Information Security and Business as Seen in the NIST SP800 Series .2 2. ISO/IEC17799 and NIST SP800


  • 1

2006-05-15

    NIST SP800

    IPA

    1. 20042005

    2005 3 2005 8

    2005 10 2006 2BCP1BCP

    BCP

    BCPBCP BCP/BCM2

    ITBCP

    (Disaster Management in Japan) 13(1880) 21(1946) 34(1959)

    IT IT

1 BCP: Business Continuity Planning
    2 BCM: Business Continuity Management

  • 2

    2. ISO/IEC17799NIST SP800 Contingency Plan

NIST (3) Special Publications (SP, 4) covering contingency planning and computer security incident handling:

    SP800-12 An Introduction to Computer Security: The NIST Handbook (1995), chapter 11 PREPARING FOR CONTINGENCIES AND DISASTERS and chapter 12 COMPUTER SECURITY INCIDENT HANDLING
    SP800-34 Contingency Planning Guide for Information Technology Systems (June 2002)
    SP800-61 Computer Security Incident Handling Guide (January 2004)
    SP800-83 Guide to Malware Incident Prevention and Handling (November 2005)

    ISO/IEC17799

    Compliance ( 11 )

    Business continuity management ( 5 )

    Systems development & maintenance ( 18 )

    Access control ( 31 )

Communications & operations management ( 24 )

    Physical & environmental security ( 13 )

    Personnel security ( 10 )

    Asset classification & control ( 3 )

Security organization ( 10 )

    Security policy ( 2 )

ISO/IEC 17799:2000 (JIS X 5080)

    Information security incident management ( 5 )

    Compliance ( 10 )

    Business continuity management ( 5 )

    Information systems acquisition, development and maintenance ( 16 )

    Access control ( 25 )

    Communications & operations management ( 32 )

    Physical & environmental security ( 13 )

    Human resources security ( 9 )

    Asset management ( 5 )

    Organizing information security ( 11 )

    Security policy ( 2 )

ISO/IEC 17799:2005 (JIS Q 27002)

ISO/IEC 17799:2000 (JIS X 5080) and ISO/IEC 17799:2005 (JIS Q 27002)

3 NIST: National Institute of Standards and Technology
    4 SP: Special Publications (NIST)

  • 3

    ISO/IEC17799:2000(2000) 109Business Continuity ManagementISO/IEC17799:2005(2005)(Information Security Incident Management) 1110Business Continuity Management2000 2005

ISO/IEC17799:2000 (JIS X 5080), clause 11, 11.1 Aspects of business continuity management

ISO/IEC17799:2005, clause 14, 14.1 Information security aspects of business continuity management

    2000 Aspects of business continuity management2005 Information security aspects of business continuity management2005

  • 4

    2000 2005

    2000JIS X 508011.1.2

    2005 214.1.2

    20002005 3. BCPContingency Plan5 17 3 INTAP 16

    ITDR6

    ITDR

    ( IT)ITDRITIT IT

    IT BCP IT IT INTAP IT 1 2006 3ITDR

5 Contingency Plan:
    6 ITDR: IT Disaster Recovery

  • 5

    IT Disaster RecoveryIT Contingency PlanningBCPContingency PlanDisasters Recovery Plan(Incident Response Plan)

    BCPContingency Plan BCP CPBCP CPBCP

    BCP

    NIST SP800-34 IT 7BCPBCP IT IT 2001 9 11

    9,000

BCP BCP BCM BCM BCM IT (2004 3) 44.3 http://www.bcijapan.jp/documents/BCM_survey.pdf
    7 NIST SP800-34 Contingency Planning Guide for Information Technology Systems (IT) SP800-34 IT SP800-34

  • 6

    IT IT ISO/IEC17799

    BCPIT IT IT

    2004 10

    CSR IT

    NISTITNIST SP800-34 ITIT NIST SP800-342.2 IT

IT SP800-34 (8) plan types:
    BCP: Business Continuity Plan
    BRP: Business Recovery (or Resumption) Plan
    COOP: Continuity of Operations Plan
    Continuity of Support Plan / IT Contingency Plan
    Crisis Communications Plan
    Cyber Incident Response Plan

  • 7

DRP: Disaster Recovery Plan
    OEP: Occupant Emergency Plan
    IT: "not business process focused" (NIST, SP800-34)

    not business process focused

    SP800-34 IT IT

    IT ITIT ITSP800-34

    IT

12 6.3.2 BCP http://www.bits.go.jp/active/general/pdf/k303-052.pdf

    4. NIST SP800-34 8 2 IT

    Reference Model

  • 8

    NIST SP800-34 2.2 IT

"Ultimately, an organization would use a suite of plans to properly prepare response, recovery, and continuity activities for disruptions affecting the organization's IT systems, business processes, and the facility." (shall / should / would; SP800-34, NIST)

    NISTIT

    IT

    (BCP)

    (OEP)

    (DRP)

    /IT

    (COOP)

    (BRP)

    2

    IT IT

  • 9

    NISTIT BCP/BCMISO2BCI8Good Practice GuidelinesBSIPAS956 Guide to Business Continuity ManagementNFPA10NFPA1600Standard on Disaster/Emergency Management and Business Continuity Programs20042

NFPA1600 Annex A (Explanatory Material), A.5.3.2: "The hazard identification should include, but is not limited to, following types of potential hazards:" (...) SARS

    5.

    DRII11BCI10

    1 2 3 4

8 BCI: The Business Continuity Institute
    9 PAS: Publicly Available Specification (PAS56)
    10 NFPA: National Fire Protection Association
    11 DRII: Disaster Recovery Institute International (1988)

  • 10

    5 6 7 8 9 10 Co-ordination with External Agencies

    BCP

    BCPWebWebWeb

    ITIT

    IT

    6. ISO/IEC17799SP800-53 SP800-34NISTSPISO/IEC17799SP800-53 Recommended Security Controls for Federal Information SystemsISO/IEC17799 SP800-53 ISO/IEC17799:200511 133SP800-5317 160ISO/IEC17799:2005 5 SP800-53 IT9

  • 11

    NIST SP 800-53 3 1

    CPCP-1

    SC

    AU

    AC

    IA

    AT

IR (Incident Response)

    MP

    SI

    MA

    CM

CP (Contingency Planning)

    PE

    PS

    CA

    SA

    PL

    RA

3: SP800-53 CP (Contingency Planning) family

    CP-1

    CP-2

    CP-3

    CP-4

    CP-5

    CP-6

    CP-7

    CP-8

    CP-9

    CP-10

    17163

    Information security incident management

    Compliance

    Business continuity management

    Information systems acquisition, development and maintenance

    Access control

    Communications & operations management

    Physical & environmental security

    Human resources security

    Asset management

    Organizing information security

    Security policy

ISO/IEC 17799:2005

    4: ISO/IEC17799:2005 (BCP)

14.1 Information security aspects of business continuity management
    14.1.1 Including information security in the business continuity management process
    14.1.2 Business continuity and risk assessment
    14.1.3 Developing and implementing continuity plans including information security
    14.1.4 Business continuity planning framework
    14.1.5 Testing, maintaining and re-assessing business continuity plans

    11133

  • 12

    SP SP800-53 SP800-53

    SP800-30 Risk Management Guide for Information Technology Systems ( IT)CP(SP800-34 Contingency Planning Guide for Information Technology SystemsITIRSP800-61 Computer Security Incident Handling Guide SP800-83 Guide to Malware Incident Prevention and Handling ( IPANRI()2006 3 12 SP800-53SP800-34SP800-61WebSP800-83 6. SP800-34 IT

    SP800-34IT

    IT

    SP800-34 1. 2. 3. 4. 5. 7 6. 7.

    6.1 IT

    IT

    SP800-34 ITIT

  • 13

    SP800-34

    IT

    IT ISO/IEC17799:2005 10.4.1

    6.2

    SP800-342.3

SDLC: System Development Life Cycle (IT)

    6.3

  • 14

    IT IT

    4

    6.4 IT SP800-347 (1) (2) (3) (4) (5)IT (6) (7) ITIT 6

    6 IT

    LANWAN

    LANWAN

    1. 2. 3. 4.

    2.

    IT

    LANWAN

    LANWAN

    8

SOP (Standard Operating Procedure)

  • 15

    7. SP800-34DIT

    :

  • 16

http://www.meti.go.jp/report/downloadfiles/g50331d06j.pdf
    http://www.meti.go.jp/report/data/g50331dj.html
    http://www.bcijapan.jp/documents/guideline01.pdf
    http://www.bousai.go.jp/MinkanToShijyou/shiryou4.pdf
    (Disaster Management in Japan) http://www.bousai.go.jp/panf/saigaipanf.pdf
    IT http://www.bcijapan.jp/documents/BCM_survey.pdf
    INTAP 16 (17 3) http://www.net.intap.or.jp/INTAP/information/report/16-business-report.pdf
    http://www.boj.or.jp/about/03/data/sai0307a.pdf
    (2003 7) http://www.boj.or.jp/set/03/data/fsk0307a.pdf
    BCP (2004 6 23) http://www.tse.or.jp/guide/bcp/bcp2004.pdf
    Business Continuity Management Good Practice Guidelines (2005) http://www.thebci.org/goodpracticeguidetoBCM.pdf
    NFPA 1600 Standard on Disaster/Emergency Management and Business Continuity Programs 2004 Edition http://www.state.nj.us/njoem/pdf/nfpa1600.pdf
    NIST SP800: http://csrc.nist.gov/ and http://www.ipa.go.jp/security/publications/nist/
    SP800-12 An Introduction to Computer Security: The NIST Handbook (October 1995)
    SP800-34 Contingency Planning Guide for Information Technology Systems (IT) (June 2002)
    SP800-61 Computer Security Incident Handling Guide (January 2004)
    SP800-83 Guide to Malware Incident Prevention and Handling (November 2005)
    SP800-53 Recommended Security Controls for Federal Information Systems (February 2005)

  • 17

    ISO/IEC17799 JIS X 5080 ISO/IEC 17799:2000 ISO/IEC 17799:2005

http://www.bits.go.jp/active/general/pdf/k303-052.pdf (2005 12)

    http://www.