Fintech, December 4 2006

A plug for data leaks

To comply with Japanese regulations on data security, Johoku Shinkin Bank called in the IT plumbers. By Koichi Yamagata.

In Japan, as in other parts of the world, the protection of personal information has become a key concern in recent years, particularly in light of well-publicised cases of information leaks. Japan’s Personal Information Protection Act (Pipa) came into effect on April 1, 2005, requiring, among other things, organisations that manage personal information databases with more than 5000 entries to use secure information management systems.

“As a financial organisation, we have always been vigilant about security, and when the Pipa was introduced, we set about bolstering our security by reviewing our systems,” says Yoshinao Hamada, systems planning group assistant general manager at Johoku Shinkin Bank.

The overriding priority became to set up a system platform to monitor PC activity in order to control internal information leaks. At the bank, many users shared a single PC, so logging each user’s activity was essential. In addition, the system had to be compatible with any existing Windows 98 SE installation.

New software

The bank evaluated several software products and after careful consideration opted for Intelligent Wave’s information security management platform, CWAT (cyber-crime warning alert termination). CWAT monitors and restricts printing, copying and writing operations to removable media, such as USB devices. Two types of log are taken, one for normal activity and one for alert information, indicating an information leak. Unauthorised activity can be blocked instantly.

Before implementing the system, Johoku Shinkin Bank tested it against certain scenarios, says Yuki Tomita, head of systems planning. “By combining the CWAT monitoring logs with other information, we could trace the audit log back to the precise second that the information was copied and from which PC, so that we were able to track down our simulated criminal.”

After an initial pilot, the bank installed Operation Defense Controller client software on about 1500 machines in bank branches and in head offices over a four-month period. Using an organisation monitor and working in tandem with a CWAT server and three database servers for logging, it was able to track the entire workforce’s computer operations.

The bank’s network connecting the head office, branch offices and sub-branches was not very fast so it was vital that the network load was unaffected. In the event, this was not an issue.

Tailored service

Using the revamped system, an administrator can alter security levels depending on a particular user’s privileges. For example, for normal users copying to a floppy disk, an alert can be triggered saying something like “that operation is prohibited”, and the operation is cancelled. For an authorised user copying to a USB device during the course of their normal work, the system can be set to alert the employee while allowing the operation to proceed.

“Employees are conscious of the security system, hence the deterrent effect keeps irregular behaviour in check. By the same token, when a user does something irregular by accident, they are informed by a pop-up message. It’s given us a peace of mind we couldn’t achieve with written rules alone,” says Mr Tomita.

The new system allows the bank to compile reports on computer activity from branch level to that of senior management. It also allows the bank to check the previous day’s computer activities.

On CWAT’s deterrent effect, Mr Tomita comments: “There were many requirements but the results have exceeded our expectations.”

The new system has allowed Johoku Shinkin Bank to worry less about managing security surrounding unauthorised user activity and accidental violations. Users learn what is and what is not allowed and, as a result, the number of unauthorised operations progressively declines.

“We just couldn’t do this without CWAT,” says Mr Hamada.
