JP2015103212A - Security evaluation system and security evaluation method - Google Patents

Abstract

PROBLEM TO BE SOLVED: To efficiently and accurately evaluate the security of a whole system in system design in which a plurality of different types of cloud services are combined.SOLUTION: A security evaluation system 1 is configured of: a component level database 35 in which the information of a security function to be provided by each of a plurality of sub-systems configuring an object system is stored; a storage device 53 for storing a configuration database 42 in which a connection relation between the sub-systems and the content of information assets to be processed or accumulated by each sub-system is stored; and an arithmetic device 51 for specifying the connection relation between the sub-systems configuring the object system in the configuration database 42, and for synthesizing the level of the security function of each sub-system in the component level database 35 on the basis of the dataflow of the information assets between the sub-systems, and for determining whether or not a synthesis level as a result satisfies a predetermined prescribed level, and for calculating a security evaluation result related to the evaluation object system.

Description

  The present invention relates to a security evaluation system and a security evaluation method. Specifically, in a cloud-based design in which a system is designed by combining a plurality of different types of cloud services, the security of the entire system is efficiently and accurately evaluated. It relates to the technology to be made possible.

  In recent years, with the spread of cloud computing, there has been an increase in the construction of all or part of information systems built in an organization by utilizing cloud services outside the organization. In system development before the spread of cloud computing, as shown in FIG. 1, the ordering company 11 first performs a business analysis 101 of its own organization and formulates a required specification 102. On the other hand, an SIer (System Integrator) 12 performs a basic design 103 and performs a system development 104 in accordance with a required specification formulated by the ordering company 11. The ordering company 11 introduces 105 a system developed by the SIer 12 and operates 106 in the organization.

  On the other hand, in system development after the spread of cloud computing, as shown in FIG. 2, the ordering company 21 first performs a business analysis 201 and formulates a required specification 202. On the other hand, a CBIer (Cloud Based Integrator) 22 performs a cloud-based design 203 in accordance with a required specification 202 formulated by the ordering company 21. In this cloud-based design 203, computer resources are used via a network on the premise that a contract is made with a cloud service provided by the cloud service provider CSP-1 (23a) or CSP-2 (23b) 204a, 204b. System design that takes this into account is made. Thereafter, the ordering company 21 introduces a system developed by the CBIer 22 206 and operates 207 within the organization.

  The feature of system development after the spread of cloud computing is that it can speed up development by utilizing cloud services prepared as a part in advance, that can reduce development cost, and select various cloud services as options. Incorporating development ensures scalability and scalability.

  While cloud-based development has these advantages, there is also a problem that it is difficult to evaluate the security of the entire system because the security of the system depends on cloud services outside the organization. In particular, when security is evaluated after the system is constructed, rework occurs, so security evaluation from the system design stage is required. Therefore, it is necessary to evaluate the security of the entire system from the stage of the requirement specification formulation 202 by the ordering company 21 and the cloud-based design 203 by the CBIer 22 surrounded by a broken line 210 in FIG.

  Therefore, as a technique related to system security evaluation, a technique (see Patent Document 1) for the purpose of efficiently and reliably specifying an attack method and a threat related to a security design target has been proposed. In this conventional technique, a series of meta templates in which external entities are common and one attack target serves as the entry point of the other is specified, and information of each metadata template group constituting the series is specified as an attack path. It is stored as a pattern, and the attack method and threat are specified.

JP 2009-70084 A

  However, in cloud-based development that combines multiple and different types of cloud services, the number of attack path patterns becomes enormous and the amount of computation increases. For example, an attack by a third party via the Internet, an attack by a system administrator on the cloud service provider side, or a multi-tenant configuration in which computer and network resources are shared between different users, from an adjacent multi-tenant user There can be an attack. Furthermore, as standardization of cloud service interfaces progresses in the future, vendor lock-in can be easily avoided in the future, and if one cloud service can be easily replaced with another service, each time such service replacement is performed. It is necessary to recalculate the attack path pattern, and the calculation amount for obtaining the attack path pattern becomes larger.

  There is also a concern that an excessive level of CSP (cloud service provider) may be used in combination to meet the requirements of the ordering company. For example, it is assumed that the ordering company 21 has a system having a confidentiality level of “2”, an integrity level of “1”, and an availability level of “3” as required specifications. In the cloud-based design in such a situation, in order to satisfy the above-described requirements, as illustrated in FIG. 3, CSP-1 (23a) and CSP-2 that exceed the requirements for confidentiality, integrity, and availability. (23b), CSP-3 (23c), and CSP-4 (23d) are used to design the system. In this case, since a CSP that always exceeds the required specification level is selected, there is a possibility that the CSP-3 (23c) whose integrity level exceeds the required specification may be selected. This will limit the reduction of development costs. On the other hand, CSP-5 (23e) whose availability level is “1” cannot be adopted because it does not satisfy the above-mentioned required specifications. In other words, it limits the scalability and scalability of development, which is one of the characteristics of cloud-based development.

  Accordingly, an object of the present invention is to provide a technology that enables efficient and accurate evaluation of the security of the entire system in a cloud-based design in which a system design is performed by combining a plurality of different types of cloud services.

  The security evaluation system of the present invention that solves the above-described problem is a component level database that stores information on security functions provided by a plurality of subsystems constituting the system to be evaluated, and a connection relationship between the plurality of subsystems. And a configuration database storing the contents of information assets processed or accumulated in each subsystem, and a connection relationship between the storage system and each subsystem constituting the system to be evaluated is the configuration database Based on the data flow of the information asset between the subsystems in the identified connection relationship, the security function level of each subsystem in the component level database is synthesized with a predetermined algorithm, and the result of the synthesis It is determined whether or not the synthesis level is a predetermined level Characterized in that it and a calculation device to calculate the security evaluation results of the evaluation of the system.

  The security evaluation method of the present invention includes a component level database storing security function information provided by each of a plurality of subsystems constituting the evaluation target system, a connection relationship between the plurality of subsystems, A computer having a configuration database storing the contents of information assets processed or accumulated in each subsystem, and a storage device for storing the configuration, the connection relationship between the subsystems constituting the evaluation target system Based on the data flow of the information assets between the subsystems in the identified connection relationship specified by the database, the security function level of each subsystem in the component level database is synthesized by a predetermined algorithm, Determine whether the resultant synthesis level meets a predetermined level Te, characterized in that to calculate the security evaluation results of the evaluation of the system.

  According to the present invention, it is possible to efficiently and accurately evaluate the security of the entire system in a cloud-based design in which a system design is performed by combining a plurality of different types of cloud services.

It is explanatory drawing which shows the flow of system development. It is explanatory drawing which shows the flow of cloud-based development. It is a figure explaining security evaluation in cloud base design. It is a whole block diagram of the security evaluation system in a first embodiment. It is a functional block diagram of the security evaluation system in a first embodiment. It is a table relation figure of the evaluation item database in a first embodiment. It is a data figure of the evaluation item table in a first embodiment. It is a data figure of the evaluation level table in 1st embodiment. It is a figure which shows the request | requirement level input screen in 1st embodiment. It is a table relation figure of a demand level database in a first embodiment. It is a data figure of the information asset table in 1st embodiment. It is a data diagram of a request level table in the first embodiment. It is a data figure of the participating subject table in 1st embodiment. It is a data figure of the relationship table in 1st embodiment. It is a figure which shows the component level input screen in 1st embodiment. It is a table relation figure of the parts level database in a first embodiment. It is a data figure of the interface table in 1st embodiment. It is a data figure of the security function table in 1st embodiment. It is a data figure of the component level table in 1st embodiment. It is a figure which shows the cloud base design information input screen in 1st embodiment. It is a table relation figure of the CBI information database in a first embodiment. It is a data figure of the CBI table in a first embodiment. It is a data figure of the utilization service table in 1st embodiment. It is a data figure of the service relation table in 1st embodiment. It is a main flowchart figure of the synthetic | combination level calculation part of 1st embodiment. It is a figure which shows the example 1 of a flowchart of the synthetic | combination level calculation part of 1st embodiment. It is a table relationship figure of the synthetic | combination level database in 1st embodiment. It is a data figure of the evaluation result table in 1st embodiment. It is a figure which shows the display screen of the synthetic | combination level in 1st embodiment. It is a table relation figure of the evaluation item database in a second embodiment. It is a data figure of the calculation table in 2nd embodiment. It is a data figure of the evaluation item table in 3rd embodiment.

  Embodiments of the present invention will be described below in detail with reference to the drawings. FIG. 4 is an overall block diagram of the security evaluation system 1 in the first embodiment, and FIG. 5 is a functional block diagram of the security evaluation system 1 in the first embodiment. The security evaluation system 1 shown in FIGS. 4 and 5 is a computer system that can efficiently and accurately evaluate the security of the entire system in a cloud-based design in which a system design is performed by combining a plurality of different types of cloud services.

  In the security evaluation system 1, an ordering company that orders system development from a developer or the like requires a required security level (hereinafter referred to as a required level) for a system that is a development product, and a provider of a cloud service incorporated in the corresponding system ( Hereinafter, the security level (hereinafter referred to as the component level) of the cloud service provided by the CSP) and information input by the system developer (hereinafter referred to as the CBIer) at the time of cloud-based design (connection relationship and information between the cloud services as subsystems) The security evaluation is performed by calculating the security synthesis level of the entire target system in combination with the information on the asset etc. and determining whether the corresponding synthesis level has achieved the above-mentioned required level. Hereinafter, an embodiment of the security evaluation system 1 will be described with reference to the drawings.

--- First embodiment ---
FIG. 4 shows an overall block diagram of the security evaluation system 1. The security evaluation system 1 includes an evaluation item database 31 that defines evaluation items for security evaluation, a request level input unit 32 that the ordering company 21 accesses via a predetermined terminal, and the ordering company 21 side inputs the request level input unit 32. A request level database 33 that stores a request level, a component level input unit 34 that the CSP 23 accesses via a predetermined terminal, a component level database 35 that stores a component level input from the CSP 23 side, and a CBIer 22 A CBI information input unit 41 accessed via a terminal, a CBI information database 42 (configuration database) for storing CBI information (information on connection between cloud services and information assets) input from the CBIer 22 side, and the entire system The security level of The formation level calculation unit 43, a mixing level database 44 that stores the calculated mixing level, and a mixing level display unit 45 for displaying the calculated mixing level. Among them, the request level input unit 32, the component level input unit 34, the CBI information input unit 41, and the composite level display unit 45 are screens that the security evaluation system 1 has in advance in the storage device as input interfaces at the output device. It is a functional unit that displays and accepts input from an external terminal. Further, the synthesis level calculation unit 43, the request level input unit 32, the component level input unit 34, the CBI information input unit 41, and the synthesis level display unit 45 are programs that the security evaluation system 1 has in the memory 52, the storage device 53, and the like. It can be said that it is a function implemented by execution.

  The request level database 33 and the part level database 35 are based on a common evaluation item database 31. Therefore, the synthesis level calculation unit 43 can calculate the synthesis level for each security function for each security evaluation item according to the security evaluation items defined by the evaluation item database 31.

  In FIG. 1, the composite level display unit 45 shows a mode of accepting access from the terminal of the CBIer 22, but presents all or part of the security evaluation result upon receiving access from the terminal of the ordering company 21 or the CSP 23. The form to do may be sufficient.

  Next, the hardware configuration of the security evaluation system 1 will be described. The security evaluation system 1 has a configuration in which a CPU 51, which is an arithmetic device, a memory 52, a storage device 53, a communication unit 54, a power supply unit 55, an input unit 56, and an output unit 57 are connected by a bus 58. The CPU 51 is a central processing unit, and performs processing of a request level input unit 32, a component level input unit 34, a CBI information input unit 41, a synthesis level calculation unit 43, and a synthesis level display unit 45. The memory 52 is a main storage device used when the CPU 51 performs processing. The storage device 53 is an auxiliary storage device for storing input data and output data to the CPU 51, and stores an evaluation item database 31, a request level database 33, a component level database 35, a CBI information database 42, and a synthesis level database 44. To do. The communication unit 54 is a communication device that communicates with an external node, and communicates with various networks. The power supply unit 55 is a device that supplies power to the security evaluation system 1 and is connected to a power outlet or the like. The input unit 56 is an interface for an operator to input, and is, for example, a keyboard, a touch panel, a card reader, a voice input device, or the like. The output unit 57 is an interface for giving feedback to the operator. For example, the output unit 57 is an output device that performs screen display, audio display, printing, and the like.

  In FIG. 5, the configuration of only one security evaluation system 1 is illustrated. However, in addition, the security evaluation system 1 is configured by a plurality of computers connected via a network and cooperating with each other. May be.

  Next, databases used by the security evaluation system 1 will be described. First, a table relation diagram of the evaluation item database 31 is shown in FIG. The evaluation item database 31 includes an evaluation item table 300 and an evaluation level table 310. The evaluation item table 300 is a table for systematically defining evaluation items for security evaluation, and has a table structure with an evaluation item identifier as a primary key. The evaluation level table 310 is a table for defining in detail the level related to security for each evaluation item, and has a table structure with the evaluation item identifier as a primary key.

  Note that the evaluation level table 310 has a structure that can define levels 0 to 10, but the first embodiment is merely an example, and the upper and lower limits of the level and the pitch width may be in other formats. good.

  The evaluation item database 31 will be described in more detail with reference to FIG. Of these, the evaluation item table 300 includes a combination of each data of the major classification 301, the middle classification 302, the minor classification 303, the evaluation item identifier 304, the evaluation item description 305, the highest level 306, and the lowest level 307 as one column. It has a table structure composed of one or more columns. The primary key is the evaluation item identifier 304 and is uniquely determined in the evaluation item table 300.

  On the other hand, the evaluation level table 310 illustrated in FIG. 8 includes an evaluation item identifier 311, level 0 description 312, level 1 description 313, level 2 description 314, level 3 description 315, level 4 description 316, and the like. It has a table structure composed of one or more columns with each data combination as one column. The primary key is an evaluation item identifier 311 and is uniquely determined in the evaluation level table 310.

  The evaluation item table 300 shown in FIG. 7 and the evaluation level table 310 (FIG. 8) corresponding to the evaluation item table 300 are examples. The evaluation item may be a list of security audit items used by the ordering company or the like in its own organization, or may be a list created with reference to security standards that are standardly referenced in a specific industry.

  In addition, as an example of the configuration of the evaluation level table 310, there is a case where the set with the fewest levels consists of only “0” and “1”. In this case, it means that the evaluation item is “not possessed” or “have”.

  Next, the request level input unit 32 accessed by the ordering company 21 and the request level database 33 for storing the input results will be described with reference to FIGS. First, the input interface of the request level input unit 32 will be described with reference to FIG. In this case, the person in charge of the ordering company 21 accesses the security evaluation system 1 via a predetermined terminal after completing the required specification formulation 202 as shown in FIG. 1, and the security evaluation system 1 returns. In the screen 401, it is assumed that the project name is entered in the text box and the “Next” button is pressed. Since the security evaluation system 1 returns the screen 402 to the above-described terminal, the above-mentioned person in charge who browses the screen 402 sequentially inputs a list of information assets revealed through the requirement specification formulation 202 into the text box, Press the “To” button. In response to this, the security evaluation system 1 returns the screen 403 to the above-described terminal, and the above-mentioned person in charge who browses the screen 403 sequentially inputs a list of the participants (including the participating systems) in the text box, Press the “To” button.

  When the security evaluation system 1 completes the above wizard processing with the terminal in the ordering company 21, the request required according to the relationship between the information asset and the participant, the participation system, and the value of the information asset through the screen 410 Accept level input.

  This screen 410 has a pane 411 for representing a list of information assets in a tree structure, a pane 412 for representing and expressing the relationship between information assets and participants in a graph notation, and a tabular format for each information asset. A pane 413 for inputting a request level with respect to each evaluation item structurally expressed. The screen 410 is an interface in which the level increases by one each time the cell 414 of the required level in the table in the pane 413 is clicked or tapped by the terminal of the ordering company 21. In this way, the security evaluation system 1 that has received information such as the request level from the terminal of the ordering company 21 stores the corresponding information in the request level database 33.

  A table relationship diagram of the request level database 33 will be described with reference to FIG. The request level database 33 includes a project table 500, an information asset table 510, a request level table 520, a participant table 530, and a relationship table 540. The project table 500 is a table for inputting basic information of a project by the ordering company 21, that is, a system to be developed, and has a project identifier as a primary key. The information asset table 510 is a table for storing a list of information assets input by the ordering company 21, and uses a project identifier as a primary key. The request level table 520 is a table for storing a request level for each evaluation item, and uses a project identifier, an information asset identifier, and an evaluation item identifier as main keys. The evaluation item identifier includes all evaluation item identifiers included in the evaluation level table 310. The participating entity table 530 is a table for storing a list of participants (including participating systems) input by the ordering company 21, and uses a project identifier as a primary key. The relationship table 540 is a table for storing the relationship between the information asset and the participant input by the ordering company 21, and uses the project identifier and the relationship identifier as a main key.

  A data configuration example of each table in the request level database 33 will be described with reference to FIGS. Among them, the information asset table 510 includes information such as the project identifier 511, the number of information assets 512, the information asset 1 identifier 513, the information asset 1 description 514, the information asset 2 identifier 515, and the information asset 2 description 516. It has a table structure composed of one or more columns, where the combination is one column. The primary key of the information asset table 510 is a project identifier 511 and has a unique value in the information asset table 510.

  The request level table 520 has a table structure composed of one or more columns, each of which includes a combination of data of the project identifier 521, information asset identifier 522, evaluation item identifier 523, and request level 524. Have. The primary keys of the request level table 520 are a project identifier 521, an information asset identifier 522, and an evaluation item identifier 523, and these primary keys have unique values in the request level table 520.

  The participating entity table 530 includes combinations of data such as project identifier 531, number of participating entities 532, participating entity 1 identifier 533, participating entity 1 description 534, participating entity 2 identifier 535, and participating entity 2 description 536. One table has a table structure composed of one or more columns. The primary key of the participant table 530 is a project identifier 531, and this primary key has a unique value in the participant table 530.

  The relationship table 540 is composed of one or more columns, each of which includes a combination of the data of the project identifier 541, the involvement identifier 542, the relationship source identifier 543, the relationship destination identifier 544, and the relationship description 545. Has a table structure. The primary keys of the relationship table 540 are a project identifier 541 and a participation identifier 542, and these primary keys have unique values in the relationship table 540.

  In summary, the ordering company 21 accesses the request level input unit 32 in the security evaluation system 1 via the terminal and inputs the request level, while the request level input unit 32 of the security evaluation system 1 inputs the request level. Stores the input result from the ordering company 21 in the request level database 33.

  Next, the screen interface for the CSP 23 to input the component level of the cloud service and the structure of the component level database 35 will be described with reference to FIGS. First, the interface of the component level input unit 34 for the CSP 23 to input the component level will be described with reference to FIG. In this case, the person in charge of the CSP 23 accesses the security evaluation system 1 via a predetermined terminal and views the screen 601 returned from the security evaluation system 1. The person in charge enters the cloud service name in the text box on this screen 601 and presses the “Next” button.

  In response to this, the security evaluation system 1 returns the screen 602 to the above-described terminal. The terminal of the CSP 23 displays the screen 602 and allows the above-mentioned person in charge to view it. The person in charge checks the interface or API (Application Programming Interface) radio box provided in the cloud service on this screen 602, and presses the “Next” button. On the other hand, the security evaluation system 1 receiving this returns the screen 603 to the above-described terminal. The terminal of the CSP 23 displays the screen 603 and allows the above-mentioned person in charge to view it. On this screen 603, the person in charge inputs a list of security functions provided in the cloud service in the text box, and presses the “Next” button.

  The security evaluation system 1 returns the screen 610 to the corresponding terminal when the wizard-type screen input from the terminal of the CSP 23 is accepted. The terminal of the CSP 23 displays the screen 610 and allows the person in charge to view it. The person in charge inputs the component level of each security function on this screen 610. The screen 610 includes a pane 611 that displays a list of security functions in a tree shape, and a pane 612 that inputs a component level for each evaluation item for the security functions. In the pane 612 in which the person in charge inputs the part level, the part level can be input in a tabular form for each evaluation item, and whenever the person in charge clicks or taps the cell 613 in the table via the terminal, You can increase the level one by one.

  When the input at the component level input unit 34 from the terminal of the CSP 23 is completed, the component level input unit 34 in the security evaluation system 1 stores the input contents received so far in the component level database 35 as shown in FIG. The component level database 35 includes an interface table 700, a service table 710, a security function table 720, and a component level table 730.

  Of these, the interface table 700 is a table for storing types of interfaces for inter-service connections provided in the cloud service, and uses an interface identifier as a primary key. The service table 710 is a table for storing an outline of the cloud service input by the CSP 23, and uses a service identifier as a primary key. The security function table 720 is a table for storing a list of security functions provided in the cloud service, and uses a service identifier as a primary key. The component level table 730 is a table for storing a request level for each evaluation item of the security function, and uses a service identifier, a security function identifier, and an evaluation item identifier as main keys. The evaluation item identifier includes all of the evaluation item identifiers in the evaluation level table 310.

  Here, the upper limit of the interface identifiers is 30 in the service table 710, but other upper limit values may be used. Further, although the upper limit of 30 security function identifiers is set in the security function table 720, other upper limit values may be used.

  Next, a data configuration example of each table in the component level database 35 will be described with reference to FIGS. Among these, the interface table 700 has a table structure composed of one or more columns in which a combination of each data of the interface identifier 701 and the interface description 702 is one column. The primary key of the interface table 700 is an interface identifier 701, and this primary key has a unique value in the interface table 700.

  The security function table 720 includes a service identifier 721, a security function number 722, a security function 1 identifier 723, a security function 1 description 724, a security function 2 identifier 725, a security function 2 description 726, and the like. It has a table structure consisting of one or more columns, where the combination is one column. The primary key of the security function table 720 is a service identifier 721, and this primary key has a unique value in the security function table 720.

  The component table 730 has a table structure including one or more columns, each of which includes a combination of data of the service identifier 731, the security function identifier 732, the evaluation item identifier 733, and the component level 734. The main keys of the component level table 730 are a service identifier 731, a security function identifier 732, and an evaluation item identifier 733, and these main keys have unique values in the component level table 730.

  In summary, the person in charge of the CSP 23 uses the terminal to access the security evaluation system 1 and inputs the component level related to the security of the provided cloud service through the component level input unit 34. On the other hand, the component level input unit 34 of the security evaluation system 1 stores information input from the terminal of the CSP 23 in the component level database 35.

  The CBIer 22 performs cloud-based design using the request level database 33 configured with the input contents from the terminal of the ordering company 21 and the parts level database 35 configured with the input contents from the terminal of the CSP 23 as described above. It becomes. The screen interface, data diagram, and flowchart diagram in this cloud-based design will be described with reference to FIGS.

  First, the input interface of the CBI information input unit 41 in the security evaluation system 1 accessed by the terminal of the CBIer 22 will be described with reference to FIG. A screen 801 shown in FIG. 20 is a screen for displaying a project list stored in the request level database 33. The person in charge of CBIer 22 who has viewed this screen 801 on a predetermined terminal checks the radio button of the project he is in charge of and presses the “Next” button. Upon receiving this, the security evaluation system 1 returns the screen 810 to the corresponding terminal. When the “detail confirmation” button is pressed on the screen 801, the security evaluation system 1 displays a screen 410 (see FIG. 9) of the request level input unit 32 showing a list of participants and information assets and their relationship. To do.

  Upon receiving the screen 810, the terminal of the CBIer 22 displays it and allows the above-mentioned person in charge to browse it. The person in charge of the CBIer 22 refers to this screen 810 and inputs information on cloud-based design. A screen 810 illustrated in FIG. 20 includes a pane 811 for displaying a list of information assets in a tree format, a pane 812 for inputting and illustrating a list of participating parties and cloud services to be used and their relationships, and each of the cloud services. The pane 813 has a table structure for inputting processing contents for information assets.

  When the person in charge of CBIer 22 performs the cloud-based design on the pane 812 of the screen 810, the “Cloud service addition” button at the top of the screen 810 is pressed by the input operation from the terminal and stored in the part level database 35. Add an appropriate cloud service from the list of cloud services. Further, the person in charge of the CBIer 22 clicks or taps a cell 814 in the table in the pane 813 by an input operation from the terminal, and selects an interface to be used from the interfaces stored in the service table 710. In addition, the person in charge of the CBIer 22 clicks or taps a cell 815 in the table in the pane 813 by an input operation from the terminal, and information assets to be preprocessed from the list of information assets stored in the information asset table 510 are displayed. Select. Further, the person in charge of the CBIer 22 clicks or taps a cell 816 in the table in the pane 813 by an input operation from the terminal, and selects an information asset to be accumulated from the list of information assets stored in the information asset table 510. select. Hereinafter, the post-processing cell in the pane 813 is the same as the above-described pre-processing cell, and the output cell in the pane 813 is the same as the above-described input cell.

  When all the above processes are completed, the person in charge of CBIer 22 presses the “Done” button on the screen 810. The security evaluation system 1 that receives the event of pressing the “complete” button from the terminal of the CBIer 22 stores the above-described various information received by the CBI information input unit 41 in the CBI information database 42.

  Next, a table relation diagram of the CBI information database 41 will be described with reference to FIG. The CBI information database 41 includes an evaluation table 900, a CBI table 910, a use service table 920, and a service relation table 930. Among them, the evaluation table 900 is a table for inputting basic information of security evaluation, and has an evaluation identifier as a primary key. The CBI table 910 is a table for storing a list of cloud services possessed by the system to be evaluated, and has an evaluation identifier and a project identifier as main keys. The use service table 920 is a table for storing a list of interfaces used in each cloud service and information assets to be processed, and has an evaluation identifier, a project identifier, and a service identifier as primary keys. The information asset stored in the usage service table 920 is selected from the identifiers of the information asset in the information asset table 510. The interface stored in the use service table 920 is selected from the interface identifiers in the service table 710.

  Furthermore, the data structure example of the table which the CBI information database 42 contains is demonstrated using FIGS. Among them, the CBI table 910 includes a combination of data such as an evaluation identifier 911, a project identifier 912, a service number 913, a service 1 identifier 914, and a service 2 identifier 915 as one column. Has a structured table structure. The CBI table 910 has an evaluation identifier 911 and a project identifier 912 as primary keys, and these primary keys have unique values in the CBI table 910.

  The usage service table 920 includes an evaluation identifier 921, a project identifier 922, a service identifier 923, an input interface 924, information assets 1 (925) to be preprocessed, information assets 1 (926) to be stored, and information assets 1 (927) to be postprocessed. The output interface 928 has a table structure composed of one or more columns, each of which is a combination of data. The primary keys of the usage service table 920 are an evaluation identifier 921, a project identifier 922, and a service identifier 923, and these primary keys have unique values within the usage service table 920.

  The service relation table 930 is composed of one or more columns in which each combination of the evaluation identifier 931, the project identifier 932, the participation identifier 933, the relation source identifier 934, the relation destination identifier 935, and the relation explanation 936 is one column. Has a structured table structure. The primary keys of the service relationship table 930 are an evaluation identifier 931, a project identifier 932, and a participation identifier 933. These primary keys have unique values in the service relationship table 930.

  Hereinafter, the actual procedure of the security evaluation method in the first embodiment will be described with reference to the drawings. Various operations corresponding to the security evaluation method described below are realized by a program that the security evaluation system 1 reads into a memory or the like and executes. And this program is comprised from the code | cord | chord for performing the various operation | movement demonstrated below.

  Here, a flowchart for calculating the synthesis level of the entire system using the request level database 33, the component level database 35, and the CBI information database 42 described so far will be described with reference to FIG. 25 and FIG. To do. In this case, the composition level calculation unit 43 in the security evaluation system 1 refers to the security function table 720 of each cloud service regarding the cloud service whose information is stored in the CBI table 910, and reads the number of security functions (step 1001). .

  Subsequently, the combination level calculation unit 43 reads the above-described component level table 730 of each cloud service, and performs MAX calculation for the number of security functions as the combined component level value (steps 1002, 1003, and 1004).

  Next, the composite level calculation unit 43 reads the number of information assets with reference to the information asset table 510 (step 1005). The subsequent steps 1007 to 1012 are repeated by the number of information assets (step 1006 and step 1013). The subsequent steps 1008 to 1011 are repeated by the number of evaluation item identifiers in the evaluation item table 300 (step 1007 and step 1012).

  The composite level calculation unit 43 has the composite component level value obtained in step 1003 described above in the memory area (step 1008). Further, the composition level calculation unit 43 calculates the composition level according to the connection between services between cloud services (step 1009). This process will be described in detail in the following description of FIG.

  Next, the synthesis level calculation unit 43 compares the synthesis level obtained in step 1009 described above with the request level stored in the request level table 520 and determines whether the synthesis level exceeds the request level ( Step 1010). Further, the synthesis level calculation unit 43 stores the determination result obtained in step 1010 in the synthesis level database 44.

  Here, the flowchart of the synthesis level calculation in step 1009 will be described in detail with reference to FIG. In this case, the synthesis level calculation unit 43 refers to the service relationship table 930 and decomposes the connection relationship between the cloud services constituting the system in series and in parallel (step 1101). The synthesis level calculation unit 43 repeats the subsequent steps 1103 to 1105 from the start point to the end point of the service (steps 1102 and 1106).

  Subsequently, the composition level calculation unit 43 determines whether the connection with the next service in the connection relationship is serial or parallel (step 1103). As a result of this determination, if the connection between services is serial (1103: serial), the composite level calculation unit 43 obtains the composite level of the two cloud services by MAX calculation (step 1104). On the other hand, as a result of the determination in step 1103, if the connection between services is parallel (1103: parallel), the composite level calculation unit 43 obtains the composite level of the two cloud services by MIN calculation (step 1105). In this way, the synthesis level calculation unit 43 completes the calculation of the synthesis level of the entire system.

  In addition to the flow example illustrated in FIG. 26, an example in which the calculation of the synthesis level when the connection between services is in series is obtained by another algorithm can be assumed. For example, if the result of determination in step 1103 is that the connection between services is in series (1103: series), the combination level calculation unit 43 calculates the combination level of the two cloud services (step 1104). Specifically, after data encryption in the first cloud service, data already encrypted in the first cloud service is encrypted with a stronger encryption algorithm in the second cloud service in series therewith. In the case of encryption, it is naturally possible to assume a form in which the security strength is improved.

  Next, the synthesis level database 44 that stores the synthesis level obtained by the synthesis level calculation unit 43 will be described with reference to FIGS. 27 and 28. As shown in FIG. 27, the synthesis level database 44 includes an evaluation result table 1200. The evaluation result table 1200 stores the synthesis level and the determination result using the evaluation identifier, project identifier, information asset identifier, and evaluation item identifier as main keys. The evaluation result table 1200 has a common project identifier with the CBI table 910, and the evaluation result table 1200 has an evaluation item identifier common with the request level table 520.

  As shown in FIG. 28, the evaluation result level table 1200 includes an evaluation identifier 1201, a project identifier 1202, an information asset identifier 1203, an evaluation item identifier 1204, a combination level 1205, and a determination result 1206. It has a table structure composed of one or more columns as columns. The primary keys of the evaluation result table 1200 are an evaluation identifier 1201, a project identifier 1202, an information asset identifier 1203, and an evaluation item identifier 1204. These primary keys have unique values in the evaluation result table 1200.

  Subsequently, the composite level display unit 45 accessed by the terminal of the CBIer 22 will be described with reference to FIG. The composite level display unit 45 in the security evaluation system 1 displays a comprehensive report on the screen 1301 for the accessed CBIer 22 terminal. This comprehensive report indicates whether each information asset is “OK” that satisfies the required level or “NG” that does not satisfy it. The CBIer 22 viewing this screen 1301 on the terminal presses the “detail” button on the screen 1301 to refer to the detailed result report.

  In this case, the composite level display unit 45 of the security evaluation system 1 returns the screen 1310 to the terminal of the CBIer 22. A screen 1310 illustrated in FIG. 29 is an example illustrating a detailed result report.

  The screen 1310 includes a pane 1311 that displays a list of information assets in a tree structure, a pane 1312 that illustrates a list of participants and cloud services and their connections, and whether or not the required level is satisfied for each security evaluation item. Is displayed in a table 1313. The CBIer 22 selects an information asset in the pane 1311 by an input operation from the terminal, confirms the data flow and data stock of the information asset on the pane 1312, and the composite level of the entire system on the pane 1313 is the requested level. Can be confirmed.

  According to the security evaluation support system 1 described above, the security of the entire system can be efficiently and accurately evaluated in a cloud-based design in which a system design is performed by combining a plurality of different types of cloud services.

--- Second embodiment-
Next, a description will be given of a case in which the security evaluation system 1 includes a calculation table that defines a calculation expression for performing a composition process for each security evaluation item at the component level. This calculation table is a table that defines a calculation formula for performing a synthesis process for each security evaluation item at the component level, which should be applied for each connection relationship between cloud services for each security evaluation item.

  First, the table relationship of the evaluation item database 31 in the second embodiment will be described with reference to FIG. The evaluation item database 31 in this embodiment includes an evaluation item table 300, an evaluation level table 310, and a calculation table 2200. Similar to the first embodiment described above, the evaluation item table 300 is a table for systematically defining evaluation items for security evaluation, and has a table structure with an evaluation item identifier as a primary key. The evaluation level table 310 is a table for defining in detail the level related to security for each evaluation item, and has a table structure with the evaluation item identifier as a main key. On the other hand, the calculation table 2200 is a table for defining in detail calculation processing necessary for component level synthesis for each evaluation item, and has a table structure with an evaluation item identifier as a main key.

  The calculation table 2200 will be described in more detail with reference to FIG. The calculation table 2200 includes evaluation item identifier 2201, input 1 (2202), input 2 (2203), condition 1 (2204), calculation expression 1 (2205), condition 2 (2206), and calculation expression 2 (2207). The table structure is composed of one or more columns. The primary key is an evaluation item identifier 2201, and is uniquely determined in the calculation table 2200. Among these values, the values of the input 1 and the input 2 are values at the component level of the cloud service having a connection relationship. The value of condition 1 is a serial connection among the connection relationships between cloud services, and the arithmetic expression to be applied to the synthesis level calculation in the case of this serial connection is the value of arithmetic expression 1. Similarly, the value of condition 2 is a parallel connection among the connection relationships between cloud services, and the arithmetic expression to be applied to the synthesis level calculation in the case of this parallel connection is the value of the arithmetic expression 2.

  Here, a flowchart of the synthesis level calculation using the arithmetic expression in the above-described arithmetic table 2200 will be described. In the second embodiment, the main flow is the same as that shown in FIG. 25 and FIG. 26 shown in the first embodiment, and thus the description regarding the main flow is omitted.

  In this case, the synthesis level calculation unit 43 refers to the service relationship table 930 and decomposes the connection relationship between the cloud services constituting the system in series and in parallel (step 1101). The synthesis level calculation unit 43 repeats the subsequent steps 1103 to 1105 from the start point to the end point of the service (steps 1102 and 1106).

  Subsequently, the composition level calculation unit 43 determines whether the connection with the next service in the connection relationship is serial or parallel (step 1103). As a result of this determination, if the connection between services is serial (1103: serial), the composite level calculation unit 43 determines the security evaluation item of each information asset in the data flow between the two cloud services, that is, the evaluation item identifier 2201. With respect to the above, the calculation formula 1 corresponding to the condition 1 in the calculation table 2200 is specified, and the component level for each security function of the corresponding cloud service is applied to the calculation formula 1 to obtain the synthesis level (step 1104).

  On the other hand, if the result of the determination in step 1103 is that the connection between services is parallel (1103: parallel), the composite level calculation unit 43 will determine the security evaluation item of each information asset in the data flow between the two cloud services, With respect to the evaluation item identifier 2201, the calculation formula 2 corresponding to the condition 2 in the calculation table 2200 is specified, and the component level for each security function of the corresponding cloud service is applied to the calculation formula 2 to obtain the synthesis level (step 1105). . In this way, the synthesis level calculation unit 43 completes the calculation of the synthesis level of the entire system.

---- Third Embodiment ---
Next, a third embodiment of the security evaluation system 1 will be described. The third embodiment has the same system configuration as the security evaluation system 1 described in the first embodiment, but only the data structure of the evaluation item database 31 is different. In the evaluation item table 31 shown in FIG. 6, any number of evaluation item identifiers can be defined. However, the more the evaluation item identifier is defined in the evaluation item table 300, the more the subsequent work by the ordering company 21 and the work by the CSP 23 increase. Therefore, in the evaluation item table 1400 in the evaluation item database 31 of the third embodiment, the number of evaluation items is fixed as shown in FIG.

  The evaluation item table 1400 of the evaluation item database 31 in the third embodiment will be described with reference to FIG. The evaluation item table 1400 has 27 columns, each of which is a combination of data of the major classification 1401, the middle classification 1402, the minor classification 1403, the evaluation item identifier 1404, the evaluation item description 1405, the highest level 1405, and the lowest level 1406. It has a table structure composed of columns. The evaluation item table 1401 has an evaluation item identifier 1404 as a primary key, and this primary key has a unique value in the evaluation item table 1404. The 27 evaluation items are based on a combination of 3 × 3 × 3 described below.

(Confidentiality, integrity, availability)
(Prevention, detection, recovery)
(How long, To / from somewhere, To / from someone)
For example, the confidentiality prevention level is a value divided into “How long”, that is, how long it takes for an external breakthrough event such as entry into a system or decryption.

  As described above, in the third embodiment, the evaluation items are fixed, so that the security evaluation items are comprehensively covered and the accuracy of the security evaluation is improved. At the same time, the work by the ordering company 21 and the work by the CSP 23 are performed. The increase in man-hours can be suppressed.

  Although the best mode for carrying out the present invention has been specifically described above, the present invention is not limited to this, and various modifications can be made without departing from the scope of the invention.

  According to the present embodiment, in the cloud-based design in which a system design is performed by combining a plurality of different types of cloud services, the security of the entire system can be evaluated efficiently and accurately.

  At least the following will be clarified by the description of the present specification. That is, in the security evaluation system of the present embodiment, the storage device is required to be evaluated for each evaluation item database, an evaluation item database defining security evaluation items in the system, information assets to be processed or stored in the system, and the information assets. A security level provided by the subsystem in the component level database, and the security evaluation item provided for each security function in the component level database. A storage security level is stored, and the computing device identifies a connection relationship between the subsystems constituting the system to be evaluated in the configuration database, and between the subsystems in the identified connection relationship. Based on the data flow of the information asset, with respect to the security evaluation item of each information asset in the data flow, the security level retained for each security function of each subsystem in the component level database is synthesized by a predetermined algorithm for each security evaluation item Then, it is determined whether the synthesis level for each security evaluation item, which is the result of the synthesis, satisfies the required security level for the corresponding security evaluation item in the corresponding information asset in the request level database, and the security evaluation for the system to be evaluated The result may be calculated.

  According to this, it is possible to obtain a composite value of security levels for each security function for each security evaluation item classified in detail, and to evaluate the entire system to be evaluated with higher accuracy.

  Further, in the security evaluation system of the present embodiment, the evaluation item database in the storage device is a confidentiality evaluation item among the security evaluation items, how long the data leakage is prevented, and where the data leakage is. How to prevent data leakage to whom, how long to detect data leakage, where to detect data leakage, who to detect data leakage, from the data leakage status How much time to recover, where to recover from the data leakage status, to whom to recover from the data leakage status, how long to prevent data tampering as an integrity evaluation item, and where data from Whether to prevent tampering, who to prevent data tampering, how long to detect data tampering, Whether to detect data tampering in the future, who detects data tampering, how long to recover data tampering, where to recover data tampering from, who recovers data tampering, As an availability evaluation item, how long to prevent processing interruptions, where to prevent processing interruptions, to whom to prevent processing interruptions, and how long to detect processing interruptions , Where to detect the disruption of processing, to whom to detect the disruption of processing, how long to recover the disruption of processing, where to recover the disruption of processing, to whom The request level database is an information asset to be processed or stored in the system, and at least one of the information assets required for each information asset. The component level database is stored in association with a security function provided by the subsystem, and at least one of the security functions provided for each security function. It is also possible to store a retained security level that is a level related to the security evaluation item of the definition.

  According to this, it is possible to obtain a composite value of security levels for each security function classified according to security evaluation items that are classified in detail without omission, and to evaluate the entire system to be evaluated with higher accuracy.

  Further, in the security evaluation system according to the present embodiment, the arithmetic device performs the data flow of the information asset between the subsystems connected in series as a synthesis process for each security evaluation item of the retained security level by the predetermined algorithm. On the basis of the security evaluation item of each information asset in the data flow, the higher security function level between subsystems among the security levels held for each security function of each subsystem in the component level database. Based on the data flow of the information asset between the subsystems connected in parallel and selected by security evaluation item, the security evaluation item of each information asset in the data flow is Of holding security level for each security function of each subsystem is for selecting the smaller of the level of the security functions between subsystems by the security endpoint may be.

  According to this, it becomes possible to efficiently and accurately combine security levels according to the connection relationship between subsystems, and further improve the evaluation processing efficiency for the entire system.

  Further, in the security evaluation system according to the present embodiment, the arithmetic device performs the data flow of the information asset between the subsystems connected in series as a synthesis process for each security evaluation item of the retained security level by the predetermined algorithm. Based on the security evaluation items of each information asset in the data flow, the security level held for each security function of each subsystem in the component level database is summed up for each security evaluation item between the subsystems and connected in parallel. On the basis of the data flow of the information asset between the subsystems, the security evaluation item of each information asset in the data flow is stored for each security function of the subsystem in the component level database. Of Interview security level, and it selects the smaller of the level of the security functions between subsystems by the security endpoint may be.

  According to this, it becomes possible to efficiently and accurately combine security levels according to the connection relationship between subsystems, and further improve the evaluation processing efficiency for the entire system.

  Further, in the security evaluation system of the present embodiment, the storage device is an arithmetic expression that performs synthesis processing for each security evaluation item of the retained security level, which should be applied for each security evaluation item for each connection relationship between subsystems. Is further stored, and the computing device identifies the connection relationship between the subsystems that constitute the system to be evaluated in the configuration database, and between the subsystems in the identified connection relationship. Based on the data flow of the information asset, for each of the security evaluation items of the information asset in the data flow, an arithmetic expression corresponding to the connection relationship in the arithmetic table is specified, and each subsystem in the component level database Retention security level for each security function The security evaluation item and the connection formula are applied to the arithmetic expression and synthesized, and the synthesis level for each security evaluation item as a result of the synthesis is related to the corresponding security evaluation item in the corresponding information asset of the request level database. It may be determined whether a required security level is satisfied and a security evaluation result regarding the system to be evaluated is calculated.

  According to this, the security level composition processing can be performed with higher accuracy by the arithmetic expression finely defined for each security evaluation item according to the connection relation between the subsystems.

  In the security evaluation system of the present embodiment, the arithmetic unit inputs inputs about information assets to be processed or accumulated in the system and required security levels related to security evaluation items of the evaluation item database for each of the information assets. It is also possible to further execute a process of receiving by the apparatus and storing the received information asset and the input data of the required security level in the required level database.

  According to this, it is possible to reliably acquire a security level specification desired by a system development orderer and perform a security evaluation based on the specification.

  Further, in the security evaluation system of the present embodiment, the arithmetic device accepts input regarding the security function provided by the subsystem and the retained security level relating to the security evaluation item provided for each security function by the input device. Then, the process of storing the received security function and the input data of the retained security level in the component level database may be further executed.

  According to this, the security level specification in the subsystem (cloud service) indicated by the system developer and the subsystem that is incorporated into the corresponding system, that is, the provider of the cloud service, is reliably obtained, and security evaluation based on this is obtained. Can be performed.

  Further, in the security evaluation system according to the present embodiment, the computing device is an input device that inputs the connection relationship between the plurality of subsystems and the contents of information assets processed or accumulated in the subsystems. And the process of storing the received connection relationship and the input data of the information asset in the configuration database may be further executed.

  According to this, it is possible to reliably acquire information on the connection relationship of each subsystem (cloud service) that is designed by the system developer and the information assets processed between the subsystems connected in this way. It is possible to perform security evaluation based on this.

  In the security evaluation system of the present embodiment, the arithmetic device may further execute a process of displaying a security evaluation result related to the evaluation target system on an output device.

  According to this, it becomes possible to clearly indicate the security evaluation result to the system development orderer or the system developer.

1 Security evaluation system 21 Ordering company 22 CBIer
23 CSP
31 Evaluation Item Database 32 Request Level Input Unit 33 Request Level Database 34 Component Level Input Unit 35 Component Level Database 41 CBI Information Input Unit 42 CBI Information Database (Configuration Database)
43 synthesis level calculation unit 44 synthesis level database 45 synthesis level display unit 51 CPU (arithmetic unit)
52 Memory 53 Storage Device 54 Communication Unit 55 Power Supply Unit 56 Input Unit 57 Output Unit 58 Bus 300 Evaluation Item Table 310 Evaluation Level Table 500 Project Table 510 Information Asset Table 520 Request Level Table 530 Participating Subject Table 540 Relationship Table 700 Interface Table 710 Service Table 720 Security function table 730 Component level table 900 Evaluation table 910 CBI table 920 Use service table 930 Service relation table 1200 Evaluation result table 1400 Evaluation item table

Claims (11)

A component level database storing security function information provided by each of a plurality of subsystems constituting the system to be evaluated, a connection relationship between the plurality of subsystems, and processing or accumulation in each of the subsystems A storage device for storing a configuration database storing the contents of information assets;
The connection relation between the subsystems constituting the system to be evaluated is specified in the configuration database, and the information asset data flow between the subsystems in the specified connection relation is used to determine the connection level in the component level database. A computing device that synthesizes the security function levels of the subsystems with a predetermined algorithm, determines whether the synthesis level as a result of the synthesis satisfies a predetermined level, and calculates a security evaluation result for the system to be evaluated When,
A security evaluation system comprising: The storage device
An evaluation item database defining security evaluation items in the system;
A request level database that stores information assets to be processed or accumulated in the system and a required security level related to the security evaluation item required for each information asset;
In the component level database, a security function provided by the subsystem, and a holding security level related to the security evaluation item provided for each security function are stored,
The arithmetic unit is:
The connection relationship between the subsystems constituting the system to be evaluated is specified in the configuration database, and each information in the data flow is determined based on the data flow of the information asset between the subsystems in the specified connection relationship. With respect to the security evaluation items of assets, the holding security level for each security function of each subsystem in the component level database is synthesized by a predetermined algorithm for each security evaluation item, and the synthesis level for each security evaluation item as a result of the synthesis Is to determine whether or not the required security level related to the corresponding security evaluation item in the corresponding information asset of the required level database is satisfied, and calculates the security evaluation result related to the system to be evaluated,
The security evaluation system according to claim 1. The evaluation item database in the storage device is:
Among the security evaluation items,
As an evaluation item of confidentiality,
How long to prevent data leakage,
Where to prevent data leakage,
To whom to prevent data leakage,
How long will it take to detect data leaks?
Where to detect data leaks,
To whom to detect data leaks,
How long will it take to recover from a data breach?
Where to recover from data leaks,
To whom to recover from data leaks,
As an evaluation item of completeness,
How long to prevent data tampering,
Where to prevent data tampering,
Who will prevent data tampering,
How long it takes to detect data tampering,
Where to detect data tampering,
Who will detect data tampering,
How long will it take to recover data tampering?
Where to recover from data tampering,
Who will recover from data tampering?
As an availability evaluation item,
How long to prevent disruption of processing,
Where to prevent disruption of processing,
To whom to prevent disruption of processing,
How long it will take to detect disruption in processing
Where to detect disruption of processing,
To whom to detect disruption of processing,
How much time to recover from disruption in processing,
Where to recover from disruption of processing,
To whom to recover the disruption of processing,
Which defines
The request level database is:
An information asset to be processed or accumulated in the system is stored in association with a required security level that is required for each information asset and is a level related to at least one of the security evaluation items of the definition,
The parts level database is
A security function provided in the subsystem, and a holding security level that is a level related to a security evaluation item of at least any one of the definitions provided for each security function are stored.
The security evaluation system according to claim 2, wherein: The arithmetic unit is:
As a synthesis process for each security evaluation item of the retained security level by the predetermined algorithm,
Based on the data flow of the information assets between the subsystems connected in series, the security level for each security function of each subsystem in the component level database for the security evaluation item of each information asset in the data flow Among the subsystems, select the security function with a higher level for each security evaluation item,
Based on the data flow of the information asset between the subsystems connected in parallel, the security evaluation item of each information asset in the data flow, the security level retained for each security function of each subsystem in the component level database Among them, the one with the lower security function level between subsystems is selected for each security evaluation item.
The security evaluation system according to claim 3. The arithmetic unit is:
As a synthesis process for each security evaluation item of the retained security level by the predetermined algorithm,
Based on the data flow of the information assets between the subsystems connected in series, the security level for each security function of each subsystem in the component level database for the security evaluation item of each information asset in the data flow For each security evaluation item between subsystems,
Based on the data flow of the information asset between the subsystems connected in parallel, the security evaluation item of each information asset in the data flow, the security level retained for each security function of each subsystem in the component level database Among them, the one with the lower security function level between subsystems is selected for each security evaluation item.
The security evaluation system according to claim 3. The storage device
For each of the security evaluation items, further storing a calculation table that defines a calculation formula for performing synthesis processing for each security evaluation item of the retained security level to be applied for each connection relationship between subsystems,
The arithmetic unit is:
The connection relationship between the subsystems constituting the system to be evaluated is specified in the configuration database, and each information in the data flow is determined based on the data flow of the information asset between the subsystems in the specified connection relationship. With respect to the security evaluation item of the asset, an arithmetic expression corresponding to the connection relation in the calculation table is specified, and the security level retained for each security function of each subsystem in the component level database is set to the security evaluation item and the connection It is applied to the arithmetic expression relating to the relationship and synthesized, and it is determined whether the synthesis level for each security evaluation item, which is the result of the synthesis, satisfies the required security level for the corresponding security evaluation item in the corresponding information asset of the required level database. Before Is intended to calculate the security evaluation results of the system under evaluation,
The security evaluation system according to claim 3. The arithmetic unit is:
The input device accepts input about information assets to be processed or stored in the system and a required security level related to a security evaluation item of the evaluation item database for each information asset, and inputs the received information asset and required security level. The process of storing data in the request level database is further executed.
The security evaluation system according to claim 3. The arithmetic unit is:
The input device accepts an input about the security function provided by the subsystem and the retained security level relating to the security evaluation item provided for each security function, and the received security function and the input data of the retained security level, The process of storing in the parts level database is further executed.
The security evaluation system according to claim 3. The arithmetic unit is:
The input device accepts input about the connection relationship between the plurality of subsystems and the contents of information assets processed or accumulated in each subsystem, and the received connection relationship and information asset input data , Further executing the process of storing in the configuration database.
The security evaluation system according to claim 3.   The security evaluation system according to claim 1, wherein the arithmetic device further executes a process of displaying a security evaluation result related to the evaluation target system on an output device. A component level database storing security function information provided by each of a plurality of subsystems constituting the system to be evaluated, a connection relationship between the plurality of subsystems, and processing or accumulation in each of the subsystems A computer having a storage device for storing a configuration database storing the contents of information assets,
The connection relation between the subsystems constituting the system to be evaluated is specified in the configuration database, and the information asset data flow between the subsystems in the specified connection relation is used to determine the connection level in the component level database. The security function level of each subsystem is synthesized by a predetermined algorithm, it is determined whether the synthesis level as a result of the synthesis satisfies a predetermined level, and the security evaluation result regarding the evaluation target system is calculated. Characteristic security evaluation method.

Images