Towards Measures Related to the Management/Monitoring of Outsourced Sites for Information Security of Local Governments and Personal Information Protection

ABSTRACT

Local governments’ outsourcing of information processing is becoming a high risk issue with the increase in cases of personal information leaks at the outsourced sites. With this in mind, we conducted a national survey questionnaire of local governments concerning the management/monitoring of outsourced sites, personal information protection, and information security measures. We found that almost 100% of the local governments have revised the “personal information protection ordinances”, and have similarly set security policies. On the other hand, they have been slow to create security-related implementation procedures concerning actual management and regulations with regards to outsourcing. These local governments are planning the creation of these areas in the future (three years), and it seems as though the monitoring of information processing done at outsourced sites will be strengthened.

We also conducted a comparative analysis based on security demands made by the local governments at outsourced sites (a part of the survey questionnaire). Specifically, the “effectiveness” of the demands made by the local governments, as well as the “extent of influence” these demands have on IT vendors were analyzed. We found that there are many areas of local government demands with low “effectiveness”, while there are also areas that have a high “extent of influence” on IT vendors. With regards to security, it is necessary to clearly define conditions and etc. that will have both a strong effect for local governments and a low burden on IT vendors.

To do this, it is important for both the local governments (commissioning) and IT vendors (commissioned) to advance personal information protection equally, as well as promote research and the acquisition of qualifications related to information security. On the other hand, regulations focusing on the independence of local governments, such as requiring that limited qualifications and research designed by the local government be part of outsourcing conditions, are not realistic. Flexible response is needed from the local governments. In addition, IT vendors must also internally create and then implement internal regulations, such as information security and personal information protection measures.

Currently, local government’s guidelines concerning personal information protection and information security, as well as standards for regulatory content of requirements concerning outsourcing are disjointed. Local governments should create unified rules with regards to outsourcing as quickly as possible.