課題Ⅱ 第３編 オフィスセキュリティ

To protect personal information, not only technical countermeasures but also physical security measures are indispensable. Office security refers to initiatives to physically protect information assets by preventing unauthorized intrusion into buildings and facilities. The basic principle is defense in depth: establishing layers of defense progressively from the building perimeter to the floor, room, cabinet, and terminal device, so that even if one layer is breached, the next layer can stop the threat.

Security zoning is a method of dividing the office into zones according to their level of importance and setting different entry restrictions and surveillance levels for each zone. The general area (public area) is the scope visitors can enter, such as the reception and lobby. The work area is the general office area used only by employees. The secure area is a zone only designated personnel can enter, such as server rooms and document storage rooms. The high-security area is a zone requiring the strictest management, such as data centers and vaults. The basic design is that restrictions become stricter the further inside from the perimeter you go.

In entry and exit management, only authorized persons are allowed to enter the applicable zone. Main authentication methods include IC cards, biometric authentication (fingerprint, iris, vein), PIN codes, and physical keys. For secure areas and above, combining two-factor authentication (e.g., IC card + PIN code) is considered desirable.

Tailgating means an unauthenticated person enters a room by following someone who has been authenticated. Prevention measures include anti-passback (a mechanism where you cannot exit without an entry record), mantraps (authenticating one person at a time in a small room with double doors), revolving doors, and security gates. For high-security areas, mantraps are particularly effective.

Visitor management is also an important element of entry and exit management. Visitors register at reception and receive a visitor badge. Inside the company, an employee must always escort them; unaccompanied movement is not allowed. When leaving, visitors return their badge and their departure is confirmed. Entry and exit records are stored for a fixed period and periodically reviewed and audited.

The guidelines under the Act on Protection of Personal Information (General Rules Part 10-5) stipulate four implementation items as physical safety management measures. (a) Management of zones handling personal data: In management zones (server rooms, etc.), entry/exit management, locking, and restrictions on items brought in are implemented. In handling zones (general offices), measures such as seat arrangement to prevent shoulder surfing and installation of partitions are carried out.

(b) Prevention of theft of equipment and electronic media: Notebook PCs are secured with wire locks (Kensington locks) and electronic media are stored in lockable cabinets. Server racks are locked, and portable devices are tracked with a management ledger recording lending and return.

(c) Prevention of leakage when carrying electronic media: USB drives and notebook PCs are encrypted and password-protected. Taking items out requires a prior application and approval procedure, and traceability of who took what is ensured.

(d) Deletion of personal data and disposal of equipment/electronic media: Data erasure methods include overwriting with dedicated software, magnetic erasure (degaussing), and physical destruction. After disposal, a disposal certificate is obtained and records are kept. Paper documents are reliably disposed of using cross-cut shredders or higher, or dissolution processing.

Surveillance cameras (CCTV) are installed at entrances/exits, corridors, and important areas, and footage is stored for a fixed period (typically 1-3 months). However, compatibility with employee privacy is necessary, and it is desirable to clearly state the installation purpose and recording scope. For monitoring entry/exit logs, a mechanism is established to detect suspicious entry patterns during late night/holidays and frequent authentication failures, and issue alerts.

For earthquake countermeasures, earthquake-resistant racks and seismic isolation devices are introduced for server racks, and anti-toppling measures are taken. Critical systems are made redundant so that if one is damaged, operations can continue with the other.

For fire countermeasures, inert gas fire suppression systems (which do not use water) are installed in server rooms. In general areas, sprinklers, fire compartments, and fire alarms are installed. For flood countermeasures, server equipment is placed on upper floors with waterproofing measures applied. For power outage countermeasures, UPS (uninterruptible power supply) devices prevent momentary interruptions, and private power generation equipment prepares for prolonged outages.

BCP (Business Continuity Plan) is a plan to avoid interrupting business or to recover promptly even when large-scale disasters or failures occur. As important indicators, RPO (Recovery Point Objective) determines "to what point in time data should be restored," and RTO (Recovery Time Objective) determines "how long recovery should take."

For backup, the 3-2-1 rule is recommended: maintain three copies, save on two different media, and store one in a remote location. There are three types of DR (Disaster Recovery) sites. A hot site is always operational and can be switched to immediately. A warm site has equipment installed, and can be used after data restoration. A cold site has only the location and power supply; equipment must be brought in and configured.

There are three backup methods, used differently according to operational requirements. Full backup copies all data in its entirety each time; restoration is simplest (just restore the latest full), but acquisition time and storage capacity are the largest. Incremental backup saves only the differences changed since the previous backup (full or incremental), so acquisition is fastest and capacity is smallest, but restoration requires applying the latest full plus all subsequent incrementals in order, making restoration time long. Differential backup saves data changed since the previous full backup each time; capacity is larger than incremental, but restoration only needs the latest full plus the latest differential, making restoration simpler than incremental.

To bring RPO infinitely close to zero, real-time replication (synchronous replication) is used. By simultaneously reflecting writes from the production site to a remote site, a configuration with no data loss even when failures occur (RPO=0) can be realized. DR (Disaster Recovery) sites supporting this are classified into three categories according to operational state and switchover time (RTO). Hot sites continuously synchronize equipment and data equivalent to production and can switch over within minutes (short RTO, highest cost). Warm sites have equipment installed but restore data from periodic backups, recovering in hours to days (medium RTO, medium cost). Cold sites have only the location, power, and lines prepared; equipment must be brought in, set up, and data restored, requiring days to weeks (long RTO, lowest cost).

Clear desk policy is a rule to store documents and recording media on the desk in lockable cabinets or drawers when leaving one's seat or leaving the office. Clear screen policy is a rule to lock the computer screen when leaving one's seat and to log off when away for a long time. This minimizes the risk of information being seen by third parties. These are stipulated in ISO 27001 Annex A.11.2.9 and, while simple, have a great effect in preventing information leakage.

Even when entrusting personal data to external data centers or cloud providers, the outsourcing party bears the obligation to confirm the physical security level. Items to confirm include: building entry/exit management (biometric authentication, mantraps, etc.), surveillance cameras, earthquake-resistant structure, fire suppression equipment, UPS and private power generation, location (low flood-risk area), etc. On-site inspection is the principle, but Tier III/Tier IV data center certification (Uptime Institute) and ISO 27001/ISO 27017 acquisition status may be used as alternative confirmation means.