Copyright © 2008 Information-technology Promotion Agency, Japan (IPA)

The ISM-Benchmark and its effects on secure business environment(ISM-Benchmark = Information Security Management Benchmark)

http://www.ipa.go.jp/security/

January 09, 2009

Yasuko Kanno, Chief Advisor, IPA Security Center

Information-technology Promotion Agency, Japan (IPA)


Today's Contents

1. About IPA
2. Background – Needs for information security
3. What is the ISM-Benchmark
4. How to use the ISM-Benchmark – Demo
5. Progress of the ISM-Benchmark
   - How well is the ISM-Benchmark being used?
   - Why so many users?


What is IPA

IPA: established 1970; 10 departments and centers.

Organization chart: Chair (Mr. Nishigaki); Executive Director; and the following departments and centers:
- IT Security Center (started 1990; Center established 1997; 103 researchers and staff)
- Open Software Center
- Software Engineering Center
- IT Human Resource Development
- IT Examination

Groups within the IT Security Center:
- Virus & Unauthorized Access Countermeasures Group
- Information Security Economics Laboratory
- Information Security Certification Office (= JISEC)
- Security Engineering Laboratory (Vulnerability Handling)
- Cryptography Research Group
- Cryptographic Module Validation Office
- Planning Group, Global Alliance Group


IPA/IT Security Center's Activities

– Vulnerability-related information handling
– Computer virus, bot / unauthorized computer access countermeasures
– Common Criteria certification
– Cryptographic Module Validation Program
– Cryptographic techniques
– Information Security Economics Laboratory: R&D, awareness, self-assessment system
– Study on biometrics security evaluation


2. Background – Needs for Information Security and the ISM-Benchmark


Importance of End-to-End security

- The most important information is usually shared among companies within a value chain.
- Every company in the chain needs to establish security management to reduce risks to an allowable level and keep them there.
- Not only technology measures.

To be competitive, we need security.


Security is one of the Criteria for Selecting Contractors

"The head of information security officers must establish the procedure to evaluate the information security level of the contractor based on the international standards in order to select a contractor more stringently."
*** From clause 6.1.2, "Japanese Standards for Information Security Measures for Central Government Computer Systems", http://www.nisc.go.jp/eng/index.html

Guideline to Evaluate the Information Security Level of Contractors
To evaluate the information security level of contractors, you can use:
• ISMS Conformity Assessment
• Information Security Management Benchmark
• Information Security Audit


What is Information Security?

Defined in ISO/IEC 27002, the International Standard of Information Security Management (code of practice), as follows:

Information security protects information from a wide range of threats in order to ensure business continuity, minimize business damage and maximize return on investments and business opportunities.

Information security is characterized as the preservation of:

◆ Confidentiality: ensuring that information is accessible only to those authorized to have access;
◆ Integrity: safeguarding the accuracy and completeness of information and processing methods;
◆ Availability: ensuring that authorized users have access to information and associated assets when required.

And what should we do in order to be secure?


[Figure: map of the security controls an organization has to cover, grouped into three areas]

Organizational and Human Security: organizational structure; education and training; security policy and rules; contracts (NDA etc.); secure operation; business continuity.

Technical Security: external network security (Internet); internal network security; network security and Wi-Fi security; web security (against unauthorized access, against DDoS); host security (virus, unauthorized access, data protection, log management, vulnerability handling, application security, OS security); client security; media security; access control; encryption; preventing computer abuse.

Physical Security: office space; server room; safe storage; shredder; secure data disposal of sensitive documents; fireproof installation; seismic isolator; disaster countermeasures.


PDCA Cycle of ISMS

[Figure: "spiral up" by the PDCA cycle, i.e. continuous improvement]
- Plan: risk assessment, select controls, security policy
- Do: implementation, operation
- Check: overseeing/monitoring, review by management
- Act: continuous improvement

Source: JIPDEC (Japan Information Processing Development Corporation)


??

Isn't it difficult to be secure if there are so many security controls?
Who does it? How much must we spend to be secure?
Where can we start?
Do we have enough money to do so?


Problems hindering companies' investments in information security

1. It is difficult to make appropriate investments in information security because the security risks that will occur are unclear.
2. Existing measures and efforts toward information security are not directly linked to corporate value.
3. The need to ensure business continuity is not fully understood.

Tools for establishing "information security governance"
(Tools recommended at METI's study group; METI: Ministry of Economy, Trade and Industry, Japan)

1. Information Security Management Benchmark: improving awareness at the management level through self-check; "gateway" to assessment/certification by a third party.
2. Model for Information Security Reports: promotes fair evaluation by stakeholders; provides a basis for assessments/certification by third parties.
3. Guideline for Business Continuity Plans: realize the importance of business continuity; promote development of BCPs.


3. What is the Information Security Management Benchmark? (Abbr.: ISM-Benchmark)


What is the ISM-Benchmark?

ISM-Benchmark (English): http://www.ipa.go.jp/security/english/benchmark_system.html

- A tool for establishing "information security governance". The concept was proposed by METI in March 2005.
- IPA developed it as a web-based self-assessment tool, provided on the IPA web page since Aug. 2005.
- A self-assessment tool that visually shows where the level of the user's company's security measures stands.
- Aimed at SMEs, to improve their security level.
- Free of charge. Provided by a government agency.
- Organizational, technical, physical and human security controls are assessed in good balance.


What can you do with the ISM-Benchmark?

• Use it to grasp your company's security level
  – Where to start?
  – Plan: What controls should be considered? Which security level should you aim for?
  – Do and Check: Analyze your weaknesses by comparing with other companies.
  – Act: Use it for further improvement.
• Use it to show your business partners your security level in order to be competitive.
• Use it to provide consultation; it can be used as educational material.


Outline of the ISM-Benchmark

Input: the user answers 40 questions on the Web (Assessment Items: 40 items in total), e.g. "Does your company have any policies or rules for information security and implement them?"

- Corporate Profile (15 items): number of employees, sales figures, number of sites; number of people whose information is held; degree of dependence on information technology.
- Information Security Measures (25 items): organizational security; physical and environmental security; communications and operations management; access control, systems development and maintenance; security incidents and malfunctions.

Self-Assessment Result:
1. Displays your company's position using a scatter chart.
2. Compares your organization's score with the desirable security level and the average in your business industry, using a radar chart.
3. Shows your score.
4. Displays recommended security approaches.

Example of Self-Assessment Result (Scatter Chart): organizations are categorized into 3 groups and your company's position is marked on the chart.
- Group I: high-level IT security measures are required.
- Group II: medium-level IT security measures are required.
- Group III: less thorough IT security measures are required.


25 questions about security measures

The 25 questions of the ISM-Benchmark are based on the 133 security controls in ISO/IEC 27001:2005, Annex A (ISO/IEC 27002:2005). Characteristics of the questions:
・Developed by a working group of security specialists
・Use simple and easy-to-understand expressions
・The number of questions (= evaluation items) is limited to 25 so that self-assessment is not difficult for SMEs

Consists of 5 sections, each with 3 to 7 questions, 25 questions in total:
(a) Organizational Approaches to Information Security (7 questions)
(b) Physical (Environmental) Security Countermeasures (4 questions)
(c) Operation and Maintenance Controls over Information Systems and Communication Networks (6 questions)
(d) Information System Access Control and Security Countermeasures during the Development and Maintenance Phases (5 questions)
(e) Information Security Incident Response and BCM (Business Continuity Management) (3 questions)

146 Tips for the Security Measures


How to Answer the 25 questions

For each question, the user selects the most appropriate level from the five levels below (PDCA-conscious). Level 1 is "not implemented"; levels 2 to 5 are "implemented" and are labelled P, D, C and A in the figure.

1. The management is not aware of its necessity, or no rule or control has been established even though they are aware of its necessity.
2. The management is aware of its necessity and is proceeding to formulate and disseminate the rules and controls, but only some of them are implemented.
3. Rules and controls have been established with the approval of the management, and they are disseminated and implemented company-wide, but the state of implementation has not been reviewed.
4. The rules and controls have been established under the leadership and approval of the management, and they are disseminated and implemented company-wide, with their status reviewed on a regular basis by the responsible person.
5. In addition to item 4 above, your company has improved them to become a good example for other companies by dynamically reflecting changes in the security environment.


25 questions and 146 tips for the measures

If you click this button, you will see tips for the security measures and recommended approaches. There are 146 tips for the security measures in total.


Assessment Result: Scatter Chart

Displays your company's position using a scatter chart.
- X-axis: Information Security Risk Index, an index indicating the risk level calculated from the answers to the Corporate Profile (number of employees, sales figures, etc.). Based on the risk index, organizations are classified into three groups: Group I, Group II and Group III; each group is displayed in its own color.
- Y-axis: Total Score (125 points). Each of the 25 security-measure questions is assessed with five grades: 5 x 25 items = 125 points.
- The dot in red indicates your organization's position.


Assessment Result: Radar Chart

Your diagnosis result is shown in a radar chart. Your score is the red line; the other lines are the Ideal Level and the Average. The closer the line comes to the center, the lower your security level.

What is the Ideal Level?

[Figure: total score scale from 0 to 125 points, with the group's overall average and the average of the top 1/3 marked]
- Ideal Level = the average of the top 1/3 of organizations in the group: the goal to achieve.
- Average = the average for all the organizations in the group: the interim goal that companies below the overall average should achieve as early as possible.


Assessment Result: frequency distribution and T-score of total score

The T-score is derived using the equation below:
T-score = (your organization's total score – the average total score of the group) / standard deviation x 10 + 50

The T-score is a score converted to an equivalent standard score in a normal distribution with a mean of 50 and a standard deviation (σ) of 10. As shown in the figure on the left, about 68.27% of organizations fall within the range of ±1σ (40 to 60). That is to say, if your organization's T-score is 60, your organization is ranked around 15.87% from the top.
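The scoring arithmetic of the last few slides, as an added worked example (this is not IPA's code and not part of the original deck): the 25 answers are summed to a total out of 125, the total is converted to a T-score against a comparison group with the formula above, and the T-score is turned into a "ranked in the top x%" figure under the normal model the slide describes. The answers and the group totals are constructed; the use of the population standard deviation (pstdev) and the assumption that answers are listed in section order (a) to (e) are mine, since the slides do not say.

```python
"""Added worked example of the ISM-Benchmark scoring arithmetic.

Not IPA's code: the answers, the comparison group and the choice of
population standard deviation are constructed assumptions for illustration.
"""
import math
from statistics import mean, pstdev

NUM_QUESTIONS = 25
MAX_LEVEL = 5
MAX_SCORE = NUM_QUESTIONS * MAX_LEVEL  # 5 x 25 = 125 points

# Section sizes (a)..(e) from the deck: 7 + 4 + 6 + 5 + 3 = 25.
# Assumption: answers are listed in this section order.
SECTIONS = (
    ("(a) Organizational approaches", 7),
    ("(b) Physical (environmental) security", 4),
    ("(c) Operation and maintenance controls", 6),
    ("(d) Access control, development and maintenance", 5),
    ("(e) Incident response and BCM", 3),
)


def total_score(answers):
    """Sum 25 maturity levels (each an int in 1..5) into a total out of 125."""
    if len(answers) != NUM_QUESTIONS:
        raise ValueError(f"expected {NUM_QUESTIONS} answers, got {len(answers)}")
    for a in answers:
        if not isinstance(a, int) or not 1 <= a <= MAX_LEVEL:
            raise ValueError(f"answer {a!r} is not a level in 1..{MAX_LEVEL}")
    return sum(answers)


def section_scores(answers):
    """Per-section (score, maximum) pairs: the axes of the radar chart."""
    total_score(answers)  # reuse the validation
    result, pos = {}, 0
    for name, size in SECTIONS:
        result[name] = (sum(answers[pos:pos + size]), size * MAX_LEVEL)
        pos += size
    return result


def t_score(score, group_mean, group_sd):
    """The deck's formula: (score - group mean) / sd x 10 + 50."""
    if group_sd <= 0:
        raise ValueError("standard deviation must be positive")
    return (score - group_mean) / group_sd * 10 + 50


def share_ranked_above(t):
    """Fraction of the group expected to score higher than T-score t.

    Under the normal model (mean 50, sd 10) this is 1 - Phi((t - 50) / 10),
    computed with erfc so no SciPy is needed.
    """
    z = (t - 50) / 10
    return 0.5 * math.erfc(z / math.sqrt(2))


def benchmark(answers, group_totals):
    """Score one organization against the total scores of its comparison group."""
    score = total_score(answers)
    mu = mean(group_totals)
    sd = pstdev(group_totals)  # assumption: population SD; the deck does not say which
    t = t_score(score, mu, sd)
    return {"total": score, "max": MAX_SCORE, "group_mean": mu,
            "group_sd": sd, "t_score": t, "share_above": share_ranked_above(t)}


# Constructed sample input (not IPA data): one organization's 25 answers,
# laid out by section, summing to 85 ...
EXAMPLE_ANSWERS = [
    4, 4, 3, 4, 3, 3, 4,     # (a) 7 questions -> 25
    4, 4, 3, 3,              # (b) 4 questions -> 14
    4, 3, 4, 3, 3, 4,        # (c) 6 questions -> 21
    3, 4, 3, 3, 3,           # (d) 5 questions -> 16
    3, 3, 3,                 # (e) 3 questions -> 9
]
# ... and ten other organizations' totals, built to have mean 70 and
# population SD 15 so the example lands exactly on T = 60.
EXAMPLE_GROUP = [46, 94, 58, 82, 70, 70, 61, 79, 52, 88]

if __name__ == "__main__":
    r = benchmark(EXAMPLE_ANSWERS, EXAMPLE_GROUP)
    print(f"total {r['total']}/{r['max']}, group mean {r['group_mean']}, "
          f"sd {r['group_sd']:.1f}, T-score {r['t_score']:.1f}, "
          f"about {100 * r['share_above']:.2f}% of the group scores higher")
    for name, (got, top) in section_scores(EXAMPLE_ANSWERS).items():
        print(f"  {name}: {got}/{top}")
```

With the constructed group the example organization scores 85/125, which is 15 points (one group SD) above the group mean and therefore a T-score of 60; the normal model then puts about 15.87% of the group above it, the figure the slide quotes. Note that the "ranked around x% from the top" reading only holds as far as the group's total scores really are normally distributed; the frequency-distribution chart IPA shows alongside the T-score is the check for that.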


Assessment Result: Score Chart


Assessment Result: Summary

Both comparative and quantitative assessments, with various comparison functions:
- The distribution of total scores and your position are shown in a scatter chart. Two kinds of comparison are shown: the 3 risk groups, or company-size-based. You can compare your current position with your past two positions.
- The radar chart shows scores in four different forms: risk-based group (classified by the IS Risk Index); company-size-based (large company and SME); business-industry-based; your company's current position and past two positions.
- Shows the frequency distribution and T-score of total scores.
- Shows a list of scores.
- Displays recommended approaches.

Results can be shown in both HTML and PDF formats. Assessment results can be used to provide information to contractors etc.


The My Page function

If you apply for a log-in account, you can use the "My Page" function!


4. How to use the ISM-Benchmark – Demo


How to start your self-assessment

IPA ISM-Benchmark Portal Site: http://www.ipa.go.jp/security/english/benchmark_system.html (click the link on the portal page to start)

Now demonstrating: ISM-Benchmark ver. 3.1


5. Progress of the ISM-Benchmark
- How well is the ISM-Benchmark being used?
- Why so many users?


New stage of the ISM-Benchmark

From ver. 3.1, the statistical information for the basic data used in the diagnosis has been made available to the public, to increase the trust level and transparency of the diagnosis.

Statistical information is available at: http://www.ipa.go.jp/security/benchmark/benchmark_tokuchover31.html#toukei

If you would like to take a look at the statistical data, please let me know.


Statistical Information from the Diagnostic Data of the Benchmark. An Example: Organization-Size-Based Comparison

[Figure: Frequency Distribution of Total Scores. X-axis: total score (25 to 125); Y-axis: frequency (%). Two series: SMEs (300 employees or fewer, 1306 companies) and large companies (more than 300 employees, 859 companies).]

Average total score by organization size (2165 cases, 2006/3/20 – 2007/12/17):
- More than 300 employees (859 companies): 80.35
- Up to 300 employees (1306 companies): 70.34

Number of employees | Organizations diagnosed | Ratio of organizations diagnosed | Ratio of establishments
More than 300       |   859 | 39.68% |  0.20%
20 to 300           |  1040 | 48.04% |  8.80%
20 or less          |   266 | 12.29% | 91.00%


Another Challenge of the ISM-Benchmark

Handbook of the ISM-Benchmark (132 pages)
- Provides ideas on how to make use of the ISM-Benchmark.
- Various organizations were involved in the project to make the handbook:
  【Committee chief】 Prof. Eijiro Ooki
  【Members of the committee】 IPA (provides the ISM-Benchmark), JIPDEC (conducts ISMS Conformity Assessment), JASA (conducts Information Security Audit)
  【Observers】 METI, JAB (ISMS Conformity Assessment)

You can download the handbook (Japanese only) at: http://www.ipa.go.jp/security/benchmark/benchmark-katsuyou.html


How many companies use the ISM-Benchmark?

The Benchmark is being used by more than 16,000 companies!
Number of accesses: ca. 16,000 cases (Aug. 4, 2005 – Dec. 19, 2008)

[Figure: scatter chart of Total Score against the Risk Indicator for Information Security. Based on the 40 responses given to the Part 1 and Part 2 questionnaires, you are mapped onto this chart; the dots represent data provided by other enterprises. Organizations are categorized into 3 groups: Group I (high-level IT security measures are required), Group II (medium-level IT security measures are required), Group III (less thorough IT security measures are required); your company's position is marked.]


Why so many users?

Because…
- Conforms to the international standard ISO/IEC 27001:2005
- Free of charge
- Provided by a government agency
- Organizational, technical, physical and human security measures are assessed in good balance
- You can compare your company's position with that of other companies
- Improves awareness at the management level
- "Gateway" to assessment/certification by a third party
- Provides ideas on how to make use of it (Handbook released Jan. 2008)
- In addition to the 25 security measures, 146 tips are displayed in pop-ups
- etc.


IPA: http://www.ipa.go.jp/
Email: [email protected]
Hon-Komagome, Bunkyo-ku, Tokyo 113-6591, Japan

Thank you!