Slide 1 - NECTEC

Seminar on Information Security Technologies
e-Government in Japan
From the view points of
its strategy and security
19 November 2003
at Science Park, Pathumthani, Thailand
Nagatani Mitsuyuki
CICC
All rights reserved Copyright © CICC 2003
Contents
1 Two viewpoints of e-Gov. in Japan
2 e-Government
3 e-Japan / e-Japan II
4 Information Security Management
1 Two viewpoints of e-Gov. in Japan
(1) Japan’s Challenge
a) Japan’s rank on e-Gov. survey 2003
b) Strategies
e-Japan strategy / e-Japan strategy II
(2) Security
c) Information Security Management
Information Security Management
System (ISMS)
d) Biometrics
1. Japan's Challenge
E-Gov. surveys
UN World Public Sector Report 2003: E-Government at the Crossroads (4 Nov. 2003)
UN Global E-government Survey 2003
- About 91% of UN member states are offering Internet services
- E-Readiness (top ranks): US, SE, AU, DK, UK (GB), CA, NO, CH, DE, FI
- E-Participation (top ranks): UK (GB), US, CA, CL, EE, NZ, PH, FR, NL, AU, MX
Source: United Nations
a) Japan's rank on E-Gov. surveys - 2003
- 15th: Accenture (researched in 22 selected economies in April 2003)
- 18th: United Nations (readiness), among 191 UN member states in November 2003
b) Strategies
e-Japan Strategy (Jan. 2001): improvement of the ICT infrastructure
- Make Japan the world's most advanced IT nation by 2005
Reviewed and revised into:
e-Japan Strategy II (July 2003): expanded IT utilization
- Maintain the position of the most advanced IT nation in the world
2. Security
Attacks
Threats reaching your site over the Internet: DoS, ID fraud, eavesdropping, viruses, payment acceptance (fraud), unauthorized access, natural disaster
Countermeasures at your site: cryptography (encryption, authentication, certification, electronic signature), firewall (proxy), virus checker, file back-up, outsourcing
The Internet is an open public network, which means anyone can access it.
One of the most serious problems in using the Internet is attacks.
Number of incidents reported worldwide by attack
(Chart: incidents per year from 1990 to 2003 (1st-3rd quarters), on a scale of 0 to 110,000; as of Oct. 2003. Source: CERT)
Once your system has received an attack:
- You lose social confidence
- Financial damage for rebuilding the system
- Damage is also done to third parties (your system is used as a stepping stone)
Security Infrastructure
Required functions: protect from security threats such as illegal modification, tapping, repudiation, masquerade, leak of privacy information, . . .
Software technologies
- Virtual Private Network
- Encryption algorithm
- Settlement protocol
- Visual authentication: watermark, Internet marks, electronic stamps
- Cryptographic programming library
- Biometrics
System technologies
- Monitoring
- Firewall
- Certification Authority (CA)
- PKI
- Security policy
Hardware technologies
- Smartcard
- Cryptographic equipment
- Biometric equipment
c) Information Security Management
- Ensuring security is one of the five priority areas of the e-Japan strategy / e-Japan strategy II
- Information Security Management System
BS7799-1 (ISO/IEC 17799:2000)
BS7799-2:2002
ISMS Ver.2.0 (April 2003, Japan)
d) Biometrics
From 26 Oct. 2004 the US government will require foreigners entering the country to hold biometric-capable passports or to obtain visas
- The Enhanced Border Security and Visa Entry Reform Act 2002
- The Homeland Security Act of 2002 (US Department of Homeland Security)
US-VISIT Program (beginning in 2004)
(U.S. Visitor and Immigrant Status Indicator Technology)
CAPPS II
(Computer Assisted Passenger Prescreening System II)
Popular biometric methods
- Eye: iris
- Finger: fingerprint, finger vein
- Hand: hand shape, signature
- Face: face shape
- Voice: voice
2 e-Government
Concept of e-Government
- State government (ministries / agencies) and local governments, connected to each other (G2G)
- Functions of e-Government: information disclosure, settlement, certification (to corporations and to individuals), applications, e-procurement, notary, one-stop service, privacy protection
- Enterprises, financial companies, etc. (B2B) and citizens (B2C) reach these services through the Internet as a one-stop service
Steps to maturity of e-Government
The term "e-Government" was first used in the US government report "Reengineering Through Information Technology" in 1993, but the concept matured for administrative services in about 1995.
(Chart: dissociation between government and citizen, from high to low, against the years 1993, 1995, 2000, 2005, 2010)
Stages, in order:
- Efficiency improvement: remove the barrier among public administrations
- Information disclosure
- Serviceability improvement: remove the barrier between public administration and citizens; high-quality services of public administrations to citizens
- e-Democracy
Source: Hitachi Research Institute
Digitization of in-house administrative processes
- Non-digitized information such as papers (size, quality, thickness), drawings, pictures
- Use of the same terminology by state/local governments and agencies
- Government PKI
Information disclosure to citizens
- Such as offering administrative information to citizens through Internet home pages
Online applications for administrative services
- Citizens need not visit administrative counters for the service
- Administrative applications (Japanese government)
Number: more than 10 thousand
Volume: more than 1 trillion / year
Utilization of IT for government and citizens
- Seamless: 24 hours, 365 days, one stop, non stop
- Paperless: digital administration
- Disclosure: Internet portal, FOIA in the US
- Open: e-procurement
3 e-Japan / e-Japan II
Vision: make Japan the world's most advanced IT nation
Driving organization: IT Strategy Headquarters, established under the IT Basic Law (Basic Law on the Formation of an Advanced Information and Telecommunications Network Society, in force from Jan. 2001)
Priority policies:
- World's most advanced network
- Education and HRD
- e-Commerce
- Utilization of IT in the public sector
- Security and reliability
Strategy:
- Consolidation of IT infrastructures (e-Japan)
- Practical use of IT (e-Japan II)
Milestones
- Aug. 1994 Headquarters for Promotion of Advanced Information and Communications Society
- Dec. 1999 Millennium Project
- Jul. 2000 IT Strategy Headquarters
- Jan. 2001 e-Japan Strategy
- Mar. 2001 e-Japan Priority Policy Program
- Jun. 2002 e-Japan Priority Policy Program - 2002
- Jul. 2003 e-Japan Strategy II
- Aug. 2003 e-Japan Priority Policy Program - 2003
Targets:
- (e-Japan) by 2005: being the world's highest-level country
- (e-Japan II) from 2006: keeping up as the world's highest-level country
E-Government projects: establishment of the legal environment
- Aug. 1999 Law of the Basic Resident Registers amended
- Aug. 1999 Law on Prohibition of Unauthorized Access enacted
- Nov. 2000 Basic IT Law enacted
- Apr. 2001 Digital Signature law in force
- (Aug. 2002 Basic Resident Registry Network system started)
- Dec. 2002 Law on Signatures and Certification Services enforced
- Feb. 2003 Three laws related to administrative procedure enforced (about 52,000 procedures)
e-Japan Strategies, Policies and Programs
- Basic IT Strategy (27 Nov. 2000)
- e-Japan Strategy (22 Jan. 2001): make Japan the world's most advanced IT nation within 5 years by following 4 policies:
1) Building an ultra high-speed Internet network and providing constant Internet access at the earliest date possible
2) Establishing rules on electronic commerce
3) Realizing an electronic government
4) Nurturing high-quality human resources for the new era
- e-Japan Priority Policy Program (29 Mar. 2001)
- e-Japan Priority Policy Program - 2002 (26 Jun. 2002)
- e-Japan Strategy II (2 July 2003)
- e-Japan Priority Policy Program - 2003 (8 Aug. 2003)
Basic IT Strategy (27 Nov. 2000) and IT Basic Law (6 January 2001)
Aims:
1) Enable everyone to enjoy the benefits of IT
2) Reform the economic structure and strengthen industrial competitiveness
3) Realize an affluent national life and creative communities with vitality
4) Contribute to the formation of an advanced information and telecommunications network society on a global scale
Followed by: e-Japan Strategy (22 Jan. 2001), e-Japan Priority Policy Program (29 Mar. 2001), e-Japan Priority Policy Program - 2002 (26 Jun. 2002), e-Japan Strategy II (2 July 2003), e-Japan Priority Policy Program - 2003 (8 Aug. 2003)
Structure of e-Japan Priority Policy Program (2001)
5 Priority Policy Areas
1 Formation of the world's most advanced information & telecom networks
2 Promotion of education and development of human resources
3 Facilitation of e-commerce
4 Digitization of administration and application of IT in other public areas
5 Ensuring security and reliability on advanced information & telecommunication networks
Crosscutting Issues
1 Promotion of R&D
2 Improvement of the digital divide
3 Environment and other issues
4 International cooperation
Structure of e-Japan Priority Policy Program - 2003
5 Priority Policy Areas (210 measures)
1 Formation of the world's most advanced information & telecom networks
2 Promotion of education and development of human resources
3 Promotion of e-commerce
4 Promotion of full utilization of IT in the public sector
5 Ensuring of security and reliability on advanced information & telecommunications networks
Crosscutting Issues (59 measures)
1 Promotion of R&D
2 International cooperation and contribution
3 Improvement of the digital divide
4 Correspondence to the employment problem etc.
5 Measures for deepening the understanding of people
Structure of e-Japan Priority Policy Program - 2003
- Leading areas to accelerate practical use of IT (97 measures): Healthcare, Food, Life, Financing to SM Enterprises, Knowledge, Work / Labor, Public Administration
- 5 Priority Policy Areas (210 measures)
- Crosscutting Issues (59 measures)
Total: 366 measures
Based on a document of the Prime Minister's Office
Leading areas to accelerate practical use of IT
1. Healthcare / Medical treatment
Electronic patient chart, telemedicine, hospital administration
2. Food
Traceability of food distribution, IT in the food business, IT for the agricultural and fishing industries
3. Life
Taking care of human life in various areas, communication network for disasters or emergencies
4. Financing to Small-Medium Enterprises
Low-risk money loans, repayment scheme
5. Knowledge
e-Learning, competitive digital contents, digital archives
6. Work / Labor
Human resource development, telework, entrepreneurship
7. Public administration services
User-oriented administrative services; simple government with high budget efficiency
e-Japan Priority Policy Program - 2003
366 concrete priority strategies that the government has to implement rapidly and intensively
Make Japan the world's most advanced IT nation by 2005 and continue to be the world's most advanced IT nation after 2006
Phase 1: Consolidation of IT infrastructures (make Japan the world's most advanced IT nation by 2005)
- e-Japan Strategy (Jan. 2001)
- e-Japan Priority Policy Program (Mar. 2001): 5 priority policy areas, crosscutting issues
- e-Japan Priority Policy Program - 2002 (Jun. 2002): 5 priority policy areas, crosscutting issues
Phase 2: Practical use of IT (aiming at a healthy, safe, inspiring and convenient society)
- e-Japan Strategy II (Jul. 2003)
- Leading areas to accelerate (7 areas)
- Consolidation of infrastructures toward a new IT-rich society
Based on a document of the Prime Minister's Office
Some Examples of International Cooperation
IT Engineers Examination
The Government of Japan has agreed with 7 Asian countries (China, India, Korea, Philippines, Singapore, Thailand and Vietnam) on mutual recognition of the IT Engineers Examination.
Asia Open Source Software (OSS) Forum
Currently 18 Asian economies are participating in the Asia OSS Forum. The first forum was held in Phuket in Mar. 2003 and the second forum was held in Singapore in Nov. 2003.
Asia Public Key Infrastructure (PKI) Forum
The Asia PKI Forum was established in June 2001 with the purpose of promoting interoperability of PKI in Asia and Oceania and the use of PKI in e-Commerce.
4 Information Security Management
Security
Security has become a more serious topic nowadays
- Terrorist attacks in New York, the US, on Sept. 11 2001
- Hanshin earthquake in Kobe, Japan, on Jan. 17 1995
- A cable fire stopped computer system operation in the area
- Increase in cyber attacks
- How to secure the system from disasters
- How to protect the system from attack
If your system has a security hole, your system is no longer safe from a cracker's attack
What is Information Security
Confidentiality:
ensuring that information is accessible only to those authorized to have access
Integrity:
safeguarding the accuracy and completeness of information and processing methods
Availability:
ensuring that authorized users have access to information and associated assets when required
ISMS Guideline: JIPDEC
Security Policy
A security policy is a document that describes the direction and criteria of an organization's policy on information security management
Hierarchy: Security Policy -> Organization's standard of security measures -> Procedures, manuals
- An organizational basic rule for security measures
- Invested with binding power over the organization's members
- The rules depend on the organization's own policy (there is no common rule)
Security Policy development process
Requirements for the plan:
- What to protect from what
- User friendly
- Concrete idea
- Must be realistic
- Cost effective
Flow:
Start -> Planning the security policy -> Reviewing the plan -> Realistic? (No: back to planning; Yes: continue) -> Security policy at the physical, technical and operational levels -> Putting it into operation -> End
Security Management Cycle
PLAN
- Development of the security policy
- Definition of scope
- Information assets, risk analysis
DO
- Implementation and execution of the security management
CHECK
- Review the execution
- Monitor the potential risks
ACT
- Review by the management
- Improvement of the activity
Why Security Policy is necessary
1. Leveling
- Bringing the whole organization to a uniform, efficient security level
- Minimize the cost for maintaining security
(Chart: security level of each department, A to E, compared with the security level that the organization determined)
Information Security Management Guidelines and Standards
- ISO/IEC 17799:2000 (Code of practice for information security management)
- BS 7799 (British Standard)
- JIS X 5080 (Japan Industrial Standard)
- ISO 15408 (Common Criteria)
- ISO/IEC TR 13335 (GMITS: Guidelines for the Management of IT Security)
- OECD Recommendation Guideline (25 July 2002)
- ISMS (Information Security Management System, Japan)
ISMS Scheme Transition (2000 to 2004)
- ISO: BS7799-1 adopted as ISO/IEC 17799:2000 (Dec. 2000)
- JIS: JIS X 5080:2002 (Feb. 2002)
- ISMS (Japan): Ver.0.8 (Apr. 2001) -> Ver.1.0 (Apr. 2002) -> Ver.2.0 (Apr. 2003)
- BS7799-2: revised as BS7799-2:2002 (Sep. 2002)
Modified from ISMS Guideline: JIPDEC
ISMS Certification Standard: security
Essential key controls (10 controls)
10 essential key control areas for providing effective information security
1 Security policy
2 Organizational security
3 Asset classification and control
4 Personnel security
5 Physical and environmental security
6 Communications and operations management
7 Access control
8 Systems development and maintenance
9 Business continuity management
10 Compliance
BS7799-2:1999, ISMS
Control objectives for management (36 objectives)
Controls for management (127 controls)
Process to establishment of the ISMS (Ver.2.0)
Organization development / ISMS framework:
Step 1 Determine the scope of the ISMS (output: scope)
Step 2 Define an ISMS policy (output: security policy)
Step 3 Define a systematic approach to risk assessment
Step 4 Identify risks (output: list of risks)
Step 5 Undertake risk assessment (output: risk assessment)
Step 6 Undertake risk treatment (output: risk treatment)
Step 7 Select control objectives and control measures for the risks (output: standards of ...)
Step 8 Prepare a statement of applicability
Step 9 Approve residual risks and permit the introduction of the ISMS
ISMS execution:
Step 10 Execution of security measures based on the policy
Step 11 Operation and records
Step 12 Internal auditing and lessons learned
Step 13 Apply for the certification examination
Certification: examination and certification
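The slide lists steps 3 to 9 (a systematic approach to risk assessment, identifying and assessing risks, risk treatment, control selection, the statement of applicability and the approval of residual risks) without showing what the outputs look like. The following is an added example written for this page, not code from the CICC slides or from the ISMS guideline: it scores a constructed risk register on an assumed 3-point likelihood and impact scale, compares each risk with a management-approved acceptance level, picks a control from a small catalogue whose area names are the ten control areas named above (the threat-to-control mapping is an assumption), recomputes the residual risk, and produces the statement of applicability and the list of residual risks that still need management approval.

```python
"""Qualitative ISMS risk assessment and treatment (steps 3 to 9), added example.

Not material from the CICC slides or the ISMS guideline: the scales, the control
catalogue and the sample risk register below are constructed for this example.
"""
from dataclasses import dataclass, field

# Assumed 3-point qualitative scales; risk score = likelihood x impact.
SCALE = {"low": 1, "medium": 2, "high": 3}
ORDER = ["low", "medium", "high"]

# Constructed control catalogue keyed by threat. The area names are the BS7799
# control areas listed on the slide; the threat-to-control mapping is assumed.
CONTROLS = {
    "tapping":      ("6 Communications and operations management", "encrypt links (VPN)"),
    "masquerade":   ("7 Access control", "certificate-based authentication (PKI)"),
    "modification": ("8 Systems development and maintenance", "digital signatures on records"),
    "disaster":     ("9 Business continuity management", "off-site backup and recovery plan"),
}


@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: str
    impact: str


@dataclass
class Treatment:
    risk: Risk
    inherent: int
    residual: int
    decision: str                       # "accept" or "reduce"
    controls: list = field(default_factory=list)


def score(likelihood: str, impact: str) -> int:
    return SCALE[likelihood] * SCALE[impact]


def one_step_lower(level: str) -> str:
    """A selected control is assumed to cut likelihood by one step (never below low)."""
    return ORDER[max(ORDER.index(level) - 1, 0)]


def assess(risks, acceptance_level: int):
    """Steps 4-7: score each risk, accept it if within the approved level,
    otherwise select the catalogue control and recompute the residual risk."""
    treatments = []
    for r in risks:
        inherent = score(r.likelihood, r.impact)
        if inherent <= acceptance_level:
            treatments.append(Treatment(r, inherent, inherent, "accept"))
            continue
        area, control = CONTROLS[r.threat]
        residual = score(one_step_lower(r.likelihood), r.impact)
        treatments.append(Treatment(r, inherent, residual, "reduce", [f"{area}: {control}"]))
    return treatments


def statement_of_applicability(treatments):
    """Step 8: every catalogue control marked applicable / not applicable with a reason."""
    applied = {}
    for t in treatments:
        for c in t.controls:
            applied.setdefault(c, []).append(f"{t.risk.asset} / {t.risk.threat}")
    rows = []
    for threat, (area, control) in CONTROLS.items():
        name = f"{area}: {control}"
        if name in applied:
            rows.append((name, "applicable", "; ".join(applied[name])))
        else:
            rows.append((name, "not applicable", f"no unaccepted risk from '{threat}' in scope"))
    return rows


def needs_management_approval(treatments, acceptance_level: int):
    """Step 9: residual risks still above the acceptance level must be approved explicitly."""
    return [t for t in treatments if t.residual > acceptance_level]


# Constructed sample risk register for an e-Government service (not real data).
SAMPLE_RISKS = [
    Risk("citizen registry database", "tapping", "high", "high"),
    Risk("online application portal", "masquerade", "medium", "high"),
    Risk("public information homepage", "modification", "low", "medium"),
    Risk("data centre", "disaster", "low", "high"),
]
ACCEPTANCE_LEVEL = 3  # management-approved acceptance level (assumed)

if __name__ == "__main__":
    results = assess(SAMPLE_RISKS, ACCEPTANCE_LEVEL)
    for t in results:
        print(f"{t.risk.asset:30} {t.risk.threat:13} inherent={t.inherent} "
              f"residual={t.residual} {t.decision} {t.controls}")
    for row in statement_of_applicability(results):
        print(row)
    for t in needs_management_approval(results, ACCEPTANCE_LEVEL):
        print("needs approval:", t.risk.asset, "residual", t.residual)
```

Run as a script, it shows the registry database risk still at 6 after treatment, which is exactly the case step 9 exists for: the residual risk exceeds the level management accepted, so it must be approved explicitly or treated further before the ISMS is introduced. The two threats with no unaccepted risk appear in the statement of applicability as "not applicable" with a justification rather than being silently omitted.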
Security Policy: what should be described at least
(1) Statement by the top management
(2) Scope of the activity
(3) Purpose of the activity on information security
(4) Definition of information security and appeal of its importance
(5) Declaration that the activity is ordered to all members of the organization
(6) Determination of the policy: penalty, familiarization of members, responsibility, compliance
A simple example of a security policy document
To: All company staff
- date -
From the Managing Director
The world is now facing problems of computer attacks, leaks of company secrets and invasions of privacy. They are no longer somebody else's problem but ours as well. I am sincerely concerned about the impact of those problems on the company, and I would like to emphasize the importance of security measures in order to protect ourselves from such threats.
(1) We will take security measures for our assets based on their importance and secrecy level.
(2) All staff must comply with the security measures that we will determine separately.
(3) The security measures must be reviewed from time to time in accordance with necessity and technological enhancement.
(4) All staff are required to understand the Policy.
(5) I appoint the IT director as security administrator and all board directors as security policy steering committee members.
Effects of the ISMS
(1) Internal effects
- Standardized security level in the organization
- Helps to boost members' morale
- Minimizes the cost for maintaining security
- Makes it possible to apply for certification under a certification scheme (e.g. JIPDEC* in Japan, UKAS** in the UK)
(2) External effects
- Makes it possible to present the organization as certified for operation and management based on a security policy
- Improves the trust of society
* JIPDEC: Japan Information Processing Development Corporation
** UKAS: United Kingdom Accreditation Service
OECD Guidelines for the Security of Information Systems and Networks
1) Awareness: Participants should be aware of the need for security of information systems and networks and what they can do to enhance security
2) Responsibility: All participants are responsible for the security of information systems and networks
3) Response: Participants should act in a timely and co-operative manner to prevent, detect and respond to security incidents
4) Ethics: Participants should respect the legitimate interests of others
5) Democracy: The security of information systems and networks should be compatible with essential values of a democratic society
6) Risk assessment: Participants should conduct risk assessments
7) Security design and implementation: Participants should incorporate security as an essential element of information systems and networks
8) Security management: Participants should adopt a comprehensive approach to security management
9) Reassessment: Participants should review and reassess the security of information systems and networks, and make appropriate modifications to security policies, practices, measures and procedures
Source: OECD