ID number system - Recent revisions to guidelines for protection of personal information -



Similar documents
upgrade insurers' ERM

lakyara vol.164 Japan to normalize short-selling regulations Sadakazu Osaki 10. May. 2013

lakyara vol.226 Japanese exchanges set to keep upgrading infrastructure as JGB futures market turns 30 years old

New life insurance sales channels

T + 1 settlement of JGB trades to strengthen its international competitiveness

Internet finance era in China

investment activities

of asset securitization in China

lakyara vol.181 China starting to regulate shadow banking Takeshi Jingu 11. November. 2013

growing rapidly in China

driven by short-term traders

Coexistence with artificial intelligence

Information Security Policy September 2009 Newman University IT Services. Information Security Policy

in Hong Kong's Offshore RMB Market

How To Grow The Lse Group

DEALERSHIP IDENTITY THEFT RED FLAGS AND NOTICES OF ADDRESS DISCREPANCY POLICY

GUIDELINE ON THE APPLICATION OF THE OUTSOURCING REQUIREMENTS UNDER THE FSA RULES IMPLEMENTING MIFID AND THE CRD IN THE UK

Management Standards for Information Security Measures for the Central Government Computer Systems

How To Be A Successful Company

Outsourcing Risk Guidance Note for Banks

Recommendations for companies planning to use Cloud computing services

CLOUD COMPUTING FOR SMALL- AND MEDIUM-SIZED ENTERPRISES:

Data Protection. Processing and Transfer of Personal Data in Kvaerner. Binding Corporate Rules Public Document

Cloud Computing: Legal Risks and Best Practices

Montclair State University. HIPAA Security Policy

STATE OF NEVADA DEPARTMENT OF HEALTH AND HUMAN SERVICES BUSINESS ASSOCIATE ADDENDUM

Article 29 Working Party Issues Opinion on Cloud Computing

BANKING UNIT BANKING RULES OUTSOURCING BY CREDIT INSTITUTIONS AUTHORISED UNDER THE BANKING ACT 1994

NOTE: SERVICE AGREEMENTS WILL BE DRAFTED BY RISK SERVICES SERVICE AGREEMENT

Service Schedule for CLOUD SERVICES

INITIAL APPROVAL DATE INITIAL EFFECTIVE DATE

A Best Practice Guide

14 December 2006 GUIDELINES ON OUTSOURCING

Infinedi HIPAA Business Associate Agreement RECITALS SAMPLE

Business Associate Agreement

INFORMATION TECHNOLOGY MANAGEMENT CONTENTS. CHAPTER C RISKS Risk Assessment 357-7

Briefly summarised, SURFmarket has submitted the following questions to the Dutch DPA:

Construction Occupational Health and Safety Management System COHSMS Guidelines & COHSMS External System Evaluation External Audit By JCOSHA

Data Protection Act Guidance on the use of cloud computing

FINAL DOCUMENT. Guidelines for Regulatory Auditing of Quality Management Systems of Medical Device Manufacturers Part 1: General Requirements

Information Security Policies. Version 6.1

CONSULTATION PAPER ON HIGH LEVEL PRINCIPLES ON OUTSOURCING COVER NOTE

TERMS & CONDITIONS of SERVICE for MSKnote. Refers to MSKnote Limited. Refers to you or your organisation

WHL Affiliate Terms & Conditions

Estate Agents Authority

HIPAA Security. 5 Security Standards: Organizational, Policies. Security Topics. and Procedures and Documentation Requirements

Managing Outsourcing Arrangements

This form may not be modified without prior approval from the Department of Justice.

MONTSERRAT COLLEGE OF ART WRITTEN INFORMATION SECURITY POLICY (WISP)

A GOOD PRACTICE GUIDE FOR EMPLOYERS

Information Security Operational Procedures Banner Student Information System Security Policy

BUSINESS ASSOCIATE AGREEMENT

Guidance for Data Users on the Collection and Use of Personal Data through the Internet 1

Electronic business conditions of use

HIPAA BUSINESS ASSOCIATE AGREEMENT

Third Party Security Requirements Policy

Financial Services Guidance Note Outsourcing

INSURANCE ACT 2008 CORPORATE GOVERNANCE CODE OF PRACTICE FOR REGULATED INSURANCE ENTITIES

07/2013. Specific Terms and Conditions Mobile Device Management

Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH)

DEPARTMENT OF TAXATION AND FINANCE SECURITY OVER PERSONAL INFORMATION. Report 2007-S-77 OFFICE OF THE NEW YORK STATE COMPTROLLER

CONTRACT ADDENDUM BUSINESS ASSOCIATE CONTRACT 1

Information for Management of a Service Organization

(a) the kind of data and the harm that could result if any of those things should occur;

DDV Declaration (VE 12/2009) Commissioned Data Processing and Data Treatment

BEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO

Refresher on cloud computing

Corporate Information Security Policy

Securing Information in an Outsourcing Environment (Guidance for Critical Infrastructure Providers) Executive Overview Supplement.

05.0 Application Development

Transcription:

lakyara Information security safeguards required for new ID number system - Recent revisions to guidelines for protection of personal information - Jun Tsutsumi 11. May. 2015

Executive Summary Jun Tsutsumi General Manager Financial IT Risk Management Department Japan's forthcoming national ID number system will require companies that handle identifying personal information (information that can identify a specific individual) to upgrade their information security beyond existing confidential information controls. This report provides an overview of recent revisions to various guidelines for protection of identifying personal information and discusses requirements for highlevel safeguards. Required safeguards The time has come for financial institutions and nonfinancial companies in Japan to prepare posthaste for the January 2016 advent of national ID numbers pursuant to the Act on the Use of Numbers to Identify Specific Individuals in Administrative Procedures (the so-called My Number Act). In December 2014, the Cabinet Office's Specific Personal Information Protection Commission issued Guidelines for Proper Handling of Specific Personal Information for businesses (the Personal Information Protection Guidelines). The Guidelines contain specific guidance for financial institutions and non-financial companies on how to properly handle identifying personal information. On their first page, the Personal Information Protection Guidelines warn that noncompliance with any of their mandatory provisions may be deemed a legal violation. Failure to comply with their advisory provisions, by contrast, would not immediately constitute a legal violation, but the guidelines recommend that companies comply with their advisory provisions in accord with the My Number Act's intent to the extent feasible given the companies' size and resources. One specific guideline states that businesses that use the national ID numbers must devise appropriate safeguards necessary to manage identifying personal information, including safeguards against leakage, loss and impairment of ID numbers and/or identifying personal information. The guidelines' appendix includes numerous pages of content on such safeguards. 2015 Nomura Research Institute, Ltd. All Rights Reserved. 1

Specifically, the Personal Information Protection Guidelines recommend formulating a basic information security policy and regulations for handling identifying personal information. They specify four types of safeguards: organizational, human, physical and technological, as discussed below (see Exhibit). The guidelines provide specific examples of recommended safeguards. For example, recommended human safeguards include inclusion of confidentiality rules in employment regulations. Examples of physical safeguards for controlling access to areas where identifying personal information is handled include segregation of such areas with walls or partitions and installation of admittance control systems using technologies such as smart cards or numeric keypads. Recommended safeguards to prevent theft of IT hardware or electronic media include fastening IT hardware with security cables if a company's information system that stores identifying personal information files comprises hardware only. Examples of technological safeguards to prevent information leaks include encryption of communication channels, and protection of data via encryption or passwords. In sum, the Personal Information Protection Guidelines are very instructive on the topic of specific safeguards. Guidelines for financial institutions December 2014, the Ministry of Economy, Trade and Industry (METI) revised its Guidelines Targeting Economic and Industrial Sectors Pertaining to the Act on Protection of Personal Information. In response, the Financial Services Agency (FSA) is expected to likewise issue new guidelines on protection of personal information. With the Consumer Affairs Agency advocating standardization of personal information protection guidelines, the FSA's revised guidelines are likely to coincide to some extent with METI's in terms of content. Exhibit: Four types of safeguards recommended in the Personal Information Protection Guidelines Organizational safeguards Human safeguards Physical safeguards Technological safeguards Formation of information security team, compliance with internal information handling regulations, adoption of procedures for monitoring information handling, formation of incident (e.g., information leak) response team, and assessment of handling of personal information and review/revision of safeguards Training and supervision of personnel who handle identifying personal information Control of access to areas in which identifying personal information is handled, prevention of theft of IT hardware and electronic media, prevention of leaks via portable electronic media, deletion of personal ID numbers, and proper disposal of disused IT hardware and electronic media Access controls, identification and authentication of persons who access identifying personal information, prevention of improper access by outsiders, and prevention of information leaks 2015 Nomura Research Institute, Ltd. All Rights Reserved. 2

Like the Personal Information Protection Guidelines, METI's guidelines present examples of four types of safeguards (organizational, human, physical and technological). While the four categories are the same in both sets of guidelines, METI's examples include responses to actual security breaches. These historical examples are more detailed than other examples. For example, METI's guidelines recommend that information terminals able to access and process identifying personal data be equipped with the minimum functionality required to perform their assigned tasks (e.g., terminals on which users can only view personal data should not be connectable to external recording media such as CD-R or USB storage and their connectivity to memory-equipped devices such as smartphones and PCs should be restricted). METI's guidelines provide considerable detail on previous security breaches, including even the specific type of device (e.g., smartphone) used to perpetrate the breach. Given the aforementioned similarities between METI's guidelines and the Personal Information Protection Guidelines, companies would be well advised to refer to the examples in both when devising internal safeguards. However, the two sets of guidelines differ substantially in certain respects. For example, METI's guidelines recommend explicitly appointing a chief information security officer in charge of handling personal information, whereas the Personal Information Protection Guidelines recommend that all personnel who handle identifying personal information be individually identified and supervised. The latter recommendation reflects that in the event of a leak of identifying personal information, companies must be able to thoroughly investigate the leak's cause or source. In January 2015, the Center for Financial Information Systems (FISC) issued a draft revision of its FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions (FISC Security Guidelines). In February 2015, the FSA released draft revisions of its Comprehensive Guidelines for Supervision of Major Banks and Financial Inspection Manual's respective provisions on information systems. Both the FISC and FSA revisions are updates that reflect responses to recent security breaches, international developments with respect to cybercrime, and new technological and contractual modalities related to cloud services. Both also seek to broaden the PDCA (plan-do-check-adjust) cycle to encompass not only employees but also external contractors (including subcontractors and sub-subcontractors). 2015 Nomura Research Institute, Ltd. All Rights Reserved. 3

The various guideline revisions discussed above reflect a need to overhaul precautions against information leaks in conjunction with the upcoming advent of national ID numbers. Protection of identifying personal information and supervision of external contractors The safeguards required of business processes that involve identifying personal information apply without distinction to not only in-house but also outsourced business processes. Companies therefore must treat external contractors the same as internal organizational units. They must delegate responsibility for outsourced business processes to external contractors and ensure that the contractors implement adequate safeguards. They must also monitor the contractors. If we compare supervision of external contractors with directors' management of internal organizational units, entering into a service level agreement (SLA) with an external contractor corresponds to explicitly allocating responsibility for business operations among internal organizational units. SLAs must incorporate informationsecurity safeguards. Additionally, companies must verify whether safeguards designed and implemented by external contractors are adequate in light of relevant risks. Companies will consequently require external contractors to conduct internal audits just as they require their internal organizational units to conduct self-inspections. Their SLAs therefore should include a clause authorizing the outsourcer's internal audit department to conduct such internal audits. In sum, in supervising external contractors, companies must ascertain the adequacy of contractors' information security safeguards in comparison to their own internal safeguards, utilize their assessments of contractors' safeguards as an input in contractor selection decisions, draft agreements that obligate contractors to comply with their policies, and monitor contractors on an ongoing basis after the outsourcing relationship has commenced. In addition to the Personal Information Protection Guidelines, the Specific Personal Information Protection Commission has also issued an equivalent set of guidelines specifically for financial businesses. These guidelines stipulate safeguards required when financial institutions outsource business processes as well as restrictions on financial institutions' use and provision of identifying personal information. 2015 Nomura Research Institute, Ltd. All Rights Reserved. 4

In terms of specific safeguards, the guidelines instruct financial institutions to refer to the Personal Information Protection Guidelines and also require financial institutions to supervise external contractors. They define necessary and appropriate supervision as contractor selection, execution of an SLA and monitoring of the contractor's handling of personal information as discussed above. Additionally, the guidelines permit subcontracting (including sub-subcontracting) only if the outsourcing financial institution has consented to the arrangement. Financial institutions must be fully aware of the extent to which subcontractors are utilized by the external contractors to which they outsource business processes that involve handling of identifying personal information. Protection of personal information requires an ongoing, cross-organizational security regime While the Personal Information Protection Guidelines and METI's guidelines provide many easy-to-understand examples of safeguards, companies relying solely on these guidelines may be susceptible to the misconception that all they need to do is comply with these guidelines' safeguard recommendations. The guidelines' examples are easy to understand because they present specific measures based on recent incidents. However, the examples are merely responses to past incidents. Guidelines are generally unable to present examples of safeguards targeted at anticipated new risks. Additionally, in terms of information security from the standpoint of maintaining confidentiality, integrity and availability in accord with JIS, ISO or other standards, both the Personal Information Protection Guidelines and METI's guidelines pertain mainly to confidentiality, reflecting their retrospective focus. In the event that some party is harmed in the future by integrity problems (e.g., erroneous records of individuals' national ID numbers), integrity-related incidents would likely be added to the guidelines' safeguards. Risk management Companies must keep two key points in mind regarding risk management in connection with national ID numbers. First, risk management is an essential tool for management to fulfill its functions. This point is true across the entire spectrum of risk management, not just for protection of identifying personal information. Second, it is management's responsibility to build a continuously functioning risk management 2015 Nomura Research Institute, Ltd. All Rights Reserved. 5

regime. Specifically, companies should incorporate the following PDCA-cycle arrangements into their risk management models. (1) Arrangements for collecting information on "close call" incidents within the company and at other companies (2) Arrangements for analyzing the collected information (3) Arrangements for devising internal safeguards in response to the results of the analysis (4) Arrangements for notifying all concerned personnel about new safeguards (5) Arrangements for monitoring the safeguards to verify whether they have been robustly implemented Management must explain to stakeholders that such a risk-management PDCA cycle is functioning properly. Accountability therefore must be built into the risk management regime described above. The crucial question for management is not whether the company's safeguards for protection of identifying personal information are adequate but whether the company has arrangements in place to maintain the adequacy of such safeguards. Additionally, when companies outsource business processes, it is important for management to select a contractor that is capable of monitoring the outsourcer's controls and accessible for direct discussions. 2015 Nomura Research Institute, Ltd. All Rights Reserved. 6

about NRI Nomura Research Institute, Ltd. ( NRI, TYO: 4307) is an independent, global IT solutions and consulting services provider with annual sales of 406.0 billion yen as of FY ended March 2015. With front-to-back support for the buy- and sellside, NRI s tradition of innovation has positioned them as a trusted international market leader. Leveraging NRI s global consulting business, NRI is able to provide innovative financial IT solutions for investment banks, asset managers, banks and insurance providers. For more information, visit www.nri.com. The entire content of this report is subject to copyright with all rights reserved. The report is provided solely for informational purposes for our UK and USA readers and is not to be construed as providing advice, recommendations, endorsements, representations or warranties of any kind whatsoever. Whilst every effort has been taken to ensure the accuracy of the information, NRI shall have no liability for any loss or damage arising directly or indirectly from the use of the information contained in this report. Reproduction in whole or in part use for any public purpose is permitted only with the prior written approval of Nomura Research Institute, Ltd. Inquiries to : Financial IT Marketing Department Nomura Research Institute, Ltd. Marunouchi Kitaguchi Bldg. 1-6-5 Marunouchi, Chiyoda-ku, Tokyo 100-0005, Japan E-mail : kyara@nri.co.jp http://www.nri.com/global/opinion/lakyara/index 2015 Nomura Research Institute, Ltd. All Rights Reserved. 7

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information