United States Patent Application 20010049793
Kind Code: A1
Sugimoto, Takahiro; December 6, 2001

Method and apparatus for establishing a security policy, and method and apparatus for supporting establishment of security policy
Abstract
A method of efficiently establishing a security policy and an apparatus for supporting preparation of a security policy are provided. According to a method of establishing a security policy in six steps, a simple security policy draft is first prepared. The security policy draft is then adjusted so as to match the realities of the organization, as required, thus completing the security policy stepwise. A security policy can therefore be established in consideration of the organization's schedule or budget.

Inventors: Sugimoto; Takahiro (Chuo-ku, JP)
Correspondence Name and Address: OLIFF & BERRIDGE, PLC, P.O. BOX 19928, ALEXANDRIA, VA 22320, US
Series Code: 853708
Filed: May 14, 2001
U.S. Current Class: 713/200
U.S. Class at Publication: 713/200
Intern'l Class: G06F 011/30

Claims

What is claimed is:
1. A method of establishing a security policy for a predetermined organization, the method comprising: a draft preparation step of preparing a security policy draft; an analysis step of examining a difference between the security policy draft and realities of the organization; and an adjustment step of adjusting the security policy draft on the basis of the difference or adjusting operation rules of an actual information system belonging to the organization on the basis of the difference.

2. The method of establishing a security policy according to claim 1, wherein the draft preparation step comprises: a preparation step of preparing inquiries to be submitted to members of an organization; an inquiry step of submitting the prepared inquiries to the members; an answer acquisition step of acquiring from the members answers to the inquiries; and a drafting step of preparing a security policy draft on the basis of the answers.

3. The method of establishing a security policy according to claim 2, wherein the preparation step involves preparation of inquiries on the basis of job specifications of members to be inquired.

4. The method of establishing a security policy according to claim 2, wherein the answer acquisition step includes at least one of the steps of: integrating the answers acquired from a single member from among the acquired answers and storing the integrated answers into storage means as answers of a single member to be inquired; re-submitting inquiries to members if contradictory answers are included in the answers, to thereby resolve contradiction, and storing the answers into the storage means; and assigning weights to answers according to job specifications of the members to be inquired if contradictory answers are included in the answers, to thereby estimate answers and show the estimated answers.
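The answer acquisition step of claim 4 (integrate each member's answers, detect contradictions, weight answers by job specification to estimate a final answer, or re-submit the inquiry) is illustrated below as an added example; it is not code from the patent, and the job weights, decision threshold and sample answers are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

# Assumed weights per job specification: a system administrator's answer about
# the information system counts more than a general employee's. The page gives
# no numeric values; these are constructed for illustration.
JOB_WEIGHTS = {"system administrator": 3.0, "section manager": 2.0, "general staff": 1.0}

# Fraction of the total weight one answer must reach before it is accepted as
# the estimated answer instead of re-submitting the inquiry (assumption).
DECISION_THRESHOLD = 0.6


@dataclass(frozen=True)
class Answer:
    member: str
    job: str
    question: str
    value: str


def integrate_by_member(answers):
    """Integrate the answers of a single member: keep one stored answer per
    (member, question); a later answer from the same member supersedes an
    earlier one."""
    store = {}
    for a in answers:
        store[(a.member, a.question)] = a
    return list(store.values())


def find_contradictions(answers):
    """Contradiction inspection: questions on which members disagree."""
    by_question = defaultdict(list)
    for a in answers:
        by_question[a.question].append(a)
    return {q: lst for q, lst in by_question.items()
            if len({a.value for a in lst}) > 1}


def weighted_estimate(conflicting):
    """Assign weights by job specification; return (estimated value, scores)."""
    scores = defaultdict(float)
    for a in conflicting:
        scores[a.value] += JOB_WEIGHTS.get(a.job, 1.0)
    best = max(scores, key=scores.get)
    return best, dict(scores)


def resolve_answers(answers):
    """Return (estimated answers, questions to re-submit, contradictions).
    Undisputed answers are taken as-is; disputed ones are estimated by weight,
    or re-submitted when no answer reaches the decision threshold."""
    integrated = integrate_by_member(answers)
    contradictions = find_contradictions(integrated)
    estimated = {a.question: a.value for a in integrated
                 if a.question not in contradictions}
    resubmit = []
    for question, conflicting in contradictions.items():
        value, scores = weighted_estimate(conflicting)
        if scores[value] / sum(scores.values()) >= DECISION_THRESHOLD:
            estimated[question] = value
        else:
            resubmit.append(question)
    return estimated, resubmit, contradictions


# Constructed sample answers (not from the page).
# Q1: "Is a firewall installed at the external connection?"
# Q2: "Are virus definitions updated at least weekly?"
# Q3: "Are passwords shared between staff?"
SAMPLE_ANSWERS = [
    Answer("alice", "system administrator", "Q1", "no"),
    Answer("alice", "system administrator", "Q1", "yes"),   # alice corrects herself
    Answer("bob", "section manager", "Q1", "yes"),
    Answer("carol", "general staff", "Q1", "no"),
    Answer("alice", "system administrator", "Q2", "no"),
    Answer("bob", "section manager", "Q2", "yes"),
    Answer("carol", "general staff", "Q2", "yes"),
    Answer("dave", "general staff", "Q2", "yes"),
    Answer("alice", "system administrator", "Q3", "no"),
    Answer("carol", "general staff", "Q3", "no"),
]

if __name__ == "__main__":
    estimated, resubmit, contradictions = resolve_answers(SAMPLE_ANSWERS)
    print("estimated:", estimated)          # Q1 decided by weight, Q3 undisputed
    print("re-submit:", resubmit)           # Q2: 4.0 vs 3.0 is not decisive
    for q, lst in contradictions.items():
        print(q, [(a.member, a.value) for a in lst])
```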

5. The method of establishing a security policy according to claim 2, wherein the analysis step comprises at least one of: a contradiction inspection step of inspecting whether or not contradictory answers are included in the answers; a first difference detection step of inspecting a difference between an information system virtually designed on the basis of the answers and the security policy, by means of comparison; and a second difference detection step of verifying the virtually-designed information system by means of examination of a real information system and inspecting a difference between the verified information system and the security policy draft by means of comparison.

6. The method of establishing a security policy according to claim 5, further comprising a measurement step of devising measures addressing the inspected difference in conjunction with the priority of the measures.

7. The method of establishing a security policy according to claim 1, further comprising a diagnosis step of diagnosing the security state of the organization, wherein a result of diagnosis performed in the diagnosis step is submitted to the organization, wherewith the organization can become conscious of a necessity for a security policy.

8. The method of establishing a security policy according to claim 6, further comprising: a priority planning step of planning, in sequence of priority, implementation of the security measures which have been devised with priority, thereby embodying a budget of the organization.

9. The method of establishing a security policy according to claim 8, wherein the security measures comprise constructing a system for managing the establishment of a security policy: introduction of a security system; training for compelling employees to respect a security policy; analysis of system logs; monitoring of a network; auditing operations on the basis of the security policy; and reviewing the security policy.

10. The method of establishing a security policy according to claim 8, further comprising: a security enhancement measures implementation step of implementing the security measures in accordance with the plan.

11. A method of establishing a security policy comprising: a preparation step of preparing inquiries to be submitted to members of an organization; an inquiry step of submitting the prepared inquiries to the members; an answer acquisition step of acquiring from the members answers to the inquiries; and an establishment step of establishing a security policy on the basis of the answers.

12. The method of establishing a security policy according to claim 11, wherein the preparation step involves preparation of inquiries on the basis of job specifications of members to be inquired.

13. The method of establishing a security policy according to claim 11, wherein the answer acquisition step includes at least one of the steps of: integrating the answers acquired from a single member from among the acquired answers and storing the integrated answers into storage means as answers of a single member to be inquired; re-submitting inquiries to members if contradictory answers are included in the answers, to thereby resolve contradictions and storing the answers into the storage means; and assigning weights to answers according to job specifications of the members to be inquired if contradictory answers are included in the answers, to thereby estimate answers and display the estimated answers.

14. The method of establishing a security policy according to claim 11, wherein the establishment step involves establishment of three levels of security policies: namely, an executive-level security policy which describes the organization's concept and policy concerning information security, in conformity with global guidelines; a corporate-level security policy which describes an information security system embodying the executive-level security policy; and a product-level security policy which describes measures to implement the executive-level security policy with reference to the corporate-level security policy.

15. The method of establishing a security policy according to claim 14, wherein the corporate-level security policy describes standards for the information security system of the overall organization; and standards for individual equipments constituting the information security system of the organization.

16. The method of establishing a security policy according to claim 14, wherein the product-level security policy includes two types of product-level policies; namely, a first-level security policy describing settings of individual equipment constituting the information security system in natural language; and a second-level security policy describing settings of individual equipment constituting the information security system in specific language used in specific equipments.

17. The method of establishing a security policy according to claim 11, further comprising an analysis step of examining a difference between the security policy draft and realities of the organization; the analysis step further comprising at least one of a contradiction inspection step of inspecting whether or not contradictory answers are included in the answers; a first difference detection step of inspecting a difference between the security policy and an information system virtually designed on the basis of the answers, by means of comparison; and a second difference detection step of verifying the virtually-designed information system by means of examination of a real information system and inspecting a difference between the verified information system and the security policy draft, by means of comparison.

18. The method of establishing a security policy according to claim 17, further comprising a measurement step of devising measures addressing the inspected difference, in conjunction with the priority of the measures.

19. An apparatus for establishing a security policy comprising: inquiry preparation means for preparing inquiries to be submitted to members of an organization; storage means for storing answers to the inquiries; answer archival storage means for acquiring from the members the answers to the inquiries and storing the answers into the storage means; and establishment means for establishing a security policy on the basis of the answers stored in the storage means.

20. The apparatus for establishing a security policy according to claim 19, wherein the inquiry preparation means prepares inquiries to be submitted to the members to be inquired, on the basis of job specifications of the members to be inquired.

21. The apparatus for establishing a security policy according to claim 19, wherein the answer archival storage means integrates the answers acquired from a single member from among the acquired answers and stores the integrated answers into the storage means as answers of a single member to be inquired; or re-submits inquiries to members if contradictory answers are included in the answers, to thereby resolve contradiction, and stores the answers into the storage means; or assigns weights to answers according to job specifications of the members to be inquired if contradictory answers are included in the answers, to thereby estimate answers and display the estimated answers.

22. The apparatus for establishing a security policy according to claim 19, wherein the establishment means establishes three levels of security policies: namely, an executive-level security policy which describes the organization's concept and policy concerning information security, in conformity with global guidelines; a corporate-level security policy which describes an information security system embodying the executive-level security policy; and a product-level security policy which describes measures to implement the executive-level security policy with reference to the corporate-level security policy.

23. The apparatus for establishing a security policy according to claim 22, wherein the corporate-level security policy describes standards for the information security system of the overall organization; and standards for individual equipments constituting the information security system of the organization.

24. The apparatus for establishing a security policy according to claim 22, wherein the product-level security policy includes two types of product-level policies; namely, a first-level security policy describing settings of individual equipments constituting the information security system in natural language; and a second-level security policy describing settings of individual equipments constituting the information security system in specific language used in specific equipments.

25. A method of assessing the state of security of an organization, the method comprising: an inquiry preparation step of preparing inquiries to be submitted to members of an organization; an inquiry step of submitting the prepared inquiries to the members; an answer acquisition step of acquiring from the members answers to the inquiries; and a security state assessment step of assessing the state of security on the basis of the answers.

26. The method of assessing the state of security of an organization according to claim 25, wherein the inquiry preparation step involves preparation of inquiries on the basis of job specifications of members to be inquired.

27. The method of assessing the state of security of an organization according to claim 25, wherein the answer acquisition step involves integration of previous answers and acquired answers in a case where the answers are provided by a member to be inquired who has provided answers before, and involves storage of the integrated answers into storage means as answers from a single member to be inquired.

28. The method of assessing the state of security of an organization according to claim 25, wherein the assessment of a security state includes assessment of security of the organization; average assessment of security of the other organizations included in an industry to which the organization pertains; and the highest security assessment which is considered to be attainable by organizations in the industry to which the organization pertains.

29. The method of assessing the state of security of an organization according to claim 25, wherein the assessment of a security state includes scores assigned to the following items; namely, understanding and attitude concerning security; a security system of the organization; response to unexpected accidents; preparation of a budget for security; and measures to improve security.

30. An apparatus for assessing the state of security of an organization, the apparatus comprising: preparation means for preparing inquiries to be submitted to members of the organization; storage means for storing answers to the inquiries; answer archival storage means for acquiring from the members the answers to the inquiries and storing the answers into the storage means; and security maturity preparation means for preparing a security maturity report representing the degree of maturity of security, on the basis of the answers stored in the storage means.

31. The apparatus for assessing the state of security of an organization according to claim 30, wherein the answer archival storage means integrates previous answers and acquired answers in a case where the answers are provided by a member to be inquired who has provided answers before, and stores the integrated answers into the storage means as answers from a single member to be inquired.

32. The apparatus for assessing the state of security of an organization according to claim 30, wherein the security maturity report includes the degree of maturity of the organization's security; the average degree of maturity of security of other organizations included in an industry to which the organization pertains; and the highest degree of maturity of security which is considered to be attainable by organizations in the industry to which the organization pertains.

33. The apparatus for assessing the state of security of an organization according to claim 30, wherein the security maturity report includes scores assigned to the following items; namely, understanding and attitude concerning security; a security system of the organization; response to unexpected accidents; preparation of a budget for security; and measures to improve security.

34. An analyzer for analyzing a difference between a security policy and an information system of an organization, comprising contradiction inspection means for inspecting whether or not contradiction exists between individual answers in response to inquiries submitted to members of the organization; and contradiction output means for outputting information about the inspected contradiction.

35. The analyzer for analyzing a difference between a security policy and an information system of an organization according to claim 34, further comprising: indicating means for indicating the contradiction on the basis of the information about contradiction; establishment means for virtually establishing an information system for the organization on the basis of the answers free of contradiction; and difference output means for outputting a difference between the configuration of the virtually-established information system and a security policy, by means of comparison.

36. The analyzer for analyzing a difference between a security policy and an information system of an organization according to claim 35, further comprising: real system input means for examining the information system of the organization and entering the configuration of the information system; and difference output means which verifies the virtually-established information system by reference to the configuration of the information system and outputs a difference between a security policy and the configuration of the virtually-established information system which has been verified, by means of comparison.

37. The method of establishing a security policy according to claim 2, wherein, in the inquiry preparation step, the inquiries are generated in accordance with the line of business of the organization.

38. The method of establishing a security policy according to claim 11, wherein, in the inquiry preparation step, the inquiries are generated in accordance with the line of business of the organization.

39. The security policy establishment apparatus according to claim 19, wherein the inquiry preparation means generates inquiries to be submitted to an interviewee in accordance with the line of business of the organization.

40. The method of establishing a security policy according to claim 2, wherein, in the drafting step, a security policy is established on the basis of recommendations or regulations aimed at a specific line of business.

41. The method of establishing a security policy according to claim 11, wherein, in the establishment step, a security policy is established on the basis of recommendations or regulations aimed at a specific line of business.

42. The security policy establishment apparatus according to claim 19, wherein the establishment means establishes a security policy on the basis of items of recommendations or regulations aimed at a specific line of business.

43. The method of establishing a security policy according to claim 2, wherein, in the drafting step, a security policy is established on the basis of items of global guidelines of one or a plurality of types prescribed by a user.

44. The method of establishing a security policy according to claim 43, wherein, in the inquiry preparation step, inquiries are generated on the basis of items of global guidelines of one or a plurality of types prescribed by a user.

45. The method of establishing a security policy according to claim 11, wherein, in the establishment step, a security policy is established on the basis of items of global guidelines of one or a plurality of types prescribed by a user.

46. The method of establishing a security policy according to claim 45, wherein, in the inquiry preparation step, inquiries are generated on the basis of items of global guidelines of one or a plurality of types prescribed by a user.

47. The security policy establishment apparatus according to claim 19, wherein the establishment means establishes a security policy on the basis of items of global guidelines of one or a plurality of types prescribed by a user.

48. The security policy establishment apparatus according to claim 47, wherein the inquiry preparation means generates inquiries to be submitted to interviewees, on the basis of items of global guidelines of one or a plurality of types prescribed by a user.

49. The method of establishing a security policy according to claim 2, wherein, in the establishment step, a security policy is established on the basis of an indicator of rigorousness of security policy prescribed by the user.

50. The method of establishing a security policy according to claim 49, wherein, in the inquiry preparation step, the inquiries are generated on the basis of an indicator of rigorousness of security policy prescribed by the user.

51. The method of establishing a security policy according to claim 11, wherein, in the establishment step, a security policy is established on the basis of an indicator of rigorousness of security policy prescribed by the user.

52. The method of establishing a security policy according to claim 51, wherein, in the inquiry preparation step, the inquiries are generated on the basis of an indicator of rigorousness of security policy prescribed by the user.

53. The security policy establishment apparatus according to claim 19, wherein the establishment means establishes a security policy on the basis of an indicator of rigorousness of security policy prescribed by the user.

54. The security policy establishment apparatus according to claim 53, wherein the inquiry preparation means generates inquiries, on the basis of an indicator of rigorousness of security policy prescribed by the user.

55. A security policy rigorousness adjustment method for adjusting the level of rigorousness of a security policy, comprising: a rigorousness adjustment step of replacing the rules which have been determined not to match the indicator of rigorousness prescribed by a user with rules matching the indicator; and a merge and output step of merging the rules matching the indicator of rigorousness from the beginning with the rules that in the rigorousness adjustment step have replaced the rules not matching the indicator and of outputting the merged rules.

56. A security policy rigorousness adjustment apparatus for adjusting the level of rigorousness of a security policy, comprising: rigorousness adjustment means for replacing the rules which have been determined not to match the indicator of rigorousness prescribed by a user with rules matching the indicator; and merge and output means for merging the rules matching the indicator of rigorousness from the beginning with the rules which in the rigorousness adjustment means have replaced the rules not matching the indicator and for outputting the merged rules.

57. A method of establishing a security policy of a predetermined organization, comprising: an inquiry preparation step of generating inquiries which pertain to items required for establishing a security policy of the organization and are to be submitted to members of the organization; an inquiry step of submitting the generated inquiries to the members; an answer acquisition step of acquiring from the members answers to the inquiries; and an establishment step of establishing a security policy draft on the basis of the answers, wherein, in the establishment step, a security policy within a range of establishment prescribed by the user is established.

58. The method of establishing a security policy according to claim 57, wherein, in the inquiry preparation step, inquiries pertaining to the range of establishment prescribed by the user are generated.

59. A security policy establishment apparatus for establishing a security policy of a predetermined organization, comprising: inquiry preparation means for generating inquiries which pertain to items required for establishing a security policy of the organization and are to be submitted to members of the organization; storage means for storing answers to the generated inquiries; answer archival storage means for acquiring answers to the generated inquiries and storing the answers into the storage means; and establishment means for establishing a security policy within the range of establishment prescribed by the user.

60. The security policy establishment apparatus according to claim 59, wherein the inquiry preparation means generates inquiries pertaining to the range of establishment prescribed by the user.

61. A computer-readable recording medium having recorded thereon a program for causing a computer to perform: inquiry preparation procedures for generating inquiries which pertain to items required for establishing a security policy of the organization and are to be submitted to members of the organization; answer archival procedures for entering answers to the generated inquiries and storing the answers into storage means; and establishment procedures for establishing a security policy on the basis of the answers stored in the storage means.

62. The recording medium according to claim 61, wherein, in the inquiry preparation procedures, inquiries to be submitted to interviewees are generated on the basis of job specifications of the interviewees.

63. The recording medium according to claim 61, wherein, in the answer archival procedures, the answers acquired from a single member from among the acquired answers are integrated, and the integrated answers are stored into the storage means as answers of a single member to be inquired; or weights are assigned to answers according to job specifications of the members to be inquired if contradictory answers are included in the answers, to thereby estimate final answers and display the estimated final answers.

64. The recording medium according to claim 61, wherein, in the inquiry preparation procedures, inquiries to be submitted to the interviewees are generated on the basis of the line of business of the organization.

65. The recording medium according to claim 61, wherein, in the establishment procedures, a security policy is established on the basis of items of global guidelines of one or a plurality of types prescribed by a user.

66. The recording medium according to claim 61, wherein, in the inquiry preparation procedures, the inquiries are generated on the basis of an indicator of rigorousness of security policy prescribed by the user.

67. The recording medium according to claim 61, wherein, in the establishment procedures, a security policy within a range of establishment prescribed by the user is established.

68. A computer-readable recording medium having recorded thereon a program for causing a computer to perform: inquiry preparation procedures for outputting inquiries which pertain to items required for evaluating the degree of maturity of security of a predetermined organization and are to be submitted to members of the organization; answer archival procedures for entering answers to the outputted inquiries and storing the answers into storage means; and security maturity preparation procedures for preparing a security maturity report representing the degree of maturity of security, on the basis of the answers stored in the storage means.

69. The recording medium according to claim 68, wherein the inquiry preparation means generates inquiries to be submitted to interviewees, on the basis of job specifications of the interviewees.

70. A computer-readable recording medium having recorded thereon a program for causing a computer to perform: contradiction inspection procedures for inspecting whether or not contradiction exists between individual answers submitted in response to inquiries which pertain to items required for ascertaining a difference between a security policy of the predetermined organization and an information system of the organization and which have been submitted to members of a predetermined organization; and contradiction output procedures for outputting information about the inspected contradiction.

71. The recording medium according to claim 70, further comprising: indicating procedures for indicating the contradictions on the basis of the information about contradiction; establishment procedures for virtually establishing the configuration of an information system of the organization, on the basis of the answers free of contradictions; and difference output procedures for outputting a difference between the configuration of the virtually-established information system and the security policy, obtained by means of comparison.

72. A computer-readable recording medium having recorded thereon a program for causing a computer to perform: rigorousness adjustment procedures for replacing the rules which have been determined not to match the indicator of rigorousness prescribed by a user with rules matching the indicator of rigorousness; and merge and output procedures for merging the rules matching the indicator of rigorousness from the beginning with the rules which in the rigorousness adjustment procedure have replaced the rules not matching the indicator and for outputting the merged rules.

73. A program for causing a computer to perform: inquiry preparation procedures for generating inquiries which pertain to items required for establishing a security policy of a predetermined organization and are to be submitted to members of the organization; answer archival procedures for entering answers to the generated inquiries and storing the answers into storage means; and establishment procedures for establishing a security policy on the basis of the answers stored in the storage means.

74. The program according to claim 73, wherein, in the inquiry preparation procedures, inquiries to be submitted to interviewees are generated on the basis of job specifications of the interviewees.

75. The program according to claim 73, wherein, in the answer archival procedures, the answers acquired from a single member from among the acquired answers are integrated, and the integrated answers are stored into the storage means as answers of a single member to be inquired; or weights are assigned to answers according to job specifications of the members to be inquired if contradictory answers are included in the answers, to thereby estimate final answers and display the estimated final answers.

76. The program according to claim 73, wherein, in the inquiry preparation procedures, inquiries to be submitted to the interviewees are generated on the basis of the line of business of the organization.

77. The program according to claim 73, wherein, in the establishment procedures, a security policy is established on the basis of items of global guidelines of one or a plurality of types prescribed by a user.

78. The recording medium according to claim 73, wherein, in the inquiry preparation procedures, the inquiries are generated on the basis of an indicator of rigorousness of security policy prescribed by the user.

79. The recording medium according to claim 73, wherein, in the establishment procedures, a security policy within a range of establishment prescribed by the user is established.

80. A program for causing a computer to perform: inquiry preparation procedures for outputting inquiries which pertain to items required for evaluating the degree of maturity of security of a predetermined organization and are to be submitted to members of the organization; answer archival procedures for entering answers to the outputted inquiries and storing the answers into storage means; and security maturity preparation procedures for preparing a security maturity report representing the degree of maturity of security, on the basis of the answers stored in the storage means.

81. A program for causing a computer to perform: contradiction inspection procedures for inspecting whether or not contradiction exists between individual answers in response to inquiries which pertain to items required for ascertaining a difference between a security policy of the predetermined organization and an information system of the organization and which have been submitted to members of a predetermined organization; and contradiction output procedures for outputting information about the inspected contradiction.

82. The program according to claim 81, further comprising: matching procedures for matching the answers on the basis of the information about contradiction, thus producing answers free of contradiction; establishment procedures for virtually establishing the configuration of an information system of the organization, on the basis of the answers produced by the matching procedure; and difference output procedures for outputting a difference between the configuration of the virtually-established information system and the security policy, obtained by means of comparison.

83. A program for causing a computer to perform: level-of-rigorousness inspection procedures for inspecting whether or not individual rules of the security policy match an indicator of rigorousness prescribed by a user; rigorousness adjustment procedures for replacing the rules which have been determined not to match the indicator in the level-of-rigorousness inspection procedure with rules matching the indicator of rigorousness; and merge and output procedures for merging the rules matching the indicator of rigorousness from the beginning with the rules which in the rigorousness adjustment procedure have replaced the rules not matching the indicator and for outputting the merged rules.

Description



BACKGROUND OF THE INVENTION

[0001] 1. Field of the Invention

[0002] The present invention relates to establishment of a so-called security policy. More particularly, the present invention relates to a method and apparatus which enable immediate establishment of a security policy suitable for an individual organization, as well as to a method and apparatus for supporting establishment of a security policy.

[0003] 2. Background Art

[0004] In association with development of information technology, the importance of information security increases. Every organization takes various measures for protecting internal information.

[0005] For example, a firewall is set at the interface with an external network, thereby preventing unauthorized intrusion by outsiders into the internal network of the organization, or unauthorized access to internal information.

[0006] In order to combat computer viruses or the like, virus detection/combat software is employed for monitoring computers disposed in the organization. Throughout the specification, the expression "organization" signifies an enterprise, a federal or municipal agency, a corporation such as a legally-incorporated foundation, or any other party or organized group.

[0007] As mentioned above, various measures have hitherto been taken for ensuring information security.

[0008] If such measures are independently or separately discussed or reviewed, ensuring the security level of the entire organization becomes difficult.

[0009] For instance, no matter how well a firewall is enhanced, if third parties can freely enter the organization's building and have an opportunity to operate a terminal, the security level of the entire organization is considerably deteriorated.

[0010] Even if virus detection software is used, if the software is not updated to oppose new viruses, it cannot combat newly created computer viruses.

[0011] In order to enhance the information security level of the entire organization, there must be devised a method for designing and implementing information security of the entire organization. Such a designing and implementation method (or a group of designing and implementation methods) is generally called a security policy.

[0012] Various proposals concerning basic headings and contents for establishing a standard security policy have already been put forward as international guidelines. As a matter of course, the headings and contents must be individually tailored to the organization.

[0013] Therefore, there still remains a necessity for establishing a security policy on a per-organization basis; security policies cannot be mass-produced. Thus, establishment of an individual security policy involves consumption of much time and effort.

[0014] Further, contents of a security policy must be changed with elapse of time. For instance, in a case where a corporate organizational structure has been changed, usage value and risk assessment of existing information must be changed correspondingly.

[0015] A common method for establishing a security policy and making periodic amendments to it has not been known. For this reason, individual systems engineers have had to establish or amend a security policy through experience and guesswork. As a result, establishment of or amendment to a security policy consumes an enormous amount of manpower, and amendments may fail to keep pace with changes in the actual circumstances (hereinafter called "reality") of an organization.

[0016] It has often been seen that a wide difference arises between a security policy and the reality of an organization, thereby making it difficult to establish and sustain enhanced information security.

[0017] The present invention has been conceived in light of the foregoing drawbacks of the background art and is aimed at providing a method of efficiently establishing a security policy, as well as an apparatus for supporting establishment of a security policy.

SUMMARY OF THE INVENTION

[0018] To this end, the present invention provides a method of establishing a security policy for a predetermined organization, the method comprising:

[0019] a draft preparation step of preparing a security policy draft;

[0020] an analysis step of examining a difference between the security policy draft and realities of the organization; and

[0021] an adjustment step of adjusting the security policy draft on the basis of the difference or adjusting operation rules of an actual information system belonging to the organization on the basis of the difference.

[0022] By means of such a configuration, a security policy can be established stepwise, thereby enabling efficient establishment of a security policy.

[0023] Preferably, the draft preparation step comprises: a preparation step of preparing inquiries to be submitted to members of an organization;

[0024] an inquiry step of submitting the prepared inquiries to the members;

[0025] an answer acquisition step of acquiring from the members answers to the inquiries; and

[0026] a drafting step of preparing a security policy draft on the basis of the answers.

[0027] By means of such a configuration, a security policy draft can be prepared on the basis of inquiries.

[0028] Preferably, the preparation step involves preparation of inquiries on the basis of job specifications of members to be inquired.

[0029] Since inquiries are prepared according to the job specification of the member to be inquired, inquiries can be submitted efficiently.

[0030] Preferably, the answer acquisition step includes at least one of the steps of:

[0031] integrating the answers acquired from a single member from among the acquired answers and storing the integrated answers into storage means as answers of a single member to be inquired;

[0032] re-submitting inquiries to members if contradictory answers are included in the answers, to thereby resolve contradiction, and storing the answers into the storage means; and

[0033] assigning weights to answers according to job specifications of the members to be inquired if contradictory answers are included in the answers, to thereby estimate answers and display the estimated answers.

[0034] Such a configuration enables integration of answers in a case where a plurality of inquirers separately submit inquiries to members to be inquired.
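The following is an added worked example, not code from the patent application: it integrates the answers one member gave to the same inquiry, flags the members whose own answers conflict so that the inquiry can be re-submitted, detects inquiries on which different members contradict each other, and estimates an answer by weighting each member's answer by job specification. The job names, weights, inquiry identifiers and answers are constructed for illustration and are assumptions of the example.

```python
from collections import defaultdict

# Assumed job-specification weights (not from the patent): the member whose
# job covers an item is trusted more on that item than other members.
JOB_WEIGHTS = {"network_admin": 3.0, "system_admin": 2.0, "general_staff": 1.0}

# Constructed sample answers: (member, job, inquiry id, answer). Alice was
# asked Q1 by two interviewers and answered consistently; three members
# disagree on Q2; Erin contradicts herself on Q3.
SAMPLE_ANSWERS = [
    ("alice", "network_admin", "Q1", "yes"),
    ("alice", "network_admin", "Q1", "yes"),
    ("bob", "general_staff", "Q2", "no"),
    ("carol", "system_admin", "Q2", "yes"),
    ("dave", "network_admin", "Q2", "yes"),
    ("erin", "general_staff", "Q3", "no"),
    ("erin", "general_staff", "Q3", "yes"),
]


def integrate_per_member(answers):
    """Merge all answers one member gave to one inquiry into a single record.

    Returns the merged answers, the job of each member, and the (member,
    inquiry) pairs whose own answers conflict and must be re-submitted.
    """
    merged = defaultdict(set)
    jobs = {}
    for member, job, inquiry, answer in answers:
        merged[(member, inquiry)].add(answer)
        jobs[member] = job
    resubmit = sorted(key for key, values in merged.items() if len(values) > 1)
    return merged, jobs, resubmit


def inspect_contradictions(merged):
    """Group self-consistent answers by inquiry and report the inquiries on
    which different members contradict each other."""
    by_inquiry = defaultdict(dict)
    for (member, inquiry), values in merged.items():
        if len(values) == 1:
            by_inquiry[inquiry][member] = next(iter(values))
    contradictions = {
        inquiry: answers
        for inquiry, answers in by_inquiry.items()
        if len(set(answers.values())) > 1
    }
    return by_inquiry, contradictions


def estimate_by_weight(member_answers, jobs):
    """Weighted vote: each answer accumulates the job weight of the members
    who gave it; the heaviest answer is the estimate shown to the analyst."""
    score = defaultdict(float)
    for member, answer in member_answers.items():
        score[answer] += JOB_WEIGHTS.get(jobs[member], 1.0)
    estimate = max(score, key=score.get)
    return estimate, dict(score)


def analyse_answers(answers=SAMPLE_ANSWERS):
    """Run the three steps and return what an interviewer would act on."""
    merged, jobs, resubmit = integrate_per_member(answers)
    _, contradictions = inspect_contradictions(merged)
    estimates = {
        inquiry: estimate_by_weight(member_answers, jobs)[0]
        for inquiry, member_answers in contradictions.items()
    }
    return {
        "resubmit": resubmit,
        "contradictions": sorted(contradictions),
        "estimates": estimates,
    }


if __name__ == "__main__":
    print(analyse_answers())
```

A member who contradicts himself is excluded from the cross-member vote until the inquiry has been re-submitted, because weighting cannot decide which of his own answers to believe; the estimate is only displayed, so the analyst still decides whether to accept it.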

[0035] Preferably, the analysis step comprises at least one of:

[0036] a contradiction inspection step of inspecting whether or not contradictory answers are included in the answers;

[0037] a first difference detection step of inspecting a difference between an information system virtually designed on the basis of the answers and the security policy by means of comparison; and

[0038] a second difference detection step of verifying the virtually-designed information system by means of examination of a real information system and inspecting a difference between the verified information system and the security policy draft by means of comparison.

[0039] Such a configuration enables finding of contradiction between answers and detection of a difference between a real information system and a security policy.

[0040] Preferably, the method of establishing a security policy further comprises a measurement step of devising measures addressing the inspected difference, in conjunction with the priority of the measures.

[0041] Such a configuration enables devising of measures with assigned priorities.

[0042] Preferably, the method of establishing a security policy further comprises a diagnosis step of diagnosing the security state of the organization, wherein a result of diagnosis performed in the diagnosis step is submitted to the organization, wherewith the organization can become conscious of the necessity for a security policy.

[0043] Such a configuration enables ascertainment of security status of the organization.

[0044] Preferably, the method of establishing a security policy further comprises a priority planning step of planning implementation of the devised security measures in order of priority, thereby reflecting the budget of the organization.

[0045] Such a configuration enables implementation of security measures in a premeditated manner, thereby facilitating preparation of a budget.

[0046] Preferably, the security measures comprise: constructing a system for managing establishment of a security policy;

[0047] introduction of a security system;

[0048] training that compels members to respect the security policy;

[0049] analysis of system logs;

[0050] monitoring of a network;

[0051] auditing operations on the basis of the security policy; and

[0052] reviewing the security policy.

[0053] Since the security measures involve training of members as well as introduction of information security equipment, a higher degree of information security can be attained.

[0054] Preferably, the method of establishing a security policy further comprises a security enhancement measures implementation step of implementing the security measures in accordance with the plan.

[0055] Such a configuration enables smooth implementation of security measures.

[0056] The present invention also provides a method of establishing a security policy comprising:

[0057] a preparation step of preparing inquiries to be submitted to members of an organization;

[0058] an inquiry step of submitting the prepared inquiries to the members;

[0059] an answer acquisition step of acquiring from the members answers to the inquiries; and

[0060] an establishment step of establishing a security policy on the basis of the answers.

[0061] By means of such a configuration, a security policy draft can be prepared on the basis of inquiries.

[0062] Preferably, the preparation step involves preparation of inquiries on the basis of job specifications of members to be inquired.

[0063] Since inquiries are prepared according to the job specification of the member to be inquired, inquiries can be submitted efficiently.

[0064] Preferably, the answer acquisition step includes at least one of the steps of:

[0065] integrating the answers acquired from a single member from among the acquired answers and storing the integrated answers into storage means as answers of a single member to be inquired;

[0066] re-submitting inquiries to members if contradictory answers are included in the answers, to thereby resolve contradiction, and storing the answers into the storage means; and

[0067] assigning weights to answers according to job specifications of the members to be inquired if contradictory answers are included in the answers, to thereby estimate answers and display the estimated answers.

[0068] Such a configuration enables integration of answers in a case where a plurality of inquirers separately submit inquiries to members to be inquired.

[0069] Preferably, the establishment step involves establishment of three levels of security policies; namely,

[0070] an executive-level security policy which describes the organization's concept and policy concerning information security in conformity with global guidelines;

[0071] a corporate-level security policy which describes an information security system embodying the executive-level security policy; and

[0072] a product-level security policy which describes measures to implement the executive-level security policy with reference to the corporate-level security policy.

[0073] Since three levels of security policies are established, a hierarchical security policy can be obtained. Here, the measures to implement the executive-level security policy with reference to the corporate-level security policy include operation rules for utilizing the security policies, as well as hardware and software.

[0074] Preferably, the corporate-level security policy describes standards for the information security system of the overall organization; and standards for individual equipments constituting the information security system of the organization.

[0075] Such a configuration clarifies a security policy for the entire organization and a security policy for individual pieces of equipment. Here, equipment is a concept including networks, hosts, and applications.

[0076] Preferably, the product-level security policy includes two types of product-level policies; namely,

[0077] a first-level security policy describing settings of individual equipments constituting the information security system in natural language; and

[0078] a second-level security policy describing settings of individual equipments constituting the information security system in specific language used in specific equipments.

[0079] The first-level product-level security policy enables a human to understand a security policy. The second-level product-level security policy facilitates setting of individual equipment. Here, equipment includes both hardware and software constituting the information security system.

[0080] Preferably, the analysis step comprises

[0081] a contradiction inspection step of inspecting whether or not contradictory answers are included in the answers; and

[0082] a difference detection step of inspecting whether or not there is a difference between an information system virtually designed on the basis of the answers and a real information system of the organization.

[0083] Such a configuration enables efficient detection of contradiction or difference.

[0084] Preferably, the method of establishing a security policy further comprises a measurement step of devising measures addressing the inspected difference, in conjunction with the priority of the measures.

[0085] Since measures are devised in conjunction with priorities thereof, planning for implementing information security is facilitated.

[0086] The present invention also provides an apparatus of establishing a security policy comprising:

[0087] inquiry preparation means of preparing inquiries to be submitted to members of an organization;

[0088] storage means for storing answers to the inquiries;

[0089] answer archival storage means for acquiring from the members the answers to the inquiries and storing the answers into the storage means; and

[0090] establishment means for establishing a security policy on the basis of the answers stored in the storage means.

[0091] Since inquiries to be submitted to members are prepared, inquiry operations are facilitated. Here, the expression "member" signifies any individual associated with an information system of the organization. Therefore, members include part-time employees and employees of affiliated corporations, as well as employees of an organization of interest.

[0092] Preferably, the inquiry preparation means prepares inquiries to be submitted to the members to be inquired, on the basis of job specifications of the members to be inquired.

[0093] Since inquiries are prepared according to the job specification of the member to be inquired, inquiries can be submitted efficiently.

[0094] Preferably, the answer archival storage means integrates the answers acquired from a single member from among the acquired answers and stores the integrated answers into the storage means as answers of a single member to be inquired; or

[0095] re-submits inquiries to members if contradictory answers are included in the answers, to thereby resolve contradiction, and stores the answers into the storage means; or

[0096] assigns weights to answers according to job specifications of the members to be inquired if contradictory answers are included in the answers, to thereby estimate answers, and displays the estimated answers.

[0097] Such a configuration enables integration of answers while ensuring a match among the answers in a case where a plurality of inquirers separately submit inquiries to members to be inquired.

[0098] Preferably, the establishment means establishes three levels of security policies; namely,

[0099] an executive-level security policy which describes the organization's concept and policy concerning information security in conformity with global guidelines;

[0100] a corporate-level security policy which describes an information security system embodying the executive-level security policy; and

[0101] a product-level security policy which describes measures to implement the executive-level security policy with reference to the corporate-level security policy.

[0102] Since three levels of security policies are established, a hierarchical security policy can be obtained. Here, the measures for implementing the executive-level security policy with reference to the corporate-level security policy include operation rules for utilizing the security policies, as well as hardware and software.

[0103] Preferably, the corporate-level security policy describes standards for the information security system of the overall organization; and standards for individual equipments constituting the information security system of the organization.

[0104] Such a configuration clarifies a security policy for the entire organization and a security policy for individual pieces of equipment. Here, equipment is a concept including networks, hosts, and applications.

[0105] Preferably, the product-level security policy includes two types of product-level policies; namely,

[0106] a first-level security policy describing settings of individual equipments constituting the information security system in natural language; and

[0107] a second-level security policy describing settings of individual equipments constituting the information security system in specific language used in specific equipments.

[0108] The first-level product-level security policy enables a human to understand a security policy. The second-level product-level security policy facilitates setting of individual equipment. Here, equipment includes both hardware and software constituting the information security system.

[0109] The present invention also provides a method of assessing the state of security of an organization, the method comprising:

[0110] an inquiry preparation step of preparing inquiries to be submitted to members of an organization;

[0111] an inquiry step of submitting the prepared inquiries to the members;

[0112] an answer acquisition step of acquiring from the members answers to the inquiries; and

[0113] a security state assessment step of assessing the state of security on the basis of the answers.

[0114] By means of such a configuration, the security state of an organization can be ascertained on the basis of answers to inquiries.

[0115] Preferably, the inquiry preparation step involves preparation of inquiries on the basis of job specifications of members to be inquired.

[0116] Since inquiries are prepared according to the job specification of the member to be inquired, inquiries can be submitted efficiently.

[0117] Preferably, the answer acquisition step involves integration of previous answers and acquired answers in a case where the answers are provided by a member to be inquired who has provided answers before, and involves storage of the integrated answers into storage means as answers from a single member to be inquired.

[0118] Such a configuration enables integration of answers while ensuring a match among the answers in a case where a plurality of inquirers separately submit inquiries to members to be inquired.

[0119] Preferably, the assessment of a security state includes

[0120] assessment of security of the organization;

[0121] average assessment of security of the other organizations included in an industry to which the organization pertains; and

[0122] the highest security assessment which is considered to be attainable by organizations in the industry to which the organization pertains.

[0123] Such a configuration enables assessment of an organization in comparison with similar organizations. Further, display of a theoretical highest value assists managers in setting a goal to be attained.

[0124] Preferably, the assessment of a security state includes scores assigned to the following items; namely,

[0125] understanding and attitude concerning security;

[0126] a security system of the organization;

[0127] a response to unexpected accidents;

[0128] preparation of a budget for security; and

[0129] measures to improve security.

[0130] Such a configuration enables an organization to ascertain the assessment of its information security on a per-item basis, from the manager's point of view.

[0131] The present invention also provides an apparatus for assessing the state of security of an organization, the apparatus comprising:

[0132] preparation means for preparing inquiries to be submitted to members of an organization;

[0133] storage means for storing answers to the inquiries;

[0134] answer archival storage means for acquiring the answers to the inquiries from the members and storing the answers into the storage means; and

[0135] security maturity preparation means for preparing a security maturity report representing the degree of maturity of security, on the basis of the answers stored in the storage means.

[0136] Inquiries are submitted to members, and an organization can ascertain its security on the basis of answers to the inquiries.

[0137] Preferably, the answer archival storage means integrates previous answers and acquired answers in a case where the answers are provided by an member to be inquired who has provided answers before, and stores the integrated answers into the storage means as answers from a single member to be inquired.

[0138] Such a configuration enables integration of answers while ensuring a match among the answers in a case where a plurality of inquirers separately submit inquiries to members to be inquired.

[0139] Preferably, the security maturity report includes

[0140] the degree of maturity of the organization's security;

[0141] the average degree of maturity of security of other organizations included in an industry to which the organization pertains; and

[0142] the highest degree of maturity of security which is considered to be attainable by organizations in the industry to which the organization pertains.

[0143] Such a configuration enables assessment of an organization in comparison with other organizations in respect of average degree. Further, display of a theoretical highest value facilitates setting of a goal to be attained.

[0144] Preferably, the security maturity report includes scores assigned to the following items; namely,

[0145] understanding and attitude concerning security;

[0146] a security system of the organization;

[0147] response to unexpected accidents;

[0148] preparation of a budget for security; and

[0149] measures to improve security.

[0150] Such a configuration enables an organization to ascertain the assessment of its information security on a per-item basis, from the manager's point of view.

[0151] The present invention also provides an analyzer for analyzing a difference between a security policy and an information system of an organization, comprising

[0152] contradiction inspection means for inspecting whether or not contradiction exists between individual answers in response to inquiries submitted to members of the organization; and

[0153] contradiction output means for outputting information about the inspected contradiction.

[0154] Such a configuration enables ascertainment of contradiction included in answers.

[0155] Preferably, the analyzer for analyzing a difference between a security policy and an information system of an organization further comprises

[0156] matching means for matching the answers on the basis of the information about contradiction, thus producing answers free of contradiction;

[0157] establishment means for virtually establishing an information system for the organization on the basis of the answers produced by the matching means; and

[0158] difference output means for outputting a difference between the configuration of the virtually-established information system and a security policy, by means of comparison.

[0159] Such a configuration enables ascertainment of a difference between a security policy and realities of an organization.

[0160] Preferably, the analyzer for analyzing a difference between a security policy and an information system of an organization further comprises

[0161] real system input means for examining the information system of the organization and entering the configuration of the information system; and

[0162] difference output means which verifies the virtually-established information system by reference to the configuration of the information system and outputs a difference between a security policy and the configuration of the virtually-established information system which has been verified, by means of comparison.

[0163] Such a configuration enables comparison between an information system which has been verified by means of actual examination of an information system and a security policy, thereby enabling accurate analysis of a difference.
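The following is an added worked example, not code from the patent application. It serves both the first and second difference detection steps of [0037] and [0038] and the analyzer of [0151] to [0163]: it virtually establishes the configuration of the information system from interview answers, compares it with a security policy draft, corrects it with the results of examining the real system, and compares again. The equipment names, configuration items, permitted values, rule texts and the record of the real system are constructed for illustration and are assumptions of the example.

```python
# Constructed interview answers (not from the patent): (equipment, item) -> value.
SAMPLE_ANSWERS = {
    ("fw1", "default_policy"): "deny",
    ("fw1", "admin_access"): "telnet",
    ("mail1", "antivirus_updates"): "weekly",
    ("mail1", "os_patching"): "monthly",
}

# Security policy draft (assumed rules): for each configuration item, the
# values the draft permits and the rule text shown in the difference report.
POLICY_DRAFT = [
    ("default_policy", {"deny"}, "Firewall default policy must be deny"),
    ("admin_access", {"ssh"}, "Administrative access must use SSH only"),
    ("antivirus_updates", {"daily", "hourly"}, "Virus signatures must be updated at least daily"),
    ("os_patching", {"weekly", "monthly"}, "Operating systems must be patched at least monthly"),
]

# Constructed record of the real system: examination showed that mail1
# already updates signatures daily, and that fw1 also exposes an HTTP
# administration interface that no interviewee mentioned.
REAL_SYSTEM = {
    ("fw1", "default_policy"): "deny",
    ("fw1", "admin_access"): "telnet,http",
    ("mail1", "antivirus_updates"): "daily",
    ("mail1", "os_patching"): "monthly",
}


def virtual_configuration(answers):
    """Virtually establish the information system: one dict per equipment."""
    config = {}
    for (equipment, item), value in answers.items():
        config.setdefault(equipment, {})[item] = value
    return config


def differences(config, policy=POLICY_DRAFT):
    """Compare a configuration with the policy draft; return (equipment, rule)
    pairs where the configured value lies outside the permitted set. A
    comma-separated value is a set of enabled options, all of which must be
    permitted."""
    violations = []
    for equipment, items in config.items():
        for item, permitted, rule_text in policy:
            if item in items and not set(items[item].split(",")) <= permitted:
                violations.append((equipment, rule_text))
    return violations


def verify_against_real(config, real=REAL_SYSTEM):
    """Correct the virtual configuration with what examination of the real
    system showed; return the verified configuration and the items on which
    the interview answers were wrong."""
    verified = {equipment: dict(items) for equipment, items in config.items()}
    mismatches = []
    for (equipment, item), actual in real.items():
        claimed = verified.setdefault(equipment, {}).get(item)
        if claimed != actual:
            mismatches.append((equipment, item, claimed, actual))
        verified[equipment][item] = actual
    return verified, mismatches


def analyse_difference(answers=SAMPLE_ANSWERS, real=REAL_SYSTEM, policy=POLICY_DRAFT):
    """First difference detection (answers vs. draft), verification against
    the real system, then second difference detection (verified vs. draft)."""
    virtual = virtual_configuration(answers)
    first = differences(virtual, policy)
    verified, mismatches = verify_against_real(virtual, real)
    second = differences(verified, policy)
    return {"first": first, "mismatches": mismatches, "second": second}


if __name__ == "__main__":
    for key, value in analyse_difference().items():
        print(key, value)
```

The two reports differ in both directions: the first flags a virus-update gap that examination shows does not exist, and the second keeps the administration-access violation that the answers understated. Only the verified difference should drive the measures and their priorities.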

[0164] An invention according to a second embodiment will now be described.

[0165] To solve the previously-described problem, in the inquiry preparation step, the inquiries are prepared in accordance with the line of business of the organization.

[0166] Preferably, the inquiry preparation means generates inquiries to be submitted to an interviewee in accordance with the line of business of the organization.

[0167] According to the present invention, the line of business of an organization is taken into account. Hence, a security policy corresponding to a line of business can be established.

[0168] An invention according to a third embodiment will now be described.

[0169] According to the present invention, in the drafting step, a security policy is drafted on the basis of recommendations or regulations aimed at a specific line of business.

[0170] According to the present invention, the establishment means establishes a security policy on the basis of items of recommendations or regulations aimed at a specific line of business.

[0171] Such a configuration enables establishment of a security policy for items which are of greater detail than general-purpose global guidelines, in connection with a specific line of business.

[0172] An invention according to a fourth embodiment will be described hereinbelow.

[0173] According to the present invention, in the establishment step, a security policy is established on the basis of items of global guidelines of one or a plurality of types prescribed by a user.

[0174] According to the present invention, the establishment means establishes a security policy on the basis of items of global guidelines of one or a plurality of types prescribed by a user.

[0175] By means of the configuration of the invention, a user can select the global guidelines to be employed.

[0176] According to the present invention, in the inquiry preparation step, inquiries are generated on the basis of items of global guidelines of one or a plurality of types prescribed by a user.

[0177] Similarly, the inquiry preparation means generates inquiries to be submitted to interviewees, on the basis of items of global guidelines of one or a plurality of types prescribed by a user.

[0178] By means of such a configuration, inquiries complying with a global guideline prescribed by the user are submitted, thereby enabling efficient inquiries.

[0179] An invention according to a fifth embodiment will now be described.

[0180] According to the present invention, in the establishment step, a security policy is established on the basis of an indicator of rigorousness of security policy prescribed by the user.

[0181] According to the present invention, the establishment means establishes a security policy on the basis of an indicator of rigorousness of security policy prescribed by the user.

[0182] By means of the configuration according to the present invention, the user can freely specify the level of rigorousness of the security policy.

[0183] According to the present invention, in the inquiry preparation step, the inquiries are generated on the basis of an indicator of rigorousness of security policy prescribed by the user.

[0184] Similarly, according to the present invention, the inquiry preparation means generates inquiries, on the basis of an indicator of rigorousness of security policy prescribed by the user.

[0185] By means of such a configuration, inquiries are generated in accordance with the level of rigorousness prescribed by the user. As will be described later, if a higher level of rigorousness is prescribed, the number of general inquiries is increased, so that inquiries concerning detailed items are generated. In contrast, if a lower level of rigorousness is prescribed, the number of general inquiries is reduced, and inquiries become less elaborate. Since inquiries according to the level of rigorousness are generated, inquiries can be made more efficiently.

[0186] The present invention provides a security policy rigorousness adjustment method for adjusting the level of rigorousness of a security policy, comprising:

[0187] a rigorousness adjustment step of replacing the rules which have been determined not to match the indicator of rigorousness prescribed by a user with rules matching the indicator of rigorousness; and

[0188] a merge and output step of merging the rules matching the indicator of rigorousness from the beginning with the rules which in the rigorousness adjustment step have replaced the rules not matching the indicator and of outputting the merged rules.

[0189] Further, the present invention provides a security policy rigorousness adjustment apparatus for adjusting the level of rigorousness of a security policy, comprising:

[0190] rigorousness adjustment means for replacing the rules which have been determined not to match the indicator of rigorousness prescribed by a user with rules matching the indicator of rigorousness; and

[0191] merge and output means for merging the rules matching the indicator of rigorousness from the beginning with the rules which the rigorousness adjustment means has substituted for the rules not matching the indicator, and for outputting the merged rules.

[0192] By means of these configurations according to the present invention, the level of rigorousness of security policy can be adjusted such that a level of rigorousness prescribed by the user is achieved.
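The following is an added worked example, not code from the patent application, of the rigorousness adjustment method of [0186] to [0192] and of claim 83: rules whose level does not match the indicator prescribed by the user are replaced by catalogue rules for the same item at the prescribed level, and the result is merged with the rules that matched from the beginning, in the original order. The three levels, the rule catalogue and the sample policy are constructed for illustration; the patent does not specify how alternative rules are stored, so the catalogue is an assumption of the example.

```python
LEVELS = ("low", "medium", "high")

# Constructed catalogue (not from the patent): the rule text for each item
# at each level of rigorousness. A real tool would keep this in its rule
# database.
CATALOGUE = {
    "password_length": {
        "low": "Passwords must be at least 6 characters long",
        "medium": "Passwords must be at least 8 characters long",
        "high": "Passwords must be at least 12 characters long",
    },
    "password_expiry": {
        "low": "Passwords need not expire",
        "medium": "Passwords expire after 180 days",
        "high": "Passwords expire after 90 days",
    },
    "remote_admin": {
        "low": "Remote administration is permitted from any network",
        "medium": "Remote administration is permitted from the office network only",
        "high": "Remote administration is permitted from the management network over SSH only",
    },
}

# Constructed policy with mixed levels, plus one item the catalogue does not know.
SAMPLE_POLICY = [
    {"item": "password_length", "level": "medium", "text": CATALOGUE["password_length"]["medium"]},
    {"item": "remote_admin", "level": "high", "text": CATALOGUE["remote_admin"]["high"]},
    {"item": "password_expiry", "level": "low", "text": CATALOGUE["password_expiry"]["low"]},
    {"item": "visitor_badges", "level": "low", "text": "Visitors sign the guest book"},
]


def inspect_rigorousness(policy, indicator):
    """Split the rules into those already at the prescribed level and the rest."""
    matching = [rule for rule in policy if rule["level"] == indicator]
    mismatching = [rule for rule in policy if rule["level"] != indicator]
    return matching, mismatching


def adjust_rigorousness(mismatching, indicator, catalogue=CATALOGUE):
    """Replace each mismatching rule by the catalogue rule for the same item
    at the prescribed level. Items the catalogue does not know cannot be
    adjusted automatically and are returned separately for manual review."""
    replaced, unresolved = [], []
    for rule in mismatching:
        alternatives = catalogue.get(rule["item"])
        if alternatives is None:
            unresolved.append(rule)
            continue
        replaced.append({"item": rule["item"], "level": indicator,
                         "text": alternatives[indicator], "replaced": True})
    return replaced, unresolved


def merge_and_output(matching, replaced, unresolved, original_order):
    """Merge the rules in the order of the original policy so that its
    structure is preserved in the output."""
    by_item = {rule["item"]: {**rule, "replaced": False} for rule in matching + unresolved}
    by_item.update({rule["item"]: rule for rule in replaced})
    return [by_item[item] for item in original_order]


def adjust_policy(policy, indicator):
    """Whole procedure: inspect, replace, merge. Returns the merged policy
    and the rules that still need a human."""
    if indicator not in LEVELS:
        raise ValueError(f"unknown level of rigorousness: {indicator!r}")
    matching, mismatching = inspect_rigorousness(policy, indicator)
    replaced, unresolved = adjust_rigorousness(mismatching, indicator)
    merged = merge_and_output(matching, replaced, unresolved,
                              [rule["item"] for rule in policy])
    return merged, unresolved


if __name__ == "__main__":
    merged, unresolved = adjust_policy(SAMPLE_POLICY, "high")
    for rule in merged:
        print("*" if rule["replaced"] else " ", rule["level"], rule["text"])
    print("needs manual review:", [rule["item"] for rule in unresolved])
```

Rules the catalogue cannot rewrite are kept in place at their old level and listed separately rather than silently dropped; a merged policy that quietly lost a rule would be weaker than the one the user started from.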

[0193] An invention according to a sixth embodiment will now be described.

[0194] The present invention provides a method of establishing a security policy of a predetermined organization, comprising:

[0195] an inquiry preparation step of generating inquiries which pertain to items required for establishing a security policy of the organization and are to be submitted to members of the organization;

[0196] an inquiry submission step of submitting the generated inquiries to the members;

[0197] an answer acquisition step of acquiring from the members answers to the inquiries; and

[0198] an establishment step of establishing a security policy on the basis of the answers, wherein, in the establishment step, a security policy within a range of establishment prescribed by the user is established.

[0199] By means of the configuration set forth, a security policy falling within the range prescribed by the user is obtained.

[0200] According to the present invention, in the inquiry preparation step, inquiries pertaining to the range of establishment prescribed by the user are generated.

[0201] By means of such a configuration according to the present invention, only inquiries about the range prescribed by the user are generated. Hence, submission of inquiries irrelevant to the range is prevented.

[0202] The present invention provides a security policy establishment apparatus for establishing a security policy of a predetermined organization, comprising:

[0203] inquiry preparation means for generating inquiries which pertain to items required for establishing a security policy of the organization and are to be submitted to members of the organization;

[0204] storage means for storing answers to the generated inquiries;

[0205] answer archival storage means for acquiring answers to the generated inquiries and storing the answers into the storage means; and

[0206] establishment means for establishing a security policy within the range of establishment prescribed by the user.

[0207] By means of such a configuration, there is obtained a security policy falling within the range prescribed by the user.

[0208] According to the present invention, the inquiry preparation means generates inquiries pertaining to the range of establishment prescribed by the user.

[0209] Such a configuration enables generation of only inquiries pertaining to a range prescribed by the user. Hence, submission of inquiries irrelevant to the range is prevented.

[0210] An invention according to a seventh embodiment will be described.

[0211] The seventh embodiment describes programs for causing a computer to perform the operations which have been described thus far and a recording medium (hard disk drive) having the programs recorded thereon. Hence, operations of the programs and operation of the recording medium having the programs recorded thereon are identical with those of the inventions which have been described thus far.

[0212] The present invention provides a computer-readable recording medium having recorded thereon a program for causing a computer to perform:

[0213] inquiry preparation procedures for generating inquiries which pertain to items required for establishing a security policy of the organization and are to be submitted to members of the organization;

[0214] answer archival procedures for entering answers to the generated inquiries and storing the answers into storage means; and

[0215] establishment procedures for establishing a security policy on the basis of the answers stored in the storage means.

[0216] According to the present invention, in the inquiry preparation procedures, inquiries to be submitted to interviewees are generated on the basis of job specifications of the interviewees.

[0217] According to the present invention, in the answer archival procedures, the answers acquired from a single member from among the acquired answers are integrated, and the integrated answers are stored into the storage means as answers of a single member to be inquired; or weights are assigned to answers according to job specifications of the members to be inquired if contradictory answers are included in the answers, to thereby estimate final answers and display the estimated final answers.

[0218] According to the present invention, in the inquiry preparation procedures, inquiries to be submitted to the interviewees are generated on the basis of the line of business of the organization.

[0219] According to the present invention, in the establishment procedures, a security policy is established on the basis of items of global guide lines of one or a plurality of types prescribed by a user.

[0220] According to the present invention, in the inquiry preparation procedures, the inquiries are generated on the basis of an indicator of rigorousness of security policy prescribed by the user.

[0221] According to the present invention, in the establishment procedures, a security policy within a range of establishment prescribed by the user is established.

[0222] The present invention provides a computer-readable recording medium having recorded thereon a program for causing a computer to perform:

[0223] inquiry preparation procedures for generating inquiries which pertain to items required for evaluating the degree of maturity of security of a predetermined organization and are to be submitted to members of the organization;

[0224] answer archival procedures for entering answers to the prepared inquiries and storing the answers into storage means; and

[0225] security maturity preparation procedures for preparing a security maturity report representing the degree of maturity of security, on the basis of the answers stored in the storage means.

[0226] The present invention provides a computer-readable recording medium having recorded thereon a program for causing a computer to perform:

[0227] contradiction inspection procedures for inspecting whether or not contradiction exists between individual answers submitted in response to inquiries which pertain to items required for ascertaining a difference between a security policy of the predetermined organization and an information system of the organization and which have been submitted to members of a predetermined organization; and

[0228] contradiction output procedures for outputting information about the inspected contradiction.

[0229] Preferably, the recording medium further comprises:

[0230] matching procedures for matching the answers on the basis of the information about contradiction, thus producing answers free of contradiction;

[0231] establishment procedures for virtually establishing the configuration of an information system of the organization, on the basis of the answers produced by the matching procedures; and

[0232] difference output procedures for outputting a difference between the configuration of the virtually-established information system and the security policy, obtained by means of comparison.

[0233] The present invention provides a computer-readable recording medium having recorded thereon a program for causing a computer to perform:

[0234] level-of-rigorousness inspection procedures for inspecting whether or not individual rules of the security policy match an indicator of rigorousness prescribed by a user;

[0235] rigorousness adjustment procedures for replacing the rules which have been determined not to match the indicator in the level-of-rigorousness inspection step with rules matching the indicator of rigorousness; and

[0236] merge and output procedures for merging the rules matching the indicator of rigorousness from the beginning with the rules which in the rigorousness adjustment step have replaced the rules not matching the indicator and for outputting the merged rules.

[0237] The inventions set forth relate to a recording medium. Next, an invention related to a program will be described.

[0238] The present invention provides a program for causing a computer to perform:

[0239] inquiry preparation procedures for generating inquiries which pertain to items required for establishing a security policy of a predetermined organization and are to be submitted to members of the organization;

[0240] answer archival procedures for entering answers to the prepared inquiries and storing the answers into storage means; and

[0241] establishment procedures for establishing a security policy on the basis of the answers stored in the storage means.

[0242] According to the present invention, in the inquiry preparation procedures, inquiries to be submitted to interviewees are generated on the basis of job specifications of the interviewees.

[0243] According to the present invention, in the answer archival procedures, the answers acquired from a single member from among the acquired answers are integrated, and the integrated answers are stored into the storage means as answers of a single member to be inquired; or

[0244] weights are assigned to answers according to job specifications of the members to be inquired if contradictory answers are included in the answers, to thereby estimate final answers and display the estimated final answers.

[0245] According to the present invention, in the inquiry preparation procedures, inquiries to be submitted to the interviewees are generated on the basis of the line of business of the organization.

[0246] According to the present invention, in the establishment procedures, a security policy is established on the basis of items of global guidelines of one or a plurality of types prescribed by a user.

[0247] According to the present invention, in the inquiry preparation procedures, the inquiries are generated on the basis of an indicator of rigorousness of security policy prescribed by the user.

[0248] According to the present invention, in the establishment procedures, a security policy within a range of establishment prescribed by the user is established.

[0249] The present invention provides a program for causing a computer to perform:

[0250] inquiry preparation procedures for generating inquiries which pertain to items required for evaluating the degree of maturity of security of a predetermined organization and are to be submitted to members of the organization;

[0251] answer archival procedures for entering answers to the generated inquiries and storing the answers into storage means; and

[0252] security maturity preparation procedures for preparing a security maturity report representing the degree of maturity of security, on the basis of the answers stored in the storage means.

[0253] The present invention provides a program for causing a computer to perform:

[0254] contradiction inspection procedures for inspecting whether or not contradiction exists between individual answers in response to inquiries which pertain to items required for ascertaining a difference between a security policy of the predetermined organization and an information system of the organization and which have been submitted to members of a predetermined organization; and

[0255] contradiction output procedures for outputting information about the inspected contradiction.

[0256] According to the present invention, the program further comprises:

[0257] matching procedures for matching the answers on the basis of the information about contradiction, thus producing answers free of contradiction;

[0258] establishment procedures for virtually establishing the configuration of an information system of the organization, on the basis of the answers produced by the matching procedures; and

[0259] difference output procedures for outputting a difference between the configuration of the virtually-established information system and the security policy, obtained by means of comparison.

[0260] The present invention provides a program for causing a computer to perform:

[0261] level-of-rigorousness inspection procedures for inspecting whether or not individual rules of the security policy match an indicator of rigorousness prescribed by a user;

[0262] rigorousness adjustment procedures for replacing the rules which have been determined not to match the indicator in the level-of-rigorousness inspection step with rules matching the indicator of rigorousness; and

[0263] merge and output procedures for merging the rules matching the indicator of rigorousness from the beginning with the rules which in the rigorousness adjustment step have replaced the rules not matching the indicator and for outputting the merged rules.
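The level-of-rigorousness inspection, rigorousness adjustment, and merge-and-output procedures recited in paragraphs [0187] to [0192], [0234] to [0236] and [0261] to [0263] can be read as one pipeline over a list of rules. The following is an added example written for this page; it is not code from the patent. The three-level indicator scale, the rule catalogue, the rule texts, and the reading of "match" as "written at exactly the prescribed level" are all assumptions made for the example.

```python
"""Added example (not from the patent): the level-of-rigorousness inspection,
rigorousness adjustment, and merge-and-output procedures as one pipeline.
The rule catalogue, the three-level indicator scale and the rule texts are
constructed for this example; the patent does not define them."""
from dataclasses import dataclass

# Assumed indicator scale, from least to most rigorous.
LEVELS = ("low", "medium", "high")


@dataclass(frozen=True)
class Rule:
    item: str   # guideline item the rule covers, e.g. "password_length"
    level: str  # rigorousness level the rule's wording represents
    text: str


# Constructed catalogue: for every item, one candidate rule per level, so that
# a rule at the wrong level can always be swapped for one at the user's level.
CATALOGUE = {
    "password_length": {
        "low": Rule("password_length", "low", "Passwords must be at least 6 characters."),
        "medium": Rule("password_length", "medium", "Passwords must be at least 10 characters."),
        "high": Rule("password_length", "high", "Passwords must be at least 14 characters or a passphrase."),
    },
    "mfa": {
        "low": Rule("mfa", "low", "MFA is recommended for administrators."),
        "medium": Rule("mfa", "medium", "MFA is required for administrators."),
        "high": Rule("mfa", "high", "MFA is required for all accounts."),
    },
    "log_retention": {
        "low": Rule("log_retention", "low", "Security logs are kept for 30 days."),
        "medium": Rule("log_retention", "medium", "Security logs are kept for 180 days."),
        "high": Rule("log_retention", "high", "Security logs are kept for 1 year on write-once storage."),
    },
}


def inspect_rigorousness(rules, indicator):
    """Level-of-rigorousness inspection: split the draft into rules that already
    match the user's indicator and rules that do not. "Match" is taken here to
    mean the rule is written at exactly the prescribed level (assumption), so
    adjustment can both tighten a lax rule and relax an over-strict one."""
    if indicator not in LEVELS:
        raise ValueError(f"unknown rigorousness indicator: {indicator!r}")
    matching = [r for r in rules if r.level == indicator]
    nonmatching = [r for r in rules if r.level != indicator]
    return matching, nonmatching


def adjust_rigorousness(nonmatching, indicator):
    """Rigorousness adjustment: replace each non-matching rule with the catalogue
    rule for the same item at the prescribed level. A missing catalogue entry is
    an error rather than a silent gap, so no item drops out of the policy."""
    replaced = []
    for rule in nonmatching:
        try:
            replaced.append(CATALOGUE[rule.item][indicator])
        except KeyError as exc:
            raise KeyError(f"no {indicator} rule in catalogue for item {rule.item!r}") from exc
    return replaced


def merge_and_output(matching, replaced, original_order):
    """Merge and output: combine the untouched and replaced rules, restoring the
    order of the original draft so the output reads like the input policy."""
    by_item = {r.item: r for r in matching + replaced}
    return [by_item[item] for item in original_order]


def adjust_policy(rules, indicator):
    """Run the three procedures end to end and return the adjusted rule list."""
    matching, nonmatching = inspect_rigorousness(rules, indicator)
    replaced = adjust_rigorousness(nonmatching, indicator)
    return merge_and_output(matching, replaced, [r.item for r in rules])


# Constructed draft with mixed levels, as a draft assembled from several
# global guidelines might come out.
DRAFT = [
    CATALOGUE["password_length"]["low"],
    CATALOGUE["mfa"]["high"],
    CATALOGUE["log_retention"]["medium"],
]

if __name__ == "__main__":
    for rule in adjust_policy(DRAFT, "high"):
        print(f"[{rule.level}] {rule.item}: {rule.text}")
```

Keeping the original order in the merge step matters in practice: a policy whose rules are silently reordered after adjustment is hard to diff against the draft the members were interviewed about, and a rule with no catalogue entry at the requested level should fail loudly rather than vanish from the output.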

BRIEF DESCRIPTION OF THE DRAWINGS

[0264] FIG. 1 is a flowchart representing the principle of a business model according to a preferred embodiment of the present invention;

[0265] FIG. 2 is a block diagram showing the configuration of an appraisal device;

[0266] FIG. 3 is a flowchart representing preparation of an appraisal report;

[0267] FIG. 4 is a block diagram showing the configuration of an apparatus for preparing a security policy draft;

[0268] FIG. 5 is a flowchart showing establishment of a security policy draft through use of a security policy draft establishment apparatus;

[0269] FIG. 6 is a listing of types representing job specifications;

[0270] FIG. 7 is a block diagram showing the configuration of an analyzer;

[0271] FIG. 8 is a block diagram showing the configuration of a security policy draft preparation apparatus according to a second embodiment of the present invention;

[0272] FIG. 9 is a block diagram showing the configuration of a security policy draft preparation apparatus according to a third embodiment of the present invention;

[0273] FIG. 10 is a block diagram showing the configuration of a security policy draft preparation apparatus according to a fourth embodiment of the present invention;

[0274] FIG. 11 is a block diagram showing the configuration of a security policy draft preparation apparatus according to a fifth embodiment of the present invention;

[0275] FIG. 12 is a block diagram showing the configuration of a security policy rigorousness adjustment apparatus according to the fifth embodiment of the present invention;

[0276] FIG. 13 is a flowchart showing operation of the security policy rigorousness adjustment apparatus according to the fifth embodiment;

[0277] FIG. 14 is a block diagram showing the configuration of a security policy draft preparation apparatus according to a sixth embodiment of the present invention; and

[0278] FIG. 15 is a descriptive view showing a computer and a hard disk drive provided therein according to a seventh embodiment.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT

[0279] A preferred embodiment of the present invention will now be described hereinbelow by reference to the accompanying drawings.

[0280] First Embodiment

[0281] There will be described a business model concerning a round of operations from establishment of a security policy of a certain organization to maintenance of the security policy. Preferably, the business model is implemented by a systems engineer through use of a predetermined expert system.

[0282] The principle of the business model according to a first embodiment of the present invention will first be described. FIG. 1 shows a flowchart representing the principle of such a business model. As illustrated by the drawing, the business model according to the present invention is basically made up of the following six steps.

[0283] Step 1: Assessment of security maturity

[0284] Step 2: Preparation of a security policy draft

[0285] Step 3: Virtual construction of the system, and inspection and analysis of the system

[0286] Step 4: Coordination between a policy and rules

[0287] Step 5: Priority Planning

[0288] Step 6: Implementation of measures to enhance security.

[0289] According to this six-step method of establishing security, an interview-based security policy draft is first prepared. If necessary, the draft is then adjusted so as to reflect the reality of the organization. Since the security policy is completed stepwise, it can be established in accordance with the schedule or budget of the organization.

[0290] Step 1 is for evaluating the current state of information security of an organization. Through this assessment, the organization can ascertain, with respect to management's understanding of information security, the goal to be attained.

[0291] Step 2 is for preparing an elementary security policy draft by submitting inquiries to members of the organization. The security policy draft is prepared by means of a simple interview, and hence a security policy can be prepared at relatively low cost.

[0292] Step 3 is for reviewing the difference between the virtually constructed information system and the reality of the organization. Since the virtually constructed information system is prepared on the basis of answers to the inquiries alone, it may differ from the reality of the organization.

[0293] Step 4 is for adjusting, in accordance with a difference, a security policy or rules about security products which have already been introduced.

[0294] Step 5 is for establishing a future information security plan, taking into consideration the priority of the means or measures to be adopted.

[0295] Step 6 is for performing required security protection measures according to the information security plan.

[0296] Since the security policy is established stepwise as mentioned above, a security policy can be established in accordance with realities of each organization; that is, the budget or concept of each organization.

[0297] For instance, whether a security policy draft alone is sufficient depends on the company's way of thinking or its budget. Priority planning makes the future plan concrete, which in turn makes it easier for the organization to develop a budget.

[0298] The dominant steps of the business model according to the present embodiment reside particularly in steps 2 through 4. In step 2, an elementary security policy draft is prepared. In step 3, a difference between the security policy draft and the realities of an organization is analyzed. In step 4, a security policy or rules for security products which have already been introduced are adjusted. So long as a business model includes at least steps 2 through 4, the business model enables systematic establishment of a security policy. Such a business model enables an increase in productivity and quality relative to a conventional method based on experience and intuition.

[0299] In order to implement such stepwise establishment of a security policy, various expert systems are used in the first embodiment.

[0300] Steps 1 through 6 will now be described individually, including a method of using expert systems.

[0301] A. Step 1: Assessment of Security Maturity

[0302] In this step, maturity of current information security of an organization is objectively assessed. Through such an appraisal, the organization can be rated in terms of security. More specifically, assessment of information security is performed by means of preparing the security maturity appraisal report.

[0303] In the first embodiment, security maturity is assessed on the basis of the Capability Maturity Model for software developed at Carnegie Mellon University in the U.S. According to this model, security maturity is quantitatively assessed with regard to five headings; that is, a score is assigned to each of the five headings.

[0304] The five headings are as follows:

[0305] a: Comprehension and posture of an administrator regarding information security

[0306] b: Security status of an organization

[0307] c: Response to an unexpected disaster

[0308] d: Budgeting for security

[0309] e: Measures to improve security

[0310] Here, an unexpected disaster means an event which threatens information security; for example, wiretapping or faulty operation of equipment. Entry "c" (response to an unexpected disaster) represents whether or not the organization can address such an event. Entry "d" (budgeting for security) represents whether or not a sufficient budget is ensured for information security. Entry "e" (measures to improve security) represents the extent to which a schedule or plan for security improvement has been made.

[0311] In the first embodiment, a maturity assessment report is prepared with regard to the above-described five headings, and includes scores. By means of such a report, an objective estimate of management's understanding of the organization's information system security can be obtained.

[0312] A specific method of preparing the security maturity assessment report will now be described.

[0313] In the first embodiment, inquiries are submitted to the organization's manager (CEO, president, etc.) and a maturity assessment report is prepared on the basis of answers to the inquiries. More specifically, an appraisal device 10 shown in FIG. 2 performs preparation of inquiries, collection of answers, and preparation of the security maturity assessment report. FIG. 3 shows a flowchart representing operations for preparing the security maturity assessment report. The flowchart shown in FIG. 3 shows, in more detail, processing pertaining to step S1-1 shown in FIG. 1.

[0314] As shown in FIG. 2, the appraisal device 10 has inquiry preparation means 12 for preparing inquiries to be submitted to managers to be inquired.

[0315] A variety of inquiries are stored beforehand in the storage means 14, and the inquiry preparation means 12 extracts inquiries required for a member to be inquired.

[0316] The appraisal device 10 has answer archival storage means 16. Answers submitted by managers in response to inquiries which have been prepared in the manner as mentioned above are supplied to the answer archival storage means 16. The answer archival storage means 16 preserves answers in the storage means 14.

[0317] The first embodiment is also characterized in that the answer archival storage means 16 has an answer integration function. In a case where inquiries are submitted by a plurality of systems engineers, answers to the inquiries are collectively stored in the storage means 14 according to the answer integration function. In a case where a large number of managers are to be inquired, answers can be acquired quickly by having a plurality of systems engineers share the load of submitting inquiries to the managers through interviews. In such a case, the resultant answers are accumulated in a plurality of computers. Therefore, these answers must be integrated into a single database.

[0318] As a matter of course, the answer integration function can also be used to integrate the answers of a single manager when inquiries have been submitted to the manager and answers acquired on several occasions, because submitting the inquiries and receiving the answers could not be completed on a single occasion.

[0319] The appraisal device 10 has security maturity preparation means 18, which prepares the security maturity report, or an assessment report about information security of an organization, on the basis of the group of answers stored in the storage means 14.

[0320] This appraisal device 10 is a so-called expert system.

[0321] Because the appraisal device 10 has the function of integrating collected answers, the security maturity assessment report can be prepared efficiently and precisely.

[0322] By reference to the flowchart shown in FIG. 3, there will be described an operation for preparing the security maturity assessment report.

[0323] In step S3-1, inquiries to be submitted to the member are prepared by the inquiry preparation means 12.

[0324] In step S3-2, a systems engineer submits the thus-prepared inquiries to the manager.

[0325] In step S3-3, answers to the inquiries are acquired from the manager and delivered to the answer archival storage means 16 of the appraisal device 10. As set forth, the answer archival storage means 16 has the answer integration function and sends the answers to the storage means 14 after having integrated them into a single database.

[0326] In step S3-4, the security maturity preparation means 18 prepares the security maturity assessment report, including scores assigned to the five respective headings, on the basis of the group of answers stored in the storage means 14.

[0327] As mentioned above, the security maturity assessment report is prepared through use of the appraisal device 10.

[0328] Comparison between Industry Standard and Scores Described in Security Maturity Assessment Report

[0329] As mentioned previously, scores (points) are assigned to five respective headings described in the security maturity assessment report.

[0330] The first embodiment is characterized particularly in that the average of the scores assigned to all organizations in the industry to which the organization belongs, and the highest score in that industry, are displayed along with the scores in the organization's own security maturity assessment report. Here, "highest score" means the top score (a theoretical value) which can be attained by any organization belonging to the industry.

[0331] As a result, the ranking of the organization's efforts for ensuring information security within its industry can be readily ascertained. The mean value and the maximum value for each industry are stored in the storage means 14 beforehand, and the average value is updated periodically.

[0332] Report on the Progress of Implementation of Security Measures

[0333] In the first embodiment, the security maturity assessment report is prepared so that management's understanding of the organization's information security is investigated prior to establishment of a security policy. However, if the security maturity report is also prepared during the course of sequential implementation of measures for information security, the progress of implementing those measures can be ascertained. Accordingly, the step of preparing the security maturity report also serves as a step of reporting the progress of implementation of security measures.

[0334] In the appraisal device 10 according to the first embodiment, all the inquiries and corresponding answers are stored in the storage means 14. However, it may be the case that inquiries are stored in one storage means and answers are stored in another storage means.

[0335] B. Step 2: Preparation of Security Policy Draft

[0336] In this step, a simple security policy draft of an organization is prepared. The draft corresponds to a security policy based on the answers submitted by members of the organization in response to inquiries. Since the actual information system of the organization has not yet been investigated, a security policy cannot be established immediately.

[0337] Various basic headings and contents used for establishing a standard security policy are already known as international guidelines. These guidelines are hereinafter called global guidelines. In the present embodiment, a security policy draft is prepared by extracting principles from the global guidelines and combining the extracted principles as required.

[0338] In the first embodiment, a security policy draft preparation apparatus 20 is used for preparing a security policy draft. FIG. 4 is a block diagram showing the configuration of the security policy draft preparation apparatus 20.

[0339] As shown in FIG. 4, the security policy draft preparation apparatus 20 has inquiry preparation means 22 for preparing inquiries to be submitted to a member to be inquired, in accordance with the job specifications of that member. The inquiries are varied according to the job specifications of the member so as to acquire useful answers, as is also done by the inquiry preparation means 12 of the appraisal device 10.

[0340] A variety of inquiries are stored beforehand in storage means 24 provided in the security policy draft preparation apparatus 20, as in the case of the storage means 14 shown in FIG. 2. The inquiry preparation means 22 extracts appropriate inquiries from the storage means 24 in accordance with the job specifications of a member.

[0341] The security policy draft preparation apparatus 20 is further equipped with answer archival storage means 26. The answer archival storage means 26 stores answers into the storage means 24, as does the answer archival storage means 16. Further, the answer archival storage means 26 has an answer integration function.

[0342] Integration Function

[0343] An integration function includes the following features:

[0344] (1) A plurality of systems engineers separately conduct interviews with individual members and collect the resultant answers, which are then integrated into a single database. This covers both the case in which a plurality of systems engineers interview a single member and the case in which a series of inquiries of the same type is submitted to a plurality of members.

[0345] (2) There may be a case where a single inquiry is submitted to different members through interviews. In such a case, the answers may contradict one another. There are two measures for eliminating the contradiction. The first measure is a re-interview: where respondents have submitted incorrect answers, the contradiction can be resolved by conducting a re-interview, an inspection, or both. The second measure is to determine the answer by assigning weights to the answers in accordance with the types (job specifications) of the members.

[0346] In the present embodiment, the user can freely select either the first measure or the second measure.
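The integration function and the two measures for contradictory answers described above (and recited in paragraphs [0217] and [0243] to [0244]) can be shown on a small set of interview records. The following is an added example written for this page, not code from the patent or from any product. The interview records, the weight table, and the choice that a member's later answer supersedes an earlier one are assumptions made for the example.

```python
"""Added example (not from the patent): the answer-integration function with
both measures for contradictory answers, (1) flagging for re-interview and
(2) weighting by job specification. The interview records and the weight
table are constructed for this example; the patent publishes neither."""
from collections import defaultdict

# Assumed weight table: how much an answer counts per interview heading,
# by the respondent's job specification. Unlisted combinations weigh 1.
JOB_WEIGHTS = {
    "network": {"network_admin": 3, "ceo": 1, "helpdesk": 1},
    "organization": {"ceo": 3, "network_admin": 1, "helpdesk": 1},
}


def rec(member, job, heading, inquiry, answer):
    """Build one interview record (a row as an interviewer would enter it)."""
    return {"member": member, "job": job, "heading": heading,
            "inquiry": inquiry, "answer": answer}


# Constructed interview records, in the order the answers were acquired.
RECORDS = [
    rec("alice", "network_admin", "network", "net.vpn", "yes"),
    rec("bob", "ceo", "network", "net.vpn", "no"),
    rec("carol", "helpdesk", "network", "net.vpn", "no"),
    rec("bob", "ceo", "organization", "org.policy", "no"),    # first session
    rec("alice", "network_admin", "organization", "org.policy", "yes"),
    rec("bob", "ceo", "organization", "org.policy", "yes"),   # second session corrects the first
    rec("carol", "helpdesk", "network", "net.fw", "none"),
    rec("dave", "helpdesk", "network", "net.fw", "stateless"),
]


def integrate(records):
    """Answer integration: merge answers collected by several interviewers, or
    from one member on several occasions, into one answer per (member, inquiry).
    A member's later answer supersedes an earlier one (assumption)."""
    merged = {}
    for r in records:
        merged[(r["member"], r["inquiry"])] = r
    return list(merged.values())


def _by_inquiry(records):
    grouped = defaultdict(list)
    for r in records:
        grouped[r["inquiry"]].append(r)
    return grouped


def find_contradictions(records):
    """Contradiction inspection: inquiries for which different members gave
    different answers. Run this on integrated records, so that a member's own
    corrected answer is not reported as a contradiction."""
    return {q: rs for q, rs in _by_inquiry(records).items()
            if len({r["answer"] for r in rs}) > 1}


def estimate_final_answers(records):
    """Second measure: weighted vote by job specification. An inquiry whose
    top answers tie cannot be estimated and is returned for the first measure,
    re-interview or inspection."""
    final, reinterview = {}, []
    for q, rs in _by_inquiry(records).items():
        tally = defaultdict(int)
        for r in rs:
            tally[r["answer"]] += JOB_WEIGHTS.get(r["heading"], {}).get(r["job"], 1)
        ranked = sorted(tally.items(), key=lambda kv: kv[1], reverse=True)
        if len(ranked) > 1 and ranked[0][1] == ranked[1][1]:
            reinterview.append(q)
        else:
            final[q] = ranked[0][0]
    return final, reinterview


if __name__ == "__main__":
    merged = integrate(RECORDS)
    print("contradictions:", sorted(find_contradictions(merged)))
    final, redo = estimate_final_answers(merged)
    print("estimated:", final)
    print("needs re-interview:", redo)
```

Two points the paragraph leaves implicit and the code makes concrete: integration must run before contradiction inspection, otherwise a member who corrected an answer in a second session is reported as contradicting themselves; and weighting is only a heuristic, so an exact tie is handed back to the first measure rather than broken arbitrarily. In this constructed data the network administrator's "VPN is used" outweighs two non-specialists, but two helpdesk members disagreeing about the firewall are sent back for re-interview.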

[0347] The security policy draft preparation apparatus 20 has draft preparation means 28 for preparing a security policy draft. The draft preparation means 28 prepares a security policy on the basis of the group of answers stored in the storage means 24.

[0348] The security policy draft preparation apparatus 20 is a so-called expert system, as is the appraisal device 10. In fact, the previously-described individual means are preferably embodied as software which is executed on a computer.

[0349] By reference to a flowchart shown in FIG. 5, there will be described an operation for preparing a security policy draft. FIG. 5 shows a flowchart representing an operation for preparing a security policy draft through use of the security policy draft preparation apparatus 20.

[0350] In step S5-1, job specifications of members who are to be inquired are supplied to the inquiry preparation means 22, and inquiries are submitted to the members.

[0351] As set forth, in the first embodiment, inquiries to be prepared are determined in accordance with job specifications of the members. Consequently, appropriate inquiries to be submitted to members to be inquired can be prepared.

[0352] A so-called course of inquiries is determined in accordance with job specifications of a member. Actual inquiries to be submitted in each course are changed in response to an answer submitted by a member. For example, if in response to an inquiry about use of VPN a member has answered that VPN is not used, detailed inquiries about VPN are skipped. In contrast, if the member has answered that VPN is used, detailed inquiries about VPN are submitted to the member.

[0353] Such a control operation is implemented by utilization of a so-called knowledge-based expert system.
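The course-of-inquiries control just described, in which the headings asked depend on the member's job specification and the detailed inquiries depend on earlier answers (the VPN case in the paragraph above), is the kind of thing a small rule-driven engine handles. The following is an added example written for this page; it is not the patent's expert system and not code from any product. The inquiry catalogue, the job-to-heading mapping, and the precondition scheme are constructed for the example.

```python
"""Added example (not from the patent): a small knowledge-based inquiry
course. Which headings a member is asked about depends on their job
specification, and detailed inquiries are only asked when a prerequisite
answer has been given (here, VPN details only when a VPN is in use). The
catalogue and the course mapping are constructed for this example."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Inquiry:
    ident: str
    heading: str
    text: str
    # (inquiry ident, required answer) pairs that must all hold before this
    # inquiry is asked; an empty tuple means the inquiry is unconditional.
    depends_on: tuple = ()


# Constructed inquiry catalogue, grouped by interview heading.
CATALOGUE = [
    Inquiry("org.policy", "organization", "Is there a written organization policy?"),
    Inquiry("net.vpn", "network", "Is a VPN used for remote access?"),
    Inquiry("net.vpn.auth", "network", "How are VPN users authenticated?",
            (("net.vpn", "yes"),)),
    Inquiry("net.vpn.cipher", "network", "Which cipher suites does the VPN gateway accept?",
            (("net.vpn", "yes"),)),
    Inquiry("host.patch", "host", "How often are server patches applied?"),
]

# Constructed mapping from job specification to the headings in that
# member's course; e.g. the CEO is not asked "host" inquiries.
COURSES = {
    "ceo": ("organization",),
    "network_admin": ("organization", "network"),
    "server_admin": ("organization", "host"),
}


def course_for(job):
    """The inquiries in a member's course, in catalogue order."""
    headings = COURSES[job]
    return [q for q in CATALOGUE if q.heading in headings]


def pending_inquiries(job, answers):
    """Inquiries that should be submitted next: those in the course that are
    not yet answered and whose preconditions are met by the answers so far.
    An inquiry whose precondition failed (VPN not used) is never pending."""
    pending = []
    for q in course_for(job):
        if q.ident in answers:
            continue
        if all(answers.get(dep) == want for dep, want in q.depends_on):
            pending.append(q)
    return pending


def run_interview(job, respond):
    """Drive one interview to completion. `respond(inquiry)` returns the
    member's answer string; returns the dict of answers actually collected."""
    answers = {}
    while True:
        pending = pending_inquiries(job, answers)
        if not pending:
            return answers
        q = pending[0]
        answers[q.ident] = respond(q)


if __name__ == "__main__":
    # Constructed responses for a network administrator whose site uses a VPN.
    scripted = {"org.policy": "yes", "net.vpn": "yes",
                "net.vpn.auth": "certificates", "net.vpn.cipher": "AES-GCM only"}
    for ident, ans in run_interview("network_admin", lambda q: scripted[q.ident]).items():
        print(f"{ident}: {ans}")
```

The loop terminates because every iteration answers one new inquiry and skipped inquiries never become pending; a catalogue that lists a dependent inquiry before its prerequisite still works, since the dependent one simply waits until the prerequisite is answered.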

[0354] In step S5-2, the thus-prepared inquiries are submitted to members.

[0355] In step S5-3, answers to the inquiries are submitted by the members, and the answers are entered to the answer archival storage means 26 of the security policy draft preparation apparatus 20. Preferably, the answers are entered by the interviewers. As a matter of course, there may be employed a form in which individual members answer inquiries by way of a screen of the policy draft preparation apparatus 20. The answer archival storage means 26 has an answer integration function, as mentioned above, and integrates answers acquired by a plurality of interviewers into a single database and stores the single database into the storage means 24.

[0356] In step S5-4, on the basis of the group of answers stored in the storage means 24, the draft preparation means 28 prepares a security policy draft by combination of various principles extracted from the global guidelines.

[0357] As set forth, a security policy draft is prepared through use of the security policy draft preparation apparatus 20.

[0358] In the first embodiment, there are prepared three levels of (drafts of) security policy: that is, an executive-level security policy (draft), a corporate-level security policy (draft), and a product-level security policy (draft). These three levels of security policy drafts will be described later in section B-5.

[0359] B-1: Inquiries (for an interview)

[0360] Inquiries (often called an "interview") will be described hereinbelow.

[0361] Headings of an interview are as follows:

[0362] 1. Organization

[0363] 2. Network

[0364] 3. Server and host

[0365] 4. Application and database

[0366] 5. Security items of great importance

[0367] 6. Other security items

[0368] Individual headings will now be described.

[0369] (1) Organization

[0370] In connection with heading "organization," an interview is conducted on the outline and structure of the "organization." From answers to the inquiries, there can be derived an information security administration system, policy principles, and an analysis of vulnerability (analysis of differences).

[0371] Heading "organization" is followed by the following sub-headings.

[0372] 1.1 Management system

[0373] 1.2 Employees

[0374] 1.3 Outline of enterprise

[0375] 1.4 Vendors

[0376] 1.5 Clients

[0377] 1.6 Consultants

[0378] 1.7 Outsourcing

[0379] 1.8 Application

[0380] 1.9 Network

[0381] 1.10 Security profile

[0382] 1.11 Business category

[0383] 1.12 Organization policy

[0384] Inquiry headings may change according to job specifications. For instance, inquiry heading "host" is not provided for a chief executive officer. The present embodiment is thus characterized in that inquiries change according to job specifications, so that inquiries tailored to a member's job specification can be submitted to that member, enabling an interview to be conducted efficiently.

[0385] (2) Network

[0386] In connection with heading "network," inquiries about the outline, operation, and settings of a network are submitted through an interview. From answers to these inquiries, there can be derived the vulnerability of the network, a corporate-level policy pertaining to the network, or the like.

[0387] Heading "network" is followed by the following sub-headings.

[0388] 2.1 Operation environment

[0389] 2.2 Network properties

[0390] 2.3 Authentication and identification

[0391] 2.4 Audit and logs

[0392] 2.5 Access control

[0393] 2.6 Modification procedures

[0394] 2.7 Disaster recovery

[0395] 2.8 Operation reliability

[0396] 2.9 Physical security

[0397] 2.10 Modem

[0398] 2.11 Workstation security

[0399] (3) Server and host

[0400] In connection with heading "server and host," inquiries about the outline, operation, and settings of a host are submitted through an interview. From answers to the inquiries, there are derived the weakness of a host and a corporate-level policy pertaining to a host and a server.

[0401] Heading "server and host" is followed by the following sub-headings.

[0402] 3.1 Properties of server and host

[0403] 3.2 Authentication and identification

[0404] 3.3 Audit and logs

[0405] 3.4 Access control

[0406] 3.5 Modification procedures

[0407] 3.6 Disaster recovery and back-up

[0408] 3.7 Operation reliability

[0409] 3.8 Physical security

[0410] (4) Application and database

[0411] In connection with heading "application and database," inquiries about the outline, operation, and settings of an application are submitted through an interview. From answers to the inquiries, there are derived the vulnerability of an application and a corporate-level policy pertaining to an application.

[0412] Heading "application and database" is followed by the following sub-headings.

[0413] 4.1 Properties of application and database

[0414] 4.2 Authentication and identification

[0415] 4.3 Audit and logs

[0416] 4.4 Access control

[0417] 4.5 Modification procedures

[0418] 4.6 Disaster recovery and back-up

[0419] 4.7 Operation reliability

[0420] 4.8 Physical security

[0421] (5) Security items of great importance

[0422] In connection with heading "security items of great importance," inquiries about the information usually required for establishing a firewall are submitted through an interview. From answers to the inquiries, there are derived a corporate-level policy and a product-level policy.

[0423] Heading "security items of great importance" is followed by the following sub-headings.

[0424] 5.1 Management of firewall

[0425] 5.2 Packet filtering

[0426] 5.3 NAT (network address translation)

[0427] 5.4 SMTP content filtering

[0428] 5.5 FTP content filtering

[0429] 5.6 HTTP content filtering

[0430] 5.7 Logs and alert

[0431] (6) Other security items

[0432] In connection with heading "other security items," inquiries about the information usually required for establishing a VPN are submitted through an interview. From answers to the inquiries, there are derived a corporate-level policy and a product-level policy.

[0433] Heading "other security items" is followed by the following sub-headings.

[0434] 6.1 VPN properties

[0435] 6.2 VPN management

[0436] 6.3 Key delivery

[0437] 6.4 Logs and audit

[0438] B-2 Interview Style

[0439] The contents of an interview are as set forth above, and the interview is conducted in any of various forms, such as free-text description or multiple choice.

[0440] B-3 Interviewee

[0441] The security policy draft preparation apparatus 20 according to the first embodiment changes inquiries according to a member who is an interviewee. In short, inquiries are controlled according to job specifications of an interviewee.

[0442] Consequently, appropriate inquiries to be submitted to an interviewee can be prepared.

[0443] In more detail, a so-called course of inquiries is determined in accordance with job specifications of a member. Inquiries to be submitted in each course are changed in response to an answer submitted by a member. For example, if in response to an inquiry about use of VPN a member has answered that VPN is not used, detailed inquiries about VPN are skipped. In contrast, if the member has answered that VPN is used, detailed inquiries about VPN are submitted to the member.

[0444] Such a control operation is implemented by utilization of a so-called knowledge-based expert system.

[0445] Prior to conduct of an actual interview, job specifications of an interviewee must be entered into the security policy preparation apparatus 20. More specifically, data pertaining to the following entries are input.

[0446] * Name

[0447] * Department

[0448] * Title

[0449] Postal Code

[0450] Address

[0451] Country

[0452] Phone Number

[0453] E-mail Address

[0454] * Type

[0455] Of these entries, entries prefixed by asterisks are required entries. Here, the expression "type" denotes a symbol representing a job specification. In the present embodiment, symbols shown in FIG. 6 are used for expressing a job specification. Simply put, the "type" denotes a job specification. Inquiries to be submitted are determined on the basis of a type. A listing of types to be handled in the present embodiment is shown in FIG. 6.

[0456] The inquiries actually submitted to an interviewee change according to the answers given. Such control of inquiries is performed on the basis of a knowledge-based operation. For instance, an inquiry about the "expiration date of a password" is not submitted to members who, in response to an inquiry as to whether or not an expiration date is set for a password, have answered that no expiration is imposed. In contrast, an inquiry about the expiration date of a password may be submitted to members who have answered that an expiration date is set.
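The inquiry control described in paragraphs [0352], [0443] and [0456] (a course selected by job type, with detailed inquiries submitted or skipped according to earlier answers) can be expressed as a small rule-driven controller. The following Python is an added illustration, not code from the patent; the type symbols "E" and "N", the inquiry identifiers and the questions are constructed here, and the patent's actual type symbols are those of its FIG. 6.

```python
from dataclasses import dataclass, field

@dataclass
class Inquiry:
    iid: str
    text: str
    # follow-ups are submitted only when the answer to this inquiry equals
    # `when`; any other answer skips the whole detailed branch
    follow_ups: list = field(default_factory=list)
    when: str = "yes"

# Constructed courses keyed by a hypothetical type symbol ("E" executive,
# "N" network administrator). The executive course carries no "host"
# heading, as paragraph [0384] describes.
COURSES = {
    "E": [Inquiry("1.1", "Is there a management system for information security?")],
    "N": [
        Inquiry("2.3", "Is an expiration date set for passwords?",
                [Inquiry("2.3.1", "What is the password expiration period in days?")]),
        Inquiry("6.1", "Is a VPN used?",
                [Inquiry("6.1.1", "Which VPN protocol is used?"),
                 Inquiry("6.3", "How are VPN keys delivered?")]),
    ],
}

def conduct_interview(type_symbol, answer_fn):
    """Walk the course for `type_symbol`, obtaining each answer from
    answer_fn(iid, text) and descending into follow-ups only when the gating
    answer matches. Returns the ordered list of (iid, answer) actually asked."""
    if type_symbol not in COURSES:
        raise KeyError(f"no inquiry course for type {type_symbol!r}")
    submitted = []

    def ask(inq):
        answer = answer_fn(inq.iid, inq.text)
        submitted.append((inq.iid, answer))
        if answer == inq.when:  # knowledge-base rule: branch on the answer
            for child in inq.follow_ups:
                ask(child)
        # otherwise the detailed inquiries on this topic are skipped

    for inq in COURSES[type_symbol]:
        ask(inq)
    return submitted

def scripted(answers):
    """Answer function built from a constructed dict; unlisted inquiries get 'no'."""
    return lambda iid, _text: answers.get(iid, "no")
```

With `scripted({"2.3": "yes", "2.3.1": "90"})` a type "N" interviewee is asked 2.3, 2.3.1 and 6.1, and the VPN follow-ups are skipped because 6.1 was answered "no".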

[0457] B-4 Information Assets to be Managed

[0458] In the first embodiment, information assets for which security must be ensured are classified into five categories, namely network, host, application, user group, and others. When information assets are entered into the security policy draft preparation apparatus 20 according to the present embodiment, data pertaining to the following four entries are to be input. Where information assets belong to either category "host" or category "network," data pertaining to two additional entries, i.e., "IP address" and "sub-net mask," are to be entered.

[0459] Asset ID

[0460] * Asset type

[0461] * Name of asset

[0462] Details

[0463] Of these entries, entry "asset type" covers five types.

[0464] A Application

[0465] H Host

[0466] N Network

[0467] U User group

[0468] W Others, including URL, domain names, and file names

[0469] The expression "user group" designates a logical set of users possessing a common characteristic. For example, users who handle, amend, analyze, and report accounting information are collectively called an "accounting group." Each user group is formed from one user or from two or more users. The word "user" designates a human who uses information assets.
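The asset entry rules of section B-4 (required "asset type" and "name of asset", five type symbols, and an IP address and sub-net mask required only for hosts and networks) lend themselves to a record validator. The following Python is an added illustration, not code from the patent; the field names, the sample registry and the stricter check that a network entry names its network address are constructed assumptions.

```python
import ipaddress

ASSET_TYPES = {"A": "application", "H": "host", "N": "network",
               "U": "user group", "W": "others (URL, domain name, file name)"}
NETWORKED = {"H", "N"}  # categories that carry IP address and sub-net mask

def validate_asset(record):
    """Return the list of problems with one asset record (empty means valid)."""
    problems = []
    atype = record.get("asset_type")
    if not atype:
        problems.append("asset_type is required")
    elif atype not in ASSET_TYPES:
        problems.append(f"asset_type {atype!r} is not one of {sorted(ASSET_TYPES)}")
    if not record.get("name"):
        problems.append("name is required")
    if atype in NETWORKED:
        ip, mask = record.get("ip_address"), record.get("subnet_mask")
        if not ip or not mask:
            problems.append("ip_address and subnet_mask are required for H and N assets")
        else:
            try:
                # Added interpretation: a network entry must name the network
                # address itself (strict rejects host bits); a host may be any
                # address inside its sub-net. Non-contiguous masks also fail here.
                ipaddress.ip_network(f"{ip}/{mask}", strict=(atype == "N"))
            except ValueError as exc:
                problems.append(f"bad ip_address/subnet_mask: {exc}")
    return problems

def validate_assets(records):
    """Validate a batch; returns {asset_id: problems} for invalid records only."""
    return {r.get("asset_id", f"<row {i}>"): p
            for i, r in enumerate(records) if (p := validate_asset(r))}

# Constructed sample registry (asset ID is optional per the entry list above)
SAMPLE_ASSETS = [
    {"asset_id": "A-001", "asset_type": "A", "name": "Accounting application"},
    {"asset_id": "H-001", "asset_type": "H", "name": "Mail server",
     "ip_address": "192.0.2.10", "subnet_mask": "255.255.255.0"},
    {"asset_id": "N-001", "asset_type": "N", "name": "DMZ segment",
     "ip_address": "192.0.2.0", "subnet_mask": "255.255.255.0"},
    {"asset_id": "H-002", "asset_type": "H", "name": "File server"},  # no IP/mask
    {"asset_id": "X-001", "asset_type": "X", "name": "Unknown"},      # bad type
    {"asset_id": "U-001", "asset_type": "U", "name": ""},             # no name
]
```

Running `validate_assets(SAMPLE_ASSETS)` reports only H-002, X-001 and U-001; the first three records satisfy the entry rules.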

[0470] B-5 Preparation of Security Policy Draft

[0471] A security policy is established by means of entering into the security policy draft preparation apparatus 20 answers to the foregoing inquiries. This device is a so-called expert system. By means of entry of answers to inquiries into a system, the system produces and outputs a security policy. Such a device which produces data of some kind in response to entry of answers to inquiries has already been known as an expert system, and hence its detailed explanation is omitted.

[0472] In the first embodiment, three levels of security policies are produced; i.e., an executive-level security policy, a corporate-level security policy, and a product-level security policy. Similarly, there are prepared three levels of security policy drafts corresponding to the respective security policies.

[0473] (1) Executive-level Security Policy

[0474] An executive-level security policy consists of descriptions of the organization's "concept" and "policy" concerning security.

[0475] An executive-level policy includes the following items.

[0476] Access Control

[0477] An owner of information assets must manage and control the right to access information assets. In order to implement control of the access right, an access control mechanism of a control system used for preserving or processing information assets must be used. Item "access control" describes the organization's concept and policy concerning control of the access right.

[0478] Accuracy of Information

[0479] It is extremely important to maintain the contents of information assets accurately as they are, because information assets are indispensable for making business decisions. Item "accuracy of information" describes the organization's concept and policy concerning the guarantee of accuracy of the content of information assets.

[0480] Guarantee

[0481] An organization must employ appropriate measures to ensure suitable safety of information resources or security. Item "guarantee" describes the organization's concept and policy concerning measures to ensure safety.

[0482] Accountability

[0483] All systems must enable recording and analysis of user activities, and an individual user must have responsibility for his own acts. Item "accountability" describes the organization's concept and policy concerning personal responsibility of an individual user.

[0484] Identification and Verification

[0485] All users must be appropriately identified in accordance with the security level of the information assets concerned. Item "identification and verification" describes the organization's concept and policy concerning such identification.

[0486] Emergency Response Plan

[0487] An organization must prepare a detailed plan and procedures for ensuring an appropriate response to a failure in a system or a network. Item "emergency response plan" describes the organization's concept and policy concerning the plan and procedures for responding to an emergency.

[0488] Awareness of Security

[0489] Top executives and other employees must become conscious of requirements for the organization's information security, as well as of their personal responsibility. Item "awareness of security" describes the organization's concept and policy concerning personal responsibility.

[0490] Categorization of Information

[0491] Information security is for protecting information assets. For this reason, information assets which are objects of protection must be categorized and appropriately protected according to categories. Item "categorization of information" describes the organization's concept and policy concerning information assets.

[0492] Vocational Ethics

[0493] A user must obey the established rules of conduct and handle information assets ethically. In the event that a user handles information assets unethically, breaks a law or rule, or handles information assets for his private benefit, the user