Formulation of Guidelines for Information Security Measures for ASP/SaaS
- From the Report from the Study Group on ASP/SaaS Information Security Measures -
The following is an outline of the report compiled by the study group in January 2008, as well as guidelines for information security measures.
Background
(1) The development of the broadband environment
Japan’s Internet users now account for over 68% of the total population; in other words, two out of three citizens now use the Internet. There were also 26.44 million broadband users as of the end of fiscal year 2006, and with the penetration of broadband, the distribution of high-volume content such as music and movies has become possible, turning the Internet into a major infrastructure supporting people’s lives and the economic activities of society.
(2) The promotion of the penetration of ASP/SaaS
There is no denying that Japan is facing a declining population and that the existing economic model is nearing its limits. In order to put the economy back on track for growth under current conditions, it is vital to use ICT to improve productivity and strengthen international competitiveness.
Under such conditions, ASP (Application Service Provider) and SaaS (Software as a Service), which provide applications and related functions over networks, have attracted attention as easy-to-use new ICT services for small and medium-sized companies. Having been mentioned in documents such as the Program for Enhancing Growth Potential (Council on Economic and Fiscal Policy) and the final compilation by the Panel on ICT International Competitiveness (MIC), the government as a whole is working towards promoting the penetration of ASP/SaaS as a trump card for improving productivity and strengthening global competitiveness.
(3) Goals of setting up the study group
The corporate usage of ASP/SaaS offers enormous advantages from the point of view of costs and ICT literacy, including the ability to build and operate systems in a short time rather than developing them separately, plus the reduction in the burden of system maintenance, operation and management. This is why the use of ASP/SaaS contributes significantly to improvements in productivity in small and medium-sized companies where both human and financial resources are limited. On the other hand, given that ASP/SaaS operators accumulate large volumes of confidential information and customer information from the corporations that are their users, the implementation of appropriate security measures is important.
This is why the Study Group on ASP/SaaS Information Security Measures was established in order to investigate information security measures that ASP/SaaS operators should implement, having grasped the actual condition of ASP/SaaS, the current status of information security measures, and future developments.
Figure 1: What are ASP/SaaS?

Figure 2: Diversification of ASP/SaaS services and increase in scale of market

Current Status and Issues Related to ASP/SaaS Information Security Measures
The two major characteristics of ASP/SaaS services can be said to be that the majority of providers are small and medium-sized operators, and that there is a wide diversity in the services on offer. Taking these characteristics into consideration, the results of interviews conducted with ASP/SaaS operators revealed the following issues in relation to the implementation of information security measures:
• There has been no prioritization of information security measures.
• The most appropriate information security measures based on the characteristics of the ASP/SaaS services provided have not been developed.
On the other hand, in terms of existing standards and guidelines for information security measures, there are a variety of documents that can serve as guidelines in implementing measures, such as JIS Q 27001 (ISO/IEC 27001) and JIS Q 27002 (ISO/IEC 27002). Since, however, these were not necessarily formulated with the particular characteristics of ASP/SaaS in mind, if ASP/SaaS business operators make use of such standards and guidelines as they stand, they will have difficulty introducing and operating information security measures that are in line with actual conditions.
From the results of the above analysis, the study group came to the conclusion that there is a need to produce new information security guidelines that reflect the characteristics of ASP/SaaS, and are in line with the current conditions of ASP/SaaS operators.
Figure 3: Current ASP/SaaS information security status and issues

The Formulation of Guidelines for Information Security Measures
(1) Basic outlook concerning the guidelines
In order to work towards solving the issues related to information security measures for ASP/SaaS, the basic positioning of the guidelines should be “Concrete guidelines for ASP/SaaS service operators when investigating the implementation of appropriate information security measures based on the characteristics of the services provided,” and in producing them, the following important points were kept in mind.
• To pinpoint the information security guidelines that should be given priority, and that reflect the characteristics of the ASP/SaaS operators and their services.
• Making it possible for ASP/SaaS business operators to implement, relatively easily, information security measures that take into account the services each provides, by using the guidelines as they stand.
• Offering concrete information security guidelines that are easy for ASP/SaaS business operators to understand and implement.
Furthermore, the guidelines were investigated on the assumption that they would be used as a reference by ASP/SaaS service providers, but they have also been produced keeping in mind that they should be easy to understand for users of ASP/SaaS services.
(2) Investigations ahead of the formulation of the guidelines
In order to work towards the ongoing operation and revision of the information security guidelines for ASP/SaaS operators, organizational and operational measures are needed, such as putting in place an operation management system within the ASP/SaaS business operator’s own organization and addressing the matters for consideration in contracts with external organizations. In parallel, physical and technical measures are needed that apply to the hardware and software that make up the systems, as well as to housing such as buildings, power sources, etc., in order to protect the information resources of the ASP/SaaS services.
With regard to the information security measures on the organizational and operational side, ASP/SaaS stakeholders (those with interests) were taken into consideration and measure items were derived using the detailed information security management measures shown in Appendix A of JIS Q 27001.
On the other hand, with regard to physical and technical security, measure items were derived by categorizing the widely varied ASP/SaaS services into 6 patterns, specifying the elements that make up ASP/SaaS, clarifying the information resources and analyzing the dangers facing them, and then referring to existing standards and guidelines such as Appendix A of JIS Q 27001 and the guidelines concerning outsourcing in public IT (MIC). In addition, in deriving each measure item, the fact that a large proportion of ASP/SaaS business operators are small and medium-sized companies was taken into consideration: the investigations focused on measures that are easy to understand and on prioritizing the order in which they should be applied, and similar measure items were grouped together and rewritten so as to reduce the number of measure items.
Following on from that, a two-level priority system was established regarding the necessity and importance of each measure item, with measure items that should be given priority implementation, regardless of ease of implementation or cost, classified as “basic,” and measure items that could be applied selectively when working to differentiate oneself from other companies or responding to high-level user demands classified as “recommended.”
In addition, in order to deepen the understanding of ASP/SaaS business operators concerning the measure items, an explanatory document of best practices, giving concrete implementation methods and warnings relating to implementing the measures, was produced with reference to JIS Q 27002 as well as “Security Guidelines and Explanations for Financial Institution Computer Systems” (The Center for Financial Industry Information Systems), and attached to the measure items.
Furthermore, with regard to physical and technical measures, as the information resources differ depending on the type of ASP/SaaS service, it is necessary to set a measure implementation level appropriate to each pattern, while keeping in mind that different levels of information security are required. Consequently, it was decided to establish a “measure reference value” attached to each pattern as a value for gauging implementation levels, and an “evaluation item” that works as an indicator for evaluating the implementation level of each measure item quantitatively or concretely, so that the measure implementation level to be aimed for can be obtained easily.
Also, in investigating the best practices, evaluation items and measure reference values, the opinions of experts in relevant fields (ASP/SaaS business operators, information equipment manufacturers, ISPs and data center business operators) were included, and attention was paid as far as possible to consistency with the actual condition of ASP/SaaS services, for example with regard to the difficulties ASP/SaaS business operators face in actually implementing the measures.
(3) Composition of the guidelines
The guidelines that were completed according to the process described above are composed of the three parts shown below.
• Prologue: Introduction including the guideline objectives, range covered, usage methods, warnings and definition of terms
• Organization and Operation: A collection of information security measures related to organization and operations such as operation management systems to secure information security, points to consider in contracts with outside organizations, and responsibilities towards users. This will probably mainly be used as reference material by organizational managers such as executives.
• Physical and Technical Measures: Information security measures for operations, failure surveillance, virus countermeasures, back-ups and damage measures, taking into consideration the variety of ASP/SaaS services as well as structural elements (applications, networks, and also buildings and power sources etc.). This will probably be mainly used as reference by on-site engineers.
Figure 4: Derivations of necessary information security measures

Figure 5: Structure and outline of guidelines

The Effects of Proper Use of the Guidelines and Future Topics
(1) The effects of proper use of the guidelines
By using these guidelines effectively, the following results can be expected both for the ASP/SaaS business operators and for the service users.
• The promotion of the implementation of appropriate information security measures that are in line with the characteristics of the services provided, and the development of approaches for small and medium-sized operators as well as new entrant business operators (ASP/SaaS business operators).
• They can be used as guidelines for desirable information security items with regard to business operators that coordinate to offer services (ASP/SaaS business operators).
• They can be used as guidelines for the contents of the information security measures implementation status that is provided to users (ASP/SaaS business operators).
• They can be used as guidelines when evaluating the appropriateness of the state of implementation of information security measures by ASP/SaaS business operators (service users).
• Overall information security levels can be improved by receiving a service in which appropriate information security measures have been implemented (service users).
Through these effects of effective usage, the information security level of the ASP/SaaS industry as a whole is expected to improve, as is awareness of information security, including among users, leading to the vitalization and healthy development of the ASP/SaaS industry.
Figure 6: Results of effective usage of guidelines and future topics

Conclusion
By making proactive and effective use of these guidelines in the future, centering on the ASP/SaaS industry, the provision of ASP/SaaS services with appropriate information security measures will be promoted, leading to expectations of even greater growth as one of the ICT services that lead Japan’s economic growth. MIC will continue to provide the necessary support towards further promoting the penetration of ASP/SaaS as well as improving the level of information security.
