December 2000
Branch for IT Security
Cabinet Office for National Security Affairs and Crisis Management
1. Guidelines for IT Security Policy
The guidelines are part of the basic guidelines on information security for the entire government. They serve as a reference manual for the ministries and agencies in drawing up the Policy and indicate the minimum measures that each ministry and agency should provide.
2. Outline of Information Security Policy
(1) Keeping the security level high through the management cycle for the Policy
To keep the security level high, it is necessary not only to set up the policy but also to introduce it appropriately and to evaluate and review it repeatedly. That is, the cycle is: Setting up the policy - Introduction - Operation - Evaluation and review.
(2) Establishing the organization and system
By selecting a Chief Information Security Officer and establishing the "Information Security Committee," the organization and system are established, and the commitment of the organization's executives to policy making and the responsibility of each member are made clear.
(3) Implementing comprehensive measures
Physical security: installation of proper facilities, entry/exit management, etc.
Human security: education, training, and password management, etc.
Technical security: management of networks, access control, etc.
Operation: monitoring of information systems, contingency plan, etc.
(4) Setting up the implementation procedures
To put the Policy into operation in actual work or in the information system, the implementation procedure has to be determined by the relevant departments and bureaus.
3. Future
Individual ministries and agencies of the government should draw up an information security policy based on these guidelines by December 2000.