IT
IT
Study on organizational enhancement of IT infrastructure in a National University Corporation: From the viewpoint of IT governance
IT
WG
WG
IT
Information Security Management System (ISMS), ISO/IEC 27001
Abstract
In universities, many information systems are introduced in each field of education, research, and management. Recently, those information systems are constantly exposed to threats connected with information security. In fact, there may also be many information systems which school staff have introduced freely for reasons required in education or research, and some of them hold vulnerabilities in information security. Moreover, differences in character code systems can be a cause of difficulty in the exchange of data. At the time of incorporation of Yamaguchi University, there was no system to unify the university as a whole in maintaining and managing the development and operation of information systems in the university, and it was extremely difficult to grasp the whole picture. Therefore, it was considered urgent to concretize a mechanism by which the University Executive Division gains control of the information systems within the university. As leadership by the university executive department, including the president, was required along with incorporation, it was necessary to grasp the on-campus information systems in order to promote efficient IT development while
maintaining compatibility across the whole university, and it was necessary to add consideration from the viewpoint of the whole school and from the viewpoint of information security protection. However, at that time there were no national universities with mechanisms satisfying both requirements. Therefore, in order to satisfy these requirements, we devised a notification system for campus information systems and realized it within Yamaguchi University. Specifically, it is a mechanism in which a notice on each campus information system (henceforth a "notification matter") introduced and operated within the campus is submitted to the committee (henceforth the "committee") which takes charge of intramural information infrastructure maintenance, and is examined by the committee. This notification system is managed by a working group (henceforth "WG") set up within the committee, using a computer system (henceforth the "notification matter management system") for recording and managing the life cycle of a notification matter, based on an intramural rule that makes notification a duty. When a notification matter meets predetermined conditions, the WG holds a consultation on the notification matter and asks the person who submitted the notice for the required improvement of that matter. By introducing and operating this notification system at our university, the effect of resolving problems in some notification cases that might previously have been overlooked was recognized, and the effectiveness of this system for the improvement of IT infrastructure in the university was confirmed.
On the other hand, since incidents related to information security are becoming more frequent, an Information Security Management System (ISMS), for managing information security matters at an organizational level instead of at a departmental or individual level, is being requested even in universities. Moreover, it is important that the organization is actually operated in accordance with the ISMS, and it is necessary to objectively confirm both the mechanism and the activity. In Japan, there is a scheme under which a third-party organization certifies the conformity of an ISMS constructed so as to conform to ISO/IEC 27001. This scheme is called the "ISMS Conformity Assessment Scheme". More specifically, an organization outside the university certifies, through an advice-type audit, that the ISMS subject to audit is actually being operated according to the above-mentioned international standard. At the time of incorporation of the national universities, it was hard to say that the university executive departments grasped and controlled the information assets of their university corporations, and there were no national university corporations that had established an ISMS. At our university, an ISMS has been developed and certified under the aforementioned certification scheme. An ISMS requires an ISMS manual that specifies a code of conduct for information security in operations. To construct an ISMS at a national university corporation, "A sample regulation collection for information security measures of higher education institutions" is provided, but when it is applied to a national university corporation, it needs to be adjusted to a form suitable for the university corporation. In addition, insufficient points can be seen in the mechanism for ensuring the substantial operation of the ISMS.
In this paper, the importance of the audit carried out by an organization outside the university and the effects it provides are described based on the knowledge obtained through construction and operation of the ISMS at Yamaguchi University. Then, for other universities aiming to construct their own ISMS, we propose constructing an effective ISMS by including the mechanism of an audit carried out by an organization outside the university, taking advantage of the ISMS Conformity Assessment Scheme.
1
1.1 1.2 1.3 1.42
IT
2.1 2.2 IT 2.3 IT 2.4 IT 2.5 IT 2.63
3.1 3.2 IT 3.2.1 3.2.2 3.2.3 IT 3.3 IT 3.3.1 IT 3.3.2 3.4 3.4.1 3.4.2 3.4.3 3.4.4 3.4.5 3.4.5.1 3.4.5.2 1 4 5 8 9 9 12 12 14 17 18 18 18 19 22 23 23 26 27 27 29 30 32 34 34 353.4.5.3 3.4.6 3.4.6.1 3.4.6.2 3.4.6.3 3.4.6.4 3.5 3.5.1 3.5.2 3.5.2.1 3.5.2.2 3.5.2.3 3.6 3.6.1 3.6.2 3.6.3 3.7
4
ISMS
4.1 4.2 ISMS 4.3 4.3.1 ISMS 4.3.2 ISMS ISMS 4.4 ISMS 4.4.1 4.4.2 ISMS 4.4.3 ISMS 4.4.4 ISMS 4.5 ISMS 4.5.1 36 36 36 37 38 38 39 39 41 41 43 45 50 50 52 54 55 56 56 57 57 57 58 58 59 61 61 62 624.5.2 ISMS 4.5.3 ISMS 4.5.4 ISMS 4.5.5 4.5.6 4.6
5
5.1 5.2 IT 62 63 64 66 67 67 69 70 73 751
1.1
2004 16 J-SOX CSR IT IT IT EA Enterprise Architecture 2006 3 IT 3-6 1-1 SE1-1
1-2
1-2
UML(Unified Modeling Language)
1-2
HIPACE SDEM
2004
[4]
[4]
ERP Enterprise Resource Planning)
IT
2011 2 [8] 2010 1 197 ( IT CIO CISO
1.2
IT 2 (1) (2) IT IT1.3
3 1 IT 2 3 1 IT IT IT IT IT 2 2 CIO IT CIO IT [16] IT p.12 IT IT IT ITIT WG 2004 3.4.3 2010 2011 2 [8] 2010 1 197
CIO
3
3 (ISMS: Information Security Management System)
2
ISMS
ISO/IEC27001 [1] JIS JIS Q 27001
JIPDEC (Japan Institute for Promotion of Digital Economy and Community) 2016 9 5,000
ISMS
2007
ISMS 2008 ISMS ISMS
ISO/IEC27001
ISMS
ISMS
ISMS ISMS ISMS 2007 [10] ISMS 4
1.4
2 5 2 1 IT IT 3 2 2 CIO 4 3 1 ISMS CIO IT ISMS ISMS [10] 5 ISMS 2 IT2
IT
2.1
1 2.2 IT IT 2.3 2.4 IT 2.52.2
IT
IT [18] 40 [22] 11 4 15 15 7 6 10 16 4 [11] 74 1 2 3 4 [11] 16 3 IT IT IT 1 30 2 1
IT
2-1
11
IT
IT 1 IT
2.3 IT
IT IT IT IT ICT IT 2000 2004 4 OECD OECD 2006 IT IT 3 IT IT2. 4 IT
IT IT IT5 5 IT (1) (5) (5) IT IT (1) IBM IT (5) 2006 6 CIO IT [16] (1)IT IT IT IT IT IT [9] (2) IT [6] (3) IT [6] (4) IT IT [24] (5)IT IT [16] IT 2 4 1 IT IT IT
4 (5) IT IT IT IT 6 IT IT 2016 6 IT IT IT IT IT IT IT
2.5
IT
2006 CIO IT [16] 82 IT 3 (a) IT (b) IT (c) IT(a) p.23 CIO IT A CIO B IT C D CIO IT E CIO IT IT [21] 2005 CIO CIO CIO IT CIO 22 CIO 2-2 IT 3 C IT B IT IT CIO 1 A CIO CIO CIO CISO IT
C IT IT p.22 IT IT IT IT IT IT 2-2 CIO
2. 6
IT IT IT
3
3.1
2 1 2 2 1 2 2 3.2 IT 3.3 3.4 3.5 3.6 3.73.2
IT
3.2.1 IT IT 2 [5] 738 5 35 74 69 8 [5]69 IT 3.2.2 IT IT
CIO CIO CIO
CIO CIO IT 1 CIO 2-2 CIO 3 1 IT 1 1 3 IT
IT
30 2
CIO 3 CIO
[19]
3.2.3 IT IT IT IT IT CIO
3-1 2 3-2 2 A A B B
3.3
IT
3.3.1 IT IT3-1
CIO 3-1 3-1 2010 CIO CIO 3-1 1 3-1 CIO 8 14.0 12 21.1 0 0.0 6 10.5 11 19.3 16 28.1 4 7.0 57 100.0
IT 3.3.2 1 DBMS 1 7 3 CIO 3-2
1 3-2
3.4
3.4.1 IT 11 3-3 WG3.3.2
1
3-3
IT
3-3
1
(1) (2) B 3.4.3 3-4 CIO A 1-1 1-2 A B C 3 B C A B C: A 2
A 3 3-1 3-2 3-3 3 3-1 3-2 3-3 3-4 3-5 Web 3-5 Web 3.4.4 3-6
4 3-7
3-3
3-7 Web 3.4.5 3.4.5.1 M M M M M
(1) M (2) M (3) M (4) M (1) M (2) 2 (3) M (4) M 3.4.5.2 2010 12 100 70 30 DB CIO IT (1) (2)
(3) IT 2 3.4.5.3 IT IT 3.5.1 3.4.6 3.4.6.1 2010 9
CIO (1) CIO (2) (3) (1) (2) (3) 1 [3] 3 CIO 3.4.6.2 (1) (2)
(3) 1 (4) WG 3 2 3.4.6.3 3.4.6.4 2011 3 2011 3-8 2011 10 1 10 3-8 2010 13 2
3-8
3.5
3.5.1 2010 9 3.4.6 (1) 2011 3-4 (2) (3)IP 3-4 (4) 4 1 1 (5) CIO CISO (6) (7) 3-4 6 3-5 3.4.3 A Web
(8) 2 a b 3.5.2 3.5.2.1 2011 1 3-6 3-9 1 1 PC 3-4 LAN LAN 1 2 ( ) 3 4 PC 5 6 7
3-5 (1) ( / / ) ( / / ) (2) ( / /IP ) ( / / ) ( / / ) / / 1 2013 9 3 516 125 391 CIO 2011 7 1 2012 7 3-6 1 2011.1 2011.6 22 4 26 2 2011.7 2011.12 38 116 154 3 2012.1 2012.6 37 245 282 4 2012.7 2012.12 8 12 20 5 2013.1 2013.6 17 6 23 6 2013.7 2013.9 3 8 11 7 125 391 516
3-9 3.5.2.2 125 396 1 1 3-7 3-7 150 (38%) 91 (23% IT COBIT[2]/[17] PO COBIT COBIT
COBIT (Control Objectives for Information and related Technology), ISACA (Information Systems Audit and Control Association), ITGI (IT Governance Institute), IT Ver.4.1, Ver.5
COBIT IT 4 domains: PO; AI; DS; ME
COBIT 4 IT 3-7 1 55 2 20 3 16 4 22 5 128 6 30 7 IT 57 8 35 9 33 10 396 CIO CIO
3.5.2.3 4 1 1 3-10 Moodle Moodle
Moodle (Learning Management System: LMS; Course Management System: CMS) 1 Moodle
URL: http://www.cc.yamaguchi-u.ac.jp/guides/moodle/
2 DB 3-11 DB DB DB DB DB DB DB DB DB 3-11 2 DB
3
3-12 (BCP: Business Continuity Planning)
BCP
1
2
4 3-13
3-13
3.6
3.6.1 3 (1) 3-7 1 75 19% PC Web PC PC 3.5.2.2 150 38% 3 4 (2) 3-7 7 57 ( 14%) 3.5 3-10 1 Moodle 100 3-8 3-8 /3-8 3.6.2 3-7 1 3-7 6 8 (3) IT IT [16] IT IT 3-7 3 16 4% CIO CISO IT
3.6.2
IT
1
2 1 Web Web 3 4
3 3 CIO CIO 3.6.3 516 250 130
3.7
1 3.6.1 3 (1) (2) (3) IT 3.6.2 3.6.3 1 1.2 (1) IT IT 1 3.6.2 44
ISMS
4.1
2
2 IT
IT
Information Security Management System ISMS ISMS http://www.isms.jipdec.or.jp/isms.html ISMS ISMS ISMS [10]
4.2
ISMS
ISMS ISMS 2012 [23] ISMS ITISMS ITSMS IT Service Management System
3
ISMS ISMS
4.3
4.3.1 ISMS ISO/IEC 27001[1] JIS ISMS ISMS ISMS 9 ISMS ISMS ISMS ISMS ISMS ISMS 4.3.2 ISMS ISMSISMS ISMS ISMS
4 4 ISMS ISMS ISMS ISMS 1 ISMS ISMS
ISMS 1 ISMS ISMS 4.5.6 PC ISMS ISMS ISMS
4.4
ISMS
4.4.1 ISMS ISMS ISMS ISMS ISMS ISMSISMS ISMS 2008 10 ISMS
20 URL http://www.mext.go.jp/a_menu/koutou/houjin/1289584.htm 2008 ISMS 3 2015 4-1 15 ISMS 12 2012 ISMS C ISMS
4-1 ISMS 1 2003/11/25 2 2005/3/16 3 2007/1/24 4 2007/11/25 5 2007/12/4 6 2008/10/24 7 2012/3/9 8 2012/3/22 9 2013/3/4 10 2013/4/23 11 2013/11/12 12 2014/3/6 13 2015/3/27 14 2015/3/27 15 2015/4/13 JIPDEC http://www.isms.jipdec.or.jp/lst/ind/search.cgi 2015 10 17 4.4.2 ISMS ISMS ISMS 4 ISMS 2 4-1 2015 ISMS ISMS ISMS ISMS 2 ISMS
4-1 ISMS 1 ISMS ISMS ISMS ISMS ISMS ISMS ISMS ISMS 9 1 ISMS
ISMS ISMS ISMS ISMS ISMS ISMS ISMS ISMS ISMS ISMS ISMS ISMS ISMS ISMS 4.4.3 ISMS ISMS 2015 13 4-1 ISMS ISMS 2014 [12] ISMS PDCA P A ISMS ISMS ISMS
ISMS PDCA (Plan, Do, Check, Act)
4.4.4 ISMS
ISMS ISMS
ISO/IEC27001 ISMS
2013 [10] ISMS ISMS
4.5
ISMS
4.5.1 ISO/IEC 27001 [15] 4 ISO/IEC 27001 JIS Q 27001 ISMS A 2 2.1.1 3 2.3.2 2.3.2 2 ISMS ISMS 4.5.2 ISMS ISMS ISMS ISMS ISMS ISMS ISMS ISMS 4.3 ISMS PDCA ISMS ISMSISMS 2 ISMS ISMS ISMS ISO/IEC 27001 A A C1001-01 C1001-02 C1001-03 B2152 4.5.3 ISMS 4.2 4 PDCA 4 C2401 ISMS ISMS 4
4-2 ISMS 2014 C 4-3 ISMS 4-2 ISMS CIO CISO ISMS 4-2 ISMS ISMS ISMS 4.5.4 ISMS ISMS ISMS JIPDEC ISMS [13] ISMS C2401 C3401 ISO/IEC27007:2011 ISMS ISO/IEC 27001 ISO/IEC 27001 9.2
ISMS
4-2
1 ISMS ISMS PDCA C 3 ISMS [16] C3500 1 C3501 a. b. c. d. e. f. g. h. i. j. 4.5.5 ISMS PDCA ISMS ISMS ISMS ISMS ISMS
4.5.6 ISMS ISO/IEC27001 5 ISMS ISMS ISMS 9 9.2 9.3 ISMS ISMS 4202 [14] 9 ISMS 5
4.6
ISMS 4.4 ISMS ISMS ISMS ISMS ISMS ISMS ISMS ISMS PDCA CISMS 1 1.2 (2) ISMS ISMS ISMS ISMS
5
5.1
IT IT 2 3 IT CIO IT 4 ISMS ISMS ISMS ISMS ISMS ISMS ISMSISMS ISMS PDCA C ISMS ISMS IT IT ) ) ISMS ISMS CIO
5.2
IT
IT 1 ICTICT I/O 2 A (1) (2) 2 (3) 3 3 [20] 2-1 G
a) b) c) CIO CISO A d) Web IT
BYOD (Bring Your Own Device), IoT (Internet of Things)
IR (Institutional Research)
[1] ISO/IEC (2013) ISO/IEC 27001:2013
[2] IT (2008) COBIT 4.1, ISACA
[3] (2006) pp. 56-57
[4] (2008)
[5] (2007) A) 15203033
[6] (2005) pp. 8-9
[7] (2011) ISMS, IPSJ SIG Technical Report, Vol.2011-IOT-14, No.6, pp. 1-6
[8] KDS (2011-2) http://www.janu-s.co.jp/mail_magazine_html_data/pdf/2011/h2302.pdf (accessed 2012-2-11)
[9] (2002) IT, p. 42
[10] (2015) http://www.nii.ac.jp/csi/sp/ (accessed 2016-5-10)
[11] (2002)
[12] (2014) ISMS, No.18, pp. 90-98
[13] JIPDEC (2014) ISMS
[14] JIPDEC (2014) ISMS, JIPDEC
[15] (2014) http://www.nisc.go.jp/active/general/kijun26.html (accessed 2015-11-5)
[16] CIO (2006) IT (IT), & Microsoft, p. 13
[17] IT (2008) COBIT, BP, p. 14
[18] (2006) 2005
[19] (2006) 2006-8-29
[20] (2008) -150, 2-1, http://www.nistep.go.jp/achiev/ftx/jpn/mat150j/pdf/mat150j.pdf (accessed 2014-2-24)
[21] (2005) 2005-12-28
[22] (1999) http://www.mext.go.jp/a_menu/koutou/houjin/03052701.htm (accessed 2016-7-18)
[23] (2012) ISO ISMS, No.16, pp. 197-199
[24] @IT, IT, http://www.itmedia.co.jp/im/articles/0302/28/news031.html (accessed 2016-12-28)
A
3 6 1. 2. 2 3. 2 4. 3-1 5. 3-2 6. 3-3(1) (2)
( (TEL ) (Mail )
( (TEL ) (Mail )
( ) (TEL ) (Mail )
(1) (2) (3)
<TEL> <TEL> <Mail> <Mail>
<TEL> <TEL> <Mail> <Mail> DBMS ( ) step step DB GB DB GB GB DB
B
(#115) (#364) (#441) (1) (2) (1) (2)(1) (2) (3) ( ) (1) (2) (3) (1) 16 (2) 16
C
ISMS
ISMS
Considerations in ISMS scope expansion
Yoshikazu NAGAI†, Katsumi TADAMURA†‡, Kakuji OGAWARA†‡
† Media and Information Technology Center, Organization for Academic Information, Yamaguchi Univ.
‡ Graduate School of Science and Engineering, Yamaguchi Univ.
ISMS
ISMS
Abstract
At Yamaguchi University, improvement activities in respect of information security are being advanced toward ISMS conformity certification. As the first step, a part of the organization was made the scope of the ISMS; the expansion of the ISMS scope is planned as the next step. When the expansion is executed, various kinds of work arise in this step. Education of the members of the newly added organization is required, as well as the revision of various documents. This paper reports the important matters in the case of ISMS scope expansion, focusing on the education of new staff.
(JIPDEC: Japan Institute for Promotion of Digital Economy and Community)
(ISMS: Information Security Management System) ISO/IEC 27001
JIS Q 27001 ISMS [1] JIPDEC 2014 3 27 4,493 [2] 10 8 7 ISMS 2008 10 1 ISMS 3 10 2 2 4 3 2
2 3 4 3 ISMS 1 ISMS C 2 1 A [3] 1 A B 1 ISMS [4] 2 1 B C 1 2 ISMS WG WG 10 ISMS ISMS WG 1 WG 4 1 ISMS WG 0 WG ( ) ISMS ISMS 1 WG 2 ISMS ISMS 3 ISMS ISMS ISMS 4 5 6 ISMS (ISMS ) ISMS 7
8 9 10 C A (1) ISMS ISMS ISMS (2) (3) (4) ISMS ISMS ISMS 3.1 ISMS [5] ISMS (1) ISMS 1 ISMS (2) ISMS ISMS (3) 4 (4) ISMS ISMS 3.2 ISMS 1 ISMS (1) ISMS ISMS PDCA(Plan-Do-Check-Act) 3 ISMS ISMS ISMS PDCA 1 ISMS (2 ISMS ) WG ISMS ISMS (2) ISMS WG WG
WG ISMS ISMS WG ISMS ISMS ISMS ISMS 3 a. b. c. ISMS ISMS WG 2 a. b. ISMS ISMS PDCA WG (3) ISMS ISMS ISMS 2 ISMS 2 ISMS 3
[1] JIPDEC, ISMS, http://www.isms.jipdec.or.jp/isms.html (accessed Apr. 24, 2014)
[2] JIPDEC, http://www.isms.jipdec.or.jp/lst/ind/suii.html (accessed Apr. 24, 2014)
[3] 15 (2011) pp. 67-68
[4] (ISMS), IOT, 2011-IOT-14(6), pp. 1-6, 2011-07-08
[5] ISMS 10. ISMS ISMS, ITSC 2007, pp. 86-91