JSSM

Japanese Government’s Efforts to
Address Information Security Issues
October, 2007
National Information Security Center (NISC)
http://www.nisc.go.jp/eng/
The issue of Cyber attack
- Cyber attack is “electric attack to Critical Infrastructures using information communications networks and information system”
- “Inter-ministry coordination” and “Government Private Partnership” are needed to improve preparedness, and response and recovery capability for large cyber attacks
Copyright (c) 2007 National Information Security Center (NISC). All Rights Reserved.
Brief history of Information security policy framework
[Timeline figure, 1999 to 2007]
Incidents
- 2000.01 Defacing Web site of Government
- 2001.09 911
- 2003.08 Blaster Worm
Phases
- Developing Policy Framework
- Implementation 1st Phase
- Restructuring Phase (Restructuring Organizations)
- Implementation 2nd Phase
Major policies
- 2000.07 Information Security Policy Guidelines
- 2000.12 Special Action Plan on Countermeasures to cyber-terrorism for Critical Infrastructures
- 2005.12 Standards for Information Security Measures for the Central Government Computer Systems
- 2005.12 Action Plan on Information Security Measures for Critical Infrastructures
- 2006.02 The First National Strategy on Information Security
Organization
- 2000.02 Cabinet Secretariat IT Security Office
- 2005.04 National Information Security Center
- 2005.05 Information Security Policy Council
Establishment of the ‘Information Security Policy Council (ISPC)’ and
the ‘National Information Security Center (NISC)’
- The National Information Security Center (NISC) was established on April 25, 2005 based on the decision under the IT Strategic Headquarters on December 7, 2004
- Information Security Policy Council (ISPC) was set up in IT Strategic Headquarters on May 30, 2005
- NISC serves as a coordinator of cross-departmental information security issues
- NISC consists of both government officials from related ministries and agencies, and experts from the private sector
- Organizational Transition of staff in Cabinet Secretariat
  - Est. Feb 2000: 8 persons (Set up ‘IT Security Office’ in Cabinet Secretariat)
  - July 2004: 18
  - Apr 2006: 52
  - Aug 2007: 63
  - NISC set up in April 2005
Information Security Policy Council (ISPC)
& National Information Security Center (NISC)
- Based on “Review of the Role and Functions of the Government in terms of Measures to Address
Information Security Issues (decided by the IT Strategic Headquarters on December 7, 2004),”
the government is developing essential functions and frameworks toward strengthening its core
functions to address information security issues.
[Organization chart]
- IT Strategic Headquarters: Information Security Policy Council (ISPC). Decision on fundamental matters such as basic strategy for information security
- Cabinet Secretariat: National Information Security Center (NISC). Gather experts from the public and private sectors (* NISC is in Cabinet Secretariat)
Functions
(1) Formulate basic strategies for information security measures
(2) Promote comprehensive measures taken by central governments
(3) Help each central government agency deal with individual incidents
(4) Information security measures for critical infrastructures
- Centralize information exchange and cooperate with foreign countries
- Build international confidence
Central government agencies concerning information security
- National Police Agency
- Ministry of Internal Affairs and Communications
- Ministry of Economy, Trade and Industry
- Ministry of Defense
Agencies overseeing critical infrastructure
- Financial Services Agency
- Ministry of Internal Affairs and Communications
- Ministry of Health, Labour and Welfare
- Ministry of Economy, Trade and Industry
- Ministry of Land, Infrastructure and Transport
Target sectors: Governmental Agencies; Critical Infrastructures; Businesses; Individuals
Structure and Functions of NISC
[Organization chart]
Positions: Director of NISC; Deputy Director of NISC (Assistant Chief Cabinet Secretary); Deputy Director of NISC; Advisor on Information Security
Functions: Development of Fundamental Strategy; Comprehensive measures for governmental agencies; Development of Response Capability; Critical Information Infrastructure Protection; International Strategy
Counterparts: Governmental Agencies; Critical Infrastructures; Businesses; Individuals; Foreign Organizations
Overall Picture of “The First National Strategy on Information Security”
Basic principles
<Points to be realized>
1. Information security for providing the introduction of Japan as an economic state
2. Information security for more safe, secure, and better lives for the people
3. Information security from a new perspective of ensuring national security
- A quarter of Japan’s economic base and commercial transactions depends on IT.
- Japan is the world’s largest broadband communication power with 80 million Internet users.
- There is a growing need for safety and security measures including disaster control manners.
- It is necessary to recognize both new threats to national security regarding IT and strength of Japan.
Primary goal to be achieved in the next three years
Establish a “new public-private partnership model” in which both public and private play their roles appropriately
Goals
To make Japan an “information security advanced nation”
“The First National Strategy on Information Security”
Role
- Central and local governments: Giving “Best Practice” for information security measures
- Critical infrastructures: Ensuring stable supply of their services as the basis of people’s social lives and economic activities
- Businesses: Implementing information security measures so as to be highly regarded by the market
- Individuals: Raising awareness as main players of IT society
Priority policies for 2006-2008
[Sectoral Plan]
- Central and local governments: Standards for Measures
- Critical infrastructures: Critical Infrastructures Action Plan
- Businesses: Measures promoted by Ministries and Agencies
- Individuals: Measures promoted by Ministries and Agencies
(2) (cross-sectoral issues)
- Promoting information security technology strategy
- Developing human resources
- Promoting international cooperation and collaboration
- Crime control and protection/remedial measures for rights and interests
Overall Picture of Milestones in the FY 2006 - 2008
- Through combination of the “overall process schedule” (National Strategy) and the “sectoral
plan,” the government aims to develop Japan into an “information security advanced nation,”
with clearly identified milestones to be achieved in each fiscal year.
[Central Government]
All government agencies should take measures according to the “Standards for Measures”
[Critical Infrastructure]
The number of IT-malfunctions should be reduced as close as possible to zero.
[Businesses]
All public companies should take appropriate measures depending on risk.
[Individual]
The number of “individuals who feel insecure about IT use” as close as possible to zero.
[Timeline axis: FY2006, FY2007, FY2008]
Standards for Information Security Measures for the Central
Government Computer Systems
○ To achieve sectoral plan for raising the information security level of the whole government, the government
formulates the “Standards for Information Security Measures for the Central Government Computer Systems”
○ Each government agency implements measures according to the Standards for Measures, and the National
Information Security Center (NISC) inspects and evaluates the implementation status at the central offices. The
Information Security Policy Council (ISPC) makes recommendations for improvement based on the
inspection/evaluation results.
[PDCA cycle diagram: Standards for Measures]
- Central government agencies (Plan, Do, Check, Act): Review standards of government agency according to the Standards for Measures
- National Information Security Center (NISC) (Plan, Do, Check, Act): Inspect and evaluate the implementation status
- Information Security Policy Council (ISPC): Make recommendations (Recommendations for improvement)
Framework of Information Security Measures of the Government
Policies of central government
- Policy for Enhancement of Information Security Measures for the Central Government Computer Systems
- Guidelines for Formulation and Implementation of Standards for Measures
- Standards for Measures
Each Government agency
- Implementation framework
Policies of the government agency
- Basic policies of the government agency
- Standards for measures implemented by the government agency
- Set of individual manuals
- Operation procedures by the government agency
- (Provided by the NISC)
Notes
- Formulating the “standards of the government agency” completed by all government agencies in April, 2006.
- To be established by around the end of the first quarter of FY2006 so that self-inspection can get started from the second quarter.
Critical Infrastructures Action Plan
- The Action Plan aims to protect critical infrastructures not only from (1) cyber attacks but also from (2) suspended services and reduced function caused by dysfunction of IT arising from unintentional factors and (3) those arising from disasters (IT-malfunctions).
New framework to be built under the Action Plan (supported by the four policies)
Four policies
1. Safety Standards, Guidelines, etc.
2. Information sharing frameworks
3. Analyses of interdependency
4. Cross-sectoral exercises
10 Sectors: Telecommunications; Finance; Civil aviation; Railways; Electricity; Gas; Administrative services; Medical services; Water works; Logistics
[Diagram labels: Government; CEPTOAR-Council; CEPTOAR (Sector A, Sector B, Sector C, Sector D, ...); Flow of information; Strengthening measures at ordinary times; Reflecting the analysis results; Comprehensive inspections and improvements; Improving IT-malfunctions response capabilities]
Framework of Critical Infrastructure Measures
~Promotion through Organic Coordination of Four Measures~
Action Plan on Information Security Measures for Critical Infrastructures
(Adopted by the ISPC on Dec. 13, 2005)
[Four policies]
1. “Safety Standards, Guidelines, etc.”
2. Information sharing framework
3. Analysis of interdependence
4. Cross-sector exercises
[Threats covered]
- Cyber attacks
- IT-malfunctions (unintentional factors)
- IT-malfunctions (disasters)
Realization of more solid and truly dependable IT infrastructures in critical infrastructures through the organic coordination of four measures
Yearly improvement in a spiral manner (Plan, Do, Check, Act)
[Objectives]
The central government will make efforts aiming to reduce the number of occurrences of IT-malfunctions in critical infrastructures as close as possible to zero by the beginning of FY2009
Thank you!
Contact Information
National Information Security Center (NISC)
Cabinet Secretariat, Government of Japan
URL: http://www.nisc.go.jp/
Contact Person: Masayuki OGATA, Mr.
e-Mail: [email protected]