charge. Provided by a government agency.
- Organizational, technical, physical and human security controls are assessed in good balance.
What can you do with the ISM-Benchmark?
- Use it to grasp your company's security level
  - Where to start?
  - Plan: which controls should be considered? Which security level should you aim for?
  - Do and Check: analyze your weaknesses by comparing with other companies.
  - Act: use it for further improvement.
- Use it to show your business partners your security level in order to be competitive.
- Use it to provide consultation; it can serve as educational material.
Outline of the ISM-Benchmark
Assessment Items (40 items in total)
- Corporate Profile (15 items): number of employees, sales figures, number of sites; number of people whose personal information is held; degree of dependence on information technology
- Information Security Measures (25 items):
  - Organizational security
  - Physical and environmental security
  - Communications and operations management
  - Access control; systems development and maintenance
  - Security incidents and malfunctions
Input
The user answers the 40 questions on the Web, e.g. "Does your company have any policies or rules for information security, and does it implement them?"
Self-Assessment Result
1. Displays your company's position using a scatter chart.
2. Compares your organization's score with the desirable security level and the average in your business industry, using a radar chart.
3. Shows your score.
4. Displays recommended security approaches.
Example of Self-Assessment Result (Scatter Chart)
Organizations are categorized into 3 groups:
- Group I: high-level IT security measures are required.
- Group II: medium-level IT security measures are required.
- Group III: thorough IT security measures are not required.
The chart marks your company's position.
25 questions about security measures
The 25 questions of the ISM-Benchmark are based on the 133 security controls in ISO/IEC 27001:2005, Annex A (ISO/IEC 27002:2005). Characteristics of the questions:
- Developed by a working group of security specialists
- Use simple and easy-to-understand expressions
- The number of questions (= evaluation items) is limited to 25 so that self-assessment is not difficult for SMEs
The questions are arranged in 5 sections of 3 to 7 questions each, 25 questions in total:
(a) Organizational approaches to information security (7 questions)
(b) Physical (environmental) security countermeasures (4 questions)
(c) Operation and maintenance controls over information systems and communication networks (6 questions)
(d) Information system access control and security countermeasures during the development and maintenance phases (5 questions)
(e) Information security incident response and BCM (business continuity management) (3 questions)
146 tips for the security measures
How to Answer the 25 Questions
For each question, the user selects the most appropriate level from the five levels below. The scale runs from "Not implemented" (level 1) to "Implemented" (level 5) and is PDCA-conscious: the slide marks the levels with P, D, C and A.
1. The management is not aware of its necessity, or no rule or control has been established even though they are aware of its necessity.
2. The management is aware of its necessity and is proceeding to formulate and disseminate the rules and controls, but only some of them are implemented.
3. Rules and controls have been established with the approval of the management, and they are disseminated and implemented company-wide, but the state of implementation has not been reviewed.
4. The rules and controls have been established under the leadership and with the approval of the management, and they are disseminated and implemented company-wide, with their status reviewed regularly by the responsible person.
5. In addition to level 4, your company has improved the controls so as to become a good example for other companies, dynamically reflecting changes in the security environment.
25 questions and 146 tips for the measures
If you click this button, you will see tips for the security measures and recommended approaches (146 tips in total).
Assessment Result: Scatter Chart
Displays your company's position using a scatter chart.
- X-axis: Information Security Risk Index, indicating the risk level calculated from the answers to the Corporate Profile (number of employees, sales figures, etc.). Based on the risk index, organizations are classified into three groups: Group I, Group II and Group III, each displayed in its own color.
- Y-axis: Total Score (125 points). Each of the 25 questions on security measures is assessed on five grades: 5 x 25 items = 125 points.
The red dot indicates your organization's position.
Assessment Result: Radar Chart
Your diagnosis result is shown in a radar chart. Your score is indicated by the red line; the chart also plots the Ideal Level and the Average. The closer your line is to the center, the lower your security level.
What is the Ideal Level?
(Chart: total score axis from 0 to 125 points)
- Average: the average for all the organizations in the group. For companies that have not reached the overall average, this is the interim goal that should be achieved as early as possible.
- Ideal Level: the average of the top 1/3 of organizations in the group. This is the goal to achieve.
Assessment Result: Frequency Distribution and T-Score of Total Score
The T-score is derived using the equation below:
T-score = (your organization's total score - average total score of the group) / standard deviation x 10 + 50
The T-score is a standard score converted to a normal distribution with a mean of 50 and a standard deviation (σ) of 10. As shown in the figure, 68.26% of organizations fall within ±1σ (40 to 60). That is, if your organization's T-score is 60, your organization is ranked at around the top 15.87%.
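The scoring described on the preceding slides, carried through in code as an added example (this is not IPA's own implementation; the group scores and the answer sheet below are constructed for illustration). It sums a 25-answer sheet into the 125-point total, converts a total into a T-score with the equation above, turns a T-score back into the share of organizations expected to score higher under the normal-distribution assumption, and computes the "Ideal Level" as the average of the top third of the group.

```python
import math

# Constructed sample data (not IPA's statistics): total scores (0 to 125) of
# twelve organizations that fell into the same risk group.
GROUP_SCORES = [60, 64, 68, 72, 74, 76, 78, 82, 84, 88, 92, 98]

QUESTIONS = 25                  # number of security-measure questions
LEVELS = 5                      # each answered on a 1..5 maturity scale
MAX_TOTAL = QUESTIONS * LEVELS  # 125 points


def total_score(answers):
    """Sum of the 25 maturity levels; rejects a malformed answer sheet."""
    if len(answers) != QUESTIONS:
        raise ValueError(f"expected {QUESTIONS} answers, got {len(answers)}")
    if any(not 1 <= a <= LEVELS for a in answers):
        raise ValueError("each answer must be a level from 1 to 5")
    return sum(answers)


def mean(values):
    return sum(values) / len(values)


def population_std(values):
    m = mean(values)
    return math.sqrt(sum((v - m) ** 2 for v in values) / len(values))


def t_score(total, group_mean, group_sd):
    """IPA's equation: (total - group average) / sd x 10 + 50."""
    if group_sd <= 0:
        raise ValueError("standard deviation must be positive")
    return (total - group_mean) / group_sd * 10 + 50


def normal_cdf(z):
    """P(Z <= z) for a standard normal variable, via the complementary error function."""
    return 0.5 * math.erfc(-z / math.sqrt(2))


def share_above(t):
    """Fraction of organizations expected to score above T-score t,
    under the normal-distribution assumption the T-score is built on."""
    return 1.0 - normal_cdf((t - 50) / 10)


def share_within(t_low, t_high):
    """Fraction of organizations expected to lie between two T-scores."""
    return normal_cdf((t_high - 50) / 10) - normal_cdf((t_low - 50) / 10)


def ideal_level(scores):
    """Average total score of the top third of the group (the 'Ideal Level')."""
    top = sorted(scores, reverse=True)[: max(1, len(scores) // 3)]
    return mean(top)


if __name__ == "__main__":
    # A constructed answer sheet: 25 maturity levels as a user would pick them.
    answers = [4, 3, 5, 4, 2, 3, 4, 4, 3, 5, 4, 2, 3, 4, 5, 4, 3, 3, 4, 5, 2, 4, 3, 4, 5]
    mine = total_score(answers)
    m, sd = mean(GROUP_SCORES), population_std(GROUP_SCORES)
    t = t_score(mine, m, sd)
    print(f"total {mine}/{MAX_TOTAL}, group mean {m:.2f}, sd {sd:.2f}, T-score {t:.1f}")
    print(f"about {share_above(t):.1%} of the group is expected to score higher")
    print(f"interim goal (group average) {m:.1f}, ideal level (top third) {ideal_level(GROUP_SCORES):.1f}")
    print(f"share within +/-1 sigma: {share_within(40, 60):.2%}")
```

Note that the percentile reading only holds as far as total scores in the group are actually normally distributed; with a skewed group, the empirical rank from the frequency distribution is the safer figure to quote to management.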
Assessment Result: Score Chart
Assessment Result: Summary
- The distribution of total scores and your position are shown in a scatter chart. It shows two kinds of information (the 3 risk groups, or company-size-based) and can compare your current position with your past two positions.
- The radar chart shows scores in four different forms: by risk-based group (classified by the IS Risk Index); by company size (large company vs. SME); by business industry; and your company's current position compared with its past two positions.
- Shows the frequency distribution and T-score of total scores; shows a list of scores; displays recommended approaches.
- Results can be shown in both HTML and PDF formats, and assessment results can be used to provide information to contractors etc.
- Both comparative and quantitative assessment, with various comparison functions.
The My Page function
If you apply for a log-in account, you can use the "My Page" function!
4. How to use the ISM-Benchmark (Demo)
How to start your self-assessment
IPA ISM-Benchmark portal site: http://www.ipa.go.jp/security/english/benchmark_system.html
Demonstration: ISM-Benchmark ver. 3.1
5. Progress of the ISM-Benchmark
- How well is the ISM-Benchmark being used?
- Why so many users?
New stage of the ISM-Benchmark
From ver. 3.1, the statistical information on the basic data used for the diagnosis is made available to the public, to increase the trust level and transparency of the diagnosis.
The statistical information is available at: http://www.ipa.go.jp/security/benchmark/benchmark_tokuchover31.html#toukei
If you would like to take a look at the statistical data, please let me know.
Statistical Information from the Diagnostic Data of the Benchmark. An Example: Organization-Size-Based Comparison
Frequency Distribution of Total Scores (figure: x-axis total score, 25 to 125; y-axis frequency in %; SMEs with 300 employees or fewer, 1,306 companies, vs. large companies with more than 300 employees, 859 companies)
Score by organization size: more than 300 employees: 80.35; up to 300 employees: 70.34
Number of employees | Organizations | Ratio of organizations diagnosed | Ratio of establishments
More than 300       |   859         | 39.68%                           |  0.20%
20 to 300           | 1,040         | 48.04%                           |  8.80%
20 or less          |   266         | 12.29%                           | 91.00%
2,165 cases: 2006/3/20 - 2007/12/17
Another Challenge of the ISM-Benchmark: Handbook of the ISM-Benchmark (132 pages)
The handbook provides ideas on how to make use of the ISM-Benchmark. Various organizations were involved in the project to produce it:
【Committee chief】 Prof. Eijiro Ooki
【Members of Committee】 IPA (provides the ISM-Benchmark), JIPDEC (conducts ISMS Conformity Assessment), JASA (conducts Information Security Audit)
【Observers】 METI, JAB (ISMS Conformity Assessment)
You can download the handbook (Japanese only) at: http://www.ipa.go.jp/security/benchmark/benchmark-katsuyou.html
How many companies use the ISM-Benchmark?
The Benchmark is being used by more than 16,000 companies!
Number of accesses: ca. 16,000 cases (Aug. 4, 2005 - Dec. 19, 2008)
(Scatter chart: Risk Indicator for Information Security on the X-axis, Total Score on the Y-axis.) Based on the 40 responses given to the Part 1 and Part 2 questionnaires, you are mapped onto this chart; the dots represent data provided by other enterprises.
Categorized into 3 groups:
- Group I: high-level IT security measures are required.
- Group II: medium-level IT security measures are required.
- Group III: thorough IT security measures are not required.
The chart marks your company's position.
Why so many users?
Because...
- It conforms to the international standard ISO/IEC 27001:2005.
- Free of charge. Provided by a government agency.
- Organizational, technical, physical and human security measures are assessed in good balance.
- You can compare your company's position with that of other companies.
- It improves awareness at the management level.
- A "gateway" to assessment/certification by a third party.
- It provides ideas on how to make use of it (Handbook released Jan. 2008).
- In addition to the 25 security measures, 146 tips are displayed in pop-ups, etc.
IPA: http://www.ipa.go.jp/ | Email: [email protected] | Hon-Komagome, Bunkyo-ku, Tokyo 113-6591, Japan
Thank you!