JP4625353B2 - Security design support method, security design support device, and security design support program - Google Patents

Description

  The present invention relates to a technology for supporting security design of an information system.

  There is an international security evaluation standard ISO / IEC15408 (CC: Common Criteria) as a standard for designing and evaluating security functional requirements of IT products and systems. In order to develop products and systems that conform to ISO / IEC15408, and to obtain evaluation and certification, create security requirement specifications (PP: Protection Profile) or security design specifications (ST: Security Target). Is mandatory. Hereinafter, a security requirement specification and a security design specification for the system are referred to as a system security basic specification.

  In order to create a system security basic specification, the following must be determined in system security design.

(1) Security functional requirements necessary for the design target system (2) Configuration of the design target system and arrangement of security functional requirements to each component of the design target system As an example of a method for determining “security function requirements”, Patent Document 1 describes all steps of security design as “TOE (Target Of Evaluation) modeling (phase I)”, “threat extraction (phase II)”. ”,“ Countermeasures derivation (Phase III) ”,“ Security goal establishment (Phase IV) ”,“ CC (Common Criteria) functional requirement assignment (Phase V) ”,“ Security functional requirement design (Phase VI) ” It is described that security design is performed in order in six phases. This makes it possible to determine the security function requirements of the design target system with high accuracy and without omission.

  In addition, as another example of the determination method of “(1) security function requirements necessary for the design target system” described above, Patent Document 2 and Non-Patent Document 1 extract the threat of the design target system and then extract it. It is described that security functional requirements for countering each threat are determined in units of security functional requirements called security subsystems. As a result, it is possible to improve the efficiency of the work of determining the security function requirements necessary for the design target system.

Japanese Unexamined Patent Publication No. 2000-132767 (page 13, FIG. 1) US 2002/0157015 A1 “A method for designing secure solutions”, IBM SYSTEMS JOURNAL, VOL.40, NO.3,2001

  As described above, the prior art can cope with the clarification and efficiency of the procedure for the determination method of “(1) system security function requirements”. However, there is no conventional technique for clarifying and improving the efficiency of the determination method of “(2) Configuration of system to be designed and allocation of security function requirements to each component of the system to be designed”. , Determined by the experience and knowledge of the designer. Therefore, the quality of the system security design varies depending on the designer.

  An object of the present invention is to facilitate the arrangement of security function requirements for an information system, in particular, a technology that supports security design of the information system.

  The present invention has been made to achieve the above-described object, and one or more locations on the path from the location of the agent that causes the threat assumed in the design target system to the location of the asset damaged by the threat Is determined as a security function requirement placement candidate, and the priority of each placement candidate is determined according to a predetermined placement rule.

  Specifically, for example, a security design support method for arranging a security function requirement to counter a threat assumed in a design target system including a plurality of devices, and a computer having storage means, A system configuration storing step for storing information indicating a system configuration of the design target system, and a security function requirement that counters the threat and a location of an agent that causes the threat are stored in the storage unit for each threat. A function requirement placement information storage step for storing information and information indicating the location of an asset damaged by the agent, and security function requirement placement candidates in the storage means according to the location on the design target system A placement rule storage step for storing placement rule information indicating the priority of the Read the information indicating the location of the agent for each threat and the information indicating the location of the asset for each threat, and cause each threat to cause the threat based on the information indicating the system configuration in the storage means A placement candidate acquisition step of identifying a route from the location of the agent to the location of the asset damaged by the agent, and setting one or more locations on the route as placement candidates of security functional requirements that counter the threat; Based on the placement rule information read from the storage means, a priority determination step for determining a priority for each placement candidate of the security function requirement, a placement candidate for the acquired security function requirement, and a priority for each candidate And an output step of outputting.

  According to the technology of the present invention, it is possible to clarify and increase the efficiency of the procedure for arranging security function requirements. In addition, it is possible to reduce the placement of security function requirements, and even general designers who do not have specialized knowledge, technology, and know-how can easily and easily create basic security specifications for information network systems that ensure a certain level of quality. It can be created efficiently.

  Hereinafter, an embodiment of the present invention will be described in detail with reference to the drawings.

  First, an outline of the present embodiment will be described. FIG. 1 is a diagram for explaining the outline of the present embodiment. In FIG. 1, a system security design support apparatus 40 according to the present embodiment includes security function requirements for a design target system based on information in a system basic design document 5001 indicating information such as the purpose, basic configuration, and basic architecture of the design target system. Arrangement candidates are obtained, and the priority of each arrangement candidate is determined. That is, the system security design support apparatus 40 supports the work of arranging the security function requirements in the design target system among the work of creating the system security basic specification 5003. Here, the design target system is a system having a plurality of devices connected by a communication network.

  Hereinafter, FIG. 1 will be described in detail. First, an operator who performs system security design 5002 receives “system basic design document 5001” as an input, and follows the above-described procedures from “phase I to phase V” to “TOE definition 5101”, “asset definition 5102”, “ After performing “agent definition 5103”, “threat extraction 5104” is performed, “security target derivation 5105” is performed against the extracted threat, and “security function requirement derivation 5106” corresponding to each security target is performed.

  The “TOE definition 5101” is to clarify the elements of the TOE and the inter-element communication path, and determine the elements to be evaluated. “Asset definition 5102” is to determine an asset (information, equipment, process, program, etc.) to be protected among the determined TOE. “Agent definition 5103” is to define an agent (participant, device, process, program, etc. of a system that causes a threat to the asset) that is assumed for the asset of the design target system. “Threat extraction 5104” is extraction of an assumed threat to an asset. “Security target derivation 5105” is to derive a security target for countering the extracted threat. “Security function requirement derivation 5106” is to derive a security function requirement for achieving the derived security goal.

  After performing the above procedure, the schema acquisition processing unit 401 in the system security design support apparatus 40 in accordance with the operator's instruction, based on the result of the TOE definition 5101, a system schema for arranging security function requirements ( System structure) information is acquired, and the acquired schema information is stored in the security function requirement arrangement DB 41. Next, the function requirement allocation information acquisition processing unit 402 acquires the above-described “asset definition 5102”, “agent definition 5103”, “threat extraction 5104”, “security target derivation 5105”, and “security function requirement derivation 5106”. Based on the obtained information and the schema information of the design target system stored in the security function requirement arrangement DB 41, the function requirement arrangement information for arranging the security function requirements is acquired, and the acquired function requirement arrangement information is security Stored in the functional requirement arrangement DB 41. Next, the security function requirement placement processing unit 403 refers to the information stored in the security function requirement placement DB 41 and the placement rule DB 42 and acquires the placement candidate of the security function requirement for each security target and the priority of each placement candidate. Then, according to the instructions of the worker, each security functional requirement is arranged in the element of the design target system.

  After placing security function requirements on the components of the system to be designed using the system security design support apparatus 40, an operator who performs system security design follows the procedure of “Phase VI” described above to create “security basic specification creation 5107”. I do. As a result, since “(2) the configuration of the design target system and the arrangement of the security function requirements to each component of the design target system” described above is determined, the system security basic design document 5003 can be created. .

  Next, a configuration example of a design target system used for explaining the configuration and operation of the system security design support apparatus 40 of the present embodiment will be described. FIG. 2 is a diagram for explaining an example of the design target system 2. In FIG. 2, a design target system 2 is a system that provides a WEB information browsing service. The design target system 2 of this embodiment includes a user site 21 and a server site 22. The user site 21 has a device A 211 (user client). The server site 22 includes a device B 221 (firewall), a device C 222 (WEB server) including a WEB information DB 2221, and a device D 223 (management terminal). Each device in the server site 22 is connected to each other via an intranet 23. The user site 21 and the server site 22 are connected via the Internet 24. The administrator of the server site 22 uses the device D223 to access the device C222 and updates the WEB information DB 2221. The user uses the device A 211 to access the device C 222 and refers to information in the WEB information DB 2221.

  Next, the schema of this embodiment will be described. FIG. 3 is a diagram for explaining an example of the schema of the design target system 2 shown in FIG. 2 as an example. In the present embodiment, the design target system 2 is subdivided into a hierarchical structure of domains and subsystems. Further, each device including the network is defined based on the physical configuration of horizontal distribution in each subsystem, and the application layer (hereinafter referred to as AP layer), database layer is defined based on the logical configuration of vertical distribution in each device. (Hereinafter referred to as DB layer) and OS layer are defined.

  A domain is a unit for managing a network. A subsystem is a system that realizes one function. The AP layer, DB layer, and OS layer are logical hierarchies generally used by system engineers (system design / developer) during system design.

  Thus, by dividing the system into a hierarchical structure of domains and subsystems, the security policy can be changed in units of domains and subsystems. In addition, by defining the device configuration like the above-described AP layer, DB layer, and OS layer, it is possible to determine logical placement candidates for security function requirements.

  In the design target system 2, the configuration of each device is defined by a layer structure such as an AP layer, a DB layer, and an OS layer. However, the configuration of each device is not limited to the above-described layers, and is a logical placement candidate. Anything is appropriate. Examples of layers include two of an AP layer and an OS layer, three of an AP layer, a middleware layer, and an OS layer, and three of a user interface layer, an AP layer, and a DB layer.

  Hereinafter, this embodiment will be described in detail.

  FIG. 4 is a diagram showing a configuration of the system security design support apparatus 40 of the present embodiment. 4, the system security design support device 40 includes a storage device 43, a memory 44, a CPU 45, a disk drive device 46, an input / output connection unit 47, and a network connection unit 48, and these units are connected to each other via a bus 49. Is done. The disk drive device 46 is a device that reads from and writes to a medium such as a CD (Compact Disc), a DVD (Digital Versatile Disk), or an MO (Magneto Optical Disk). An output device 471 such as a display and a printer and an input device 472 such as a keyboard and a mouse are connected to the input / output connection unit 47. Further, the system security design support device 40 is connected to a communication network (not shown) via the network connection unit 48, and transmits / receives information to / from other devices (not shown) connected to the communication network.

  The storage device 43 is, for example, an HDD (Hard Disk Drive). The storage device 43 includes a security function requirement arrangement DB 41, an arrangement rule DB 42, a communication control program 431, a system security design support program 432, and the like.

  The security function requirement arrangement DB 41 stores information for arranging security function requirements. Here, in the security function requirement arrangement DB 41, schema information indicating the system configuration of the design target system 2, information on threats assumed in the design target system 2, information on assets to be protected, information on agents that cause threats In addition, information on security objectives of the design target system 2, information on security function requirements to counter threats, information on arrangement of security function requirements, and the like are stored. These pieces of information are input by an operator through operations described later, and are stored in the security function requirement arrangement DB 41.

  The placement rule DB 42 stores information for determining the priority for placing security function requirements.

  The information stored in each DB will be described in detail. The information described below is information related to the design target system 2 shown in FIG.

  First, information stored in the security function requirement arrangement DB 41 will be described with reference to FIGS. FIG. 5 shows an example of schema information. In FIG. 5, the schema information is indicated by a system element configuration table 51 that stores elements constituting the design target system 2 and a system network configuration table 52 that indicates a network connection relationship.

  5A, the system element configuration table 51 includes a domain 511, a subsystem 512, a device 513, a layer 514, a network connection destination 515, and the like. The domain 511 is information indicating the name of the domain. The subsystem 512 is information indicating the name of the subsystem included in each domain 511. The device 513 is information indicating the name of the device included in each subsystem 512. The layer 514 is information indicating the name of the layer defined for each of the devices 513. The network connection destination 515 is information indicating the name of the device to which each of the devices 513 is connected via the communication network.

  In FIG. 5B, the system network configuration table 52 includes a network 521, a network connection destination 522, and the like. The network 521 is information indicating the name of the network. The network connection destination 522 is information indicating the name of the device to which each network 521 is connected.

  FIG. 6 shows an example of an asset table 61 that stores information related to assets. In FIG. 6, the asset table 61 includes assets 611, locations 612, and the like. The assets 611 are information, devices, processes, programs, and the like to be protected. The place 612 is a place where each asset 611 exists, and is, for example, a device, a network, a layer, or the like that has the asset.

  FIG. 7 shows an example of an agent table 71 that stores information about agents. In FIG. 7, the agent table 71 includes an agent 711, a location 712, and the like. The agent 711 is a system participant, a device, a process, a program, or the like that causes a threat assumed in the design target system 2. The place 712 is a place where each agent 711 causes a threat, and is, for example, a device, a network, a layer, or the like.

  FIG. 8 shows an example of the threat table 81 that stores information on threats. In FIG. 8, the threat table 81 includes a threat 811 and the like. The threat 811 is a threat assumed for the design target system 2.

  FIG. 9 shows an example of the security goal table 91 that stores information related to security goals. In FIG. 9, the security target table 91 includes a security target 911 and the like. The security target 911 is a security target for the design target system 2.

  FIG. 10 shows an example of a security function requirement table 101 that stores information on security function requirements. In FIG. 10, a security function requirement table 101 includes security function requirements 1011 and the like. The security functional requirement 1011 is a functional requirement for achieving the security goal.

  FIG. 11 shows an example of the security function requirement placement information table 111 that stores information for placing security function requirements. In FIG. 11, the security function requirement arrangement information table 111 includes a security target 1111, a threat 1112, an agent 1113, an asset 1114, a countermeasure method 1115, a security function requirement 1116, and the like. In the security function requirement arrangement information table 111, the threat 1112, the agent 1113, the asset 1114, the countermeasure method 1115, and the security function requirement 1116 are associated with the security target 1111.

  The security goal 1111 is a security goal of the design target system 2 and includes a part or all of the security goal 911 of the security goal table 91 described above. The threat 1112 is a threat of the corresponding security objective 1111 and includes a part or all of the threat 811 of the threat table 81 described above. The agent 1113 is an agent that causes a threat of the corresponding security objective 1111, and includes a part or all of the agent 711 and the location 712 of the agent table 71 described above. The asset 1114 is an asset to be protected from the threat of the corresponding security objective 1111, and includes a part or all of the asset 611 and the location 612 of the asset table 61 described above. The countermeasure method 1115 is a method for achieving the corresponding security objective 1111. The security function requirement 1116 is a security function requirement for achieving the corresponding security objective 1111, and includes a part or all of the security function requirement 1011 of the security function requirement table 101.

  Next, information stored in the placement rule DB 42 will be described. The placement rule DB 42 stores placement rule information for determining the priority for placing security function requirements. Information in the placement rule DB 42 is stored in advance, but an operator may add or modify the information.

  FIG. 12 shows an example of an arrangement rule table 121 that stores information for determining the priority for arranging security function requirements. In FIG. 12, the arrangement rule table 121 includes a type 1211, an arrangement rule A1212, an arrangement rule B1213, and the like. The type 1211 is information indicating the type of countermeasure method for the security target. The placement rule A1212 is information indicating a rule of a place to be placed as the first priority candidate for each type of countermeasure method. The placement rule B1213 is information indicating a rule of a place to be placed as the second priority candidate for each type of countermeasure method.

  In FIG. 4, a communication control program 431 is a program for communicating with other devices connected to the communication network via the network connection unit 48. The system security design support program 432 is a program for realizing a schema acquisition processing unit 401, a function requirement arrangement information acquisition processing unit 402, and a security function requirement arrangement processing unit 403, which will be described later.

  The memory 44 includes a schema data area 441, a function requirement arrangement information acquisition data area 442, and a function requirement arrangement data area 443. These data areas are areas for temporarily storing information acquired or read by operations of a schema acquisition processing unit 401, a function requirement arrangement information acquisition processing unit 402, and a security function requirement arrangement processing unit 403, which will be described later. It is.

  The CPU 45 executes the system security design support program 432 loaded in the memory 44, thereby realizing a schema acquisition processing unit 401, a function requirement arrangement information acquisition processing unit 402, and a security function requirement arrangement processing unit 403.

  The schema acquisition processing unit 401 acquires information (schema information) related to the system configuration of the design target system 2 and stores the acquired information in the security function requirement arrangement DB 41. The function requirement arrangement information acquisition processing unit 402 acquires information about agents, information about threats, information about security targets, information about security function requirements, and the like, and stores the acquired information in the security function requirement arrangement DB 41. The security function requirement placement processing unit 403 obtains security function requirement placement candidates, and determines the priority of each security function requirement placement candidate based on information in the placement rule DB 42.

  The operation will be described below.

  First, an operation example of the schema acquisition processing unit 401 that acquires schema information of the design target system 2 will be described with reference to FIG. With the operation in FIG. 13, the schema acquisition processing unit 401 acquires the system element configuration table 51 and the system network configuration table 52 shown in FIG.

  The schema acquisition processing unit 401 accepts input of schema information in accordance with the operator's instruction (S1301). Specifically, for example, the schema acquisition processing unit 401 outputs a screen for receiving an instruction as shown in FIG. 14 based on a predetermined format to the output device 471 such as a display.

  In FIG. 14, a work screen 141 includes a file menu 1411, an edit menu 1421, a main display unit 142, and the like. From the file menu 1411, submenus such as a schema input end 1412 and a close 1413 can be selected. From the edit menu 1421, submenus such as element addition 1422, element deletion 1423, network addition 1424, network deletion 1425 can be selected. From the Add Element 1422 submenu, submenus such as the domain 1426, the subsystem 1427, and the device 1428 can be selected. The main display unit 142 can be input from the input device 472.

  The schema input end 1412 is a submenu for ending the schema input and moving the processing to the function requirement arrangement information acquisition processing unit 402. Close 1413 is a submenu for ending the system security design support program.

  The operator uses the input device 472 to select the submenu displayed on the work screen 141 and the display contents, thereby instructing the schema of the design target system 2. When an instruction is input (S1301), the schema acquisition processing unit 401 performs processing to be described later in accordance with the instruction, and displays a screen such as an example on the main display unit 142 of FIG. (S1311).

  When the operator instructs the selection of an element (domain, subsystem, device, network, etc.) using the input device 472 such as a mouse, the schema acquisition processing unit 401 places the instructed element in a selected state (S1302). Specifically, for example, the schema acquisition processing unit 401 stores in advance the elements added in the processing of S1303 to S1308, which will be described later, in the schema data area 441 of the memory 44, and is stored in that area. Elements are displayed on the main display unit 142 of FIG. 15 as an example. When the worker clicks and selects one of the elements displayed on the main display unit 142 in FIG. 15, the schema acquisition processing unit 401 is selected as the selected element in the schema data area 441. The flag indicating is given. Further, the schema acquisition processing unit 401 outputs the selected element to the main display unit 142 so that it can be understood that the element has been selected (S1311), and returns to the input reception from the worker (S1301). In order to output so that it can be understood that an element has been selected, for example, the schema acquisition processing unit 401 changes the color of the selected element and outputs the selected element.

  When the worker instructs to add a domain using the input device 472 such as a mouse, the schema acquisition processing unit 401 acquires the domain name of the domain to be added according to the information input by the worker (S1303), and information on the domain Is stored in the schema data area 441. Referring to the example of FIG. 14, when “domain 1426” is specified in the submenu “add element 1422”, the schema acquisition processing unit 401 uses the input device 472 such as a keyboard to input characters The column is the domain name of the domain. The schema acquisition processing unit 401 stores the acquired domain name in the schema data area 441, and displays information on the domain (configuration, location, domain name, etc.) on the main display unit 142 as shown in FIG. (S1311), it returns to the input reception from the worker (S1301).

When the worker instructs “add subsystem” using the input device 472 such as a mouse, the schema acquisition processing unit 401 acquires the subsystem name of the subsystem to be added according to the information input by the worker (S1304). ), Information about the subsystem is stored in the schema data area 441. Referring to the example of FIG. 14, when “subsystem 1427” is specified in the submenu of “add element 1422”, the schema acquisition processing unit 401 is input by an operator using an input device 472 such as a keyboard. The character string is the subsystem name of the subsystem. The schema acquisition processing unit 401 stores information on the subsystem (configuration, location, subsystem name, etc.) in the schema data area 441 and displays the subsystem on the main display unit 142 as shown in FIG. (S1311), the process returns to the input reception from the worker (S1301).
Here, if any element or network is in a selected state when an instruction to add an element such as a domain, subsystem, or device is instructed, the schema acquisition processing unit 401 selects an element to be added in accordance with the instruction. Are added as a hierarchy below the element or network and stored in the schema data area 441 of the memory 44. For example, when the addition of the subsystem 1 is instructed while the domain A is selected, the schema acquisition processing unit 401 adds the subsystem 1 as a layer below the domain A. In order to determine whether any element or network is in a selected state, for example, it is determined based on whether or not a flag indicating that the element or network stored in the schema data area 441 has been selected is given.

  When the worker instructs “add device” using the input device 472 such as a mouse, the schema acquisition processing unit 401 acquires the hierarchical structure of the device to be added and the device name in accordance with the worker's instruction (S1305). , S1306), information about the device is stored in the schema data area 441. Referring to the example of FIG. 14, when “device 1428” is instructed in the submenu of “add element 1422”, the schema acquisition processing unit 401 uses the input device 472 such as a keyboard or a mouse to input the operator. In accordance with the instruction, information related to the device to be added (configuration, location, layer structure of the device, name of the device, etc.) is stored in the schema data area 441, and the device is displayed in the main display unit as shown in FIG. 142 (S1311), and the process returns to the input reception from the worker (S1301). Here, the layer structure of the device to be added is, for example, the AP layer, the DB layer, and the OS layer shown in FIG. 3 described above.

  When the operator instructs “add network” using the input device 472 such as a mouse, the schema acquisition processing unit 401 follows the operator's instruction to connect the device to which the network to be added and the network name of the network to be added. (S1307, S1308), and information related to the network is stored in the schema data area 441. Referring to the example of FIG. 14, when “add network 1424” is designated, the schema acquisition processing unit 401 first acquires the name of the connection destination device of the network to be added. Specifically, for example, the schema acquisition processing unit 401 determines whether any device is in a selected state by referring to the schema data area 441 or the like. When there is a selected device, the schema acquisition processing unit 401 sets the connection destination of the network to which the device is added. If there is no selected device, the schema acquisition processing unit 401 receives the instruction of the connection destination device by outputting the main display unit 142 shown in FIG. 15 as an example, and selects the device selected by the operator using the input device 472. The connection destination of the network to be added. Next, the schema acquisition processing unit 401 acquires the name of the network to be added. Specifically, for example, the schema acquisition processing unit 401 uses the character string input by the operator using the input device 472 such as a keyboard as the name of the network to be added. The schema acquisition processing unit 401 stores information about the network acquired in this way (configuration, name of device connected to the network, name of the network, etc.) in the schema data area 441 and the network to be added is connected to As shown in FIG. 15 as an example, a diagram showing that the device is connected to the device designated as the name and the name of the network are displayed on the main display unit 142 (S1311), and an input is received from the operator (S1301). Return to.

  When the worker designates the submenu “Delete Element 1423” with the input device 472 such as a mouse, the schema acquisition processing unit 401 deletes the element (domain, subsystem, device) selected by the worker ( S1309). Specifically, for example, the schema acquisition processing unit 401 determines whether any element is in a selected state by referring to the schema data area 441 or the like. Delete from the schema data area 441. If there is no element in the selected state, the schema acquisition processing unit 401 receives an input of an element to be deleted by outputting the main display unit 142 shown in FIG. 15 as an example, and the element selected by the input device 472 is schematized. Delete from the data area 441. Next, the schema acquisition processing unit 401 deletes and displays the specified element from the main display unit 142 as shown in FIG. 15 as an example (S1311), and returns to the input reception from the worker (S1301).

  When the worker designates the submenu “delete network 1425” with the input device 472 such as a mouse, the schema acquisition processing unit 401 deletes the network selected by the worker (S1310). A specific example of this operation is the same as the “deletion of element” described above. The schema acquisition processing unit 401 deletes and displays the specified network from the main display unit 142 as shown in FIG. 15 (S1311), and returns to the input reception from the worker (S1301).

  When the operator designates the submenu “schema input end 1412” with the input device 472 such as a mouse, the schema acquisition processing unit 401 uses the information stored in the schema data area 441 as the system element configuration shown in FIG. The table 51 and the system network configuration table 52 are stored, the table is stored in the security function requirement arrangement DB 41 (S1312), and the process ends.

  By the above-described operation, the system can be subdivided into a hierarchical structure (domain, subsystem) within a range where security policies are different. In addition, based on the physical configuration of horizontal distribution in each subsystem, the device configuration including the network of each subsystem and two or more layers based on the logical configuration of vertical distribution in each device are defined. By doing so, it is possible to define the schema of the system.

  Next, an operation example of the function requirement placement information acquisition processing unit 402 that acquires information for placing security function requirements will be described with reference to FIG. The functional requirement arrangement information acquisition processing unit 402 performs the operations described later, the asset table 61, the agent table 71, the threat table 81, the security target table 91, the security functional requirement table 101, the security function shown in FIG. 6 to FIG. The requirement placement information table 111 is acquired.

  The functional requirement placement information acquisition processing unit 402 receives input of placement requirement information (S1601). Specifically, for example, the function requirement arrangement information acquisition processing unit 402 outputs a screen for accepting an instruction as shown in FIG. 17 and FIG. 18 to the output device 471 such as a display based on a predetermined format. To do.

  FIG. 17 is a diagram illustrating a menu that can be instructed by the user. In FIG. 17, the work screen 171 includes a file menu 1711, an edit menu 1721, a main display unit 172, and the like. From the file menu 1711, submenus such as arrangement information input end 1712 and close 1713 can be selected. From the edit menu 1721, submenus such as an asset addition 1722, an agent addition 1723, a threat addition 1724, a security target addition 1725, a security function requirement addition 1726, an arrangement information editing 1727 can be selected. An arrangement information input end 1712 is a submenu for ending the process of the function requirement arrangement information acquisition processing unit 402 and moving the process to the security function requirement arrangement processing unit 403. A close 1713 is a submenu for ending the system security design support program.

  FIG. 18 is an example of a screen for allowing an operator to input information for arranging security function requirements. 18, the main display unit 172 includes the schema of the design target system 2 acquired by the operation described with reference to FIG. 13, and information for arranging the security function requirements input to the sub display unit 173. Is displayed. Note that the schema displayed on the main display unit 172 follows a predetermined format based on the system element configuration table 51 and the system network configuration table 52 shown in FIG. Is displayed. The sub display unit 173 includes a tab for an asset 1731, an agent 1732, a threat 1733, a target 1734, a functional requirement 1735, an edit 1736, a table display unit 1737, and the like.

  The worker uses the input device 472 to select information from the submenu displayed on the work screen 171 and display contents, thereby instructing information for arranging security function requirements. When an instruction is input (S1601), the functional requirement arrangement information acquisition processing unit 402 performs processing described later in accordance with the instruction, and a screen showing an example on the main display unit 172 and the sub display unit 173 in FIG. Is output to an output device 471 such as a display (S1608).

  When the operator instructs “add asset” using the input device 472 such as a mouse, the function requirement arrangement information acquisition processing unit 402 follows the information input by the worker and the name of the asset to be added and the asset The location is acquired (S1602), and the acquired subsystem name is stored in the function requirement arrangement information acquisition data area 442 in the memory 44. 18 and FIG. 17, when the submenu “add asset 1722” is specified, the functional requirement arrangement information acquisition processing unit 402 enables the “asset 1731” tab of the sub display unit 173. Thus, the asset name can be input to the table display unit 1737. The functional requirement arrangement information acquisition processing unit 402 uses a character string input by the operator using the input device 472 in a specific area of the table display unit 1737 as the name of the asset to be added, as a function requirement arrangement information acquisition data area 442. And stored in the asset 611 of the asset table 61 therein. Further, the functional requirement arrangement information acquisition processing unit 402 acquires the location of the asset to be added.

  For this purpose, for example, the functional requirement arrangement information acquisition processing unit 402 refers to the functional requirement arrangement information acquisition data area 442 or the like to determine whether any location (device, layer, network, etc.) is in a selected state. To determine. When there is a place in the selected state, the function requirement arrangement information acquisition processing unit 402 assumes that the place is where the asset exists. When there is no place in the selected state, the function requirement arrangement information acquisition processing unit 402 outputs the main display unit 172 shown in FIG. 18 as an example, receives the place input, and the place selected by the operator using the input device 472 (Device, layer, network, etc.) is stored in the location 612 of the asset table 61 in the function requirement arrangement information acquisition data area 442 as the location of the asset to be added. The functional requirement arrangement information acquisition processing unit 402 displays the input asset name and the location of the asset in accordance with the asset 1801 (WEB server PG, WEB public information, WEB update PG, WEB display 172) shown in FIG. WEB browser PG) and the table 1741 of the sub display unit 173 (S1608), and the process returns to the input reception from the worker (S1601).

  When the worker instructs “add agent” using the input device 472 such as a mouse, the function requirement arrangement information acquisition processing unit 402 follows the information input by the worker and the name of the agent to be added and the agent's name. The location is acquired (S1602), and the name and location of the acquired agent are stored in the functional requirement arrangement information acquisition data area 442. 18 and FIG. 17, when the submenu “add agent 1723” is designated, the function requirement arrangement information acquisition processing unit 402 displays the sub display unit 173 as shown in an example in FIG. The tab of “Agent 1732” is enabled, and the name of the agent can be input. The functional requirement arrangement information acquisition processing unit 402 uses the input device 472 to input a character string input to a specific area of the table display unit 1737 as the name of the agent to be added, as a function requirement arrangement information acquisition data area 442. And stored in the agent 711 of the agent table 71 in the table. Further, the function requirement arrangement information acquisition processing unit 402 acquires the location (device, layer, network, etc.) of the agent to be added, and adds the function requirement arrangement information acquisition data area 442 in the same manner as the above-described addition of assets. Store in the location 712 of the agent table 71. The function requirement arrangement information acquisition processing unit 402 displays the input agent name and location as an agent 1802 (administrator, unauthorized user, user) of the main display unit 172 shown in FIG. 18 as an example, and as shown in FIG. Is displayed as a table 1742 of the sub display unit 173 (S1608), and the process returns to the input reception from the worker (S1601).

  When the worker designates “add threat” using the input device 472 such as a mouse, the functional requirement arrangement information acquisition processing unit 402 acquires the added threat according to the information input by the worker (S1604). The acquired threat is stored in the function requirement arrangement information acquisition data area 442. 18 and FIG. 17, when the submenu “add threat 1724” is designated, the function requirement arrangement information acquisition processing unit 402 displays the sub display unit 173 as shown in an example in FIG. The “threat 1733” tab is enabled, and an input threat can be input. The functional requirement arrangement information acquisition processing unit 402 uses the input device 472 to input a character string input to a specific area of the table display unit 1737 as a threat to be added in the functional requirement arrangement information acquisition data area 442. Stored in the threat 811 of the threat table 81. Furthermore, the functional requirement arrangement information acquisition processing unit 402 displays the input threat as a table 1743 of the sub display unit 173 shown in FIG. 20 as an example (S1608), and receives input from the worker (S1601). Return to.

  When the worker designates “add security target” using the input device 472 such as a mouse, the functional requirement arrangement information acquisition processing unit 402 acquires the security target to be added according to the information input by the worker ( S1605), the acquired security target is stored in the function requirement arrangement information acquisition data area 442. 18 and FIG. 17, when the submenu “Add Security Target 1725” is instructed, the function requirement arrangement information acquisition processing unit 402, as shown in FIG. 21 as an example, displays the sub display unit 173. The “Goal 1734” tab of “1” is enabled to enable the input of the security goal to be added. The functional requirement arrangement information acquisition processing unit 402 uses the input device 472 to input a character string input to a specific area of the table display unit 1737 as a security target to be added in the functional requirement arrangement information acquisition data area 442. Are stored in the security goal 911 of the security goal table 91. Furthermore, the functional requirement arrangement information acquisition processing unit 402 displays the input security target as a table 1744 of the sub display unit 173 shown in FIG. 21 as an example (S1608), and receives input from the worker (S1601). Return to).

  When the operator instructs “add security function requirement” using the input device 472 such as a mouse, the function requirement placement information acquisition processing unit 402 acquires the added security function requirement according to the information input by the worker. In step S1606, the acquired security function requirement is stored in the function requirement arrangement information acquisition data area 442. 18 and FIG. 17, when the submenu “addition of security function requirement 1726” is designated, the function requirement arrangement information acquisition processing unit 402, as shown in FIG. The “functional requirement 1735” tab of 173 is validated and the security functional requirement to be added can be input. The functional requirement arrangement information acquisition processing unit 402 uses the input device 472 to input a character string input to a specific area of the table display unit 1737 as a functional functional arrangement information acquisition data area 442 as a security functional requirement to be added. Are stored in the security function requirement 1011 of the security function requirement table 101 in FIG. Further, the function requirement arrangement information acquisition processing unit 402 displays the input security function requirements as a table 1745 of the sub display unit 173 shown as an example in FIG. 22 (S1608), and receives input from the operator ( The process returns to S1601).

  When the operator uses the input device 472 such as a mouse to instruct “editing of functional requirement placement information”, the functional requirement placement information acquisition processing unit 402 acquires the content to be edited according to the information input by the worker. (S1607), the acquired editing content is stored in the function requirement arrangement information acquisition data area 442. 18 and FIG. 17, when the submenu “edit arrangement information 1727” is designated, the function requirement arrangement information acquisition processing unit 402 displays a sub display unit as shown in FIG. The “edit 1736” tab of 173 is enabled, and the security function requirement arrangement information to be edited can be input. The functional requirement arrangement information acquisition processing unit 402 stores information input by the operator using the input device 472 in the security functional requirement arrangement information table 111 in the functional requirement arrangement information acquisition data area 442, and The information is displayed like a table 1746 shown in FIG. 23 as an example (S1608), and the process returns to accepting input from the worker (S1601). Each row of the table 1746 realizes a threat corresponding to the security goal described in the row, an agent of the threat, an asset damaged by the threat, a countermeasure method for achieving the security goal, and the countermeasure method. The security functional requirements are shown.

  The operation of S1607 described above will be described in detail with reference to FIG.

  The functional requirement arrangement information acquisition processing unit 402 displays a table 1746 on the sub display unit 173 as shown in an example in FIG. 23 in accordance with a predetermined format (S2401).

  At this time, the function requirement arrangement information acquisition processing unit 402 may display only the items and the security target in the table 1746 when the security function requirement arrangement information to be edited is not acquired. Specifically, for example, the functional requirement arrangement information acquisition processing unit 402 refers to an area for storing information in the table 1746 of the functional requirement arrangement information acquisition data area 442, and no information is stored in the area. In this case, it is determined that the security function requirement arrangement information to be edited has not been input. In this case, the function requirement arrangement information acquisition processing unit 402 displays “security target”, “corresponding threat”, “agent”, “assets”, “countermeasure”, “corresponding” in the field for displaying the items in the table 1746. Items such as “security function requirement” are displayed, the security target 911 stored in the security target table 91 is read, and the read security target 911 is displayed in the security target field 2301 of the table 1746.

  The functional requirement arrangement information acquisition processing unit 402 receives an instruction from the worker (S2402), performs the processes of S2403 to S2407, which will be described later, in accordance with the instruction, and stores it in the table 1746 of the sub display unit 173 in FIG. The input information is displayed (S2408).

  When the worker instructs to edit “threat” using the input device 472 such as a mouse, the function requirement placement information acquisition processing unit 402 follows the information input by the worker and the threat corresponding to the designated security target. Is acquired (S2403) and stored in the function requirement arrangement information acquisition data area 442. Referring to the example of FIG. 23, when the operator selects any of the threat fields 2302 of the security function requirement placement information table 1746 using the input device 472 such as a mouse, the function requirement placement information acquisition processing unit 402 is selected. As shown in FIG. 20, the table 1743 is displayed with the “threat 1733” tab of the sub display unit 173 enabled. When the worker selects any one of the displayed threats using the input device 472, the function requirement arrangement information acquisition processing unit 402 corresponds to the selected threat in the row selected in the threat field 2302. The security target threat is stored in the threat 1112 of the security function requirement arrangement information table 111 in the function requirement arrangement information acquisition data area 442. Further, the functional requirement arrangement information acquisition processing unit 402 enables the “Edit 1736” tab of the sub display unit 173 and displays the threat in the selected threat field 2302 in the table 1746 (S2408). The process returns to the input reception from the worker (S2402).

  When the worker instructs to edit “assets” using the input device 472 such as a mouse, the function requirement arrangement information acquisition processing unit 402 follows the information input by the worker and corresponds to the designated security target. Is acquired (S2404) and stored in the function requirement arrangement information acquisition data area 442. In the example of FIG. 23, when the operator selects any of the asset fields 2304 of the table 1746 using the input device 472 such as a mouse, the function requirement arrangement information acquisition processing unit 402 is an example of FIG. Is displayed, and an instruction for the asset to be edited is received. When the operator uses the input device 472 to select any of the assets 1801 displayed on the main display unit 172 shown in FIG. 18 as an example, the functional requirement arrangement information acquisition processing unit 402 selects the selected asset 1801. Is stored in the asset 1114 of the security function requirement placement information table 111 in the function requirement placement information acquisition data area 442 as a security target asset corresponding to the row selected in the asset field 2304. Further, the functional requirement arrangement information acquisition processing unit 402 enables the “edit 1736” tab of the sub display unit 173 and displays the asset in the selected asset field 2304 in the table 1746 (S2408). The process returns to the input reception from the worker (S2402).

  When the worker instructs to edit the “agent” using the input device 472 such as a mouse, the function requirement arrangement information acquisition processing unit 402 performs an agent corresponding to the designated security target according to the information input by the worker. Is acquired (S2405) and stored in the function requirement arrangement information acquisition data area 442. Referring to the example of FIG. 23, when the operator selects any of the agent fields 2303 of the table 1746 using the input device 472 such as a mouse, the function requirement arrangement information acquisition processing unit 402 is an example shown in FIG. The main display unit 172 is displayed, and an instruction from the agent to be edited is received. When the operator uses the input device 472 to select any of the agents 1802 displayed on the main display unit 172 shown in FIG. 18 as an example, the function requirement arrangement information acquisition processing unit 402 selects the selected agent 1802. Are stored in the agent 1113 of the security function requirement placement information table 111 in the function requirement placement information acquisition data area 442 as the security target agent corresponding to the row selected in the agent field 2303. Further, the functional requirement arrangement information acquisition processing unit 402 enables the “edit 1736” tab of the sub display unit 173 and displays the agent in the selected agent field 2303 in the table 1746 (S2408). The process returns to the input reception from the worker (S2402).

  When the operator instructs to edit the “measure method” using the input device 472 such as a mouse, the function requirement arrangement information acquisition processing unit 402 responds to the instructed security target according to the information input by the worker. A countermeasure policy is acquired (S2406) and stored in the function requirement arrangement information acquisition data area 442. Referring to the example of FIG. 23, when the operator selects any one of the “countermeasure method field 2305” in the table 1746 using the input device 472 such as a mouse, the function requirement arrangement information acquisition processing unit 402 A character string input to a specific area of the table display unit 1737 by the user using the input device 472 is used as a security target countermeasure method corresponding to the selected countermeasure method field 2305 row. The function requirement arrangement information acquisition processing unit 402 displays the countermeasure method in the selected countermeasure method field 2305 in 1746 (S2408), and displays the countermeasure method in the function requirement arrangement information acquisition data area 442. The information is stored in the countermeasure method 1115 of the security function requirement arrangement information table 111, and the process returns to the input reception from the worker (S2402).

  When the worker designates editing of “security function requirements” using the input device 472 such as a mouse, the function requirement arrangement information acquisition processing unit 402 responds to the instructed security target according to the information input by the worker. Security function requirements to be acquired (S2407), and stored in the function requirement arrangement information acquisition data area 442. Referring to the example of FIG. 23, when the operator selects any one of the security function requirement fields 2306 of the table 1746 using the input device 472 such as a mouse, the function requirement arrangement information acquisition processing unit 402 performs the process shown in FIG. The table 1745 is displayed by enabling the tab of “functional requirement 1735” of the sub display unit 173 as shown in FIG. When the operator selects any one of the security function requirements in the table 1745 displayed using the input device 472, the function requirement arrangement information acquisition processing unit 402 converts the selected security function requirement into the security function requirement. The security functional requirement of the security target corresponding to the row selected in the field 2306 is stored in the functional requirement 1116 of the security functional requirement arrangement information table 111 in the functional requirement arrangement information acquisition data area 442. Further, the function requirement arrangement information acquisition processing unit 402 enables the “Edit 1736” tab of the sub display unit 173 and displays the security function requirement in the selected security function requirement field 2306 in the table 1746. (S2408), it returns to the input reception (S2402) from an operator.

  When the operator gives an instruction different from the above using the input device 472 such as a mouse, the function requirement arrangement information acquisition processing unit 402 performs processing according to the instruction.

  In the above-described processing of S2404, when selecting an asset corresponding to the instructed security target, the worker selects an asset in consideration of which asset the asset in the corresponding threat field 2302 is a threat to. Like that. Further, in the process of S2405 described above, when selecting an agent corresponding to the instructed security target, the worker selects an agent in consideration of which agent causes the threat in the corresponding threat field 2302. Make a selection. In addition, when inputting a countermeasure method corresponding to the instructed security goal in the above-described step S2406, the worker can determine how the threat in the corresponding threat field 2302 can be prevented, suppressed, detected, or the like. Make sure to enter it in consideration.

In FIG. 16, when the operator uses the input device 472 to specify the submenu “configuration information input end 1712”, the function requirement placement information acquisition processing unit 402 stores the function requirement placement information acquisition data area 442. The asset table 61, the agent table 71, the threat table 81, the security target table 91, the security function requirement table 101, and the security function requirement arrangement information table 111 are stored in the security function requirement arrangement DB 41 (S1609), and the process ends. .
16 and 24, the worker inputs assets, agents, threats, security objectives, security functional requirements and their corresponding relations, and sets the contents of threats to counter each security objective. Originally, it can be converted into a predetermined format (a format linked to (1) an agent and its location, (2) an asset and its location, and (3) a countermeasure method). As a result, it becomes possible to acquire information necessary for placing security function requirements in the system schema.

  Next, with reference to FIG. 25, an example of an operation for arranging security function requirements will be described. In this example, first, a security target is placed, and the operation of placing the security functional requirements for realizing the security goal at the position where the security goal is placed is described. However, the present invention is not limited to this. Functional requirements may be placed directly.

  The security function requirement arrangement processing unit 403 reads each table stored in the security function requirement arrangement DB 41 (S2501), and stores each read table in the function requirement arrangement data area 443 in the memory 44. The tables read out here are the system element configuration table 51, the system network configuration table 52, and the security function requirement arrangement information table 111. Next, the security function requirement placement processing unit 403 acquires a security target to be placed according to the operator's instruction (S2502). Specifically, for example, the security function requirement arrangement processing unit 403 outputs a screen as shown in FIG. 26 and FIG. 27 to the output device 471 such as a display based on a predetermined format.

  FIG. 26 is a diagram illustrating a menu that can be instructed by an operator. In FIG. 26, the work screen 261 includes menus such as a file menu 2611 and an edit menu 2621. From the file menu 2611, a submenu of output 2612 and close 2613 can be selected. From the edit menu 2621, a submenu of security target selection 2622 can be selected. An output 2612 is a submenu for outputting information on the arrangement position of the security function requirement. Close 2613 is a submenu for ending the system security design support program.

  FIG. 27 is an example of a screen for allowing an operator to input a security target to which a security function requirement is to be placed. 27, the work screen 261 includes a main display unit 262, a sub display unit 263, and the like. The main display unit 262 displays information such as system schema information read out by the operation of S2501 described above, information for arranging a security target acquired by an operation described later, information indicating an arrangement position of a security function requirement, and the like. . The sub display unit 263 displays a tab for the security target 2631 and a table 2641 for storing information for arranging the security target. The table 2641 includes a security target field 2642, a threat field 2643, an agent field 2644, an asset field 2645, a countermeasure method field 2646, a type field 2647, and the like. In each of the threat field 2643, the agent field 2644, the asset field 2645, the countermeasure method field 2646, and the type field 2647, the threat, agent, asset, countermeasure method, and type corresponding to the security goal stored in the security goal field 2642 are stored. Stored.

  Note that the security goal stored in the security goal field 2642 of the table 2641 is the security goal selected in the operation described later. Information stored in each of the threat field 2643, the agent field 2644, the asset field 2645, the countermeasure method field 2646, and the type field 2647 corresponding to the security target field 2642 is later described from the security function requirement arrangement information table 111. Each of the threat 1112, the agent 1113, the asset 1114, and the countermeasure method 1115 corresponding to the security goal 1111 that matches the security goal selected by the action to be performed.

  The operator can use the input device 472 to instruct the arrangement of security function requirements by selecting one of the submenu and display content displayed on the work screen 261. In response to the instruction, the security function requirement arrangement processing unit 403 performs processing of S2503 and S2504, which will be described later, and outputs a screen shown as an example in the main display unit 262 of FIG. 27 to the output device 471 such as a display (S2506). ).

  When the worker selects the sub-menu “target security target selection 2622” using the input device 472 such as a mouse, the security function requirement placement processing unit 403 acquires the security goal to be placed according to the worker's instruction ( S2503), the acquired security target is stored in the functional requirement arrangement data area 443. Next, the security function requirement placement processing unit 403 obtains security target placement candidates, obtains the priority of each placement candidate according to the type of security target countermeasure method instructed by the worker, The location where the security target is actually arranged is acquired (S2504).

  The operations of S2503 and S2504 will be described in detail. When the submenu “target security target selection 2622” is designated, the security function requirement placement processing unit 403 reads the security goal 1111 from the security function requirement placement information table 111 stored in the function requirement placement data area 443, and selects a specific target. Based on the format, a table 281 shown in FIG. 28 is displayed on an output device 471 such as a display.

  In FIG. 28, a table 281 includes a security goal field 2811, an arrangement field 2812, a selection field 2813, and the like. The security goal field 2811 is a field for displaying a list of security goals, and the security goal contained in the field is a part or all of the security goal 1111 stored in the security function requirement arrangement information table 111. The arrangement field 2812 is a field for displaying information indicating whether or not the security target has been arranged. In the example of FIG. 28, the arrangement field 2812 indicates “already”, and no arrangement indicates “not yet”. . The selection field 2813 is a field for displaying a button for instructing a target security target.

  It should be noted that the worker may arrange all the security goals, or may arrange some of the security goals, but here, the worker shall arrange all the security goals.

  When the operator presses any one of the buttons displayed in the selection field 2813 of the table 281 illustrated in FIG. 28 using the input device 472, the security function requirement arrangement processing unit 403 corresponds to the pressed button. The security objective is the security objective to be deployed. Here, a case where the security target of “item number 1” in the table 281 shown in FIG. 28 as an example is selected will be described.

  After acquiring the security goal to be placed as described above, the security functional requirement placement processing unit 403 identifies a route from the location of the asset of the security goal to the location of the agent, and secures one or more locations on the route. It is acquired as a target placement candidate, and the priority of the security target placement candidate is obtained according to the type of countermeasure method for the security goal. Further, the security function requirement placement processing unit 403 acquires the position where the security target is actually placed according to the information input by the worker (S2504). This operation will be described in detail with reference to FIG. 29 and FIG. FIG. 30 is a diagram for explaining in detail the processing of S2914 in FIG.

  The security functional requirement arrangement processing unit 403 reads schema information from the system element configuration table 51 and the system network configuration table 52 in the functional requirement arrangement data area 443. Further, the security function requirement placement processing unit 403 reads threats, agents, assets, countermeasure methods, security function requirements, and the like corresponding to the selected security goal from the function requirement placement information table 111 in the function requirement placement data area 443. .

  As shown in FIG. 27, the security function requirement arrangement processing unit 403 displays the asset 1801 and the agent 1802 corresponding to the selected security goal on the main display unit 262 by mapping them on the system schema (S2911). ). Further, as shown in FIG. 27, the security function requirement arrangement processing unit 403 includes a table 2641 including, in the sub display unit 263, a selected security goal, a threat corresponding to the security goal, an agent, an asset, a countermeasure method, and the like. Is displayed (S2912).

  In the example of FIG. 27, the security function requirement arrangement processing unit 403 displays the schema as shown in the main display unit 262 of FIG. 27, and displays the agent 1802 for the target security target as the “user” of the device A211. The asset 1801 corresponding to the target security target is displayed on the DB layer of the device C222 as “WEB public information”.

  Next, the security function requirement arrangement processing unit 403 acquires the type of countermeasure method corresponding to the target security goal according to the information input by the worker (S2913). Specifically, for example, when the operator selects the type field 2647 of the table 2641 displayed on the sub display unit 263 by using the input device 472, the security function requirement arrangement processing unit 403 shows an example in FIG. The type 1211 of the arrangement rule table 121 shown is read from the storage device 43 and output to the output device 471 such as a display. When the operator selects any of the types 1211 in the arrangement rule table 121 shown in FIG. 12 using the input device 35, the security function requirement arrangement processing unit 403 selects the selected type as a countermeasure for the selected security target. The type of method. The security function requirement arrangement processing unit 403 displays the type of the selected countermeasure method in the type field 2647 of the table 2641 displayed on the sub display unit 263, and further stores it in the function requirement arrangement data area 443. Here, it is assumed that “unauthorized access prevention” of “item number 1” is selected as the type of countermeasure method.

  Next, the security function requirement placement processing unit 403 obtains security target placement candidates from the asset location corresponding to the selected security goal and the agent location corresponding to the target security goal, and the obtained placement candidate. The priority is determined on the basis of the placement rule table 121. The security function requirement placement processing unit 403 displays the security target placement candidate and the priority for each placement candidate on the main display unit 262 (S2914).

  Here, the operation of determining the priority of the placement target of the security target will be described in detail with reference to FIG. The security function requirement placement processing unit 403 selects a device layer on the schema having an asset corresponding to the security target as a placement candidate (S3011). Next, the security function requirement arrangement processing unit 403 selects another layer of the device having the asset as an arrangement candidate (S3012). Next, the security function requirement arrangement processing unit 403 refers to the system element configuration table 51 and the system network configuration table 52, and performs a route search from the device having the asset to the device with the agent to find all devices on the route. Acquired (S3013), and selects all layers of each device on the route as arrangement candidates (S3014).

  In order for the security function requirement arrangement processing unit 403 to search for a route from a device having an asset to a device having an agent, first, all routes having the device having the asset as a base point are specified, and then each of the specified By selecting a route from the route to the device with the agent, the corresponding route is searched. A specific example of this operation will be described by taking the case of “apparatus C222” having “WEB public information” as an example. For example, the security function requirement arrangement processing unit 403 reads the network connection destinations 151 “device B” and “device D” associated with the device 153 “device C” with reference to the system element configuration table 51. In accordance with this, the security function requirement arrangement processing unit 403 specifies the route “device B-device C” and the route “device D-device C”. Next, the security function requirement arrangement processing unit 403 acquires another device directly connected to each set route. Specifically, for example, the security function requirement arrangement processing unit 403 acquires all devices to which each of the network connection destinations 151 “device B” and “device D” is connected. For example, in order to select all devices directly connected to the route “device D-device C”, the security function requirement arrangement processing unit 403 refers to the system element configuration table 51 and corresponds to the device 153 “device D”. The attached network connection destination 151 “device B” and “device C” are read out. Next, the security function requirement arrangement processing unit 403 selects the devices included in the identified path among the read network connection destinations 151 “device B” and “device C”, that is, “device C” and “device C”. A device other than the directly connected devices (device B, device D) is selected. In this case, since there is no corresponding device, the security function requirement arrangement processing unit 403 ends the specification of the route “device C-device D”. Further, for example, in order to acquire all devices directly connected to the route “device B-device C”, the security function requirement arrangement processing unit 403 refers to the system element configuration table 51 and refers to the device 153 “device B”. The network connection destinations 151 “device A”, “device C”, and “device D” associated with are read out. Next, in the same manner as described above, the security function requirement arrangement processing unit 403, among the read network connection destinations 151 “device A”, “device C”, and “device D”, devices included in the already specified path, that is, A device other than devices (device B, device D) directly connected to “device C” and “device C” is selected. In this case, since the corresponding device is “device A”, the security function requirement arrangement processing unit 403 specifies the route “device A-device B-device C”. Next, the security function requirement arrangement processing unit 403 acquires all devices directly connected to the route “device A-device B-device C” in the same manner as described above. Specifically, for example, the system element configuration table 51 is referred to, and the network connection destination 151 “device B” associated with the device 153 “device A” is read. Next, the security function requirement arrangement processing unit 403 among the read network connection destination 151 “device B”, the devices included in the already specified path, that is, the devices directly connected to “device B” and “device B”. A device other than (Device A, Device C, Device D) is selected. In this case, since there is no corresponding device, the security function requirement arrangement processing unit 403 ends the specification of the route “device A-device B-device C”. The security function requirement arrangement processing unit 403 selects a route including the device with the agent from among the identified routes “device D-device C” and “device A-device B-device C”. In this case, since the device with the agent is “device A”, the route “device A-device B-device C” is selected as the corresponding route.

  Next, the security function requirement arrangement processing unit 403 refers to the arrangement rule table 121, and determines the priority of the arrangement candidate based on the type of countermeasure method acquired by the above-described processing (S3015). An example of the case where “unauthorized access prevention” is selected as the countermeasure method type will be described. The security function requirement placement processing unit 403 reads the placement rule “placement rule A (first rule) corresponding to the type from the placement rule table 121. Priority candidates): “Layers of devices with assets”, “Placement rule B (second priority candidates): Other layers of devices with assets” are read out. According to the read arrangement rule, the security function requirement arrangement processing unit 403 determines that “DB layer” of “device C222” having the asset 1801 “WEB public information” is “priority 1”, and “AP” of “device C222” “Layer” and “OS layer” are determined as “priority 2”.

  As shown in an example of the arrangement rule table 121 in FIG. 12, by assigning a security target to a certain layer of assets or another layer of the same device, it is possible to most effectively counter the threat caused by the agent. .

  Next, the security function requirement arrangement processing unit 403 displays the determined priority for each arrangement candidate on the schema of the main display unit 262 (S3016).

  In FIG. 27, the security function requirement placement processing unit 403 allows the worker to recognize placement targets for security targets such as “AP layer”, “DB layer”, “OS layer” of “device C222”, for example. Alternatively, the color of the arrangement candidate layer may be changed and displayed. In FIG. 27, priority 2701 is a display example of “priority 1”, and priority 2702 is a display example of “priority 2”.

  As described above, when the security target placement candidate and the priority for each placement candidate are acquired, the security function requirement placement processing unit 403 obtains the location where the security goal is actually placed according to the operator's instruction (S2915). It is stored in the functional requirement arrangement data area 443. Specifically, for example, when any one of the layers displayed on the main display unit 262 shown in FIG. 27 is selected, the security function requirement arrangement processing unit 403 sets the layer as a place where the security target is arranged. To do. The security function requirement placement processing unit 403 displays the placement so that the operator can recognize the placement as shown in the placement symbol 2703 of FIG. 27 at a location corresponding to the placement location acquired by the main display unit 262. .

  Note that the operator refers to the agent, asset, countermeasure method, and the like in the table 2641 displayed on the sub display unit 263 when selecting the layer where the security target is actually arranged, and counters the threat from the agent to the asset. It is advisable to select a layer that can be prevented, suppressed, detected, etc. according to the countermeasure method. In addition, the worker may refer to the priority displayed on the main display unit 262 and preferentially select a higher priority layer.

  Next, the security function requirement placement processing unit 403 stores in the function requirement placement data area 443 that the security function requirement corresponding to the security goal is placed in the layer where the security goal is placed (S2916).

  By performing the above-described processing for all the security goals, it is possible to acquire the arrangement positions of the security function requirements of the design target system 2.

  In FIG. 25, when the operator uses the input device 472 such as a mouse to instruct the submenu “output 2612”, the security function requirement arrangement processing unit 403 displays the security target arrangement candidates and the Information such as the priority of the arrangement candidate and the arrangement position of the security function requirement is output to a printer or other apparatus connected via the communication network (S2505), and the process returns to the input reception from the operator (S2502). This output may be output as a diagram as an example on the main display unit 262 of FIG. 27, and information such as security target placement candidates, priority of each placement candidate, placement location of security function requirements, etc. The data may be output in a table format according to a predetermined format. An example of output in tabular form is shown in FIG. In FIG. 31, a table 3101 is an example of information indicating a security target and an arrangement position of a security function requirement that realizes the security target. In the table 3101, security objectives and security functional requirements are written beside the layer indicating the arrangement position.

  In FIG. 25, when the operator uses the input device 472 such as a mouse to instruct the submenu “Close 2613”, the security function requirement arrangement processing unit 403 ends the process.

  The embodiment of the present invention has been described in detail with reference to the drawings. However, the specific configuration is not limited to this embodiment, and includes design changes and the like within a scope not departing from the gist of the present invention.

  For example, the types shown in FIG. 12 are examples, and other types may be used. Similarly, the arrangement rule shown in FIG. 12 is an example, and other arrangement rules may be determined. The arrangement rule may be determined according to, for example, an asset and the location of the asset, or an agent and the location of the agent.

  In the above-described embodiment, the tables in the security function requirement arrangement DB and the arrangement rule DB are stored in the storage device. However, the present invention is not limited to this. For example, reading and writing are performed by a disk drive device. You may store in the media to perform. Further, a part or all of the tables in the security function requirement arrangement DB and the arrangement rule DB may be stored in another device connected via a communication network.

  In addition, each unit in the CPU of the system security design support apparatus described above, and another apparatus having some or all of each DB and program in the storage device may execute a part of the above-described processing. Thereby, it becomes possible to perform the above-mentioned process simultaneously by a plurality of workers.

  In the above-described embodiment, the priority of the security function requirement is determined as the first priority candidate and the second priority candidate, but the number of priority determinations is arbitrary.

It is a figure explaining the outline | summary of one Embodiment of this invention. In the embodiment, it is a figure explaining the example of a structure of the design object system. In the same embodiment, it is a figure explaining a schema. 3 is a diagram illustrating a configuration example of a system security design support apparatus in the embodiment. FIG. 3 is a diagram illustrating an example of a system element configuration table and a system network configuration table in the embodiment. FIG. In the same embodiment, it is a figure which shows an example of an asset table. 5 is a diagram illustrating an example of an agent table in the embodiment. FIG. In the same embodiment, it is a figure which shows an example of a threat table. 5 is a diagram illustrating an example of a security target table in the embodiment. FIG. 5 is a diagram illustrating an example of a security function requirement table in the embodiment. FIG. In the same embodiment, it is a figure which shows an example of the information table for security function requirement arrangement | positioning. In the same embodiment, it is a figure which shows an example of an arrangement | positioning rule table. FIG. 6 is a diagram for explaining an operation example for acquiring schema information in the embodiment. In the embodiment, it is an example of a screen for inputting schema information. In the embodiment, it is an example of a screen for displaying a schema. FIG. 10 is a diagram for describing an operation example for acquiring arrangement information in the embodiment. In the same embodiment, it is an example of a screen for inputting arrangement information. In the same embodiment, it is an example of a screen for inputting arrangement information. In the same embodiment, it is an example of a screen for inputting arrangement information. In the same embodiment, it is an example of a screen for inputting arrangement information. In the same embodiment, it is an example of a screen for inputting arrangement information. In the same embodiment, it is an example of a screen for inputting arrangement information. In the same embodiment, it is an example of a screen for inputting arrangement information. FIG. 10 is a diagram for explaining an operation example of inputting arrangement information in the embodiment. In the same embodiment, it is an example of operation | movement which acquires the arrangement position of a security function requirement. In the embodiment, it is an example of a screen for inputting an arrangement position of security function requirements. In the embodiment, it is an example of a screen for inputting an arrangement position of security function requirements. In the embodiment, it is an example of a screen for inputting an arrangement position of security function requirements. In the same embodiment, it is an example of operation | movement which acquires the arrangement position of a security function requirement. In the same embodiment, it is an example of operation | movement which acquires the arrangement position of a security function requirement. In the embodiment, an example of outputting an arrangement position of security function requirements is shown.

Explanation of symbols

  5001: System basic design document, 5002: System security design, 5003: System security basic specification, 5101: TOE definition, 5102: Asset definition, 5103: Agent definition, 5104: Threat extraction, 5105: Security target derivation, 5106: Security Functional requirement derivation, 5107: Security basic specification creation, 2: Design target system, 21: User site, 22: Server site, 23: Intranet, 24: Internet, 211: Device A, 221: Device B, 222: Device C 223: Device D, 2221: WEB information DB, 40: System security design support device, 41: Security function requirement placement DB, 42: Placement rule, 43: Storage device, 44: Memory: 45: CPU, 46: Disk drive Device, 47: Output device connection unit, 48: network connection unit, 401: schema acquisition processing unit, 402: function requirement arrangement information acquisition processing unit, 403: security function requirement arrangement processing unit, 431: communication control program, 432: system security design support Program, 441: Schema data area, 442: Function requirement arrangement information acquisition data area, 443: Function requirement arrangement data area, 471: Output device, 472: Input device, 51: System element configuration table, 511: Domain, 512: Subsystem, 513: Device, 514: Layer, 515: Network connection destination, 52: System network configuration table, 521: Network, 522: Network connection destination, 61: Asset table, 611: Asset, 612: Location, 71: Agent Table, 711 Agent: 712: Location, 81: Threat table, 811: Threat, 91: Security goal table: 911: Security goal, 101: Security function requirement table, 1011: Security function requirement, 111: Security function requirement placement information table, 1111 : Security target, 1112: Threat, 1113: Agent, 1114: Asset, 1115: Countermeasure method, 1116: Security function requirement, 121: Placement rule table, 1211: Type, 1212: Placement rule A, 1213: Placement rule B, 141 : Work screen, 142: Main display section, 1411: File menu, 1421: Edit menu, 1412: Schema input end, 1413: Close, 1422: Add element, 1423: Delete element, 1424: Network 1425: Delete network, 1426: Domain, 1427: Subsystem, 1428: Device, 171: Work screen, 172: Main display, 1711: File menu, 1721: Edit menu, 1712: Information for placement End of input, 1713: Close, 1722: Add asset, 1723: Add agent, 1724: Add threat, 1725: Add security target, 1726: Add security functional requirement, 1727: Edit information for placement, 1801: Asset, 1802: Agent, 173: Sub display unit, 1731: Asset, 1732: Agent, 1733: Threat, 1734: Target, 1735: Functional requirement, 1736: Edit, 1737: Table display unit, 1741: Table, 1742: Table , 1743: Table 1744: table, 1745: table, 1746: table, 2301: security target field, 2302: threat field, 2303: agent field, 2304: asset field, 2305: countermeasure method field, 2306: security functional requirement field, 261: work Screen, 262: main display unit, 2611: file menu, 2621: edit menu, 2612: output, 2613: close, 2622: security target selection, 2701: priority, 2702: priority, 2703: arrangement symbol, 263: sub Display unit, 2631: Security goal, 2641: Table, 2642: Security goal field, 2643: Threat field, 2644: Agent field, 2645: Asset field, 646: countermeasure field, 2647: type field, 281: tables, 2811: security target field 2812: alignment field, 2813: selection field 3101: Table

Claims (8)

A security design support method for allocating security functional requirements to counter a threat assumed in a design target system including a plurality of devices,
A computer having storage means
A system configuration storage step of storing information indicating a system configuration of the design target system in the storage unit;
For each threat, the storage means stores security functional requirements that counter the threat, information that indicates the location of the agent that causes the threat, and information that indicates the location of the asset damaged by the agent. Information storage step for functional requirement placement;
An arrangement rule storage step for storing arrangement rule information indicating the priority of arrangement candidates for security function requirements in accordance with the location on the design target system in the storage unit;
Read the information indicating the location of the agent for each threat and the information indicating the location of the asset for each threat from the storage means, based on the information indicating the system configuration in the storage means for each of the threats, The route from the location of the agent causing the threat to the location of the asset damaged by the agent is identified, and one or more locations on the route are set as candidates for placement of security functional requirements to counter the threat. A placement candidate acquisition step;
A priority determination step of determining a priority for each of the security function requirement placement candidates based on the placement rule information read from the storage means;
A security design support method comprising: executing an output step of outputting the obtained security function requirement arrangement candidate and the priority for each candidate. A security design support method according to claim 1,
In the arrangement candidate acquisition step, a security design support method characterized in that, for each of the threats, a device having an asset damaged by the threat is set as an arrangement candidate of security function requirements that counters the threat. A security design support method according to claim 1 or 2,
In the arrangement candidate acquisition step, a security design support method characterized in that, for each of the threats, a hierarchy having an asset damaged by the threat is set as an arrangement candidate of security function requirements to counter the threat. A security design support method according to any one of claims 1 to 3,
In the placement candidate acquisition step, for each of the threats, the hierarchy of the design target system located on the path between the location of the agent causing the threat and the location of the asset damaged by the threat A security design support method characterized in that all or all of the hierarchy of devices located on the route are set as candidates for arrangement of security function requirements to counter the threat. A security design support method according to claim 3 or 4,
The security design support method, wherein the hierarchy is a physical hierarchy or a logical hierarchy. The security design support method according to claim 1, wherein:
The placement rule information indicates a priority according to a location on the design target system for each type of countermeasure method for each threat.
In the priority determination step, a priority is changed for each placement candidate of the security function requirement according to the type of countermeasure method for each of the threats. A security design support device that arranges security function requirements to counter threats assumed in a design target system including a plurality of devices,
System configuration storage means for storing information indicating a system configuration of the design target system;
Functional requirement arrangement information for storing security functional requirements for countering the threat, information indicating the location of the agent causing the threat, and information indicating the location of the asset damaged by the agent for each threat Storage means;
An arrangement rule storage unit that stores arrangement rule information indicating the priority of arrangement candidates for security function requirements according to the location on the design target system;
The information indicating the location of the agent for each threat and the information indicating the location of the asset for each threat are read from the information storage unit for functional requirement arrangement, and the system configuration in the system configuration storage unit for each of the threats The path from the location of the agent that causes the threat to the location of the asset damaged by the agent is identified based on the information indicating the security, and one or more locations on the path are security that counters the threat. An arrangement candidate acquisition means as an arrangement candidate for the functional requirement;
A priority determination unit that determines a priority for each allocation candidate of the security function requirement based on the allocation rule information read from the allocation rule storage unit;
Output means for outputting the obtained security function requirement placement candidates and the priority for each candidate;
A security design support apparatus comprising: A computer-readable security design support program that arranges security functional requirements to counter threats assumed in a design target system including a plurality of devices,
A computer having storage means
A system configuration storage step of storing information indicating a system configuration of the design target system in the storage unit;
For each threat, the storage means stores security functional requirements that counter the threat, information that indicates the location of the agent that causes the threat, and information that indicates the location of the asset damaged by the agent. Information storage step for functional requirement placement;
An arrangement rule storage step for storing arrangement rule information indicating the priority of arrangement candidates for security function requirements in accordance with the location on the design target system in the storage unit;
Read the information indicating the location of the agent for each threat and the information indicating the location of the asset for each threat from the storage means, based on the information indicating the system configuration in the storage means for each of the threats, The route from the location of the agent causing the threat to the location of the asset damaged by the agent is identified, and one or more locations on the route are set as candidates for placement of security functional requirements to counter the threat. A placement candidate acquisition step;
A priority determination step of determining a priority for each of the security function requirement placement candidates based on the placement rule information read from the storage means;
A security design support program that causes the computer to execute an output step of outputting the obtained security function requirement arrangement candidate and the priority for each candidate.

Images