JP2004259197A - Information security audit system - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a system for constructing information security in a frame of management in order to grasp the information security as a problem of the whole organization system and drive the information security home to the organization as a system. <P>SOLUTION: This information security audit system is composed of the following three largely divided parts. One is an audit system 1 auditing all probabilities considered to an organization as an object to extract vulnerability and risk. The second is a three-layer structure 7 which is a constitution of information security in the frame of management of the organization as an object and various laws based on the constitutional law. The third is a countermeasure reflection route 6 which is one of characteristics of the system, fulfilling a role of relating the audit system 1 with the three-layer structure 7. The information collection 12 and various analysis 13 are provided in the periphery of the three-layer structure 7. Improvements are always made in the organization system as an object through the countermeasure reflection route 6 by the above structure, thereby providing a system for constructing the practicable and firm information security in the frame of management. <P>COPYRIGHT: (C)2004,JPO&NCIPI

Description

[0001]
TECHNICAL FIELD OF THE INVENTION
The present invention relates to an information security auditing system, and more particularly, to an auditing system for re-evaluating and improving vulnerabilities and risks of information security as a problem of an organizational system, and an ISMS and a security policy for the results of the information security audit. This is related to the information security audit system used for the formulation and review of the information security audit.
[0002]
[Prior art]
Conventionally, when building an information security management system, first, information is gathered from each layer within the organization through interviews and questionnaires to understand the current situation, and gap analysis, risk analysis, information Inventory of assets was being conducted. However, the information obtained through interviews and questionnaires had a problem in terms of information reliability. In other words, it is not always clear whether the interviewee really understands the system and seriously considers its security, and there are many questions about its reliability. At the extreme, if the interviewee is willing to steal the information, of course, they are not considered to answer the question seriously, but rather become uncooperative. Information assets vary greatly depending on each person's position in the organization and their responsibilities. For example, the quality and quantity of information differs greatly between general employees and managers or managers, and how to analyze and utilize the information assets after the inventory becomes an important issue. In addition, even when performing security audits, there was a major problem in that security audits were only partially performed for unauthorized intrusions and attacks on information equipment from outside and unauthorized intrusions and attacks on networks inside the organization. .
Although many security-related attempts have been made in the past, both business owners and field system staff actually have various problems and concerns about ensuring security. For example, it is difficult to clearly explain the necessity of security measures, showing cost effectiveness. Alternatively, it is not known what measures should be taken and to what extent sufficient security strength can be maintained. Further, the security strength of the company cannot be objectively explained to a third party such as a business partner. Also, the security strength of the business partner cannot be evaluated. In order to solve these problems, the Information Security Management System (ISMS) and the ISMS conformity assessment system already exist, and this system is not an individual countermeasure technology such as a firewall, but a security countermeasure as an organizational system. It is characterized by judging with emphasis on whether or not there is.
[0003]
[Problems to be solved by the invention]
In this way, the conventional method of collecting information from the various members of the organization through interviews and questionnaires and performing gap analysis, risk analysis, and inventory of information assets based on that information is an idea for security. However, there was a problem in terms of accuracy of information and objectivity.
In addition, conventional security audits have only partially performed security audits against unauthorized intrusions and attacks on information equipment from the outside, and unauthorized intrusions and attacks on networks inside the organization. In addition, there was no viewpoint to regard it as a problem of the entire organizational system, and it could not be said that it was a true security audit.
In addition, the ISMS and ISMS conformity assessment system is a system that conducts examinations with an emphasis on whether security management is properly established as an organizational system. It is evaluated, formulated and reviewed based on security audits.
In view of such problems, an object of the present invention is to provide a system for constructing information security within a management framework in order to regard information security as a problem of an entire organizational system and to thoroughly disseminate it as a system. .
[0004]
[Means for Solving the Problems]
In order to solve this problem, the present invention is directed to an information security audit system for performing a security audit of a network and a management system of a user organization, the information being accessible from outside the organization via a communication network. External audit means for auditing the possibility of unauthorized intrusion and attack on the device, and complementing the external audit, setting of information devices, suitability of OS / application versions, and unauthorized access between information devices within the same organization Internal audit means for auditing the possibility, physical audit means for auditing unauthorized access due to physical intrusion from outside into the organization, and root causes for all vulnerabilities and problems or risks extracted from the above audit results System audit means for re-evaluating the problem as a problem of the management system and presenting countermeasures. Extracts the vulnerabilities and risks of the information equipment by means of the department audit means, internal audit means, physical audit means and system audit means, and re-evaluates the vulnerabilities and risks as problems of the organizational system with the information security system The present invention is characterized in that countermeasures against the problem are presented to the organizational system.
When auditing the information security of an organization, it is not enough to audit the security inside the organization. That is, when the communication network is connected to the outside through the network, intrusion from the outside is naturally considered. In addition to physical security audits that audit the possibility of physical intrusion into the building, and other than these visible audits, any vulnerabilities and issues extracted from the results of each audit are considered issues in the organizational system. A system audit that corrects and conforms to reality from a system viewpoint. In this way, it is necessary to not only extract the vulnerabilities and risks of security status details but also to capture them as vulnerabilities and risks of the organizational system by using a comprehensive auditing system, and then examine and take countermeasures.
According to this invention, the vulnerability and risk discovered by the comprehensive audit are re-evaluated as system problems, and measures are instructed by management, so that the organization system can be dealt with, and the problem is solved fundamentally and It will be done exactly.
[0005]
Claim 2 is that the information security is based on a countermeasure standard for selecting management objectives and management measures to be implemented based on an optimal risk evaluation and determining the standards, a specific plan of information security measures, and a plan based on the plan. Implementation of measures, audit of the results of the implementation, and an implementation procedure for continuously improving the cycle of review by the highest decision-making body, and the external audit means, the internal audit means, the physical audit means, and It is necessary to reflect the vulnerabilities and risks extracted by the system auditing means and the measures derived from them in the above-mentioned implementation procedures and countermeasures standards, and also to reflect the results of risk analysis obtained through information collection in the aforementioned countermeasures standards. Features.
The feature of the present invention is that the information security is regarded as a problem of the whole organizational system, and in order to make the system well known, the top policy, countermeasure standards, and implementation procedures that can be called the information security constitution and various laws within the management framework As a three-layer structure. The most important thing here is that, based on the optimal risk assessment, the management objectives and control measures to be implemented are selected and the criteria are determined. In addition to reflecting the risks and the measures derived from them in the measures standards, the results of the risk analysis obtained through information collection should also be reflected. Also, plan: P, operation: D, audit: C, review and improvement : For the implementation procedure that continuously improves by turning the cycle of A, it is to reflect the vulnerabilities and risks extracted by each auditing means and the countermeasures derived from them.
According to this invention, measures against problems derived from vulnerabilities and risks extracted by each auditing means are reflected in the above-mentioned execution procedure, and the measures are taken based on a risk analysis obtained by a system audit and information collection. Because it is reflected in the standards, problems in the organizational system can be continuously improved in a spiral-up manner.
[0006]
A third aspect of the present invention resides in that the external inspection means is in a position equivalent to an unauthorized intruder intruding into an information device accessible via the Internet, a public line, a dedicated line or a wireless LAN, and The present invention is characterized by presenting verification of all security holes that can detect the possibility of unauthorized intrusion into a way system or a computer, and countermeasures against the holes.
It is not clear how to accurately audit the status of intrusions from outside without taking the position of an actual intruder. In other words, the present invention takes on the same position as an actual intruder, tries all possible ways of intruder from what route and by what means, and finds the security weaknesses existing in networks and computer systems. Is verified and its countermeasures are presented.
According to the invention, since security vulnerabilities existing in the network and the computer system are verified in the same position as an actual intruder, it is necessary to accurately verify security holes and take quick countermeasures. Can be.
[0007]
According to a fourth aspect of the present invention, the internal auditing means investigates and investigates the possibility of unauthorized intrusion and the possibility of internal unauthorized access from an auditing computer on a user network to servers inside and outside the user network. In addition to security hole verification, security system configuration and settings, audits are also performed on OS versions, application types and versions, the status of application of patches for known vulnerabilities, and the existence of vulnerabilities in OS and application settings. And presenting a measure based on the audit result.
Like external audits, internal audits need to investigate the possibility of unauthorized access from the same standpoint as internal intruders. Therefore, in the present invention, the auditor takes the same position as the internal user, performs unauthorized access and attacks from the computer connected to the user network to the internal and external servers, verifies the result, and takes measures. Things.
According to the invention, not only does a computer connected to the user network perform unauthorized access and attacks on internal and external servers from the standpoint of an actual internal intruder, but also the same level as an administrator. From a standpoint, in addition to directly configuring and setting up security systems, audit the types and versions of OSs and applications, and whether there are vulnerabilities in settings, and the status of application of patches for known vulnerabilities, as well as internal network and computer system It can accurately verify the security problems that the company has.
[0008]
According to a fifth aspect of the present invention, the physical auditing unit investigates an illegal access to an information asset due to an intrusion from the outside and an illegal acquisition, investigates a management / discard status of a document in which the information asset such as customer information is described, It is characterized by investigating the security system.
Security management targets exist not only in networks and computer systems, but also in other parts. In other words, illegal access to and acquisition of information assets due to intrusion from the outside, management of documents containing customer information and server information, social engineering support systems, intrusion detection / monitoring sensors, surveillance cameras, etc. This is the management status of the physical security system. This is a surprisingly easy to overlook, and can be a big blind spot.
According to this invention, since the security management state of the network and the computer system other than the computer system is audited by the physical auditing means, it is possible to comprehensively perform the security audit without omission.
[0009]
According to a sixth aspect of the present invention, the system auditing means re-examines any vulnerabilities and problems extracted from the results of the external auditing means, the internal auditing means, and the physical auditing means as problems in the system, and conducts an on-site audit of the document management system. Through the system audit, network security risks, physical security risks, and document management system risks are widely regarded as information security system risks and information security risks.
In addition to the visible audit system, invisible audits of the system are also important. In other words, in order to reconsider any vulnerabilities and problems extracted from the results of each audit as a problem in the system, make sure that these measures are thoroughly known to the system, or that the measures standards and implementation procedures are based on the on-site system. It is necessary to constantly audit compliance. In addition, because the standard of measures and the implementation procedure itself do not always match the reality, it is also necessary to conduct an audit on that point.
According to this invention, the system audit is performed by the system audit means to verify the conformity with the reality, so that the measures such as the measure standard and the execution procedure by each audit means can be surely reflected in the system. .
[0010]
The system auditing means may be an account and password management system, a system for setting and changing devices such as servers and firewalls, a system for detecting and responding to unauthorized access, and collecting and responding to newly discovered vulnerability information. It is characterized by auditing the system, the education system for managers and users, and the reporting / instruction system related to security.
The system audit specifically describes how the accounts and passwords of each person within the system are managed, as well as the responsibility and confidentiality when installing and changing the settings of security systems such as servers and firewalls. A system for reporting, handling and instructing unauthorized access, a system for collecting and responding to newly discovered vulnerability information, when and who will provide training to administrators and users within the organization, and security issues that occur on a daily basis. It is necessary to audit how reports and instructions are given within the system.
According to the invention, it is possible to provide a system for constructing information security within a management framework in order to grasp information security as a problem of the entire organizational system by system audit and to make it known as a system.
[0011]
Claim 8 describes the vulnerability of the entire network and the computer system thereover from the viewpoint of an intruder, extracted by the external auditing means, the internal auditing means, the physical auditing means, and the system auditing means, the operation system of the important server, and He pointed out problems in the types and versions of application software and their settings, problems in human management, instruction systems, security education systems for members, and problems in security management status including physical security. It is characterized in that a specific measure is proposed for the pointed out matter.
The feature of the information security audit of the present invention is that the vulnerabilities extracted by each auditing means are regarded as systematic vulnerabilities as system vulnerabilities, and the types and versions of software of important servers, their settings, and management problems. The security management situation is considered as a problem, and these are comprehensively linked to propose specific measures.
According to this invention, since the vulnerability of the entire network and the three problems are comprehensively linked and a specific measure is proposed, information security can be regarded as a problem of the entire organizational system, and the information security can be thoroughly understood as a system. Therefore, it is possible to provide a system for building information security within the framework of management, and to build a solid security system as an organization.
[0012]
BEST MODE FOR CARRYING OUT THE INVENTION
Hereinafter, the present invention will be described in detail using embodiments shown in the drawings. However, the components, types, combinations, shapes, relative arrangements, and the like described in this embodiment are not merely intended to limit the scope of the present invention but are merely illustrative examples unless otherwise specified. .
FIG. 1 is a diagram schematically showing an information security audit system of the present invention.
This information security audit system is roughly composed of three parts. One is an audit system 1, which audits all possible possibilities for a target organization to extract vulnerabilities and risks. The second is a three-layer structure 7, which can be said to be the information security constitution and each law in the management framework of the target organization. The third is a countermeasure reflection route 6, which serves as a pipe linking the audit system 1 with the three-layer structure 7 and the information analysis 13, and is one of the features of the present invention. Further, around the three-layer structure 7, there are information collection 12 and various information analysis 13 which are conventionally performed. With this structure, it is possible to provide a system that builds a realistic and solid information security within the management framework by constantly improving the target organization system through the measure reflection route 6. .
[0013]
Next, the present embodiment will be described in more detail with reference to FIG. First, the audit system 1 includes an external audit 2, an internal audit 3, a physical audit 4, and a system audit 5. The External Audit 2 stands on a par with the intruders, searches for possible intrusions into gateway systems and computers on the user network accessible from the Internet or intranet, and examines all possible intrusions. It presents security hole verification and measures.
The internal audit 3 investigates the possibility of unauthorized intrusion from a computer on the user network to a server or the like inside or outside the user network, verifies all possible security holes, configures and sets a security system, It also audits the OS version, application types and versions, the status of application of patches to known vulnerabilities, and the presence of vulnerabilities in the OS and application settings.
Also, unused or unnecessary for access control for each target device, setting of filtering of routers and firewalls, vulnerabilities due to the type and version of running application software and OS, management of DNS servers, services involving user authentication Account deletion, managing passwords for all accounts, checking for software corrections (patches, etc.) and version upgrades, actually conducting unauthorized attacks, auditing the possibility of such attacks as well, If successful, it also checks for possible attacks on other servers via that server.
[0014]
The physical audit 4 is conducted by examining the situation of destroying documents describing information assets such as customer information and servers (recycle bin fishing = tracing), and passwords by social engineering that collect information by impersonating the person inside the organization or the like by telephone. Investigate the acquisition of and the physical security system. Here, the audit by social engineering is a method of impersonating a person inside the organization or collecting information by telephone, etc.The audit for physical security is an external staff impersonating internal staff and traders Auditing physical security vulnerabilities, how far into the organization the physical penetration is possible, checking for visitors to the building, presence and effectiveness of surveillance cameras, deployment and operation of physical security equipment Investigate the situation and its effectiveness.
Auditing by trashing (garbage bin fishing) is an audit of the status of disposal of documents and other information containing important information and the status of such "garbage" management. The purpose of this study is to investigate whether humans can enter the garbage collection site, obtain "garbage" left inside the building, and obtain important information from the obtained "garbage".
[0015]
The system audit 5, utilizing the results of the external audit 2, the internal audit 3, and the physical audit 4, uses the extracted risks (vulnerabilities and problems) as a system problem and audits the document management system. Through system audits, network security risks, physical security risks, and document management system risks are broadly redefined as information security system risks and information security risks. Specifically, by conducting interviews and on-site inspections with relevant managers from relevant managers, security management systems such as human security management, including a document management system, a command and control system, and a security education system for members are established. audit. In other words, this is an audit method that looks back where the cause of the current vulnerability or the vulnerability that is likely to become apparent is in the entire management system. Specifically, account and password management systems for users and administrators who use each computer, responsibilities and confidentiality systems for installing and changing security systems such as servers and firewalls, and unauthorized access A system for collecting and responding to newly discovered vulnerability information, a system for educating administrators and users, and a system for reporting, responding and giving instructions on security that occurs on a daily basis.
[0016]
Countermeasure reflection route 6 is based on the above-mentioned audit systems, the vulnerability of the entire network and the computer system on it from the viewpoint of the intruder, the types and versions of the OS and application software of the important server and the problems in the setting thereof, Includes responsibilities and confidentiality systems when installing / changing security systems such as firewalls, human security management, reporting / handling and instruction systems, issues with member security education systems, and physical security. Problems in the security management situation are extracted, and these vulnerabilities and risks are regarded as problems in the system and reflected in the implementation procedure 10 of the three-layer structure 7 and the measure standard 9 via the measure reflection route 6. In addition, as another route, the countermeasure reflection route 6 is reflected on the countermeasure standard 9 via the information analysis 13.
The three-layer structure 7 includes a top policy 8, a countermeasure standard 9, and an implementation procedure 10. Top Policy 8 is like a company security constitution. Based on the top policy, the countermeasure standard 9 and the implementation procedure 10 will be formulated, and some of the changes in the countermeasure standard 9 and the implementation procedure 10 will be reflected in the top policy 8.
The countermeasure standard 9 selects a management purpose and a management measure to be implemented based on the optimal risk evaluation, and determines the standard. For example, security policies, security organizations, classification and management of information assets, human security, and the like can be considered as management measures.
[0017]
In the implementation procedure 10, based on the top policy 8, a specific plan and policy for information security measures are formulated (plan: P). Next, implementation and operation of measures are performed based on this plan (implementation and operation: D). Audit the results of the implementation (audit: C). Next, it is reviewed and improved by the management team (review improvement: A). This is to continuously improve by turning the PDCA cycle 11.
These are the ISMSs, and the present invention further considers the vulnerabilities and risks discovered in the above-mentioned audit system 1 as problems of the system, reflects them in this execution procedure 10 and reflects the risk of the information analysis 13. The feature is that the measures are reflected in the measure standard 9 based on the analysis (details will be described later).
In the information collection 12, it is necessary to collect information from persons who actually use the information through hearings and questionnaires in order to grasp the current state of the organization system, and to perform analysis 13 from the information. The analysis includes gap analysis, risk analysis, and inventory of information assets (details will be described later).
[0018]
Next, a more detailed description of the information security constitution and the three-layer structure 7 which can be said to be various laws based on the constitution within the management framework of the target organization will be given. This three-layer structure 7 is a site of an organization, and it is no exaggeration to say that whether or not the information security audit system of the present invention effectively functions is related to the site. FIG. 2 is a diagram for explaining the PDCA cycle 11. In this figure, there is an arrow 31 indicating the improvement of the security strength at the center, and the PDCA rotates in a spiral around the arrow 31 to show a state of spiral up. In this way, the cycle of policy creation 20, plan (P) 21, implementation and operation (D) 22, audit (C) 23, and review and improvement (A) 24 by the management team is repeated to improve the security strength 31. To go. The important thing here is to keep this spiral up in mind. The reason is that it is impractical to plan an ideal security measure from the beginning, and in reality it is realistic to first establish it at a level that all current members can reach and gradually increase it every year. Because there is. Another reason is that new vulnerabilities (security holes) are being discovered in the OS and application software one after another, and it is necessary to correct them. Also, since additions and changes occur in the information system itself being used, it is important to review security measures accordingly. In other words, by repeating the process of the audit (C) 23 and the review and improvement (A) 24 by the management team, it becomes possible to perform such work without omission.
[0019]
FIG. 3 is a diagram illustrating the establishment of a management framework defined by the ISMS authentication standard. Conduct a risk assessment on all information assets to which ISMS is applied and determine appropriate management measures according to the risks. The ISMS certification standard defines this procedure in six steps. First, step S1 is to define an information security policy. The security policy indicates the basic policy 25 of security measures, and determines a general idea and policy for ensuring security by a company or organization. This corresponds to the top policy 8 in FIG.
Step S2 is to define the ISMS coverage 26. This applicable range may be divided in service units.
Step S3 is to perform a risk assessment. Investigate all information assets within the ISMS scope, determine asset values, threats, vulnerabilities, and risks, and create risk assessment results 27. This step is extremely important for maintaining and operating a security policy, and will be described later in detail.
Step S4 is to determine a risk to be managed. With respect to the risks extracted in step S3, it is determined whether to take an attitude of tolerance, reduction, transfer, or avoidance, and a risk list 28 is created.
Step S5 is to select the goals and management measures to be implemented. This is to formulate measure 9 in FIG.
Finally, an application declaration 30 is created in step S6. The application declaration 30 can be called a list of countermeasures standards, and is a list of control measures selected in step S5.
[0020]
FIG. 4 is a diagram for explaining an example of the gap analysis of the analysis 13 of FIG. 1 for explaining step S3 of FIG. 3 in further detail. This is a method called gap analysis that classifies the security measures into information assets that do not need to be treated, measures that have been taken, and measures that have not been taken (including insufficient measures), as compared to the ISMS certification standards. This is because the ISMS certification acquisition promoter 40 conducts a questionnaire and interview survey covering all positions and departments, such as top management, departments, and employees 41 (information collection 12). Perform a simulated attack to check for vulnerabilities. This clarifies the gap between the information asset to be protected as indicated by reference numeral 42 and its importance, the security measures of the information asset, and the level required by the ISMS. Threats, vulnerabilities, and risks are calculated, and the information assets are classified into, as indicated by reference numeral 44, that there is no need to take measures, that measures are taken, and that no measures are taken (including insufficient measures).
[0021]
FIG. 5 is a diagram illustrating a management cycle of security management according to the present invention. This management cycle is based on the above-mentioned ISMS P-D-C-A-C cycle 11. First, in the plan 50, the basic policy is formulated and reviewed, and the risk management and countermeasure standards are formulated and reviewed. Next, with the introduction 51, additional security measures / improvements are carried out, an execution procedure manual is prepared, and training for all employees is introduced.
[0022]
Next, the operation 52 performs operation / maintenance management of the security system, such as monitoring of intrusion / attack detection, compliance with security policies, response to accidents, continuous employee training, and training of professional staff. Audit 53 investigates legal compliance, security policy compliance and system vulnerabilities. By continuously running this management cycle, we will improve and understand the vulnerabilities and risks of the organizational system as problems of the system, and thereby build the organizational system itself with a high security policy.
[0023]
FIG. 6 is a comprehensive security audit diagram for explaining how the information security audit system of the present invention approaches an organizational system. For example, there is one organizational system 60, which is connected to the outside by the Internet 61 and the public telephone network 82. The Internet 61 is connected via a router 62 to a firewall 63 that prevents unauthorized access to an internal computer and performs identification and authentication by a unique authentication method. A DNS server 64 and a WWW / Mail server 65 are connected to an internal bus 66 beyond the firewall 63. It is connected. A proxy server 68, a PC 69, internal firewalls 70 and 76, and a monitoring PC 77 are connected to the internal bus 67 from the public telephone network 82 via the RAS server 81, and a PC 74 is further connected to the internal bus 71 of the internal firewall 70. PCs 79 and 80 are connected to an internal bus 78 of the internal firewall 76.
[0024]
In the system having such an organization system, the present invention simulates an unauthorized attack from the Internet 61 and the public telephone network 82 as an external audit. Since the contents thereof have been described above, a duplicate description will be omitted. However, whether the firewall 63 truly plays its role due to these external attacks, or if the intrusion is permitted, the internal DNS server 64 or WWW / The influence on the mail server 65 is investigated. In addition, it investigates what kind of influence the RAS server 81 has on a pseudo unauthorized attack from the public telephone network 82 and what kind of influence each server, internal firewall, and PC connected to the RAS server 81 have. Investigate whether to receive.
In addition, as an internal audit, a user interview is conducted, and the inside of the organizational system 60 is inspected and inspected, and an unauthorized intrusion is made by the monitoring PC 77 via the internal bus 67 to check the security holes of each server, internal firewall and PC. Conduct a survey. In addition, as a physical security audit, it impersonates an internal person, intrudes into the organizational system 60, and checks the physical security system. For example, if the illegally installed modem 72 is connected to the illegal line 75 to the illegally brought in PC 74, it cannot be detected by the monitoring PC 77, but it can be visually detected by the physical security audit.
[0025]
【The invention's effect】
As described above, according to the first aspect of the present invention, it is possible to deal with the organizational system by re-evaluating the vulnerabilities and risks discovered by the comprehensive audit as system problems and instructing the management on countermeasures. Problem solving will be done fundamentally and accurately.
According to the second aspect, measures against problems derived from the vulnerabilities and risks extracted by each auditing means are reflected in the execution procedure, and the measures are taken based on a risk analysis obtained by a system audit and information collection. Because it is reflected in the standards, problems in the organizational system can be continuously improved in a spiral-up manner.
According to the third aspect of the present invention, since security weaknesses existing in the network and the computer system are verified in the same position as an actual intruder from outside, the security holes are accurately verified and prompt measures are taken. Can be taken.
According to the fourth aspect of the present invention, not only a computer connected to a user network but also an unauthorized access and an attack on internal and external servers can be made in a position equivalent to that of an actual internal intruder. In addition to direct security system configuration and settings, audit the types and versions of OSs and applications, the presence or absence of vulnerabilities in settings, and the application status of patches for known vulnerabilities, as well as internal networks and computers. It can accurately verify the security problems of the system.
According to the fifth aspect, since the security management state other than the network or the computer system is audited by the physical auditing means, the security audit can be totally performed without omission.
According to the sixth aspect, the system audit is performed by the system audit means to verify the conformity with the actual situation, so that the measure proposed by each audit means can be surely reflected in the system.
According to the seventh aspect, a system for constructing information security within a management framework can be provided in order to grasp information security as a problem of the entire organizational system by system audit and to thoroughly disseminate the problem as a system.
In claim 8, since the vulnerability of the entire network and the three problems are comprehensively linked and a specific measure is proposed, information security can be regarded as a problem of the entire organizational system, and the information security can be thoroughly known as a system. For this reason, it is possible to provide a system for building information security within the framework of management, and to build a solid security system as an organization.
[Brief description of the drawings]
FIG. 1 is a diagram schematically showing an information security audit system of the present invention.
FIG. 2 is a diagram illustrating a PDCA cycle 11 of the present invention.
FIG. 3 is a diagram illustrating the establishment of a management framework defined by an ISMS authentication standard.
4 is a diagram illustrating an example of a gap analysis of FIG. 1 in FIG. 1 for explaining step S3 in FIG. 3 of the present invention in further detail.
FIG. 5 is a diagram illustrating a management cycle of security management according to the present invention.
FIG. 6 is a comprehensive security audit diagram for explaining how the information security audit system of the present invention approaches an organizational system.
[Explanation of symbols]
1 Audit system, 2 External audit, 3 Internal audit, 4 Physical security audit, 5 System audit, 6 Measure reflection route, 7 Three-layer structure, 8 Top policy, 9 Measure standard, 10 Implementation procedure, 11 PDCA cycle, 12 Information collection , 13 Analysis

Claims (8)

An information security audit system that performs a security audit of the network and management system of the user organization,
An external auditing means for auditing the possibility of unauthorized intrusion and attack on an information device accessible from outside the organization via a communication network or a communication line; a supplement to the external audit; Internal audit means for auditing the applicability of the application version and the possibility of unauthorized access between information devices within the same organization; physical audit means for auditing unauthorized access due to physical intrusion from outside into the organization; A system auditing means for re-evaluating any vulnerabilities and problems extracted from the audit results as problems of the management system that is the root cause and presenting countermeasures,
The external auditing means, the internal auditing means, the physical auditing means, and the system auditing means extract the vulnerabilities and risks of the information device, and re-evaluate the vulnerabilities and risks as problems of the organizational system having the information security system. An information security audit system characterized by presenting a countermeasure for the problem with respect to the organizational system. The information security is based on measures to determine the management objectives and management measures to be implemented based on the optimal risk assessment and determine the criteria, specific plans for information security measures, and implementation and implementation of measures based on the plans. And an implementation procedure for continually improving the results of the audit and review cycle.
The measures taken for the problems derived from the vulnerabilities and risks of the security management system extracted by the external audit means, the internal audit means, the physical audit means, and the system audit means are reflected in the implementation procedure, and information is collected. 2. The information security audit system according to claim 1, wherein the information is reflected in the measure standard based on the obtained risk analysis. The external auditing means is in a position equivalent to an unauthorized intruder intruding into an information device accessible via the Internet, a public line, a dedicated line or a wireless LAN, and is a gateway system or a computer on a user network. The information security audit system according to claim 1 or 2, wherein verification of all security holes that can detect a possibility of unauthorized intrusion into a computer and a countermeasure thereof are presented. The internal audit unit investigates the possibility of unauthorized intrusion from a computer on the user network to a server inside or outside the user network or the possibility of internal unauthorized access, verifies all security holes that can be searched, and a security system. In addition to the configuration and settings of the OS, the OS version, application type and version, the status of application of patches for known vulnerabilities, and the presence of vulnerabilities in the OS and application settings are also audited, and measures based on the audit results are taken. 3. The information security auditing system according to claim 1, wherein the information security auditing system is provided. The physical auditing means investigates illegal access to or illegal acquisition of information assets due to intrusion from the outside, investigates the destruction status of documents describing information assets such as customer information, passwords impersonating persons inside the organization The information security auditing system according to claim 1, wherein the information security auditing system checks the acquisition of the information and the physical security system. The system auditing means reassesses any vulnerabilities and problems extracted from the results of the audits by the external auditing means, the internal auditing means, and the physical auditing means as problems in the system, and enters the document management system to conduct an audit. 3. The information security auditing system according to claim 1, wherein the network security risk, the physical security risk, and the document management system risk are widely regarded as the information security system risk and the information security risk. The system audit means includes an account and password management system, a server and security system setting change system, an unauthorized access detection and response system, a collection and response system for newly discovered vulnerability information, and an education system for administrators and users. 7. The information security audit system according to claim 6, wherein the system audits a report / instruction system regarding security. The vulnerabilities of the entire network and the computer system on it from the viewpoint of an intruder, and the types of operation systems and application software of important servers, extracted by the external audit means, internal audit means, physical audit means and system audit means Points out problems in the version and its settings, human security related to security, instruction system, security training system for members, and security management status including physical security. The information security audit system according to claim 1, wherein a specific measure is proposed.

Images