What is a basic information security policy? Explaining the way of thinking and how to create one



A basic information security policy is a published document in which an organization declares how it views information security and how it will maintain a safe system.

To put it more simply, it is a written statement of how the organization's management thinks about information security.

This article explains how to think about and create a basic information security policy.


About information security policy

Since the basic information security policy is generally treated as one part of the "information security policy," we will first explain the information security policy itself.

Overview and purpose

An information security policy is a compilation of the policies and behavioral guidelines for a company's or organization's information security measures. Generally, its content includes the basic ideas, basic policies, operational systems, operational regulations, and countermeasure standards for information security.

Its purpose is to protect the organization's important information from threats. Furthermore, consistent implementation of the information security policy is considered important because it raises employees' security awareness.


Composition

An information security policy generally consists of three parts: the "basic policy," the "countermeasure standards," and the "implementation procedures."

The "basic policy" is an expression of the intention of the organization's management to address information security appropriately. It may also set out the policy for addressing information security across the entire organization.

The "countermeasure standards" are the rules for each field that define, in line with the basic policy, what measures the organization will take. These also include the personnel and employment regulations related to information security.

The "implementation procedures" are a compilation of more detailed procedures; they correspond to what is commonly called a manual.

In some cases, the basic policy alone, or the basic policy together with the countermeasure standards, is referred to as the information security policy. The composition of an information security policy differs from company to company, so this three-part structure is not mandatory.


What is the basic policy?

If you search the Internet for "basic security policy," you can see each company's basic policy posted on its website. If you compare them, you will find that the content differs from company to company. This is because the ideal form differs depending on the characteristics and way of thinking of each organization.

On the other hand, the basic policies of any company tend to be concise, summarized in about 5 to 10 items. This is because the basic policy is a statement of intent that clearly states the organization's approach to information security, both internally and externally.

It is important to concisely summarize the key points, such as why the organization is working on information security, why it has established an information security policy, and why the policy must be complied with. Some people believe it is best to keep the text short enough to fit on one A4 sheet of paper.


Create your own basic information security policy

There is little point in simply reusing the basic policies published by other companies. It is important for each company to carefully consider and create its own basic information security policy.

There are two reasons. The first is, as mentioned earlier, that the basic information security policy should differ depending on the characteristics and thinking of the organization.

The second is that it is important to think for yourself. By thinking it through ourselves, we can accurately understand what information we need to protect in the first place and why it needs protecting, which also raises management's awareness of information security measures. If a basic policy is created merely as a formality, it is often not reflected at the practical level and ends up as a mere token.

What you need to do to create a basic information security policy

To create a basic policy, we need a correct understanding of what information we need to protect and why. IPA (Information-technology Promotion Agency) and other organizations describe four steps for creating an information security policy, and it is a good idea to refer to Steps 1 and 2.


Step 1: Create an information asset management ledger

Identify what kind of information assets you have and judge their importance.

First, record the information assets held within the company in a ledger. For each information asset, determine the importance of the impact if it is leaked, falsified, erroneously written, or made unavailable. Also identify whether each asset contains personal information and who holds management responsibility for it.


Step 2: Calculate the risk value

Calculate the risk value and understand which information assets require security measures.

Calculate the risk value for each information asset identified in Step 1. The formula is: risk value = importance x probability of damage occurring.

The probability of damage occurring is calculated from two values: the "likelihood of the threat occurring" and the "ease of exploiting the vulnerability."

For the detailed calculation method, refer to page 35 of IPA's "Guidelines for Information Security Measures for Small and Medium Enterprises."
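Steps 1 and 2 above, carried out over a constructed asset ledger as an added example; this is not code from the article or from IPA. The 1-to-3 rating scale and the rule that combines threat likelihood and vulnerability ease into a "probability of damage occurring" are assumptions made here, not IPA's official table, which is on page 35 of the guidelines.

```python
# Added example, not from the article or IPA: a small information asset
# ledger (Step 1) and the Step 2 risk-value calculation run over it. All
# ratings are assumed to be 1 (low) to 3 (high); the rule mapping threat
# likelihood and vulnerability ease to a "probability of damage occurring"
# is a constructed simplification, not IPA's official table (page 35).
from dataclasses import dataclass

HARM_TYPES = ("leak", "falsification", "error", "unavailable")

@dataclass
class Asset:
    name: str
    owner: str                # who holds management responsibility
    personal_info: bool       # does it contain personal information?
    impact: dict              # impact rating (1-3) for each harm type
    threat_likelihood: int    # likelihood of the threat occurring (1-3)
    vulnerability_ease: int   # ease of exploiting the vulnerability (1-3)

def _rating(value, label):
    # Reject missing or out-of-range ratings instead of silently skewing results.
    if value not in (1, 2, 3):
        raise ValueError(f"{label} must be 1, 2 or 3, got {value!r}")
    return value

def importance(asset):
    # Importance is the worst-case impact across leak/falsification/error/unavailability.
    return max(_rating(asset.impact.get(h), f"{asset.name} impact[{h}]") for h in HARM_TYPES)

def damage_probability(asset):
    # Constructed rule: add the two factors (2-6) and map the sum to a 1-3 rating.
    total = (_rating(asset.threat_likelihood, "threat_likelihood")
             + _rating(asset.vulnerability_ease, "vulnerability_ease"))
    return 1 if total <= 3 else 2 if total <= 5 else 3

def risk_value(asset):
    # The article's formula: risk value = importance x probability of damage occurring.
    return importance(asset) * damage_probability(asset)

def prioritize(assets, threshold=6):
    # Highest risk first; True marks assets whose risk reaches the threshold for measures.
    ranked = sorted(((a.name, risk_value(a)) for a in assets), key=lambda p: (-p[1], p[0]))
    return [(name, risk, risk >= threshold) for name, risk in ranked]

# Constructed sample ledger (not real data)
LEDGER = [
    Asset("customer list", "sales manager", True,
          {"leak": 3, "falsification": 2, "error": 2, "unavailable": 2}, 3, 2),
    Asset("cafeteria menu", "general affairs", False,
          {"leak": 1, "falsification": 1, "error": 1, "unavailable": 1}, 2, 3),
    Asset("payroll database", "HR manager", True,
          {"leak": 3, "falsification": 3, "error": 3, "unavailable": 2}, 1, 1),
]
```

Running `prioritize(LEDGER)` ranks the customer list first (risk 6, countermeasures needed) ahead of the payroll database (3) and the cafeteria menu (2), showing that a high-impact asset with a low probability of damage can rank below a moderate one that is easy to attack.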


First, let's check our company's basic policy.

How was it? The basic policy and way of thinking introduced in this article are just one example. As stated many times already, basic policies differ depending on the characteristics and philosophy of each organization. Rather than reprinting the basic policies published by other companies, think about what kind of basic policy your own company needs. It is important for management to take the lead and consider the issue thoroughly.


[Reference sites]
・Overview and purpose of information security policy | Ministry of Internal Affairs and Communications
・Information Security Policy Sample Explanation | JNSA
・Guidelines for Information Security Measures for Small and Medium-sized Enterprises, version 3.1 | IPA

