All rights reserved Copyright © CICC 2003

e-Government in Japan

From the view points of its strategy and security

19 November 2003, at Science Park, Pathumthani, Thailand

Nagatani Mitsuyuki, CICC

Seminar on Information Security Technologies

Page 2

Contents

1 Two viewpoints of e-Gov. in Japan

2 e-Government

3 e-Japan / e-Japan II

4 Information Security Management

Page 3

1 Two viewpoints of e-Gov. in Japan

(1) Japan’s Challenge
a) Japan’s rank on e-Gov. surveys 2003
b) Strategies: e-Japan Strategy / e-Japan Strategy II

(2) Security
c) Information Security Management: Information Security Management System (ISMS)
d) Biometrics

Page 4

1. Japan’s Challenge

E-Gov. surveys

UN World Public Sector Report 2003: E-Government at the Crossroads (4 Nov. 2003)

UN Global E-government Survey 2003
- About 91% of UN member states are using Internet services
- E-Readiness (leading countries): US, SE, AU, DK, UK (GB), CA, NO, CH, DE, FI
- E-Participation (leading countries): UK (GB), US, CA, CL, EE, NZ, PH, FR, NL, AU, MX
Source: United Nations

Page 5

a) Japan’s rank on E-Gov. surveys – 2003

15th: Accenture (researched in 22 selected economies, April 2003)

18th: United Nations (e-readiness, among 191 UN member states, November 2003)

Page 6

b) Strategies

e-Japan Strategy (Jan. 2001): improvement of the ICT infrastructure
- Make Japan the world’s most advanced IT nation by 2005

Reviewed and revised

e-Japan Strategy II (July 2003): expanded IT utilization
- Maintain the most advanced IT nation in the world

Page 7

2. Security

The Internet is an open public network, which means anyone can access it. One of the most serious problems in using the Internet is attacks.

(Diagram) Your site, connected to the Internet behind a firewall (proxy) and accepting payments; protections shown: encryption, authentication, certification, electronic signature, cryptography, virus checker, file back-up, outsourcing.

Attacks: DoS / ID fraud / eavesdropping / virus / unauthorized access / natural disaster

Page 8

Number of incidents reported worldwide by attack (chart: incidents per year from 1990 to 2003 (1-3Q), scale 0 to 110,000; as of Oct. 2003; source: CERT)

Once your system has been attacked:
- Loss of social confidence
- Financial damage for rebuilding the system
- Damage to third parties as well (your system used as a stepping stone)

Page 9

Security Infrastructure

Required functions: protect from security threats such as illegal modification, tapping, repudiation, masquerade, leak of private information, . . .

Software technologies
- Virtual Private Network
- Encryption algorithm
- Settlement protocol
- Visual authentication: watermark, Internet marks
- Electronic stamps
- Cryptographic programming library
- Biometrics

System technologies
- Monitoring
- Firewall
- Certification Authority (CA)
- PKI
- Security policy

Hardware technologies
- Smartcard
- Cryptographic equipment
- Biometric equipment

Page 10

c) Information Security Management

- Ensuring security is one of the five priority areas of the e-Japan Strategy / e-Japan Strategy II
- Information Security Management System: BS7799-1 (ISO/IEC 17799:2000), BS7799-2:2002, ISMS Ver.2.0 (April 2003, Japan)

Page 11

d) Biometrics

From 26 Oct. 2004 the US government will require foreigners entering the country to hold biometric-capable passports or to obtain visas.
- The Enhanced Border Security and Visa Entry Reform Act of 2002
- The Homeland Security Act of 2002 (the US DHS)

US-VISIT Program (beginning in 2004) (U.S. Visitor and Immigrant Status Indicator Technology)

CAPPS II (Computer Assisted Passenger Prescreening System II)

Page 12

Popular biometric methods
- Eye: iris
- Finger: fingerprint, finger vein
- Hand: hand shape, signature
- Face: face shape
- Voice: voice

Page 13

2 e-Government

Concept of e-Government (diagram)

Participants connected via the Internet: state government (ministries / agencies) and local governments (G2G); enterprises and financial companies (G2B, B2B); citizens (G2C, B2C).

Functions of e-Government: applications, settlement, certification (to corporations), certification (to individuals), information disclosure, one-stop service, e-procurement, notary, privacy.

Page 14

The term “e-Government” was first used in the US government report “Reengineering Through Information Technology” in 1993, but the concept matured for administrative services around 1995.

Steps to maturity of e-Government (chart, Hitachi Research Institute; horizontal axis 1993 to 2010, vertical axis from low to high):
- Efficiency improvement
- Information disclosure
- Serviceability improvement
- e-Democracy
From dissociation between government and citizen to high-quality services of public administrations to citizens; first removing barriers among public administrations, then the barrier between public administration and citizens.

Page 15

Digitization of in-house administrative processes
- Non-digitized information such as papers (size, quality, thickness), drawings, pictures
- Use the same terminologies across state / local governments and agencies
- Government PKI

Information disclosure to citizens, such as offering administrative information to citizens through Internet homepages

Page 16

Online applications for administrative services
- Citizens do not need to visit administration counters for the service
- Administrative applications (Japanese government): number: more than 10 thousand; volume: more than 1 trillion / year

Utilization of IT for government and citizens
- Seamless: 24 hours, 365 days, one stop, non stop
- Paperless: digital administration
- Disclosure: Internet portal, FOIA in the US
- Open: e-procurement

Page 17

3 e-Japan / e-Japan II

Vision: make Japan the world's most advanced IT nation

IT Basic Law (Basic Law on the Formation of an Advanced Information and Telecommunications Network Society; in force Jan. 2001)

Strategy
- Consolidation of IT infrastructures (e-Japan)
- Practical use of IT (e-Japan II)

Driving organization: IT Strategy Headquarters

Priority policies
- World’s most advanced network
- Education and HRD
- e-Commerce
- Utilization of IT in the public sector
- Security and reliability

Page 18

Milestones (1994 to 2003)

E-Government projects
- Aug. 1994 Headquarters for Promotion of Advanced Information and Communications Society
- Dec. 1999 Millennium Project
- Jul. 2000 IT Strategy Headquarters
- Jan. 2001 e-Japan Strategy
- Mar. 2001 e-Japan Priority Policy Program
- Jun. 2002 e-Japan Priority Policy Program - 2002
- Jul. 2003 e-Japan Strategy II
- Aug. 2003 e-Japan Priority Policy Program - 2003
Targets: (e-Japan) by 2005, being the world’s highest-level country; (e-Japan II) from 2006, keeping up as the world’s highest-level country

Establishment of law environments
- Aug. 1999 Law of the Basic Resident Registers amended
- Aug. 1999 Law of Prohibition of Illegal Access enacted
- Nov. 2000 Basic IT Law enacted
- Apr. 2001 Digital Signature Law came into force
- (Aug. 2002 Basic Resident Registry Network System started operation)
- Dec. 2002 Law about Signatures and Certification Services enacted
- Feb. 2003 Three laws related to administrative procedure came into force (about 52,000 procedures)

Page 19

e-Japan Strategies, Policies and Programs

Basic IT Strategy (27 Nov. 2000)

e-Japan Strategy (22 Jan. 2001): make Japan the world’s most advanced IT nation within 5 years by following 4 policies:
1) Building an ultra high-speed Internet network and providing constant Internet access at the earliest date possible
2) Establishing rules on electronic commerce
3) Realizing an electronic government
4) Nurturing high-quality human resources for the new era

e-Japan Priority Policy Program (29 Mar. 2001)

e-Japan Priority Policy Program - 2002 (Jun. 2002)

e-Japan Strategy II (2 July 2003)

e-Japan Priority Policy Program - 2003 (8 Aug. 2003)

Page 20

IT Basic Law (in force 6 January 2001)
1) Enable everyone to enjoy the benefits of IT
2) Reform the economic structure and strengthen industrial competitiveness
3) Realize an affluent national life and creative communities with vitality
4) Contribute to the formation of an advanced information & telecommunications network society on a global scale

Related strategies and programs: Basic IT Strategy (27 Nov. 2000); e-Japan Strategy (22 Jan. 2001); e-Japan Priority Policy Program (29 Mar. 2001); e-Japan Priority Policy Program - 2002 (Jun. 2002); e-Japan Strategy II (2 July 2003); e-Japan Priority Policy Program - 2003 (8 Aug. 2003)

Page 21

Structure of e-Japan Priority Policy Program (2001)

5 Priority Policy Areas
1 Formation of the world’s most advanced information & telecom networks
2 Promotion of education and development of human resources
3 Facilitation of e-commerce
4 Digitization of administration and application of IT in other public areas
5 Ensuring security and reliability on advanced information & telecommunication networks

Crosscutting Issues
- Promotion of R&D
- Improvement of the digital divide
- Environment and other issues
- International cooperation

Page 22

Structure of e-Japan Priority Policy Program - 2003

5 Priority Policy Areas (210 measures)
1 Formation of the world’s most advanced information & telecom networks
2 Promotion of education and development of human resources
3 Promotion of e-commerce
4 Promotion of full utilization of IT in the public sector
5 Ensuring security and reliability on advanced information & telecommunications networks

Crosscutting Issues (59 measures)
1 Promotion of R&D
2 International cooperation and contribution
3 Improvement of the digital divide
4 Response to employment problems, etc.
5 Measures to deepen people’s understanding

Page 23

Structure of e-Japan Priority Policy Program - 2003

5 Priority Policy Areas (210 measures); Crosscutting Issues (59 measures)

Leading areas to accelerate practical use of IT (97 measures): Healthcare, Food, Life, Financing to SM Enterprises, Knowledge, Work / Labor, Public Administration

Total: 366 measures

Based on a document of the Prime Minister’s Office

Page 24

Leading areas to accelerate practical use of IT

1. Healthcare / Medical treatment: electronic patient charts, telemedicine, hospital administration
2. Food: traceability of food distribution, IT in the food business, IT for the agricultural and fishing industries
3. Life: support for daily life in various areas, communication networks for disasters or emergencies
4. Financing to Small-Medium Enterprises: low-risk loans, repayment schemes
5. Knowledge: e-Learning, competitive digital contents, digital archives
6. Work / Labor: human resource development, telework, entrepreneurship
7. Public administration services: user-oriented administrative services, simple government with high budget efficiency

Page 25

e-Japan Priority Policy Program - 2003

e-Japan Strategy (Jan. 2001)
Phase 1: Consolidation of IT infrastructures (make Japan the world’s most advanced IT nation by 2005)
- e-Japan Priority Policy Program (Mar. 2001): 5 Priority Policy Areas, Crosscutting Issues
- e-Japan Priority Policy Program - 2002 (Jun. 2002): 5 Priority Policy Areas, Crosscutting Issues

e-Japan Strategy II (Jul. 2003)
Phase 2: Practical use of IT (aiming at a nation with a healthy, safe, inspiring and convenient society)
- Leading areas to accelerate (7 areas)
- Consolidation of infrastructures toward a new IT-rich society

e-Japan Priority Policy Program - 2003: 366 concrete priority measures that the government has to implement rapidly and intensively; make Japan the world’s most advanced IT nation by 2005 and continue to be the world’s most advanced IT nation after 2006

Based on a document of the Prime Minister’s Office

Page 26

Some Examples of International Cooperation

IT Engineers Examination: The Government of Japan has agreed with 7 Asian countries (China, India, Korea, the Philippines, Singapore, Thailand and Vietnam) on mutual recognition of the IT Engineers Examination.

Asia Open Source Software (OSS) Forum: Currently 18 Asian economies are participating in the Asia OSS Forum. The first forum was held in Phuket in Mar. 2003 and the second in Singapore in Nov. 2003.

Asia Public Key Infrastructure (PKI) Forum: The Asia PKI Forum was established in June 2001 with the purpose of promoting interoperability of PKI in Asia and Oceania and the use of PKI in e-Commerce.

Page 27

4 Information Security Management

Security

Security has become a more serious topic nowadays:
- Terrorist attacks in New York, the US, on Sept. 11, 2001
- Hanshin earthquake in Kobe, Japan, on Jan. 17, 1995
- A cable fire stops computer system operation in the area
- Increase of cyber attacks

If your system has a security hole, your system is no longer safe from a cracker’s attack.
- How to secure the system from disasters
- How to protect the system from attack

Page 28

What is Information Security

Confidentiality: ensuring that information is accessible only to those authorized to have access

Integrity: safeguarding the accuracy and completeness of information and processing methods

Availability: ensuring that authorized users have access to information and associated assets when required

Source: ISMS Guideline, JIPDEC

Page 29

Security Policy

A security policy is a document that describes the direction and criteria of an organization’s policy on information security management.
- An organizational basic rule for security measures
- Binding on the members of the organization
- The rules depend on the organization’s own policy (there is no common rule)

Document hierarchy (diagram): Security Policy; Organization’s standard of security measures; Procedures, Manuals

Page 30

Security Policy development process

Requirements: what to protect from what; user friendly; concrete; must be realistic; cost effective

Flow (diagram): Start → Planning the security policy → Reviewing the plan → Realistic? (No: back to planning; Yes: putting it into operation) → End process

The security policy covers physical-level, technical-level and operational-level security.

Page 31

Security Management Cycle

PLAN: development of the security policy; definition of scope; information assets, risk analysis

DO: implementation and execution of the security management

CHECK: review the execution; monitor the potential risks

ACT: review by the management; improvement of the activity

Page 32

Why a Security Policy is necessary

1. Leveling
- Making the security level of the organization uniform and efficient
- Minimize the cost for maintaining security

(Chart: security level of departments A to E compared with the security level that the organization determined)

Page 33

Information Security Management Guidelines and Standards

- ISO/IEC 17799:2000 (Code of practice for information security management)
- BS 7799 (British Standard)
- JIS X 5080 (Japanese Industrial Standard)
- ISO/IEC 15408 (Common Criteria)
- ISO/IEC TR 13335 (GMITS: Guidelines for the Management of IT Security)
- OECD Recommendation Guideline (25 July 2002)
- ISMS (Information Security Management System certification scheme, Japan)

Page 34

ISMS Scheme Transition (timeline 2000 to 2004; modified from ISMS Guideline, JIPDEC)

ISO / JIS line
- BS7799-1 → ISO/IEC 17799:2000 (Dec. 2000) → JIS X 5080:2002 (Feb. 2002)

BS7799-2 line
- BS7799-2 → BS7799-2:2002 (Sep. 2002, revised)

Japanese ISMS scheme
- ISMS (Ver.0.8) Apr. 2001 → ISMS (Ver.1.0) Apr. 2002 → ISMS (Ver.2.0) Apr. 2003 (following the revised BS7799-2)

Page 35

ISMS Certification Standard

10 essential key controls for providing effective information security (BS7799-2:1999, ISMS):
1 Security policy
2 Organizational security
3 Asset classification and control
4 Personnel security
5 Physical and environmental security
6 Communications and operations management
7 Access control
8 Systems development and maintenance
9 Business continuity management
10 Compliance

Essential key controls (10 controls); possible control objectives for the management (36 objectives); possible measures for the management (127 controls)

Page 36

Process to establishment of the ISMS (Ver.2.0)

Organization development (ISMS framework: scope, security policy, list of risks, standards of measures for risks)
Step 1 Determine the scope of the ISMS
Step 2 Define an ISMS policy
Step 3 Define a systematic approach to risk assessment
Step 4 Identify risks
Step 5 Undertake risk assessment
Step 6 Undertake risk treatment
Step 7 Select control objectives and controls
Step 8 Prepare a statement of applicability
Step 9 Approve residual risks and permit the introduction of the ISMS

ISMS execution
Step 10 Execution of security measures based on the policy
Step 11 Operation and records
Step 12 Internal auditing and lessons learned

Examination and certification
Step 13 Apply for the certification examination
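Steps 3 to 9 above are a procedure, and the slide does not show how a risk register actually turns into a statement of applicability and a list of residual risks for approval. The following Python script is an added worked example, not part of the CICC slides and not JIPDEC's ISMS scheme material. Everything in it is an assumption made for the illustration: the three-point impact and likelihood scales, the acceptance criterion (score of 3 or below may be accepted), the five-entry control catalogue with its C-01 to C-05 labels, the four sample risks, and the simplifying rule that each selected control lowers likelihood by one level.

```python
"""Worked qualitative risk assessment for ISMS steps 3 to 9.

Constructed illustration, not CICC/JIPDEC material. The scales, threshold,
control catalogue and asset register below are all assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List

LEVELS = {"low": 1, "medium": 2, "high": 3}  # assumed 3-point scales (Step 3)
ACCEPTABLE = 3  # assumed risk acceptance criterion: a score <= 3 may be accepted

# Assumed control catalogue; the labels are illustrative, not BS7799 clause numbers.
CATALOGUE: Dict[str, str] = {
    "C-01": "Access control policy",
    "C-02": "Privileged account management",
    "C-03": "Backup and restore",
    "C-04": "Business continuity plan",
    "C-05": "Physical entry control",
}


@dataclass
class Risk:
    rid: str
    asset: str
    threat: str
    vulnerability: str
    impact: str
    likelihood: str
    proposed_controls: List[str] = field(default_factory=list)
    inherent: int = 0
    residual: int = 0
    treatment: str = ""


def score(impact: str, likelihood: str) -> int:
    """Risk level = impact x likelihood on the assumed scales."""
    return LEVELS[impact] * LEVELS[likelihood]


def treat(risk: Risk) -> Risk:
    """Steps 5 to 7: score the risk, choose a treatment, keep only the controls needed.
    Assumption: each selected control lowers likelihood by one level."""
    risk.inherent = score(risk.impact, risk.likelihood)
    if risk.inherent <= ACCEPTABLE:
        risk.treatment, risk.residual = "accept", risk.inherent
        risk.proposed_controls = []  # no control is selected for an accepted risk
        return risk
    reduced = max(1, LEVELS[risk.likelihood] - len(risk.proposed_controls))
    risk.residual = LEVELS[risk.impact] * reduced
    risk.treatment = "reduce" if risk.residual <= ACCEPTABLE else "reduce (residual needs approval)"
    return risk


def assess(register: List[Risk]) -> List[Risk]:
    """Run the treatment decision over the whole register."""
    return [treat(r) for r in register]


def statement_of_applicability(register: List[Risk]) -> Dict[str, dict]:
    """Step 8: every catalogue control, whether it is applied, and which risks justify it."""
    soa = {}
    for cid, name in CATALOGUE.items():
        justified_by = [r.rid for r in register if cid in r.proposed_controls]
        soa[cid] = {"control": name, "applicable": bool(justified_by), "risks": justified_by}
    return soa


def residual_for_approval(register: List[Risk]) -> List[str]:
    """Step 9: residual risks above the acceptance criterion need management sign-off."""
    return [r.rid for r in register if r.residual > ACCEPTABLE]


def build_register() -> List[Risk]:
    """Constructed sample register (Step 4); the assets and weaknesses are invented."""
    return [
        Risk("R1", "citizen application database", "unauthorized access",
             "shared administrator account", "high", "medium", ["C-01", "C-02"]),
        Risk("R2", "application server", "disk failure", "no tested backups",
             "high", "medium", ["C-03"]),
        Risk("R3", "public brochure web page", "defacement", "unpatched CMS",
             "low", "medium", ["C-01"]),
        Risk("R4", "single data centre", "earthquake", "no alternate site",
             "high", "high", ["C-04"]),
    ]


if __name__ == "__main__":
    register = assess(build_register())
    for r in register:
        print(f"{r.rid}: inherent={r.inherent} residual={r.residual} treatment={r.treatment}")
    for cid, row in statement_of_applicability(register).items():
        state = "applicable" if row["applicable"] else "not applicable"
        print(f"{cid} {row['control']}: {state} {row['risks']}")
    print("residual risks for management approval:", residual_for_approval(register))
```

Running it prints the treated register, a statement of applicability that lists each catalogue control as applicable or not together with the risks that justify it, and the residual risks that still exceed the acceptance criterion and therefore need management approval before the ISMS is introduced (Step 9). In a real assessment the likelihood reduction is estimated per control rather than fixed, and the statement of applicability must also record why each unselected control was excluded.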

Page 37

Security Policy: what should be described at least
(1) Statement by the top management
(2) Scope of the activity
(3) Purpose of the activity on information security
(4) Definition of information security and appeal of its importance
(5) Declaration that the activity is ordered to all members of the organization
(6) Determination of the policy: penalty, familiarization of members, responsibility, compliance

Page 38

A simple example of a security policy document

To: All company staff - date -

From the Managing Director

The world now faces problems of computer attacks, leakage of company secrets and invasion of privacy. They are no longer someone else’s problem but our problem too. I am sincerely concerned about the impact of those problems on the company, and I would like to emphasize the importance of security measures in order to protect ourselves from such threats.

(1) We will take security measures for our assets based on their importance and secrecy level.
(2) All staff must comply with the security measures that we will determine separately.
(3) The security measures must be reviewed from time to time according to necessity and technological change.
(4) All staff are required to understand the Policy.
(5) I appoint the IT director as the security administrator and all members of the board of directors as the security policy steering committee.

Page 39

Effects of the ISMS

(1) Internal effects
- Standardized security level in the organization
- Helps boost members’ morale
- Minimizes the cost for maintaining security
- Being able to apply for certification under the certification scheme (e.g. JIPDEC* in Japan, UKAS** in the UK)

(2) External effects
- Being able to present itself as an organization certified in operation and management based on a security policy
- Improves the trust of society

* JIPDEC: Japan Information Processing Development Corporation
** UKAS: United Kingdom Accreditation Service

Page 40

OECD Guidelines for the Security of Information Systems and Networks (nine principles)

1) Awareness: Participants should be aware of the need for security of information systems and networks and what they can do to enhance security
2) Responsibility: All participants are responsible for the security of information systems and networks
3) Response: Participants should act in a timely and co-operative manner to prevent, detect and respond to security incidents
4) Ethics: Participants should respect the legitimate interests of others
5) Democracy: The security of information systems and networks should be compatible with essential values of a democratic society
6) Risk assessment: Participants should conduct risk assessments
7) Security design and implementation: Participants should incorporate security as an essential element of information systems and networks
8) Security management: Participants should adopt a comprehensive approach to security management
9) Reassessment: Participants should review and reassess the security of information systems and networks, and make appropriate modifications to security policies, practices, measures and procedures

Source: OECD