Guidelines for IT Security Policy
(Provisional translation)

July 18, 2000

Decisions Made by the IT Security Promotion Committee




Contents


  1. BACKGROUND

  2. BASIC CONCEPT
    1. SIGNIFICANCE
      (1) Necessity of information security policies
      (2) Characteristics of information security
    2. GOVERNMENT'S BASIC CONCEPT OF INFORMATION SECURITY
    3. DEFINITIONS
    4. TARGET OF APPLICATION
    5. POLICY DISCLOSURE
    6. CONSIDERATIONS ABOUT POLICY

  3. GUIDELINES FOR INFORMATION SECURITY POLICY
    1. POSITIONING AND BASIC STRUCTURE OF THE SECURITY POLICY
    2. PROCEDURE FOR SETTING UP THE POLICY
      (1) Outline of the procedure
      (2) Organization and system for setting up the Policy
      (3) Mapping the basic guidelines
      (4) Analyzing the risk
        1) General
        2) Inquiry to information assets
        3) Classification by importance
        4) Risk assessment
        5) Countermeasures against risks
      (5) Formulating the standard of measures
        1) Configuration
        2) Organization and system
        3) Classification and management of information
          (i) Management responsibility of information
          (ii) Classification and management of information
        4) Physical security
        5) Human security
          (i) Role, responsibility, and exemption
          (ii) Education and training
          (iii) Reporting of incidents and defects
          (iv) Password management
          (v) Employment of part-time and temporary staff and their employment agreement
        6) Technical security
          (i) Management of computers and networks
          (ii) Access control
          (iii) Development, implementation and maintenance of systems
          (iv) Countermeasures against computer viruses
          (v) Collection of security information
        7) Operation
          (i) Monitoring of information systems and ensuring policy observance (operation management)
          (ii) Considerations in operation management
          (iii) Contingency plan
          (iv) Operation agreement for consignment to outside contractors
        8) Compliance with laws
        9) Actions taken against violation of information security policy
        10) Assessment and review
          (i) Auditing
          (ii) Inspection
          (iii) Updating the Policy
      (6) Decision of the Policy
    3. INTRODUCTION
      (1) Outline of introduction
      (2) Preparation of implementation procedure
      (3) Conformity to the Policy
      (4) Distribution and briefing
    4. OPERATION
      (1) Operation management
      (2) Actions taken in case of intrusion
        1) Training
        2) Notes for liaison
        3) Notes for investigation
        4) Notes for taking actions
        5) Prevention of repeated intrusions
    5. ASSESSMENT AND REVIEW
      (1) Auditing
      (2) Updating the Policy
      (3) Reflection to the Guidelines

  4. APPENDIX
    1. GLOSSARY
    2. FOR REFERENCE
