Cyber Security Assessment

Checklist items. Each entry gives the item number, the chapter/section/item reference in parentheses, the item title, and the requirement.

No. 1 (2.1.1) Create network diagram
    The information asset administrator must prepare a network diagram (to get a grasp of all the systems).

No. 4 (2.1.1') Create a used application list
    The information asset administrator must prepare a list of the software in use (email software, office software, etc.).

No. 8 (2.3.1) Information gathering on cyber attacks
    Keep up with cybersecurity threats.

No. 9 (2.3.2) Grasp the impact of cyber attacks
    Consider a possible cyberattack scenario against the company and understand the impact that a cyberattack would have on its assets.

No. 10 (2.3.3) Understanding cyber attack countermeasures
    Get a grasp of the implementation status of countermeasures against cyber threats at the company.

No. 11 (2.3.4) Prioritizing cyber attack risk
    Analyze the risks that the company faces, decide how to address them, and prioritize countermeasures. Countermeasures to address risks are classified into three levels: "risk reduction" (fix vulnerabilities by applying security patches, etc.), "risk acceptance" (take no action for low-level risks) and "risk avoidance" (eliminate the root cause). Specify what countermeasures need to be taken for the identified risks.

No. 15 (3.1.4) Grasp vulnerability information
    Keep up with the latest vulnerability information.

No. 20 (3.2.3') Set passwords that cannot be guessed
    Ensure that easy-to-guess passwords are not used.

No. 22 (3.2.5) Prohibition of remote operation of personal computers
    Ensure that remote operation (Remote Desktop connection) is not performed on personal computers. When a staff member has no choice but to perform remote operation, an IT infrastructure administrator shall confirm the intended use and grant permission.

No. 24 (3.2.7) Appropriate access right settings for systems
    Access controls, such as authentication-based access controls, are defined and complied with to ensure that only authorized personnel can access essential systems.

No. 25 (3.2.8) Server log recording
    Determine the scope of server audit logs/logging records and log important security events.

No. 26 (3.2.9) Server remote operation encryption
    Perform all remote administration of servers and network devices over a secure channel (use a secondary encryption channel such as SSH※3 or SSL※4/IPsec※5).
    ※3 SSH (Secure Shell) is a configuration for safely using a remote computer by means of encryption and authentication.
    ※4 SSL (Secure Sockets Layer) is a configuration for sending and receiving encrypted data over the Internet.
    ※5 IPsec is a protocol that provides tamper detection and concealment functions on a per-IP-packet basis by using encryption technology.

No. 27 (3.3.1) Internet access restrictions
    Configure firewall or UTM settings to block all non-permitted access at the network perimeter.

No. 31 (3.4.2) Signature management of anti-malware software
    Centrally manage the signature files of the anti-virus software on each personal computer/server, or implement a mechanism that allows an IT infrastructure administrator to check the signature update status.

No. 32 (3.5.1) Implementation of system backup
    Ensure that each system is backed up on a regular basis.

No. 33 (3.5.2) Create a backup procedure
    Establish backup procedures for the OS, applications, and data on each machine, respectively (servers only).

No. 35 (3.6.1) Monitoring operation of administrator accounts
    Minimize administrative privileges and only use them when they are required. Implement auditing of the use of administrative privileges to monitor anomalous behavior.

No. 36 (3.6.2) Monitoring registration of AD administrator accounts
    Configure the system to issue log entries and alerts when an account is added to or deleted from the Domain Admins group.
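Checklist item 36 asks for log entries and alerts on Domain Admins membership changes. The following Python is an added example (not part of the assessment sheet) of the detection half of that control: it filters Windows Security events 4728/4729 (member added to / removed from a security-enabled global group; 4756/4757 for universal groups) for the Domain Admins group and builds the notification text; the event records are constructed samples, and the field names follow the Windows Security log layout.

```python
"""Detection logic for checklist item 36 (3.6.2): alert on membership
changes to the Domain Admins group.

Added example, not code from the assessment sheet. Windows logs Security
event 4728 when a member is added to a security-enabled global group and
4729 when one is removed; 4756/4757 are the universal-group equivalents.
Domain Admins is a global group by default, but the universal-group IDs
are watched too in case the group scope was changed. The records below
are constructed samples, not captured log data.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Constructed sample events (a subset of the fields Windows records).
SAMPLE_EVENTS = [
    {"EventID": 4728, "TimeCreated": "2020-03-02T09:15:07Z",
     "SubjectUserName": "helpdesk01", "TargetDomainName": "CORP",
     "TargetUserName": "Domain Admins",
     "MemberName": "CN=j.doe,OU=Users,DC=corp,DC=example"},
    {"EventID": 4728, "TimeCreated": "2020-03-02T09:16:41Z",  # not a watched group
     "SubjectUserName": "helpdesk01", "TargetDomainName": "CORP",
     "TargetUserName": "Print Operators",
     "MemberName": "CN=printsvc,OU=Service,DC=corp,DC=example"},
    {"EventID": 4624, "TimeCreated": "2020-03-02T09:20:00Z",  # a logon, ignored
     "SubjectUserName": "j.doe", "TargetDomainName": "CORP",
     "TargetUserName": "j.doe"},
    {"EventID": 4729, "TimeCreated": "2020-03-02T17:02:13Z",
     "SubjectUserName": "admin.ops", "TargetDomainName": "CORP",
     "TargetUserName": "Domain Admins",
     "MemberName": "CN=j.doe,OU=Users,DC=corp,DC=example"},
    {"EventID": 4756, "TimeCreated": "2020-03-03T08:00:59Z",  # universal-group variant
     "SubjectUserName": "admin.ops", "TargetDomainName": "CORP",
     "TargetUserName": "Domain Admins",
     "MemberName": "CN=svc-backup,OU=Service,DC=corp,DC=example"},
]

WATCHED_GROUPS = {"Domain Admins"}
ADD_EVENT_IDS = {4728, 4756}      # member added (global / universal group)
REMOVE_EVENT_IDS = {4729, 4757}   # member removed (global / universal group)


@dataclass(frozen=True)
class Alert:
    time: str
    action: str   # "added" or "removed"
    member: str
    group: str    # DOMAIN\Group
    actor: str    # account that made the change (SubjectUserName)


def member_cn(member_name: str) -> str:
    """Reduce a distinguished name such as 'CN=j.doe,OU=...' to 'j.doe'."""
    first = member_name.split(",", 1)[0]
    return first[3:] if first.upper().startswith("CN=") else first


def domain_admin_changes(events: Iterable[Dict[str, object]],
                         watched: set = WATCHED_GROUPS) -> List[Alert]:
    """Return one Alert per add/remove event that targets a watched group."""
    alerts: List[Alert] = []
    for ev in events:
        event_id = ev.get("EventID")
        if event_id in ADD_EVENT_IDS:
            action = "added"
        elif event_id in REMOVE_EVENT_IDS:
            action = "removed"
        else:
            continue  # logons and other events are not group changes
        group = str(ev.get("TargetUserName", ""))
        if group not in watched:
            continue
        alerts.append(Alert(
            time=str(ev.get("TimeCreated", "")), action=action,
            member=member_cn(str(ev.get("MemberName", ""))),
            group=f"{ev.get('TargetDomainName', '')}\\{group}",
            actor=str(ev.get("SubjectUserName", "")),
        ))
    return alerts


def notification_text(alert: Alert) -> str:
    """Body of the e-mail notification the L3 answer for item 36 calls for."""
    preposition = "to" if alert.action == "added" else "from"
    return (f"[ALERT] {alert.time}: {alert.member} was {alert.action} "
            f"{preposition} {alert.group} by {alert.actor}")


if __name__ == "__main__":
    for alert in domain_admin_changes(SAMPLE_EVENTS):
        print(notification_text(alert))
```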
No. 37 (3.6.3) Prohibition of direct logon with the Unix server administrator account
    Administrators should be required to access a UNIX server using non-administrative accounts. Once logged on, an administrator should transition to administrative privilege.

No. 38 (3.7.1) Network division of confidential information
    Segment the network according to the level of importance of the confidential information.

No. 39 (3.7.2) Access right settings for confidential information
    Implement access control on all the information stored on the system using the access control functions of the file system, file sharing server, application and database. Ensure that only authorized users can access the information through the access control.

No. 40 (3.7.3) Encryption of communication
    Use encrypted communication (HTTPS, SSH, LDAPS, VPN, etc.) when communicating confidential information (IDs, passwords, personal information, etc.) over the Internet.

No. 42 (3.8.1) Web browser settings and updates
    Web browsers should have security support and be provided with the latest security patches.

No. 43 (3.8.1') E-mail client settings and updates
    Email clients should have security support and be provided with the latest security patches.

No. 44 (3.8.2) Prohibition of add-ons to web browsers
    Uninstall or disable prohibited browser plug-ins or add-on applications.

No. 45 (3.8.2') Prohibition of add-ons to email clients
    Uninstall or disable prohibited email plug-ins or add-on applications.

No. 46 (3.8.3) Recording internet usage logs
    Log all URL requests sent to the Internet.

No. 47 (3.8.4) Internet filtering
    Implement URL filtering to restrict unauthorized website access.

No. 48 (3.8.5) Virus check at the mail server
    Scan all attachments arriving at the email gateway and block them if they contain malicious code.

No. 49 (3.9.1) Wireless LAN device management
    Ensure that each personal computer and network device in the intranet connects to the wireless network only if it matches the authorized configuration and security profile.

No. 50 (3.9.2) Wireless LAN encryption protocol
    Ensure that all wireless traffic uses at least Wi-Fi Protected Access 2 (WPA2).

No. 52 (3.9.4) Wireless access point scan
    Detect wireless access points using scanning tools, etc. Ensure that only authorized access points are activated.

No. 53 (3.9.5) Prohibition of Bluetooth devices
    In principle, network connection (tethering) using Bluetooth is prohibited except when permitted.

No. 58 (3.10.4) Communication encryption of web applications
    For public web applications handling personal information and confidential information, make sure that HTTPS (TLS) is used and that access by unencrypted communication (plain HTTP) is not allowed.

No. 59 (3.11.1) IT staff security education
    Ensure that IT staff regularly receive security education that maintains security standards.

No. 60 (3.11.2) Implementation of incident response training
    Ensure that the incident response team participates in incident response drills on a regular basis.

No. 61 (3.11.3) Sharing preventive measures
    Ensure that preventive measures obtained from past incidents are shared.

No. 63 (3.12.2) Confirmation of the requirements of the cloud service
    Check that the following items meet the relevant legal requirements, country policies, and company rules:
        Terms and conditions
        Cloud service provider's personal information handling
        Cloud service provider's confidential information handling
        Encryption function used by the cloud service provider
        Cloud service provider's business continuity

No. 64 (3.12.3) Data location and management methods of the cloud service
    Ensure that the geographical location of cloud data, its management methods, and management procedures are disclosed.

No. 65 (3.12.4) Investigation of incidents in cloud services
    Ensure that the cloud service provider provides the evidence needed for an investigation when an information security incident occurs, or that an alternative solution can be implemented.

No. 66 (3.12.5) Contact system for incidents in cloud services
    Clarify the structure/system for sharing (notifying) information security incidents.

No. 69 (4.2.1) Monitor login attempts
    Monitor unauthorized login attempts by employees.

No. 70 (4.2.2) Monitoring of network-connected equipment
    Monitor unauthorized device connections.

No. 71 (4.2.3) Installation monitoring of prohibited software
    Monitor prohibited software installations.

No. 72 (4.2.4) Audit of outsourced operations
    Regularly monitor and be aware of contractors' network operations.

No. 73 (4.3.1) Log storage rules
    Establish a log retention policy (including the log retention period) and ensure that the policy is enforced.

No. 74 (4.3.2) Time synchronization
    Implement time synchronization for all servers/personal computers/systems.
4-4 Communication
It is important to minimize the impact of an incident by communicating information to the relevant persons in a swift manner.

No. 75 (4.4.1) Incident contact
    Establish security event communication procedures and ensure that detected anomalies are notified to the relevant parties according to the procedures.
IT Risk Management
(Each entry gives the item number, the reference number in parentheses, the title, and the question.)

No. 76 (1) Creation of additional rules for the IT Risk Management Group Policy
    Have additional rules (for the IT risk management policy) already been made for your company? Have the IT Risk Management Group Guidelines and additional rules been communicated to all IT users, including IT staff?

No. 77 (3) User security education
    Is security education given to the people concerned?

No. 78 (9) Ledger management of recording media
    Has a list of memory devices (USB flash memory, compact discs, etc.) been created, and is the person in charge clearly defined (by name)?

No. 79 (9) Ledger management of software
    Has a list of software licences been created, and is the person in charge of the list clearly defined (by name)?

No. 80 (18) Discarding of recording media
    When a server, PC, or recording media (e.g. USB memory) is disposed of, is all data in it completely deleted beforehand?

No. 83 (94) Encryption of personal computers taken outside
    Are personal computers used outside the company protected against loss, such as by disk encryption?

No. 84 (12) Smartphone remote lock
    Are smartphones protected against loss, such as by remote lock?

No. 85 (12) USB memory encryption
    Are external storage devices such as USB memory and external HDDs protected against loss, such as by encryption?

No. 86 (13) Measures when a PC / USB memory is lost
    In case recording media such as PCs or USB memory devices taken outside the company are lost, are actions taken appropriately?
2020

Answer criteria (sheet columns: Answer, Operated by, L1, L2, L3). For each item the criteria for answer levels L1, L2 and L3 are given below, in sheet order; "-" means the sheet gives no L2 criterion for that item.
ch as information leaks and suspensions of business and manage them, so that they can appropriately measure and determine the exte
No. 1 Create network diagram
    L1 NO:  There is no network diagram.
    L2 NO:  Although there is a network diagram, the information is incomplete.
    L3 YES: We have prepared a network diagram that allows a grasp of the internal system / network.

Listing and management (GDPR-related list)
    L1 NO:  Not listed.
    L2 NO:  Some are listed, but there are things that cannot be listed.
    L3 YES: Listed and managed. (In preparing for GDPR, the list for all group companies was made.)

No. 4 Create a used application list
    L1 NO:  Not listed.
    L2 NO:  A list of used software is made, but its inventory is not conducted.
    L3 YES: A list is made, and an inventory of software licenses and versions is regularly conducted.

List of OS and middleware
    L1 NO:  Not listed.
    L2 NO:  The list of OS and middleware is managed, but versions are not managed. Or either the OS or the middleware can be managed, but not the other.
    L3 YES: Listed and managed.
erations that are critical to business continuity so that they can prioritize cyber-attack defense and response measures.
e to completely defend assets against cyberattacks and there are no absolute anti-cyberattack measures. Therefore, it is important to
ctive in preventing attacks exploiting system vulnerabilities (proactive measures). Vulnerabilities are found on a daily basis, therefore,
Security patches on personal computers
    L1 NO:  Some personal computers do not have patches applied, and the application status is not grasped.
    L2 NO:  Some personal computers have security patches applied promptly, but other terminals are not patched (or application takes more than one week); the patch application status is grasped from a list.
    L3 YES: Required security patches are applied promptly to all personal computers after patch release. Or patching is done with the same mechanism as in YMC.

Security patches on servers
    L1 NO:  Some servers do not have patches applied, and the application status is not grasped.
    L2 NO:  Patches are chosen by individual judgment; some servers have security patches applied promptly, but other servers are not patched; the patch application status is grasped from a list.
    L3 YES: Security patches are applied according to policy, based on the impact. Patching is done with the same mechanism as in YMC.

Grasping the security patch application status
    L1 NO:  Cannot grasp the application status of security patches.
    L2 NO:  For some personal computers/servers, there is a mechanism (tool etc.) for grasping the patch application status, and the application status is grasped. However, there are some personal computers/servers whose application status cannot be grasped.
    L3 YES: There is a mechanism (tool etc.) for grasping the security patch application status of each personal computer/server, and it is possible to grasp the application status of all personal computers/servers. Patching is done with the same mechanism as in YMC.

Vulnerability scanning
    L1: Does not conduct vulnerability scanning.
    L2: Conducted vulnerability scanning.
    L3: Conducts vulnerability scanning regularly and before publication. The YMC group scans the listed YMC group Web sites every month.
ze security incidents.
Standard secure configuration
    L1 NO:  Standard secure configuration is not defined.
    L2 NO:  Standard secure configuration is defined, but creating the environment is left to the person in charge.
    L3 YES: Standard secure configuration is defined, and the environment is set in accordance with it. The standardized machine of YMC has been introduced; the same settings as the standardized machine are applied.

Establishment of procedures
    L1 NO:  Such procedures are not established.
    L2: -
    L3 YES: Procedures are established.

Default passwords
    L1 NO:  Default passwords are not changed.
    L2 NO:  Default passwords are changed, but not checked.
    L3 YES: We check that default passwords are changed. Authentication is done in the ACCESS system.

No. 20 Set passwords that cannot be guessed
    L1 NO:  We do not ensure that.
    L2 NO:  For some systems, it is ensured.
    L3 YES: We ensure that for all systems. Authentication is done in the ACCESS system.

Prohibition of use (first item)
    L1 NO:  Use is not prohibited.
    L2 NO:  There are rules prohibiting use, but the situation cannot be confirmed.
    L3 YES: In principle, use is prohibited, but if there is a reason, it is permitted.

Prohibition of use (second item)
    L1 NO:  Use is not prohibited.
    L2 NO:  There are rules prohibiting use, but the situation cannot be confirmed.
    L3 YES: In principle, use is prohibited, but if there is a reason, it is permitted.

Recording of logon success / logon failure
    L1 NO:  We do not record logon success / logon failure.
    L2: -
    L3 YES: We determine the scope, and record logs.

No. 24 Appropriate access right settings for systems
    L1 NO:  There is no specific rule regarding system operation or development; no access control is implemented.
    L2 NO:  There are rules, but some systems have not implemented access controls and their inventory.
    L3 YES: Access rights control and inventory are implemented in all systems that require access control.

No. 25 Server log recording
    L1 NO:  No log is recorded.
    L2 NO:  We have determined the scope according to the rules, but we do not cover all important security events. Or some logs are not recorded.
    L3 YES: We determine the scope, and record logs according to the rules.

No. 26 Server remote operation encryption
    L1 NO:  Something other than SSH / SFTP / FTPS is used.
    L2: -
    L3 YES: SSH / SFTP / FTPS is used. Or all the servers you use are Windows servers (in the case of a Windows server, the communication for remote operation is encrypted).
mation leaks from within, maintain network security, and protect information assets. Especially, companies need to detect/identify un
guidelines, “network perimeter” is used to refer to the boundary between company internal / group internal network (intranet) and th
No. 27 Internet access restrictions
    L1 NO:  Communication other than that necessary for business is allowed.
    L2: -
    L3 YES: It is set to refuse communication except that which is necessary for business. Or the internet is accessed after connecting to the YMC group network.

Product/service introduction
    L1 NO:  Not introduced.
    L2: -
    L3 YES: Introduced (please enter the service or product name in the comment column). Or the internet is accessed after connecting to the YMC group network.

Blocking of specific URLs, domain names and IP addresses
    L1 NO:  We have not implemented a mechanism that can block communication for specific URLs, domain names, and IP addresses.
    L2: -
    L3 YES: We have implemented a mechanism that can block communication for specific URLs, domain names, and IP addresses. Or the internet is accessed after connecting to the YMC group network.
g down, delays, stolen admin credentials, exploitation of ID/passwords, direct or indirect affect of systems, and become threats to com
xecution or to realize early malware detection.
Anti-malware software installation and signature update checks
    L1 NO:  Anti-malware software is not installed.
    L2 NO:  Anti-malware software is installed, but the update status is not checked.
    L3 YES: The IT infrastructure administrator regularly checks the update status of the signatures (definition files) of all terminals. Or YMC's antivirus management service is used.

No. 31 Signature management of anti-malware software
    L1 NO:  We cannot grasp the update status of the signature file.
    L2: -
    L3 YES: There is a mechanism for checking the version of the signature file, and the administrator grasps the update status. Or YMC's anti-virus software management service is used.
e. It can be extremely difficult without a trustworthy data recovery capability to remove all aspects of the attacker’s presence on the m
used by ransomware. Therefore, it is important to have a trustworthy data recovery capability.
No. 32 Implementation of system backup
    L1 NO:  Some are not backed up.
    L2 NO:  Some are not backed up regularly.
    L3 YES: Backup is done for all the required programs and data.

No. 33 Create a backup procedure
    L1 NO:  Backup procedures do not exist.
    L2 NO:  Backup procedures exist for some servers.
    L3 YES: Backup procedures exist for all required OS, applications, and data.

Backup destinations
    L1 NO:  Backup destinations are continuously addressable through backup source operating system calls.
    L2 NO:  Some backup destinations are continuously addressable through backup source operating system calls.
    L3 YES: All backup destinations are not continuously addressable through backup source operating system calls.
e and exploit important information or passwords using software (key logger, network wiretapping, remote control
systems. Therefore, companies need to properly manage administrative privileges.
No. 35 Monitoring operation of administrator accounts
    L1 NO:  It is also used for work other than management.
    L2 NO:  Limited to only when necessary.
    L3 YES: It is limited to only when necessary, and abnormal behavior is monitored.

No. 36 Monitoring registration of AD administrator accounts
    L1 NO:  No output to the EventLog.
    L2 NO:  Output to the EventLog, but mail notification is not implemented.
    L3 YES: EventLog is output. Also, e-mail notification is implemented.

No. 37 Prohibition of direct logon with the Unix server administrator account
    L1 NO:  Direct logon by root is allowed.
    L2: -
    L3 YES: SSH is configured so that logon by root cannot be done directly.
same network, attackers could easily take out highly confidential information after they intrude into the internal network. Therefore,
e information.
No. 38 Network division of confidential information
    L1 NO:  Highly confidential information and other information are arranged on the same network.
    L2 NO:  Highly confidential information and other information are arranged on different network segments, but communication between the network segments is not restricted.
    L3 YES: Highly sensitive information and other information are located on different network segments. It is restricted so that communication cannot be performed between the network segments.

No. 39 Access right settings for confidential information
    L1 NO:  Access control is not implemented, or it is in a state other than that authorized by the administrator.
    L2: -
    L3 YES: The administrator sets access rights to a folder, and only users authorized by the administrator can access it.

No. 40 Encryption of communication
    L1 NO:  Although a public line is used, communication is not encrypted.
    L2 NO:  Partial use of communication encryption.
    L3 YES: Communication is encrypted (e.g. using SSL).

Encryption of information
    L1 NO:  Not encrypted.
    L2 NO:  Some information is encrypted but some information is not encrypted.
    L3 YES: Encrypted.
he internet, they are often used as entry points for cyberattacks. Because of their technical complexity and flexibility, it is important to
No. 42 Web browser settings and updates
    L1 NO:  There are no rules for applying the latest security patches, and it is not possible to grasp whether patches are applied or not.
    L2 NO:  There is a rule to apply the latest security patches, but patches are not applied.
    L3 YES: There is a rule to apply the latest security patches to browsers, and patches are applied. Or the YMC group standard web browser is used.

No. 43 E-mail client settings and updates
    L1 NO:  The latest security patch has not been applied.
    L2 NO:  The latest security patch is applied to some terminals and not applied to others.
    L3 YES: The latest security patch is applied to all terminals. Or the YMC group standard mail client (Outlook) is used.

No. 44 Prohibition of add-ons to web browsers
    L1 NO:  There are no rules on using browser plug-ins or add-ons.
    L2: -
    L3 YES: The rules on using browser plug-ins or add-ons are defined and only permitted browser plug-ins or add-ons are used.

Technical restriction of browser plug-ins or add-ons
    L1 NO:  Use of plug-ins or add-ons is not restricted technically.
    L2: -
    L3 YES: Only permitted browser plug-ins or add-ons are used.

No. 46 Recording internet usage logs
    L1 NO:  The URL request log is not output.
    L2: -
    L3 YES: A proxy, a URL filter product, etc. outputs a log showing which URLs were accessed.

No. 47 Internet filtering
    L1 NO:  A URL filtering product has not been introduced.
    L2: -
    L3 YES: A URL filtering product has been introduced. Or the YMC group standard web filtering is used.

No. 48 Virus check at the mail server
    L1 NO:  Products that check mail on the mail server for viruses have not been introduced.
    L2: -
    L3 YES: A Web gateway product or UTM has been introduced and virus checking of email attachments is implemented. Or the YMC group standard mail system (Office 365) is used.
ss to the intranet from outside, then bypassed the security perimeter. Also, accessing the personal computer and network devices by
n the clients reconnect to the intranet with personal computer and network devices, there is a possibility that they will be continuousl
No. 49 Wireless LAN device management
    L1 NO:  Non-authorized personal computers and network devices can connect to the wireless LAN.
    L2: -
    L3 YES: Only authorized personal computers and network devices can connect to the wireless LAN.

No. 50 Wireless LAN encryption protocol
    L1 NO:  WPA2 is not used (WPA, WEP etc. are used).
    L2 NO:  Although some communications use WPA2, other standards such as WPA and WEP may be used in some cases.
    L3 YES: WPA2 or more advanced protocols are used.

Wireless LAN authentication protocols
    L1 NO:  Authentication protocols such as EAP-TLS are not used.
    L2 NO:  Some wireless networks use authentication protocols such as EAP-TLS.
    L3 YES: All wireless networks use authentication protocols such as EAP-TLS.

No. 52 Wireless access point scan
    L1 NO:  It is not prohibited.
    L2 NO:  Although it is prohibited, it is not detected, and it cannot be grasped even if a wireless access point is set up without permission.
    L3 YES: Wireless access points are detected with scanning tools and only authorized access points are used.

No. 53 Prohibition of Bluetooth devices
    L1 NO:  It is not prohibited.
    L2: -
    L3 YES: In principle, it is prohibited. It is used only when permitted.
ebsite manipulation, and taking down websites. Therefore, companies need to implement measures to help developers develop “vulne
Input validation in web applications
    L1 NO:  In some cases, input values are not validated for security.
    L2 NO:  Some web applications or some input values are validated for security.
    L3 YES: All input values are validated for security, and when a value is not valid, it is treated as an input error.

Web application firewall (WAF)
    L1 NO:  There is no WAF.
    L2 NO:  There is a WAF for some applications.
    L3 YES: There is a WAF for all applications.

No. 58 Communication encryption of web applications
    L1 NO:  HTTPS communication is not used.
    L2 NO:  Although HTTPS communication is used, HTTP communication is also enabled. Or HTTPS communication is not used for some applications.
    L3 YES: Only HTTPS communication is used.
an important role in effectively implementing security measures. A company needs to achieve more effective security measures by pr
ould result in an incident, and the impact that incidents have on business and relevant parties.
No. 59 IT staff security education
    L1 NO:  Education is not implemented.
    L2 NO:  Education is given to some of the people concerned. The e-learning exam in the YMC group is taken.
    L3 YES: Training is conducted according to the educational plan and for everyone concerned.
vider assumes responsibility for information security risk management and the company has indirect responsibility for security risk ma
ns and criteria. The following are the requirements that the company needs to meet when choosing a cloud service provider.
Selection of cloud service provider
    L1 NO:  The service provider is chosen without consideration for that.
    L2: -
    L3 YES: The service provider is chosen with consideration for that. Or you have confirmed it in the cloud service checklist (YMC).

No. 63 Confirmation of the requirements of the cloud service
    L1 NO:  These requirements are not checked.
    L2 NO:  These requirements are checked, but the service is chosen even if some are not met.
    L3 YES: A cloud service is only chosen when all requirements are met. Or you have confirmed it in the cloud service checklist (YMC).

No. 64 Data location and management methods of the cloud service
    L1 NO:  These are not disclosed.
    L2: -
    L3 YES: These are disclosed. Or you have confirmed it in the cloud service checklist (YMC).

No. 65 Investigation of incidents in cloud services
    L1 NO:  That is not ensured.
    L2 NO:  That is ensured for some providers only.
    L3 YES: That is ensured. Or you have confirmed it in the cloud service checklist (YMC).

No. 66 Contact system for incidents in cloud services
    L1 NO:  The structure/system is not clear.
    L2: -
    L3 YES: The structure/system is clear. (YMC clarifies the structure/system using the 'Cloud Service Check List'.) Or you have confirmed it in the cloud service checklist (YMC).

Agreement with the cloud service provider on compensation for damage
    L1 NO:  There is no agreement with the provider.
    L2 NO:  There is an agreement with some providers only.
    L3 YES: There is an agreement with the provider for compensation for damage in case of violation of data confidentiality, integrity, and availability. Or you have confirmed it in the cloud service checklist (YMC).
chnological system to detect a security incident. Therefore, it is important for companies to implement technological security measure
Introduction of a product/system
    L1 NO:  Not introduced.
    L2: -
    L3 YES: Introduced. Or the internet is used after connecting to the YMC group network.
detection of deviations from the normal state and easy identification of unusual behavior (anomaly). Understanding of a network/syst
nts. Therefore, companies need to conduct monitoring and information gathering to understand the normal state of a network/system
No. 69 Monitor login attempts
    L1 NO:  There is no record of unauthorized login attempts by employees.
    L2 NO:  Unauthorized login attempts by employees are recorded, but not monitored.
    L3 YES: Unauthorized login attempts by employees are recorded and monitored.

No. 70 Monitoring of network-connected equipment
    L1 NO:  There is no mechanism such as authentication when connecting to a wired LAN, so any device can be connected to a wired LAN.
    L2: -
    L3 YES: There is a mechanism such as performing authentication of devices when connecting to a wired LAN.

No. 71 Installation monitoring of prohibited software
    L1 NO:  The software that is prohibited to install is decided.
    L2 NO:  The software that is prohibited to install is decided, but the installation status is not grasped.
    L3 YES: The software that is prohibited to install is decided, and the installation status is grasped using a tool.

No. 72 Audit of outsourced operations
    L1 NO:  Contractors' network operations are not grasped.
    L2 NO:  Regular monitoring of operations is implemented, but audits are not.
    L3 YES: Regular monitoring and audit of contractors' network operations are implemented.
nect the dots of the event. Conducting correlation analysis of multiple events plays an important role in determining if a security incide
No. 73 Log storage rules
    L1 NO:  The rules are not defined.
    L2 NO:  The rules are defined, but access logs are only partially kept.
    L3 YES: Access logs are kept for a specified period.

No. 74 Time synchronization
    L1 NO:  Time synchronization is not performed.
    L2 NO:  On some servers/personal computers/systems, time synchronization is performed.
    L3 YES: Time synchronization is performed on all servers/personal computers/systems.

No. 76 Creation of additional rules for the IT Risk Management Group Policy
    L1 NO:  Additional rules have not been made.
    L2 NO:  Additional rules have been made, but the guidelines and additional rules have not been communicated to the persons concerned.
    L3 YES: (1) Additional rules have been made. (2) The guidelines and additional rules have been communicated to the persons concerned.

No. 77 User security education
    L1 NO:  Education is not implemented.
    L2 NO:  Education is given to some of the people concerned.
    L3 YES: (1) Training is conducted according to the educational plan. (2) A systematically maintained educational program is conducted.

No. 78 Ledger management of recording media
    L1 NO:  It is not documented.
    L2 NO:  It is documented but not updated.
    L3 YES: It is documented and updated.

No. 79 Ledger management of software
    L1 NO:  Not listed.
    L2 NO:  Software licences are listed but not updated.
    L3 YES: Listed and updated.

No. 80 Discarding of recording media
    L1 NO:  (1) Data is not deleted completely. (2) The rules are not defined.
    L2 NO:  The rules are defined but not implemented thoroughly.
    L3 YES: The rules exist and are implemented.

Communication of rules to users
    L1 NO:  The rules are not defined.
    L2 NO:  The rules are defined but not communicated to users.
    L3 YES: The rules are communicated to users through education etc.

No. 83 Encryption of personal computers taken outside
    L1 NO:  No countermeasure has been taken.
    L2 NO:  Countermeasures have been taken for some personal computers.
    L3 YES: Countermeasures are taken for all personal computers.

No. 84 Smartphone remote lock
    L1 NO:  No countermeasure has been taken.
    L2 NO:  Countermeasures have been taken for some smartphones.
    L3 YES: Countermeasures are taken for all smartphones.

No. 85 USB memory encryption
    L1 NO:  No countermeasure has been taken.
    L2 NO:  Countermeasures have been taken for some external storage devices.
    L3 YES: Countermeasures are taken for all external storage devices.

No. 86 Measures when a PC / USB memory is lost
    L1 NO:  The procedures to perform at the time of loss are not defined.
    L2 NO:  Although the response procedure at the time of loss is defined, it is not well known.
    L3 YES: The response procedure at the time of loss is well known through training etc., and actions are performed accordingly.
Comment
measures.
refore, it is important to understand cyber