• No results found

Overview: Interim Report of the Study Forum for. in the Advanced Information Society

N/A
N/A
Protected

Academic year: 2021

Share "Overview: Interim Report of the Study Forum for. in the Advanced Information Society"

Copied!
13
0
0

Loading.... (view fulltext now)

Full text

(1)

Achieving a rich, safe, and secure “Advanced

Achieving a rich, safe, and secure “Advanced

Information Society”

Information Society”

Overview: Interim Report of the “Study Forum for

Dependability & Security of Information Systems & Software

参考資料2

epe dab ty & Secu ty o

o

at o Syste s & So t a e

in the Advanced Information Society”

March 2009

Information Service Industry Division &

IT Security Policy Office,

Commerce and Information Policy Bureau,

Ministry of Economy, Trade and Industry

(2)

Achieving a rich, safe, and secure “Advanced Information Society”

Overview: Interim Report of “Study Forum for Dependability & Security of Information Systems & Software in the Advanced Information Society”

The information systems & software have been ... a part of daily life.

the information systems bear the core functions in our social infrastructure such as electricity systems, financial systems, etc.

realizing various services & products.

bigger and bigger; more and more complicated.

Issues in the Advanced Information Society

“Visualizing & Measurement” of dependability & security of information systems & software will achieve ...

Sharing the goals of dependability & security that should be prepared (achieving social consensus).

Accelerating innovations by achieving these goals.

Achieving a creative, safe, secure society with strong infrastructure.

The “Visualizing & Measurement ” approach

Achieving a new society where people can put various interconnected IT services

and products to practical use.

Preventing “damage beyond that assumed” in the “Advanced Information Society”

where risk has been expanding along with IT is also important.

1

Achieving a rich, secure, safe advanced information society.

Achieving a rich, secure, safe advanced information society.

(出典:http://takama.jugem.jp/)

(出典:http://takama.jugem.jp/) (出典:http://takama.jugem.jp/)

Damage from assumption sometimes happens.

e.g.・Stock exchange systems’ failure ・Traffic paralysis

Developing software metrics to evaluate and manage the dependability & security of information systems & software.

Gathering, analyzing, and sharing knowledge on trouble-shooting for information systems. Maintenance of rules and systems such as drawing up guidelines.

Promoting the development of advanced technologies for dependability and security. Building up international

cooperation.

However, the invisible risk increases.

Acceleration of combination of services & products realizes various creative services.

(3)

Outline of the Interim Report

We should achieve social consensus on dependability & security levels of ISs with a good balance of service level,

risk, and cost by “visualizing & measuring.” Then we should accelerate innovations by going forward to the goals.

Efforts on various

issues

Achieving social consensus & everybody achieving the advanced information society together

“Visualizing & Measuring” of dependability & security

and

Achieving social consensus

Strengthening IT Management

Software metrics to evaluate and

Improving Business Practice & Contracts

Improving IS Management System & Sharing Information

Improving Business with Visualizing & Measurement of IT Impact IT Investment with Quantitative Metrics

Forming Mutual Understanding between User and Vendor based on Metrics Making a Contract with Clear Responsibility between User and Vendor

Establishing a framework to share trouble-shooting info. and Best Practices of IS management Prevailing Best Practices about Business Continuity Plan (BCP)

Proposing a model of what dependability & security should be in the Advanced Information Society, by making good

use of Japanese core competence, by promoting international cooperation with each country, and by promoting

international standardization of the “Visualizing & Measuring” method as collaboration between Industry and Academy. 2

International contribution for achieving the Advanced Information Society

Software metrics to evaluate and manage the dependability & security of information systems

& software.

Drawing up standards to estimate dependability & security levels for executives.

Setting the items and requirements for persons in charge.

Developing quantitative software metrics to evaluate and manage dependability & security.

Establishing evaluation systems for interoperability, security, etc.

Research and Development

Improvement and demonstration of architecture description language, formal method or other new development technology.

Development of solid system architecture (foundation of cloud computing systems, autonomic computers, etc.)

Keeping up with more complex and multi-layered architecture of information system.

Studying a Framework for New IT Services e.g., Cloud

“Visualizing & Measuring” of service level and responsibility regarding new IT service such as cloud computing.

Achievement of interoperable services and flexible trouble-shooting utilizing ADR, etc.

Human capital development

Reinforcement of human capital development under Industry-University-Government cooperation and with the user side.

(4)

Participants’ roles in information systems & software

Information

System

Vender

End

User

Unclear function,

dependability or security

of information systems.

Executive Information

Is it OK?

Doesn’t know how

safe and secure it is.

Doesn’t know what systems

or services the owner want.

3

Classifying the dependability & security levels into 4 types. (System Profiling)

IT manager

Unclear responsibility

between user and vendor

Provision of

“Visualizing & Measuring”

of dependability & security

Executive

officers System User

Doesn’t know

business changes and

their influence.

Doesn’t know how to

evaluate or manage.

Workers

Drawing up quantitative software metrics to evaluate or manage the information systems. Developing method for defining requirements so both user and vendor can communicate correctly.

Refinement of objective evaluation framework about interoperability, security, etc.

Making a contract with clear responsibility between User and Vendor. (Utilization of “Model Trade and Contracts for Information Systems”)

(5)

System Vendors

An Empirical Framework for improving Dependability & Security

of Information Systems, and Future Tasks

説明責任 正確な理解の醸成

System Profiling

Evaluating System Characteristics and classifying ISs into 4 types

Project Profiling

Analyzing the characteristics of IT projects systematically

プロダクト品質指標

(設計書ボリューム率)

非機能要求グレード表等

TypeⅠ TypeⅡ TypeⅢ TypeⅣ

TypeⅠ TypeⅡ TypeⅢ TypeⅣ Definition of Quality Goals

Defining Quality Goals by using software metrics on product & process quality

Future tasks

Refining through feasibility studies in each business domain End Users System Users

4

重要インフラサービス最終受益者 対策コストの負担者 プロセス品質指標 (設計レビュー作業充当率) ST-SESMIC Scale

Refining Quality Goals by applying ST-SESMIC scale evaluation in the case of real problems with ISs

Quality Control

Future tasks

Establishing a method to protect or minimize problems in

Information Systems

Future tasks

Reaching national consensus on risks of Information Systems

Evaluation of Dependability & Security level for ISs

Establishing a common method and software metrics for evaluating Dependability & Security level for ISs and reference values

Users

(6)

IC Card for Digital Appliance .

Business Equipment

Building Systems for providing objective evaluations of IT Security

For safe use of information systems, it is important to guarantee that the information and services

are provided only to persons permitted access.

For safe use of information systems, it is important to guarantee that the information and services

are provided only to persons permitted access.

IC Card for Bank, Payment

N

k

IC Card for Electronic Toll Collection

IC Card for Transportation

Business Use

TrustAnchor of information

• Building a system to evaluate and certify the

security of information technology in Japan.

• Studying e-authentication guidance for the private sector

based on efforts of e-government and foreign countries.

Security evaluation of system LSI

Guidance for e-authentication

Login ID METI・・ ***** PW E-authentication

Private Use

Network

IC Card for Identification

(7)

Information-sharing framework to enhance operation and

maintenance process, and diffuse BCP

Almost 70% of system problems come from operation and maintenance process.

It is necessary to establish an information-sharing framework where a public organization

gathers and analyze information on a case bases and shares knowhow appropriately.

We promote the development of a BCP and promote it to various companies.

Almost 70% of system problems come from operation and maintenance process.

It is necessary to establish an information-sharing framework where a public organization

gathers and analyze information on a case bases and shares knowhow appropriately.

We promote the development of a BCP and promote it to various companies.

Private Community

Overview of the information-sharing framework

Public community

Sharing Best Practices of operation process & IS trouble-shooting measures with members

Gathering,

analyzing, and

sharing

information

Announcement,

News Release,

Report, etc.

(Problem vulnerability virus info )

6

Public

Organization

Company A Company B Company C An information-sharing framework in the entire society should be established.

Furthering awareness and providing support to formulate BCP

Accumulation of each operation’s know-how & trouble-shooting for IS

(Problem, vulnerability, virus info.)

Companies, Individuals

It is necessary to formulate BCP to minimize damage caused by information system failure.

Through various seminars, METI will promote “Guidelines for the Formulation of a Business Continuity Plan” to the

business sector through continuing education

Government, Media, etc

(8)

Dependability & Security in systems such as cloud computing

Cloud computing is the network-based use of many resources for information-processing

such as the servers and storage media at our disposal.

There is the possibility that it will become the infrastructure for the Advanced Information

Society that will bring us many benefit such as the effective use of resources. But, there

are many problems to be solved for business use.

Cloud computing is the network-based use of many resources for information-processing

such as the servers and storage media at our disposal.

There is the possibility that it will become the infrastructure for the Advanced Information

Society that will bring us many benefit such as the effective use of resources. But, there

are many problems to be solved for business use.

Benefits that cloud brings

Lower initial cost

Concerns on service use

Insufficient SLA

7

Cloud computing

Rapid availability

Flexible availability on demand

Lower TCO

High energy efficiency

Developing the technologies necessary for service quality control maintenance, etc.

Promoting SLA containing dependability and security

Promoting ADR as a rapid and flexible means of settling disputes

Creating systems for appropriate data centers, etc.

Developing the technologies necessary for service quality control maintenance, etc.

Promoting SLA containing dependability and security

Promoting ADR as a rapid and flexible means of settling disputes

Creating systems for appropriate data centers, etc.

For safe and secure uses of cloud computing

Insufficient dependability

Insufficient security

Data storage site

Responsibility for

problems

Service link

Data migration

(9)

International contributions for improving Dependability & Security

of Information Systems & Software

Proposing Dependability & Security models in the Advanced Information Society, by

making good use of Japanese competitive “high-quality” information systems

Proposing Dependability & Security models in the Advanced Information Society, by

making good use of Japanese competitive “high-quality” information systems

The OECD-METI-RIETI Conference on

Innovation in the Software Sector was organized in the context of an ongoing OECD project on this topic (October 2008, Tokyo). Japanese activities on improving Dependability were introduced.

Cooperation with USA

Software Engineering

Promoting cooperation between IPA/Software Engineering Center (IPA/SEC) and Carnegie Mellon University/Software Engineering Institute (CMU/SEI) (2004-)

Information Security

Continuous implementation of “IPA/METI/AIST--NIST Meeting”

Cooperation with ASEAN

Information Security

Last year METI proposed the "Asia Knowledge

8

Strengthening Policy Dialogues with each country

Standardizing software metrics and evaluation systems as collaborations

between Industry and Academy

Promoting international cooperation among certification organizations in

order to evaluate Software Interoperability

Strengthening Policy Dialogues with each country

Standardizing software metrics and evaluation systems as collaborations

between Industry and Academy

Promoting international cooperation among certification organizations in

order to evaluate Software Interoperability

Cooperation with EU

Software Engineering

Promoting cooperation between IPA/SEC and the Fraunhofer IESE(2004-)

Policy Dialogue

Building on the 2004 EU-Japan Joint Statement on Cooperation on ICT2004(2004)

2008 EU-Japan Cooperation Forum on ICT Research

The EU-Japan Business Dialogue Round Table (BDRT)(1999-)

Last year, METI proposed the Asia Knowledge Economy Initiative" including measures for information security. Then in February, the 1st ASEAN-Japan Information Security Policy Meeting was held in Tokyo.

In ERIA, a research project to establish a common information security measurement benchmark was conducted, based on IPA's "Information Security Management Benchmark".

(10)

Schedule of the study forum and future tasks

Leading issues of the forum Main points of the interim Draft of the interim report

Final draft of the interim report

2008

November December

2009

January February March April and later

Nov. 27 Dec. 25 Feb. 19 Mar. 23

Achieving Social Consensus

Carrying out concrete

plans to resolve issues

Establishing an international

cooperation system

OECD report (June, 2009)

Policy dialogue with EU, etc.

Fi

na

l Dr

a

ft

1

st

s

tud

y

for

um

2

nd

s

tud

y

fo

rum

3

rd

s

tud

y

for

um

4

th

s

tud

y

fo

rum

9

9

9

report te epo t te epo t

y

g

,

Members of the study forum

Chairperson Tomokazu Hamaguchi

Japan Information Technology Services Industry Association/ Chairman (NTT Data Corporation/Senior corporate adviser) Kunio Ishihara Japan Users’ Association of Information Systems/Chairman (Tokio

Marine & Nichido Fire Insurance Co., Ltd./Chairman of the Board) Isao Ono Hitachi Software Engineering Co., Ltd./President, Chief Executive

Officer and Director Shigeru Kamiyama JASTEC Co., Ltd./President

Hirotoshi Kanba IBM Japan, Ltd./ICP Sr. Executive Project Manager Fuminori Kozono Nippon Telegraph and Telephone East Corporation

Senior Executive Vice President

Senior Executive Manager, Network Business Headquarters Norihito Shiga JTB Corp.

Managing Director

Corporate Strategy, Research & Development CIO (Chief Information Officer)

Takashi Shigematsu Toyota Motor Corporation/Managing Officer Osamu Sudoh, Ph .D The University of Tokyo/Professor

Waichi Sekiguchi Nikkei Inc./Editorial Writer, Business News Department

Masaru Takei Tokyo Electric Power Company/Managing Director Koji Nishigaki Information-Technology Promotion Agency/Chairman Botaro Hirosaki NEC Corporation/Senior Executive Vice President and

Member of the Board Koichi HIronishi Fujitsu Ltd.

Member of the Board

Corporate Senior Executive Vice President in charge of service business

Hiroshi Motoyama Mizuho Financial Group, Inc Managing Director

Member of the Board of Directors Chief Strategy Officer

Chief Information Officer

Suguru Yamaguchi, Ph .D Nara Institute of Science and Technology/Professor Yoshikazu Yamamoto

Ph .D

Keio University Faculty of Science and Technology/ Professor

Masao Yoshida Miki & Yoshida Law and Patent Office/Attorney At Law Shigefumi Wada Computer Software Association of Japan/Chairman

(11)

An action plan to improve Dependability & Security of

Information Systems and Software

FY2009 FY2010 FY2011 FY2012 and more

Development of objective software metrics P V is u aliz in g & MEstablishment of method IT T

rends Rapid expansionof LOC (Lines of

Code) Emerging and spreading Cloud Computing Spreading online services

Today Embedded Software is over 15M steps, while it was 1M steps in

2000.

Refer to the Interim Report

Safe and secure

2ndphase of Cloud Computing (maturity of technologies) (2010-2013)

3rdphase of Cloud Computing (Commodity) (2012-2015)

1stphase of Cloud Computing (limited usage) (-2011)

Developing objective software metrics

Driving to develop global standards Achieving social consensus

The online usage rate of application procedures for the government in 2013 will be more

than 72%.

Achieving an advanced information society where

people can put various interconnected IT services and

products to practical use.

The embedded software in a car will increase to 100M steps in about 2015.

Refer to the Interim Report

10

Gathering, analyzing, and sharing trouble-shooting romot io n of V is u aliz in g & M ea s u rin g Im p ro v ing Co n tr act Ad v a n ce d o p er at i on a n d ma in te na n c e Ne w te c h no lo g ical is su e sEvaluation schemeTrustAnchor of informationEstablishment of method for non-functional requirement definition

Promotion of model trade

and contracts

Adoption of emerging

new type of contracts

Analysis of

trouble-shooting measures

Highly dependable “cloud infrastructure”

Security evaluation of system LSI Promotion

Creating and sharing trouble-shooting databases Research for evaluation system Preparing for an interoperability

Testbed Promotion

Feasibility studies for formal methods, development methods, or test methods

Design tools for highly

dependable networking systems

In te r na tio na l c oop er at io n

Research for basic specifications Development and Feasibility Studies Establishment of system

Promotion of policy

dialogue

Promotion

Promoting model trade and contracts for ISs

Developing model contracts for performance-based transactions or agile software development Guidance for e-authentication

Highly dependable and secure Information

Systems which is becoming huge and more

complicated International cooperation with US,

EU, and ASEAN

society with clear Dependability & Security level Promotion

Feasibility study for

non-functional requirements Advancing the method and develop the tools

Strengthening international policy dialogue

IT industry structure with clear responsibility

of User and Vendor

Preparing for international policy dialogue

(12)

METI’s Approaches to Improve the Dependability of Information Systems

2004.10

Established

IPA

/

Software

Engineering Center

Industrial Structure Council Information Services Software

Subcommittee 2005.8

2005.winter

y

Establishment of guidelines for improving the dependability of

information systems 2006.6

2006.9 Information Services Software Subcommittee

System problem of Stock Exchange

Study forum on model

contract

Trial introduction of COBRA

I t d d COBRA t j t

White Paper on software development data

:Collects and analyzes

software development project data :Explains how to use the data

11

2007.4

Model Trade and Contracts for Information Systems

Information System, Model Trade and Contracts Supplement

Interim Report

(Information services and software industrial restoration)

2008.4 2007.8

2007.5 System problem of airplane reservation system

Emergency check-up to improve the dependability of information

system and future responses

:Introduced COBRA to some projects

※COBRA (Cost Estimating, Benchmarking, and Risk Assessment) is a method to estimate the cost of software development Projects which was invented by IESE (Institute for Experimental Software Engineering, Germany).

Software Life Cycle Process-Japan Common Frame 2007

:Suggested the roles of vendors and users

:Defined the words for contracts

EPM(Empirical Project Monitor

Tool:Developed a tool to visualize a process of software development project.

Study Forum for Dependability & Security of Information Systems and Software in an Advanced Information Society

(13)

∼2001

2002

2003

2004

Improving Security Management

Improving Security Management Early Warning PartnershipEarly Warning PartnershipInformation SecurityInformation Security Improving Security Technology

Improving Security Technology Awareness, Training and EducationAwareness, Training and Education

Internet safety use seminar (METI) Framework of Software Vulnerability-Related Information Security Management System(ISMS) (METI)

Information Security Audit System(METI)

Computer Virus Incident Reporting Program

(METI) :1990

CRYPTREC

(METI,IPA,MIC):2001 Unauthorized Computer Access

Reporting Program (METI) :1996 Evaluation of cryptography (IPA ):1997 JISEC (METI,IPA):2001

Internet Scan Data Acquisition System

(METI,JPCERT/CC)

METI’s Approaches to Improve Information Security

2005 2004

2008 2007

2006 ・poster, web page, etc.

Team for electronic application(NISC)

Study for security evaluation of system LSI Study for e-authentication CHECK PC! Campaign (METI) Information Transfer (METI,IPA,JPCERT/CC)

Anti-Bot Measures Project

(METI)

Research Group of Information Security Governance for Business

Organization(METI)

Report of e-authentication for e-government (METI,JIPDEC)

Beginning of the New-Generation Information Security Technologies R&D

project(METI)

・Discussion of Information Security Risk in Outsourcing Process Discussion of conflicts between Information Security Management and Compliance Requirements

・Information Security Management Benchmark

・Model for Information Security Reports ・Guideline for Business Continuity Plans

Beginning of a Promotion Project of Information Security

Governance(METI)

Council of Anti-Phishing Japan

(METI)

Guidance for Information Security Governance(tentative name)

Published Continuing awarenessContinuing awareness Improvement of Information

Security Early-Warning Partnership

12

fundamental information security counter measure development

References

Related documents