Interesting People mailing list archives
Japan: IT Security, JCSEC criteria
From: David Farber <farber () central cis upenn edu>
Date: Sat, 9 Oct 1993 06:59:53 -0400
Date: Thu, 16 Sep 1993 19:54:42 +0200
From: Klaus Brunnstein <brunnstein () rz informatik uni-hamburg d400 de>
Subject: Japan: IT Security, JCSEC criteria

It is not well recognized in the current discussions in North America and Europe aimed at harmonizing their different criteria (FC, ITSEC) that Japanese organisations are undertaking major efforts to assess and improve the state of IT and communications security also in their country. In order to guarantee their IT industries' opportunities in international markets, they are also looking for a minimum harmonized set of criteria (JCSEC) as a basis of universally applicable product evaluation and certification. Among others, the Information-technology Promoting Agency (IPA) and the Japan Electronic Industry Development Association (JEIDA) have started their respective work with major analyses of the state of security in Japan, North America, Europe and Australia.

IPA, a MITI-funded organisation with interests in AntiVirus measures, sponsored a study which received some attention in 1992. Its basic statement was that the number of hacker-like attacks on systems doubled in recent times while virus infections diminished significantly. It is interesting that IPA's recent statistics about viral events in Japan sharply increased in 1993: from 1990's total of 14 events over 1991's total of 57 events and 1992's 252 events, the partial figures in 1993 (Jan-July) are 366. While findings on Macs (less than 10 reports) and the 19 viruses having appeared so far on the (IBM-incompatible) Japanese PCs (15 reports in 1993) are constant, the very fast growth on IBM-compatible PCs is based on 42 different viruses, with 166 Yankee Doodle, 103 Cascade 1701/1704, 24 Anti-Telefonica, 20 Stoned III or Michelangelo and 14 Form reports in 1993. Though IPA's request for reporting virus events is now known in many enterprises, these figures do NOT indicate the exact number of infections but only show the relative development: growth.
As its basis for future work, JEIDA has published a "Summary Report on the Worldwide Survey for Information Systems Security in Nine Nations", conducted by Coopers & Lybrand, in March 1993. The survey, which is based on 1,059 questionnaires filled in by enterprises in Japan (39%), Australia (21%), North America (15%) and Europe (13%), analyses the state of security consciousness (chapter 1), experience with incidents (ch. 2: e.g. malfunction of hardware >75%, introduction of viruses >30%, theft of equipment about 10%, disclosure of passwords 10%, etc.), and IS security measures taken (a rather detailed analysis, ch. 3). An analysis of the cost of IS security measures (ch. 4) and IS risk analysis (ch. 5), motivating factors (ch. 6) and development priorities (ch. 7) concludes this study (17 pages). For detailed analysis, it would be helpful to complement the high-quality colour print with a volume containing more details of the raw data, but this "JEIDA Study" is worth reading for worldwide comparison.

JEIDA published another study in August 1992, "Japanese Computer Security Evaluation Criteria: Functional Requirements (Draft V1.0)", which has not been recognised so far in the Western discussion (similar to Russia's development, published in December 1992, though in Russian). JEIDA's study (in English), developed after MITI guidelines, describes (ch. 1: Introduction) functionality requirements, with the scope of the "Target of Evaluation" (TOE) and target models, and gives detailed "Functional Requirements" (ch. 2), including minimum requirements for Identification and Authentication (2.1), Access Control (2.2), Accountability (2.3), Auditing (2.4), Object Reuse (2.5), Integrity (2.6), Reliability of Service (2.7) and Data Exchange (2.8).
Though the structure conforms to ITSEC concerning the 8 basic function categories, JCSEC evidently follows the US Minimal System Function Requirements philosophy, which is also basic to the work of ECMA (European Computer Manufacturers Association) and ISO/IEC JTC1 SC 27. The report (26 pages) ends with a graph describing the different security criteria in the USA, Europe, Japan and ISO, followed by a glossary with informal definitions of essential terms. Though the assurance part of JCSEC has not been published so far (due end of 1993), it seems as if ITSEC's assurance levels may play the role of related "Minimum Assurance Requirements" (rather than the complex assurance descriptions in the US Federal Criteria).

JEIDA officials motivated their work on JCSEC generally with their vendors' experience when attempting to sell Japanese IT systems in Australia. Following regulations for Australian government installations, which seem also to be applied by major Aussie enterprises, Japanese installations had to undergo a security evaluation process which was partly difficult as most documents were not available in English. When forced to prepare evaluation and certification of their products in non-Japanese countries, MITI and Japanese vendors evidently concluded that a set of internationally harmonized criteria with minimum requirements would serve their interests best. Moreover, Japanese vendors seem to favour self-evaluation of security functions, as opposed to evaluation by independent institutions as practised or prepared in the USA and Europe.
As some of these ideas are also shared by IT vendors outside Japan (see ECMA's approach), the Japanese involvement may add fresh wind to the international ITSEC discussion, which is presently dominated by the USA/Canada and Europe (including their preoccupations :-)

Klaus Brunnstein (Univ-Hamburg, September 16, 1993)

PS: JEIDA's address is: Japan Electronic Industry Development Association, JEIDA, Kikai-Shinko-Bldg., 3-5-8 Shiba-Koen, Minato-ku, Tokyo 105 JAPAN.