The Information Security Management Benchmark (abbr: ISM-Benchmark)

Transcription

1 The Information Security Management Benchmark (abbr: ISM-Benchmark) July 17, 2008 Yasuko Kanno Chief Advisor, IPA Security Center Information-technology Promotion Agency, Japan (IPA)

2 Today s Contents 1. What is the ISM-Benchmark 2. How to use the ISM-Benchmark 3. Assessment Result 4. Progress of the ISM-Benchmark 5. How well is the ISM-Benchmark being used? 6. Why so many users? 2

3 What is the ISM-Benchmark? Officially it is called: Information Security Measures Benchmark You can understand this tool also as; Information Security Management Benchmark Tools for establishing information security governance. The concept was proposed by METI in March IPA developed it s as web-based self-assessment tool. Providing on IPA Web page since Aug Self-assessment tool to visually checks where the level of the user s company s security measures resides. Aimed SME to improve their security level. (IPA)ISM-Benchmark (English) 3

4 What is the ISM-Benchmark? 4

5 25 questions about security measures Consists of 5 sections, each of which has 3 to 7 questions, 25 questions in total. (a) Organizational Approaches to Information Security 7 questions (b) Physical (Environmental) Security Countermeasures 4 questions (c) Operation and Maintenance Controls over Information Systems and Communication Networks 6 questions (d) Information System Access Control and Security Countermeasures during the Development and Maintenance Phases 5 questions (e) Information Security Incident Response and BCM (Business Continuity Management) 3 questions The 25 questions of ISM-Benchmark based on 133 security controls in ISO/IEC 27001:2005, Annex A (ISO/IEC 27002:2005). Characteristics of this questions are: Developed by a working group of security specialists Uses simple and easy-to-understand expressions Number of questions(= evaluation items) is limited to25 so that it is not difficult for SMEs to conduct self-assessment 146 Tips for the Security Measures 5

6 Answer to 25 questions For each answer, the user selects the most appropriate level from the five levels below (PDCA-conscious). Not implemented Implemented The management is not aware of its necessity or no rule and control has been established even though they are aware of its necessity. The management is aware of its necessity and they are proceeding to formulate and disseminate the rules and controls, but only some part of them is implemented. rules and controls have been established with the approval of the management, and they are disseminated and implemented company-wide, but the state of implementation has not been reviewed. The rules and controls have been established under the leadership and approval of the management, and they are disseminated and implemented company-wide with its status reviewed on a regular basis by the responsible person. In addition to those described in item 4 above, your company has improved it to become a good example for other companies by dynamically reflecting the changes of security environment. 6 A P C D

7 25 questions and 146 tips for the measures 146 tips for the security measures in Total If you click this button, you will see tips for the security measures and recommended approaches. 7

8 2Assessment Result: Scatter Chart 8

9 Assessment Result: Radar Chart Your diagnosis result is shown in a radar chart Your score is indicated in the red line Ideal Level Average As the line comes closer to the center, your security level indicates lower. 9

10 Assessment Result: frequency distribution and T-score of total score The T- Score is derived by using the equation below. (Your organization s total score the average total score of the group) / standard deviation x T - Score is a score converted to an equivalent standard score in a normal distribution with a mean of 50 and a standard deviation ( ) of 10. As shown in this figure on the left, 68.26% of organizations are within the range of 1 (40 to 60). That is to say, if your organization s T-score is 60, it means that your organization has been ranked in around 15.87% from the top. 10

11 Assessment Result: Score Chart Now demonstratd emonstrate: ISM-Benchmark verv er

12 New stage of the ISM-Benchmark From ver. 3.1, statistic information for basic data that is used for the diagnosis is made available to the public. To increase trust level and transparency to diagnosis Statistic information is available at: If you would like to take a look of the statistic data, please let me know. 12

13 Another Challenge of the ISM-Benchmark Handbook of the ISM-Benchmark (132 pages) Provides ideas on how to make use of the ISM-Benchmark. Various organization involved in the project to make the handbook. Committee chief Prof. Eijiro Ooki Member of Committee IPA (Provides ISM-Benchmark) JIPDEC (Conducts ISMS Conformity Assessment) JASA (Conducts Information Security Audit) Observer METI, JAB (ISMS Conformity Assessment) You can download the handbook (Japanese only) at: 13

14 How many companies use the ISM-Benchmark? Benchmark is being used by more than 14,000 companies! Total Score Based on the 40 responses given to the Part 1 and Part 2 questionnaires, you will be mapped to this chart.. Dots represent data provided by other enterprises. Number of Access: ca. 14,000 cases Number of Data Provided: ca. 5,000 cases (Aug. 4, 2005 July. 11, 2008 ACCESS + Initial 885 Data included) Risk Indicator for Information Security Categorized into 3 groups: Group I : High level IT security measures are required. Group II : Medium level IT security measures are required. Group : Not thorough IT security measures are required. Your company s s position 14

15 Why so many users? Because Conforms to international standards ISO/IEC 27001:2005 Free of charge. Provided by the government agency. Organizational, technical, physical and human security measures are assessed in good balance Can compare your company s position with that of other companies To Improve awareness at the management level Gateway to assessment/certification by third party Provides ideas on how to make use of it (Handbook released:jan, 2008) In addition to 25 security measures, 146 tips displayed in pop-up etc 15

16 How do you think the ISM-Benchmark How do you think this nick-name? do you have any objection? or better idea? Questions etc Please give me your input. 16

17 Thank you! IPA isec-info@ipa.go.jp Hon-Komagome Bunkyo-ku, Tokyo , Japan 17