Achieving a rich, safe, and secure “Advanced
Achieving a rich, safe, and secure “Advanced
Information Society”
Information Society”
Overview: Interim Report of the “Study Forum for
Dependability & Security of Information Systems & Software
参考資料2
epe dab ty & Secu ty o
o
at o Syste s & So t a e
in the Advanced Information Society”
March 2009
Information Service Industry Division &
IT Security Policy Office,
Commerce and Information Policy Bureau,
Ministry of Economy, Trade and Industry
Achieving a rich, safe, and secure “Advanced Information Society”
−Overview: Interim Report of “Study Forum for Dependability & Security of Information Systems & Software in the Advanced Information Society”−The information systems & software have been ... a part of daily life.
the information systems bear the core functions in our social infrastructure such as electricity systems, financial systems, etc.
realizing various services & products.
bigger and bigger; more and more complicated.
Issues in the Advanced Information Society
“Visualizing & Measurement” of dependability & security of information systems & software will achieve ...
Sharing the goals of dependability & security that should be prepared (achieving social consensus).
Accelerating innovations by achieving these goals.
Achieving a creative, safe, secure society with strong infrastructure.
The “Visualizing & Measurement ” approach
Achieving a new society where people can put various interconnected IT services
and products to practical use.
Preventing “damage beyond that assumed” in the “Advanced Information Society”
where risk has been expanding along with IT is also important.
1
Achieving a rich, secure, safe advanced information society.
Achieving a rich, secure, safe advanced information society.
(出典:http://takama.jugem.jp/)(出典:http://takama.jugem.jp/) (出典:http://takama.jugem.jp/)
Damage from assumption sometimes happens.
e.g.・Stock exchange systems’ failure ・Traffic paralysis
Developing software metrics to evaluate and manage the dependability & security of information systems & software.
Gathering, analyzing, and sharing knowledge on trouble-shooting for information systems. Maintenance of rules and systems such as drawing up guidelines.
Promoting the development of advanced technologies for dependability and security. Building up international
cooperation.
However, the invisible risk increases.
Acceleration of combination of services & products realizes various creative services.
Outline of the Interim Report
We should achieve social consensus on dependability & security levels of ISs with a good balance of service level,
risk, and cost by “visualizing & measuring.” Then we should accelerate innovations by going forward to the goals.
Efforts on various
issues
Achieving social consensus & everybody achieving the advanced information society together
“Visualizing & Measuring” of dependability & security
and
Achieving social consensus
Strengthening IT Management
Software metrics to evaluate and
Improving Business Practice & Contracts
Improving IS Management System & Sharing Information
Improving Business with Visualizing & Measurement of IT Impact IT Investment with Quantitative Metrics
Forming Mutual Understanding between User and Vendor based on Metrics Making a Contract with Clear Responsibility between User and Vendor
Establishing a framework to share trouble-shooting info. and Best Practices of IS management Prevailing Best Practices about Business Continuity Plan (BCP)
Proposing a model of what dependability & security should be in the Advanced Information Society, by making good
use of Japanese core competence, by promoting international cooperation with each country, and by promoting
international standardization of the “Visualizing & Measuring” method as collaboration between Industry and Academy. 2
International contribution for achieving the Advanced Information Society
Software metrics to evaluate and manage the dependability & security of information systems
& software.
Drawing up standards to estimate dependability & security levels for executives.
Setting the items and requirements for persons in charge.
Developing quantitative software metrics to evaluate and manage dependability & security.
Establishing evaluation systems for interoperability, security, etc.
Research and Development
Improvement and demonstration of architecture description language, formal method or other new development technology.
Development of solid system architecture (foundation of cloud computing systems, autonomic computers, etc.)
Keeping up with more complex and multi-layered architecture of information system.
Studying a Framework for New IT Services e.g., Cloud
“Visualizing & Measuring” of service level and responsibility regarding new IT service such as cloud computing.
Achievement of interoperable services and flexible trouble-shooting utilizing ADR, etc.
Human capital development
Reinforcement of human capital development under Industry-University-Government cooperation and with the user side.
Participants’ roles in information systems & software
Information
System
Vender
End
User
Unclear function,
dependability or security
of information systems.
Executive InformationIs it OK?
Doesn’t know how
safe and secure it is.
Doesn’t know what systems
or services the owner want.
3
Classifying the dependability & security levels into 4 types. (System Profiling)
IT manager
Unclear responsibility
between user and vendor
Provision of
“Visualizing & Measuring”
of dependability & security
Executive
officers System User
Doesn’t know
business changes and
their influence.
Doesn’t know how to
evaluate or manage.
WorkersDrawing up quantitative software metrics to evaluate or manage the information systems. Developing method for defining requirements so both user and vendor can communicate correctly.
Refinement of objective evaluation framework about interoperability, security, etc.
Making a contract with clear responsibility between User and Vendor. (Utilization of “Model Trade and Contracts for Information Systems”)
System Vendors
An Empirical Framework for improving Dependability & Security
of Information Systems, and Future Tasks
説明責任 正確な理解の醸成
System Profiling
Evaluating System Characteristics and classifying ISs into 4 types
Project Profiling
Analyzing the characteristics of IT projects systematically
プロダクト品質指標
(設計書ボリューム率)
非機能要求グレード表等
TypeⅠ TypeⅡ TypeⅢ TypeⅣ
TypeⅠ TypeⅡ TypeⅢ TypeⅣ Definition of Quality Goals
Defining Quality Goals by using software metrics on product & process quality
Future tasks
Refining through feasibility studies in each business domain End Users System Users
4
国
民
重要インフラサービス最終受益者 対策コストの負担者 プロセス品質指標 (設計レビュー作業充当率) ST-SESMIC ScaleRefining Quality Goals by applying ST-SESMIC scale evaluation in the case of real problems with ISs
Quality Control
Future tasks
Establishing a method to protect or minimize problems in
Information Systems
Future tasks
Reaching national consensus on risks of Information Systems
Evaluation of Dependability & Security level for ISs
Establishing a common method and software metrics for evaluating Dependability & Security level for ISs and reference values
Users
IC Card for Digital Appliance .
Business Equipment
Building Systems for providing objective evaluations of IT Security
For safe use of information systems, it is important to guarantee that the information and services
are provided only to persons permitted access.
For safe use of information systems, it is important to guarantee that the information and services
are provided only to persons permitted access.
IC Card for Bank, Payment
N
k
IC Card for Electronic Toll Collection
IC Card for Transportation
Business Use
TrustAnchor of information
• Building a system to evaluate and certify the
security of information technology in Japan.
• Studying e-authentication guidance for the private sector
based on efforts of e-government and foreign countries.
Security evaluation of system LSI
Guidance for e-authentication
Login ID METI・・ ***** PW E-authentication
Private Use
Network
IC Card for Identification
Information-sharing framework to enhance operation and
maintenance process, and diffuse BCP
Almost 70% of system problems come from operation and maintenance process.
It is necessary to establish an information-sharing framework where a public organization
gathers and analyze information on a case bases and shares knowhow appropriately.
We promote the development of a BCP and promote it to various companies.
Almost 70% of system problems come from operation and maintenance process.
It is necessary to establish an information-sharing framework where a public organization
gathers and analyze information on a case bases and shares knowhow appropriately.
We promote the development of a BCP and promote it to various companies.
Private Community
Overview of the information-sharing framework
Public community
Sharing Best Practices of operation process & IS trouble-shooting measures with members
Gathering,
analyzing, and
sharing
information
Announcement,
News Release,
Report, etc.
(Problem vulnerability virus info )
6
Public
Organization
Company A Company B Company C An information-sharing framework in the entire society should be established.Furthering awareness and providing support to formulate BCP
Accumulation of each operation’s know-how & trouble-shooting for IS
(Problem, vulnerability, virus info.)
Companies, Individuals
It is necessary to formulate BCP to minimize damage caused by information system failure.
Through various seminars, METI will promote “Guidelines for the Formulation of a Business Continuity Plan” to the
business sector through continuing education
Government, Media, etc
Dependability & Security in systems such as cloud computing
Cloud computing is the network-based use of many resources for information-processing
such as the servers and storage media at our disposal.
There is the possibility that it will become the infrastructure for the Advanced Information
Society that will bring us many benefit such as the effective use of resources. But, there
are many problems to be solved for business use.
Cloud computing is the network-based use of many resources for information-processing
such as the servers and storage media at our disposal.
There is the possibility that it will become the infrastructure for the Advanced Information
Society that will bring us many benefit such as the effective use of resources. But, there
are many problems to be solved for business use.
Benefits that cloud brings
Lower initial cost
Concerns on service use
Insufficient SLA
7
Cloud computing
Rapid availability
Flexible availability on demand
Lower TCO
High energy efficiency
Developing the technologies necessary for service quality control maintenance, etc.
Promoting SLA containing dependability and security
Promoting ADR as a rapid and flexible means of settling disputes
Creating systems for appropriate data centers, etc.
Developing the technologies necessary for service quality control maintenance, etc.
Promoting SLA containing dependability and security
Promoting ADR as a rapid and flexible means of settling disputes
Creating systems for appropriate data centers, etc.
For safe and secure uses of cloud computing
Insufficient dependability
Insufficient security
Data storage site
Responsibility for
problems
Service link
Data migration
International contributions for improving Dependability & Security
of Information Systems & Software
Proposing Dependability & Security models in the Advanced Information Society, by
making good use of Japanese competitive “high-quality” information systems
Proposing Dependability & Security models in the Advanced Information Society, by
making good use of Japanese competitive “high-quality” information systems
The OECD-METI-RIETI Conference on
Innovation in the Software Sector was organized in the context of an ongoing OECD project on this topic (October 2008, Tokyo). Japanese activities on improving Dependability were introduced.
Cooperation with USA
Software EngineeringPromoting cooperation between IPA/Software Engineering Center (IPA/SEC) and Carnegie Mellon University/Software Engineering Institute (CMU/SEI) (2004-)
Information Security
Continuous implementation of “IPA/METI/AIST--NIST Meeting”
Cooperation with ASEAN
Information SecurityLast year METI proposed the "Asia Knowledge
8
Strengthening Policy Dialogues with each country
Standardizing software metrics and evaluation systems as collaborations
between Industry and Academy
Promoting international cooperation among certification organizations in
order to evaluate Software Interoperability
Strengthening Policy Dialogues with each country
Standardizing software metrics and evaluation systems as collaborations
between Industry and Academy
Promoting international cooperation among certification organizations in
order to evaluate Software Interoperability
Cooperation with EU
Software EngineeringPromoting cooperation between IPA/SEC and the Fraunhofer IESE(2004-)
Policy Dialogue
Building on the 2004 EU-Japan Joint Statement on Cooperation on ICT2004(2004)
2008 EU-Japan Cooperation Forum on ICT Research
The EU-Japan Business Dialogue Round Table (BDRT)(1999-)
Last year, METI proposed the Asia Knowledge Economy Initiative" including measures for information security. Then in February, the 1st ASEAN-Japan Information Security Policy Meeting was held in Tokyo.
In ERIA, a research project to establish a common information security measurement benchmark was conducted, based on IPA's "Information Security Management Benchmark".
Schedule of the study forum and future tasks
Leading issues of the forum Main points of the interim Draft of the interim reportFinal draft of the interim report
2008
November December
2009
January February March April and later
Nov. 27 Dec. 25 Feb. 19 Mar. 23
①
Achieving Social Consensus
②
Carrying out concrete
plans to resolve issues
③
Establishing an international
cooperation system
−
OECD report (June, 2009)
−
Policy dialogue with EU, etc.
Fi
na
l Dr
a
ft
1
sts
tud
y
for
um
2
nds
tud
y
fo
rum
3
rds
tud
y
for
um
4
ths
tud
y
fo
rum
9
9
9
report te epo t te epo ty
g
,
Members of the study forum
Chairperson Tomokazu Hamaguchi
Japan Information Technology Services Industry Association/ Chairman (NTT Data Corporation/Senior corporate adviser) Kunio Ishihara Japan Users’ Association of Information Systems/Chairman (Tokio
Marine & Nichido Fire Insurance Co., Ltd./Chairman of the Board) Isao Ono Hitachi Software Engineering Co., Ltd./President, Chief Executive
Officer and Director Shigeru Kamiyama JASTEC Co., Ltd./President
Hirotoshi Kanba IBM Japan, Ltd./ICP Sr. Executive Project Manager Fuminori Kozono Nippon Telegraph and Telephone East Corporation
Senior Executive Vice President
Senior Executive Manager, Network Business Headquarters Norihito Shiga JTB Corp.
Managing Director
Corporate Strategy, Research & Development CIO (Chief Information Officer)
Takashi Shigematsu Toyota Motor Corporation/Managing Officer Osamu Sudoh, Ph .D The University of Tokyo/Professor
Waichi Sekiguchi Nikkei Inc./Editorial Writer, Business News Department
Masaru Takei Tokyo Electric Power Company/Managing Director Koji Nishigaki Information-Technology Promotion Agency/Chairman Botaro Hirosaki NEC Corporation/Senior Executive Vice President and
Member of the Board Koichi HIronishi Fujitsu Ltd.
Member of the Board
Corporate Senior Executive Vice President in charge of service business
Hiroshi Motoyama Mizuho Financial Group, Inc Managing Director
Member of the Board of Directors Chief Strategy Officer
Chief Information Officer
Suguru Yamaguchi, Ph .D Nara Institute of Science and Technology/Professor Yoshikazu Yamamoto
Ph .D
Keio University Faculty of Science and Technology/ Professor
Masao Yoshida Miki & Yoshida Law and Patent Office/Attorney At Law Shigefumi Wada Computer Software Association of Japan/Chairman
An action plan to improve Dependability & Security of
Information Systems and Software
FY2009 FY2010 FY2011 FY2012 and more
◆Development of objective software metrics P “ V is u aliz in g & M ◆Establishment of method IT T
rends Rapid expansionof LOC (Lines of
Code) Emerging and spreading Cloud Computing Spreading online services
Today Embedded Software is over 15M steps, while it was 1M steps in
2000.
Refer to the Interim Report
Safe and secure
2ndphase of Cloud Computing (maturity of technologies) (2010-2013)
3rdphase of Cloud Computing (Commodity) (2012-2015)
1stphase of Cloud Computing (limited usage) (-2011)
Developing objective software metrics
Driving to develop global standards Achieving social consensus
The online usage rate of application procedures for the government in 2013 will be more
than 72%.
Achieving an advanced information society where
people can put various interconnected IT services and
products to practical use.
The embedded software in a car will increase to 100M steps in about 2015.
Refer to the Interim Report
10
Gathering, analyzing, and sharing trouble-shooting romot io n of V is u aliz in g & M ea s u rin g “ Im p ro v ing Co n tr act Ad v a n ce d o p er at i on a n d ma in te na n c e Ne w te c h no lo g ical is su e s ◆Evaluation scheme ◆TrustAnchor of information ◆Establishment of method for non-functional requirement definition
◆Promotion of model trade
and contracts
◆Adoption of emerging
new type of contracts
◆Analysis of
trouble-shooting measures
◆Highly dependable “cloud infrastructure”
Security evaluation of system LSI Promotion
Creating and sharing trouble-shooting databases Research for evaluation system Preparing for an interoperability
Testbed Promotion
◆Feasibility studies for formal methods, development methods, or test methods
◆Design tools for highly
dependable networking systems
In te r na tio na l c oop er at io n
Research for basic specifications Development and Feasibility Studies Establishment of system
◆Promotion of policy
dialogue
Promotion
Promoting model trade and contracts for ISs
Developing model contracts for performance-based transactions or agile software development Guidance for e-authentication
Highly dependable and secure Information
Systems which is becoming huge and more
complicated International cooperation with US,
EU, and ASEAN
society with clear Dependability & Security level Promotion
Feasibility study for
non-functional requirements Advancing the method and develop the tools
Strengthening international policy dialogue
IT industry structure with clear responsibility
of User and Vendor
Preparing for international policy dialogue
METI’s Approaches to Improve the Dependability of Information Systems
2004.10
Established
IPA
/
Software
Engineering Center
Industrial Structure Council Information Services Software
Subcommittee 2005.8
2005.winter
y
Establishment of guidelines for improving the dependability of
information systems 2006.6
2006.9 Information Services Software Subcommittee
System problem of Stock Exchange
Study forum on model
contract
Trial introduction of COBRA
I t d d COBRA t j t
White Paper on software development data
:Collects and analyzes
software development project data :Explains how to use the data
11
2007.4Model Trade and Contracts for Information Systems
Information System, Model Trade and Contracts Supplement
Interim Report
(Information services and software industrial restoration)
2008.4 2007.8
2007.5 System problem of airplane reservation system
Emergency check-up to improve the dependability of information
system and future responses
:Introduced COBRA to some projects
※COBRA (Cost Estimating, Benchmarking, and Risk Assessment) is a method to estimate the cost of software development Projects which was invented by IESE (Institute for Experimental Software Engineering, Germany).
Software Life Cycle Process-Japan Common Frame 2007
:Suggested the roles of vendors and users
:Defined the words for contracts
EPM(Empirical Project Monitor)
Tool:Developed a tool to visualize a process of software development project.
Study Forum for Dependability & Security of Information Systems and Software in an Advanced Information Society
∼2001
2002
2003
2004
Improving Security Management
Improving Security Management Early Warning PartnershipEarly Warning PartnershipInformation SecurityInformation Security Improving Security Technology
Improving Security Technology Awareness, Training and EducationAwareness, Training and Education
Internet safety use seminar (METI) Framework of Software Vulnerability-Related Information Security Management System(ISMS) (METI)
Information Security Audit System(METI)
Computer Virus Incident Reporting Program
(METI) :1990
CRYPTREC
(METI,IPA,MIC):2001 Unauthorized Computer Access
Reporting Program (METI) :1996 Evaluation of cryptography (IPA ):1997 JISEC (METI,IPA):2001
Internet Scan Data Acquisition System
(METI,JPCERT/CC)
METI’s Approaches to Improve Information Security
2005 2004
2008 2007
2006 ・poster, web page, etc.
Team for electronic application(NISC)
Study for security evaluation of system LSI Study for e-authentication CHECK PC! Campaign (METI) Information Transfer (METI,IPA,JPCERT/CC)
Anti-Bot Measures Project
(METI)
Research Group of Information Security Governance for Business
Organization(METI)
Report of e-authentication for e-government (METI,JIPDEC)
Beginning of the New-Generation Information Security Technologies R&D
project(METI)
・Discussion of Information Security Risk in Outsourcing Process Discussion of conflicts between Information Security Management and Compliance Requirements
・Information Security Management Benchmark
・Model for Information Security Reports ・Guideline for Business Continuity Plans
Beginning of a Promotion Project of Information Security
Governance(METI)
Council of Anti-Phishing Japan
(METI)
Guidance for Information Security Governance(tentative name)
Published Continuing awarenessContinuing awareness Improvement of Information
Security Early-Warning Partnership
12
fundamental information security counter measure development