Presentation is loading. Please wait.

Presentation is loading. Please wait.

METI Realizing a World-Class “Highly Reliable Society” November 25, 2004 Yutaka Hayami Director, Office of IT Security Policy Ministry of Economy, Trade.

Published byCameron Owens Modified over 8 years ago

Similar presentations

Presentation on theme: "METI Realizing a World-Class “Highly Reliable Society” November 25, 2004 Yutaka Hayami Director, Office of IT Security Policy Ministry of Economy, Trade."— Presentation transcript:

1 METI Realizing a World-Class “Highly Reliable Society” November 25, 2004 Yutaka Hayami Director, Office of IT Security Policy Ministry of Economy, Trade and Industry (METI) JAPAN

2 METI 1 Contents Background Comprehensive Strategy on Information Security METI Cyber-Security Policy –Improving Security Technology –Improving Security Management –Information Security Early Warning Partnership –Critical Infrastructure Protection Closing

3 METI Background

4 3 Background Efficient work style, competitiveness 2000 Users National security, calculation use Reliability of systems E-commerce Economic infrastructure Lifelines for society, economy, and daily life Exclusive systemsBig, host typesC/S typesPC, InternetBroadband Government Banking, transportation, energy sectors Large enterprises Small/medium enterprises Personal use Role of information systems Direction of IT security Protection of military data. Availability for critical infrastructure Availability for IT systems in corporations Network security for e-commerce Security for e-government Safe/reliable society 1950

5 METI 4 # of Vulnerability Release of vulnerability information and remedy Appearance of Exploit Code Attack day of virus, etc. MS02-039 2002/7/292 months2002/9/25 4 months 2003/1/25 SQL Slammer MS03-026 2003/7/1710 days2003/7/2716 days 2003/8/12 Blaster MS03-039 2003/9/114 days2003/9/15 5 months 2004/2/11 Welchia.B MS03-043 2003/10/163 days2003/10/19 ?? MS03-049 2003/11/121 day2003/11/13 2 months 2004/2/11 Welchia.B MS04-007 2004/2/113 days2004/2/14 ?? MS04-011 2004/4/1411 days2004/4/256 days 2004/5/1 Sasser  Attacks targeting vulnerabilities happen more and more rapidly. Background

6 METI 5 Background 【 Source: Information-Technology Promotion Agency, Japan ( IPA )】 0 5,00 0 10,00 0 15,00 0 20,00 0 25,00 0 19981999200020012002 2003 2004 ( through August ) 30,00 0 Number of Virus Reports Sasser, Netsky, etc. Blaster, etc.

7 METI 6 Background 【 Source: Japan Computer Emergency Response Team Coordination Center ( JPCERT/CC )】 ( through September ) Number of Unauthorized Access Reports

8 METI 7 Background In recent years, IT has developed rapidly and diffused widely. The economy and society are highly dependent on IT systems, which are becoming increasingly complex, global, and interdependent. “nervous system” IT has already become the “nervous system” of the economy and society. We need to make extensive efforts: (1)to prevent IT incidents (2)to keep damage to a minimum (3)to implement immediate recovery measures “IT incidents will inevitably occur”

9 METI Comprehensive Strategy on Information Security

10 METI 9 Where does it come from? 【 June 2003 】  “Information Security Committee” established under Industrial Structure Council (METI’s Advisory Council), and began discussions on realizing a “Highly Reliable Society.” 【 October 2003 】  Information Security Committee concluded its “Comprehensive Strategy on Information Security.”

11 METI 10 “Comprehensive Strategy on Information Security” Basic Goal: Development of world-class “Highly Reliable Society”  Strategy 1: Development of self-recoverable “social system prepared for accident/incident occurrences" (assurance of outstanding recoverability and localization of damage)  Reinforcement of preventive measures  Exhaustive reinforcement of measures to address accidents/incidents  Strategy 2: Public-sector action aimed at taking advantage of "High Reliability" as strength  Strategy 3: Coordinated action to empower the Cabinet Office Basic goal: Development of world-class “highly reliable society” Strategy 1 Development of self-recoverable “social system prepared for accident/incident occurrences” ( assurance of outstanding recoverability & localization of damage ) Strategy 2 Public-sector action aimed at taking advantage of “high reliability” as strength Strategy 3 Coordinated action to empower Cabinet Office

12 METI 11 Relationship between Past and Future Measures Preventive measures Measures to address accidents/ incidents Foundation for general support National/local governments Critical infrastructure Businesses and private individuals Existing preventive measures Reinforcement of foundation supporting entire nation from the national-interest perspective Exhaustive reinforcement of measures to prevent “impending accidents” in national/local govts. and key infrastructures New preventive measures for businesses and private individuals Reinforcement of preventive measures of international/local governments and key infrastructures Exhaustive reinforcement of measures to prevent “impending accidents” for business and private individuals Enrichment and reinforcement Strategy 1(1) Strategy 1(2) Strategy 2 Segments

13 METI METI Cyber-Security Policy -Overview-

14 METI 13 Normal Status Emergency Status Computer Viruses, Unauthorized Access, DoS Attack… METI Cyber-Security Policy 4. Critical Infrastructure Protection  Information Security Measures in the Electricity Sector Plan to execute a cyber-exercise to prevent cyber-terrorism in the electricity sector. 2. Improving Security Management  Conformity Assessment Scheme for Information Security Management System (ISMS)  Information Security Audit  Promotion of IT Security Governance within companies 1. Improving Security Technology  ISO/IEC15408 (IT Security Evaluation)  Cryptography Evaluation & PKI  R&D 3. Information Security Early Warning Partnership (1) Incident Response, (2) Traffic Monitoring, and (3) Vulnerability Handling Development of a world-class “highly reliable society” (1) Prevent IT incidents (2) keep damage to a minimum, and (3) implement immediate recovery measures

15 METI Improving Security Technology

16 METI 15 Security Technology ISO/IEC 15408 IT Security Evaluation/Certification scheme –Member of CCRA since October 2003 –Recommendation of evaluated/certified products for gov’t procurement Cryptography Research and Evaluation Committees (CRYPTREC) –Maintain a list of recommended cryptographic algorithms for gov’t procurement. –Discuss CMVP scheme (Cryptographic Module Validation Program) PKI (Public Key Infrastructure), etc. –Verification experiments on actual services –Study of authentication gateway R&D –Next-generation technology (forecasting incidents, new access control methods, etc.)

17 METI Improving Security Management

18 METI 17 ISMS Conformity Assessment Scheme ISMS: Information Security Management System JIPDEC: Japan Information Processing Development Corporation Promotes continuous improvement to information security management of organizations Based on ISO/IEC 17799:2000 and BS 7799-2 JIPDEC began Conformity Assessment Scheme in April 2002 Certified organizations: 522 (as of 5 October 2004)

19 METI 18 IT Security Audits Independent auditors audit IT security measures in a company. Standards are prescribed objectively. IT security audits have two types of evaluation: assurance and suggestion. Started in April 2003. JASA (Japan Association of Security Audits) will provide qualified auditors to maintain high quality of audits. Auditor Audit report Info Security Mgmt. Std. Info Security Audit Std. Assurance Auditees (natl. govt., local govt., companies) Clients Customers General Public Trust Improvements Improved IT security measures Suggestion Standards

20 METI 19 IT security standards (METI’s notice)  Standards which include management items and details on the improvement process when auditors perform audit. Information Security Management Standards  Standards which prescribe rules for auditors such as independence, evaluation of audit trails, and so on. Information Security Audit Standards Although they are not legal rules like audits for financial accounting, METI provides “standards,” which help promote the reliability of audit results. These standards facilitate accumulation of IT security audit practices, and help clarify legal responsibilities.

21 METI 20 Information Security Governance “To develop and promote a coherent governance framework to drive implementation of effective information security programs” (Corporate Governance Task Force Report, April 2004) The Committee of Information Security Governance at METI (established September 2004) –Goal: To promote information security governance within corporate management –Measures (under discussion): IT security benchmarks for effective security investment by CIOs/CEOs A guideline for Business Continuity Plan to prevent security incidents/unauthorized access An appropriate format for Information Security Report to stakeholders etc.

22 METI Information Security Early Warning Partnership

23 METI 22 Information Security Early Warning Partnership METI has responded to security breaches in cooperation with IPA & JPCERT/cc since 1990. However, Exploit Codes come out in a shorter time after disclosure of vulnerability information than before. Therefore, just keeping the damage to a minimum is not enough. (1) Incident Response: Computer viruses and unauthorized access reports (begun in 1990s) Keep damage to a minimum Need to prevent damage proactively (2) Traffic Monitoring (begun in 2003) Gather information about damage caused by computer viruses, and announce it to the public right after the incident Grasp the current situation by observing traffic on the Internet, and detecting trouble on a network simultaneously (3) Vulnerability Handling Framework (begun in July 2004) Information Security Early Warning Partnership

24 METI 23 Outline of the Partnership Reporting ReceivingOrganization Discoverer (JPCERT/CC) CoordinatingOrganizations Notification Users [Web Applications] Reporting Notification [Software Products] Vendors Coordination Website Operation Manager Foreign CERTs SystemIntegrators Coordinate SPREAD Publicity Portal Site (JPN: JP Vendor Status Notes) Publicity* (IPA) (IPA) Analysis AnalyzingOrganization - Governments - Companies - Individuals *: When personal data has leaked.

25 METI Critical Infrastructure Protection

26 METI 25 Information Security Measures in Electricity Sector The Federation of Electric Power Companies (FEPC) and the Central Research Institute of the Electric Power Industry (CRIEPI) will conduct simulated cyber-attacks on the information systems of electric companies starting in November 2004.  Construct a model office network system including interfaces with control systems for electric power plants.  Create scenarios of attacks on the model system.  Try to access the model system to see whether the interface with the control systems can be reached, according to the scenarios.  Accumulate expertise to protect electric power infrastructure systems.  Construct a model office network system including interfaces with control systems for electric power plants.  Create scenarios of attacks on the model system.  Try to access the model system to see whether the interface with the control systems can be reached, according to the scenarios.  Accumulate expertise to protect electric power infrastructure systems.

Download ppt "METI Realizing a World-Class “Highly Reliable Society” November 25, 2004 Yutaka Hayami Director, Office of IT Security Policy Ministry of Economy, Trade."

Similar presentations

Copyright © 2014 American Water Works Association Water Sector Approach to Process Control System Security.

Copyright © 2014 American Water Works Association Water Sector Approach to Process Control System Security.
Jinhyun CHO Senior Researcher Korea Internet and Security Agency.

Jinhyun CHO Senior Researcher Korea Internet and Security Agency.
SAFE Blueprint and the Security Ecosystem. 2 Chapter Topics  SAFE Blueprint Overview  Achieving the Balance  Defining Customer Expectations  Design.

SAFE Blueprint and the Security Ecosystem. 2 Chapter Topics  SAFE Blueprint Overview  Achieving the Balance  Defining Customer Expectations  Design.
1 WebTrust for Certification Authorities (CAs) Overview October 2011 WebTrust for Certification Authorities (CAs) Overview October 2011 Presentation based.

1 WebTrust for Certification Authorities (CAs) Overview October 2011 WebTrust for Certification Authorities (CAs) Overview October 2011 Presentation based.
DHS, National Cyber Security Division Overview

DHS, National Cyber Security Division Overview
Submitted by- Mr. Avinash Sadaphule 20 November 2009 Management Trainee, MKCL.

Submitted by- Mr. Avinash Sadaphule 20 November 2009 Management Trainee, MKCL.
CIAO.0209 - July 99 - 1 Critical Infrastructure Assurance Office Protecting America’s Cyberspace: Version 1.0 of the National Plan Jeffrey Hunker National.

CIAO July Critical Infrastructure Assurance Office Protecting America’s Cyberspace: Version 1.0 of the National Plan Jeffrey Hunker National.
The Islamic University of Gaza

The Islamic University of Gaza
SECR 5140-FL Critical Infrastructure Protection Dr. Barry S. Hess Spring 2 Semester Week 3: 1 April 2006.

SECR 5140-FL Critical Infrastructure Protection Dr. Barry S. Hess Spring 2 Semester Week 3: 1 April 2006.
Trusted Internet Connections. Background Pervasive and sustained cyber attacks against the United States continue to pose a potentially devastating impact.

Trusted Internet Connections. Background Pervasive and sustained cyber attacks against the United States continue to pose a potentially devastating impact.
Centers for IBM e-Business Innovation :: Chicago © 2005 IBM Corporation IBM Project October 2005.

Centers for IBM e-Business Innovation :: Chicago © 2005 IBM Corporation IBM Project October 2005.
(Geneva, Switzerland, September 2014)

(Geneva, Switzerland, September 2014)
National CIRT - Montenegro “Regional Development Forum” Bucharest, April 2015 Ministry for Information Society and Telecommunications.

National CIRT - Montenegro “Regional Development Forum” Bucharest, April 2015 Ministry for Information Society and Telecommunications.
Standards for Shared ICT Jeju, 13 – 16 May 2013 Gale Lightfoot Senior Staff Program Manager, Office of the CTO, SPB Cisco ATIS Cybersecurity Standards.

Standards for Shared ICT Jeju, 13 – 16 May 2013 Gale Lightfoot Senior Staff Program Manager, Office of the CTO, SPB Cisco ATIS Cybersecurity Standards.
Website Hardening HUIT IT Security | Sep 30 2011.

Website Hardening HUIT IT Security | Sep
Internal Auditing and Outsourcing

Internal Auditing and Outsourcing
Resiliency Rules: 7 Steps for Critical Infrastructure Protection.

Resiliency Rules: 7 Steps for Critical Infrastructure Protection.
1 2003-05-19 Experiences from establishing a national Centre for Information Security in Norway TERENA Networking Conference 2003 Maria Bartnes Dahl &

Experiences from establishing a national Centre for Information Security in Norway TERENA Networking Conference 2003 Maria Bartnes Dahl &
IT Security Policy in Japan 23 September 2002 Office of IT Security Policy Ministry of Economy, Trade and Industry JAPAN.

IT Security Policy in Japan 23 September 2002 Office of IT Security Policy Ministry of Economy, Trade and Industry JAPAN.
BCP of Japanese Securities Industry July 5, 2007 Japan Securities Clearing Corporation.

BCP of Japanese Securities Industry July 5, 2007 Japan Securities Clearing Corporation.

Similar presentations

Ads by Google