Wednesday, August 22, 2007

The MIC has compiled the Information Security Management Guidelines for Telecommunications as a contribution to the establishment of information security management in the telecommunications business.

Background

Nowadays, with the increase in information security threats such as viruses, cyber-attacks and information leaks, organizations are being required to put in place information security management. With regard to this point, the Study Group on Next Generation IP-based Infrastructure (chaired by SAITO Tadao, Professor Emeritus, the University of Tokyo) stated in its second report (announced on July 7, 2005) that there was a need to establish and promote the guidelines for information security management for telecommunications business.

The MIC set up the Task Force on ISMS-T* (chaired by NAKAO Koji, General Manager, Information Security Department, KDDI Corporation) in February 2005. The group considered topics that should be taken into account in line with the implementation of information security management for telecommunications organizations. These have now been compiled as the Information Security Management Guidelines for Telecommunications (referred to below as "the guidelines").

* Information Security Management System for Telecommunications

Outline of the guidelines

The guidelines comprise controls, implementation guidance, etc., in 11 areas of information security management, to establish information security management within telecommunications organizations.

Future plans

The MIC will work in cooperation with telecommunications carriers and relevant industry organizations to implement the guidelines, and will propose these guidelines to the ITU (International Telecommunication Union) as a contribution to considering the information security management guidelines for telecommunications.


Background of Investigation

Comparison of Control in International Standards

Information Security Management Guideline for Telecommunications

Organization of the Guidelines



"FY2005 Competition Review in the Telecommunications Field"
-- Release of "Market Definition of Fixed Telephone Segment"

Upon implementation of the "FY2005 Competition Review in the Telecommunications Field," MIC invited public comments and held an open conference on the "Market Definition of Fixed Telephone Segment" for defining the markets subject to review.

Background

During the period from February 22 through March 15, 2006, MIC invited public comments on the "FY2005 Competition Review in the Telecommunications Field 'Market Definition of Fixed Telephone Segment (draft).'" During said period, MIC received nine comments.

In addition, on March 22, 2006, MIC held an open conference on the "Market Definition of Fixed Telephone Segment" to exchange opinions with stakeholders, including telecommunications carriers and specialists. Based upon those results, MIC defined the markets subject to review.

Future plans

Based upon the "Basic Approach of Competition Review in the Telecommunications Field" and the "FY2005 Details for Implementation of Competition Review in the Telecommunications Field," MIC will analyze the markets as defined for review. In the summer of 2006, MIC will publicize the "FY2005 Competition Review in the Telecommunications Field."

In FY2005, MIC will analyze mainly the fixed telephone segment, in parallel with such segments as the mobile communications and the Internet access.

Main points of "Market Definition of Fixed Telephone Segment"

Since the FY2005 Competition Review targets the fixed telephone segment and carries out a new analysis of it, the main points governing the market definition are as follows. For segments such as "Internet access" and "mobile communications," the results of the market definitions for FY2003 and FY2004 are adopted.

Settling the market structure of fixed telephones
- "Access" and "Call" will not be differentiated, both being taken together in making up the market.
- "Access" can be selected from (1) NTT East/West telephony service, (2) Direct access telephony service, (3) Cable telephony service or (4) 0ABJ (geographical number) type IP telephony service.
- "Call" can be selected from (5) PSTN call service, (6) 050 (location-free number) type IP telephony service or (7) Internet telephony service. In the case of (1), "Call" is unbundled from "Access" and call service carriers can be selected freely. In the cases of (2) to (4), "Call" is bundled with "Access" and the choice of call service carriers is limited.

Market definition of fixed telephone segment (service market)
- The range of the market has been defined as (1) NTT East/West telephony service, (2) Direct access telephony service, (3) Cable telephony service and (4) 0ABJ type IP telephony service.
[Reason] Options (1) to (4) offer a high level of demand-side substitution (little difference in functions, and comparable with each other when contracting, etc.).

Handling of NTT East/West telephony service
- The (1) NTT East/West telephony service will be handled as a sub-market, and in addition to analyzing the demand structure of the service, we will also analyze the state of competition in (5) PSTN call service and (6) 050 type IP telephony service.
[Reason] NTT East/West telephony service has a high level of independence ("Access" and "Call" are structurally separated, and there is a large switching cost when changing service, etc.).
We did not define a market for (7) Internet telephony service, because demand for the service has not yet taken off; analysis will be conducted where data is available.

Definition of geographical market
- The administrative division into prefectures is the smallest unit for analysis.
- Taking the state of competition into account, geographical markets have been set into 2 areas of eastern and western Japan according to the service areas of NTT East/West, or for 10 regional blocks nationwide according to the service areas of the electric power companies.
[Reason] In terms of data availability, the prefecture is the smallest unit. Since we define the geographical market based on the state of competition, it is necessary to analyze the market divided into 2 areas according to the service areas of NTT East/West, or divided into 10 areas according to the service areas of the electric power companies.

Handling of 050 type IP telephony service (relationship with Internet access market)
- With regard to 050 type IP telephony service, we analyze it from several aspects: as a sub-market of the Internet access market, as a part of the IP telephony (050 type and 0ABJ type IP telephony) market, and also as a part of the fixed telephone market.
[Reason] 050 type IP telephony service substitutes for the functions of PSTN call service, but many users regard it as an add-on to Internet access. In addition, they can hardly distinguish it from 0ABJ type IP telephony service, and see both simply as IP telephony service.

Relationship with mobile communications market
- Fixed telephone market and mobile communications market are separate markets (observe the leverage from the other market and the trend in FMC services).
[Reason] Although there is a definite substitution between fixed and mobile, there is also complementarity, as they are used together. It is therefore unsuitable to treat them as the same market.

Preparatory Meeting Held for the Establishment of Hotline Center

The Internet Association Japan held a preparatory meeting to put together standards from experts and related people from industry organizations and the like, in order to make the preparations necessary for the establishment of "Hotline Center" (provisional name).

Aims

Illegal material on the Internet, such as child pornography and information on the covert sale of drugs and the like, as well as sites that are not immediately seen as illegal, such as suicide sites and those showing the manufacturing process for explosive devices, and harmful information regarding contract murders and other illegal acts, have been circulating on the Internet and have become a major societal problem.

Taking these circumstances into consideration, and in order to promote effective measures against illegal activity and harmful information on the Internet, information provided by Internet users concerning illegal and harmful information will be collected and classified according to predetermined standards. The police will be informed concerning illegal information and requests will be made to the administrators of the providers or electronic notice boards asking that measures be taken to block the transmissions.

A preparatory meeting for the establishment of the hotline center was held so that providers can fulfill their responsibility in the face of harmful information by taking action, and to make the preparations necessary to set up the "Hotline Center" (provisional name).

Outline

Date and Time: April 4, 2006 (Tuesday) 2-3pm
Place: Shinbashi Internet Association Japan, Shinbashi Frontier Bldg. 6th floor, 3-4-5, Minato-ku, Tokyo
Organizer: Internet Center Japan
Proceedings:
- Preparatory meeting for the establishment of hotline centers
- Invitation to comment on the range of illegal and harmful information handled by the hot lines and procedure for determining this

Outline of "Hotline Center" (provisional name)

Background of establishment

At present, the circulation of child pornography on the Internet, information on restricted drugs and the like, as well as sites that are not immediately seen as illegal, such as suicide sites and those showing the manufacturing process for explosive devices, and harmful information regarding contracts for illegal activities such as murders, have become a major societal problem.

Countermeasures to deal with this illegal and harmful information on the Internet, such as arrests by the police and requests to administrators of providers and electronic notice board operators to voluntarily take measures to stop these transmissions, have been taken. But since vast amounts of new information circulate on the Internet every day, it is clear that there are limits to such countermeasures.

Against such a background, and in order to promote effective and efficient measures against illegal and harmful information on the Internet, the Study Group to Address Illegal and Harmful Information on the Internet also stated in its interim report (announced on January 26, 2006) that an investigation should be carried out on policies to support and promote effective measures by providers and electronic notice board operators to stop such transmissions.

In addition, the National Police Agency, at its fiscal year 2005 General Security Countermeasures Conference, stated that it receives a large number of notices from users concerning illegal and harmful information on the Internet, and proposed that decisions concerning the information received should be made based on predetermined standards, and that "hotlines" were needed to make requests to administrators at providers and electronic notice board operators, together with a framework for operating them in response to the information.

At present, operation guidelines are being investigated for the "Hotline Center" (provisional name), which will be the implementation body for these hotlines.

Responsibilities

The "Hotline Center" (provisional name) will receive reports concerning illegal and harmful information on the Internet from Internet users and will categorize them according to predetermined standards that consider the balance between fundamental human rights, such as freedom of expression, and public welfare. A decision will be made based on those standards, followed by a notice to the police and a request to administrators at providers and electronic notice board operators to erase the information.

[Reference]
Meeting of the Study Group to Address Illegal and Harmful Information on the Internet
http://www.soumu.go.jp/s-news/2005/050728_5.html
Midterm report of the Study Group to Address Illegal and Harmful Information on the Internet
http://www.soumu.go.jp/s-news/2006/060126_1.html

Operation form

The Center will be operated by a private entity, and it is planned that a certain number of experts will provide the hotline services once service bases have been installed and the necessary reference material and equipment prepared.


From: MIC Communications News Vol.17 No.2

ISO/IEC 27000 Information Security Standards Family Adopts a New Member

(July 17, 2007)-- ISO/IEC has formally announced the incorporation of the popular Code of Practice for Information Security Management, formerly known as ISO/IEC 17799:2005 and originally BS 7799, into the ISO/IEC 27000-series. The standard is now known as ISO/IEC 27002:2005.

The announcement is more significant than merely a change of name. The growing family of ISO/IEC 27000 series information security standards is increasingly recognised by information security professionals worldwide as an embodiment of good information security practices. Well over 3,500 large and small organizations have been formally certified compliant with ISO/IEC 27001, with many thousands more using the standards internally to structure their approach to information security management and drive continuous security improvements.

First released in 1995, British Standard BS 7799 comprised three parts. Part 1 became ISO/IEC 27002. Part 2 became ISO/IEC 27001. Part 3 is anticipated to become ISO/IEC 27005 in due course.

ISO (the International Organization for Standardization) and IEC (the International Electrical Committee) released ISO/IEC 17799 in 2000 and revised it in 2005. Apart from the name, ISO/IEC 27002:2005 is identical to ISO/IEC 17799:2005. Its full English title is: "International Standard ISO/IEC 27002:2005. Information technology - Security techniques - Code of practice for information security management".

The ISO/IEC 27000 family is evolving rapidly but at present comprises the following issued or proposed standards:

* ISO/IEC 27000 - will contain the vocabulary and definitions, i.e. the specialist terminology used by all of the ISO27k standards.

* ISO/IEC 27001:2005 - is the Information Security Management System requirements standard (specification) against which organizations are formally certified compliant. Published.

* ISO/IEC 27002:2005 - is the code of practice for information security management, describing a comprehensive set of information security control objectives and a menu of generally accepted good practice controls. Published.

* ISO/IEC 27003 - will be an implementation guide for these standards.

* ISO/IEC 27004 - will be an information security management measurement (metrics) standard to improve the effectiveness of your ISMS.

* ISO/IEC 27005 - will be an information security risk management standard (replacing BS 7799 Part 3).

* ISO/IEC 27006:2007 - is a guide to the certification or registration process for accredited ISMS certification or registration bodies. Published.

* ISO/IEC 27007 - will be a guideline for auditing Information Security Management Systems.

* ISO/IEC 27031 - will be a business continuity standard.

* ISO/IEC 27032 - will be guidelines for cybersecurity.

* ISO/IEC 27034 - will be guidelines for application security.

* ISO/IEC 27799 - will be health sector-specific implementation guidance for ISO/IEC 27002. Other sector-specific implementation guides are planned for industries such as lotteries and (in conjunction with the ITU) telecomms.


From: www.compliancehome.com

ISO/IEC 27031 Information technology

ISO/IEC 27031 Information technology -- Security techniques -- ICT readiness for business continuity (draft, title uncertain)

This new business continuity standard may be based on the Singaporean BC/DR standard SS507 (see below) and may incorporate parts of British Standard BS25999. Published July 18, updated Aug 16. If you are interested, Part 2 of BS25999 is currently freely available in draft for comment prior to its formal publication, but hurry: comments were due at the end of July 2007 and final release must be imminent.

SS507 - Singapore Standards for Business Continuity/Disaster Recovery (BC/DR) Service Providers

SS507:2004 “Provides a basis to certify and differentiate the BC/DR service providers, helps the end-user organisations in selecting the best-fit service providers and provides quality assurance. Also establishes industry best practices to mitigate outsourcing risks.”

“Singapore [was] the first country in the world to introduce a Standard and Certification programme for BC/DR service providers. Developed by the Infocomm Development Authority of Singapore and the IT Standards Committee (ITSC), the Standard specifies the stringent requirements for BC/DR service providers. These requirements benchmark against the top practices in the region and stipulate the operating, monitoring and up-keeping of BC/DR services offered. ... By engaging a certified BC/DR service provider, assurance is provided to the end-user and frees the company to focus on its core competencies. This enhances the company’s competitive advantage as it is able to achieve stringent Recovery Time Objective, minimise business and data loss; and enjoy uninterrupted services. The certification also serves as a quality mark to inspire service providers to upgrade themselves to provide better services.”

Read a press release about SS507 and purchase a copy here.

0. Introduction

The ICT DR Services Model or Framework - showing the foundation layer to define supporting infrastructure from which services are derived, such as policies, processes, programme, performance measurement, people and products.

1. Scope

Describes the purpose of this standard, the assumptions made when using it and what is excluded. Introduces the subsequent clauses and explains their interpretation.

2. Definitions

Defines terms used within the standard to establish a common understanding by the readers.

3. General Guidelines

Basic guidelines for the ICT DR services provision:

3.1 Environmental stability

3.2 Asset management

3.3 Proximity of services

3.4 Subscription (contention) ratio for shared services

3.5 Third party vendor management

3.6 Outsourcing arrangements

3.7 Privacy and confidentiality

3.8 Activation of subscribed services

4. Disaster Recovery Facilities

Specific guidelines for the ICT DR services provision to provide a secure physical operating environment to facilitate recovery:

4.1 Physical access control

4.2 Physical facilities and security

4.3 Environmental controls

4.4 Telecommunications

4.5 Power supply

4.6 Cable management

4.7 Fire protection

4.8 Location of recovery site

4.9 Emergency operations centre

4.10 Restricted facilities

4.11 Physical facilities and equipment lifecycle

4.12 Non recovery amenities

4.13 Testing

4.14 Training and education

5. Recovery Services Capability

Specific guidelines for the ICT DR services provision to develop service delivery capability supporting recovery. Besides qualified staffing, other minimum capabilities include capacity to support simultaneous invocation of disasters:

5.1 Expertise

5.2 Logical access controls

5.3 Equipment and operation readiness

5.4 Simultaneous recovery support

5.5 Levels of service

5.6 Types of service

5.7 Client testing

5.8 Changes in capability

5.9 Emergency response plan

5.10 Self-assessment

5.11 Disaster recovery training and education

6. Guidelines for Selection of Recovery Sites

Provides guidelines on the factors to consider when selecting recovery sites, such as:

6.1 Infrastructure

6.2 Skilled manpower and support

6.3 Critical mass of vendors and suppliers

6.4 Local service providers’ track records

6.5 Proactive local support

7. Additional Guidelines for the Professional ICT DR Service Provider

Additional guidelines for professional service providers in the provision of ICT DR services.

From: iso27001security.com

ISO/IEC 27011 Information technology

ISO/IEC 27011 Information technology -- Security techniques -- Information security management guidelines for telecommunications (draft)

This ISO/IEC 27001/ISO/IEC 27002 implementation guide for the telecomms industry is being developed jointly by ITU and ISO/IEC. It may be published jointly as ITU-T X.1051 and ISO/IEC 27011 but probably not until 2010.

ITU-T Recommendation X.1051, Information security management system – Requirements for telecommunications (ISMS-T), was originally published in English in July 2004, followed by Spanish, French and Russian translations in 2005. It is based on the ISMS standards extant at that time, i.e.:

* ITU-T Recommendation X.800 (1991), Security architecture for Open Systems Interconnection for CCITT applications.
* ITU-T Recommendation X.805 (2003), Security architecture for systems providing end-to-end communications.
* ISO 9001:2000, Quality management systems – Requirements.
* ISO 14001:1996, Environmental management systems – Specification with guidance for use.
* ISO/IEC 17799:2000, Information technology – Code of practice for information security management (now known as ISO/IEC 27002).
* ISO/IEC Guide 73:2002, Risk management – Vocabulary – Guidelines for use in standards.
* BS 7799-2:2002, Information Security Management Systems – Specification with Guidance for use.

The summary states:

“For telecommunications organizations, information and the supporting processes, telecommunications facilities, networks and lines are important business assets. In order for telecommunications organizations to appropriately manage these business assets and to correctly and successfully continue their business activities, information security management is extremely necessary. This Recommendation provides the requirements on information security management for telecommunications organizations.

This Recommendation specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented information security management system (ISMS) within the context of the telecommunication's overall business risks. It specifies requirements for the implementation of security controls customized to the needs of individual telecommunications or parts thereof.”

From: iso27001security.com