1. Field of the Invention
The present invention relates to establishment of a so-called security policy. More particularly, the present invention relates to a method and apparatus which enable immediate establishment of a security policy suitable for an individual organization, as well as to a method and apparatus for supporting establishment of a security policy.
2. Background Art
In association with development of information technology, the importance of information security increases. Every organization takes various measures for protecting internal information.
For example, a firewall is set at an interface for establishing connection with an external network, thereby preventing unauthorized intrusion of the outsider into an internal network of the organization, or unauthorized access to internal information.
In order to combat viruses or the like, virus detection/combat software is employed for monitoring computers disposed in the organization. Throughout the specification, the expression “organization” signifies an enterprise, a federal or municipal agency, a corporation such as a legally-incorporated foundation, or any other party or organized group.
As mentioned above, various measures have hitherto been taken for ensuring information security.
If such measures are independently or separately discussed or reviewed, ensuring the security level of the entire organization becomes difficult.
For instance, no matter how well a firewall is enhanced, if third parties can freely enter the organization's building and have an opportunity to operate a terminal, the security level of the entire organization is considerably deteriorated.
Even if virus detection software is used, if updating of software for opposing new viruses is neglected, the software cannot combat newly created computer viruses.
In order to enhance the information security level of the entire organization, there must be devised a method for designing and implementing information security of the entire organization. Such a designing and implementation method (or a group of designing and implementation methods) is generally called a security policy.
Various proposals concerning basic headings and contents for establishing a standard security policy have already been put forward as international guidelines. As a matter of course, the headings and contents must be individually tailored to the organization.
Therefore, there still remains a necessity for establishing a security policy on a per-organization basis; security policies cannot be mass-produced. Thus, establishment of an individual security policy involves consumption of much time and effort.
Further, contents of a security policy must be changed with elapse of time. For instance, in a case where a corporate organizational structure has been changed, usage value and risk assessment of existing information must be changed correspondingly.
A common method concerning establishment of a security policy and making periodic amendments to the security policy has not been known. For this reason, individual systems engineer has had to establish or amend a security policy through experience and guess work. As a result, establishment of or making amendments to a security policy consumes an enormous amount of manpower. It is assumed that amendments may fail to catch up with a change in the actual circumstances (hereinafter called “reality”) of an organization.
It has often been seen that a wide difference arises between a security policy and the reality of an organization, thereby imposing difficulty in establishing and sustaining enhanced information security.
The present invention has been conceived in light of the foregoing drawbacks of the background art and is aimed at providing a method of efficiently establishing a security policy, as well as an apparatus for supporting establishment of a security policy.