CyberSecurityAssesment

Columns: Serial No. / Chap. (chapter-section-item) / Title / Description

2-1 Asset Management

Companies shall sort out/identify assets that could be affected by security incidents such as information leaks and suspension of business, and manage them, so that they can appropriately measure and determine the extent of a security incident as well as the damage.

1 (2-1-1) Create network diagram
The information asset administrator must prepare a network diagram (to get a grasp of all the systems).

2 (2-1-1') Create list of important data
The information asset administrator must prepare a list of the important data that each group company has/handles (technical data, management data, individual/personal information data, etc.).

3 (2-1-1') Create owned system list
The information asset administrator must prepare a list of the systems that each group company has (accounting system, sales management system, etc.).

4 (2-1-1') Create used application list
The information asset administrator must prepare a list of the software in use (email software, office software, etc.).

5 (2-1-1') Create owned PC list
A list of the owned personal computers and servers, together with the software used on those platforms (OS, middleware, etc.).
Personal computer: desktop, notebook, tablet, etc.

2-2 Understanding of business environment

Companies shall share their business environment and mission/target and identify the services/operations that are critical to business continuity, so that they can prioritize cyber-attack defense and response measures.

6 (2-2-1) Understanding your business
Identify the company's mission/target/activities and share them within the company and with external entities such as affiliated companies and vendors.

7 (2-2-2) Understanding business impact & BCP
Understand the impact that suspension of services and operations has on the business, and clarify requirements related to business and service continuity such as maximum tolerable downtime and target recovery time (recovery time objective).

2-3 Risk assessment and prioritization

There are several flavors of cyber threats, and new cyber threats keep emerging. It is impossible to completely defend assets against cyberattacks, and there are no absolute anti-cyberattack measures. Therefore, it is important to identify threats and risks and prioritize anti-cyberattack measures/responses.

8 (2-3-1) Information gathering on cyber attacks
Keep up with cybersecurity threats.

9 (2-3-2) Grasp the impact of cyber attacks
Consider possible cyberattack scenarios against the company and understand the impact that a cyberattack would have on its assets.

10 (2-3-3) Understanding cyber attack countermeasures
Get a grasp of the implementation status of countermeasures against cyber threats at the company.

11 (2-3-4) Prioritizing cyber attack risk
Analyze the risks that the company faces, decide how to address them, and prioritize countermeasures. Countermeasures to address risks are classified into three levels: "risk reduction" (fix vulnerabilities by applying security patches, etc.), "risk acceptance" (take no action for low-level risks) and "risk avoidance" (eliminate the root cause). Specify which countermeasure is to be taken for each identified risk.

3-1 Vulnerabilities management

System vulnerabilities are one cause of cyberattack incidents. Applying security patches is effective in preventing attacks that exploit system vulnerabilities (proactive measures). Vulnerabilities are found on a daily basis; therefore, constantly gather vulnerability information and take action.
It is also important to check that actions/measures to address vulnerabilities have actually been taken, via vulnerability scanning, etc.
Furthermore, since the window between an identified vulnerability and its fix (patch application) is itself targeted by attackers, if a high-risk vulnerability is identified, take action promptly.

12 (3-1-1) PC patch application
For personal computers, an IT infrastructure administrator should select high-priority security patches. The high-priority patches need to be applied in a timely manner.

13 (3-1-2) Server patch application
For servers, identify and categorize systems to which a security patch needs to be applied immediately, as well as systems to which a security patch cannot be applied immediately (needs schedule adjustment, testing), and set priority. For systems to which a security patch cannot be applied immediately, determine what action to take based on the impact that the vulnerability would have on the business (e.g. apply the patch during routine maintenance or a version update, or take no action (risk acceptance), etc.). Record that decision and its owner, so that an unpatched server is a documented exception rather than an unknown.

14 (3-1-3) Grasp of patch application status
Apply security patches to all target devices/systems based on the system categorization and priority. Ensure that it can be objectively confirmed (from inventory or tool data, not self-reporting) that security patches are applied to all target devices/systems.

15 (3-1-4) Grasp vulnerability information
Keep up with the latest vulnerability information.

16 (3-1-5) Conduct vulnerability scan
Perform vulnerability scanning of the systems reachable over the internet, using a tool, regularly and at the time of a new system release or system update.
Vulnerability scan: executing various attacks against the system in an artificial manner to identify problems that may be exploited by attackers, such as program weaknesses and files and folders with improper access permissions. It is implemented through the ledger management performed by the YMC group.
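Items 3-1-2 and 3-1-3 ask for an objective view of which hosts lack which patches, with server exceptions recorded rather than silently tolerated. The following is an added example (not part of the assessment, and not any tool the YMC group uses) of that check over a constructed inventory. Assumptions made here: every catalog patch has a priority and a release date; high-priority patches are due within HIGH_PRIORITY_SLA_DAYS of release (the answer levels for item 3-1-1 treat "more than one week" as a failure); a server may carry a documented exception per item 3-1-2, which is reported as an accepted gap, not an overdue one. All hostnames and patch identifiers are made up.

```python
from dataclasses import dataclass, field
from datetime import date

# Added example, not part of the assessment: objective patch-status check (item 3-1-3).
# Assumptions: catalog patches carry a priority and release date; high-priority patches
# are due within HIGH_PRIORITY_SLA_DAYS (one week, per the item 3-1-1 answer levels);
# a documented exception (item 3-1-2) turns a missing patch into an accepted gap.

HIGH_PRIORITY_SLA_DAYS = 7

@dataclass(frozen=True)
class Patch:
    id: str
    priority: str        # "high" or "normal"
    released: date

@dataclass
class Host:
    name: str
    kind: str            # "pc" or "server"
    installed: set
    exceptions: dict = field(default_factory=dict)   # patch id -> documented reason

# Constructed catalog and inventory; identifiers are made up for the example.
CATALOG = [
    Patch("KB-1001", "high", date(2020, 3, 1)),
    Patch("KB-1002", "normal", date(2020, 3, 5)),
    Patch("KB-1003", "high", date(2020, 3, 12)),
]
INVENTORY = [
    Host("pc-01", "pc", {"KB-1001", "KB-1002", "KB-1003"}),
    Host("pc-02", "pc", {"KB-1002"}),                     # both high-priority patches missing
    Host("srv-db", "server", {"KB-1001"},
         exceptions={"KB-1003": "apply in April maintenance window, change C-42"}),
    Host("srv-web", "server", {"KB-1002"}),               # KB-1001 missing, no exception
]

def patch_findings(hosts, catalog, today_iso):
    """Return (host, patch_id, status) for every catalog patch a host lacks."""
    today = date.fromisoformat(today_iso)
    findings = []
    for host in hosts:
        for p in catalog:
            if p.id in host.installed:
                continue
            age = (today - p.released).days
            if p.id in host.exceptions:
                status = "accepted: " + host.exceptions[p.id]
            elif p.priority == "high" and age > HIGH_PRIORITY_SLA_DAYS:
                status = f"OVERDUE high-priority, {age} days since release"
            elif p.priority == "high":
                status = f"pending high-priority, {age} days since release (within SLA)"
            else:
                status = "pending normal-priority"
            findings.append((host.name, p.id, status))
    return findings

def overdue_hosts(hosts, catalog, today_iso):
    """Hosts with at least one high-priority patch outside the SLA and no exception."""
    return sorted({h for h, _, s in patch_findings(hosts, catalog, today_iso)
                   if s.startswith("OVERDUE")})

if __name__ == "__main__":
    for row in patch_findings(INVENTORY, CATALOG, "2020-03-15"):
        print("%-8s %-8s %s" % row)
    print("overdue:", overdue_hosts(INVENTORY, CATALOG, "2020-03-15"))
```

The point of the exception field is that the L3 answer for item 3-1-2 ("applied according to policy based on the impact") is only verifiable if every deliberately unpatched server has a written reason; a host that is simply absent from the report is the L1 case ("application status is not grasped").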

3-2 Strengthening clients and servers

Companies shall implement cyber security measures on clients (PCs)/servers in order to minimize security incidents.

17 (3-2-1) PC security settings
Define standard secure configurations for operating systems and applications and set up personal computer environments accordingly. Ensure that environments are set in accordance with the standard secure configuration.
The secure configuration covers:
・Windows Update
・Anti-virus software
・Authentication (PIN, password)
・Encryption

18 (3-2-2) Creation of OS / application installation procedure
Establish operating system/application installation procedures and change management procedures (version update, adding licenses, etc.) for personal computers, so that IT infrastructure administrators can implement security measures.

19 (3-2-3) Change default password
Ensure that the default passwords of personal computers, servers, software, databases, etc. are changed.

20 (3-2-3') Set passwords that cannot be guessed
Ensure that easy-to-guess passwords are not used.

21 (3-2-4) Prohibition of file sharing
Ensure that folder sharing on personal computers is not performed. When personnel have no choice but to share a folder, an IT infrastructure administrator shall confirm the intended use and grant permission.

22 (3-2-5) Prohibition of remote operation of personal computers
Ensure that remote operation (remote desktop connection) of personal computers is not performed. When a staff member has no choice but to perform remote operation, an IT infrastructure administrator shall confirm the intended use and grant permission.

23 (3-2-6) PC log recording
For personal computers, determine the scope of terminal audit records and logging, and log important security events.

24 (3-2-7) Appropriate access right setting of the system
Define, implement and enforce access controls, such as authentication-based access controls, to ensure that only authorized personnel can access essential systems.

25 (3-2-8) Server log recording
Determine the scope of server audit logs/logging records and log important security events.

26 (3-2-9) Server remote operation encryption
Perform all remote administration of servers and network devices over an encrypted channel (SSH※3, SSL/TLS※4 or IPsec※5). Telnet, FTP and unencrypted HTTP management interfaces do not qualify; for Windows servers administered over RDP, configure the TLS security layer and Network Level Authentication rather than the legacy RDP security layer.
※3 SSH (Secure Shell) is a mechanism for safely operating a remote computer by means of encryption and authentication.
※4 SSL (Secure Sockets Layer) is a mechanism for sending and receiving encrypted data over the internet; its successor TLS (Transport Layer Security) is what current deployments should use, as all SSL versions are deprecated.
※5 IPsec is a protocol that provides tamper detection and concealment (confidentiality) on an IP-packet basis using encryption technology.

3-3 Network security management

Companies shall implement network security management in order to prevent intrusion and information leaks from within, maintain network security, and protect information assets. In particular, companies need to detect/identify unauthorized inbound and outbound communications via the internet and take appropriate action. In these guidelines, "network perimeter" refers to the boundary between the company internal / group internal network (intranet) and the internet.

27 (3-3-1) Internet access restrictions
Configure firewall or UTM settings to block all non-permitted access at the network perimeter (default deny in both directions; permit only what the business requires).

28 (3-3-2) Entrance measures for the internet
Introduce entry point control measures (services, devices and software) to prevent malware and unauthorized inbound communications.

29 (3-3-3) Exit measures for the internet
Be able to block communication to specific URLs, domain names, and IP addresses for traffic from inside the company to the internet.

3-4 Anti-malware measures

Malicious code (malware: viruses, ransomware, worms, and trojan horses) results in systems going down, delays, stolen admin credentials, exploitation of IDs/passwords, direct or indirect effects on systems, and becomes a threat to companies. Therefore, companies need to implement anti-malware measures to prevent execution of malicious code or to achieve early malware detection.

30 (3-4-1) Introducing anti-malware software
Ensure that anti-malware software that detects malicious code and prevents system intrusion is installed on personal computers/servers, and that there is a mechanism by which the IT infrastructure administrator can check and control the update status through centralized management of signatures (version and definition file updates).

31 (3-4-2) Signature management of anti-malware software
Centrally manage the signature files of the anti-virus software on each personal computer/server, or implement a mechanism that allows an IT infrastructure administrator to check signature update status.

3-5 Data recovery

When attackers compromise machines, they often make changes to configuration and software. Without a trustworthy data recovery capability it can be extremely difficult to remove all aspects of the attacker's presence on the machine. There are also cases where important data is deleted or becomes inaccessible due to encryption by ransomware. Therefore, it is important to have a trustworthy data recovery capability.

32 (3-5-1) Implementation of system backup
Ensure that each system is backed up on a regular basis.

33 (3-5-2) Create a backup procedure
Establish backup procedures for the OS, applications, and data on each machine, respectively. (Servers only.)

34 (3-5-3) Isolation of backup
Ensure that the backup destination is not continuously addressable through operating system calls from the backup source. This mitigates ransomware that encrypts every location it can reach through ordinary file-system calls: a permanently mounted network share or a second local disk is reachable in that way, whereas a destination that is written only through a separate backup protocol and separate credentials, that pulls data from the source rather than being written by it, that is taken offline between runs, or whose stored copies are immutable for the retention period is not. Verify the isolation by restoring from it, not only by inspecting the configuration. (Servers only.)

3-6 Administrator privilege management

Once administrative privilege is misused by attackers, they can completely control the machine and exploit important information or passwords using software (key logger, network wiretapping, remote control software, etc.). There is also a risk of the machine being exploited as a springboard for attacks against other systems. Therefore, companies need to properly manage administrative privileges.

35 (3-6-1) Monitoring operation of administrator accounts
Minimize administrative privileges and only use them when they are required. Implement auditing of the use of administrative privileges to monitor anomalous behavior.

36 (3-6-2) Monitoring registration of AD administrator accounts
Configure the system to issue log entries and alerts when an account is added to or deleted from the Domain Admins group.

37 (3-6-3) Prohibition of direct logon to the UNIX server administrator account
Administrators should be required to access a UNIX server using non-administrative accounts. Once logged on, an administrator should transition to administrative privilege (e.g. via su or sudo), so that every privileged action is attributable to a named person.
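The L3 answer for item 3-6-3 is "SSH is configured so that logon by root cannot be done directly". Below is an added example (not part of the assessment) of auditing an sshd_config for that condition using OpenSSH's own parsing rules: keywords are case-insensitive, the first value given for a keyword wins, and anything after a Match line applies only to matching connections, so a Match block can quietly re-enable root for one address range. It assumes OpenSSH 7.0 or later, whose default for PermitRootLogin is prohibit-password (root may still log in with a key, so only an explicit "no" satisfies the item), and it does not follow Include directives. The four configuration texts are constructed for the example.

```python
# Added example, not part of the assessment: audit sshd_config for item 3-6-3.
# Parsing rules mirrored from OpenSSH: keyword case-insensitive, first value wins,
# settings after a Match line belong to that Match block. Assumes OpenSSH >= 7.0
# (default PermitRootLogin = prohibit-password); Include directives are not followed.

DEFAULT_PERMIT_ROOT_LOGIN = "prohibit-password"

def parse_sshd_config(text):
    """Return (global_settings, match_blocks).

    global_settings: lower-cased keyword -> first value seen before any Match line.
    match_blocks: list of (criteria, {keyword: value}) in file order.
    """
    global_settings, match_blocks = {}, []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):      # blank or full-line comment
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            current = {}
            match_blocks.append((value, current))
            continue
        target = global_settings if current is None else current
        target.setdefault(key, value)              # first occurrence wins
    return global_settings, match_blocks

def audit_root_login(text):
    """Return (compliant, findings) for 'no direct root logon over SSH'."""
    global_settings, match_blocks = parse_sshd_config(text)
    effective = global_settings.get("permitrootlogin", DEFAULT_PERMIT_ROOT_LOGIN).lower()
    findings = []
    compliant = effective == "no"
    if not compliant:
        findings.append(f"global PermitRootLogin is '{effective}' (expected 'no')")
    for criteria, settings in match_blocks:
        if settings.get("permitrootlogin", "no").lower() != "no":
            compliant = False
            findings.append(f"Match {criteria}: PermitRootLogin "
                            f"{settings['permitrootlogin']} re-enables root logon")
    return compliant, findings

# Constructed samples.
SAMPLE_WEAK = """
Port 22
PermitRootLogin yes
PermitRootLogin no
"""                      # second line is ignored: first value wins, so root is allowed
SAMPLE_DEFAULT = """
Port 22
PasswordAuthentication no
"""                      # no PermitRootLogin at all: default still allows root with a key
SAMPLE_HARDENED = """
PermitRootLogin no
PasswordAuthentication no
Match Address 10.0.0.0/8
    PasswordAuthentication yes
"""
SAMPLE_MATCH_OVERRIDE = """
PermitRootLogin no
Match Address 192.0.2.0/24
    PermitRootLogin yes
"""                      # looks compliant at the top; the Match block undoes it

if __name__ == "__main__":
    for name in ("SAMPLE_WEAK", "SAMPLE_DEFAULT", "SAMPLE_HARDENED", "SAMPLE_MATCH_OVERRIDE"):
        ok, why = audit_root_login(globals()[name])
        print(name, "PASS" if ok else "FAIL", why)
```

Run it against the real file with `audit_root_login(open("/etc/ssh/sshd_config").read())`; on distributions that ship `/etc/ssh/sshd_config.d/`, remember that included files are not parsed here, and compare with `sshd -T`, which prints the effective configuration.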

3-7 Access control

When both highly confidential information and non-confidential information are stored on the same network, attackers could easily take out the highly confidential information after they intrude into the internal network. Therefore, companies need to implement access control such as network segmentation according to the importance of the information.

38 (3-7-1) Network division of confidential information
Segment the network according to the level of importance of the information.

39 (3-7-2) Access right setting of confidential information
Implement access control on all information stored on the system using the access control functions of the file system, file sharing server, application and database. Ensure that only authorized users can access the information.

40 (3-7-3) Encryption of communication
Use encrypted communication (HTTPS, SSH, LDAPS, VPN, etc.) when communicating confidential information (IDs, passwords, personal information, etc.) over the internet.

41 (3-7-4) Encryption of confidential information
Important information that requires high confidentiality, personal information classified as confidential, and information that is required to be encrypted under rules such as laws should be stored in an encrypted state.

3-8 Protection of email and browsers

Since web browsers and email clients directly interact with other systems and websites over the internet, they are often used as entry points for cyberattacks. Because of their technical complexity and flexibility, it is important to take appropriate measures to reduce the risks.

42 (3-8-1) Web browser settings, update
Web browsers should be versions that still receive security support and should have the latest security patches applied.

43 (3-8-1') E-mail client settings, update
Email clients should be versions that still receive security support and should have the latest security patches applied.

44 (3-8-2) Prohibition of add-ons to web browsers
Uninstall or disable prohibited browser plug-ins or add-on applications.

45 (3-8-2') Prohibition of add-ons to email clients
Uninstall or disable prohibited email plug-ins or add-on applications.

46 (3-8-3) Recording internet usage log
Log all URL requests sent to the internet.

47 (3-8-4) Internet filtering
Implement URL filtering to restrict access to unauthorized websites.

48 (3-8-5) Virus check on mail server
Scan all attachments arriving at the email gateway and block them if they contain malicious code.
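Items 3-3-3 and 3-8-4 both come down to one decision a proxy or URL filter makes per request: is this destination on the blocklist? The following is an added example (not part of the assessment, and not the YMC group's filtering product) of that decision with the two edge cases that trip up naive implementations: a listed domain must cover its subdomains but not unrelated names that merely end in the same letters (notevil.example is not evil.example), and a destination given as an IP literal must be matched against CIDR ranges rather than strings. The blocklists and URLs are constructed for the example.

```python
import ipaddress
from urllib.parse import urlsplit

# Added example, not part of the assessment: per-request egress decision for items
# 3-3-3 and 3-8-4. Assumptions: a listed domain also covers all of its subdomains;
# IP entries are CIDR networks; URL entries are exact prefixes. Blocklists below are
# constructed from documentation ranges and made-up names.

BLOCKED_DOMAINS = {"evil.example", "tracker.example"}
BLOCKED_NETWORKS = [ipaddress.ip_network("198.51.100.0/24"),
                    ipaddress.ip_network("2001:db8:bad::/48")]
BLOCKED_URL_PREFIXES = ("http://good.example/payload/",)

def _normalize_host(host):
    # Case-insensitive, and "evil.example." (trailing dot, fully qualified) == "evil.example".
    return host.lower().rstrip(".")

def domain_is_blocked(host, blocked=BLOCKED_DOMAINS):
    """True if host equals a listed domain or is a subdomain of one.

    Matching is on label boundaries: the candidate suffixes of "a.evil.example" are
    "a.evil.example", "evil.example", "example", so "notevil.example" never matches.
    """
    labels = _normalize_host(host).split(".")
    return any(".".join(labels[i:]) in blocked for i in range(len(labels)))

def ip_is_blocked(host, networks=BLOCKED_NETWORKS):
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False                     # a hostname, not an IP literal
    return any(addr in net for net in networks)

def decide(url):
    """Return (allowed, reason) for one outbound request URL."""
    host = urlsplit(url).hostname        # strips userinfo, port and IPv6 brackets
    if not host:
        return False, "unparseable host"
    if any(url.startswith(prefix) for prefix in BLOCKED_URL_PREFIXES):
        return False, "url on blocklist"
    if ip_is_blocked(host):
        return False, f"ip {host} in blocked network"
    if domain_is_blocked(host):
        return False, f"domain {host} on blocklist"
    return True, "allowed"

if __name__ == "__main__":
    for u in ("http://sub.evil.example/x", "http://notevil.example/",
              "https://EVIL.example.:8443/a", "http://evil.example@good.example/",
              "http://good.example/payload/x", "http://198.51.100.7/",
              "http://[2001:db8:bad::1]/", "http://203.0.113.5/"):
        print("%-40s %s" % (u, decide(u)))
```

Two things the function deliberately shows: the userinfo trick ("http://evil.example@good.example/") resolves to good.example, which is why the decision must be made on the parsed hostname and not on a substring search of the URL; and a domain entry does not block the IP the domain resolves to, so a filter that cannot also resolve names should carry the IP ranges explicitly, as the item's wording (URLs, domain names, and IP addresses) already implies.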

3-9 Wireless LAN management

Major thefts of data have been initiated by attackers who have physically gained wireless access to the intranet from outside … access point outside the company, clients are set up as backdoors etc. from the outside, and when the clients reconnect to the … infringed.
Therefore, companies need to properly manage their wireless LANs in the intranet.

49 (3-9-1) Wireless LAN device management
Ensure that each personal computer and network device in the intranet is connected to the wireless network only if it matches the authorized configuration and security profile.

50 (3-9-2) Wireless LAN encryption protocol
Ensure that all wireless traffic uses at least Wi-Fi Protected Access 2 (WPA2) with AES-CCMP; WEP and WPA/TKIP are broken and must not be used.

51 (3-9-3) Wireless LAN authentication protocol
Ensure that wireless networks in the intranet use authentication protocols such as EAP-TLS※10.
※10 EAP-TLS (Extensible Authentication Protocol – Transport Layer Security) is a technology that performs authentication at the data link layer using digital certificates.

52 (3-9-4) Wireless access point scan
Detect wireless access points using scanning tools, etc. Ensure that only authorized access points are active.

53 (3-9-5) Prohibition of Bluetooth devices
In principle, network connection (tethering) via Bluetooth is prohibited except when permitted.

3-10 Web application security measures

Vulnerabilities of web applications are often exploited by attackers for information leakage, website manipulation, and tak… web applications and prevent attacks exploiting the vulnerabilities of web applications.

54 (3-10-1) Web application input value check
For web applications developed in-house, ensure that an explicit validity check is performed on all input.
[Supplement] Data sent from clients and other applications should not be trusted, and proper checks should be performed before using it. Deficient input checking in web applications is the cause of many attacks (e.g. SQL injection, interpreter injection such as OS command injection, attacks on the file system such as directory traversal, buffer overflow). Validate against what the application expects (type, length, character set, range) rather than trying to strip known-bad patterns, and pass data to interpreters through parameterized interfaces instead of building commands or queries by string concatenation.

55 (3-10-5) Introduction of WAF
Protect externally published web applications handling personal information and confidential information by deploying web application firewalls (WAF) that inspect for common web application attacks including SQL injection, command injection, and directory traversal attacks.

56 (3-10-2) Web application vulnerability check
If a WAF is not installed, test web applications developed in-house for common security weaknesses using a tool (remote scanner) prior to deployment and whenever an update is made to the application. (A WAF reduces exposure but does not remove the underlying weakness, so scanning before release is worthwhile even where a WAF is present.)
*Vulnerability scan: various artificial attacks on the system to identify weaknesses in programs and problems that may be exploited by attackers, such as files and folders with inappropriate access privileges. If the ledger is managed by the YMC group, it is implemented.

57 (3-10-3) Access restrictions for production environment
Maintain separate environments for production and non-production systems. Ensure that developers do not have unmonitored access to production environments.

58 (3-10-4) Communication encryption of web application
For public web applications handling personal information and confidential information, make sure that HTTPS (TLS) is used and that access by unencrypted communication (plain HTTP) is not allowed.
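Item 3-10-1 names SQL injection as the typical consequence of missing input checks. The following is an added example (not part of the assessment) showing the deficiency and its fix side by side on a login lookup: the vulnerable version concatenates the request parameters into SQL, the hardened version rejects input that does not match an allow-list pattern and then passes the values as query parameters, so the database never interprets them as SQL. The SQLite table, the users and the allow-list pattern for usernames are all constructed for the example, and passwords are stored in plaintext only to keep the block short (a real system stores a salted hash).

```python
import re
import sqlite3

# Added example, not part of the assessment: item 3-10-1 (input value check) shown as a
# vulnerable login lookup beside its hardened form. Assumptions: constructed SQLite
# users table; usernames must match USERNAME_RE (an allow-list chosen for the example);
# plaintext passwords are a simplification, not a recommendation.

USERNAME_RE = re.compile(r"^[a-z0-9_.-]{1,32}$")

def make_db():
    """Constructed in-memory database with two sample accounts."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, password TEXT NOT NULL)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "correct horse"), ("admin", "s3cr3t")])
    return db

def login_vulnerable(db, name, password):
    """The deficiency: untrusted input is spliced into the SQL text.

    name = "admin' --" turns the statement into
        SELECT name FROM users WHERE name = 'admin' --' AND password = '...'
    and the password check disappears into a comment.
    """
    sql = f"SELECT name FROM users WHERE name = '{name}' AND password = '{password}'"
    row = db.execute(sql).fetchone()
    return row[0] if row else None

def login_hardened(db, name, password):
    """Allow-list check on the input, then a parameterized query.

    Input that fails the check is rejected, not "cleaned up": stripping quotes would
    still leave the concatenation pattern in place. The parameters are bound by the
    driver, so a quote or comment marker inside them is just data.
    """
    if not USERNAME_RE.match(name):
        return None
    row = db.execute("SELECT name FROM users WHERE name = ? AND password = ?",
                     (name, password)).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    db = make_db()
    attacks = [("admin' --", "anything"), ("admin", "' OR '1'='1")]
    for name, pw in attacks:
        print(repr((name, pw)), "vulnerable ->", login_vulnerable(db, name, pw),
              "| hardened ->", login_hardened(db, name, pw))
```

The second attack ("' OR '1'='1" in the password field) is worth running mentally: AND binds tighter than OR, so the vulnerable WHERE clause becomes (name = 'admin' AND password = '') OR '1'='1', which is true for every row, and the first row in the table is returned. The hardened version returns None for both attacks and still authenticates a genuine user.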

3-11 Training and information security awareness

In addition to strengthening systems, raising the security awareness of system users also plays an important role in effectiv… for understanding the reason for implementing the security measures, behavior/actions that could result in an incident, an…

59 (3-11-1) IT staff security education
Ensure that IT staff regularly receive security education that maintains security standards.

60 (3-11-2) Implementation of incident response training
Ensure that the incident response team participates in incident response drills on a regular basis.

61 (3-11-3) Sharing preventive measures
Ensure that preventive measures derived from past incidents are shared.

3-12 Appropriate use of cloud services

When deploying the company's information assets on cloud environments, a cloud service provider assumes responsibility … Therefore, the company needs to choose a cloud service provider that meets certain conditions and criteria. The following …

62 (3-12-1) Confirmation of the compliance management organization of the cloud service
Choose a cloud service provider that has a department/unit in charge of compliance management or a management supervisor.

63 (3-12-2) Confirmation of the requirements of the cloud service
Check to make sure that the following items meet the relevant legal requirements, country policies, and company rules:
・Terms and conditions
・Cloud service provider's personal information handling
・Cloud service provider's confidential information handling
・Encryption function used by the cloud service provider
・Cloud service provider's business continuity

64 (3-12-3) Data location and management methods of the cloud service
Ensure that the geographical location of cloud data, its management methods, and management procedures are disclosed.

65 (3-12-4) Investigation of incidents of cloud services
Ensure that the cloud service provider provides the evidence needed for an investigation when an information security incident occurs, or that an alternative solution can be implemented.

66 (3-12-5) Contact system for incidents of cloud services
Clarify the structure/system for sharing (notifying) information security incidents.

67 (3-12-6) Damages of cloud services
Ensure that the company and the service provider have reached an agreement on compensation for damage in case of violation of data confidentiality, integrity, and availability.

4-1 Implementation of technological security measures

In order for the incident response team to function effectively, companies need to have the technological system to detec… services, devices and software, for incident detection, alert analysis, etc.

68 (4-1-1) Introduction of security measures
Deploy security services and tools (devices/software) such as IDS, IPS/WAF/next-generation firewall to ensure that security incidents are detected.

4-2 Monitoring and anomaly detection

Network/system profiling and understanding of a network/system's normal state allows quick detection of deviations from … state may also enable incident detection/investigation by checking against logs and other events. Therefore, companies ne…

69 (4-2-1) Monitor login attempts
Monitor unauthorized login attempts by employees.

70 (4-2-2) Monitoring of network-connected equipment
Monitor unauthorized device connections.

71 (4-2-3) Installation monitoring of prohibited software
Monitor prohibited software installations.

72 (4-2-4) Audit of outsourced operations
Regularly monitor and be aware of contractors' network operations.
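Items 3-6-2 (alert when an account is added to or removed from Domain Admins) and 4-2-1 (monitor unauthorized login attempts) are both detections over the Windows Security log, so one added example (not part of the assessment, and not any product the company runs) covers both. It runs over constructed event records in the flattened form a log forwarder typically delivers. The event IDs are Windows' own: 4728/4729 are "member added to / removed from a security-enabled global group" (Domain Admins is a global group), 4756/4757 the same for universal groups such as Enterprise Admins, and 4625 is a failed logon. The burst threshold (five failures for one account within ten minutes) is an assumption chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Added example, not part of the assessment: detection logic for item 3-6-2 (privileged
# group membership changes) and item 4-2-1 (failed logon bursts) over constructed
# Windows Security events. Event IDs 4728/4729/4756/4757/4625 are Windows' standard
# IDs; the burst threshold and window are assumptions for the example.

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins"}
GROUP_CHANGE_EVENTS = {4728: "added to", 4756: "added to",
                       4729: "removed from", 4757: "removed from"}

EVENTS = [  # constructed sample records
    {"EventID": 4624, "TimeCreated": "2020-03-15T08:00:00",
     "TargetUserName": "alice", "IpAddress": "10.1.1.5"},
    {"EventID": 4728, "TimeCreated": "2020-03-15T08:01:00", "SubjectUserName": "bob",
     "MemberName": "CN=eve,CN=Users,DC=corp,DC=example", "TargetUserName": "Domain Admins"},
    {"EventID": 4728, "TimeCreated": "2020-03-15T08:02:00", "SubjectUserName": "bob",
     "MemberName": "CN=dev1,CN=Users,DC=corp,DC=example", "TargetUserName": "Developers"},
    {"EventID": 4729, "TimeCreated": "2020-03-15T09:00:00", "SubjectUserName": "carol",
     "MemberName": "CN=eve,CN=Users,DC=corp,DC=example", "TargetUserName": "Domain Admins"},
] + [  # six failures for one account inside ten minutes: a burst
    {"EventID": 4625, "TimeCreated": f"2020-03-15T10:{m:02d}:00",
     "TargetUserName": "svc-backup", "IpAddress": "10.9.9.9"} for m in range(0, 12, 2)
] + [  # three failures spread over hours: ordinary typos, not a burst
    {"EventID": 4625, "TimeCreated": f"2020-03-15T{h:02d}:00:00",
     "TargetUserName": "alice", "IpAddress": "10.1.1.5"} for h in (11, 13, 15)
]

def privileged_group_changes(events, groups=PRIVILEGED_GROUPS):
    """Item 3-6-2: one alert per add/remove on a privileged group.

    Returns (time, actor, action, member DN, group) tuples; changes to other groups
    such as "Developers" are not alerted.
    """
    alerts = []
    for e in events:
        action = GROUP_CHANGE_EVENTS.get(e.get("EventID"))
        if action and e.get("TargetUserName") in groups:
            alerts.append((e["TimeCreated"], e["SubjectUserName"], action,
                           e["MemberName"], e["TargetUserName"]))
    return alerts

def failed_logon_bursts(events, threshold=5, window_minutes=10):
    """Item 4-2-1: accounts with >= threshold failed logons inside any sliding window."""
    by_account = defaultdict(list)
    for e in events:
        if e.get("EventID") == 4625:
            by_account[e["TargetUserName"]].append(datetime.fromisoformat(e["TimeCreated"]))
    window = timedelta(minutes=window_minutes)
    bursts = []
    for account, times in by_account.items():
        times.sort()
        best = j = 0
        for i in range(len(times)):            # two-pointer sliding window
            while j < len(times) and times[j] - times[i] <= window:
                j += 1
            best = max(best, j - i)
        if best >= threshold:
            bursts.append((account, best))
    return bursts

if __name__ == "__main__":
    for a in privileged_group_changes(EVENTS):
        print("ALERT group change: %s %s %s %s %s" % a)
    for account, n in failed_logon_bursts(EVENTS):
        print(f"ALERT logon burst: {account} failed {n} times within 10 minutes")
```

Two operational notes. The group-change events only exist if the "Audit Security Group Management" subcategory is enabled on the domain controllers, so the L1 answer for item 3-6-2 ("no output to the EventLog") is usually an audit-policy problem rather than a SIEM problem. And the alert carries SubjectUserName (who made the change) as well as MemberName (who was added), because the reviewer's first question is which of the two was unexpected.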

4-3 Log acquisition

Logs play an important role in analyzing a security incident, and multiple logs together can help to connect the dots of an event. C…

73 (4-3-1) Log storage rules
Establish a log retention policy (including the log retention period) and ensure that the policy is enforced.

74 (4-3-2) Time synchronization
Implement time synchronization (e.g. NTP against a common source) for all servers/personal computers/systems, so that events from different logs can be placed in order during an investigation.

4-4 Communication

It is important to minimize the impact of an incident by communicating information to the relevant persons in a swift manner.

75 (4-4-1) Incident contact
Establish security event communication procedures and ensure that detected anomalies are notified to the relevant parties according to those procedures.

IT Risk Management

(The number in parentheses is the Item No. given in the source for this block, which follows a different numbering from the chapter-section-item scheme above.)

76 (Item 1) Creation of IT Risk Management Group Policy additional rules
Have additional rules (for the IT risk management policy) for your company already been made?
Have the IT Risk Management Group Guidelines and additional rules been communicated to all IT users including IT staff?

77 (Item 3) User security education
Is security education given to the people concerned?

78 (Item 9) Ledger management of recording media
Has a list of memory devices (USB flash memory, compact discs, etc.) been created, and is the person in charge clearly defined (by name)?

79 (Item 9) Ledger management of software
Has a list of software licences been created, and is the person in charge of the list clearly defined (by name)?

80 (Item 18) Discarding of recording media
When a server, PC, or recording medium (e.g. USB memory) is disposed of, is all data on it completely deleted beforehand?

81 (Item 20) Prohibition of personal belongings
In principle it is prohibited to use personally owned devices (personal computers, smartphones, USB memory, etc.). If their use is to be allowed, do you have appropriate rules for it?

82 (Item 37) Transmission rules for confidential information
When sending an e-mail that contains confidential information, are the rules defined by the e-mail administrator that users must follow communicated to the users?

83 (Item 94) Encryption of personal computers taken outside
Are personal computers used outside the company protected against loss, e.g. by disk encryption?

84 (Item 12) Smartphone remote lock
Are smartphones protected against loss, e.g. by remote lock?

85 (Item 12) USB memory encryption
Are external storage devices such as USB memory and external HDDs protected against loss, e.g. by encryption?

86 (Item 13) Measures when a PC / USB memory is lost
In case a PC or recording medium such as a USB memory device taken outside the company is lost, are actions taken appropriately?
2020

Answer Operated by L1 L2 L3

ch as information leaks and suspensions of business and manage them, so that they can appropriately measure and determine the exte

YES:
NO:
NO: We have prepared a
Although there is a
There is no network network diagram that
network diagram,
diagram. allows a grasp of the
information is incomplete.
internal system / network.

NO: NO: YES:


Important data is not Some data is listed, but All important data is
listed. not all data is managed. grasped as a list.

NO:
Some are listed, but there
are things that can not be
NO: YES:
listed.
Not listed. Listed and managed.
(As GDPR preparing, the
list for all group companies
was made.)

YES:
NO:
A list is made and
NO: A list of used software is
inventory of software
Not listed. made, but its inventory is
licenses and its version is
not conducted.
regularly conducted.

NO:
The list of OS and
middleware is managed,
NO: but versions are not YES:
Not listed. managed. Or either OS or Listed and managed.
middleware can be
managed, but the other
cannot.

erations that are critical to business continuity so that they can prioritize cyber-attack defense and response measures.
e to completely defend assets against cyberattacks and there are no absolute anti-cyberattack measures. Therefore, it is important to

ctive in preventing attacks exploiting system vulnerabilities (proactive measures). Vulnerabilities are found on a daily basis, therefore,

are taken via vulnerabilities scanning, etc.


mes targeted, if a high-risk vulnerability is identified, take action promptly.

NO:
Some personal computers
YES:
have security patches
NO: Required security patches
applied promptly, but
Some personal computers are applied promptly to all
other terminals are not
are not applied patches, personal computers after
patched (or application
and the application status patch release.
takes more than one
is not grasped. Or patching is done with
week), but the patch
same mechanism in YMC.
application status is
grasped from a list.
NO:
Patches are chosen by
YES:
NO: individual judgment, some
Security patches are
Some servers are not servers have security
applied according to policy
applied patches, and the patches applied promptly,
based on the impact.
application status is not but other stervers are not
Patching is done with
grasped. patched, but the patch
same mechanism in YMC.
application status is
grasped from a list.

YES:
NO:
There is a mechanism (tool
For some personal
etc) for grasping security
computers/servers, there
patch application status of
is a mechanism (tool etc)
each personal
NO: of grasping patch
computers/server, and it is
Cannot grasp the application status, and the
possible to grasp the
application status of application status is
application status of all
security patches. grasped. However, there
personal
are some personal
computers/server.
computers/Servers that
Patching is done with
can not grasp the
same mechanism in YMC.
application status.

Conducts vulnerability
scanning regularly and
Not conducts vulnerability Conducted vulnerability before publication.
scanning. scanning. YMC group is scannig listed
YMC group Web site every
month.

ze security incidents.

YES:
Standard secure
No:
configuration is defined,
NO: Standard secure
and environment is set in
Standard secure configuration is defined,
accordance with it.
configuration is not but creating the
Introduced standarized
defined. environment is left to the
machine of YMC .
person in charge.
Apply the same setting
with standarized machine.
NO: YES:
Such procedures are not - Procedures are
established. established.

YES:
NO: NO: We check that default
Default passwords are not Default passwords passwords are changed.
changed. changed, but not checked. Authentication is done in
ACCESS system.

YES:
NO: We ensure that for all
NO:
For some systems, it is systems.
We don't ensure that.
ensured. Authentication is done in
ACCESS system.

NO: YES:
NO: There are rules prohibiting In principle, use is
Not prohibiting use use, but the situation prohibited, but if there is a
cannot be confirmed. reason, it is permitted.

NO: YES:
NO: There are rules prohibiting In principle, use is
Not prohibiting use use, but the situation prohibited, but if there is a
cannot be confirmed. reason, it is permitted.

NO: YES:
We do not record logon - We determine the scope,
success / logon failure and record logs.

NO: YES:
NO:
Tere is no specific rule Access rights control and
There is a rules, but some
regarding system inventory are
systems are not
operation or development, implemented in all
ipmlemented access
no access control is systems that require
controls and its inventory.
implemented. access control.

NO:
We have determined the
YES:
scope according to rules,
NO: We determine the scope,
but we do not cover all
No log is recorded. and record logs according
important security events.
to rules.
Or, some logs are not
recorded.
YES:
Use SSH / SFTP / FTPS
Or all the servers you use
are Windows servers.
NO:
Or all servers that are
Use other than SSH / -
using a Windows server.
SFTP / FTPS
(In case of Windows
server, communication of
remote operation is
encrypted.)

mation leaks from within, maintain network security, and protect information assets. Especially, companies need to detect/identify un
guidelines, “network perimeter” is used to refer to the boundary between company internal / group internal network (intranet) and th

YES:
It is set to refuse
NO: communication except
Communication other than that which is necessary for
-
that necessary for business business.
is allowed. Or after connecting with
YMC group network we
can internet.

YES:
Introduced
(Please enter service or
NO: product name in the
-
Not introduced comment column)
Or after connecting with
YMC group network we
can internet.

YES:
We have implimented a
NO:
mechanism that can block
We have not implimented
communication for specific
a mechanism that can
- URLs, domain names, and
block communication for
IP addresses
specific URLs, domain
Or after connecting with
names, and IP addresses
YMC group network we
can internet.

g down, delays, stolen admin credentials, exploitation of ID/passwords, direct or indirect affect of systems, and become threats to com
xecution or to realize early malware detection.
YES:
The IT infrastructure
administrator regularly
NO:
NO: checks the update status
Anti-malware software is
Anti-malware software is of signatures (definition
installed, but update
not installed. files) of all terminals.
status is not checked.
Or YMC's antivirus
management service is
used.

YES:
There is a mechanism for
checking the version of the
NO:
signature file, and the
We cannot grasp the
- administrator grasps the
update status of the
update status.
signature file
Or use YMC's anti-virus
software management
service.

e. It can be extremely difficult without a trustworthy data recovery capability to remove all aspects of the attacker’s presence on the m
used by ransomware. Therefore, it is important to have a trustworthy data recovery capability.

YES:
NO:
NO: Backup is done for the all
Some are not backed up
Some are not backed up. required programs and
regularly.
data.

YES:
NO: NO: Backup procedures exist
Backup procedures do not Backup procedures exist for all required OS,
exist. for some servers. applications, and datas
and data.

NO: YES:
NO:
Some backup destinations All backup destinations are
Backup destinations are
are continuously not continuously
continuously addressable
addressable through addressable through
through backup source
backup source operation backup source operation
operation system calls.
system calls. system calls.

e and exploit important information or passwords using software (key logger, network wiretapping, remote control
systems. Therefore, companies need to properly manage administrative privileges.

YES:
NO: NO:
It is limited to only when
It is also used for other Limited to only when
necessary and abnormal
than management work. necessary.
behavior is monitored.
No: YES:
NO: Output to the EventLog, EventLog is output. Also, e-
No output to the EventLog. but mail notification is not mail notification is
implemented. implemented.

YES:
NO:
SSH is configured so that
Allow Logon directly by -
logon by root can not be
root.
done directly.

same network, attackers could easily take out highly confidential information after they intrude into the internal network. Therefore,
e information.

NO: YES:
Highly confidential Highly sensitive
NO: information and other information and other
Highly confidential information are arranged information are located on
information and other on different network different network
information are arranged segments, but segments. It is restricted
on the same network. communication between so that communication can
network segments is not not be performed between
restricted. network segments.

NO: Access control is not implemented, or the permissions are not in the state authorized by the administrator.
-
YES: The administrator sets access rights on the folder, and only users authorized by the administrator can access it.

NO: A public line is used, but communication is not encrypted.
NO: Communication encryption is used only partially.
YES: Communication is encrypted (e.g. using TLS/SSL).

NO: Not encrypted.
NO: Some information is encrypted, but some is not.
YES: Encrypted.

he internet, they are often used as entry points for cyberattacks. Because of their technical complexity and flexibility, it is important to

NO: There are no rules for applying the latest security patches, and whether patches have been applied cannot be determined.
NO: There is a rule to apply the latest security patches, but patches are not applied.
YES: There is a rule to apply the latest security patches to browsers, and patches are applied. Or the YMC group standard web browser is used.

NO: The latest security patch has not been applied.
NO: The latest security patch is applied to some terminals and not to others.
YES: The latest security patch is applied to all terminals. Or the YMC group standard mail client (Outlook) is used.

NO: There are no rules on using browser plug-ins or add-ons.
-
YES: Rules on using browser plug-ins or add-ons are defined, and only permitted plug-ins or add-ons are used.

NO: Use of plug-ins or add-ons is not technically restricted.
-
YES: Only permitted browser plug-ins or add-ons can be used; the restriction is enforced technically.

NO: URL request logs are not output.
-
YES: A proxy, URL filtering product, etc. outputs a log showing which URLs were accessed.

NO: No URL filtering product has been introduced.
-
YES: A URL filtering product has been introduced. Or the YMC group standard web filtering is used.

NO: No product that checks mail on the mail server for viruses has been introduced.
-
YES: A web gateway product or UTM has been introduced, and virus checking of e-mail attachments is implemented. Or the YMC group standard mail system (Office 365) is used.

ss to the intranet from outside, then bypassed the security perimeter. Also, accessing the personal computer and network devices by
n the clients reconnect to the intranet with personal computer and network devices, there is a possibility that they will be continuousl

NO: Unauthorized personal computers and network devices can connect to the wireless LAN.
-
YES: Only authorized personal computers and network devices can connect to the wireless LAN.

NO: WPA2 is not used (WPA, WEP, etc. are used).
NO: Some communications use WPA2, but older standards such as WPA and WEP may still be used in some cases.
YES: WPA2 or a more advanced protocol is used everywhere.

NO: Authentication protocols such as EAP-TLS are not used.
NO: Some wireless networks use authentication protocols such as EAP-TLS.
YES: All wireless networks use authentication protocols such as EAP-TLS.

NO: Setting up wireless access points without permission is not prohibited.
NO: It is prohibited, but there is no detection, so an access point set up without permission cannot be identified.
YES: Wireless access points are detected with a scanning tool, and only authorized access points are in use.

NO: It is not prohibited.
-
YES: In principle it is prohibited; it is used only when permitted.

ebsite manipulation, and taking down websites. Therefore, companies need to implement measures to help developers develop “vulne

NO: In some cases, input values are not validated for security.
NO: Only some web applications or some input values are validated for security.
YES: All input values are validated for security, and an invalid value is treated as an input error.
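The YES level above means validation that rejects by default and treats anything unexpected as an input error. The following added example (not code from the original assessment) shows one way to do that: an allow-list of declared fields with format, length and range rules, followed by a database write that uses bound parameters, because a free-text field that legitimately passes validation must still not be able to change the query. The field rules, the table and the two submitted forms are hypothetical; sqlite3 is the Python standard library module.

```python
"""Server-side input validation that rejects by default, followed by a
database write with bound parameters so that a value which legitimately
passes validation (free text) still cannot alter the query.

Added example, not code from the original assessment.  The field rules, the
table and the two submitted forms are hypothetical; sqlite3 is the Python
standard library module.
"""
import re
import sqlite3

# Allow-list rules.  Every accepted field is declared here; unknown fields,
# missing fields and non-string values are rejected before any rule runs.
RULES = {
    "username": {"pattern": re.compile(r"[a-z][a-z0-9_.]{2,31}")},
    "email":    {"pattern": re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+"), "max_len": 254},
    "age":      {"integer": True, "min": 0, "max": 150},
    "comment":  {"max_len": 500},       # free text: length only, stored verbatim
}


def validate(form: dict) -> dict:
    """Return {field: error}; an empty dict means the submission is acceptable."""
    errors = {}
    for field in form:
        if field not in RULES:
            errors[field] = "unexpected field"
    for field, rule in RULES.items():
        if field not in form:
            errors[field] = "missing"
            continue
        value = form[field]
        if not isinstance(value, str):
            errors[field] = "must be a string"
        elif "max_len" in rule and len(value) > rule["max_len"]:
            errors[field] = f"longer than {rule['max_len']} characters"
        elif "pattern" in rule and not rule["pattern"].fullmatch(value):
            errors[field] = "invalid format"           # fullmatch: no partial matches
        elif rule.get("integer"):
            if not value.isdecimal():
                errors[field] = "must be a whole number"
            elif not rule["min"] <= int(value) <= rule["max"]:
                errors[field] = f"out of range {rule['min']}-{rule['max']}"
    return errors


def new_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE profiles (username TEXT PRIMARY KEY, email TEXT, age INTEGER, comment TEXT)")
    return conn


def save_profile(conn, form):
    """Reject invalid input as an input error, then insert with placeholders.
    The comment column takes arbitrary text, so building the SQL by string
    concatenation would be injectable even after validation; bound
    parameters are not."""
    errors = validate(form)
    if errors:
        raise ValueError(errors)
    conn.execute(
        "INSERT INTO profiles (username, email, age, comment) VALUES (?, ?, ?, ?)",
        (form["username"], form["email"], int(form["age"]), form["comment"]),
    )
    conn.commit()


def lookup_comment(conn, username):
    row = conn.execute("SELECT comment FROM profiles WHERE username = ?", (username,)).fetchone()
    return row[0] if row else None


# Constructed submissions.
GOOD_FORM = {"username": "j.sato", "email": "j.sato@example.invalid", "age": "34",
             "comment": "Robert'); DROP TABLE profiles;--"}
BAD_FORM = {"username": "admin' OR '1'='1", "email": "not-an-address", "age": "-3",
            "comment": "x" * 600, "debug": "1"}


if __name__ == "__main__":
    conn = new_db()
    save_profile(conn, GOOD_FORM)
    print("stored comment:", lookup_comment(conn, "j.sato"))
    print("rejected fields:", validate(BAD_FORM))
```

Two points the example is meant to make: validation errors are collected for every field rather than stopping at the first one, so the user (and the log) sees the whole picture, and the comment containing an SQL fragment is stored as plain text because it never becomes part of the statement.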

NO: There is no WAF.
NO: There is a WAF for some applications.
YES: There is a WAF for all applications.

NO: Application vulnerability assessment is not performed.
NO: Application vulnerability assessment is performed for some applications.
YES: Application vulnerability assessment is performed regularly.

NO: The production environment and the test environment are not separated, or developers can access the production environment at any time.
-
YES: The production and test environments are separated, and the production environment is accessed only when necessary.

NO: HTTPS communication is not used.
NO: HTTPS is used, but HTTP is also enabled, or HTTPS is not used for some applications.
YES: Only HTTPS communication is used.

an important role in effectively implementing security measures. A company needs to achieve more effective security measures by pr
ould result in an incident, and the impact that incidents have on business and relevant parties.

NO: Education is not implemented.
NO: Education is given to some of the people concerned (e.g. taking the YMC group e-learning exam).
YES: Training is conducted according to the educational plan and to everyone concerned.

NO: Drills are not conducted.
NO: Drills are conducted, but not on a regular basis.
YES: Drills are conducted on a regular basis.

NO: Responses to past incidents and efforts to prevent recurrence have not been shared.
NO: Some past incident responses and recurrence prevention efforts are shared.
YES: Responses to past incidents and efforts to prevent recurrence are shared.

vider assumes responsibility for information security risk management and the company has indirect responsibility for security risk ma
ns and criteria. The following are the requirements that the company needs to meet when choosing a cloud service provider.
NO: The service provider is chosen without consideration for this.
-
YES: The service provider is chosen with consideration for this. Or this has been confirmed in the cloud service checklist (YMC).

NO: These requirements are not checked.
NO: These requirements are checked, but the service is chosen even if some are not met.
YES: A cloud service is chosen only when all requirements are met. Or this has been confirmed in the cloud service checklist (YMC).

NO: These are not disclosed.
-
YES: These are disclosed. Or this has been confirmed in the cloud service checklist (YMC).

NO: This is not ensured.
NO: This is ensured for some providers only.
YES: This is ensured. Or this has been confirmed in the cloud service checklist (YMC).

NO: The structure/system is not clear.
-
YES: The structure/system is clear (YMC clarifies the structure/system using the 'Cloud Service Check List'). Or this has been confirmed in the cloud service checklist (YMC).

NO: There is no agreement with the provider.
NO: There is an agreement with some providers only.
YES: There is an agreement with the provider on compensation for damage in case of a breach of data confidentiality, integrity, or availability. Or this has been confirmed in the cloud service checklist (YMC).

chnological system to detect a security incident. Therefore, it is important for companies to implement technological security measure
NO: Not introduced.
-
YES: Introduced. Or the internet is used only after connecting to the YMC group network.

detection of deviations from the normal state and easy identification of unusual behavior (anomaly). Understanding of a network/syst
nts. Therefore, companies need to conduct monitoring and information gathering to understand the normal state of a network/system

NO: Unauthorized login attempts by employees are not recorded.
NO: Unauthorized login attempts by employees are recorded but not monitored.
YES: Unauthorized login attempts by employees are recorded and monitored.
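The difference between "recorded" and "monitored" in the item above, and the earlier item asking for Event Log output plus e-mail notification for administrative privilege use, come down to the same piece of detection logic. The following added example (not code from the original assessment) runs it over a constructed sample of Windows Security events: 4625 (an account failed to log on) counted per source address in a sliding window, so password spraying across many accounts is still caught, and 4672 (special privileges assigned to a new logon) compared against an approved-administrator list, with the resulting alerts formatted as the notification e-mail. The approved-admin list, threshold, window and addresses are hypothetical.

```python
"""Monitor logon events for two items in this assessment: privileged logons
must be written to the Event Log and raise a notification, and failed logon
attempts must be recorded AND watched, not just archived.

Added example, not code from the original assessment.  The records below
are a constructed sample shaped like Windows Security log events
(4625 = an account failed to log on, 4672 = special privileges assigned to a
new logon); field names follow the event XML.  The approved-admin list,
threshold and window are hypothetical.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from email.message import EmailMessage

FAILED_LOGON = 4625
SPECIAL_PRIVILEGES = 4672

APPROVED_ADMINS = {"CORP\\adm.tanaka", "CORP\\svc-backup"}  # hypothetical
FAIL_THRESHOLD = 5                # failed logons per source IP ...
WINDOW = timedelta(minutes=10)    # ... within this sliding window


def ts(text):
    return datetime.fromisoformat(text)


# Constructed events, already sorted by time as a SIEM would deliver them.
SAMPLE_EVENTS = [
    {"EventID": 4625, "TimeCreated": ts("2024-03-01T08:00:01"), "TargetUserName": "j.sato", "IpAddress": "10.1.2.3"},
    {"EventID": 4625, "TimeCreated": ts("2024-03-01T08:00:04"), "TargetUserName": "j.sato", "IpAddress": "10.1.2.3"},
    {"EventID": 4625, "TimeCreated": ts("2024-03-01T08:00:07"), "TargetUserName": "administrator", "IpAddress": "10.1.2.3"},
    {"EventID": 4625, "TimeCreated": ts("2024-03-01T08:00:09"), "TargetUserName": "backup", "IpAddress": "10.1.2.3"},
    {"EventID": 4625, "TimeCreated": ts("2024-03-01T08:00:12"), "TargetUserName": "guest", "IpAddress": "10.1.2.3"},
    {"EventID": 4625, "TimeCreated": ts("2024-03-01T08:30:00"), "TargetUserName": "m.ito", "IpAddress": "10.1.9.9"},
    {"EventID": 4672, "TimeCreated": ts("2024-03-01T08:31:00"), "SubjectUserName": "adm.tanaka", "SubjectDomainName": "CORP"},
    {"EventID": 4672, "TimeCreated": ts("2024-03-01T22:15:00"), "SubjectUserName": "j.sato", "SubjectDomainName": "CORP"},
]


def detect(events, approved_admins=APPROVED_ADMINS, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return alerts: one per source IP that exceeds the failure threshold
    inside the window (password spraying across accounts still counts), and
    one per privileged logon by an account outside the approved list."""
    alerts = []
    recent = defaultdict(deque)       # source IP -> timestamps of recent failures
    reported_sources = set()
    for ev in events:
        if ev["EventID"] == FAILED_LOGON:
            ip = ev["IpAddress"]
            window_q = recent[ip]
            window_q.append(ev["TimeCreated"])
            while window_q and ev["TimeCreated"] - window_q[0] > window:
                window_q.popleft()          # drop failures older than the window
            if len(window_q) >= threshold and ip not in reported_sources:
                reported_sources.add(ip)
                alerts.append({"type": "brute_force", "source": ip,
                               "count": len(window_q), "last_seen": ev["TimeCreated"]})
        elif ev["EventID"] == SPECIAL_PRIVILEGES:
            account = ev["SubjectDomainName"] + "\\" + ev["SubjectUserName"]
            if account not in approved_admins:
                alerts.append({"type": "unapproved_admin_logon", "account": account,
                               "time": ev["TimeCreated"]})
    return alerts


def build_notification(alerts, to_addr="soc@example.invalid"):
    """Turn alerts into the e-mail the item asks for.  Sending (smtplib) is
    deliberately left out so the function stays testable offline."""
    msg = EmailMessage()
    msg["Subject"] = f"[SECURITY] {len(alerts)} logon alert(s)"
    msg["From"] = "siem@example.invalid"
    msg["To"] = to_addr
    lines = []
    for a in alerts:
        if a["type"] == "brute_force":
            lines.append(f"{a['count']} failed logons from {a['source']} ending {a['last_seen']:%H:%M:%S}")
        else:
            lines.append(f"privileged logon by unapproved account {a['account']} at {a['time']:%Y-%m-%d %H:%M}")
    msg.set_content("\n".join(lines))
    return msg


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    print(build_notification(found))
```

In a real deployment 4672 also fires for SYSTEM and for service accounts at every logon, so the approved list (or a filter on well-known SIDs) has to be maintained, otherwise the notification channel fills with noise and stops being read, which is exactly the "recorded but not monitored" state the middle column describes.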

NO: There is no mechanism such as authentication when connecting to the wired LAN, so any device can connect.
-
YES: There is a mechanism such as device authentication when connecting to the wired LAN.

NO: The software that is prohibited from being installed has not been decided.
NO: The prohibited software has been decided, but its installation status is not tracked.
YES: The prohibited software has been decided, and its installation status is tracked using a tool.

NO: Contractors' network operations are not tracked.
NO: Regular monitoring of operations is implemented, but audits are not.
YES: Regular monitoring and audits of contractors' network operations are implemented.

nect the dots of the event. Conducting correlation analysis of multiple events plays an important role in determining if a security incide

NO: The rules are not defined.
NO: The rules are defined, but access logs are only partially kept.
YES: Access logs are kept for the specified period.

NO: Time synchronization is not performed.
NO: Time synchronization is performed on some servers/personal computers/systems.
YES: Time synchronization is performed on all servers/personal computers/systems.

t persons in a swift manner when an anomaly is detected.


NO: Procedures are not prepared.
NO: Procedures are prepared, but there are cases in which they are not used.
YES: Procedures are prepared and followed.

NO: Additional rules have not been made.
NO: Additional rules have been made, but the guidelines and additional rules have not been communicated to the persons concerned.
YES: (1) Additional rules have been made. (2) The guidelines and additional rules have been communicated to the persons concerned.

NO: Education is not implemented.
NO: Education is given to some of the people concerned.
YES: (1) Training is conducted according to the educational plan. (2) A systematically maintained educational program is conducted.

NO: It is not documented.
NO: It is documented but not updated.
YES: It is documented and kept up to date.

NO: Software licences are not listed.
NO: Software licences are listed but not updated.
YES: Software licences are listed and kept up to date.

NO: (1) Data is not deleted completely. (2) The rules are not defined.
NO: The rules are defined but not implemented thoroughly.
YES: The rules exist and are implemented.

NO: There are no rules for using privately owned equipment.
NO: There are rules, but they have not been communicated to users.
YES: The rules are made known to users through education etc.

NO: The rules are not defined.
NO: The rules are defined but not communicated to users.
YES: The rules are communicated to users through education etc.

NO: No countermeasures have been taken.
NO: Countermeasures have been taken for some personal computers.
YES: Countermeasures have been taken for all personal computers.

NO: No countermeasures have been taken.
NO: Countermeasures have been taken for some smartphones.
YES: Countermeasures have been taken for all smartphones.

NO: No countermeasures have been taken.
NO: Countermeasures have been taken for some external storage devices.
YES: Countermeasures have been taken for all external storage devices.

NO: The procedure to follow in case of loss is not defined.
NO: The response procedure in case of loss is defined, but it is not well known.
YES: The response procedure in case of loss is well known through training etc., and actions are performed accordingly.