課題Ⅱ 第１編② セキュリティ対策基準とガイドライン

ISMS (Information Security Management System) is a systematic management mechanism for protecting the information assets held by an organization. JIS Q 27001 is the Japanese version of ISO/IEC 27001 and stipulates the requirements for ISMS. The central concept is the PDCA cycle (Plan-Do-Check-Act), which continuously improves the security level by repeating plan, execute, check, and improve. ISMS is a comprehensive framework that covers not only technical countermeasures but also organizational policy, human management, and physical security.

The scope of ISMS is determined by the organization itself. After clarifying which operations, locations, and information assets are covered, a risk assessment is conducted. The risk assessment procedure is: (1) identify information assets, (2) identify threats, (3) assess vulnerabilities, (4) calculate risk values, and (5) select controls. Selected controls are documented in a Statement of Applicability (SoA), which clearly maps their correspondence to the controls in Annex A.

ISMS certification is conducted by accredited audit bodies (certification bodies). The certification validity period is 3 years, with annual surveillance audits. If the renewal audit is passed after 3 years, certification continues. JIS Q 27002 (ISO/IEC 27002) is implementation guidance for controls, and in the 2022 revision, controls were reorganized into 4 themes: organizational, people, physical, and technological.

The Personal Information Protection Commission (PPC) formulates the Personal Information Protection Act guidelines, which consist of 4 volumes. The most important is the General Rules volume, which comprehensively covers rules on acquisition, use, storage, provision, and disclosure requests. The chapter on "safety management measures" is particularly detailed, requiring specific measures from 4 aspects: organizational, human, physical, and technical. Furthermore, reduced measures (simplified methods) are permitted for small and medium-scale business operators, commonly those with 100 or fewer employees.

The Foreign Third-Party Provision volume establishes rules for transferring personal data to third parties overseas. It requires consent from the individual in principle, and confirmation that the destination country's system is at an equivalent level to Japan's (adequacy recognition) or that the recipient maintains an appropriate structure. The Confirmation and Record Obligation volume stipulates traceability requirements to make the circulation routes of personal data traceable. The Pseudonymized/Anonymized Information volume establishes the processing standards and handling obligations for each. Pseudonymized information is limited to internal analysis purposes, and third-party provision is prohibited in principle.

Guidelines are not law themselves, but the Personal Information Protection Commission (PPC) uses them as the basis for issuing guidance, recommendations, and orders. If a business operator violates the guidelines, the PPC can issue an improvement order, and penalties are imposed for non-compliance. Therefore, guidelines have de facto legal binding force.

For specific personal information (personal information containing My Number), the Personal Information Protection Commission separately publishes "Guidelines on the Proper Handling of Specific Personal Information." The scope of My Number use is limited to tax, social security, and disaster countermeasures, and stricter safety management measures are mandated than for ordinary personal information. Restrictions on collection and storage are also strict, and use or provision outside the designated purpose is prohibited in principle.

The Basic Act on Cybersecurity was enacted in 2014 and clarified the basic philosophy of Japan's cybersecurity strategy and the responsibilities of the state. Under this law, the National Center of Incident Readiness and Strategy for Cybersecurity (NISC) was established. NISC coordinates cooperation with each ministry and the private sector and undertakes the formulation and promotion of the cybersecurity strategy.

An important pillar of the Basic Act on Cybersecurity is critical infrastructure protection. The government designates the following 14 sectors as critical infrastructure: information and communication, finance, aviation, airports, railways, electric power, gas, government and administrative services, medical, water supply, logistics, chemical, credit, and petroleum. Operators in these sectors are required to strengthen their cybersecurity measures.

The Unfair Competition Prevention Act stipulates the protection of trade secrets. The 3 requirements for trade secrets are extremely frequently tested on the exam. (1) Secrecy management: the information is managed as confidential (marked "confidential," access restricted, stored under lock, etc.). (2) Usefulness: the information is useful for business activities (customer lists, manufacturing techniques, sales strategies, etc.). (3) Non-public knowledge: the information is not generally known.

Acts of trade secret infringement include wrongful acquisition (theft, fraud, coercion, etc.), wrongful use, and wrongful disclosure. Victims can file injunction claims (cessation of infringing acts) and claims for damages. In malicious cases, criminal penalties (imprisonment of 10 years or less, etc.) may also apply.

The Unauthorized Computer Access Prohibition Act is a law that punishes unauthorized intrusion into computers. Unauthorized access acts refer to: (a) using another person's ID/password without permission, (b) exploiting security holes, and (c) using another person's authentication information without authorization. Prohibited acts include, in addition to unauthorized access itself, wrongful acquisition of another person's IDs, acts facilitating unauthorized access (selling/sharing passwords), and phishing. Penalties are imprisonment of 3 years or less, or a fine of 1 million yen or less.

Article 4 of the Telecommunications Business Act guarantees "secrecy of communications," and telecommunications operators bear the obligation to protect users' communication content. The Act on Regulation of Transmission of Specified Electronic Mail mandates opt-in (prior consent) for sending commercial emails. The Criminal Code's "wrongful electromagnetic record commands" crime punishes the creation, distribution, and provision for use of computer viruses.

The Cybersecurity Framework (CSF) formulated by the U.S. National Institute of Standards and Technology (NIST) is widely adopted worldwide. CSF consists of 5 functions: "Identify" (understanding assets and risks), "Protect" (implementing safeguards), "Detect" (discovering anomalies), "Respond" (incident handling), and "Recover" (returning to normal state). Many organizations in Japan also use the NIST CSF as a reference.

The ISO/IEC 27000 series is a family of international standards for information security management. Key standards: 27000 defines vocabulary, 27001 specifies ISMS requirements, 27002 is a code of practice for controls, 27005 covers information security risk management, 27017 addresses cloud security, 27018 covers protection of personal information (PII) in the cloud, and 27701 specifies a Privacy Information Management System (PIMS: privacy extension). By combining these, organizations can manage information security and privacy protection in an integrated manner.