JP2005071087A - Decision making device and method for infringement and program thereof - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To solve the problem that it hitherto takes time to make a decision on measures to be taken when an information asset is illegally infringed, causing damage to increase. <P>SOLUTION: The decision making device for infringement comprises an asset management register database 8 that registers the name and the value of an information asset, a content of infringement of the information asset, the level of the threat, necessity of taking measures for the threat, detailed management measures to cope with the threat, and priority of the detailed management measures if there are a plurality of them; an infringement responding decision making part 2 that receives the name of the information asset, the content of infringement, and date and time of the infringement from an infringement detection part 1, searches the asset management register database 8 by the name of the information asset and the content of infringement, acquires the corresponding necessity of taking measures and the detailed management measures, and the priority if there are a plurality of them, determines whether to take measures or not and indicates the result, and selects detailed management measures when taking measures and indicates the results; a notification processing part 3 that notifies a terminal of a person in charge, of the status of infringement if the selected detailed management measures are notification; and a detailed management measures registration part 5. <P>COPYRIGHT: (C)2005,JPO&NCIPI

Description

  The present invention relates to a decision making apparatus and method for an infringement corresponding to an unauthorized infringement on information assets using a computer, and a program.

  Conventionally, a crisis related to information assets has been dealt with according to a predetermined rule or procedure if there is a document, and if there is no document, it has been dealt with at an individual's knowledge level.

  In recent years, however, security awareness has increased, and international standards and standards recommended by government agencies have been established. Companies and organizations have established security policies in accordance with the standards and are carrying out activities to maintain their own security. .

  Security maintenance identifies information assets that should be protected, assumes damage when infringement of the information assets occurs, establishes management measures to prevent damage, implements management measures, and It is a series of work that is reviewed and improved accordingly.

  Standards related to security maintenance are the British Standard “BS7799” and “ISO / IEC 17799” established by the International Organization for Standardization (ISO), and “Information Security Management System (ISMS) compatibility” established by the Japan Information Processing Development Corporation in Japan. There is an “evaluation system”.

  In addition, as a technology to support the construction of security policy, a method and device for constructing a security policy of an organization, first a draft of the security policy is simply constructed and the difference between it and the actual situation of the organization is investigated, and based on the difference A method and apparatus for completing a security policy in stages by adjusting a draft of a security policy or adjusting an operation rule of an actual information system of a group is disclosed (see Patent Document 1).

  As devices for detecting threats to information assets, technologies such as IDS (Intrusion Detection System) and IDP (Intrusion Detection and Prevention) are known and widely commercialized.

  FIG. 7 shows the relationship between threats and infringements on information assets, detection devices, and security policies. The security policy is defined as the top policy, and the actual procedure is defined as a separate procedure.

  Detect illegal infringement on information assets by IDS. The behavior after the detection is performed is executed according to the methods described in various procedures.

JP 2002-56176 A (second page)

  As described above, the technology for detecting the infringement has been established, and the action when the infringement is found can be dealt with by a procedure based on the security policy.

  However, when an “infringement event not described in the procedure” occurs or when the “procedure description is ambiguous”, there is a problem that the response is delayed, which in turn increases the damage.

  Moreover, when it is not defined in the procedure, ultimately, decision making by human resources is required.

  Therefore, the present invention specifies a threat level according to the contents when an unauthorized infringement of information assets using a computer occurs, and indicates whether or not to deal with the threat level and a detailed management measure for dealing with it. It is an object of the present invention to provide a decision making apparatus and method for infringement so that threats due to infringement can be appropriately dealt with.

  The first decision making apparatus for infringement of the present invention stores the asset name, value, content of infringement on the information asset, threat level, necessity of dealing with the threat in the database, and when the infringement of the information asset occurs The information processing apparatus is characterized by comprising means for receiving the information asset name and the content of infringement, referring to the database, and determining whether to deal with the threat.

  According to a second infringement decision-making apparatus of the present invention, in the first infringement decision-making apparatus, the database includes a detailed management measure for dealing with threats corresponding to the contents of infringement on information assets. A priority order of each detailed control measure in a plurality of cases is registered, and means for selecting a detailed control measure by referring to the database by the information asset name and the infringement content received when the infringement occurs is provided.

  The third infringement decision making apparatus according to the present invention comprises means for receiving the information asset name, infringement content, and infringement date and time from the apparatus for detecting infringement of information assets in the second infringement decision making apparatus. It is characterized by having.

  The decision making apparatus for infringement according to the fourth aspect of the present invention provides a notification (escalation) as means for detailed management measures for removing threats against infringement on information assets in the decision making apparatus for second infringement. And a notification processing means for notifying the occurrence of infringement to a preset destination device.

  The fifth infringement decision-making apparatus according to the present invention is the above-described second infringement decision-making apparatus, wherein “normal state”, “access violation detection”, “threat level check state”, “threat-handling state” The state management means is provided.

  The sixth infringement decision-making apparatus of the present invention is the second infringement decision-making apparatus, wherein the asset name and value of the information asset, the content of the infringement on the information asset, its threat level, threat It is characterized in that there is a means for registering the necessity of coping with each other, detailed management measures for coping with each other, and the priority of each of the detailed management measures when there are a plurality of them.

  According to the seventh infringement decision-making apparatus of the present invention, in the decision-making apparatus for the second infringement, the asset name of the information asset, the value, the content of the infringement on the information asset, its threat level, and the countermeasure necessary for the threat No, detailed control measures for coping, and means for displaying priority on a display device.

  An eighth infringement decision-making apparatus according to the present invention relates to a date and time when an infringement is detected, an information asset name, an infringement content, a detection method, and a countermeasure for the detailed control method selected in the third infringement decision-making apparatus. The present invention is characterized in that it includes means for storing the date and time and details of countermeasures as detailed management measures in a database for history management.

  The first program of the present invention is a procedure for receiving information asset name and content of infringement when an information asset infringement occurs, information asset name, value, content of infringement on information asset, threat level, and threat countermeasures. It is characterized by causing a computer to execute a procedure for referring to a database storing “no” and determining whether or not to deal with a threat.

  The second program of the present invention is a procedure for receiving information asset name and content of infringement when an information asset infringement occurs, information asset name, value, content of infringement on information asset, threat level, and threat countermeasures. No, detailed control measures to deal with, the procedure for judging whether to deal with threats by referring to the database storing the priority of each detailed control measure when there are multiple, and details when dealing with it The computer is caused to execute a procedure for selecting a management policy.

  The third program of the present invention includes a procedure for receiving an information asset name and infringement content from an apparatus for detecting infringement of an information asset, the date and time of occurrence of the infringement, an asset name of the information asset, a value, an infringement content to the information asset, and its threat A procedure for determining whether to deal with a threat by referring to a database storing the level, necessity of dealing with threats, detailed management measures to deal with, and the priority of each detailed management measure when there are multiple The computer is caused to execute a procedure for selecting the detailed management policy when dealing with the problem.

  The fourth program of the present invention is a procedure for receiving information asset name and content of infringement when information asset infringement occurs, information asset name, value, content of infringement on information asset, threat level, and threat countermeasures. No, detailed control measures to deal with, the procedure for judging whether to deal with threats by referring to the database storing the priority of each detailed control measure when there are multiple, and details when dealing with it When the procedure for selecting a control measure and the selected detailed control measure is a report (escalation), the computer is caused to execute a procedure for reporting the occurrence of infringement to a preset device.

  The fifth program of the present invention includes a procedure for receiving information asset name and infringement content, date and time of occurrence of infringement from a device for detecting infringement of information asset, information asset name, value, infringement content to information asset, threat thereof A procedure for determining whether to deal with a threat by referring to a database storing the level, necessity of dealing with threats, detailed management measures to deal with, and the priority of each detailed management measure when there are multiple , The procedure for selecting detailed management measures when dealing with it, the date and time when the infringement was detected, the information asset name, the content of the infringement, the detection method, the date and time of the countermeasure, and the details of the detailed control measures that were handled in the database It is made to perform.

  The first decision-making method for infringement according to the present invention includes a procedure for receiving information asset name and content of infringement when an information asset infringement occurs, information asset name, value, content of infringement on information asset, threat level, threat Refers to the database that stores the detailed management measures to deal with the necessity of countermeasures, the priority order, and the procedure for determining whether or not to deal with threats, and selects the detailed management measures when dealing with them And a procedure for performing.

  The second decision-making method for infringement of the present invention includes a procedure for receiving an information asset name and infringement content, an infringement occurrence date and an infringement occurrence time from a device for detecting infringement of an information asset, an asset name of an information asset, a value, Refer to the database that stores the content of infringement on information assets, threat level, necessity of dealing with threats, detailed control measures to deal with, and the priority of each detailed control measure when there are multiple threats. And a procedure for selecting a detailed management policy when dealing with it.

  The third decision-making method for infringement of the present invention is the information asset name, the procedure for receiving the infringement content, the information asset name, value, the infringement content for the information asset, the threat level, the threat The procedure for determining whether or not to deal with threats by referring to the database that stores the necessity of handling, detailed management measures to deal with, and the priority order of each detailed management measure when there are multiple countermeasures And a procedure for selecting a detailed management measure in the case, and a procedure for reporting the occurrence of infringement to a preset device when the selected detailed management measure is a report (escalation).

  The fourth decision-making method for infringement of the present invention is a procedure for receiving information asset name, infringement content, date of occurrence of infringement from a device for detecting infringement of information asset, infringement on information asset name, value, information asset. Whether or not to deal with threats by referring to the database that stores the contents, threat level, necessity of dealing with threats, detailed management measures to deal with, and the priority of each detailed management measure when there are multiple Judgment procedures, procedures for selecting detailed control measures to deal with, date and time of infringement detection, information asset name, content of infringement, detection method, date and time of countermeasures, content of the detailed control measures handled in the database and history management And a procedure for performing.

  According to the present invention, the asset value of the information asset and the content of the infringement on the asset, the data for identifying the threat level, the necessity of countermeasures, the management measures against the threat are stored in the database in advance, and when the infringement on the information asset occurs, The database is referred to by information asset name and content of infringement, and it is necessary to cope with it, and management measures are implemented or instructed so that it is possible to respond without delay when unauthorized infringement occurs.

  The database also includes multiple detailed management measures and their priorities corresponding to the content of infringement on information assets. When an infringement occurs on information assets, the corresponding multiple detailed management measures are set to priorities and the implementation status so far. Therefore, appropriate management measures can be taken against threats caused by infringement.

  Next, the best mode for carrying out the present invention will be described in detail with reference to the drawings. FIG. 1 is a block diagram showing a functional configuration of a decision making apparatus for infringement of the present invention.

  The asset management ledger database 8 includes information asset names, information asset values, information infringement contents, threat levels, necessity of handling when threats occur, priority of actions, and detailed management measures for threats. Stored.

  The management information registration unit 5 uses an input device 6 such as a keyboard, and the asset name and value of the information asset, the content of the infringement on the information asset, its threat level, whether or not to deal with the threat, detailed management measures for handling and priority It is a processing unit that registers the ranking in the asset management ledger database 8 and updates it.

  When update is selected, the registered information in the asset management ledger database 8 is read out and displayed in the memory, information updated on the memory is displayed on this, and when the update is instructed, the asset management ledger database 8 is updated.

  Initially register detailed control measures and priorities for dealing with information asset name, value, details of infringement of information assets, threat level, whether to deal with threats, and then add, update, and You may make it change.

  As a result of registration, addition, update, and change, the display unit 4 extracts data from the asset management ledger database 8 and outputs the data to a display device 7 such as a CRT or a liquid crystal display.

  When the infringement response decision-making unit 2 receives information from the infringement detection unit 1 that has detected fraudulent infringement on the information asset, it acquires the information from the asset management ledger database 8 using the received information as a key, and identifies the threat level. Instruct the necessity of dealing with the threat. If a countermeasure is required, a detailed management measure is selected and instructed. The result of the process is stored in the infringement history ledger database 9.

  When escalation to the decision maker becomes necessary in the process of the infringement decision making part 2, it is processed in the notice processing part 3 and a notice to the decision maker is made. The notification processing unit 3 holds a destination (communication address) of a preset notification destination device.

  Next, the information asset name stored in the asset management ledger database 8, value, content of infringement, threat level thereof, necessity of coping with infringement, detailed management measures for coping and priority thereof will be described.

  As the information asset name, a name for identifying the information asset is stored. As the value, a value representing the value of the information asset is stored.

  The content of infringement stores specific details of infringement of information assets. The threat level stores a value indicating the degree of influence when the infringement occurs.

  As the necessity of countermeasure, information indicating whether or not the countermeasure against the threat is necessary is stored.

  As the priority order, a value indicating the priority order of countermeasures when there are a plurality of detailed management measures for the threat is stored. As a detailed management measure, a countermeasure content for a threat is stored.

  A specific example of the asset management ledger database 8 is shown in FIG. For example, “Public Web content” is stored in the information asset name column, “Important” is stored in the value column, and the assumed infringement of “content falsification / destruction” is stored in the infringement content. “Medium” is stored, and “Necessary” is stored in the action column.

  Also, as detailed management measures to cope with, priority is "perform access restriction on upper border router of server" as priority 1, and priority is "disconnect UTP cable connection with server-accommodated HUB" As a ranking 3, “decision maker call escalation” is registered.

  Next, the occurrence date and time, information asset name, infringement content, detection method, handling date and time, and handling content stored in the infringement history ledger database 9 will be described.

  As the occurrence date and time, the date and time when an infringement of information assets was detected is stored. As the information asset name, a name for identifying the information asset in which unauthorized infringement has occurred is stored.

  The contents of infringement store the contents of fraud that occurred in information assets. As a detection method, the contents of how to detect an illegal infringement on information assets are stored.

  In the handling date and time, the date and time when the threat has been resolved by using a management measure for illegal infringement on information assets is stored. The countermeasure contents store what kind of management measures are used for illegal infringement on information assets.

A specific example of the infringement history ledger database 9 is shown in FIG. For example, at 13:45:00 on December 24, 2002, the “Web content monitoring tool” detects the alteration / destruction of the content of “Public WEB content”, and 13:45:20 on December 24, 2002. It is stored as a history that access restriction has been performed on the upper border router of the server per second.

  Returning to FIG. 1, the infringement response decision-making unit 2 has a state management unit 21, and performs infringement occurrence and response processing state management. That is, the status of intrusion detection and response processing is managed, and the status is changed as the processing proceeds.

  FIG. 4 is a diagram showing this state transition. The “normal state” represents a state where no infringement has occurred. When an infringement occurs, the state changes, and when the threat of the infringement is resolved, the state returns to the “normal state”.

  “Access infringement detection” changes from “normal state” to this state when infringement occurrence information is received from the infringement detection means.

  The “threat level check state” represents a state in which a threat to an asset caused by an illegal infringement on an information asset is analyzed. If it is determined that it is necessary to deal with the threat, the state is changed to a “threat responding state”, and if it is determined that no countermeasure is necessary, the state is returned to the “normal state”.

  “Threat response state” represents a state corresponding to a threat event to an information asset. When the threat of infringement after this state is resolved, the state is returned to the “normal state”, and when the infringement occurrence information is received again, the state is changed to the “access infringement detection” state.

  Next, a specific example of a system including a decision making apparatus for infringement of the present invention will be described. Referring to FIG. 5, a system including a decision making apparatus for infringement according to the present invention includes an infringement detection apparatus 30, 40, a decision making apparatus 10 for infringement, a terminal device 50 of a decision maker, and a router 60, which is a local area network (LAN). 100 for communication connection.

  The infringement decision making device 10 includes the infringement response decision making unit 2, the notification processing unit 3, the display unit 4, the management information registration unit 5, the asset management ledger database 8, the infringement history ledger database 9, the display device 7, and the input device. 6 and the communication unit 11. The infringement response determination unit 2 includes the state management means 21 described above.

  The infringement decision-making device 10 is an information processing device that operates under program control such as a server device or a personal computer as hardware, and includes an external storage device such as a communication unit, an input device, a display device, a hard disk device, and the like. The asset management ledger database 8 and the infringement history ledger database 9 are stored in the external storage device, and the infringement decision making unit 2, the notification processing unit 3, the display unit 4, and the management information registration unit are provided. 5 is realized by a program of the information processing apparatus or a storage area under the control.

  The infringement detection devices 30 and 40 are a server device, a personal computer device, a terminal device, or a communication device provided with the information asset 14 and the infringement detection unit 1 such as IDS.

  The infringement detection unit 1 periodically checks the content of the information asset 14 through the access unit 13 and detects content alteration or destruction due to unauthorized access.

  An external network 101 is connected to the router 60. The terminal device 50 of the decision maker is a personal computer or a terminal device, and has a communication function and a display function, and displays the infringement status of information assets sent from the notification processing unit 3 by a pop-up display means or the like.

  Next, the processing flow of this embodiment will be described with reference to the drawings. FIG. 6 is a flowchart showing the flow of processing from intrusion detection to threat analysis and threat elimination in this embodiment.

  In step 1, the asset name of the information asset that has been infringed from the infringement detection unit 1 having an infringement infringement detection unit such as IDS, the date and time of infringement, and the content of the infringement are transmitted through the communication unit 12, the LAN 100, and the communication unit 11. Delivered to the infringement response decision-making unit 2.

  In step 2, the infringement decision making part 2 searches the asset management ledger database 8 using the asset name of the information asset delivered from the infringement detection device 30 and the content of the infringement as keys, and the value and threat level of the information asset, When there are a plurality of detailed management measures and necessity of handling, detailed management measures, the priority order is acquired from the asset management ledger database 8.

  Search for entries that contain the extracted information asset name and keywords extracted from the received infringement content in the asset name column and infringement content column, respectively, and the value and threat level of the information asset, necessity of countermeasure, detailed control measures and priority To get.

  In step 3, the infringement response determination unit 2 changes the state of the entire process to “access infringement detection”.

  In step 4, the value and threat level of the information asset are grasped. The value and threat level of the information asset acquired in step 2 are used.

  In step 5, the state of the entire process is changed to the “threat level check state”.

  In step 6, it is determined whether or not a response to the threat is necessary. The determination method uses the value and threat level of the information asset acquired in step 2, compares the asset value and the threat level, and if the value of the asset value is larger than the threat level, it is necessary to take a countermeasure. Proceed to step 7.

  If no action is required, the process proceeds to step 10.

  In step 7, the state of the entire process is changed to “threat responding state”.

  In step 8, a detailed management measure for responding to the threat is selected and displayed, and the selected detailed management measure is performed. Or, instruct the implementation and eliminate the threat.

  When there are a plurality of detailed control measures, the detailed control measures are selected according to the priority order. However, if countermeasures are recorded in the infringement history ledger database 9 within the latest predetermined period, a detailed control measure of the next priority order excluding that is selected. select. However, even if there is a record of the report within the recent predetermined period, it will be notified every time.

  When processing is completed (or received input indicating that it has been implemented), the date and time of infringement in the infringement history ledger database 9, the name of the infringed information asset, the content of the infringement, the method of detecting the infringement, the date and time of the action, and then selected Stores the details of countermeasures as detailed management measures.

  In step 9, it is determined whether or not the threat has been resolved by the countermeasure (determined that the threat has been resolved if no infringement of the same information asset is detected for a predetermined period or longer). If the threat is resolved, the process proceeds to step 10. If the threat is still not resolved, go to step 3.

  In step 10, the state of the entire process is changed to the “normal state”.

  In the case of proceeding to step 3, the process up to step 9 is repeated in the same manner. However, in step 8, since there is a record in the infringement history ledger database 9 that the detailed control measure of priority 1 is being dealt with, the detailed control measure of priority 2 is selected. Select, display and implement.

  If it is determined that the threat has not been resolved in the second step 9, step 3 and subsequent steps are repeated, and in step 8, the report (escalation) of the detailed control measure with priority 3 is similarly selected and displayed, and the notification processing unit 3 Is activated, and the notification processing unit 3 transmits the occurrence of the infringement to the terminal device 50 of the decision maker.

  After this, if the threat is not solved, the detailed management measure report (escalation) of priority 3 is selected and the report process is performed.

  If the infringement detection device 30 is a Web server, the information asset 14 is public WEB content, and the infringement detection unit 1 including the Web content monitoring tool detects the alteration / destruction of the content, the router 60 in the first step 8 The access restriction is selected and executed, and in the second step 8, the cable connection between the router 60 and the LAN 100 is disconnected.

  In step 8 after the third time, a notification is sent to the terminal device 50 of the decision maker. In addition, you may make it make the notification to the terminal device 50 of a decision maker every time from the first time.

  Although the above-described system including a decision-making device for infringement has been described as a specific example, the example in which the decision-making device 10 for infringement receives infringement occurrence information from the infringement detection devices 30 and 40 having information assets and an infringement detection unit has been described. Infringement decision making unit 2, notification processing unit 3, management information registration unit 5, display unit 4 and asset management ledger database 8, infringement detection unit, or device having information asset and infringement detection unit There is also an example in which the history ledger database 9 is provided.

The block diagram which shows the function structure of the decision-making apparatus with respect to the infringement of this invention. The figure which shows the specific example of the content of the asset management ledger database 8 of FIG. The figure which shows the specific example of the content of the infringement history ledger database 9 of FIG. The figure which shows the state transition of the process of the decision making apparatus with respect to the infringement of this invention. The block diagram which shows the structure of the specific example of the system containing the decision-making apparatus with respect to the infringement of this invention. The flowchart which showed the flow of the process of the decision-making apparatus with respect to the infringement of this invention. The figure which showed a mode that it developed from the conventional general security policy to a security standard and a security procedure.

Explanation of symbols

DESCRIPTION OF SYMBOLS 1 Infringement detection part 2 Infringement response decision-making part 3 Report processing part 4 Display part 5 Management information registration part 6 Input device 7 Display apparatus 8 Asset management ledger database 9 Infringement history ledger database 10 Infringement decision making apparatus 11, 12 Communication part 13 Access unit 14 Information asset 30, 40 Infringement detection device 50 Decision-maker's terminal device 60 Router 100 LAN
101 External network

Claims (17)

Information asset name, value, information asset infringement content, threat level, threat countermeasures, necessity of dealing with threats are stored in the database. When information asset infringement occurs, information asset name and infringement content are received, refer to the database And a decision making apparatus for infringement, characterized by comprising means for determining whether or not to deal with the threat. In the database, detailed management measures for dealing with threats corresponding to information asset infringements and priorities of each detailed control policy when there are multiple information assets are registered. The decision making apparatus for infringement according to claim 1, further comprising means for selecting a detailed management measure by referring to the database. 3. The decision making apparatus for infringement according to claim 2, further comprising means for receiving information asset name, infringement content, and date and time of occurrence of infringement from an apparatus for detecting infringement of information assets. When a report (escalation) was selected as a means of detailed management measures to remove threats for infringement of information assets, it had a notification processing means for notifying the occurrence of infringement to a preset destination device The decision-making device for infringement according to claim 2. The infringement decision-making apparatus according to claim 2, further comprising state management means for "normal state", "access violation detection", "threat level check state", and "threat-handling state". Asset name and value of information asset via input device, content of infringement on information asset, threat level, necessity of dealing with threat, detailed control measures to deal with and priority of each detailed control measure when there are multiple The decision making apparatus for infringement according to claim 2, further comprising means for registering. It is characterized by having a means for displaying on the display device the asset name and value of the information asset, the content of the infringement on the information asset, its threat level, necessity of dealing with the threat, detailed control measures for dealing with it, and priority order A decision making apparatus for infringement according to claim 2. With regard to the selected detailed management measure, the date and time when the infringement was detected, the information asset name, the content of the infringement, the detection method, the date and time of the countermeasure, and the content of the countermeasure as the detailed control measure are stored in a database, and a means for managing the history is provided. 4. A decision making apparatus for infringement according to claim 3. Refer to the database that stores the information asset name, the content of the infringement, and the information asset name, value, information infringement content, threat level, and necessity of dealing with the threat when information asset infringement occurs. , A program for causing a computer to execute a procedure for determining whether or not to deal with a threat. Procedure for receiving information asset name and content of infringement when information asset infringement occurs, information asset name, value, content of infringement on information asset, threat level, necessity of dealing with threat, detailed control measures to cope with In the case where there are multiple cases, refer to the database in which the priority of each detailed control measure is stored, determine whether to deal with the threat, and select the detailed control measure when dealing with it on the computer. A program to be executed. Information asset name and content of infringement from the device that detects the infringement of information assets, the procedure to receive the infringement date and time, information asset asset name, value, content of infringement on information assets, its threat level, whether to deal with threats, Detailed control measures to deal with, the procedure for determining whether to deal with threats by referring to the database storing the priority of each detailed control measure when there are multiple, and the detailed control measures when dealing with them A program that causes a computer to execute the procedure for selecting Procedure for receiving information asset name and content of infringement when information asset infringement occurs, information asset name, value, content of infringement on information asset, threat level, necessity of dealing with threat, detailed control measures to cope with , A procedure for determining whether to deal with a threat by referring to a database in which the priority of each detailed control measure is stored when there are multiple, and a procedure for selecting the detailed control measure when selecting a response A program for causing a computer to execute a procedure for reporting the occurrence of an infringement to a preset device when the detailed control measure is a report (escalation). Information asset name and content of infringement from the device that detects the infringement of information assets, the procedure to receive the infringement date and time, information asset asset name, value, content of infringement on information assets, its threat level, whether to deal with threats, Detailed control measures to deal with, the procedure for determining whether to deal with threats by referring to the database that stores the priority of each detailed control measure when there are multiple, and the detailed control measures to deal with A program for causing a computer to execute a procedure for selecting and storing the history of date and time, information asset name, content of infringement, detection method, date and time of handling, and details of the detailed management measures that have been handled in the database. Information asset name, procedure for receiving information infringement when information asset infringement occurs, information asset name, value, content of infringement on information asset, threat level, necessity of dealing with threat, multiple details to deal with Intention to infringement characterized by including a procedure for referring to a database storing management measures and their priorities and determining whether or not to deal with threats and a procedure for selecting detailed controls when dealing with them. Decision method. Procedure for receiving information asset name and infringement content, infringement occurrence date, infringement occurrence time from the device that detects infringement of information asset, information asset name, value, infringement content against information asset, threat level, threat to threat The procedure for determining whether to deal with threats by referring to the database that stores the necessity of countermeasures, detailed control measures to cope with, and the priority order of each detailed control measure when there are multiple countermeasures. A decision-making method for infringement characterized in that it comprises a procedure for selecting a detailed control. Procedure for receiving information asset name and content of infringement when information asset infringement occurs, information asset name, value, content of infringement on information asset, threat level, necessity of dealing with threat, detailed control measures to cope with In the case where there are multiple cases, a procedure in which the priority of each detailed control measure is stored is referred to, and a procedure for determining whether or not to deal with the threat is selected. A decision making method for infringement, comprising: a step of notifying the occurrence of infringement to a preset device when the detailed control measure is notification (escalation). Information asset name and content of infringement from the device that detects the infringement of information assets Detailed control measures to deal with, the procedure for determining whether to deal with threats by referring to the database that stores the priority of each detail control measure when there are multiple, and the detailed control measures to deal with Intention to infringement characterized in that it includes a procedure to select and the date and time of infringement detection, information asset name, infringement content, detection method, date and time of handling, and details of the detailed control measures to be stored in the database and history management Decision method.

Images