Japanese Government’s Efforts to Address Information Security Issues
October, 2007
National Information Security Center (NISC)
http://www.nisc.go.jp/eng/
Copyright (c) 2007 National Information Security Center (NISC). All Rights Reserved.
The issue of Cyber attack
Cyber attack is “electric attack to Critical Infrastructures using information communications networks and information system”
“Inter-ministry coordination” and “Government Private Partnership” are needed to improve preparedness and response and recovery capability for large cyber attacks
Brief history of Information security policy framework
[Timeline figure, 1999 to 2007]
Phases: Developing Policy Framework; Restructuring Organizations; Restructuring Phase; Implementation 1st Phase; Implementation 2nd Phase
Events: Defacing Web site of Government; 911; Blaster Worm
Organization: Cabinet Secretariat IT Security Office; 1. National Information Security Center; 2. Information Security Policy Council
Major policies: Information Security Policy Guidelines; Special Action Plan on Countermeasures to cyber-terrorism for Critical Infrastructures; Standards for Information Security Measures for the Central Government Computer Systems; Action Plan on Information Security Measures for Critical Infrastructures; The First National Strategy on Information Security
Dates marked on the timeline: 2000.01, 2000.02, 2000.07, 2000.12, 2001.09, 2003.08, 2005.04, 2005.05, 2005.12, 2006.02
Establishment of the ‘Information Security Policy Council (ISPC)’ and the ‘National Information Security Center (NISC)’
The National Information Security Center (NISC) was established on April 25, 2005 based on the decision under the IT Strategic Headquarters on December 7, 2004
Information Security Policy Council (ISPC) was set up in IT Strategic Headquarters on May 30, 2005
NISC serves as a coordinator of cross-departmental information security issues
NISC consists of both government officials from related ministries and agencies, and experts from the private sector
Organizational Transition of staff in Cabinet Secretariat
Est. Feb 2000: 8 persons
July 2004: 18
Apr 2006: 52
Aug 2007: 63
Notes on the chart: Set up ‘IT Security Office’ in Cabinet Secretariat; NISC set up in April 2005
Information Security Policy Council (ISPC) & National Information Security Center (NISC)
- Based on “Review of the Role and Functions of the Government in terms of Measures to Address Information Security Issues (decided by the IT Strategic Headquarters on December 7, 2004),” the government is developing essential functions and frameworks toward strengthening its core functions to address information security issues.
[Organization diagram]
IT Strategic Headquarters
Information Security Policy Council (ISPC)
National Information Security Center (NISC)
Cabinet Secretariat
* NISC is in Cabinet Secretariat
Decision on fundamental matters such as basic strategy for information security
Gather experts from the public and private sectors
(1) Formulate basic strategies for information security measures
(2) Promote comprehensive measures taken by central governments
(3) Help each central government agency deal with individual incidents
(4) Information security measures for critical infrastructures
- Centralize information exchange and cooperate with foreign countries
- Build international confidence
Central government agencies concerning information security: Ministry of Internal Affairs and Communications; National Police Agency; Ministry of Economy, Trade and Industry; Ministry of Defense
Agencies overseeing critical infrastructure: Ministry of Land, Infrastructure and Transport; Financial Services Agency; Ministry of Economy, Trade and Industry; Ministry of Internal Affairs and Communications; Ministry of Health, Labour and Welfare
Governmental Agencies; Critical Infrastructures; Businesses; Individuals
Structure and Functions of NISC
[Organization chart]
Director of NISC (Assistant Chief Cabinet Secretary)
Deputy Director of NISC
Deputy Director of NISC
Advisor on Information Security
Functions: Development of Fundamental Strategy; International Strategy; Comprehensive measures for governmental agencies; Development of Response Capability; Critical Information Infrastructure Protection
Counterparts: Foreign Organizations; Governmental Agencies; Critical Infrastructures; Businesses; Individuals
Overall Picture of “The First National Strategy on Information Security”
Basic principles
1. Information security for providing the introduction of Japan as an economic state
2. Information security for more safe, secure, and better lives for the people
3. Information security from a new perspective of ensuring national security
A quarter of Japan’s economic base and commercial transactions depends on IT.
Japan is the world’s largest broadband communication power with 80 million Internet users.
There is a growing need for safety and security measures including disaster control manners.
It is necessary to recognize both new threats to national security regarding IT and strength of Japan.
<Points to be realized>
Goals
To make Japan an “information security advanced nation”
Establish a “new public-private partnership model” in which both public and private play their roles appropriately
Primary goal to be achieved in the next three years
“The First National Strategy on Information Security”
Role
- Central and local governments: Giving “Best Practice” for information security measures
- Critical infrastructures: Ensuring stable supply of their services as the basis of people’s social lives and economic activities
- Businesses: Implementing information security measures so as to be highly regarded by the market
- Individuals: Raising awareness as main players of IT society
[Sectoral Plan]
- Standards for Measures
- Critical Infrastructures Action Plan
- Measures promoted by Ministries and Agencies
Priority policies for 2006-2008 (cross-sectoral issues)
- Promoting information security technology strategy
- Developing human resources
- Promoting international cooperation and collaboration
- Crime control and protection/remedial measures for rights and interests
Overall Picture of Milestones in the FY 2006 - 2008
Take measures for government agencies
Take measures for critical infrastructures
Formulate cross-sectoral information security infrastructure
for businesses and individuals
Achieve continuous improvement according to the overall plan
- Through combination of the “overall process schedule” (National Strategy) and the “sectoral plan,” the government aims to develop Japan into an “information security advanced nation,” with clearly identified milestones to be achieved in each fiscal year.
FY2006 FY2007 FY2008
[Businesses] All public companies should take appropriate measures depending on risk.
[Individual] The number of “individuals who feel insecure about IT use” as close as possible to zero.
[Central Government] All government agencies should take measures according to the “Standards for Measures”
[Critical Infrastructure] The number of IT-malfunctions should be reduced as close as possible to zero.
Central government agencies
Standards for Information Security Measures for the Central Government Computer Systems
○ To achieve sectoral plan for raising the information security level of the whole government, the government formulates the “Standards for Information Security Measures for the Central Government Computer Systems”
○ Each government agency implements measures according to the Standards for Measures, and the National Information Security Center (NISC) inspects and evaluates the implementation status at the central offices. The Information Security Policy Council (ISPC) makes recommendations for improvement based on the inspection/evaluation results.
[Figure: Plan-Do-Check-Act cycles]
Information Security Policy Council (ISPC): Make recommendations
National Information Security Center (NISC): Inspect and evaluate the implementation status
・ Review standards of government agency according to the Standards for Measures
Other labels: Standards for Measures; Recommendations for improvement
Framework of Information Security Measures of the Government
Policies of central government
- Policy for Enhancement of Information Security Measures for the Central Government Computer Systems
- Guidelines for Formulation and Implementation of Standards for Measures
- Standards for Measures
- Set of individual manuals (Provided by the NISC)
Each Government agency: Policies of the government agency
- Basic policies of the government agency
- Standards for measures implemented by the government agency
- Operation procedures by the government agency
Formulating the “standards of the government agency” completed by all government agencies in April, 2006.
Implementation framework
To be established by around the end of the first quarter of FY2006 so that self-inspection can get started from the second quarter.
Critical Infrastructures Action Plan
- The Action Plan aims to protect critical infrastructures from (1) cyber attacks but also from (2) suspended services and reduced function caused by dysfunction of IT arising from unintentional factors and (3) those arising from disasters (IT-malfunctions).
New framework to be built under the Action Plan (supported by the four policies)
[Diagram labels: Government; CEPTOAR-Council; CEPTOAR; Sector A, Sector B, Sector C, Sector D, ...; Flow of information; Reflecting the analysis results; Strengthening measures at ordinary times; Improving IT-malfunctions response capabilities; Comprehensive inspections and improvements]
1. Safety Standards, Guidelines, etc.
2. Information sharing frameworks
3. Analyses of interdependency
4. Cross-sectoral exercises
10 Sectors
- Telecommunications
- Finance
- Civil aviation
- Railways
- Electricity
- Gas
- Administrative services
- Medical services
- Water works
- Logistics
Framework of Critical Infrastructure Measures ~ Promotion through Organic Coordination of Four Measures ~
Action Plan on Information Security Measures for Critical Infrastructures (Adopted by the ISPC on Dec. 13, 2005)
[Objectives] The central government will make efforts aiming to reduce the number of occurrence of IT-malfunctions in critical infrastructures as close as possible to zero by the beginning of FY2009
Cyber attacks; IT-malfunctions (unintentional factors); IT-malfunctions (disasters)
[Four policies]
1. “Safety Standards, Guidelines, etc.”
2. Information sharing framework
3. Analysis of interdependence
4. Cross-sector exercises
Realization of more solid and truly dependable IT infrastructures in critical infrastructures through the organic coordination of four measures
[Figure: Plan-Do-Check-Act cycle] Yearly improvement in a spiral manner
Thank you!
Contact Information National Information Security Center (NISC)
Cabinet Secretariat, Government of Japan
URL: http://www.nisc.go.jp/
Contact Person: Masayuki OGATA, Mr.
e-Mail: [email protected]