Outline of "Guidelines for IT Security Policy"

December 2000

Branch for IT Security
Cabinet Office for National Security Affairs and Crisis Management

1. Guidelines for IT Security Policy

The guidelines are part of the basic guidelines on information security for the entire government. They serve as a reference manual for the ministries and agencies in drawing up the Policy and indicate the minimum measures that each ministry and agency should provide.

2. Outline of Information Security Policy

(1) Keeping the security level high through the management cycle for the Policy
To keep the security level high, it is necessary not only to set up the policy but also to introduce it appropriately and to evaluate and review it repeatedly. That is, the cycle runs: setting up the policy - introduction - operation - evaluation and review.

(2) Establishing the organization and system
By selecting a Chief Information Security Officer and establishing the "Information Security Committee," the organization and system are put in place, and the commitment of the organization's executives to policy making and the responsibility of each member are made clear.

(3) Implementing comprehensive measures
Physical security: installation of proper facilities, entry/exit management, etc.
Human security: education, training, and password management, etc.
Technical security: management of networks, access control, etc.
Operation: monitoring of information systems, contingency plan, etc.

(4) Setting up the implementation procedures
To put the policy into operation in actual work or in the information system, the implementation procedures have to be determined by the relevant departments and bureaus.

3. Future

Individual ministries and agencies of the government should draw up an information security policy based on these guidelines by December 2000.