The Information Security Management Benchmark (abbr: ISM-Benchmark)

http://www.ipa.go.jp/security/

July 17, 2008

Yasuko Kanno, Chief Advisor, IPA Security Center
Information-technology Promotion Agency, Japan (IPA)

Copyright © 2008 Information-technology Promotion Agency, Japan (IPA)

Slide 2

Today's Contents

1. What is the ISM-Benchmark
2. How to use the ISM-Benchmark
3. Assessment Result
4. Progress of the ISM-Benchmark
5. How well is the ISM-Benchmark being used?
6. Why so many users?

Slide 3

What is the ISM-Benchmark?

Officially it is called: Information Security Measures Benchmark

You can understand this tool also as: Information Security Management Benchmark

(IPA) ISM-Benchmark (English): http://www.ipa.go.jp/security/english/benchmark_system.html

- A tool for establishing "information security governance."
- The concept was proposed by METI in March 2005.
- IPA developed it as a web-based self-assessment tool.
- Provided on the IPA Web page since Aug. 2005.
- A self-assessment tool that visually checks where the level of the user's company's security measures resides.
- Aimed at SMEs, to improve their security level.

Slide 4

What is the ISM-Benchmark?

Assessment Items (40 Items in Total)

Corporate Profile (15 Items)
- Number of employees, sales figures, number of bases
- Number of people whose information is held, degree of dependence on Information Technology

Information Security Measures (25 Items)
- Organizational security
- Physical and environmental security
- Communications and operations management
- Access control, systems development and maintenance
- Security incidents and malfunctions

Input

Provide answers to the 40 questions on the Web, e.g. "Does your company have any policies or rules for information security and implement them?"

Self Assessment Result

1. Displays your company's position using a scatter chart.
2. Compares your organization's score with the desirable security level and the average in your business industry, using a radar chart.
3. Shows your score.
4. Displays recommended security approaches.

Example of Self Assessment Result (Scatter Chart)

Categorized into 3 groups:
- Group I: High level IT security measures are required.
- Group II: Medium level IT security measures are required.
- Group III: Not thorough IT security measures are required.

Your company's position

Slide 5

25 questions about security measures

The 25 questions of the ISM-Benchmark are based on the 133 security controls in ISO/IEC 27001:2005, Annex A (ISO/IEC 27002:2005). Characteristics of these questions are:
- Developed by a working group of security specialists
- Uses simple and easy-to-understand expressions
- The number of questions (= evaluation items) is limited to 25 so that it is not difficult for SMEs to conduct self-assessment

Consists of 5 sections, each of which has 3 to 7 questions, 25 questions in total:
(a) Organizational Approaches to Information Security (7 questions)
(b) Physical (Environmental) Security Countermeasures (4 questions)
(c) Operation and Maintenance Controls over Information Systems and Communication Networks (6 questions)
(d) Information System Access Control and Security Countermeasures during the Development and Maintenance Phases (5 questions)
(e) Information Security Incident Response and BCM (Business Continuity Management) (3 questions)

146 Tips for the Security Measures

Slide 6

Answer to 25 questions

For each question, the user selects the most appropriate level from the five levels below (PDCA-conscious). The scale runs from "Not implemented" to "Implemented", and the figure marks the levels with the PDCA letters P, D, C, A.

1. The management is not aware of its necessity, or no rule and control has been established even though they are aware of its necessity.
2. The management is aware of its necessity and they are proceeding to formulate and disseminate the rules and controls, but only some part of them is implemented.
3. Rules and controls have been established with the approval of the management, and they are disseminated and implemented company-wide, but the state of implementation has not been reviewed.
4. The rules and controls have been established under the leadership and approval of the management, and they are disseminated and implemented company-wide, with their status reviewed on a regular basis by the responsible person.
5. In addition to those described in item 4 above, your company has improved them to become a good example for other companies by dynamically reflecting changes in the security environment.

Slide 7

25 questions and 146 tips for the measures

If you click this button, you will see tips for the security measures and recommended approaches.

146 tips for the security measures in total

Slide 8

Assessment Result: Scatter Chart

Displays your company's position using a scatter chart.

X-Axis: Information Security Risk Index. The index indicates the risk level calculated from the answers to the Corporate Profile (number of employees, sales figure, etc.). Based on the risk index, organizations are classified into three groups: Group I, Group II, and Group III.

Y-Axis: Total Score (125 points). 25 questions of security measures; each answer is assessed with five grades: 5 x 25 items = 125 points.

The dot in red indicates your organization's position. Each group is displayed using the corresponding color.

Slide 9

Assessment Result: Radar Chart

Your diagnosis result is shown in a radar chart. The closer the line comes to the center, the lower your security level.

Your score is indicated by the red line; the other lines show the Ideal Level and the Average.

Slide 10

Assessment Result: frequency distribution and T-score of total score

The T-score is derived using the equation below:

T-score = (your organization's total score - the average total score of the group) / standard deviation x 10 + 50

The T-score is a score converted to an equivalent standard score in a normal distribution with a mean of 50 and a standard deviation (σ) of 10. As shown in the figure on the left, 68.26% of organizations are within the range of ±1σ (40 to 60). That is to say, if your organization's T-score is 60, your organization is ranked at around 15.87% from the top.
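The T-score conversion above, carried through as a worked example. This is added code for illustration, not IPA's implementation: only the formula (score minus group average, divided by the standard deviation, times 10, plus 50), the 5 x 25 = 125-point total and the normal-distribution reading of the result come from the slides; the group scores, the sample answers and the helper names are constructed here.

```python
"""Worked example of the ISM-Benchmark T-score (added illustration, not IPA's code).

From the slides:
    T-score = (total score - group average total score) / standard deviation * 10 + 50
    total score = 25 questions x 5 grades = 125 points maximum
The group data, sample answers and function names below are constructed.
"""
import math
from statistics import mean, pstdev

NUM_QUESTIONS = 25      # 25 security-measure questions
MAX_GRADE = 5           # each answer is one of five maturity levels (1..5)


def total_score(answers):
    """Sum the 25 five-grade answers into the 125-point total score."""
    if len(answers) != NUM_QUESTIONS:
        raise ValueError(f"expected {NUM_QUESTIONS} answers, got {len(answers)}")
    if any(not 1 <= a <= MAX_GRADE for a in answers):
        raise ValueError("each answer must be a maturity level from 1 to 5")
    return sum(answers)


def t_score(score, group_mean, group_sd):
    """Rescale a total score to a standard score with mean 50 and sd 10."""
    if group_sd <= 0:
        raise ValueError("standard deviation must be positive")
    return (score - group_mean) / group_sd * 10 + 50


def percent_from_top(t):
    """Share of organizations expected above a T-score under a normal distribution.

    T = 60 is one sigma above the mean, so the upper tail is about 15.87%.
    """
    z = (t - 50) / 10
    return 0.5 * math.erfc(z / math.sqrt(2)) * 100


def share_within(sigmas):
    """Share of organizations within +/- sigmas of the mean (about 68.3% for 1 sigma)."""
    return math.erf(sigmas / math.sqrt(2)) * 100


# Constructed sample: total scores reported by other organizations in the same group.
GROUP_SCORES = [58, 63, 71, 74, 77, 80, 82, 85, 88, 91, 94, 99, 103, 108]


def assess(answers, group_scores=GROUP_SCORES):
    """Turn one organization's 25 answers into its total score, T-score and rank."""
    score = total_score(answers)
    mu, sd = mean(group_scores), pstdev(group_scores)
    t = t_score(score, mu, sd)
    return {
        "total": score,
        "group_mean": round(mu, 2),
        "t_score": round(t, 1),
        "percent_from_top": round(percent_from_top(t), 2),
    }


if __name__ == "__main__":
    # Constructed answers: ten questions at level 3, ten at level 4, five at level 2.
    sample_answers = [3] * 10 + [4] * 10 + [2] * 5
    print(assess(sample_answers))
```

The percentile helper reads the T-score against the ideal normal curve, exactly as the slide does; with real benchmark data the empirical frequency distribution would be used instead, which is why the slide shows both.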

Slide 11

Assessment Result: Score Chart

Now demonstrate: ISM-Benchmark ver. 3.1

Slide 12

New stage of the ISM-Benchmark

From ver. 3.1, statistical information on the basic data used for the diagnosis is made available to the public, to increase the trust level and transparency of the diagnosis.

Statistical information is available at: http://www.ipa.go.jp/security/benchmark/benchmark_tokuchover31.html#toukei

If you would like to take a look at the statistical data, please let me know.

Slide 13

Another Challenge of the ISM-Benchmark

Handbook of the ISM-Benchmark (132 pages)

Provides ideas on how to make use of the ISM-Benchmark. Various organizations were involved in the project to make the handbook.

【Committee chief】 Prof. Eijiro Ooki
【Members of Committee】 IPA (provides the ISM-Benchmark), JIPDEC (conducts ISMS Conformity Assessment), JASA (conducts Information Security Audit)
【Observer】 METI, JAB (ISMS Conformity Assessment)

You can download the handbook (Japanese only) at: http://www.ipa.go.jp/security/benchmark/benchmark-katsuyou.html

Slide 14

How many companies use the ISM-Benchmark?

Benchmark is being used by more than 14,000 companies!

Number of Access: ca. 14,000 cases
Number of Data Provided: ca. 5,000 cases
(Aug. 4, 2005 – July 11, 2008 access, + initial 885 data included)

Based on the 40 responses given to the Part 1 and Part 2 questionnaires, you will be mapped to this chart. Dots represent data provided by other enterprises.

Scatter chart (Y-axis: Total Score; X-axis: Risk Indicator for Information Security), categorized into 3 groups:
- Group I: High level IT security measures are required.
- Group II: Medium level IT security measures are required.
- Group III: Not thorough IT security measures are required.
- Your company's position

Slide 15

Why so many users?

Because…
- Conforms to the international standard ISO/IEC 27001:2005.
- Free of charge.
- Provided by a government agency.
- Organizational, technical, physical and human security measures are assessed in good balance.
- Can compare your company's position with that of other companies.
- Improves awareness at the management level.
- "Gateway" to assessment/certification by a third party.
- Provides ideas on how to make use of it (Handbook released: Jan. 2008).
- In addition to the 25 security measures, 146 tips displayed in pop-ups, etc.

Slide 16

Questions…

What do you think of the ISM-Benchmark?

What do you think of this nickname? Do you have any objection, or a better idea?

etc…

Please give me your input.

Slide 17

IPA http://www.ipa.go.jp/
Email: [email protected]
Hon-Komagome, Bunkyo-ku, Tokyo 113-6591, Japan

Thank you!