課題Ⅱ 第４編② 技術的安全管理措置の実施項目

The guideline general rules edition 10-6 establishes four main pillars as implementation items for technical safety management measures: (a) access control, (b) identification and authentication of access persons, (c) prevention of unauthorized external access, and (d) prevention of leaks accompanying information system use. This article covers the specific implementation details of each, plus log management, malware countermeasures, and telework/cloud security.

First, regarding (a) access control. The starting point is limiting the terminals and information systems that handle personal data. Access privileges are set per person in charge so that employees without a business need cannot touch personal data. Privileges that become unnecessary due to transfer or resignation must be promptly deleted. Furthermore, regular inventory checks of privileges are conducted to confirm no excessive permissions remain. Operation based on the Principle of Least Privilege is required.

In (b) identification and authentication of access persons, ID management forms the foundation. Shared IDs are prohibited, and a unique ID is assigned to each individual employee. IDs of former employees and transferred personnel are promptly deactivated or deleted to prevent unauthorized use.

Regarding password policy, it is necessary to take into account the latest trends. Under the influence of NIST SP 800-63B, the emphasis has shifted from conventional "regular password changes" toward sufficient length (minimum 8 characters, recommended 12 or more) and complexity. A mechanism that locks accounts after a fixed number of authentication failures (account lock) is also mandatory. Furthermore, introduction of multi-factor authentication (MFA) is strongly recommended, combining two or more of: knowledge factors (password), possession factors (token, smartphone), and biometric factors (fingerprint, facial recognition).

Authentication factors are classified into three types. Knowledge factor (something you know): passwords, PINs, secret questions — "information only the person knows." Possession factor (something you have): IC cards, physical tokens, push notifications to a registered smartphone — "things the person physically possesses." Biometric factor (something you are): fingerprint, face, iris, vein — "physical characteristics of the person themselves." To be called MFA (multi-factor authentication), different categories of factors must be combined; combinations of the same factor type (both knowledge), like "password + secret question," are not multi-factor (this is multi-step authentication).

For (c) prevention of unauthorized external access, the firewall is the most fundamental measure. It is installed at the boundary with external networks, with rules configured and managed to allow only permitted communication through. Unnecessary ports are closed, and rules are reviewed regularly. Introducing antivirus software with automatic pattern file updates and real-time scanning enabled is a prerequisite.

Vulnerability management is also a key pillar. Timely application of security patches for OS, middleware, and applications — never leaving known vulnerabilities unaddressed — is an iron rule. Vulnerability information is collected from JVN (Japan Vulnerability Notes) and CVE (Common Vulnerabilities and Exposures). When providing web services, WAF (Web Application Firewall) is introduced to defend against attacks such as SQL injection and cross-site scripting. By also deploying IDS (Intrusion Detection System) and IPS (Intrusion Prevention System), suspicious communication on the network can be detected and blocked.

Targeted attacks (APT: Advanced Persistent Threat) target a specific organization and lurk over long periods to steal information. The typical entry point is targeted email (spear phishing), with infection occurring via attachments or links disguised as business-related. Countermeasures cannot rely on a single technology — multi-layered defense is mandatory: entry-point measures (mail filters, sandboxes), internal measures (privilege separation, privileged ID management, EDR), and exit measures (external communication monitoring, DLP). Employee training (don't open suspicious mail, report it) is also critically important.

Zero Trust is a security model based on the philosophy of not trusting even the internal network. The background is that traditional perimeter defense (firewalls separating inside from outside, with inside trusted) has stopped functioning due to telework, cloud adoption, and increasing internal fraud. Its principle is "Never Trust, Always Verify" — every access request is authenticated and authorized every time. Implementation uses continuous authentication (dynamic evaluation of device state, location, time), least privilege, and micro-segmentation (fine-grained network segmentation).

In (d) prevention of leaks accompanying information system use, communication encryption is fundamental. TLS 1.2 or higher is used when transmitting and receiving personal data, and VPN (Virtual Private Network) is used to protect the communication route for connections from outside the company. TLS 1.0/1.1 are already deprecated and their use should be ceased.

Email security is also an important countermeasure area. Attachments containing personal data are encrypted with S/MIME or PGP, and as erroneous transmission prevention measures, destination confirmation dialogs and superior approval flows are introduced. Use of external recording media (USB drives, etc.) should also be restricted, using USB control software and device control policies to prohibit connection of unauthorized media.

DLP (Data Loss Prevention) is a mechanism for preventing unauthorized removal of personal data. Through content inspection functionality, it monitors email body text, attachments, uploads to cloud storage, etc., and blocks or warns transmission when information applicable to personal data is detected. Its strength is that it can address both intentional internal fraud and leaks caused by negligence.

Encryption algorithms are broadly classified into symmetric-key and public-key encryption. Symmetric-key encryption (AES, 3DES, etc.) uses the same key for encryption and decryption — fast processing but with key distribution problems. Currently AES-256 is recommended; 3DES and DES are already deprecated. Public-key encryption (RSA, Elliptic Curve Cryptography = ECC, etc.) uses a public/private key pair — slow processing but solves the key distribution problem. In practice, hybrid methods combining both (such as TLS) are common, securely exchanging the symmetric key via the public key. Key management is even more important than encryption itself: centrally managed via HSM (Hardware Security Module) or KMS (Key Management Service), with regular rotation.

Log management is indispensable for making technical safety management measures effective. The logs that should be collected are wide-ranging: access logs (who touched which data and when), operation logs (file operations, printing, copying), authentication logs (login successes/failures), and communication logs (transmission and reception records) are the four representative types.

Caution is also needed for log storage. To prevent falsification, writing to WORM (Write Once Read Many) media or transferring to a dedicated log server separate from the operation server is recommended. The retention period is set according to laws, regulations, and internal rules, but a minimum of one year or more is considered desirable. It is important to prepare log management regulations and codify rules for acquisition, storage, and disposal.

Regular log reviews enable early discovery of suspicious patterns. SIEM (Security Information and Event Management) is effective for efficiently analyzing large volumes of logs. SIEM integrates and performs correlation analysis on multiple logs, detecting attack patterns invisible in standalone logs and issuing alerts. For example, a combination of mass downloads late at night followed immediately by a USB connection can be detected as a sign of internal fraud.

The first step in malware countermeasures is antivirus software. There are three main detection methods: pattern matching (comparing against definition files of known malware characteristics), heuristic detection (estimating unknown malware from structural characteristics), and behavior analysis (monitoring operations during execution to detect suspicious behavior). Combining these three methods enhances the detection rate.

EDR (Endpoint Detection and Response) is a mechanism that supplements conventional antivirus software. It constantly monitors terminal behavior and automatically isolates and responds when suspicious behavior is detected. Its strength is the ability to handle unknown malware and targeted attacks. A sandbox is a technology that executes unknown suspicious files in a virtual environment to safely confirm their behavior, enabling malware determination without affecting the production environment.

Response procedures in case of malware infection must also be established in advance. First, the infected terminal is isolated from the network. Next, the responsible person is notified and the scope of infection and cause are investigated. After that, malware removal and system recovery are performed, and finally recurrence prevention measures are taken. In other words, the flow is: isolation → report → investigation → removal → recovery → recurrence prevention.

In telework environments, means for safely connecting to internal systems from outside are necessary. VPN, remote desktop, and VDI (Virtual Desktop Infrastructure) are the main options. With VDI, no data remains on the terminal, so leakage risk in case of loss or theft can be reduced. For BYOD (Bring Your Own Device), MDM (Mobile Device Management) for centralized terminal management and MAM (Mobile Application Management) with containerization to separate business apps from the personal area are effective.

When using cloud services, understanding the shared responsibility model is indispensable. In IaaS, the provider bears responsibility for managing the physical infrastructure, while management of OS, middleware, applications, and data is the user's responsibility. In PaaS, the provider manages up to the OS and middleware; in SaaS, the provider is responsible up to the application. However, even in SaaS, data input content and access privilege settings remain the user's responsibility. When data is located on foreign servers, application of Article 28 of the Personal Information Protection Act (restrictions on provision to third parties in foreign countries) must be considered.

As international standards for cloud security, there are ISO 27017 (cloud security controls) and ISO 27018 (protection of personally identifiable information in the cloud). Whether the outsourcing cloud provider has obtained these certifications is an important selection criterion. Implementing these technical measures together with organizational, human, and physical safety management measures leads to realizing the safety management measures required by the Personal Information Protection Act.