WO2015177832A1 - Security measure determination assistance device and security measure determination assistance method - Google Patents

Publication number
WO2015177832A1
Authority
WO
WIPO (PCT)
Prior art keywords
countermeasure
security
information
safety
measure
Application number
PCT/JP2014/063158
Other languages
French (fr)
Japanese (ja)
Inventor
佑生子 松原
甲斐 賢
千秋 太田原
Original Assignee
株式会社 日立製作所
Application filed by 株式会社 日立製作所
Priority to PCT/JP2014/063158
Publication of WO2015177832A1

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06Q: INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q10/00: Administration; Management

Definitions

  • the present invention relates to a security measure determination support apparatus and a security measure determination support method.
  • a device has been proposed (Patent Literature 1) that has storage means for storing a correspondence table of threats and assets, indicating the correspondence between threats that cause changes and asset attributes, and a correspondence table of threats and countermeasures, indicating the possible measures for each threat; the device extracts the threats corresponding to attribute information, such as the types of components and operations in a diagnosis target system, using the correspondence table of threats and assets, and outputs a countermeasure corresponding to each threat.
  • in that approach, security measures are evaluated, and a proposal is made, on the basis of minimizing the costs of introducing and operating the security measures and suppressing the residual risks and derivative risks associated with implementing them.
  • an object of the present invention is to provide a technology that makes it possible to propose a security measure in consideration of the availability of a countermeasure target.
  • the present application includes a plurality of means for solving the above-described problems.
  • the security measure determination support device of the present invention comprises: a storage device that stores countermeasure information, including information on each threat that affects the security countermeasure target and on the security countermeasure candidates assumed to be applied to that threat, and safety requirement information, including information on the safety level of information security required for the security countermeasure target and the maintenance time of that safety level; and a computing device that collates a graphic area whose side lengths correspond to the magnitudes of the safety level and its maintenance time indicated by the safety requirement information with a graphic area whose side lengths correspond to the magnitudes of the safety level assumed to be reached by applying a security countermeasure candidate and the maintenance time of that reached safety level, as indicated by the information on the security countermeasure candidate in the countermeasure information, determines the cover state of the graphic area corresponding to the safety requirement information by the graphic area corresponding to the countermeasure information, generates an evaluation result for the security countermeasure candidate according to the cover state, and outputs it to an output device.
  • in the security measure determination support method of the present invention, a computer having a storage device that stores countermeasure information, including information on each threat that affects the security measure target and on the security countermeasure candidates assumed to be applied to that threat, and safety requirement information, including information on the safety level of information security required for the security measure target and the maintenance time of that safety level, executes a process of: collating a graphic area whose side lengths correspond to the magnitudes of the safety level and its maintenance time indicated by the safety requirement information with a graphic area whose side lengths correspond to the magnitudes of the reachable safety level assumed for application of a security countermeasure candidate and the maintenance time of that reached safety level, as indicated by the information on the security countermeasure candidate in the countermeasure information; determining the cover state of the graphic area corresponding to the safety requirement information by the graphic area corresponding to the countermeasure information; generating an evaluation result for the security countermeasure candidate according to the cover state; and outputting it to the output device.
  • The drawings show: an example of a network configuration including the security countermeasure determination support apparatus of this embodiment (FIG. 1); an example of the hardware configuration of the security countermeasure determination support apparatus; an example of the main flow of the security countermeasure determination support method; an example of the risk reference value table
  • Example 5 of the MS figure; Examples 1 and 2 of the DMS figure; Examples 1 and 2 of the MO area; Examples 1 and 2 of the EA area; and Examples 1 and 2 of the countermeasure model proposal table creation rule input screen in this embodiment.
  • FIG. 1 is a diagram illustrating an example of a network configuration including a security measure determination support apparatus 100 according to the present embodiment.
  • a security countermeasure determination support apparatus 100 shown in FIG. 1 is a computer that enables a security countermeasure proposal considering availability in a security countermeasure target system.
  • the security measure determination support apparatus 100 according to the present embodiment is connected via a network 20, so that it can communicate, to a user terminal 200 used by a designer of the security measure target system and a user terminal 250 used by a security expert.
  • These security countermeasure determination support device 100 and user terminals 200 and 250 can be defined as the security countermeasure determination support system 10.
  • as the security countermeasure target system, for example, a complex, large-scale power supply system including a plurality of servers such as information management servers, subsystems, meters, terminals, and the like is assumed.
  • a situation is assumed in which a security expert, at the request of the system designer described above, performs risk analysis of the target system based on the data flow diagrams (hereinafter referred to as DFD) of the target system, and uses the security measure determination support device 100 of the present embodiment via the user terminal 250 as a means of support in planning security measures.
  • Security experts need to plan not only security measures that become requirements for system development, but also emergency measures prepared in advance so that, when a risk occurs during system operation, system recovery and normal execution of the business flow can resume immediately.
  • a countermeasure group is defined as a combination of a plurality of security measures planned by the security expert using the security measure determination support apparatus 100 of the present embodiment on a predetermined scale based on a certain rule.
  • this countermeasure group is evaluated, and a countermeasure model is obtained by combining the countermeasure groups on a larger scale (the entire system) based on the evaluation result.
  • FIG. 2 is a diagram illustrating a hardware configuration example of the security measure determination support apparatus 100 according to the present embodiment.
  • the security measure decision support device 100 includes: a storage device 101 composed of an appropriate non-volatile storage element such as an SSD (Solid State Drive) or a hard disk drive; a memory 103 composed of a volatile storage element such as a RAM; the CPU 102 (arithmetic unit), which reads the program 102 stored in the storage device 101 into the memory 103 and executes it to perform various determinations, computations, and control processes; and a communication device 107 that performs communication processing with the user terminals 200 and 250.
  • the security measure determination support device 100 may include an input device 105 such as a keyboard and a mouse that receives input from the user, and an output device 106 such as a display and a speaker that outputs processing results.
  • the storage device 101 stores data 110 to 127 necessary for various processes in addition to the program 102 for implementing functions necessary for the security measure determination support device 100 of the present embodiment. Details of the data 110 to 127 will be described later.
  • the user terminals 200 and 250 have the same hardware configuration as a general computer and function as computer terminals.
  • --- Functional example of security measure decision support device ---
  • functions provided in the security measure determination support device 100 of this embodiment will be described. As described above, the functions described below can be said to be implemented by executing the program 102 provided in the security measure determination support apparatus 100, for example.
  • the security measure determination support apparatus 100 provides the functions of a communication unit 171, a registration unit 172, a measure list creation unit 173, an input unit 174, a measure evaluation unit 175, a measure model creation unit 176, and a specification entry unit 177.
  • the communication unit 171 is a function of controlling the communication device 107 to access the network 20 and performing communication processing with external devices such as the user terminals 200 and 250 according to the protocol of the network 20.
  • the registration unit 172 has a function of performing processing for registering data such as various tables and specifications acquired via the input device 105 or the communication device 107 in the storage area of the storage device 101.
  • the countermeasure list creation unit 173 is a function that performs security countermeasure planning processing based on the risk analysis result regarding the countermeasure target system obtained from the user terminal 250 of the security expert, for example.
  • the input unit 174 is a function that receives input of the above-described countermeasure group and countermeasure model creation rules from the input device 105, or from the user terminal 250 via the communication device 107, and stores the accepted creation rules in the memory 103 or the storage device 101.
  • the measure evaluation unit 175 is a function for evaluating the security measures planned by the measure list creation unit 173.
  • the measure evaluation unit 175 collates a graphic area whose side lengths correspond to the magnitudes of the safety level and its maintenance time indicated by a DFD risk reference value table 111 (safety requirement information), described later, with a graphic area whose side lengths correspond to the magnitudes of the safety level assumed to be reached by applying a security countermeasure candidate and the maintenance time of that reached safety level, as indicated by the information on security countermeasure candidates for the corresponding DFD in the countermeasure list 115 and the countermeasure list detail table 116 (both countermeasure information), described later. It thereby determines the cover state of the graphic area corresponding to the DFD by the graphic area corresponding to the security countermeasure candidate, generates an evaluation result for that candidate according to the cover state, and outputs it to the output device 106 or the user terminal 250.
  • the measure evaluation unit 175 may arrange on a predetermined time axis the side corresponding to the safety level maintenance time of the graphic area corresponding to the DFD and the side corresponding to the reached safety level maintenance time of the graphic area corresponding to a security countermeasure candidate for that DFD, and specify as the cover state the time zone, within the graphic area corresponding to the DFD, that is covered by the graphic area corresponding to the security countermeasure candidate, together with information on the area defined by the reached safety level in that time zone.
  • the countermeasure evaluation unit 175 may specify the above-described cover state by arranging the side corresponding to the safety level maintenance time of the graphic area corresponding to the DFD, and the side corresponding to the reached safety level maintenance time of the graphic area corresponding to the security countermeasure candidate for the DFD, with the start point placed at the time when the allowable recovery time indicated by the risk reference value table 111 of the corresponding DFD has elapsed since operation of the security countermeasure target stopped.
  • the countermeasure evaluation unit 175 may arrange on a predetermined time axis the side corresponding to the safety level maintenance time of the graphic area corresponding to the DFD and the sides corresponding to the reached safety level maintenance time of a plurality of graphic areas corresponding to security countermeasure candidates for the DFD, and specify as the cover state the time zone, within the graphic area corresponding to the DFD, that is covered by the plurality of graphic areas, together with information on the area defined by the overlap of the reachable safety levels indicated by the plurality of graphic areas in that time zone.
  • in the storage device 101, the information on security countermeasure candidates for the above-mentioned DFD may include countermeasures for development, applied when developing a system that is the security countermeasure target and operates constantly, and countermeasures for first aid, applied when a risk occurs during system operation. In that case, the countermeasure evaluation unit 175 may arrange on a predetermined time axis the side corresponding to the safety level maintenance time of the graphic area corresponding to the DFD and the side corresponding to the reached safety level maintenance time of the graphic area corresponding to the countermeasure information of at least one of the countermeasures for development and for first aid, and specify as the cover state the time zone, within the graphic area corresponding to the DFD, that is covered by that graphic area, together with information on the area defined by the reached safety level in that time zone.
  • the countermeasure model creation unit 176 is a function for creating a countermeasure model based on the evaluation result of the security countermeasures by the countermeasure evaluation unit 175.
  • the countermeasure model creation unit 176 receives a user request concerning security countermeasures from the input terminal 106, or from the user terminal 250 via the network 20, identifies the security countermeasure candidates whose evaluation results correspond to the conditions indicated by the user request, generates a countermeasure model from the identified security countermeasure candidates, and outputs the countermeasure model to the output device 106 or, via the network 20, to the user terminal 250.
  • the countermeasure model creation unit 176 may identify security countermeasure candidates in order of how closely their evaluation results correspond to the conditions indicated by the above-described user request, sequentially generate countermeasure models in that order, and output each countermeasure model to the output terminal 106 or, via the network 20, to the user terminal 250.
  • the specification entry unit 177 is a function that generates a document by automatically inserting the requirement definition of the countermeasure list designated for adoption from the input device 105 or the user terminal 250 into the corresponding portion of the specification file 127 stored in advance in the storage device 101.
  • the security measure determination support apparatus 100 having these functions 171 to 177 is a device that evaluates security measures based on information received from the system designer and the security specialist, formulates and presents a measure model, and automatically inserts the requirement definitions of the measure model to be adopted into specifications and outputs them.
  • --- Main flow example ---
  • Hereinafter, the actual procedure of the security measure determination support method in the present embodiment will be described with reference to the drawings.
  • Various operations corresponding to the security countermeasure determination support method described below are realized by a program 102 that the security countermeasure determination support apparatus 100 reads into the memory 103 and executes. And this program 102 is comprised from the code
  • FIG. 3 is a diagram showing an example of the main flow of the security measure determination support method in the present embodiment. In this flow, not only the processing of the security countermeasure determination support apparatus 100 but also the processing in the user terminals 200 and 250 that give information to the security countermeasure determination support apparatus 100 is also shown.
  • the user terminal 200 of the system designer transmits the DFD 110, the R_SL determination table 119, the R_TP, A_TP determination table 121, the R_TO, A_TO determination table 122, the DFD risk reference value table 111, the system cooperation WBS 123, and the application development WBS 124 to the security measure decision support apparatus 100 for registration, in accordance with an instruction from the system designer (S3401).
  • the communication unit 171 of the security measure determination support device 100 receives each of the above-mentioned data transmitted from the user terminal 200 and passes it to the registration unit 172, and the registration unit 172 stores it in the storage device 101 (S3402).
  • a security measure is evaluated by defining the concept (numerical index) of “measure strength”. This countermeasure strength is expressed by the following two values.
  • MO: The strength of the ability to maintain system operation (execution of business flow) in a certain security measure.
  • EA: The strength of a security measure that can withstand external attacks and execute business flows normally.
  • R_SL: A safety level that a business flow corresponding to a certain DFD should satisfy during normal operation.
  • R_TP: Time allowed for temporary suspension of the business flow corresponding to a certain DFD.
  • R_TO: Minimum operating time required for the business flow corresponding to a certain DFD.
  • A_SL: A safety level that a business flow can reach by implementing a certain security measure.
  • A_TP: Time required to prepare for implementation of a certain security measure.
  • A_TO: The duration of the effect of a certain security measure.
  • R_SL, R_TP, and R_TO are values determined so as to reflect the intention of the system designer, and A_SL, A_TP, and A_TO are values assigned by security experts, from an objective standpoint, to the security measures they have planned.
  • R_SL and A_SL are represented by integer values from “0” to “7”, and R_TP, R_TO, A_TP, and A_TO are represented by integer values from “1” to “10”.
  • R_SL, R_TP, and R_TO are referred to as risk reference values, and A_SL, A_TP, and A_TO are referred to as countermeasure reference values.
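As an added illustration (not code from the patent), the following Python example computes a cover state from the six reference values defined above. It assumes a time axis whose origin is the operation stop, a required rectangle spanning R_TP to R_TP + R_TO at height R_SL, candidate rectangles spanning A_TP to A_TP + A_TO at height A_SL, and, where several candidates are active at once, that the highest reached level applies; the names `Requirement`, `Candidate`, `cover_state` and all sample values are constructed.

```python
from dataclasses import dataclass

SL_RANGE = range(0, 8)     # R_SL / A_SL are integers 0..7 (per the page)
TIME_RANGE = range(1, 11)  # R_TP, R_TO, A_TP, A_TO are integers 1..10 (per the page)


def _check(sl, tp, to):
    """Reject reference values outside the scales the page defines."""
    if sl not in SL_RANGE:
        raise ValueError(f"safety level {sl} outside 0..7")
    if tp not in TIME_RANGE or to not in TIME_RANGE:
        raise ValueError(f"time value outside 1..10: {tp}, {to}")


@dataclass(frozen=True)
class Requirement:
    """Risk reference values of one DFD (hypothetical container)."""
    r_sl: int  # safety level the business flow must satisfy
    r_tp: int  # time the flow may stay suspended
    r_to: int  # minimum operating time required

    def __post_init__(self):
        _check(self.r_sl, self.r_tp, self.r_to)


@dataclass(frozen=True)
class Candidate:
    """Countermeasure reference values of one security countermeasure candidate."""
    measure_id: str
    a_sl: int  # safety level reached by the measure
    a_tp: int  # preparation time before the measure takes effect
    a_to: int  # duration of the measure's effect

    def __post_init__(self):
        _check(self.a_sl, self.a_tp, self.a_to)


def cover_state(req, candidates):
    """Overlay candidate rectangles on the required rectangle, one time unit at a time.

    Assumption: the required window starts once R_TP has elapsed, and each
    candidate is effective from A_TP for A_TO units. Reached levels above
    R_SL are capped, since they cover nothing beyond the requirement.
    """
    covered_slots, shortfall_slots, covered_area = [], [], 0
    for t in range(req.r_tp, req.r_tp + req.r_to):
        active = [c.a_sl for c in candidates if c.a_tp <= t < c.a_tp + c.a_to]
        level = min(max(active, default=0), req.r_sl)
        if active:
            covered_slots.append(t)      # some measure is in effect here
        if level < req.r_sl:
            shortfall_slots.append(t)    # requirement not fully met here
        covered_area += level
    return {
        "covered_slots": covered_slots,
        "shortfall_slots": shortfall_slots,
        "covered_area": covered_area,
        "required_area": req.r_sl * req.r_to,
        "fully_covered": not shortfall_slots,
    }


# Constructed sample values (not taken from the patent's figures).
REQ = Requirement(r_sl=5, r_tp=2, r_to=6)                        # window: t = 2..7
FIRST_AID = Candidate("S001", a_sl=3, a_tp=1, a_to=4)            # quick, weak, short
DEVELOPMENT = Candidate("S002", a_sl=6, a_tp=4, a_to=5)          # slow, strong, long

if __name__ == "__main__":
    for label, group in (("first aid only", [FIRST_AID]),
                         ("development only", [DEVELOPMENT]),
                         ("both", [FIRST_AID, DEVELOPMENT])):
        state = cover_state(REQ, group)
        print(f"{label}: {state['covered_area']}/{state['required_area']}, "
              f"shortfall at t={state['shortfall_slots']}")
```

With these sample values the slow but strong measure leaves the first two time units of the required window unmet, and adding the quick measure narrows that gap without closing it.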
  • the risk reference value is a value given to the information of the DFD 110 registered in the security measure determination support apparatus 100 by the system designer.
  • system cooperation WBS and application development WBS are created in the process of system security design, and are the predecessor of the overall development WBS and development policy definition document included in the final system design requirement definition group.
  • the DFD risk reference value table 111 described above is a collection of records in which the risk reference values R_SL, R_TP, and R_TO are associated with the ID (DFD_ID) of the corresponding DFD 110. Each risk reference value stored in the risk reference value table 111 is determined by the system designer's user terminal 200 using the determination tables shown in FIGS. 5, 7, and 8.
  • FIG. 5 is a diagram illustrating a configuration example of the R_SL determination table 119 in the present embodiment.
  • the value of R_SL in the present embodiment is determined by the user terminal 200 with reference to this R_SL determination table 119.
  • the R_SL determination table 119 is created mainly by the system designer, but may be created by a security expert or other related parties in consultation with the system designer.
  • the user terminal 200 collates the predicted impact (specified by the system designer) of the business flow corresponding to the DFD 100 stopping or operating abnormally, for example “injuring human life / body”, against the R_SL determination table 119, and determines the corresponding R_SL value, here “7”.
  • the system designer may input the value of R_SL with the input device of the user terminal 200.
  • FIG. 6 is an example of the A_SL determination table 120 in the present embodiment.
  • the security expert user terminal 250 refers to the A_SL determination table 120 to determine the value of A_SL.
  • the A_SL determination table 120 is created mainly by a security expert, but may be created in consultation with a system designer or other related parties.
  • the user terminal 250 determines the above-described value of A_SL by, for example, dividing it into levels according to the degree to which the normal state is recovered after the security measure is implemented. For example, for the risk that the encryption parameters of encrypted communication are leaked, if communication can be resumed as before by tracing and reinforcing the leak route and changing the encryption parameters, the degree of recovery is 100%; if a temporary measure is taken, such as using a password encryption means different from the conventional algorithm and sending the password by another route immediately after message transmission, the degree of recovery is 50%. In some cases, the parties need to reach consensus on the definition of the degree of recovery. The user terminal 250 receives a designation of the degree of recovery after implementation of the corresponding security measure from the system designer, collates this degree of recovery with the A_SL determination table 120, and determines the corresponding A_SL value.
  • FIG. 7 is a diagram illustrating a configuration example of the R_TP and A_TP determination table 121 in the present embodiment.
  • each value of R_TP and A_TP is determined by the system designer's user terminal 200 with reference to the R_TP and A_TP determination table 121.
  • the R_TP and A_TP determination table 121 is created mainly by the system designer, but may be created by a security specialist or other related parties in consultation with the system designer.
  • the user terminal 200 collates the time specified by the system designer, for example the time allowed for temporary suspension of the business flow or the time required to prepare a countermeasure, against the R_TP, A_TP determination table 121, and determines the corresponding R_TP and A_TP values.
  • FIG. 8 is a diagram illustrating a configuration example of the R_TO and A_TO determination table 122 in the present embodiment.
  • the values of R_TO and A_TO are determined by the system designer's user terminal 200 with reference to the R_TO and A_TO determination table 122.
  • the R_TO and A_TO decision table 122 is created mainly by the system designer, but may be created by a security expert or other related parties in consultation with the system designer.
  • the user terminal 200 collates, for example, the minimum operating time required for the business flow or the effective duration of the countermeasure specified by the system designer against the R_TO, A_TO determination table 122, and determines the corresponding R_TO and A_TO values.
  • A_TP and A_TO shall depend on the technical difficulty of countermeasures, the number of approved / known people, environmental facilities, etc.
  • the communication unit 171 of the security measure determination support apparatus 100 transmits to the security expert's user terminal 250 an arrival notification concerning the above-described data acquired in step S3401 and stored in the storage device 101 in step S3402 (S3403).
  • in response to the transmission of the arrival notification, the security countermeasure determination support apparatus 100 makes the DFD 110, the R_SL determination table 119, the R_TP, A_TP determination table 121, the R_TO, A_TO determination table 122, and the DFD risk reference value table 111 available for browsing from the user terminal 250.
  • the security measure determination support device 100 notifies the user terminal 250 of a URL indicating the storage location of the corresponding data in the storage device 101.
  • the user terminal 250 is notified of a password for accessing the data storage location.
  • the security expert operates the user terminal 250 to browse the above-described information presented by the security countermeasure determination support apparatus 100, that is, the DFD 110, the R_SL determination table 119, the R_TP, A_TP determination table 121, the R_TO, A_TO determination table 122, and the DFD risk reference value table 111, and performs risk analysis work based on that information.
  • the user terminal 250 provides such a general function for risk analysis to the security expert, and generates the risk analysis table 114 (S3404).
  • the security expert described above creates the countermeasure list table 115 on the user terminal 250 and, together with that creation work, carries out the work of determining the countermeasure reference values.
  • the user terminal 250 acquires the countermeasure list table 115 thus created and the countermeasure reference value information (S3405).
  • the user terminal 250 transmits the above-described risk analysis table 114, countermeasure list table 115, A_SL determination table 120 (previously held by the user terminal 250), and countermeasure reference values to the security countermeasure determination support apparatus 100 for registration (S3406).
  • the communication unit 171 of the security measure determination support apparatus 100 receives the risk analysis table 114, the measure list table 115, the A_SL determination table 120, and the measure reference values transmitted from the user terminal 250 and passes them to the registration unit 172, and the registration unit 172 stores the information in the storage device 101 (S3407).
  • the risk analysis table 114 described above is a table including at least the following data: the risk extracted at the time of risk analysis, with its content and required response level; information on the DFD of the business flow that causes the risk (hereinafter referred to as the target DFD); the information assets in the target DFD that give rise to the risk (protection target assets); threat analysis; vulnerability analysis; and risk evaluation results.
  • the above-mentioned required response level is a priority for preventing risk occurrence, and is a value determined by a security expert while consulting with the requester (system designer, etc.) as necessary.
  • in the threat analysis, results are compiled for each type of threat and each location (device, area, etc.) where the threat occurs, and information on the information assets targeted by the threat is always included.
  • the information assets targeted by a threat are extracted from the protection target assets in the target DFD information column.
  • in the vulnerability analysis, the results are summarized for each location where the vulnerability exists.
  • in the risk evaluation, the results are summarized for each location where the risk exists, and the risk level and the risk case ID are always included.
  • a risk case, as referred to above, is a risk occurrence situation that makes explicit the agent causing the risk, the vulnerability exploited, the location of occurrence, the threat, and so on, for example “an outsider who has entered the information management center exploits the vulnerability of administrator authority settings and alters the device ID”. Risk assessment is performed for each risk case. The risk level is the degree of influence of the risk case determined based on the results of threat analysis and vulnerability analysis.
  • the above-described countermeasure list 115 is a list in which the risk cases extracted in risk analysis are grouped by risk occurrence location and threat, the countermeasures for each are listed, and each countermeasure is given an ID (measure ID).
  • in the countermeasure list 115, a plurality of countermeasures may be listed for each risk case.
  • the security countermeasure with the ID “S003” is repeatedly described in two categories where the risk occurrence location is “information management server” and the threat is “spoofing” and “tampering”.
  • “information assets subject to threat” and “target DFD” in the risk column in the countermeasure list 115 can each be created by following “target information assets (multiple)” → “protection target asset” → “DFD_ID” in the risk analysis table 114 (FIG. 9).
  • the type of each countermeasure is described according to whether it belongs to functional countermeasures, operational countermeasures, or physical environmental countermeasures, and whether it falls under risk prevention, risk detection, risk reduction, or business recovery.
  • in the type item, in addition to functional, operational, and physical environmental measures, administrative measures, facility measures, and the like may be used, for example.
  • the subordinate items may be, for example, risk avoidance, separation, concentration (combination), and transfer.
  • the countermeasure list creation unit 173 of the security countermeasure determination support apparatus 100 creates the countermeasure list detail table 116 based on the risk analysis table 114, the countermeasure list 115, the A_SL determination table 120, and the countermeasure reference values obtained from the user terminal 250, and stores it in the storage device 101 (S3408).
  • FIG. 11 is a diagram showing a detailed flow example 1 of the security measure determination support method in the present embodiment.
  • the countermeasure list creation unit 173 of the security countermeasure determination support apparatus 100 refers to the risk reference value table 111 of the DFD and, from the risk reference values of the target DFDs described for each threat at each risk occurrence location in the countermeasure list 115, sets the maximum R_SL, the minimum R_TP, and the maximum R_TO in the countermeasure list detail table 116 as the risk reference values of the integrated DS diagram (S3501).
  • this integrated DS diagram is created by adopting the maximum R_SL, minimum R_TP, and maximum R_TO of each business flow when there are multiple business flows that are subject to security measures.
  • the DS diagram is a figure that represents, as a rectangular area, the dangerous state when security measures are not implemented for the business flow that is subject to certain security measures, with the vertical axis indicating the safety level (SL) of the target system and the horizontal axis indicating time.
  • the countermeasure list creation unit 173 of the security countermeasure determination support apparatus 100 refers to the R_SL of the corresponding threat (determined in S3501) for each countermeasure ID in the countermeasure list 115, applies this R_SL value to the A_SL calculation formula in the countermeasure reference value column (R_SL × 1.0 in the example of FIG. 13), and calculates the A_SL value of each countermeasure ID in the target reference value column of the countermeasure list detail table 116 (S3502).
  • the countermeasure list creation unit 173 of the security countermeasure determination support apparatus 100 sets, for each countermeasure ID in the target reference value column of the countermeasure list detail table 116, the A_SL obtained in step S3502 and the values of A_TP and A_TO quoted from the countermeasure reference values (acquired from the user terminal 250) stored in the storage device 101 (S3503).
  • the countermeasure list creation unit 173 of the security countermeasure determination support apparatus 100 refers to the countermeasure type table 112 for each of the countermeasure IDs described above, compares the risk reference value of the integrated DS diagram with the countermeasure reference value to determine the countermeasure type, and sets this countermeasure type and use in the corresponding columns in the countermeasure column of the countermeasure list detail table 116 (S3504).
  • the above-described countermeasure type table 112 is a table that classifies the security countermeasures shown in the countermeasure list 115 (FIG. 10) into 8 predetermined types (M1 to M8) from the viewpoints of safety, implementation speed, and sustainability.
  • “development” and “emergency” are also designated as security countermeasure applications for each of the types described above.
  • the communication unit 171 of the security measure determination support apparatus 100 transmits a notification of completion of creation of the measure list detail table 116 to the user terminal 200 of the system designer, and makes the measure list detail table 116 browsable from the user terminal 200 (S3409). This technique for enabling browsing is the same as that performed in accordance with the execution of step S3403 described above.
  • FIG. 13 shows an example of the countermeasure list detail table 116 created by the security countermeasure determination support apparatus 100 and made available for browsing by the user terminal 200.
  • the countermeasure list detail table 116 includes a risk reference value (a maximum value of R_SL, a minimum value of R_TP, a minimum value of R_TO in the target DFD) of an integrated DS diagram corresponding to a risk occurrence location and a threat classification. It is a maximum value, and is a table including each value of the countermeasure reference value for each countermeasure ID, the type, and the usage, obtained from the DFD risk reference value table 111 (FIG. 4).
  • the countermeasure type determination method will be described later in the description of FIG.
  • the system designer operates the user terminal 200, browses the above-described countermeasure list detail table 116, determines a countermeasure group creation rule, and performs an input operation with the input device.
  • the user terminal 200 accepts the input of the countermeasure group creation rule by the system designer described above via the countermeasure group creation rule input screen 1000 provided from the input unit 174 of the security countermeasure determination support apparatus 100. This is transmitted to the security measure decision support apparatus 100 (S3410).
  • FIG. 14 shows an example of the countermeasure group creation rule input screen 1000 in this embodiment.
  • a plurality of countermeasures in the countermeasure list 115 are combined based on a certain rule to form a countermeasure group.
  • This rule is specified by the operator of the security measure decision support apparatus 100 (for example, a system designer or a security expert who accesses via the user terminal) from the measure group creation rule input screen 1000.
  • as rule items for creating a countermeasure group, settings are accepted for each of the following: the number of basic elements serving as the basic value of the number of countermeasures combined, the minimum unit of the categories to which a countermeasure group applies (the range from which the individual countermeasures to be combined are selected), the selection condition of the countermeasure type, and whether countermeasures may be selected more than once from the same range (duplicate selection).
  • the rule item may be variously set depending on the case, for example, only measures against a specific risk ID are targeted.
  • the measure evaluation unit 175 of the security measure decision support device 100, having received the input of the measure group creation rule via the measure group creation rule input screen 1000 described above, creates the countermeasure group evaluation table 117 (FIG. 17) based on this rule and the measure list detail table 116 saved in its own storage device 101, and stores it in the storage device 101 (S3411).
  • FIG. 15 is a diagram illustrating a detailed flow example 2 of the security measure determination support method according to the present embodiment.
  • the countermeasure evaluation unit 175 of the security countermeasure determination support apparatus 100 creates a plurality of countermeasure groups and countermeasure group IDs for each risk occurrence location and threat category according to the above-described countermeasure group creation rules, that is, it lists all combinations of countermeasures possible under the corresponding rules and sets them in the countermeasure group evaluation table 117 (FIG. 17) together with the implementation type and use of each countermeasure (S3601).
  • the above-described implementation type is specified based on the countermeasure implementation type table 113 illustrated in FIG.
  • the measure implementation type table 113 in the present embodiment defines the implementation type for the measures classified in the measure type table 112 (FIG. 12).
  • the validity period of M2, M4, M6, and M8 is limited.
  • the countermeasure evaluation unit 175 of the security countermeasure determination support apparatus 100 calculates the MO value for each countermeasure group and sets it as the value in the MO column in the evaluation column of the countermeasure group evaluation table 117 (S3602). Further, the countermeasure evaluation unit 175 of the security countermeasure determination support device 100 obtains the standard deviation of the MO value corresponding to the countermeasure group ID within the category for each threat at the risk occurrence location, and sets it as the standard deviation value of the MO column in the evaluation column of the countermeasure group evaluation table 117 (S3603).
  • the countermeasure evaluation unit 175 of the security countermeasure determination support apparatus 100 calculates an EA value for each countermeasure group and sets it as the value of the EA column in the evaluation column of the countermeasure group evaluation table 117 (S3604). Further, the countermeasure evaluation unit 175 of the security countermeasure determination support apparatus 100 obtains the standard deviation of the EA value corresponding to the ID of the countermeasure group within the category for each threat at the risk occurrence location, and sets it as the standard deviation value of the EA column in the evaluation column of the countermeasure group evaluation table 117 (S3605).
  • a dangerous state when the measure is not taken is represented by R_SL × (R_TP + R_TO), where the vertical axis represents the system safety level (SL) and the horizontal axis represents time, and is referred to as a DS diagram.
  • the DFD information obtained from the system designer's user terminal 200 includes the values of R_SL, R_TP, and R_TO of the business flow supported by each DFD.
  • the security measure determination support apparatus 100, based on the above R_SL, R_TP, and R_TO values obtained from the user terminal 200, sets the point at which the R_TP time has elapsed from the origin on the time axis (in FIG. 18, the position of time “3”) as the start point of R_TO, and generates a rectangular area 500 in which the R_SL level (in FIG. 18, level “6”) is associated with the duration of this R_TO (in FIG. 18, the time period of 8 hours extending from time “3” to time “11”).
  • the above-described rectangular area 500 can be specified by the coordinates of the position of each vertex 505 of the rectangular area 500 on the coordinate space 503 defined by the time axis 501 and the safety level axis 502.
  • the security measure decision support apparatus 100 stores the above-described set of values of the position coordinates of each vertex 505 in the memory 103 or the storage device 101 as information indicating the rectangular area 500 (graphic area) corresponding to each DS diagram.
  • the DS diagram is created by adopting the maximum R_SL, the minimum R_TP, and the maximum R_TO of each business flow. This is also referred to as an integrated DS diagram 2200.
  • the degree of safety when security measures are implemented in the business flow to be taken as a countermeasure is represented, with the vertical axis representing the system safety level (SL) and the horizontal axis representing time, by a rectangular area 600 of A_SL × A_TO starting from the time point when A_TP has elapsed from time 0 (the system stop time), and this is called an MS diagram.
  • the calculation formula of A_SL and the values of A_TP and A_TO are simultaneously given.
  • the security measure determination support apparatus 100 creates an MS diagram based on the calculation formula of A_SL and the values of A_TP and A_TO given from the user terminal 250. Note that the value of A_SL depends on the value of R_SL of the business flow to be subjected to security countermeasures (described in the description of FIG. 13).
  • the security measure determination support apparatus 100 calculates the value of A_SL by applying the value of R_SL of the business flow to the above-described calculation formula of A_SL obtained from the user terminal 250 and, based on each value of A_SL, A_TP, and A_TO, sets the point at which the A_TP time has passed from the origin on the time axis 601 (the position of time “2” in FIG. 23) as the start time point of A_TO, and generates a rectangular area 600 in which the level of A_SL (level “7” in FIG. 23) is associated with the duration of A_TO (in FIG. 23, the 10 hours from time “2” to time “12”).
  • the above-described rectangular area 600 can be specified by the coordinates of the position of each vertex 605 of the rectangular area 600 on the coordinate space 603 defined by the time axis 601 and the safety level axis 602.
  • as the coordinates (time, safety level) of the position of each vertex, (2, 0), (2, 7), (12, 7), and (12, 0) are obtained.
  • the security measure determination support apparatus 100 stores the set of the coordinates of the position of each vertex 605 described above in the memory 103 or the storage apparatus 101 as information indicating the rectangular area 600 (graphic area) corresponding to each MS diagram.
  • the value of A_SL is the case where a countermeasure is applied to the business flow that is the creation source of the integrated DS diagram 2200 of FIG.
  • the concept of development and emergency security measures in this embodiment will be described.
  • when the safety and sustainability expected after implementing security measures exceed the safety level to be met during normal operation of the business flow to which the security measures are applied and the required minimum operating time, the security measures are treated as security measures for development. That is, in the superimposition of the integrated DS diagram 2200 of business flows to which security measures are applied and the MS diagram, security measures satisfying A_SL ≥ R_SL and A_TO ≥ R_TO are set as security measures for development. In addition, security measures that do not satisfy this requirement are used as emergency security measures. However, security measures for development can also be used for emergency use.
  • when the integrated DS diagram 2200 of the business flow to which the security measures are applied is as shown in FIG. 22, the security measures shown in the MS diagrams 2400, 2500, and 2600 in FIGS. 24, 25, and 26 are for emergency use, and the security measure shown in the MS diagram 2700 is for development.
  • the security countermeasure determination support apparatus 100 uses a diagram obtained by superimposing the MS diagram of each countermeasure that is an element of the countermeasure group on the DS diagram or integrated DS diagram of the target business flow. This figure is called a DMS diagram.
  • when creating this DMS diagram, the security measure decision support apparatus 100, when all the elements of the measure group are emergency measures, overlays the MS diagram of each measure and the DS diagram or the integrated DS diagram of the business flow to be applied as they are. In this superposition process, the values of the coordinates of the positions of the vertices held for the MS diagram, DS diagram, or integrated DS diagram are read from the memory 103 or the storage device 101, the rectangular region 500 of the DS diagram or integrated DS diagram and the rectangular area 600 of the MS diagram are generated, and processing for superimposing the rectangular areas 500 and 600 on the time axis 701 is performed. The generation and superimposition processing of the rectangular areas 500 and 600 may be performed using an existing drawing program. The result of the drawing process may be displayed on the output device 106, the user terminals 200, 250, and the like.
  • the security countermeasure determination support apparatus 100 performs the above overlay process on the time axis 701 for the MS diagram of each countermeasure and the DS diagram or the integrated DS diagram of the business flow to be applied, in a state where the start times of R_TO and A_TO are aligned.
  • FIG. 28 is an example of the DMS diagram 2800 in the case where a countermeasure is applied to the business flow from which the countermeasure group having elements of FIG. 24, FIG. 25, and FIG.
  • FIG. 29 is an example of the DMS diagram 2900 in the case where a countermeasure is applied to the business flow from which the countermeasure group having elements of FIG. 24, FIG. 25, and FIG. .
  • the security measure determination support apparatus 100 calculates the area occupied by the A_SL × A_TO portion of the applied MS diagram within the range of R_SL × R_TO of the applied DS diagram in the above DMS diagram. Hereinafter, this is referred to as an MO area.
  • the location where the coordinate range of the rectangular region 500 (DS diagram), that is, the coordinate range of the area closed by the four vertices 505, matches the coordinate range of each of one or more rectangular regions 600 (MS diagram), that is, the coordinate range of the area closed by each vertex 605, is specified, and the area of the region connecting the vertex coordinates of the corresponding location is calculated.
  • An existing algorithm may be adopted as the method for calculating the area of the polygon closed at the vertex.
  • FIG. 30 is an example of a diagram showing a corresponding portion 700 of the MO area in the DMS diagram 2800 of FIG.
  • FIG. 31 is an example of a diagram showing a corresponding portion 700 of the MO area in the DMS diagram 2900 of FIG. The MO value is calculated based on this MO area.
  • the security measure determination support apparatus 100, when all the elements of the measure group are emergency measures, calculates the total area occupied by the A_SL × (A_TP ⁇ A_TO) portion of each applicable MS diagram within the range of R_SL × (R_TP ⁇ R_TO) of the applied DS diagram in the above DMS diagram.
  • the security countermeasure determination support apparatus 100 calculates the total area occupied by the A_SL × A_TO portion of each applied MS diagram within the range of R_SL × R_TO of the applied DS diagram in the above DMS diagram. Hereinafter, this is called an EA area.
  • FIG. 32 is an example of a diagram showing a corresponding portion 800 of the EA area in the DMS diagram 2800 of FIG.
  • FIG. 33 is an example of a diagram showing a corresponding portion 800 of the EA area in the DMS diagram 2900 of FIG. The EA value is calculated based on this EA area.
  • the countermeasure group evaluation table 117 includes Not set.
  • the function of the safety level of the applied DS diagram within the R_TP time and the function of the safety level of the applied MS diagram outside the R_TP time are f (x), and the function of the safety level of the applied MS diagram is g (x).
  • the formula for calculating the EA value for development is The formula for calculating the MO value for emergency use is The formula for calculating the MO value for development is Can be expressed.
  • Calculating the EA value has the effect of quantifying the degree of risk coverage that can be realized by the implementation of the countermeasure group, and obtaining the MO value has the effect of quantifying the robustness of the countermeasure of the countermeasure group.
  • obtaining each standard deviation has the effect of making it possible to rank the countermeasure groups by the magnitude of the EA value and the MO value.
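The DS/MS rectangle construction, the development/emergency split, and the covered-area calculation described above can be worked through in code. The following is an added example, not code from the patent: the function names are hypothetical, the comparison is read as "at least", and the "total area" is read as the union of the measures' rectangles clipped to the DS rectangle, which is an assumption because the page's own EA and MO formulas are not reproduced in this text.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rect:
    """Rectangle on the (time, safety level) plane, resting on SL = 0."""
    start: float  # time at which the level begins to hold
    end: float    # start + maintenance time
    level: float  # safety level held over [start, end]

    def vertices(self):
        """Vertex coordinates as (time, safety level), as stored per diagram."""
        return [(self.start, 0), (self.start, self.level),
                (self.end, self.level), (self.end, 0)]


def ds_rect(r_sl, r_tp, r_to):
    """DS diagram: level R_SL over R_TO, starting R_TP after time 0."""
    return Rect(r_tp, r_tp + r_to, r_sl)


def ms_rect(a_sl, a_tp, a_to):
    """MS diagram: level A_SL over A_TO, starting A_TP after time 0."""
    return Rect(a_tp, a_tp + a_to, a_sl)


def integrated_ds(flows):
    """Integrated DS diagram over several business flows given as
    (R_SL, R_TP, R_TO): maximum R_SL, minimum R_TP, maximum R_TO."""
    flows = list(flows)
    return ds_rect(max(f[0] for f in flows),
                   min(f[1] for f in flows),
                   max(f[2] for f in flows))


def usage(ds, ms):
    """'development' if A_SL >= R_SL and A_TO >= R_TO, else 'emergency'."""
    meets_level = ms.level >= ds.level
    meets_time = (ms.end - ms.start) >= (ds.end - ds.start)
    return "development" if meets_level and meets_time else "emergency"


def covered_area(ds, measures, align_start=False):
    """Area of the DS rectangle covered by the union of the MS rectangles.

    align_start=True places every A_TO at the start of R_TO before
    overlaying; False overlays the diagrams as they are.
    """
    if align_start:
        measures = [Rect(ds.start, ds.start + (m.end - m.start), m.level)
                    for m in measures]
    clipped = []
    for m in measures:
        s, e = max(m.start, ds.start), min(m.end, ds.end)
        if s < e:
            clipped.append((s, e, min(m.level, ds.level)))
    # Sweep the time axis between consecutive edges; in each slice the
    # covered height is the highest clipped level among active measures.
    cuts = sorted({ds.start, ds.end,
                   *(c[0] for c in clipped), *(c[1] for c in clipped)})
    area = 0.0
    for left, right in zip(cuts, cuts[1:]):
        active = [lvl for s, e, lvl in clipped if s <= left and right <= e]
        if active:
            area += (right - left) * max(active)
    return area


def coverage_ratio(ds, measures, align_start=False):
    """Covered area as a fraction of the whole DS rectangle."""
    return covered_area(ds, measures, align_start) / (
        (ds.end - ds.start) * ds.level)


if __name__ == "__main__":
    ds = ds_rect(6, 3, 8)        # values quoted for FIG. 18
    ms = ms_rect(7, 2, 10)       # values quoted for FIG. 23
    print(ms.vertices(), usage(ds, ms), covered_area(ds, [ms]))
    # Constructed emergency measures, not taken from the patent figures.
    group = [ms_rect(4, 5, 4), ms_rect(5, 8, 6)]
    print([usage(ds, m) for m in group], covered_area(ds, group),
          coverage_ratio(ds, group))
```

With two overlapping measures the union (27) is smaller than the sum of the individual overlaps (31), which is why the reading of "total area" matters when comparing countermeasure groups.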
  • the communication unit 171 of the security measure determination support apparatus 100 transmits a measure evaluation completion notification to the user terminal 200 of the system designer, and makes the risk analysis table 114, the measure list 115, and the measure list detail table 116 browsable (S3412). This technique for enabling browsing is the same as that performed in accordance with the execution of steps S3403 and S3409 described above.
  • FIG. 17 shows an example of the countermeasure group evaluation table 117 that can be viewed on the user terminal 200 in this way.
  • the countermeasure group evaluation table 117 is provided with columns for the plurality of countermeasure groups created for each risk occurrence location and threat category according to the rules input from the countermeasure group creation rule input screen 1000 (FIG. 14), and for their evaluation.
  • Each countermeasure group is associated with the countermeasure ID of the combined countermeasure, the implementation type, the usage, the MO value and the EA value, and each standard deviation value within the category using the countermeasure group ID as a key.
  • the system designer determines the countermeasure model proposal table creation rule from the design policy or the like, and inputs it with the input device of the user terminal 250.
  • the user terminal 250 receives the input of the above-described countermeasure model proposal table creation rule via the countermeasure model proposal table creation rule input screen 1100 obtained from the input unit 174 of the security countermeasure decision support device 100, and transmits it to the countermeasure determination support apparatus 100 (S3413).
  • FIGS. 34 and 35 show specific examples of the countermeasure model proposal table creation rule input screen 1100.
  • FIG. 34 shows an example of an input screen 1100 for proposing a countermeasure model for development, and FIG. 35 shows an example of an input screen 1100 for proposing an emergency countermeasure model.
  • a plurality of countermeasure groups described in the countermeasure group evaluation table 117 are combined based on a certain rule to form a countermeasure model. The screen that accepts the input of this rule is the countermeasure model proposal table creation rule input screen 1100.
  • the rule items include a “use” column for designating whether the countermeasure model is for development or emergency, a “priority measures to be prioritized” column for selecting whether to focus on the MO area or the EA area, and a “suggested options” column.
  • the “proposed option” column is a column for setting additional conditions such as “there is little risk that cannot be covered” and “the time until R_SL is achieved”. Note that such rule items are not limited to the above-described example, and may be variously set according to the case, for example, the number of elements of the countermeasure model is small.
  • the countermeasure model creation unit 176 of the security countermeasure determination support apparatus 100, following the countermeasure model proposal table creation rule (obtained in the above-described step S3413), creates the countermeasure model proposal table 118 by determining the priority order for the risk occurrence locations and threat categories in the countermeasure group evaluation table 117 in descending order of the standard deviation of the EA value and the MO value (S3414).
  • FIG. 36 is a diagram illustrating a detailed flow example 3 of the security measure determination support method according to the present embodiment.
  • the countermeasure model creation unit 176 of the security countermeasure determination support apparatus 100, for each category of threat at the risk occurrence location in the countermeasure group evaluation table 117 (FIG. 17), numbers each countermeasure group ID as 1, 2,... in order of increasing standard deviation of the MO value within the category (S3701).
  • the countermeasure model creation unit 176 of the security countermeasure determination support apparatus 100, for each category of threat at the risk occurrence location in the countermeasure group evaluation table 117, numbers each countermeasure group ID in the order 1, 2, ... according to the standard deviation of the EA value within the category (S3702).
  • the countermeasure model creation unit 176 of the security countermeasure determination support apparatus 100 refers to the countermeasure list 115 for each category of the risk occurrence location in the countermeasure group evaluation table 117, and lists, for each countermeasure group ID, the risk cases that cannot be covered by the countermeasure group (S3703).
  • the countermeasure model creation unit 176 of the security countermeasure determination support apparatus 100, following the countermeasure model proposal table creation rule, takes the standard deviation numbers of the EA value and the MO value for each threat at the risk occurrence location in the countermeasure group evaluation table 117 in ascending order, and compiles the countermeasure model proposal table 118 from the countermeasure group IDs having the same number (S3704).
  • FIG. 37 is a diagram showing an example of the countermeasure model proposal table 118 in the present embodiment.
  • a plurality of countermeasure groups are combined for each location where a risk occurs, that is, where countermeasures are implemented, to create a countermeasure model for the entire system.
  • a plurality of countermeasure models themselves are created, given item numbers, and presented to the requester (system designer, etc.).
  • the configuration includes each value of the location of security countermeasures, a summary of IDs of security countermeasures to be adopted, the risk number and threat to be subjected to security countermeasures, the countermeasure group ID to which the security countermeasures to be adopted belong, the countermeasure ID (new and existing), and risk cases that cannot be covered.
  • the communication unit 171 of the security measure determination support device 100 transmits a measure model proposal table creation completion notification to the user terminal 200 of the system designer, and enables the user terminal 200 to view the measure model proposal table 118 ( S3415).
  • the technique for enabling browsing is the same as that performed in accordance with the execution of steps S3403, S3409, and S3412 described above.
  • the user terminal 200 of the system designer receives the above-described countermeasure model proposal table 118, displays it on the output device, and provides it for viewing by the system designer.
  • the system designer who has viewed the countermeasure model proposal table 118 determines a countermeasure model to be adopted after conducting various examinations such as implementation costs, and inputs the number of the corresponding countermeasure model with the input device of the user terminal 200.
  • the user terminal 200 receives the number of the countermeasure model designated by the system designer by the input device, and transmits it to the security countermeasure determination support device 100 (S3416).
  • the input unit 174 of the security countermeasure determination support apparatus 100 receives the above-described countermeasure model number from the user terminal 200 and stores it in the memory 103 or the storage device 101 (S3417).
  • the specification entry unit 177 of the security measure determination support device 100 calls the system cooperation WBS 123 and the application development WBS 124 from the storage device 101, and generates the specifications 127 by inserting the details of the requirement definition and design related to the measure model corresponding to the number received from the user terminal 200 into the corresponding places in the two documents (system cooperation WBS 123 and application development WBS 124) (S3418).
  • the countermeasure model information 1800 corresponding to the underlined portion in the column “1.4. Security countermeasure mechanism” is inserted into the insertion location 1801.
  • the communication unit 171 of the security measure determination support device 100 transmits a specification entry completion notification to the system designer's user terminal 200, makes the completed specification 127, that is, the completed system cooperation WBS 123 and the application development WBS 124, viewable on the user terminal 200 (S3419), and the process ends.
  • the technique for enabling browsing is the same as that performed in accordance with the execution of steps S3403, S3409, S3412, and S3415 described above.
  • each of the above-described configurations, functions, processing units, processing means, and the like may be realized by hardware by designing a part or all of them, for example, with an integrated circuit.
  • Each of the above-described configurations, functions, and the like may be realized by software by the CPU 104 interpreting and executing a program that realizes each function.
  • Information such as programs, tables, and files for realizing each function can be stored in a recording device such as a memory, a hard disk, an SSD (Solid State Drive), or a recording medium such as an IC card, an SD card, or a DVD.
  • control lines and information lines indicate what is considered necessary for the explanation, and not all the control lines and information lines on the product are necessarily shown. Actually, it may be considered that almost all the components are connected to each other.
  • in the determination of the cover state of the graphic region corresponding to the safety requirement information by the graphic region corresponding to the countermeasure information, the arithmetic device may arrange, on a predetermined time axis, the side corresponding to the maintenance time of the safety level in the graphic area corresponding to the safety requirement information and the side corresponding to the maintenance time of the reached safety level in the graphic area corresponding to the countermeasure information, and specify as the cover state the information on the area, among the graphic areas corresponding to the safety requirement information, defined by the time zone covered by the graphic area corresponding to the countermeasure information and the reachable safety level in that time zone.
  • according to this, it is possible to perform processing such as calculating the area of the overlapping area between the graphic areas corresponding to the safety requirement information and the countermeasure information and presenting the information of the calculated value, that is, the cover state, to the user as reference information for determining the security countermeasure. The information of the calculated value presented here corresponds to the time during which the security countermeasure target system is restored by performing security countermeasures and the operation is maintained at a predetermined safety level, that is, availability. Therefore, the user can easily perform the work of comparing the above-mentioned calculated values between the security countermeasure candidates and preferentially determining a security measure with high availability, that is, a large calculated value.
  • the arithmetic unit may determine the graphic corresponding to the safety requirement information in the determination of the cover state of the graphic region corresponding to the safety requirement information by the graphic region corresponding to the countermeasure information.
  • the safety request information indicates, on the predetermined time axis, an edge corresponding to the maintenance time of the safety level in the area and an edge corresponding to the maintenance time of the reached safety level in the graphic area corresponding to the countermeasure information. It is characterized in that the cover state is specified by arranging a point in time when an allowable recovery time has passed since the operation stop of the security countermeasure target as a starting point.
  • the security measure is determined as the cover state under the situation where the security measure is applied according to the start of operation of the corresponding system.
  • the area of the overlapping area between the graphic areas corresponding to the safety requirement information and the countermeasure information is calculated as the cover state information and presented to the user as reference information for determining the security countermeasure.
  • the arithmetic unit may determine the graphic corresponding to the safety requirement information in the determination of the cover state of the graphic region corresponding to the safety requirement information by the graphic region corresponding to the countermeasure information.
  • An edge corresponding to the maintenance time of the safety level and an edge corresponding to the maintenance time of the reachable safety level among the plurality of graphic areas corresponding to the countermeasure information are arranged on a predetermined time axis.
  • the time zone covered by a plurality of graphic regions corresponding to the countermeasure information among the graphic regions corresponding to the safety requirement information and the overlap of the reachable safety level indicated by the plurality of graphic regions in the time zone It is good also as what specifies the information of the area
  • an area covered by a plurality of graphic areas defined by the maintenance time and the reached safety level indicated by the countermeasure information, that is, information on the time zone in which a plurality of security measures are applied at the same time and on the safety level in that time zone, can be presented to the user as reference information for determining the security measures.
  • the area of the overlapping area between the plurality of graphic areas is calculated as cover state information and presented to the user as reference information for determining security measures.
  • the storage device is applied as a security measure candidate information in the measure information, and is a development measure that is constantly applied and applied during development of the system that is the security measure target.
  • a measure for emergency measures that are applied at the time of risk occurrence during system operation and aiming at functional recovery, and the calculation device is based on a graphic area corresponding to the measure information, In the determination of the cover state of the graphic area corresponding to the safety requirement information, the edge corresponding to the maintenance time of the safety level in the graphic area corresponding to the safety requirement information, and the measures for development and the measures for emergency measures Of the graphic area corresponding to at least one of the countermeasure information of A time zone covered by a graphic area corresponding to the countermeasure information of at least one of the countermeasures for development and the countermeasures for first aid, among the graphic areas corresponding to the safety requirement information, arranged on the axis, and It is good also as specifying the information of the area
  • an emergency phase in which the security target system can be recovered from a stopped state in the shortest possible time even if the safety level indicated by the safety requirement information is not completely satisfied, and the safety level indicated by the safety requirement information is completely satisfied.
  • the normal phase that is normally operated
  • the emergency measures are set for the emergency phase in the time zone within the predetermined time from the stop state
  • the normal phase is Can set a countermeasure for development and specify the above-described cover state.
  • the arithmetic device accepts a user request related to a security measure at an input device, and among the security measure candidates, is an evaluation result corresponding to a condition indicated by the user request.
  • a process of generating a security countermeasure model from the identified security countermeasure candidates and outputting the countermeasure model to an output device may be further executed.
  • the use of security measures (e.g., emergency measures or development measures)
  • the priority of security measures to be prioritized, e.g., corresponding to measure information in the graphic area corresponding to safety requirement information
  • the computing device specifies the security measure candidates in order of the degree of correspondence of the evaluation result to the condition indicated by the user request when generating and outputting the security measure model
  • the security countermeasure models may be sequentially generated using the security countermeasure models in order of the degree of correspondence to the user request conditions, and each security countermeasure model may be output to an output device.
  • the storage device further stores specification data of a system that is a security measure target, and the arithmetic device is employed in accordance with output processing of the security measure model.

Abstract

The present invention enables one to propose security measures taking into account the availability of the subject to which these measures are applied. A security measure determination assistance device (100) is provided with a calculation device (104) which: compares a graphic region corresponding to security requirement information with a graphic region corresponding to measure information, wherein the graphic region corresponding to the security requirement information has side lengths, each corresponding to a security level, or the amount of time for which the security level should be maintained, indicated by the security requirement information, and wherein the graphic region corresponding to the measure information has side lengths, each corresponding to either a security level estimated to be attained by application of a security measure candidate indicated by security measure candidate information included in the measure information, or the amount of time for which the attained security level is maintained; determines the state in which the graphic region corresponding to the security requirement information is covered by the graphic region corresponding to the measure information; and generates evaluation results of the security measure candidate according to the determined coverage state and outputs the evaluation results to an output device.

Description

Security measure determination support device and security measure determination support method
The present invention relates to a security measure determination support device and a security measure determination support method.
While network environments have spread widely and computer technology continues to advance rapidly, information security threats such as spoofing, information leakage, and information tampering, along with the risks they bring, are also increasing. It has therefore become important to recognize these threats and risks and to apply appropriate security measures.
The following has been proposed as a technology that supports such information security measures. To analyze information security risks comprehensively and present countermeasures without requiring specialist knowledge of information security or IT systems, a device has been proposed (see Patent Literature 1) that includes storage means holding a threat-asset correspondence table, which associates asset attributes with the threats that cause the state changes leading from the initial state to the occurrence of damage, and a threat-countermeasure correspondence table, which lists the countermeasures available for each threat. The device uses attribute information, such as the types of component devices and business operations in the system under diagnosis, together with the threat-asset correspondence table to extract the threats corresponding to the attribute information, and outputs the countermeasures for those threats.
JP 2009-110177 A
Conventional technologies that support security measures mainly evaluate how far the cost of introducing and operating security measures is minimized and how far the residual and derived risks that accompany their implementation are suppressed, and propose security measures on that basis.
However, they lack the idea of evaluating with attention to the availability of the computer system that is the security measure target and of its functions. For measure targets that cannot tolerate casual shutdowns or long recovery times after a shutdown, such as systems in medical, financial, and government institutions, it is difficult to propose appropriate security measures.
An object of the present invention is therefore to provide a technology that makes it possible to propose security measures that take the availability of the measure target into account.
To solve the above problem, for example, the configurations described in the claims are adopted. The present application includes several means for solving the above problem. As one example, a security measure support device is characterized by comprising: a storage device that stores countermeasure information, which includes information on threats affecting the security measure target and on security measure candidates expected to be applied against those threats, and safety requirement information, which includes information on the information-security safety level required for the security measure target and on the maintenance time of that safety level; and an arithmetic device that compares a graphic region whose side lengths correspond to the magnitudes of the safety level and of the maintenance time of that safety level indicated by the safety requirement information with a graphic region whose side lengths correspond to the magnitudes of the reached safety level expected from applying a security measure candidate, and of the maintenance time of that reached safety level, as indicated by the security measure candidate information in the countermeasure information, determines the cover state of the graphic region corresponding to the safety requirement information by the graphic region corresponding to the countermeasure information, generates an evaluation result for the security measure candidate according to the cover state, and outputs it to an output device.
The security measure determination support method of the present invention is characterized in that a computer having a storage device that stores countermeasure information, which includes information on threats affecting the security measure target and on security measure candidates expected to be applied against those threats, and safety requirement information, which includes information on the information-security safety level required for the security measure target and on the maintenance time of that safety level, executes processing that compares a graphic region whose side lengths correspond to the magnitudes of the safety level and of the maintenance time of that safety level indicated by the safety requirement information with a graphic region whose side lengths correspond to the magnitudes of the reached safety level expected from applying a security measure candidate, and of the maintenance time of that reached safety level, as indicated by the security measure candidate information in the countermeasure information, determines the cover state of the graphic region corresponding to the safety requirement information by the graphic region corresponding to the countermeasure information, generates an evaluation result for the security measure candidate according to the cover state, and outputs it to an output device.
According to the present invention, security measures that take the availability of the measure target into account can be proposed.
A diagram showing an example of a network configuration including the security measure determination support device of this embodiment.
A diagram showing an example of the hardware configuration of the security measure determination support device in this embodiment.
A diagram showing an example of the main flow of the security measure determination support method in this embodiment.
A diagram showing an example of the DFD risk reference value table in this embodiment.
A diagram showing an example of the R_SL determination table in this embodiment.
A diagram showing an example of the A_SL determination table in this embodiment.
A diagram showing an example of the R_TP, A_TP determination table in this embodiment.
A diagram showing an example of the R_TO, A_TO determination table in this embodiment.
A diagram showing an example of the risk analysis table in this embodiment.
A diagram showing an example of the countermeasure list in this embodiment.
A diagram showing detailed flow example 1 of the security measure determination support method in this embodiment.
A diagram showing an example of the countermeasure type table in this embodiment.
A diagram showing an example of the countermeasure list detail table in this embodiment.
A diagram showing an example of the countermeasure group creation rule input screen in this embodiment.
A diagram showing detailed flow example 2 of the security measure determination support method in this embodiment.
A diagram showing an example of the countermeasure implementation type table in this embodiment.
A diagram showing an example of the countermeasure group evaluation table in this embodiment.
A diagram showing example 1 of the DS diagram in this embodiment.
A diagram showing example 2 of the DS diagram in this embodiment.
A diagram showing example 3 of the DS diagram in this embodiment.
A diagram showing example 4 of the DS diagram in this embodiment.
A diagram showing an example of the integrated DS diagram in this embodiment.
A diagram showing example 1 of the MS diagram in this embodiment.
A diagram showing example 2 of the MS diagram in this embodiment.
A diagram showing example 3 of the MS diagram in this embodiment.
A diagram showing example 4 of the MS diagram in this embodiment.
A diagram showing example 5 of the MS diagram in this embodiment.
A diagram showing example 1 of the DMS diagram in this embodiment.
A diagram showing example 2 of the DMS diagram in this embodiment.
A diagram showing example 1 of the MO area in this embodiment.
A diagram showing example 2 of the MO area in this embodiment.
A diagram showing example 1 of the EA area in this embodiment.
A diagram showing example 2 of the EA area in this embodiment.
A diagram showing example 1 of the countermeasure model proposal table creation rule input screen in this embodiment.
A diagram showing example 2 of the countermeasure model proposal table creation rule input screen in this embodiment.
A diagram showing detailed flow example 3 of the security measure determination support method in this embodiment.
A diagram showing an example of the countermeasure model proposal table in this embodiment.
A diagram showing an output example of the specification document in this embodiment.
--- Example of hardware configuration of security measure determination support device ---
Embodiments of the present invention are described below in detail with reference to the drawings. FIG. 1 is a diagram showing an example of a network configuration including the security measure determination support device 100 of this embodiment. The security measure determination support device 100 shown in FIG. 1 is a computer that makes it possible to propose security measures that take into account the availability of the system that is the security measure target. As illustrated in FIG. 1, the security measure determination support device 100 of this embodiment is connected through a network 20, so that they can communicate, to a user terminal 200 used by the designer of the security measure target system and a user terminal 250 used by a security expert. The security measure determination support device 100 and the user terminals 200 and 250 together can be defined as a security measure determination support system 10.
In this embodiment, the security measure target system is assumed to be, for example, a complex, large-scale power supply system made up of multiple servers (including information management servers), subsystems, meters, terminals, and the like. It is also assumed that, during development of this power supply system, a security expert commissioned by the system designer uses the security measure determination support device 100 of this embodiment through the user terminal 250 as a support tool for analyzing the risks of the target system based on its DFDs (data flow diagrams; hereinafter DFD) and planning security measures. The security expert must plan not only the measures that should become requirements at system development time, but also emergency security measures prepared in advance so that, when a risk occurs during system operation, normal execution of the business flow can be resumed and the system restored quickly.
A combination, at a predetermined scale and according to fixed rules, of multiple security measures that the security expert has planned with the security measure determination support device 100 of this embodiment is defined as a countermeasure group. In this embodiment, countermeasure groups are evaluated, and a combination of countermeasure groups at a larger scale (the whole system), made on the basis of the evaluation results, is called a countermeasure model.
The hardware configuration of the security measure determination support device 100 is as follows. FIG. 2 is a diagram showing an example of the hardware configuration of the security measure determination support device 100 of this embodiment. The security measure determination support device 100 includes: a storage device 101 composed of a suitable non-volatile storage element such as an SSD (Solid State Drive) or hard disk drive; a memory 103 composed of a volatile storage element such as RAM; a CPU 104 (arithmetic device) that executes the program 102 held in the storage device 101, for example by reading it into the memory 103, to perform overall control of the device itself as well as various determination, computation, and control processing; and a communication device 107 that connects to the network 20 and handles communication with the user terminals 200 and 250. In addition to this configuration, the security measure determination support device 100 may include an input device 105 such as a keyboard or mouse that accepts input from the user, and an output device 106 such as a display or speaker that outputs processing results.
In addition to the program 102 that implements the functions required of the security measure determination support device 100 of this embodiment, the storage device 101 stores the data 110 to 127 needed for the various processes. Details of the data 110 to 127 are described later.
Although not specifically illustrated, the user terminals 200 and 250 have the same hardware configuration as a general computer and function as computer terminals.
--- Functional example of security measure determination support device ---
Next, the functions of the security measure determination support device 100 of this embodiment are described. As noted above, the functions described below are implemented, for example, by executing the program 102 of the security measure determination support device 100.
As shown inside the memory 103 in FIG. 2, the security measure determination support device 100 has the following functions: a communication unit 171, a registration unit 172, a countermeasure list creation unit 173, an input unit 174, a countermeasure evaluation unit 175, a countermeasure model creation unit 176, and a specification entry unit 177.
Of these, the communication unit 171 controls the communication device 107 to access the network 20 and communicates with external devices such as the user terminals 200 and 250 according to the protocol of the network 20.
The registration unit 172 registers data such as the various tables and specification documents, acquired through the input device 105 or the communication device 107, in the storage area of the storage device 101. The countermeasure list creation unit 173 plans security measures based on the risk analysis results for the measure target system, obtained for example from the security expert's user terminal 250.
The input unit 174 accepts the creation rules for the countermeasure groups and countermeasure models described above, either at the input device 105 or from the user terminal 250 through the communication device 107, and stores the accepted creation rules in the memory 103 or the storage device 101.
The countermeasure evaluation unit 175 evaluates the security measures planned by the countermeasure list creation unit 173. It compares two graphic regions. The first has side lengths corresponding to the magnitudes of the safety level for each DFD, and of the maintenance time of that safety level, indicated by the DFD risk reference value table 111 (safety requirement information) described later. The second has side lengths corresponding to the magnitudes of the reached safety level expected from applying a security measure candidate, and of the maintenance time of that reached safety level, as indicated by the security measure candidate information for that DFD in the countermeasure list 115 and the countermeasure list detail table 116 (both countermeasure information) described later. The unit determines the cover state of the graphic region corresponding to the DFD by the graphic region corresponding to the security measure candidate, generates an evaluation result for the candidate according to this cover state, and outputs it to the output device 106 or the user terminal 250.
The countermeasure evaluation unit 175 may arrange, on a predetermined time axis, the side of the graphic region corresponding to the DFD that corresponds to the maintenance time of the safety level and the side of the graphic region corresponding to the security measure candidate for that DFD that corresponds to the maintenance time of the reached safety level, and may specify as the cover state the information on the region, within the graphic region corresponding to the DFD, defined by the time zone covered by the graphic region corresponding to the security measure candidate and the reached safety level in that time zone.
The countermeasure evaluation unit 175 may also specify the cover state by arranging, on the predetermined time axis, the side corresponding to the maintenance time of the safety level in the graphic region corresponding to the DFD and the side corresponding to the maintenance time of the reached safety level in the graphic region corresponding to the security measure candidate for that DFD so that they start at the point when the allowable recovery time, indicated by the DFD risk reference value table 111, has elapsed since the security measure target stopped operating.
The countermeasure evaluation unit 175 may also arrange, on a predetermined time axis, the side of the graphic region corresponding to the DFD that corresponds to the maintenance time of the safety level and the sides, corresponding to the maintenance time of the reached safety level, of each of a plurality of graphic regions corresponding to security measure candidates for that DFD, and may specify as the cover state the information on the region, within the graphic region corresponding to the DFD, defined by the time zone covered by the plurality of graphic regions corresponding to the security measure candidates and the overlap of the reached safety levels that those graphic regions indicate in that time zone.
When the storage device 101 stores, as the security measure candidate information for the DFD, information on both development measures, which are applied when the security measure target system is developed and operated permanently, and emergency measures, which are applied when a risk occurs during system operation in order to restore function, the countermeasure evaluation unit 175 may arrange, on a predetermined time axis, the side of the graphic region corresponding to the DFD that corresponds to the maintenance time of the safety level and the side, corresponding to the maintenance time of the reached safety level, of the graphic region corresponding to the countermeasure information of at least one of the development measures and the emergency measures, and may specify as the cover state the information on the region, within the graphic region corresponding to the DFD, defined by the time zone covered by the graphic region corresponding to that countermeasure information and the reached safety level in that time zone.
The countermeasure model creation unit 176 creates a countermeasure model based on the security countermeasure evaluation results produced by the countermeasure evaluation unit 175. It accepts a user request concerning security countermeasures at the input device 106 or from the user terminal 250 via the network 20, identifies those security countermeasure candidates whose evaluation results match the conditions indicated by the user request, generates a countermeasure model from the identified candidates, and outputs the countermeasure model to the output device 106 or to the user terminal 250 via the network 20.
Note that the countermeasure model creation unit 176 may identify security countermeasure candidates in order of how well their evaluation results match the conditions indicated by the user request, generate countermeasure models one after another using the security countermeasure models in that order, and output each countermeasure model to the output device 106 or to the user terminal 250 via the network 20.
The specification entry unit 177 generates a specification by automatically inserting the requirement definition of a countermeasure list that the input device 105 or the user terminal 250 has designated for adoption into the relevant part of the specification file 127 held in advance in the storage device 101.
The security measure determination support apparatus 100 having these functions 171 to 177 evaluates security countermeasures based on information received from the system designer and the security expert, drafts and presents countermeasure models, and automatically inserts the requirement definition of the adopted countermeasure model into a specification and outputs it.
--- Main flow example ---
The actual procedure of the security measure determination support method in this embodiment is described below with reference to the drawings. The various operations corresponding to the method described below are realized by the program 102, which the security measure determination support apparatus 100 reads into the memory 103 and executes. The program 102 consists of code for performing the operations described below.
FIG. 3 is a diagram showing an example of the main flow of the security measure determination support method in this embodiment. The flow shows not only the processing of the security measure determination support apparatus 100 but also the processing in the user terminals 200 and 250 that supply information to it.
First, in accordance with the system designer's instructions, the system designer's user terminal 200 transmits the DFD 110, the R_SL determination table 119, the R_TP, A_TP determination table 121, the R_TO, A_TO determination table 122, the DFD risk reference value table 111, the system cooperation WBS 123, and the application development WBS 124 to the security measure determination support apparatus 100 and registers them (S3401).
The communication unit 171 of the security measure determination support apparatus 100 receives the data transmitted from the user terminal 200 and passes it to the registration unit 172, which stores it in the storage device 101 (S3402).
The terms used in this embodiment and the policy for evaluating security countermeasures are explained here. This embodiment evaluates security countermeasures by defining a concept (a numerical index) called "countermeasure strength". The countermeasure strength is expressed by the following two values.
MO: for a given security countermeasure, the strength of its ability to keep the system operating (to keep the business flow executing).
EA: for a given security countermeasure, the strength of its ability to withstand attacks from outside and execute the business flow normally.
The following values are used to calculate MO and EA.
R_SL: the safety level that the business flow corresponding to a DFD must satisfy during normal operation.
R_TP: the time for which the business flow corresponding to a DFD is allowed to be temporarily suspended.
R_TO: the minimum operating time required of the business flow corresponding to a DFD.
A_SL: the safety level that the business flow can reach when a given security countermeasure is implemented.
A_TP: the time needed to prepare a given security countermeasure for implementation.
A_TO: the duration of the effect of a given security countermeasure.
R_SL, R_TP and R_TO are values determined to reflect the intentions of the system designer, while A_SL, A_TP and A_TO are values that the security expert assigns, from an objective standpoint, to the security countermeasures the expert has drafted. In this embodiment, R_SL and A_SL are integer values from "0" to "7", and R_TP, R_TO, A_TP and A_TO are integer values from "1" to "10". Hereinafter, R_SL, R_TP and R_TO are called risk reference values, and A_SL, A_TP and A_TO are called countermeasure reference values. The risk reference values are attached to the information of the DFD 110 that the system designer registers in the security measure determination support apparatus 100.
The system cooperation WBS and the application development WBS are created in the course of the system's security design and are the predecessors of the overall development WBS and the development policy definition document included in the final set of system design requirement definition documents.
As illustrated in FIG. 4, the DFD risk reference value table 111 is a collection of records in which the risk reference values R_SL, R_TP and R_TO are associated with the ID (DFD_ID) of the corresponding DFD 110 as the key. Each risk reference value stored in the risk reference value table 111 is determined by the system designer's user terminal 200 using the determination tables shown in FIGS. 5, 7 and 8.
FIG. 5 is a diagram showing a configuration example of the R_SL determination table 119 in this embodiment. In this embodiment the user terminal 200 determines the value of R_SL by referring to the R_SL determination table 119. The table is created chiefly by the system designer, but a security expert or other stakeholders may create it in consultation with the system designer. The user terminal 200 determines R_SL by checking the predicted impact of a stoppage or abnormal operation of the business flow corresponding to the DFD 100 (as specified by the system designer), for example "harm to human life or body", against the R_SL determination table 119 and taking the corresponding value, here "7". The system designer may of course enter the value of R_SL directly with the input device of the user terminal 200.
FIG. 6 is an example of the A_SL determination table 120 in this embodiment. In this embodiment the security expert's user terminal 250 determines the value of A_SL by referring to the A_SL determination table 120. The table is created chiefly by the security expert, but may be created in consultation with the system designer or other stakeholders.
The user terminal 250 determines the value of A_SL by grading it, for example, according to the degree to which the normal state is restored after the security countermeasure is implemented. Take the risk that the encryption parameters of an encrypted communication leak. If communication can be resumed as before by tracing and reinforcing the leak route and then changing the encryption parameters, the degree of recovery is 100%. If instead a temporary measure is taken, such as using password-based encryption that differs from the previous algorithm and sending the password by a separate route immediately after the message is sent, the degree of recovery is 50%. Defining these degrees of recovery may in some cases require the stakeholders to reach a consensus. The user terminal 250 receives from the system designer a designation of the degree of recovery after the security countermeasure is implemented, checks it against the A_SL determination table 120, and determines the corresponding value of A_SL.
FIG. 7 is a diagram showing a configuration example of the R_TP, A_TP determination table 121 in this embodiment. In this embodiment the system designer's user terminal 200 determines the values of R_TP and A_TP by referring to the R_TP, A_TP determination table 121. The table is created chiefly by the system designer, but a security expert or other stakeholders may create it in consultation with the system designer. The user terminal 200 checks the information specified by the system designer, for example the time for which the business flow may be suspended or the time needed to prepare the countermeasure for implementation, against the R_TP, A_TP determination table 121 and determines the corresponding values of R_TP and A_TP.
FIG. 8 is a diagram showing a configuration example of the R_TO, A_TO determination table 122 in this embodiment. In this embodiment the system designer's user terminal 200 determines the values of R_TO and A_TO by referring to the R_TO, A_TO determination table 122. The table is created chiefly by the system designer, but a security expert or other stakeholders may create it in consultation with the system designer. The user terminal 200 checks the information specified by the system designer, for example the minimum operating time required of the business flow or the duration of the countermeasure's effect, against the R_TO, A_TO determination table 122 and determines the corresponding values of R_TO and A_TO.
Note that the settings of A_TP and A_TO depend on the technical difficulty of the countermeasure, the number of people who must approve it or be informed of it, the environment and facilities, and so on.
The description now returns to the main flow of FIG. 3. Following step S3402, the communication unit 171 of the security measure determination support apparatus 100 sends the security expert's user terminal 250 an arrival notification for the data acquired in step S3401 and stored in the storage device 101 in step S3402 (S3403). Along with this notification, the security measure determination support apparatus 100 makes the DFD 110, the R_SL determination table 119, the R_TP, A_TP determination table 121, the R_TO, A_TO determination table 122, and the DFD risk reference value table 111 viewable from the user terminal 250. For example, it notifies the user terminal 250 of a URL indicating where the data is stored in the storage device 101, or of a password for accessing that storage location.
The security expert operates the user terminal 250 to view the information presented by the security measure determination support apparatus 100, that is, the DFD 110, the R_SL determination table 119, the R_TP, A_TP determination table 121, the R_TO, A_TO determination table 122, and the DFD risk reference value table 111, and performs risk analysis based on it. The user terminal 250 provides the security expert with general-purpose functions for this risk analysis and generates the risk analysis table 114 (S3404). The security expert then uses the user terminal 250 to create the countermeasure list table 115 and to determine the countermeasure reference values. The user terminal 250 acquires the countermeasure list table 115 created in this way and the countermeasure reference value information (S3405).
The user terminal 250 then transmits the risk analysis table 114, the countermeasure list table 115, the A_SL determination table 120 (held in advance by the user terminal 250), and the countermeasure reference values to the security measure determination support apparatus 100 and registers them (S3406).
The communication unit 171 of the security measure determination support apparatus 100 receives the risk analysis table 114, the countermeasure list table 115, the A_SL determination table 120, and the countermeasure reference values transmitted from the user 250 and passes them to the registration unit 172, which stores them in the storage device 101 (S3407).
As illustrated in FIG. 9, the risk analysis table 114 contains at least the following data: the risks extracted during risk analysis, the content of each risk and its required response level, information on the DFD that contains the business flow giving rise to the risk (hereinafter, the target DFD), the information assets in the target DFD that give rise to the risk (assets to be protected), the threat analysis, the vulnerability analysis, and the risk evaluation results.
The required response level is the priority of preventing the risk from occurring, and is a value the security expert determines, consulting the requester (the system designer or others) as necessary. The threat analysis column summarizes the analysis results by type of threat and by the place where the threat arises (device, area and so on), and always includes information on the information assets targeted by the threat.
The information assets targeted (by a threat) are extracted from the assets to be protected in the target DFD information column. The vulnerability analysis column summarizes results for each place where a vulnerability exists. The risk evaluation column summarizes results for each place where a risk exists, and always includes the risk level and the risk case ID.
A risk case is a description of the circumstances in which a risk occurs that makes clear the actor causing the risk, the vulnerability exploited, the place of occurrence, the threat and so on, for example "an outsider who has intruded into the information management center exploits a vulnerability in the administrator privilege settings and tampers with a device ID". Risk evaluation is performed for each risk case. The risk level is the degree of impact of a risk case, determined from the results of the threat analysis and the vulnerability analysis.
As illustrated in FIG. 10, the countermeasure list 115 groups the risk cases extracted in the risk analysis by place of risk occurrence and by threat, lists the countermeasures for each, and assigns each countermeasure an ID (countermeasure ID). The list may name several countermeasures for a single risk case. A countermeasure that has already appeared may also be listed again where the place of occurrence or the threat differs, in which case it carries the same countermeasure ID. In the example of FIG. 10, the security countermeasure with ID "S003" is listed repeatedly in two categories whose place of risk occurrence is "information management server" and whose threats are "spoofing" and "tampering".
The "information assets targeted by the threat" and "target DFD" entries in the risk column of the countermeasure list 115 can be produced by following the risk analysis table 114 (FIG. 9) from "targeted information assets (several)" to "assets to be protected" to "DFD_ID". The content and type of each listed countermeasure are also recorded. The type first classifies the countermeasure as functional, operational or physical-environmental, and then records whether it serves risk prevention, risk detection, risk reduction or business recovery. Besides functional, operational and physical-environmental countermeasures, the type may also include, for example, administrative or facility countermeasures. Likewise, besides prevention, detection, reduction and recovery, the subordinate item may be, for example, risk avoidance, separation, concentration (combination) or transfer.
The description now returns to the main flow of FIG. 3. Following step S3407, the countermeasure list creation unit 173 of the security measure determination support apparatus 100 refers to the risk analysis table 114, the countermeasure list table 115, the A_SL determination table 120 and the countermeasure reference values obtained from the user terminal 250, together with the countermeasure type table 112 already stored in its own storage device 101, creates the countermeasure list detail table 116, and stores it in the storage device 101 (S3408).
The creation of the countermeasure list detail table 116, that is, the details of step S3408, is described below. FIG. 11 is a diagram showing detailed flow example 1 of the security measure determination support method in this embodiment.
In this case, the countermeasure list creation unit 173 of the security measure determination support apparatus 100 refers to the DFD risk reference value table 111 and, for each threat at each place of risk occurrence in the countermeasure list 115, sets in the countermeasure list detail table 116 the maximum R_SL, the minimum R_TP and the maximum R_TO among the risk reference values of the listed target DFDs as the risk reference values of the integrated DS diagram (S3501). Details are given later, but the integrated DS diagram is the DS diagram created, when several business flows are subject to a security countermeasure, by adopting the maximum R_SL, the minimum R_TP and the maximum R_TO among those business flows. A DS diagram represents the dangerous state of a business flow for which a security countermeasure has not yet been implemented as a rectangular region of R_SL × (R_TP + R_TO), with the safety level (SL) of the target system on the vertical axis and time on the horizontal axis.
Next, for each countermeasure ID in the countermeasure list 115, the countermeasure list creation unit 173 refers to the R_SL of the corresponding threat (determined in S3501), applies that value to the A_SL calculation formula in the countermeasure reference value column (R_SL × 1.0 and the like in the example of FIG. 13), and calculates the A_SL value of each countermeasure ID in the target reference value column of the countermeasure list detail table 116 (S3502).
Then, for each countermeasure ID in the target reference value column of the countermeasure list detail table 116, the countermeasure list creation unit 173 sets the A_SL obtained in step S3502 and the A_TP and A_TO values taken from the countermeasure reference values stored in the storage device 101 (already acquired from the user terminal 250) (S3503).
For each countermeasure ID, the countermeasure list creation unit 173 also refers to the countermeasure type table 112, compares the risk reference values of the integrated DS diagram with the countermeasure reference values to determine the countermeasure type, and sets the type and its use in the corresponding fields of the countermeasure column of the countermeasure list detail table 116 (S3504).
As illustrated in FIG. 12, the countermeasure type table 112 classifies the security countermeasures in the countermeasure list 115 (FIG. 10) into predetermined types (eight types, M1 to M8, in the example of FIG. 12) from the viewpoints of safety, speed of implementation and persistence (of effect). The table also designates, for each type, whether the security countermeasure is "for development" or "for first aid".
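The following Python sketch is an added example, not code from the patent: it carries out S3501 and S3502 (integrated DS reference values, A_SL from the "R_SL × factor" formula) and then the cover-state placement on a time axis described for the countermeasure evaluation unit 175. It assumes that the required window is R_TO long and starts at R_TP, that a countermeasure takes effect at A_TP and lasts A_TO unless aligned to R_TP, and that A_SL is rounded down; all identifiers and values are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, Optional


def _check(name: str, value: int, low: int, high: int) -> None:
    # Ranges come from the page: safety levels 0..7, time values 1..10.
    if not low <= value <= high:
        raise ValueError(f"{name}={value} outside {low}..{high}")


@dataclass(frozen=True)
class RiskRef:
    """Risk reference values of one DFD (one record of table 111)."""
    r_sl: int
    r_tp: int
    r_to: int

    def __post_init__(self):
        _check("R_SL", self.r_sl, 0, 7)
        _check("R_TP", self.r_tp, 1, 10)
        _check("R_TO", self.r_to, 1, 10)


@dataclass(frozen=True)
class Measure:
    """Countermeasure reference inputs; sl_factor is the k in 'R_SL x k'."""
    sl_factor: float
    a_tp: int
    a_to: int

    def __post_init__(self):
        _check("A_TP", self.a_tp, 1, 10)
        _check("A_TO", self.a_to, 1, 10)


def integrated_reference(dfd_ids: Iterable[str],
                         table: Dict[str, RiskRef]) -> RiskRef:
    """S3501: max R_SL, min R_TP, max R_TO over the target DFDs."""
    refs = [table[d] for d in dfd_ids]
    if not refs:
        raise ValueError("no target DFD given")
    return RiskRef(max(r.r_sl for r in refs),
                   min(r.r_tp for r in refs),
                   max(r.r_to for r in refs))


def derive_a_sl(r_sl: int, factor: float) -> int:
    """S3502: apply 'R_SL x factor'. Rounding down and clamping to 0..7
    are assumptions of this example, not rules stated on the page."""
    return max(0, min(7, int(r_sl * factor)))


def ds_area(ref: RiskRef) -> int:
    """Area of the DS-diagram rectangle, R_SL x (R_TP + R_TO)."""
    return ref.r_sl * (ref.r_tp + ref.r_to)


def cover_state(ref: RiskRef, m: Measure,
                align_to_r_tp: bool = False) -> Optional[dict]:
    """Time span of the requirement covered by one countermeasure and the
    safety level reached in it; None when the windows do not overlap."""
    a_sl = derive_a_sl(ref.r_sl, m.sl_factor)
    req_start, req_end = ref.r_tp, ref.r_tp + ref.r_to
    m_start = ref.r_tp if align_to_r_tp else m.a_tp  # variant: start at R_TP
    m_end = m_start + m.a_to
    start, end = max(req_start, m_start), min(req_end, m_end)
    if end <= start:
        return None
    level = min(ref.r_sl, a_sl)
    return {"from": start, "to": end, "level": level,
            "uncovered_time": ref.r_to - (end - start),
            "level_shortfall": ref.r_sl - level}


# Constructed sample data: three DFDs sharing one threat, three countermeasures.
TABLE = {"DFD-A": RiskRef(5, 3, 6), "DFD-B": RiskRef(7, 2, 4),
         "DFD-C": RiskRef(4, 4, 8)}
MEASURES = {"M-A": Measure(1.0, 3, 5), "M-B": Measure(0.5, 1, 2),
            "M-C": Measure(1.0, 10, 1)}

if __name__ == "__main__":
    ref = integrated_reference(TABLE, TABLE)
    print("integrated:", ref, "DS area:", ds_area(ref))
    for mid, m in MEASURES.items():
        print(mid, cover_state(ref, m), cover_state(ref, m, True))
```

A countermeasure whose window never meets the required window, such as the constructed M-C, yields no cover state at all, which is the case a reviewer would want flagged before countermeasures are combined into groups.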
The description now returns to the main flow of FIG. 3. Following step S3408, the communication unit 171 of the security measure determination support apparatus 100 sends the system designer's user terminal 200 a notification that the countermeasure list detail table 116 has been created, and makes the table viewable from the user terminal 200 (S3409). The method of making it viewable is the same as the one used with step S3403.
FIG. 13 shows an example of the countermeasure list detail table 116 created by the security measure determination support apparatus 100 and made viewable from the user terminal 200. The countermeasure list detail table 116 in this embodiment contains the risk reference values of the integrated DS diagram of the target DFDs for each combination of place of risk occurrence and threat (the maximum R_SL, the minimum R_TP and the maximum R_TO among the target DFDs, taken from the DFD risk reference value table 111 (FIG. 4)), and the countermeasure reference values, type and use for each countermeasure ID. The method of determining the countermeasure type is described later in the explanation of FIG. 16.
The system designer operates the user terminal 200 to view the countermeasure list detail table 116, decides on the countermeasure group creation rules, and enters them with the input device. The user terminal 200 accepts the system designer's input of the countermeasure group creation rules through the countermeasure group creation rule input screen 1000 provided by the input unit 174 of the security measure determination support apparatus 100, and transmits them to the security measure determination support apparatus 100 (S3410).
 FIG. 14 shows an example of the countermeasure group creation rule input screen 100 in this embodiment. In this embodiment, multiple countermeasures in the countermeasure list 115 (FIG. 10) are combined according to a fixed rule to form a countermeasure group. The rule is the one specified on the countermeasure group creation rule input screen 1000 by the operator of the security measure determination support apparatus 100 (for example, a system designer or a security expert accessing it via a user terminal).
 In this embodiment, the screen 1000 accepts the following settings as rule items for creating countermeasure groups: the basic number of elements, which is the base value for the number of countermeasures combined; the minimum unit of the category to which a countermeasure group applies (the range from which the individual countermeasures to be combined are selected); whether countermeasures may be selected more than once from the same range (duplicate selection); and the selection conditions for the kind of countermeasure. Other rule items may also be set as the situation requires, for example targeting only countermeasures against a specific risk ID.
 Meanwhile, having received the countermeasure group creation rule via the countermeasure group creation rule input screen 100 described above, the countermeasure evaluation unit 175 of the security measure determination support apparatus 100 refers to the countermeasure list detail table 116 and to the countermeasure implementation type table 113 already held in its own storage device 101, creates the countermeasure group evaluation table 117 (FIG. 17), and stores it in the storage device 101 (S3411).
 The process of creating the countermeasure group evaluation table 117 is described in detail below. FIG. 15 shows detailed flow example 2 of the security measure determination support method in this embodiment. In this case, the countermeasure evaluation unit 175 of the security measure determination support apparatus 100 follows the countermeasure group creation rule described above and creates multiple countermeasure groups and countermeasure group IDs for each risk occurrence location and threat category. In other words, it enumerates every combination of countermeasures possible under the rule and sets them in the countermeasure group evaluation table 117 (FIG. 17) together with the implementation type and use of each countermeasure (S3601).
 The implementation type mentioned above is determined from the countermeasure implementation type table 113 illustrated in FIG. 16. The countermeasure implementation type table 113 in this embodiment defines the forms of implementation for countermeasures classified according to the countermeasure type table 112 (FIG. 12). The table illustrated in FIG. 16 lists 11 implementation types in total: the eight countermeasure types shown in the countermeasure type table 112 (FIG. 12), used as implementation forms as they are, plus three newly defined types for M2, M4, M6, and M8 in which the same countermeasure is implemented again after its effect expires (a repeated implementation form), so that the persistence judgment becomes "○". The use of the three newly defined types is set to "emergency use" only, on the view that at development time it is unlikely that repeated use of a countermeasure within the R_TO period would be assumed.
 The countermeasure evaluation unit 175 of the security measure determination support apparatus 100 also calculates the MO value for each countermeasure group and sets it as the MO value in the evaluation column of the countermeasure group evaluation table 117 (S3602). For each threat at a risk occurrence location, the countermeasure evaluation unit 175 then obtains the standard deviation of the MO value corresponding to each countermeasure group ID within that category, and sets it as the MO standard deviation value in the evaluation column of the countermeasure group evaluation table 117 (S3603).
 The countermeasure evaluation unit 175 of the security measure determination support apparatus 100 likewise calculates the EA value for each countermeasure group and sets it as the EA value in the evaluation column of the countermeasure group evaluation table 117 (S3604). For each threat at a risk occurrence location, the countermeasure evaluation unit 175 then obtains the standard deviation of the EA value corresponding to each countermeasure group ID within that category, and sets it as the EA standard deviation value in the evaluation column of the countermeasure group evaluation table 117 (S3605).
 The approach to calculating the MO and EA values from the risk reference values and countermeasure reference values is now described concretely. In this embodiment, for a business flow to which a security countermeasure is to be applied, the dangerous state when no countermeasure has been implemented is represented by a rectangular area 500 of R_SL × (R_TP + R_TO), with the system safety level (SL) on the vertical axis and time on the horizontal axis. This is called a DS diagram. FIG. 18 is an example of a DS diagram 1800 for a business flow with R_SL = 6, R_TP = 3, and R_TO = 8. In this embodiment, the DFD information obtained from the system designer's user terminal 200 includes the R_SL, R_TP, and R_TO values of the business flow to which each DFD corresponds.
 Based on the R_SL, R_TP, and R_TO values obtained from the user terminal 200, the security measure determination support apparatus 100 takes the point at which R_TP time has elapsed from the origin of the time axis (the position of time "3" in FIG. 18) as the start of R_TO, and generates the rectangular area 500 by associating the R_SL level (level "6" in FIG. 18) with the duration of R_TO (in FIG. 18, the 8-hour period from time "3" to time "11").
 The rectangular area 500 can be identified by the position coordinates of each of its vertices 505 in the coordinate space 503 defined by the time axis 501 and the safety level axis 502. For the rectangular area 500 in FIG. 18, starting from the vertex at safety level "0" at the end of R_TP (time "3") and going clockwise, the position coordinates (time, safety level) of the vertices are (3, 0), (3, 6), (11, 6), and (11, 0). The security measure determination support apparatus 100 therefore stores this set of vertex 505 position coordinates in the memory 103 or the storage device 101 as the information representing the rectangular area 500 (figure area) of each DS diagram.
 When there are multiple business flows to which security countermeasures are to be applied, the DS diagram is created using the largest R_SL, the smallest R_TP, and the largest R_TO among the business flows. This is called the integrated DS diagram 2200. FIG. 19 is an example of a DS diagram 1900 for a business flow with R_SL = 2, R_TP = 4, and R_TO = 8; FIG. 20 is an example of a DS diagram 2000 for a business flow with R_SL = 3, R_TP = 3, and R_TO = 7; FIG. 21 is an example of a DS diagram 2100 for a business flow with R_SL = 5, R_TP = 5, and R_TO = 6; and FIG. 22 is an example of the integrated DS diagram 2200 of these business flows. The integrated DS diagram 2200 of FIG. 22 has R_SL = 5, R_TP = 3, and R_TO = 8.
 In this embodiment, the degree of safety obtained when a security countermeasure is implemented in the target business flow is represented by a rectangular area 600 of A_SL × T_TO that begins when A_TP has elapsed from time 0 (the system stop time), with the system safety level (SL) on the vertical axis and time on the horizontal axis. This is called an MS diagram. FIG. 23 is an example of an MS diagram 2300 for a countermeasure with A_SL = 7, A_TP = 2, and A_TO = 10. In this embodiment, when the security expert draws up countermeasures after risk analysis, the expert assigns the calculation formula for A_SL and the values of A_TP and A_TO at the same time. The security measure determination support apparatus 100 creates the MS diagram from the A_SL calculation formula and the A_TP and A_TO values supplied from the user terminal 250. Note that the value of A_SL depends on the R_SL value of the business flow to which the security countermeasure is applied (as stated in the description of FIG. 13).
 The security measure determination support apparatus 100 calculates the value of A_SL by applying the R_SL value of the business flow to the A_SL calculation formula obtained from the user terminal 250. Based on that A_SL value and the A_TP and A_TO values, it takes the point at which A_TP time has elapsed from the origin 610 on the time axis 601 (the position of time "2" in FIG. 23) as the start of A_TO, and generates the rectangular area 600 by associating the A_SL level (level "7" in FIG. 23) with the duration of A_TO (in FIG. 23, the 10-hour period from time "2" to time "12").
 The rectangular area 600 can be identified by the position coordinates of each of its vertices 605 in the coordinate space 603 defined by the time axis 601 and the safety level axis 602. For the rectangular area 600 in FIG. 23, starting from the vertex at safety level "0" at the end of A_TP (time "2") and going clockwise, the position coordinates (time, safety level) of the vertices are (2, 0), (2, 7), (12, 7), and (12, 0).
 The security measure determination support apparatus 100 therefore stores this set of vertex 605 position coordinates in the memory 103 or the storage device 101 as the information representing the rectangular area 600 (figure area) of each MS diagram.
 FIG. 24 is an example of an MS diagram 2400 for a countermeasure with A_SL = 1, A_TP = 1, and A_TO = 11; FIG. 25 is an example of an MS diagram 2500 for a countermeasure with A_SL = 3, A_TP = 2, and A_TO = 7; FIG. 26 is an example of an MS diagram 2600 for a countermeasure with A_SL = 5, A_TP = 5, and A_TO = 5; and FIG. 27 is an example of an MS diagram 2700 for a countermeasure with A_SL = 5, A_TP = 3, and A_TO = 9. In every case the A_SL value is the one obtained when the countermeasure is applied to the business flows from which the integrated DS diagram 2200 of FIG. 22 was created.
 The distinction between development-use and emergency-use security countermeasures in this embodiment is as follows. A security countermeasure is treated as development-use when the safety expected once it is implemented, and the persistence of that safety, exceed the safety level that the target business flow must satisfy during normal operation and the minimum operating time it requires. That is, when the integrated DS diagram 2200 of the target business flows is overlaid with the MS diagram, a security countermeasure for which A_SL ≧ R_SL and A_TO ≧ R_TO is a development-use security countermeasure. A security countermeasure that does not satisfy this is an emergency-use security countermeasure. A development-use security countermeasure can, however, also be used for emergency use. Taking FIG. 22 as the integrated DS diagram 2200 of the target business flows, the security countermeasures shown by the MS diagrams 2400, 2500, and 2600 of FIGS. 24, 25, and 26 are emergency-use, and the security countermeasure shown by the MS diagram 2700 of FIG. 27 is development-use.
 This embodiment also evaluates countermeasure groups formed by arbitrarily combining several of the security countermeasures that have been drawn up. For this, the security measure determination support apparatus 100 uses a diagram in which the MS diagram of each countermeasure in the group is overlaid on the DS diagram or integrated DS diagram of the target business flow. This diagram is called a DMS diagram.
 When creating the DMS diagram, if all elements of the countermeasure group are emergency-use countermeasures, the security measure determination support apparatus 100 overlays the MS diagram of each countermeasure and the DS diagram or integrated DS diagram of the target business flow as they are. In this overlay process, the apparatus reads the vertex position coordinates held for the MS diagrams and the DS diagram or integrated DS diagram from the memory 103 or the storage device 101, generates the rectangular area 500 of the DS diagram or integrated DS diagram and the rectangular areas 600 of the MS diagrams, and superimposes the rectangular areas 500 and 600 on the time axis 701. Generating and superimposing the rectangular areas 500 and 600 can be done with an existing drawing program. The result of the drawing process may also be displayed on the output device 106 or on the user terminals 200 and 250.
 If, on the other hand, the countermeasure group contains one or more development-use countermeasures, the security measure determination support apparatus 100 performs the overlay process on the MS diagram of each countermeasure and the DS diagram or integrated DS diagram of the target business flow with the start points of R_TO and A_TO aligned on the time axis 701.
 FIG. 28 is an example of a DMS diagram 2800 for the case where the countermeasure group whose elements are FIGS. 24, 25, and 26 is applied to the business flows from which the integrated DS diagram of FIG. 22 was created. FIG. 29 is an example of a DMS diagram 2900 for the case where the countermeasure group whose elements are FIGS. 24, 25, and 27 is applied to the business flows from which the integrated DS diagram of FIG. 22 was created.
 To calculate the MO value, the security measure determination support apparatus 100 calculates, in the DMS diagram, the area that the A_SL × A_TO portions of the applied MS diagrams occupy as a whole within the R_SL × R_TO range of the applied DS diagram. This is called the MO area. To calculate the MO area, the apparatus identifies, within the coordinate range of the rectangular area 500 (DS diagram), that is, the coordinate range of the area enclosed by its four vertices 505, the places that coincide with the coordinate range of one or more rectangular areas 600 (DS diagram), that is, the coordinate range of the area enclosed by their vertices 605, and calculates the area of the region formed by connecting the vertex coordinates of those places. An existing algorithm can be used to calculate the area of a polygon enclosed by such vertices.
 FIG. 30 is an example in which the portion 700 corresponding to the MO area is shown on the DMS diagram 2800 of FIG. 28. FIG. 31 is an example in which the portion 700 corresponding to the MO area is shown on the DMS diagram 2900 of FIG. 29. The MO value is calculated from this MO area.
 To calculate the EA value when all elements of the countermeasure group are emergency-use countermeasures, the security measure determination support apparatus 100 calculates, in the DMS diagram, the total area occupied by the A_SL × (A_TP × A_TO) portion of each applied MS diagram within the R_SL × (R_TP × R_TO) range of the applied DS diagram. When the countermeasure group contains one or more development-use countermeasures, the apparatus instead calculates, in the DMS diagram, the total area occupied by the A_SL × A_TO portion of each applied MS diagram within the R_SL × R_TO range of the applied DS diagram. This is called the EA area.
 FIG. 32 is an example in which the portion 800 corresponding to the EA area is shown on the DMS diagram 2800 of FIG. 28. FIG. 33 is an example in which the portion 800 corresponding to the EA area is shown on the DMS diagram 2900 of FIG. 29. The EA value is calculated from this EA area.
 For example, for the countermeasure group with countermeasure group ID "MSx" in the countermeasure group evaluation table 117 of FIG. 17, the MS diagrams of its elements are FIGS. 26, 25, and 24, the MO area appears as in FIG. 30 and the EA area as in FIG. 32, and the values are MO = "32" and EA = "10+21+25" = 56. For the countermeasure group with countermeasure group ID "MSy", the MS diagrams of its elements are FIGS. 27, 25, and 24, the MO area appears as in FIG. 31 and the EA area as in FIG. 33, and the values are MO = "40" and EA = "48+21+40" = 69. However, the countermeasure group "MSy" is a development-use security countermeasure, and its EA value is known to be equal to R_SL × R_TO in the integrated DS diagram of the business flows to which it is applied, so it is not set in the countermeasure group evaluation table 117.
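The following Python sketch is an added example, not code from the patent: it rebuilds the integrated DS diagram from FIGS. 19 to 21, classifies the countermeasures of FIGS. 24 to 27, and computes the MO and EA areas for groups MSx and MSy. The names `Flow`, `Measure`, `integrate`, `place`, `mo_area` and `ea_area` are hypothetical, and the emergency-use EA window is assumed to run from time 0 to R_TP + R_TO, which is what yields the 10, 21 and 25 terms quoted above.

```python
"""DS / MS / DMS area evaluation with the values of FIGS. 19-27 (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """Risk reference values of one business flow (one DS diagram)."""
    r_sl: int  # required safety level
    r_tp: int  # time before R_TO starts
    r_to: int  # duration of R_TO


@dataclass(frozen=True)
class Measure:
    """Countermeasure reference values of one countermeasure (one MS diagram)."""
    a_sl: int
    a_tp: int
    a_to: int


def integrate(flows):
    """Integrated DS diagram: largest R_SL, smallest R_TP, largest R_TO."""
    return Flow(max(f.r_sl for f in flows),
                min(f.r_tp for f in flows),
                max(f.r_to for f in flows))


def is_development(m, ds):
    """Development use if A_SL >= R_SL and A_TO >= R_TO, otherwise emergency use."""
    return m.a_sl >= ds.r_sl and m.a_to >= ds.r_to


def place(group, ds):
    """Rectangles (start, end, level) of the MS diagrams in the DMS overlay.

    All-emergency groups are overlaid as they are; a group containing a
    development-use countermeasure has every A_TO start aligned with R_TO.
    """
    align = any(is_development(m, ds) for m in group)
    rects = []
    for m in group:
        start = ds.r_tp if align else m.a_tp
        rects.append((start, start + m.a_to, m.a_sl))
    return rects


def _clip(rect, t0, t1, cap):
    """Clip a rectangle to the time window [t0, t1] and to safety level cap."""
    start, end, level = rect
    return max(start, t0), min(end, t1), min(level, cap)


def mo_area(group, ds):
    """Area covered by the union of the MS rectangles inside R_SL x R_TO."""
    t0, t1 = ds.r_tp, ds.r_tp + ds.r_to
    rects = [_clip(r, t0, t1, ds.r_sl) for r in place(group, ds)]
    rects = [r for r in rects if r[0] < r[1]]
    # Sweep over the time axis: between two cut points the covered height
    # is the highest level among the rectangles spanning that slice.
    cuts = sorted({t0, t1, *(t for r in rects for t in r[:2])})
    area = 0
    for left, right in zip(cuts, cuts[1:]):
        level = max((lv for s, e, lv in rects if s <= left and right <= e),
                    default=0)
        area += (right - left) * level
    return area


def ea_area(group, ds):
    """Sum of the areas each MS rectangle occupies inside the DS window.

    Assumption: for an all-emergency group the window starts at time 0 and
    ends at R_TP + R_TO; with a development-use element it is R_SL x R_TO.
    """
    align = any(is_development(m, ds) for m in group)
    t0 = ds.r_tp if align else 0
    t1 = ds.r_tp + ds.r_to
    total = 0
    for rect in place(group, ds):
        start, end, level = _clip(rect, t0, t1, ds.r_sl)
        total += max(0, end - start) * level
    return total


# Values taken from the figures described on this page.
FLOWS = [Flow(2, 4, 8), Flow(3, 3, 7), Flow(5, 5, 6)]   # FIGS. 19, 20, 21
FIG24 = Measure(1, 1, 11)
FIG25 = Measure(3, 2, 7)
FIG26 = Measure(5, 5, 5)
FIG27 = Measure(5, 3, 9)
MSX = [FIG26, FIG25, FIG24]   # all emergency use
MSY = [FIG27, FIG25, FIG24]   # contains a development-use countermeasure

if __name__ == "__main__":
    ds = integrate(FLOWS)
    for name, group in (("MSx", MSX), ("MSy", MSY)):
        print(name, "MO =", mo_area(group, ds), "EA =", ea_area(group, ds))
```

For MSy the per-countermeasure EA terms computed here are 40, 21 and 8, which sum to the 69 stated above.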
 Here, in the DMS diagram, let f(x) be the function giving the safety level of the applied DS diagram within the R_TP time and the safety level of the applied MS diagram outside the R_TP time, and let g(x) be the function giving the safety level of the applied MS diagram (x is time). The values can then be expressed as follows.
The formula for calculating the EA value for development use is
Figure JPOXMLDOC01-appb-I000001

The formula for calculating the MO value for emergency use is
Figure JPOXMLDOC01-appb-I000002
The formula for calculating the MO value for development use is
Figure JPOXMLDOC01-appb-I000003
 Obtaining the EA value quantifies the extent of risk coverage that can be achieved by implementing the countermeasure group, and obtaining the MO value quantifies the robustness of the countermeasures in the group. Obtaining the standard deviation of each makes it possible to rank countermeasure groups by the magnitude of their EA and MO values.
 We now return to the main flow of FIG. 3. Following step S3411 described above, the communication unit 171 of the security measure determination support apparatus 100 sends a countermeasure evaluation completion notification to the system designer's user terminal 200 and makes the risk analysis table 114, the countermeasure list 115, and the countermeasure list detail table 116 viewable (S3412). The method used to make them viewable is the same as the one used when executing steps S3403 and S3409 described above.
 FIG. 17 shows an example of the countermeasure group evaluation table 117 made viewable on the user terminal 200 in this way. The countermeasure group evaluation table 117 in this embodiment has columns for the countermeasure groups, several of which are created for each risk occurrence location and threat category according to the rule entered on the countermeasure group creation rule input screen 1000 (FIG. 14), and for their evaluation. Each countermeasure group is keyed by its countermeasure group ID and is associated with the countermeasure IDs and implementation types of the combined countermeasures, the use, the MO and EA values, and the standard deviation of each within the category.
 Meanwhile, the system designer decides on a countermeasure model proposal table creation rule based on the design policy and similar considerations, and enters it with the input device of the user terminal 250. In this case, the user terminal 250 accepts the input of the countermeasure model proposal table creation rule via the countermeasure model proposal table creation rule input screen 1100 obtained from the input unit 174 of the security measure determination support apparatus 100, and transmits it to the security measure determination support apparatus 100 (S3413).
 FIGS. 34 and 35 show specific examples of the countermeasure model proposal table creation rule input screen 1100. FIG. 34 shows an example of the input screen 1100 for proposing a development-use countermeasure model, and FIG. 35 shows an example of the input screen 1100 for proposing an emergency-use countermeasure model. In this embodiment, multiple countermeasure groups listed in the countermeasure group evaluation table 117 (FIG. 17) are combined according to a fixed rule to form a countermeasure model. The input screen that accepts this rule is the countermeasure model proposal table creation rule input screen 1100.
 The countermeasure model proposal table creation rule input screen 1100 of this embodiment, illustrated in FIGS. 34 and 35, provides the following setting fields as rule items for creating a countermeasure model: a "use" field that specifies development use or emergency use, a "countermeasure strength to prioritize" field that selects whether to focus on the MO area or the EA area, and a "proposal options" field. The "proposal options" field is for setting additional conditions such as "few risks that cannot be covered" or "short time until R_SL is achieved". The rule items are not limited to these examples; items set in various ways to suit the situation may be adopted, for example that the countermeasure model has few elements.
 Following step S3413 in the flow of FIG. 3, the countermeasure model creation unit 176 of the security measure determination support apparatus 100 creates the countermeasure model proposal table 118 in accordance with the countermeasure model proposal table creation rule (obtained in step S3413). It works through the risk occurrence location and threat categories of the countermeasure group evaluation table 117 in order from the top and determines priority in descending order of the standard deviation of the EA value and of the MO value, respectively (S3414).
 The procedure for creating the countermeasure model proposal table 118 is now described more concretely. FIG. 36 shows detailed flow example 3 of the security measure determination support method in this embodiment. In this case, for each threat category of each risk occurrence location in the countermeasure group evaluation table 117 (FIG. 17), the countermeasure model creation unit 176 of the security measure determination support apparatus 100 numbers the countermeasure group IDs 1, 2, ... in descending order of the standard deviation of the MO value within that category (S3701).
 Next, for each threat category of each risk occurrence location in the countermeasure group evaluation table 117, the countermeasure model creation unit 176 of the security measure determination support apparatus 100 numbers the countermeasure group IDs 1, 2, ... in descending order of the standard deviation of the EA value within that category (S3702).
 Then, for each threat category of each risk occurrence location in the countermeasure group evaluation table 117, the countermeasure model creation unit 176 of the security measure determination support apparatus 100 refers to the countermeasure list 115 and lists, for each countermeasure group ID, the risk cases that the countermeasure group cannot cover (S3703).
 続いて、セキュリティ対策決定支援装置100の対策モデル作成部176は、対策モデル提案表作成ルールに従い、かつ対策グループ評価表117におけるリスク発生箇所の脅威ごとに、EA値とMO値の標準偏差の番号の和が小さい順に番号をつける。この番号が同じ対策グループIDごとに、対策モデル提案表118をまとめる。(S3704)。 Subsequently, the countermeasure model creation unit 176 of the security countermeasure determination support apparatus 100 follows the countermeasure model proposal table creation rule and the standard deviation number of the EA value and the MO value for each threat at the risk occurrence location in the countermeasure group evaluation table 117. Numbers in ascending order. The countermeasure model proposal table 118 is compiled for each countermeasure group ID having the same number. (S3704).
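The numbering in S3701 to S3704 can be traced with a short script. The following Python is an added illustration, not code from the patent: the rows, group IDs, risk case names and EA/MO figures are constructed, the tie-break on group ID is an assumption, and "model n takes the group numbered n in every category" is one reading of S3704.

```python
from collections import defaultdict

CAT_A = ("Web server", "Tampering")        # (risk occurrence location, threat)
CAT_B = ("Database", "Information leak")

# Constructed rows in the spirit of countermeasure group evaluation table 117.
EVALUATION_ROWS = [
    {"category": CAT_A, "group": "G1", "ea_sd": 62.0, "mo_sd": 48.0, "covers": {"R1", "R2"}},
    {"category": CAT_A, "group": "G2", "ea_sd": 65.0, "mo_sd": 60.0, "covers": {"R1", "R2", "R3"}},
    {"category": CAT_A, "group": "G3", "ea_sd": 40.0, "mo_sd": 41.0, "covers": {"R3"}},
    {"category": CAT_B, "group": "G4", "ea_sd": 50.0, "mo_sd": 45.0, "covers": {"R4"}},
    {"category": CAT_B, "group": "G5", "ea_sd": 57.0, "mo_sd": 60.0, "covers": {"R4", "R5"}},
]

# Constructed risk cases per category (stands in for countermeasure list 115).
RISK_CASES = {CAT_A: {"R1", "R2", "R3"}, CAT_B: {"R4", "R5"}}


def rank_descending(rows, key):
    """Number the groups 1, 2, ... starting from the largest value of `key`."""
    ordered = sorted(rows, key=lambda r: (-r[key], r["group"]))
    return {r["group"]: i for i, r in enumerate(ordered, start=1)}


def prioritise(rows, risk_cases):
    """Return {category: [entry, ...]}, entries ordered by their S3704 number."""
    by_category = defaultdict(list)
    for row in rows:
        by_category[row["category"]].append(row)

    result = {}
    for category, members in by_category.items():
        mo_rank = rank_descending(members, "mo_sd")  # S3701
        ea_rank = rank_descending(members, "ea_sd")  # S3702
        entries = []
        for row in members:
            group = row["group"]
            entries.append({
                "group": group,
                "rank_sum": ea_rank[group] + mo_rank[group],
                # S3703: risk cases in this category the group leaves open
                "uncovered": sorted(risk_cases[category] - row["covers"]),
            })
        # S3704: smallest sum first. Ties fall back to group ID (assumption).
        entries.sort(key=lambda e: (e["rank_sum"], e["group"]))
        for number, entry in enumerate(entries, start=1):
            entry["number"] = number
        result[category] = entries
    return result


def build_models(prioritised):
    """Model n combines, across categories, the groups that were numbered n.

    A category with fewer groups contributes nothing to the later models.
    """
    models = defaultdict(list)
    for category, entries in prioritised.items():
        for entry in entries:
            models[entry["number"]].append(
                (category, entry["group"], entry["uncovered"]))
    return dict(models)


if __name__ == "__main__":
    for number, parts in sorted(build_models(prioritise(EVALUATION_ROWS, RISK_CASES)).items()):
        print("model", number)
        for category, group, uncovered in parts:
            print("   ", category, group, "uncovered:", uncovered or "none")
```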
FIG. 37 is a diagram showing an example of the countermeasure model proposal table 118 in this embodiment. In this embodiment, in accordance with the rules entered on the countermeasure model proposal table creation rule input screen 1100 (FIG. 34 or FIG. 35), a plurality of countermeasure groups are combined for each location where a risk occurs, that is, each location where a countermeasure is implemented, to create a countermeasure model for the entire system subject to security measures. A plurality of countermeasure models are created, given item numbers, and presented to the requester (a system designer or the like).
The countermeasure model proposal table 118 in this embodiment contains the following values: the location where the security countermeasure is implemented, a summary of the IDs of the security countermeasures adopted, the risk No. and threat to which the security countermeasure applies, the countermeasure group ID to which the adopted security countermeasure belongs, the countermeasure IDs (newly appearing and already appearing), and the risk cases that cannot be covered.
Thereafter, the communication unit 171 of the security measure determination support apparatus 100 transmits a countermeasure model proposal table creation completion notification to the user terminal 200 of the system designer and makes the countermeasure model proposal table 118 viewable on the user terminal 200 (S3415). The table is made viewable in the same way as in steps S3403, S3409, and S3412 described above.
The user terminal 200 of the system designer, for its part, receives the countermeasure model proposal table 118 and displays it on the output device for the system designer to view. Having viewed the countermeasure model proposal table 118, the system designer weighs implementation cost and other considerations, decides which countermeasure model to adopt, and enters the number of that countermeasure model on the input device of the user terminal 200.
In this case, the user terminal 200 accepts the number of the countermeasure model designated by the system designer through the input device and transmits it to the security measure determination support apparatus 100 (S3416). The input unit 174 of the security measure determination support apparatus 100 receives the countermeasure model number from the user terminal 200 and stores it in the memory 103 or the storage device 101 (S3417).
Subsequently, the specification entry unit 177 of the security measure determination support apparatus 100 retrieves the system cooperation WBS 123 and the application development WBS 124 from the storage device 101 and generates the specification 127 by inserting the requirement definition and design content for the countermeasure model corresponding to the number received from the user terminal 200 into the corresponding parts of the two documents (the system cooperation WBS 123 and the application development WBS 124) (S3418). In the example of the specification 127 shown in FIG. 38, the countermeasure model information 1800 corresponding to the underlined portion in the "1.4. Security countermeasure mechanism" section has been inserted at the insertion location 1801.
The communication unit 171 of the security measure determination support apparatus 100 transmits a specification entry completion notification to the user terminal 200 of the system designer, makes the completed specification 127, that is, the completed system cooperation WBS 123 and application development WBS 124, viewable on the user terminal 200 (S3419), and ends the processing. The specification is made viewable in the same way as in steps S3403, S3409, S3412, and S3415 described above.
Some or all of the configurations, functions, processing units, processing means, and the like described above may be realized in hardware, for example by designing them as an integrated circuit. The configurations, functions, and the like described above may also be realized in software, with the CPU 104 interpreting and executing a program that implements each function. Information such as the programs, tables, and files that implement each function can be placed in a memory, in a recording device such as a hard disk or SSD (Solid State Drive), or on a recording medium such as an IC card, SD card, or DVD.
The control lines and information lines shown are those considered necessary for the explanation; not all control lines and information lines of a product are necessarily shown. In practice, almost all of the components may be considered to be connected to each other.
The best mode for carrying out the present invention has been described specifically above. However, the present invention is not limited to it, and various modifications can be made without departing from the gist of the invention.
According to this embodiment, security measures can be proposed that take the availability of the countermeasure target into account.
The description in this specification makes at least the following clear. In the security measure determination support apparatus of this embodiment, the arithmetic device may, in determining the cover state of the graphic region corresponding to the safety requirement information by the graphic region corresponding to the countermeasure information, place on a predetermined time axis the side of the graphic region corresponding to the safety requirement information that corresponds to the maintenance time of the safety level and the side of the graphic region corresponding to the countermeasure information that corresponds to the maintenance time of the reached safety level, and specify as the cover state the information of the region, within the graphic region corresponding to the safety requirement information, that is defined by the time zone covered by the graphic region corresponding to the countermeasure information and the reached safety level in that time zone.
This makes it possible, for example, to calculate the area of the region where the graphic regions corresponding to the safety requirement information and the countermeasure information overlap, and to present this calculated value, that is, the cover state, to the user as reference information for deciding on a security measure. The calculated value presented here corresponds to the time for which applying the security measure restores the target system and keeps it operating at a predetermined safety level, that is, to availability. The user can therefore easily compare the calculated values across security countermeasure candidates and give priority to the candidate with high availability, that is, a large calculated value, when deciding on a security measure.
In the security measure determination support apparatus described above, the arithmetic device is also characterized in that, in determining the cover state of the graphic region corresponding to the safety requirement information by the graphic region corresponding to the countermeasure information, it specifies the cover state by placing the side of the graphic region corresponding to the safety requirement information that corresponds to the maintenance time of the safety level, and the side of the graphic region corresponding to the countermeasure information that corresponds to the maintenance time of the reached safety level, on the predetermined time axis with their starting point at the time when the allowable recovery time indicated by the safety requirement information has elapsed since operation of the security countermeasure target stopped.
Where the security countermeasure target is assumed to be a system that is under development, or has been developed but is not yet in operation, this makes it possible to present to the user, as reference information for deciding on a security measure, the cover state under the condition that the security measure is applied when the system goes into operation. For example, the area of the region where the graphic regions corresponding to the safety requirement information and the countermeasure information overlap is calculated as the cover state information and presented to the user as reference information for deciding on a security measure.
In the security measure determination support apparatus described above, the arithmetic device may also, in determining the cover state of the graphic region corresponding to the safety requirement information by the graphic region corresponding to the countermeasure information, place on a predetermined time axis the side of the graphic region corresponding to the safety requirement information that corresponds to the maintenance time of the safety level and, for each of a plurality of graphic regions corresponding to the countermeasure information, the side that corresponds to the maintenance time of the reached safety level, and specify as the cover state the information of the region, within the graphic region corresponding to the safety requirement information, that is defined by the time zone covered by the plurality of graphic regions corresponding to the countermeasure information and the overlap of the reached safety levels indicated by the plurality of graphic regions in that time zone.
This makes it possible to present to the user, as reference information for deciding on a security measure, information about the part of the graphic region defined by the maintenance time and safety level of the safety requirement information that is covered more than once by a plurality of graphic regions defined by the maintenance time and reached safety level of the countermeasure information, that is, about the time zone in which a plurality of security measures are applied simultaneously and the safety level in that time zone. For example, the area of the region where the plurality of graphic regions overlap is calculated as the cover state information and presented to the user as reference information for deciding on a security measure.
In the security measure determination support apparatus described above, the storage device may also hold, as the information on the security countermeasure candidates in the countermeasure information, information on development countermeasures, which are applied when the system that is the security countermeasure target is developed and are operated permanently, and information on emergency countermeasures, which are applied when a risk materializes during system operation and are aimed at restoring function. In that case the arithmetic device may, in determining the cover state of the graphic region corresponding to the safety requirement information by the graphic region corresponding to the countermeasure information, place on a predetermined time axis the side of the graphic region corresponding to the safety requirement information that corresponds to the maintenance time of the safety level and the side, corresponding to the maintenance time of the reached safety level, of the graphic region corresponding to the countermeasure information of at least one of the development countermeasure and the emergency countermeasure, and specify as the cover state the information of the region, within the graphic region corresponding to the safety requirement information, that is defined by the time zone covered by the graphic region corresponding to the countermeasure information of at least one of the development countermeasure and the emergency countermeasure and the reached safety level in that time zone.
Suppose two phases are assumed for the system that is the security countermeasure target: an emergency phase, in which the system is restored from a stopped state in as short a time as possible even if the safety level indicated by the safety requirement information is not fully met, and a normal phase, in which the system operates normally with the safety level indicated by the safety requirement information fully met. It then becomes possible to set an emergency countermeasure for the emergency phase in the time zone within a predetermined time of the stopped state, to set a development countermeasure for the normal phase, and to specify the cover state for each.
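The cover-state determinations described above (one countermeasure region, several overlapping regions, and emergency and development countermeasures placed at different positions on the time axis) can all be computed with a single sweep along the time axis. The following Python is an added example, not the patent's implementation: it assumes every region is a rectangle resting on level zero, clips reached safety levels to the required level, takes the second-highest active level as the height of the multiply covered region, and uses constructed values with time in hours.

```python
from collections import namedtuple

# start: where the maintenance-time side sits on the common time axis
# duration: maintenance time; level: (reached) safety level
Region = namedtuple("Region", "name start duration level")


def end(region):
    return region.start + region.duration


def cover_state(requirement, countermeasures):
    """Return covered and multiply covered areas of the requirement region."""
    if requirement.duration <= 0 or requirement.level <= 0:
        raise ValueError("requirement region must have positive area")

    # Cut the requirement window wherever a countermeasure starts or ends.
    cuts = {requirement.start, end(requirement)}
    for c in countermeasures:
        for t in (c.start, end(c)):
            if requirement.start < t < end(requirement):
                cuts.add(t)
    cuts = sorted(cuts)

    covered = overlapped = 0.0
    bands = []
    for t0, t1 in zip(cuts, cuts[1:]):
        # Levels of the countermeasures active over the whole band, clipped
        # to the required level so excess height earns no extra area.
        active = sorted(
            (min(c.level, requirement.level)
             for c in countermeasures
             if c.start <= t0 and end(c) >= t1),
            reverse=True)
        top = active[0] if active else 0.0
        second = active[1] if len(active) > 1 else 0.0
        covered += (t1 - t0) * top
        overlapped += (t1 - t0) * second
        bands.append((t0, t1, top, second))

    required = requirement.duration * requirement.level
    return {
        "required_area": required,
        "covered_area": covered,
        "uncovered_area": required - covered,
        "overlap_area": overlapped,
        "coverage_ratio": covered / required,
        "bands": bands,  # (from, to, covered level, doubly covered level)
    }


# Constructed example: level 3 is required for 20 h, starting once the
# allowable recovery time of 4 h has passed since the stop at t = 0.
REQUIREMENT = Region("requirement", 4.0, 20.0, 3.0)
COUNTERMEASURES = [
    Region("emergency countermeasure E1", 4.0, 6.0, 2.0),     # active 4..10 h
    Region("development countermeasure D1", 8.0, 20.0, 4.0),  # active 8..28 h
]

if __name__ == "__main__":
    state = cover_state(REQUIREMENT, COUNTERMEASURES)
    for t0, t1, top, second in state["bands"]:
        print(f"{t0:5.1f}-{t1:5.1f} h  covered level {top}  doubly covered {second}")
    print("covered", state["covered_area"], "of", state["required_area"],
          "| overlap", state["overlap_area"])
```

In the constructed data the only shortfall is the first four hours, where the emergency countermeasure alone reaches level 2 against a required level of 3.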
In the security measure determination support apparatus described above, the arithmetic device may further execute processing that accepts a user request concerning security measures at an input device, identifies those security countermeasure candidates whose evaluation results correspond to the condition indicated by the user request, generates a security countermeasure model from the identified security countermeasure candidates, and outputs the countermeasure model to an output device.
This makes it possible to identify, from among the security countermeasure candidates, those whose evaluation results correspond to the condition indicated by a user request, and to present to the user a security countermeasure model that includes them. Examples of such conditions are the purpose of the security measure (e.g., emergency countermeasure or development countermeasure), the security measure strength to be prioritized (e.g., either the area of the graphic region corresponding to the safety requirement information that is covered by the graphic region corresponding to the countermeasure information, or the area of the graphic region corresponding to the safety requirement information that is covered more than once by a plurality of graphic regions corresponding to the countermeasure information), and the length of time for which a stopped system can be tolerated.
In the security measure determination support apparatus described above, the arithmetic device may also, when generating and outputting the security countermeasure model, identify the security countermeasure candidates in order of the degree to which their evaluation results correspond to the condition indicated by the user request, sequentially generate the security countermeasure models using the security countermeasure model in order of the degree of correspondence to the condition of the user request, and output each security countermeasure model to an output device.
This makes it possible to present to the user security countermeasure models whose degree of recommendation differs according to how well they match the condition indicated by the user request.
In the security measure determination support apparatus described above, the storage device may further store specification data of the system that is the security countermeasure target, and the arithmetic device may further execute processing that, in connection with the output of the security countermeasure model, accepts at an input device the user's designation of the security measure to adopt and generates a specification by inserting the information of the designated security measure into the corresponding part of the specification data of the system.
Where the system under development is the security countermeasure target, this makes it possible to set the information of the security countermeasure model in the specification of that system and to generate the specification automatically.
DESCRIPTION OF SYMBOLS
10 Security measure determination support system
20 Network
100 Security measure determination support apparatus
101 Storage device
102 Program
103 Memory
104 CPU (arithmetic device)
105 Input device
106 Output device
107 Communication device
108 Internal bus
110 DFD
111 DFD risk reference value table (safety requirement information)
112 Countermeasure type table
113 Countermeasure implementation type table
114 Risk analysis table
115 Countermeasure list (countermeasure information)
116 Countermeasure list details table (countermeasure information)
117 Countermeasure group evaluation table
118 Countermeasure model proposal table
119 R_SL determination table
120 A_SL determination table
121 R_TP, A_TP determination table
122 R_TO, A_TO determination table
123 System cooperation WBS
124 Application development WBS
125 Completed system cooperation WBS
126 Completed application development WBS
127 Specification
171 Communication unit
172 Registration unit
173 Countermeasure list creation unit
174 Input unit
175 Countermeasure evaluation unit
176 Countermeasure model creation unit
177 Specification entry unit
200, 250 User terminal

Claims (9)

  1.  A security measure determination support apparatus comprising:
     a storage device that stores countermeasure information, which includes information on threats affecting a security countermeasure target and on security countermeasure candidates assumed to be applied against the threats, and safety requirement information, which includes information on the information-security safety level required of the security countermeasure target and on the maintenance time of that safety level; and
     an arithmetic device that collates a graphic region whose side lengths correspond to the magnitudes of the safety level and of the maintenance time of that safety level indicated by the safety requirement information with a graphic region whose side lengths correspond to the magnitudes of the reached safety level expected from applying a security countermeasure candidate, and of the maintenance time of that reached safety level, indicated by the information on the security countermeasure candidate in the countermeasure information, determines the cover state of the graphic region corresponding to the safety requirement information by the graphic region corresponding to the countermeasure information, generates an evaluation result for the security countermeasure candidate according to the cover state, and outputs the evaluation result to an output device.
  2.  The security measure determination support apparatus according to claim 1, wherein the arithmetic device,
     in determining the cover state of the graphic region corresponding to the safety requirement information by the graphic region corresponding to the countermeasure information,
     places on a predetermined time axis the side of the graphic region corresponding to the safety requirement information that corresponds to the maintenance time of the safety level and the side of the graphic region corresponding to the countermeasure information that corresponds to the maintenance time of the reached safety level, and specifies as the cover state the information of the region, within the graphic region corresponding to the safety requirement information, that is defined by the time zone covered by the graphic region corresponding to the countermeasure information and the reached safety level in that time zone.
  3.  The security measure determination support apparatus according to claim 2, wherein the arithmetic device,
     in determining the cover state of the graphic region corresponding to the safety requirement information by the graphic region corresponding to the countermeasure information,
     specifies the cover state by placing the side of the graphic region corresponding to the safety requirement information that corresponds to the maintenance time of the safety level, and the side of the graphic region corresponding to the countermeasure information that corresponds to the maintenance time of the reached safety level, on the predetermined time axis with their starting point at the time when the allowable recovery time indicated by the safety requirement information has elapsed since operation of the security countermeasure target stopped.
  4.  The security measure determination support apparatus according to claim 2, wherein the arithmetic device,
     in determining the cover state of the graphic region corresponding to the safety requirement information by the graphic region corresponding to the countermeasure information,
     places on a predetermined time axis the side of the graphic region corresponding to the safety requirement information that corresponds to the maintenance time of the safety level and, for each of a plurality of graphic regions corresponding to the countermeasure information, the side that corresponds to the maintenance time of the reached safety level, and specifies as the cover state the information of the region, within the graphic region corresponding to the safety requirement information, that is defined by the time zone covered by the plurality of graphic regions corresponding to the countermeasure information and the overlap of the reached safety levels indicated by the plurality of graphic regions in that time zone.
  5.  The security measure determination support apparatus according to claim 2, wherein the storage device
     holds, as the information on the security countermeasure candidates in the countermeasure information, information on development countermeasures, which are applied when the system that is the security countermeasure target is developed and are operated permanently, and information on emergency countermeasures, which are applied when a risk materializes during system operation and are aimed at restoring function, and
     the arithmetic device,
     in determining the cover state of the graphic region corresponding to the safety requirement information by the graphic region corresponding to the countermeasure information,
     places on a predetermined time axis the side of the graphic region corresponding to the safety requirement information that corresponds to the maintenance time of the safety level and the side, corresponding to the maintenance time of the reached safety level, of the graphic region corresponding to the countermeasure information of at least one of the development countermeasure and the emergency countermeasure, and specifies as the cover state the information of the region, within the graphic region corresponding to the safety requirement information, that is defined by the time zone covered by the graphic region corresponding to the countermeasure information of at least one of the development countermeasure and the emergency countermeasure and the reached safety level in that time zone.
  6.  The security measure determination support apparatus according to claim 1, wherein the arithmetic device
     further executes processing that accepts a user request concerning security measures at an input device, identifies those security countermeasure candidates whose evaluation results correspond to the condition indicated by the user request, generates a security countermeasure model from the identified security countermeasure candidates, and outputs the countermeasure model to an output device.
  7.  The security measure determination support apparatus according to claim 6, wherein the arithmetic device,
     when generating and outputting the security countermeasure model, identifies the security countermeasure candidates in order of the degree to which their evaluation results correspond to the condition indicated by the user request, sequentially generates the security countermeasure models using the security countermeasure model in order of the degree of correspondence to the condition of the user request, and outputs each security countermeasure model to an output device.
  8.  The security measure determination support apparatus according to claim 6, wherein
     the storage device further stores specification data of the system that is the security countermeasure target, and
     the arithmetic unit further executes a process of, in conjunction with the output processing of the security countermeasure model, accepting at the input device a user designation of the security countermeasure to adopt, and inserting the information of the security countermeasure that received the user designation into the corresponding part of the specification data of the system to generate a specification document.
  9.  A security measure determination support method, wherein a computer comprising a storage device that stores countermeasure information, including information on threats affecting a security countermeasure target and on security countermeasure candidates assumed to be applied against the threats, and safety requirement information, including information on the information-security safety level required for the security countermeasure target and on the maintenance time of that safety level,
     executes a process of: collating a graphic area whose side lengths correspond to the magnitudes of the safety level and of the maintenance time of that safety level indicated by the safety requirement information, against a graphic area whose side lengths correspond to the magnitudes of the reachable safety level assumed from applying the security countermeasure candidate and of the maintenance time of that reachable safety level, as indicated by the information of the security countermeasure candidate in the countermeasure information; determining the cover state of the graphic area corresponding to the safety requirement information by the graphic area corresponding to the countermeasure information; generating an evaluation result of the security countermeasure candidate according to the cover state; and outputting the evaluation result to an output device.
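The cover-state determination of claims 5 and 9 and the ordering of claim 7, as an added example that is not part of the patent text. It assumes each candidate carries a start position on the shared time axis, that overlapping candidates combine by taking the higher reachable level, and that the evaluation result is the covered fraction of the requirement rectangle; all names and sample values are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Requirement:
    level: float      # required safety level (rectangle height)
    duration: float   # maintenance time of that level (rectangle width)

@dataclass(frozen=True)
class Candidate:
    name: str
    level: float      # reachable safety level when the measure is applied
    start: float      # position on the time axis (assumed field)
    duration: float   # maintenance time of the reachable level

def cover_state(req, candidates):
    """Return (covered_area, covered_ratio, gaps) for the requirement rectangle."""
    # Clip each candidate rectangle to the requirement's window and height.
    spans = []
    for c in candidates:
        lo, hi = max(0.0, c.start), min(req.duration, c.start + c.duration)
        if hi > lo:
            spans.append((lo, hi, min(c.level, req.level)))
    # Sweep the time axis between consecutive rectangle edges.
    edges = sorted({0.0, req.duration, *(p for lo, hi, _ in spans for p in (lo, hi))})
    covered, gaps = 0.0, []
    for lo, hi in zip(edges, edges[1:]):
        # Assumption: overlapping measures combine as the highest level reached.
        height = max((lv for s, e, lv in spans if s <= lo and hi <= e), default=0.0)
        covered += height * (hi - lo)
        if height < req.level:
            gaps.append((lo, hi, req.level - height))  # uncovered time zone and shortfall
    return covered, covered / (req.level * req.duration), gaps

def rank(req, options):
    """Order named candidate sets by covered ratio, best first (claim 7 ordering)."""
    scored = [(cover_state(req, cs)[1], name) for name, cs in options.items()]
    return sorted(scored, key=lambda item: (-item[0], item[1]))

# Constructed sample: requirement of level 3 held for 10 time units.
REQ = Requirement(level=3.0, duration=10.0)
DEV = Candidate("countermeasure for development", 3.0, 0.0, 6.0)
EMG = Candidate("countermeasure for emergency treatment", 2.0, 6.0, 4.0)
OPTIONS = {"development only": [DEV], "emergency only": [EMG], "both": [DEV, EMG]}

if __name__ == "__main__":
    for ratio, name in rank(REQ, OPTIONS):
        print(f"{name}: {ratio:.0%} of the requirement area covered")
```

The `gaps` list names the time zones where the requirement is not met and by how much, which is the part of the rectangle a further countermeasure would still have to cover.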
PCT/JP2014/063158 2014-05-19 2014-05-19 Security measure determination assistance device and security measure determination assistance method WO2015177832A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/JP2014/063158 WO2015177832A1 (en) 2014-05-19 2014-05-19 Security measure determination assistance device and security measure determination assistance method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/JP2014/063158 WO2015177832A1 (en) 2014-05-19 2014-05-19 Security measure determination assistance device and security measure determination assistance method

Publications (1)

Publication Number Publication Date
WO2015177832A1 true WO2015177832A1 (en) 2015-11-26

Family

ID=54553532

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2014/063158 WO2015177832A1 (en) 2014-05-19 2014-05-19 Security measure determination assistance device and security measure determination assistance method

Country Status (1)

Country Link
WO (1) WO2015177832A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP6081038B1 (en) * 2016-06-01 2017-02-15 三菱電機株式会社 Security management device, central security management device, security management method, and security management program

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2001101135A (en) * 1999-09-29 2001-04-13 Hitachi Ltd Method and device for evaluating security and method and device for aiding preparation of security measure
JP2006331383A (en) * 2005-04-25 2006-12-07 Hitachi Ltd Tool, method, and program for supporting system security design/evaluation
JP2006350399A (en) * 2005-06-13 2006-12-28 Hitachi Ltd Importance acquisition device, security-design support system, relevance acquisition device, and program
JP2013025429A (en) * 2011-07-19 2013-02-04 Mitsubishi Electric Corp Security evaluation apparatus, security evaluation method of security evaluation apparatus, security evaluation program

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP6081038B1 (en) * 2016-06-01 2017-02-15 三菱電機株式会社 Security management device, central security management device, security management method, and security management program
WO2017208403A1 (en) * 2016-06-01 2017-12-07 三菱電機株式会社 Security management device, central security management device, security management method and security management program

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 14892631

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 14892631

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: JP