Remarkable trends in cyber security
Corporate challenges identified by the Cyber Security Management Guidelines
Overview of the Guidelines
In December 2015 the Ministry of Economy, Trade and Industry (METI) and the Information-technology Promotion Agency (IPA) issued the "Cyber Security Management Guidelines." These guidelines position cyber security as an important management task, and identify three cyber security principles that top management must adopt and 10 important items that must be executed with a top-down approach. The guidelines target people in top management.
The 10 important items can be divided into four categories: demonstration of leadership by top management and constructing systems for cyber security; determining a framework for cyber security risk management; measures to prevent attacks based on risk management; and preparations for cyber attacks. The guidelines do not stop at measures to prevent cyber attacks on the company itself: they also advise top management to implement business-wide measures that include the supply chain (business partners), and to devise measures for responding to security incidents such as malware infections and internal information leaks.
Overview of simple risk assessment
NEC has released a simple diagnostic tool on its website called "Simple Risk Assessment Based on Cyber Security Management Guidelines" (hereafter referred to as the Simple Diagnosis) that customers can use to determine the status of their own security measures.
Excerpt of questions (category: Demonstration of leadership by top management and constructing systems for cyber security)

| No. | Question |
|---|---|
| Q1 | Does your company have an information security policy (*1), and has it been published within the organization under the auspices of top management? |
| Q2 | Has the information security policy been made public under the name of the president so as to advertise your security policy? |
| Q3 | Does the information security policy include measures against cyber attack threats? |
| Q4 | Is there someone in top management, such as a CISO (*2), who is primarily responsible for security activities? |
| Q5 | Has a security risk management framework (*3) been constructed to respond to cyber attacks? |
The Simple Diagnosis consists of twenty yes-or-no questions in four categories that are based on the 10 important items in the Cyber Security Management Guidelines. The answers are checked against the Guidelines to determine the status of the company's security measures. There are six possible results: "The four categories are generally covered"; four types of "Notes concerning the most problematic category"; and "Problems in all four categories." Customers receive advice on security measures according to their result.
People who have taken the Simple Diagnosis can download an overview of the Management Guidelines and a manual of case studies on the measures that NEC has implemented based on these Guidelines.
Excerpt from diagnosis results and advice
"Your procedures for implementing measures to respond to a cyber attack and your practical training for such a case may be insufficient."
"Under your current conditions, if a cyber attack were to occur you would not be able to promptly determine the cause or scope of the damage, so that the damage may spread. Once the damage spreads, it will take longer than necessary to recover, which will increase the severity of the damage."