rainit2006 / CISSP


IT Security governance #11

Open rainit2006 opened 1 month ago

rainit2006 commented 1 month ago

Information security governance

https://manebi.co.jp/column/m-0057/

Basic concepts

Compliance

Compliance means strictly observing laws and rules. Governance is the management system for making sure that laws and rules are observed. Given the relationship between the two terms, it is fair to say that compliance is included within governance.

Compliance training and governance training are needed

If, in the name of governance, rules and mechanisms are simply imposed, employees may well not follow them because they find them a hassle. Deepening understanding of governance and compliance helps prevent misconduct before it happens. This protects the company and at the same time promotes its growth, so it is a major benefit for employees too. The whole company must be given the basic knowledge of why it is necessary, and then it must be put into practice.

Framework

According to the Ministry of Economy, Trade and Industry's "Guidance for Introducing Information Security Governance", the framework for establishing information security governance consists of the following five elements. https://www.meti.go.jp/policy/netsecurity/docs/secgov/2009_JohoSecurityGovernanceDonyuGuidance.pdf

Case studies: ITOCHU Corporation, Komatsu

https://www.ipa.go.jp/archive/jinzai/skill-standard/uiss/qv6pgp000000bu3w-att/000010538.pdf

rainit2006 commented 1 month ago

Start with a self-declaration. SECURITY ACTION for small and medium-sized enterprises.

https://www.ipa.go.jp/security/security-action/sa/index.html There are "★ one-star" and "★★ two-star" logo marks according to the stage of the initiative, and the logos can be used free of charge. For example, to use the "★ one-star" logo, a company must work on the following "Five Articles of Information Security".

  1. Always keep the OS and software up to date!
  2. Install anti-virus software!
  3. Strengthen passwords!
  4. Review sharing settings!
  5. Know the threats and attack methods!

All five are important security measures that must be carried out.

★★ Two stars: This logo mark indicates a small or medium-sized enterprise that has assessed its own situation using the "Five-Minute Information Security Self-Assessment" in the appendix of the Information Security Measures Guidelines for SMEs, has established an information security basic policy*1, and has declared that it has published it externally.

"Five-Minute Information Security Self-Assessment" https://www.ipa.go.jp/security/sme/f55m8k0000001waj-att/000055848.pdf

rainit2006 commented 1 month ago

Important Governance Frameworks for Information Security Governance

A security governance framework typically consists of the following components:

rainit2006 commented 1 month ago

Collection of case studies on the actual state of IT governance at financial institutions (reference guide)

https://www.fsa.go.jp/news/r3/20220630/it03.pdf

rainit2006 commented 1 month ago

How can you create a successful cybersecurity governance framework?

https://www.linkedin.com/advice/0/how-can-you-create-successful-cybersecurity-governance-vfgnc

  1. Assess your current state
  2. Define your vision and goals
  3. Establish your policies and standards
  4. Assign your roles and responsibilities
  5. Implement and monitor your framework
  6. Review and improve your framework

other comments:

Here are the key steps one can take:

  1. Understand Business Objectives: Align the cybersecurity framework with the overall business objectives
  2. Risk Assessment: Conduct a thorough risk assessment to identify and prioritize potential cybersecurity risks
  3. Define Policies and Procedures: Develop clear and comprehensive cybersecurity policies
  4. Security Controls: Implement security controls to mitigate identified risks, considering both tech and non-tech measures
  5. Board and Executive Involvement: Ensure active involvement and support from the board and executive leadership
  6. Employee Training and Awareness: Provide regular training to employees and create awareness
  7. Continuous Monitoring: Implement continuous monitoring to detect and respond

In order to develop a working vision for an organization it is important to ensure all of the stakeholders participate. My first order would be to understand who needs to participate - Legal, Human Resources, and senior leadership are usually universal participants in every organization. I then take their requirements and vision and develop a harmony between these visions as I am adding what I believe are my team's goals and vision. I also would tie in maturity to the vision - you cannot be NIST SP800-53 compliant overnight! This level of compliance takes time, maturity of process, resources who understand the controls, etc. So the vision needs to take into account where your maturity is today as an organization and where it will be.

rainit2006 commented 1 month ago

Example

■ Information Management Guidelines
■ Rules for PC/smartphone use
■ System Operation and Maintenance Terminal Management Guidelines
■ Security check process for XXX Product & Service
■ Sharing & Handling process of Vulnerability Information
■ Security Checklist for XXX Systems
■ Security Checklist for IoT Devices
■ Subcontractors Security Checklist
■ "Personal Information Protection Act"
■ Precautions for using generative AI
■ Risk of Targeted Attacks
■ Response to a Security Incident
■ Retention period for information assets
■ Company Regulations, etc.
■ XXX Global IP & Domain Management Policy
■ XXX Security Consultation desk

rainit2006 commented 1 month ago

Information security strategy example

An Information Security Strategy is an organizational plan for protecting sensitive information from unauthorized access, use, disclosure, destruction, or modification. It is a set of guidelines for an organization to ensure the safety and integrity of its data and systems. The strategy is based on the organization's security objectives and its risk assessment results, and covers all aspects of Information Security, including application security, infrastructure security, encryption, user access control, and more.

To establish the goals that the IS governance framework must achieve, the organization must first identify its Information Security objectives. Those objectives should be based on the organization's risk assessment, which should identify the threats, vulnerabilities, and impacts associated with the organization's data and systems. Once the objectives are identified, the organization can develop a strategy to meet those objectives.

The strategy should include steps to protect the organization's data and systems, such as implementing security controls, developing incident response plans, and developing and implementing user access control policies. The strategy should also include measures to ensure the continued protection of the organization's data and systems, such as periodic reviews of the security controls and regular security training for employees.

The strategy should also take into account any applicable laws and regulations, as well as any industry standards and best practices. Additionally, the strategy should consider the organization's budget, resources, and timeline for implementation.

Constraints affecting the strategy building may include the availability of resources, budget, and personnel. Additionally, the strategy may be constrained by the organization's existing infrastructure and technology, or by the laws and regulations that govern the organization. The strategy should also take into account any external factors, such as the threat landscape, industry standards, and customer expectations. Finally, the strategy should consider the organization's culture, values, and goals.

  1. Understanding business objectives
  2. Identifying and classifying assets
  3. Performing a gap analysis
  4. Defining security objectives & purposes, solutions
  5. Estimating the security strategy budget
  6. Defining timelines
  7. Information security strategy constraints