スライド 1

Size: px

Start display at page:

Download "スライド 1"

ちかこたかぎ
5 years ago
Views:

1 NIST SP800 BCPContingency Contingency Planning

2 1. IPAIPA 2. BCP/BCM 3. NIST SP800 FISMA 4. SP SP IT Contingency Planning Guide for Information Technology Systems IT January

3 3 BCP/BCM BCM BCP BCP BCP BCPBCM ITIT

4 4 BCP,SARS NFPA 1600:2004 Annex A (Explanatory Material BCP BCPIT-BCP BCP = IT-BCP IT-BCPBCP/BCM

5 1. IPAIPA 2. BCP/BCM 3. NIST SP800 FISMA 4. SP SP IT Contingency Planning Guide for Information Technology Systems IT January

6 NIST : National Institute of Standards and Technology SP Contingency Planning Guide for Information Technology Systems IT (June 2002) SP Computer Security Incident Handling Guide (January 2004) SP Guide to Malware Incident Prevention and Handling (November 2005) SP Recommended Security Controls for Federal Information Systems (February 2005) FIPS 199 Standards for Security Categorization of Federal Information and Information Systems (February 2004 Draft SP Rev1, Guide for Information Security Program Assessments and System Reporting Form (August 15, 2005) (SP Security Self-Assessment Guide for Information Technology Systems (November 2001)) IT Draft SP A: Guide for Assessing the Security Controls in Federal Information Systems (July 15,2005) SP Risk Management Guide for Information Technology Systems (July 2002) IT 6

publications/nist/index.html http://www.nri-secure.co.jp/news_alert/report/nist/nist_report.

7 publications/nist/index.html 7 NIST : National Institute of Standards and Technology SP800: SP=Special Publications NIST CSD (Computer Security Division) IT NIST CSD: FIPS: Federal Information Processing Standards NIST

8 FISMA Each federal agency shall develop, document, and implement an agency-wide information security program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source --- Federal Information Security Management Act of 2002 (Title III of the E-Government Act) NISTFISMA FISMA I FISMAFIPS(SP 1-2 II 2006 III Flagship StandardFIPS199 (FIPS: Federal Information Processing Standards ) FIPS/SP: 8

9 9

10 1. IPAIPA 2. BCP/BCM 3. NIST SP800 FISMA 4. SP SP IT Contingency Planning Guide for Information Technology Systems IT January

11 Recommended Security Controls for Federal Information Systems (February 2005) No. SP SP Annex 1 SP Annex 2 SP Annex 3 2:

12 SP RA PL SA CA PS PE (Contingency Planning) CP CM MA SI MP (Incident Response) IR AT IA CP-1 CP-2 CP-3 CP-4 CP-5 CP-6 CP-7 CP-8 CP-9 CP-10 AC * AU SC 12

13 ISO/IEC Information security aspects of business continuity management () Including information security in the business continuity management process () Business continuity and risk assessment () Developing and implementing continuity plans including information security ( ) Business continuity planning framework () Testing, maintaining and re-assessing business continuity plans () 13

14 14 SP F: CP-9 CP-9 CP-9 (1) CP-9 (1) (2) (3)

15 15 SP D() CP-1 CP-1 CP-1 CP-1 CP-2 CP-2 CP-2 (1) CP-2 (1) CP-3 CP-3 CP-3 (1) CP-4 CP-4 (1) CP-4 (1) (2) CP-5 CP-5 CP-5 CP-5 CP-6 CP-6 (1) CP-6 (1) (2) (3) CP-7 CP-7 (1) (2) (3) CP-7 (1) (2) (3) (4) CP-8 CP-8 (1) (2) CP-8 (1) (2) (3) (4) CP-9 CP-9 CP-9 (1) CP-9 (1) (2) (3) CP-10 CP-10 CP-10 CP-10 (1) IR-1 IR-1 IR-1 IR-1 IR-2 IR-2 IR-2 (1) (2) IR-3 IR-3 IR-3 (1) IR-4 IR-4 IR-4 (1) IR-4 (1) IR-5 IR-5 IR-5 (1) IR-6 IR-6 IR-6 (1) IR-6 (1) IR-7 IR-7 IR-7 (1) IR-7 (1) FIPS199 SP SP800-53

16 - SP G: ( ISO NIST GAO FISCAM DOD DCID 6/3 CP , , CP , , COBR-1 DCAR , , , , SC-3.1 SC-1.1 CODP-1 COEF-1 2.B.4.e(5) 6.B.1.a(1) 6.B.2.b(1) CP SC-2.3 PRTN-1 8.B.1 CP , , SC-3.1 COED-1 6.B.3.b(2)(b) CP , , SC-2.1 SC-3.1 DCAR-1 6.B.3.b(2) CP , , SC-2.1 SC-3.1 CODB-2 6.B.2.a(2) 6.B.3.a(2)(d) CP , 9.2.4, 9.2.5, 9.2.7, 9.2.9, SC-2.1 SC-3.1 COAS-1, COEB-1 COSP-1, COSP-2 6.B.3.a(2)(d) CP B.2.a(4) CP , , 9.2.6, 9.2.9, 9.3.1, SC-2.1 CODB-1, CODB-2 COSW-1 6.B.1.a(2) CP SC-2.1 COTR-1, ECND-1 4.B.1.a(4) 6.B.1.a(1) 6.B.2.a(3)(d) 16

17 SP : SP ISO/IEC FDIS 17799:2004/11/28 CP-1 CP-2 CP-3 Contingency planning policy and procedures Contingency plan Contingency training Information security policy document Controls against malicious code Including information security in the business continuity management process Developing and implementing continuity plans including information security Identification of applicable legislation System acceptance Controls against malicious code Business information systems Developing and implementing continuity plans including information security Business continuity planning framework Developing and implementing continuity plans including information security Business continuity planning framework CP-4 CP-5 CP-6 CP-7 CP-8 CP-9 CP-10 Contingency plan testing Contingency plan update Alternate storage Alternate processing sites Telecommunications services Information system backup Information system recovery and reconstitution Information back-up Testing, maintaining and re-assessing business continuity plans Developing and implementing continuity plans including information security Testing, maintaining and re-assessing business continuity plans Information back-up Business continuity planning framework Business continuity planning framework Information back-up Mobile computing and communications Business continuity planning framework 17

18 18 ISO/IEC17799:2005, NIST SP ISO/IEC17799:2005

19 19 IT-BCP SP CP(IR ITBCP BCMITBCP SDLCSystem Development Life Cycle IT SP Contingency Planning Guide for Information Technology Systems IT(January 2004) 107 pages SP Computer Security Incident Handling Guide (January 2004) 148 pages SP Guide to Malware Incident Prevention and Handling (November 2005) 101 pages SP An Introduction to Computer Security: The NIST Handbook (October 1995) 11 Preparing for Contingencies and Disasters

20 1. IPAIPA 2. BCP/BCM 3. NIST SP800 FISMA 4. SP SP IT Contingency Planning Guide for Information Technology Systems IT January

21 21 SP800-34: IT IT (1) (2) (3) (4) (5)IT (6) (7) 6. 7.

22 SP IT IT IT IT IT LAN WAN IT IT IT IT 22

24 24 SP800-34BCP IT ITSP IT BCP IT BRP ITIT COOP 30 IT / IT ITIT IT DRP IT OEP IT

25 SP SP SP Risk Management Guide for Information Technology Systems IT 25

26 26 SP800-34IT IT - SP IT IT SP SP Computer Security Incident Handling Guide (January 2004) SP Guide to Malware Incident Prevention and Handling (November 2005)

27 SP (SDLC) / SDLC SDLCSystem Development Life Cycle IT / / SP SP Security Considerations in the Information System Development Life Cycle NIST CSD SDLC Web Information Security in the SDLC Brochure 27

28 SP IT

29 29 SP

30 SP B 30 50LAN IT A. B. C. D. E. A.

31 31 SP ) 2) 3) 4) 5)

32 32 SP IT 5 6 ( / / 7

33 SP AIT / IT 33

34 34 SP IT SP IT

35 SP SLA

36 SP D IT : URL( : : : Disaster Recovery Institute International: Disaster Recovery Journal: : 36

37 まとめ FIPS200/ SP セキュリティ管理の選択開始点 FIPS199/ ＳP ＳP セキュリティの分類 SP800-53/ FIPS200/SP 選択したセキュリティ管理の調整 SP セキュリティ管理策の文書化 SP システム運用の承認 SP セキュリティ管理策の導入 SP800-53A/SP80026/SP セキュリティ管理策の評価 FISMA リスクマネジメントフレームワーク FIPS199 SP 維セキュリティ分類管理策の選定持運用継続計画 (COOP) 保 SP IT緊急時対応計画 SP IT-BCPを組織全体のBCP/BCMとどう連携させるかどのように位置づけて機能させるかを考えることで BCPへの理解や取組みが進むセキュリティ管理策実施状況の監視サイバーインシデント対応計画人員緊急時計画 (OEP) インシデント対応事業継続計画 (BCP) 護事業継続は情報セキュリティ対策において重要な対策項目であるサポート継続計画/ IT緊急時対応計画緊急時コミュニケーション計画災害復旧計画 (DRP) 事業復旧再開計画 (BRP) 開説明再施設 IT ビジネス Copyright 2006 独立行政法人情報処理推進機構特に重要復旧各種計画の相互関連性 37

38 IPA/ISEC 38

金融機関の業務継続強化に向けた課題と対応

金融機関の業務継続強化に向けた課題と対応 1 2 95/1 95/1 02/4 04/10 06/8 03/2 05/7 05/8 01/9 03/8 3 4 5 6 7 8 3 9 10 11 16/91114/810 16861468 12 13 14 18/45 11138 15 2 16 17 18 19 SARS 20 21 BCP BCM Business Continuity Plan Business Continuity