Cybersecurity Management Guidelines Ver 2.0 (サイバーセキュリティ経営ガイドライン Ver2.0), PDF transcript

Cybersecurity Management Guidelines, overview: i. Cybersecurity is a management issue

  • Ver 2.0

  • ..................................................................................................................... 1

    ........................... 1 ................................................................... 4

    ......................................................................................... 5 ................................................................ 6

    ................................................. 7 ....... 7 ............................................ 8 ............... 9

    ........................................ 10 .. 10 ................. 11 PDCA .................. 12

    ............................................................. 13 .............................................. 13 ................................... 14

    ................................................... 15

    ................................................................................................. 15 .............. 16

    ........................................................................................................ 16

    ........................................................ 17 ..................................................... 21 ISO/IEC27001 27002 ................................................... 26 ......................................................................................................... 27

  • I

    I

    IT

    IoT AI

    IT

    CISO

  • II

    II

    (1)

    (2)

    (3)

    III

    CISO

    PDCA

  • 1

    1

    1 2 2

    1 IPA CISO CSIRT 2016

    2 FireEye, Inc., M-Trends 2017

  • 2

    3

    3 4 3

    IT

    IT

    IT

    IT

    3 KPMG 2017

  • 3

    4 Ver1.0 1.1

    IPAVer2.0

    NISC

    5

    4 (IPA) https://www.ipa.go.jp/security/keihatsu/sme/guideline/

    5 NISC http://www.nisc.go.jp/active/kihon/pdf/keiei.pdf


  • 4

    CISO

    CISO CISO

    A

    B C

    D ISO/IEC 27001/27002 E

    IPA6

    IPA

    6 IPA https://www.ipa.go.jp/files/000044615.pdf

    A) B) C) D) ISO/IEC 27001/27002 E)


  • 5

    IT IT

    CISO

  • 6

    CISO CISO

    PDCA

  • 7

  • 8

    CISO CISO

  • 9

    IT 7

    8

    7 () IPA

    8 () IPA

  • 10

  • 11

  • 12

    PDCA

    PDCA (Plan, Do, Check, Act)

    PDCA

    Check A ISMS KPIKPI

    CSR

    PDCA

  • 13

    C

    (

    CSIRT

  • 14

    BCP

    BCP

  • 15

    SECURITY ACTION9ISMS

    9 https://www.ipa.go.jp/security/security-action/

    PDCA


  • 16

    IPA JPCERT

    CSIRT

    IPA

    JPCERT

    J-CSIP

  • 17

    NIST 10

    1 ()

    (ID.GV-1)

    (ID.GV-3) (DE.DP-2)

    CISO

    ()

    (ID.GV-2)

    (ID.GV-4)

    ()

    (PR.AT-2) (PR.AT-3) (PR.AT-4) (PR.AT-5)

    (PR.AT-1)

    ()

    (PR.AT-1)

    10 Framework for Improving Critical Infrastructure Cybersecurity (NIST)

    https://www.nist.gov/sites/default/files/documents/cyberframework/cybersecurity-framework-021214.pdf


  • 18

    (ID.AM-1) (ID.AM-2) (ID.AM-3) (ID.AM-4) (ID.AM-5)

    (ID.RA-3) (ID.RA-1) (ID.RM-1)

    (ID.RA-4) (ID.RA-5) (ID.RM-2)

    (ID.RA-6) (ID.RM-3)

    (ID.RA-6) (ID.RM-3)

    (PR.AC) (PR.DS)

    (PR.IP-12)

    (DE.AE-1) (DE.AE-5) (DE.DP-3)

    (DE.AE-4) (DE.DP-1) (DE.DP-4)

    (DE.DP-5)

    (PR.AT-1)

  • 19

    PDCA

    ()

    ()

    PDCA (PR.IP-7)

    ()

    Web

    (RS.CO-3) (RS.CO-4) (RS.CO-5)

    (PR.IP-9) (RS.RP-1)

    CSIRT (RS.CO-1)

    (RS.CO-2)

    (RS.IM-1) (RS.IM-2)

    (PR.IP-10)

    (ID.BE-5) (PR.IP-9) (RC.RP-1)

    (RC.IM-1) (RC.IM-2)

    (RC.CO-1) (RC.CO-2) (RC.CO-3)

    (PR.IP-10)

  • 20

    (ID.BE-3) (ID.BE-4)

    (ID.AM-6) (ID.BE-1) (PR.IP-8)

    ()

    (ID.RA-2)

    IPA JPCERT

    (ID.RA-2)

  • 21

    URL

    [Ver.1.0]IPA

    https://www.ipa.go.jp/security/economics/csmgl-kaisetsusho.html

    [ 2.1 ]IPA (

    55

    ) https://www.ipa.go.jp/security/keihatsu/sme/guideline/

    ISO/IEC 27002:2013 (ISO/IEC)

    Framework for Improving Critical Infrastructure Cybersecurity [Version 1.0], NIST

    5 22

    https://www.nist.gov/sites/default/files/documents/cyberframework/cybersecurity-framework-021214.pdf

    SP 800-53 [Rev. 4], NIST

    http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf

    SP 800-171 [Rev. 1], NIST (CUI 11)

    http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171r1.pdf

    11 Controlled Unclassified Information


  • 22

    IT [May 2015], IPA

    https://www.ipa.go.jp/files/000039528.pdf

    [September 2015], IPA

    https://www.ipa.go.jp/files/000047872.pdf

    [ 2.1 ]IPA

    4

    https://www.ipa.go.jp/security/keihatsu/sme/guideline/

    [September 2014], IPA

    https://www.ipa.go.jp/files/000046236.pdf

    [1.0 ]JPCERT/CC

    https://www.jpcert.or.jp/research/apt-loganalysis.html

    [ 4 ]IPA 10

    30

    https://www.ipa.go.jp/files/000057060.pdf

    [ 28 2 ]

    http://www.meti.go.jp/policy/economy/chizai/chiteki/trade-secret.html


  • 23

    ISMS, JIPDEC

    ISO/IEC27001

    https://isms.jp/isms.html

    CSMS, JIPDEC

    IEC 62443-2

    https://isms.jp/csms.html

    ISO/IEC27001

    http://www.meti.go.jp/policy/netsecurity/is-kansa/index.html

    IPA Web

    http://www.ipa.go.jp/security/benchmark/

    [ 7 ]IPA Web

    Web

    https://www.ipa.go.jp/security/vuln/websecurity.html

    JVN, IPA / JPCERT/CC

    https://jvn.jp/

    CSIRT JPCERT/CC

    CSIRT

    https://www.jpcert.or.jp/csirt_material/


  • 24

    CSIRT CSIRT

    http://www.nca.gr.jp/activity/build-wg-document.html

    [ 25 8 ]

    http://www.bousai.go.jp/kyoiku/kigyou/pdf/guideline03.pdf

    [ 29 3 ]

    http://www.chusho.meti.go.jp/keiei/torihiki/2014/140313shitaukeGL3.pdf

    SECURITY ACTION IPA

    https://www.ipa.go.jp/security/security-action/

    IPA

    Web

    https://www.ipa.go.jp/security/outline/todoke-top-j.html

    IPA

    https://www.ipa.go.jp/security/tokubetsu/

    J-CSIP, IPA

    https://www.ipa.go.jp/security/J-CSIP/


  • 25

    @police

    Web

    https://www.npa.go.jp/cyberpolice/


  • 26

    ISO/IEC 27001 / 27002

    ISO/IEC 27001 | ISO/IEC 27002

    5.1

    5.2

    5.3

    6.1.1

    7.1

    7.2

    6.1

    6.2

    5.1.1

    5.1.2

    6.2

    9

    10

    11

    12

    13

    PDCA

    7.4

    8.1

    8.2

    8.3

    9.1

    9.2

    9.3

    10.1

    10.2

    17.1.1

    17.1.2

    17.1.3

    18.1.1

    18.2.1

    18.2.2

    18.2.3

    16.1.1

    16.1.2

    16.1.3

    16.1.4

    16.1.5

    17.1.1

    17.1.2

    17.1.3

    8.1

    15.1.1

    15.1.2

    15.1.3

    15.2.1

    15.2.2

    ICT

    6.1.3

    6.1.4

  • 27

    1

    2

    3

    4

    IT

    5

    6

    7

    http://www.meti.go.jp/policy/netsecurity/docs/secgov/2007_JohoSecurityReportModelRevised.pdf
