Published by Cameron Owens, modified over 9 years ago
Realizing a World-Class “Highly Reliable Society”
November 25, 2004
Yutaka Hayami
Director, Office of IT Security Policy
Ministry of Economy, Trade and Industry (METI), JAPAN
Contents
- Background
- Comprehensive Strategy on Information Security
- METI Cyber-Security Policy
  – Improving Security Technology
  – Improving Security Management
  – Information Security Early Warning Partnership
  – Critical Infrastructure Protection
- Closing
Background
Background (diagram): evolution of information systems and of the direction of IT security, 1950 to 2000
- Systems: exclusive systems; big, host types; C/S types; PC, Internet; broadband
- Users: government; banking, transportation, energy sectors; large enterprises; small/medium enterprises; personal use
- Role of information systems: national security and calculation use; reliability of systems; economic infrastructure; efficient work style and competitiveness; e-commerce; lifelines for society, economy, and daily life
- Direction of IT security: protection of military data; availability for critical infrastructure; availability for IT systems in corporations; network security for e-commerce; security for e-government; safe/reliable society
Background: attacks targeting vulnerabilities happen more and more rapidly

Vulnerability   Release of vulnerability information and remedy   (interval)   Appearance of exploit code   (interval)   Attack day of virus, etc.
MS02-039        2002/7/29                                         2 months     2002/9/25                    4 months     2003/1/25 (SQL Slammer)
MS03-026        2003/7/17                                         10 days      2003/7/27                    16 days      2003/8/12 (Blaster)
MS03-039        2003/9/11                                         4 days       2003/9/15                    5 months     2004/2/11 (Welchia.B)
MS03-043        2003/10/16                                        3 days       2003/10/19                   ??
MS03-049        2003/11/12                                        1 day        2003/11/13                   2 months     2004/2/11 (Welchia.B)
MS04-007        2004/2/11                                         3 days       2004/2/14                    ??
MS04-011        2004/4/14                                         11 days      2004/4/25                    6 days       2004/5/1 (Sasser)
Background (chart): Number of Virus Reports, 1998 to 2004 (through August); vertical axis 0 to 30,000; annotated peaks “Blaster, etc.” and “Sasser, Netsky, etc.” [Source: Information-Technology Promotion Agency, Japan (IPA)]
Background (chart): Number of Unauthorized Access Reports (through September) [Source: Japan Computer Emergency Response Team Coordination Center (JPCERT/CC)]
Background
- In recent years, IT has developed rapidly and diffused widely.
- The economy and society are highly dependent on IT systems, which are becoming increasingly complex, global, and interdependent.
- IT has already become the “nervous system” of the economy and society.
- “IT incidents will inevitably occur.” We need to make extensive efforts: (1) to prevent IT incidents, (2) to keep damage to a minimum, and (3) to implement immediate recovery measures.
Comprehensive Strategy on Information Security
Where does it come from?
- June 2003: “Information Security Committee” established under the Industrial Structure Council (METI’s advisory council), and began discussions on realizing a “Highly Reliable Society.”
- October 2003: Information Security Committee concluded its “Comprehensive Strategy on Information Security.”
“Comprehensive Strategy on Information Security”
Basic goal: Development of a world-class “Highly Reliable Society”
- Strategy 1: Development of a self-recoverable “social system prepared for accident/incident occurrences” (assurance of outstanding recoverability and localization of damage)
  – Reinforcement of preventive measures
  – Exhaustive reinforcement of measures to address accidents/incidents
- Strategy 2: Public-sector action aimed at taking advantage of “high reliability” as a strength
- Strategy 3: Coordinated action to empower the Cabinet Office
Relationship between Past and Future Measures (matrix diagram)
Segments: national/local governments; critical infrastructure; businesses and private individuals.
- Preventive measures (Strategy 1(1)): existing preventive measures are enriched and reinforced, i.e. reinforcement of the preventive measures of national/local governments and key infrastructures, plus new preventive measures for businesses and private individuals.
- Measures to address accidents/incidents (Strategy 1(2)): exhaustive reinforcement of measures to prevent “impending accidents” in national/local governments and key infrastructures, and likewise for businesses and private individuals.
- Foundation for general support (Strategy 2): reinforcement of the foundation supporting the entire nation from the national-interest perspective.
METI Cyber-Security Policy -Overview-
METI Cyber-Security Policy (overview)
Goal: development of a world-class “highly reliable society”: (1) prevent IT incidents, (2) keep damage to a minimum, and (3) implement immediate recovery measures.
Normal status → emergency status (computer viruses, unauthorized access, DoS attack, …)
1. Improving Security Technology
  – ISO/IEC 15408 (IT Security Evaluation)
  – Cryptography Evaluation & PKI
  – R&D
2. Improving Security Management
  – Conformity Assessment Scheme for Information Security Management System (ISMS)
  – Information Security Audit
  – Promotion of IT Security Governance within companies
3. Information Security Early Warning Partnership
  – (1) Incident Response, (2) Traffic Monitoring, and (3) Vulnerability Handling
4. Critical Infrastructure Protection
  – Information Security Measures in the Electricity Sector: plan to execute a cyber-exercise to prevent cyber-terrorism in the electricity sector
Improving Security Technology
Security Technology
- ISO/IEC 15408 IT Security Evaluation/Certification scheme
  – Member of CCRA since October 2003
  – Recommendation of evaluated/certified products for gov’t procurement
- Cryptography Research and Evaluation Committees (CRYPTREC)
  – Maintain a list of recommended cryptographic algorithms for gov’t procurement
  – Discuss a CMVP scheme (Cryptographic Module Validation Program)
- PKI (Public Key Infrastructure), etc.
  – Verification experiments on actual services
  – Study of an authentication gateway
- R&D
  – Next-generation technology (forecasting incidents, new access control methods, etc.)
Improving Security Management
ISMS Conformity Assessment Scheme
(ISMS: Information Security Management System; JIPDEC: Japan Information Processing Development Corporation)
- Promotes continuous improvement of the information security management of organizations
- Based on ISO/IEC 17799:2000 and BS 7799-2
- JIPDEC began the Conformity Assessment Scheme in April 2002
- Certified organizations: 522 (as of 5 October 2004)
IT Security Audits
- Independent auditors audit the IT security measures in a company.
- Standards are prescribed objectively.
- IT security audits have two types of evaluation: assurance and suggestion.
- Started in April 2003.
- JASA (Japan Association of Security Audits) will provide qualified auditors to maintain the high quality of audits.
Diagram: the auditor, applying the Information Security Management Standard and the Information Security Audit Standard, issues an audit report on the auditee (national government, local government, companies). An assurance-type report builds trust with clients, customers and the general public; a suggestion-type report leads to improved IT security measures.
IT security standards (METI’s notice)
- Information Security Management Standards: standards which include management items and details on the improvement process, applied when auditors perform audits.
- Information Security Audit Standards: standards which prescribe rules for auditors, such as independence, evaluation of audit trails, and so on.
- Although they are not legal rules like those for financial accounting audits, METI provides “standards,” which help promote the reliability of audit results. These standards facilitate the accumulation of IT security audit practice and help clarify legal responsibilities.
Information Security Governance
“To develop and promote a coherent governance framework to drive implementation of effective information security programs” (Corporate Governance Task Force Report, April 2004)
- The Committee of Information Security Governance at METI (established September 2004)
  – Goal: to promote information security governance within corporate management
  – Measures (under discussion):
    - IT security benchmarks for effective security investment by CIOs/CEOs
    - A guideline for Business Continuity Plans to prevent security incidents/unauthorized access
    - An appropriate format for Information Security Reports to stakeholders, etc.
Information Security Early Warning Partnership
Information Security Early Warning Partnership
METI has responded to security breaches in cooperation with IPA & JPCERT/CC since 1990. However, exploit code now comes out in a shorter time after disclosure of vulnerability information than before. Therefore, just keeping the damage to a minimum is not enough; damage needs to be prevented proactively.
(1) Incident Response: computer virus and unauthorized access reports (begun in the 1990s). Gather information about damage caused by computer viruses, and announce it to the public right after the incident. Keep damage to a minimum.
(2) Traffic Monitoring (begun in 2003): grasp the current situation by observing traffic on the Internet, and detect trouble on a network at the same time.
(3) Vulnerability Handling Framework (begun in July 2004).
Outline of the Partnership (diagram)
- A discoverer reports a vulnerability to the receiving organization (IPA), which also acts as the analyzing organization.
- Software products: IPA passes the report to the coordinating organization (JPCERT/CC), which coordinates with vendors, system integrators and foreign CERTs; vendor status is published on the portal site JVN (JP Vendor Status Notes), and users (governments, companies, individuals) are notified.
- Web applications: IPA notifies the website operation manager; publicity is given only when personal data has leaked.
- SPREAD is coordinated with for publicity.
Critical Infrastructure Protection
Information Security Measures in the Electricity Sector
The Federation of Electric Power Companies (FEPC) and the Central Research Institute of the Electric Power Industry (CRIEPI) will conduct simulated cyber-attacks on the information systems of electric companies starting in November 2004.
- Construct a model office network system including interfaces with control systems for electric power plants.
- Create scenarios of attacks on the model system.
- Try to access the model system according to the scenarios to see whether the interface with the control systems can be reached.
- Accumulate expertise to protect electric power infrastructure systems.