Overview of Risk Management Promotion Activities for the Tokyo 2020 Games
●Risk assessment
In order to prevent/reduce the impact of cyberattacks on preparations and the running of the Tokyo 2020 Games, the NISC promoted measures
against possible cybersecurity risks by strengthening risk management by peripheral essential service providers (ESPs) that supported the Games.
In Risk Assessment (“RA”) 6, the NISC not only reconsidered risks of postponement or environmental changes due to the spread of coronavirus
infection but also comprehensively examined measures against risks requiring actions and strengthened the system to handle residual risks that may
arise.
○ To promote risk management, the NISC created a cybersecurity risk identification, analysis, and evaluation procedure.
○ From the important service areas that could influence preparations and the running of the Games, important ESPs were chosen through
consultation with relevant management parties.
[Figure: RA schedule and targets, FY2016 to FY2020]
Important service areas + venues (competition and non-competition venues):
Communications, broadcasting, finance, airlines, railways, electricity, gas, water
system, logistics, credit, administrative service (local public agencies), sewage
system, airports, road, maritime, and traffic control, emergency reporting, weather
and disaster information, border control, highways, heat supply, buses, security,
travel, hospitals, and venues
FY2016, FY2017, FY2018: RA 1, RA 2, RA 3, RA 4
Targets (in the order shown in the figure):
Companies, etc. in the Tokyo 23 wards (19 areas)
Companies, etc. in the Greater Tokyo Area (Tokyo and three surrounding prefectures) (20 areas)
Companies, etc. near all competition venues (Tokyo, Hokkaido, and seven other prefectures) (20 areas) + venue managers
FY2019, FY2020: RA 5, RA 6
RA 5: Companies, etc. near all competition venues (Tokyo, Hokkaido, and eight other prefectures) (22 areas) + venue managers
RA 6: Companies, etc. near all competition venues (Tokyo, Hokkaido, and eight other prefectures) (23 areas) + venue managers
○ Based on its own assumptions, the NISC created “model cases for business, important services, and management resources (information assets) (for each important
service area)” and “events (threats) and sources of risks that may lead to negative consequences in the case of an event that disrupts business operation.” It
provided feedback to ESPs on the possibility of undetected management resources and risk sources to promote more comprehensive RA.
○ The NISC provided feedback to ESPs on their cybersecurity measure management status and offered advice as necessary.
●Cross-sectional risk assessment
Based on the cybersecurity risks predicted for the important ESPs, the NISC checked their cybersecurity measure implementation status.
Doing so confirmed uninterrupted supply of functions essential for the success of the Games. In the case of insufficient implementation, the NISC sent
feedback to the important ESP concerned to increase the certainty that those important functions would be provided continuously.
○ A scenario in which Games-related risks arise was created and used as a risk scenario to examine the validity and effectiveness of the rules set by the
important ESPs.
○ In RA 1, an onsite inspection of about five ESPs was carried out in the areas of electricity, communications, water, railways, broadcasting, and so on. From
all important service areas, document inspection was carried out for about 20 ESPs.
○ In RA 2 and 3, an (onsite/document) inspection was carried out for the important ESPs (including venues (including legacy sites)).
Note that, for the state of improvement and supervision of the measures for overlays at venues, the Tokyo Organising Committee of the Olympic and
Paralympic Games (TOCOG) was subject to an onsite inspection.
○ In FY2020, RA 4 was carried out in line with situational changes due to the spread of coronavirus infections.
[Figure: cross-sectional risk assessment schedule, FY2017 3Q to FY2020 4Q]
Consideration of evaluation method
[RA 1], [RA 2], [RA 3]: Cross-sectional risk evaluation, followed by verification based on risk evaluation results
Follow-up
[RA 4] (FY2020): Activities in line with situational changes
Copyright(c) National center of Incident readiness and Strategy for Cybersecurity