4.8.2 Countermeasures to be implemented against expected threats
This subsection describes countermeasures to be implemented against the expected threats described in 4.7 Analyzing expected threats.
The table below shows the threats expected for the system, and countermeasures against them for each target user type. For details about these threats, see 4.7 Analyzing expected threats.
| Target user | Threat | Countermeasure |
|---|---|---|
| System administrator | System configuration by an unauthorized System administrator | |
| System operator | System operation by an unauthorized System operator | |
| System operator | System operation by the System operator, not in compliance with the procedure document | |
| End-user | Service use by an unauthorized user | |
| End-user | Service use by a user who does not follow the procedure document | |
These countermeasures are outlined below.
- Measures for the System administrator
  - OS-based user identification and authentication
    Configure user identification and authentication on the OS running the system to control command execution permissions so that the system can only be managed by the System administrator.
- Measures for System operators
  - OS-based user identification and authentication
    Configure user identification and authentication on the OS running the system to control command execution permissions so that the system can be operated by a System operator.
  - User identification and authentication of System operators
    Configure user identification and authentication on the system so that the system can be operated by the System operator.
  - System audit log output
    Output system audit logs so that you can audit whether the system has been operated in accordance with the relevant procedure documents.
  - J2EE application audit log output
    To audit whether end-users have been managed in accordance with the relevant procedure documents, implement the J2EE applications with the audit log output API provided by the application server so that they output J2EE application audit logs. For details about how to implement a J2EE application using the audit log output API, see Chapter 6 in the uCosminexus Application Server Operation, Monitoring, and Linkage Guide.
- Measures for end-users
  - J2EE application audit log output
    To audit whether authorized end-users have used services in accordance with the relevant procedure documents, implement the J2EE applications with the audit log output API provided by the application server so that they output J2EE application audit logs. For details about how to implement a J2EE application using the audit log output API, see Chapter 6 in the uCosminexus Application Server Operation, Monitoring, and Linkage Guide.
  - J2EE application-based user identification and authentication
    Implement user identification and authentication for J2EE applications so that services can only be used by authorized end-users.
  - J2EE application-based access control
    Implement access control for J2EE applications so that protected data can only be accessed by end-users who have access permission.
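The three end-user measures above can be combined in one servlet filter. This is an added illustration, not code from this guide or from the application server. It assumes container-managed login, a hypothetical role `service-user`, and `java.util.logging` as a stand-in for the application server's audit log output API, whose signatures are documented in the referenced guide rather than on this page.

```java
import java.io.IOException;
import java.util.logging.Logger;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class ProtectedDataFilter implements Filter {
    // Stand-in audit sink (assumption); a real deployment would call the
    // application server's audit log output API here instead.
    private static final Logger AUDIT = Logger.getLogger("audit.j2ee");
    private static final String REQUIRED_ROLE = "service-user"; // hypothetical role name

    public void init(FilterConfig config) { }
    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String user = request.getRemoteUser(); // null until the container has authenticated the caller
        if (user == null) {                    // user identification and authentication
            audit("anonymous", request, "DENY_UNAUTHENTICATED");
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        if (!request.isUserInRole(REQUIRED_ROLE)) { // access control on protected data
            audit(user, request, "DENY_NO_PERMISSION");
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        audit(user, request, "ALLOW");         // permitted use is recorded as well
        chain.doFilter(req, res);
    }

    private static void audit(String user, HttpServletRequest request, String outcome) {
        AUDIT.info("user=" + clean(user) + " src=" + clean(request.getRemoteAddr()) + " method="
                + clean(request.getMethod()) + " uri=" + clean(request.getRequestURI()) + " outcome=" + outcome);
    }

    // Replaces control characters so request data cannot forge extra audit lines.
    private static String clean(String value) {
        return value == null ? "-" : value.replaceAll("\\p{Cntrl}", "_");
    }
}
```

Map the filter in `web.xml` to the URL patterns that serve protected data. Recording denied requests alongside permitted ones lets an auditor see both unauthorized attempts and use that departs from the procedure document.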