The present invention relates to a technology for evaluating the state of security of a system constituted by at least one component, or for supporting the making of security countermeasures specific to the system.
In the business activities of enterprises, information systems based on Internet technology have become an important infrastructure. Also, as interest in connecting intra-enterprise information systems to the Internet has grown, security problems such as illegal access to the intra-enterprise information system and the destruction of information assets by a virus have been recognized.
To protect the information system against such security problems, enterprises have taken individual technical measures against individual security problems, such as setting up a firewall or introducing antivirus software. However, in recent years, it has been desired that security countermeasures specific to the objective information system be taken in a comprehensive manner by analyzing threats to the entire information system, evaluating the state of security of the information system, and making a policy of countermeasures to be taken in the future on the basis of the results of the evaluation.
Against this backdrop, Common Criteria for Information Technology Security Evaluation (IS 15408) was standardized in June, 1999 as a framework for systematically evaluating and constructing the security of information technology products and of information systems constituted by those products. Also, Information Security Policies Made Easy (ISPME), a collection of examples of security policies to be applied to individual information systems, was published by BASELINE SOFTWARE, INC. on Jun. 10, 1997. It was written by Mr. Charles Cresson Wood, a security expert in the U.S., and is centered on the operation and management of information systems.
Also, some people have started to offer, as consultant services, the evaluation of the state of security of an information system and support for making security countermeasures directed toward the information system, based on the above-stated Common Criteria for Information Technology Security Evaluation or the ISPME collection of examples of security policies.