Consideration for Information Security Issues in Geospatial Information Services of Local Governments

Geographic Information System (GIS) is one of the important elements of the IT infrastructure of local governments. In recent years, in the consequence of development of Web-based GIS technology, the definition of GIS has been changing to “Geospatial Information Service”. For a local government, the geospatial information service is becoming an important IT system in the field of information service or in the field of information disclosure for its residents. Since all of the governmental geospatial information is public property, it should not only be utilized but be protected. However, there is no standard or guideline for the information security regarding the geospatial information service in Japan. Therefore, a study from the stance of IT security is required in order to secure the geospatial information service and to protect the geospatial information as public property. ISO/IEC TR 13335 GMITS that is one of ISO standards for the IT security management is a useful framework for discussing regarding IT security policy of an information service. This paper aims to consider regarding IT security requirements for the geospatial information service and analyze the specific threats to them according to the framework of GMITS. Based on the threat analysis, a set of safeguards for the baseline security of the geospatial information service is selected. In addition, technical issues of the safeguards to clarify the feasibility of them are discussed. Introduction Geographic information system (GIS) is one of the important factors that constitute social IT infrastructure today. Furthermore, the system that carries out interoperability of the geospatial information data through the Internet is becoming feasible. In this situation, GIS has been changed to the terminology meaning geospatial information service. GIS in local governments is the main application field of GIS. Introduction of GIS in Japanese local governments shows rapid progress ignited by the Kobe earthquake in 1995. According to a survey in 2004 by the National Spatial Data Infrastructure Promoting Association (NSDIPA), the introductory rate of GIS in the allprefectures agency is 100%. Moreover, in 40% of the cities, towns and villages, GIS introduction has been completed. The main purpose of GIS in local governments is management of geospatial information in regard of administration and decision support. In addition, utilization of GIS for information disclosure and the public information service has become important year by year. Since the distribution of the geospatial information service can contribute to the improvement of the welfare of residents, it is a desirable usage of public resource. On the other hand, standardization of the specification of Web Map Service (WMS) has been carried out by Open Geospatial Consortium (OGC) Inc., and the technical infrastructure of geospatial information service has been developed year by year. Not only the service of conventional “End to End” but also the service chaining by combining two or more geospatial information services are becoming possible. It is expected that the circumstances of the geospatial information service in local governments also change a lot by such technology. In some local governments, the operation of “wide-area integrated GIS” which has multi-service interoperability of geospatial information has already started. In such condition while a user’s convenience and the quality of service improve greatly, the possibility of information security problem also increases. The service that a local government provides must not threaten the residents’ safety. In order to prevent illegal usage of the geospatial information that is public property, the countermeasure based on suitable information security is indispensable. However, in Japan, those countermeasures are being entrusted to each local government. Therefore, in consideration of the circumstances of geospatial information services of local governments, to discuss those requirements for the information security systematically is required The meaning and the purpose of research In order to make the information service on the Internet secure, many technologies and standards already exist and