IT Security Policy in Japan 23 September 2002 Office of IT Security Policy Ministry of Economy, Trade and Industry JAPAN

Upload: lynn-greer

Post on 25-Dec-2015


IT Security Policy in Japan

23 September 2002

Office of IT Security Policy

Ministry of Economy, Trade and Industry

JAPAN


Outline of the presentation

1 Security of information systems and networks
  (1) Best practices
  (2) Protection of critical infrastructure
  (3) Cyber-crime and terrorism

2 Information security
  (1) Cryptography Policy
  (2) Electronic signatures and authentication
  (3) Certification and good security practices


1.(1) Best practices

• The significance of best practices in IT security.
  • “Elimination of possibilities of service suspension which may have a great influence upon every day life of the Japanese and their socioeconomic activities (e-Japan Priority Policy Program 2002).”
  • Need for awareness and understanding of the significance of IT security. Need for best practices in IT security.
• OECD Security Guidelines.
  • Japan hosted a workshop in Tokyo in cooperation with the OECD Secretariat and IPA with a view to facilitating the review of the 1992 Security Guidelines.
  • Japan is promoting the OECD Security Guidelines as best practices.
• Electronic government (e-government)
  • Japan has set the goal of becoming the world’s most advanced IT nation within 5 years (e-Japan Priority Policy Program 2001).
  • An e-government, which treats electronic information in the same way as information on paper, will be realized by 2003 (e-Japan Priority Policy Program 2001).
  • IT security evaluation (ISO/IEC 15408) and standardization of cryptographic techniques for procurement by an e-government.


1.(2) Protection of critical infrastructure

• Adoption of Special Action Plan on Fighting Cyber-terrorism against Critical Infrastructure (December 15, 2000) / Follow-up Measures to the Special Action Plan (March 28, 2002)
• Target Areas of Critical Infrastructure: Telecommunications, finance, aviation, railroads, electrical power, gas.
• Cyber Terrorism Countermeasures by Government and the Private Sector:
  (1) Prevention of damage (raise security level)
  (2) Establish and enhance communication and coordination systems between government and the private sector
  (3) Detection and emergency response to cyber attacks through cooperation between government and the private sector
  (4) Establish foundations of information security
  (5) International cooperation
• Foundation of National Incident Response Team (NIRT) (March 28, 2002)
• Action Plan for Ensuring IT Security of Electronic Government (October 10, 2001)
• Establishment of Cyber Force (National Police Agency) (April 1, 2002)
  • A mobile technical unit in National Police Agency.


1.(3) Cyber-crime and terrorism

• G8 Lyon Group High-tech SG
  • Japan participates in high-tech SG activities. Japan hosted the Industry-Government Joint Conference in Tokyo in April of 2001. LG adopted the Traceability recommendation and other documents.
• Council of Europe Convention on Cyber-crime.
  • Japan signed the Convention in November of 2001. It is now preparing for the ratification of the Convention. Password procurement, virus production, child pornography, preservation order, real time tracing, jurisdiction are in question.
• Businesses’ need for confidentiality must not be sacrificed to the needs of law enforcement agencies. An appropriate balance between the two is required.


2.(1) Cryptography Policy

• Adopting a list of recommendable cryptographic techniques
  • MPHPT and METI should aim at adopting a list of recommendable cryptographic techniques for e-government by FY 2002 for the purpose of facilitating procurement by e-government (Action Plan for Ensuring IT Security of Electronic Government (October 10, 2001)).
  • MPHPT and METI organized CRYPTREC, which is to draft the list by the end of March 2003.
  • After the adoption of the list, CRYPTREC may deal with issues such as a cryptographic module validation program and monitoring of recommendable cryptographic techniques.
• Correspondence with ISO/IEC international standardization
  • ISO/IEC agreed in April 2001 to standardize cryptography. Japan proposes its own cryptography to the standardization process at ISO/IEC.


2.(2) Electronic signatures and authentication

• “Electronic Signatures Law” entered into force on April 1, 2001
• Aim of “Electronic Signatures Law”
  • Promotion of EC through securing the smooth utilization of electronic signatures
  • Improving citizens’ quality of life and the sound development of the national economy
• Content of “Electronic Signatures Law”
  • Presumption: To establish the legal position of electronic signatures
  • Presumption given when electronic documents are accompanied by electronic signatures
  • Voluntary accreditation: To ensure the reliability of CA
  • Voluntary accreditation of certification service (Article 4 to Article 16)
  • Designated investigating organization (Article 17-32)
  • Penalties (Article 41-47)
• Other items
  • Support, etc. for certification service (Article 33)
  • Public education activities and public information activities (Article 34)


2.(3) Certification and good security practices

• ISO/IEC 15408
  • In April of 2001 Japan started the evaluation and certification scheme for government use of IT products to promote secure e-Government. This scheme evaluates the security function and quality of IT products (software, hardware and systems).
  • Concerning the scheme, NITE (National Institute of Technology and Evaluation) is in charge of certification.
  • Japan also plans to participate in the Common Criteria Arrangement in 2003, and is discussing this with CC Arrangement members.
• IS Management Scheme based on ISO/IEC 17799
  • In April of 2002 JIPDEC (Japan Information Processing Development Corporation) started ISMS (Information Security Management System), a new accreditation system based on ISO/IEC 17799 for any kind of service dealing with information, replacing IAS (Information-Processing Accreditation Scheme, the original Japanese accreditation system for security evaluation of information-processing services).
  • JIPDEC accredited 3 certification bodies and they issued certifications to 37 companies in 2001 under the pilot project. In April of 2002, JIPDEC started the ISMS officially.


Thank you