12月 21, 2013 PHP Security, Security

(Last Updated On: 2018/08/31)








  • 目的(AIMS)
  • 適用範囲(SCOPE)
  • セキュリティの目的(SECURITY OBJECTIVE)」

OECD情報セキュリティガイドラインの歴史と概要については平成13年のOECD 情報セキュリティガイドライン に関する調査(PDF)に記載されています。

現在のOECD勧告(PDF)は2002年の改定を経て簡略化され TOWARDS A CULTURE OF SECURITY、AIMS、 PRINCIPLESの3つの項目から成り立っています。具体的な内容はISO 13335、ISO 17799などのISOセキュリティ標準で定められた為、必要ないと判断されたのだと思われます。
(注:現在、ISO 17799はISO 27000シリーズとなり、重複が多いISO 13335はオブソリートとなっています)




1) Awareness (自覚)
Participants should be aware of the need for security of information systems and networks and what they can do to enhance security.
Awareness of the risks and available safeguards is the first line of defence for the security of information systems and networks. Information systems and networks can be affected by both internal and external risks. Participants should understand that security failures may significantly harm systems and networks under their control. They should also be aware of the potential harm to others arising from interconnectivity and interdependency. Participants should be aware of the configuration of, and available updates for, their system, its place
within networks, good practices that they can implement to enhance security, and the needs of other participants.

2) Responsibility (責任)
All participants are responsible for the security of information systems and networks.

Participants depend upon interconnected local and global information systems and networks and should understand their responsibility for the security of those information systems and networks. They should be accountable in a manner appropriate to their individual roles. Participants should review their own policies, practices, measures, and procedures regularly and assess whether these are appropriate to their environment. Those who develop, design and supply products and services should address system and network security and distribute appropriate information including updates in a timely manner so that
users are better able to understand the security functionality of products and services and their responsibilities related to security.

3) Response (対応)
Participants should act in a timely and co-operative manner to prevent, detect and respond to security incidents.

Recognising the interconnectivity of information systems and networks and the potential for rapid and widespread damage, participants should act in a timely and co-operative manner to address security incidents. They should share information about threats and vulnerabilities, as appropriate, and implement procedures for rapid and effective co-operation to prevent, detect and respond to security incidents. Where permissible, this may involve cross-border information sharing and co-operation.

4) Ethics (倫理)
Participants should respect the legitimate interests of others.

Given the pervasiveness of information systems and networks in our societies, participants need to recognise that their action or inaction may harm others. Ethical conduct is therefore crucial and participants should strive to develop and adopt best practices and to promote conduct that recognises security needs and respects the legitimate interests of others.

5) Democracy (民主主義)
The security of information systems and networks should be compatible with essential values of a democratic society.

Security should be implemented in a manner consistent with the values recognised by democratic societies including the freedom to exchange thoughts and ideas, the free flow of information, the confidentiality of information and communication, the appropriate protection of personal information, openness and transparency.

6) Risk assessment (リスク評価)
Participants should conduct risk assessments.

Risk assessment identifies threats and vulnerabilities and should be sufficiently broad-based to encompass key internal and external factors, such as technology, physical and human factors, policies and third-party services with security implications. Risk assessment will allow determination of the acceptable level of risk and assist the selection of appropriate controls to manage the risk of potential harm to information systems and networks in light of the nature and importance of the information to be protected. Because of the growing interconnectivity of information systems, risk assessment should include consideration of the potential harm that may originate from others or be caused to others.

7) Security design and implementation (セキュリティ設計と実装)
Participants should incorporate security as an essential element of information systems and networks.

Systems, networks and policies need to be properly designed, implemented and co-ordinated to optimise security. A major, but not exclusive, focus of this effort is the design and adoption of appropriate safeguards and solutions to avoid or limit potential harm from identified threats and vulnerabilities.
Both technical and non-technical safeguards and solutions are required and should be proportionate to the value of the information on the organisation’s systems and networks. Security should be a fundamental element of all products, services, systems and networks, and an integral part of system design and architecture. For end users, security design and implementation consists largely of selecting and configuring products and services for their system.

8) Security management (セキュリティ管理)
Participants should adopt a comprehensive approach to security management.

Security management should be based on risk assessment and should be dynamic, encompassing all levels of participants’ activities and all aspects of their operations. It should include forward-looking responses to emerging threats and address prevention, detection and response to incidents, systems recovery, ongoing maintenance, review and audit. Information system and network security policies, practices, measures and procedures should be co-ordinated and integrated to create a coherent system of security. The requirements of security management depend upon the level of involvement, the role of the participant, the risk involved and system requirements.

9) Reassessment (再評価)
Participants should review and reassess the security of information systems and networks, and make appropriate modifications to security policies, practices, measures and procedures.
New and changing threats and vulnerabilities are continuously discovered. Participants should continually review, reassess and modify all aspects of security to deal with these evolving risks.



  • 可用性(Availability)
  • 機密性(Confidentiality)
  • 完全性(Integrity)

情報セキュリティの目的とこれらの用語も1992年のOCDE勧告で定義されています。2002年の改定で削除されましたが、ISO 27000でこの3つの要素を維持することを情報セキュリティの目的としています。

ISO/IEC 27000:2012では以下のように定義されています。

availability (可用性)
property of being accessible and usable upon demand by an authorized entity

confidentiality (機密性)
property that information is not made available or disclosed to  unauthorized individuals, entities, or processes (2.54)

integrity (完全性)
property of protecting the accuracy and completeness of assets (2.4)


ISO/IEC 27000:2012では情報セキュリティは以下のように定義されています。

information security (情報セキュリティ)
preservation of confidentiality (2.13), integrity (2.36) and availability (2.10) of information

In addition, other properties, such as authenticity (2.9), accountability (2.2), non-repudiation (2.49), and reliability (2.56) can also be involved.



accountability (責任追跡性)
assignment of actions and decisions to an entity

authenticity (真正性)
property that an entity is what it claims to be

non-repudiation (否認防止)
ability to prove the occurrence of a claimed event or action and its originating entities

reliability (信頼性)
property of consistent intended behaviour and results


情報セキュリティリスクに対する対策、つまり一般に情報セキュリティ対策と言われる用語には様々な物が使われてきました。例えば、ISO 13335では”セーフガード”と呼ばれていました。ISO/IEC 27000:2012ではRisk Treatmentとして定義されています。

risk treatment (リスク対応)
process (2.54) to modify risk (2.61)

Risk treatment can involve:

  •  avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk;
  •  taking or increasing risk in order to pursue an opportunity;
  •  removing the risk source;
  •  changing the likelihood;
  •  changing the consequences;
  •  sharing the risk with another party or parties (including contracts and risk financing); and
  •  retaining the risk by informed choice.

Risk treatments that deal with negative consequences are sometimes referred to as “risk mitigation”, “risk elimination”, “risk prevention” and “risk reduction”.
Risk treatment can create new risks or modify existing risks.

否定的な結果に対するRisk Treatment(リスク対策)はRisk Mitigation(リスク緩和)、Risk Elimination(リスク排除)、Risk Prevention(リスク防止)、Risk Reduction(リスク削減)とも呼ばれる事があるとしています。


興味深い点はリスクを削減することのみでなく、リスクを取ることもRisk Treatmentに含まれている点です。

  •  taking or increasing risk in order to pursue an opportunity;

情報システムの利用には必ずリスクを伴います。リスクを取らずにメリットを得る事はできません。同じ目的を達成する場合でも様々な方法を選択できる事があります。方法によりリスクは変化します。どのようなリスクを取って目的を達成するのか?もセキュリティ対策の一つと考えて良いでしょう。Risk Treatmentは”リスク取り扱い”または”リスク管理”と訳した方が良いのかも知れません。



解りやすい例は入力バリデーションです。入力バリデーションは直接脆弱性を防止する対策ではなく、事前防御的な対策と言えます。ISO標準の定義から入力バリデーションは有効なセキュリティ対策です。統計的情報を基に作成したSANS TOP 25の怪物的セキュリティ対策の第一位にもなっています。


通常ISO文書は購入する必要がありますが、用語の定義、ISMSの概要を解説したISO/IEC 27000:2012 は無料でダウンロードできます。手元に一つ置いておいて損はないと思います。




バリデーションには3種類のバリデーションがある 〜 セキュアなアプリケーションの構造 〜

投稿者: yohgaki