Structure and Characteristics of the Major Information Security Practice Standards

Shin Soo-jung / Head of Consulting Division, NetSecure Technology (sjs1234@netsecuretech.com)

 

Series title: Structure and Application of Information Security Implementation and Management Systems

Part 1: Structure and characteristics of the major information security practice standards
Part 2: Realities and alternatives in applying information security risk management systems
Part 3: Establishing a security system under an IT outsourcing structure
Part 4: Establishing an information security architecture
Part 5: Using consulting to establish an information security system

 

Structure and Characteristics of the Major Information Security Practice Standards
- Shin Soo-jung, Head of Consulting Division, NetSecure

Many domestic companies now fully recognize the importance of security and are, each in their own way, looking for approaches to apply and implement information security in the enterprise.
Accordingly, they analyze vulnerabilities, apply BS7799, receive consulting such as penetration testing, or build various security systems such as firewalls.
Yet even after these activities, they still raise concerns and questions like the following:
'Is this really enough to say that information security has been adequately carried out?', 'What does it actually mean to do information security properly?'
One of the main reasons for these concerns is that 'information security implementation' is still understood and approached from a fragmentary perspective.
Therefore, for a company to carry out the implementation and management of information security clearly, it must first of all take a macroscopic view of, and understand, the overall system for planning, designing, implementing and managing information security.

With this understanding, and based on experience and knowledge from information security consulting, the author intends to organize the structures of information security implementation and management systems from several perspectives (implementation, risk, outsourcing and technology) and to discuss their application and problems.
The focus of this series is to show information security managers and IT managers several of the pictures needed to establish a corporate information security system and to implement and manage it appropriately.
1. Overview
In general, information security management follows the process: assessment -> countermeasure design and planning -> implementation -> monitoring and maintenance.
This process is in fact not limited to 'information security'; it applies in common to every domain.
In any field, to improve the current state and solve the problems at hand, it is self-evident that one follows a process of first assessing the current state well in order to derive its problems, selecting countermeasures that can solve those problems and establishing a plan to implement them, carrying out that plan, and then monitoring and managing the effectiveness of the implementation and any changes.

Which of these processes is the most important is open to debate, but the most foundational one is naturally the 'assessment' process.
Without an appropriate assessment of the current state, the subsequent planning and management processes cannot be carried out properly.
Therefore, how objectively and effectively this 'assessment' process is performed can be called the first success factor of information security management.
In the case of 'information security' in particular, this 'assessment' is combined with 'risk', so that instead of a simple gap analysis against a standard, it passes through a 'risk assessment' process in which several factors are combined.

A basic factor to consider when performing such an assessment is what to use as the 'standard' of assessment. To derive the problems or vulnerabilities of the current state, some 'standard' to compare against is needed.
Such standards can exist in many forms, from detailed technical areas through to the overall management area. They may also be proposed by various parties, such as government agencies, vendors and consulting organizations.
In any case, however, an 'absolute' standard covering every information security domain is hard to come by.
'Absolute' would mean that doing things this way makes information security perfect. But first, 'perfection' hardly exists in information security, and even if it did, it might not be desirable from the standpoint of applicability. So in general such standards can only be presented in the form of 'best practices' or 'good practices'. (Note: hereafter 'practice standards' and 'best practices' are used interchangeably. There is of course a difference in meaning: a 'standard' carries a sense of 'must', whereas 'best practices' carry a sense of 'should'. This article does not distinguish the two in detail.)

Of course, such standards are used as assessment criteria in the 'assessment' stage, but they are also used in the 'countermeasure design and planning' stage.
That is, in the assessment stage they generally serve as a tool for deriving the 'gap', and in the countermeasure design and planning stage they serve as a means of selecting and designing appropriate countermeasures.

From this perspective, consulting systematized 'best practices' or 'good practices', becoming familiar with them, and trying to apply them is a very meaningful activity for an enterprise implementing information security management.
To that end, this article reviews the major 'practice standards' that can be applied when assessing enterprise-wide information security and establishing countermeasures, and briefly summarizes and compares their structure and characteristics.
2. 'Information security practice standards' contained in various methods/frameworks
As stated above, 'information security practice standards' exist in various forms and are proposed by various parties. This article, however, restricts itself to a few 'practice standards' that can be applied enterprise-wide and are in popular use.
The 'practice standards' compared here are the 'best practices' or 'assessment questionnaires' presented in BS7799, OCTAVE, NIST, VAF, IPAK and COBIT.
Note that the methods and frameworks mentioned above are not themselves on a footing where they can be compared with one another.
For example, OCTAVE and VAF are detailed risk assessment methodologies, IPAK is a simple checklist-based assessment method, and BS7799 is a management certification scheme.
Comparing their basic structures on the same footing would therefore be misguided.
This article merely extracts and compares the 'practice standards' that are presented as a part, or the whole, of those structures.

(1) BS7799 (ISO/IEC 17799)
BS7799 is currently used like the 'bible' for building and certifying security management systems.
BS7799 Part 1 consists of 127 controls in 10 major domains and presents the information security 'best practices' currently in use.
The 10 major domains are: security policy, security organization, asset classification and control, personnel security, physical and environmental security, communications and operations management, access control, systems development and maintenance, business continuity planning, and compliance.
Part 2 is the standard specification for an Information Security Management System (ISMS).
Of course, not every control presented in this standard needs to be applied; controls should be selected with the individual environmental or technical constraints in mind.

Although BS7799 is used in connection with 'certification', it presents broad and comprehensive best practices, so consultants and information security managers use these best practices as 'information security practice standards', i.e. as a tool for assessing the level of a company's information security. Exactly how BS7799 is used for assessment varies by assessor, but DISC PD3003 shows an approach in which, when self-assessing against BS7799, compliance with each control is rated Yes, No or Partly.

However, a drawback is that deriving an assessment checklist from the BS7799 'best practices' and applying it is not easy unless done by an expert.
One reason is that some domains contain a great many detailed items while others are described only in relatively broad terms; another is the question of whether the classification into 10 major domains and their sub-classifications is really clear and suitable for application to a company.

(2) OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation)
OCTAVE is a methodology for assessing information security risk and planning accordingly, developed as a program of Carnegie Mellon's SEI (Software Engineering Institute).
It evolved from version 1.0 in 1999, and version 2.0 is currently published. Basically, OCTAVE uses a three-phase approach to define organizational and technical security issues and to design a comprehensive set of countermeasures for the organization's information security needs.
Phase 1 is 'building asset-based threat profiles'. This is the assessment phase from the 'organizational' perspective: the organization's critical assets are defined and the activities currently performed to protect those assets are identified.
Phase 2 is 'identifying infrastructure vulnerabilities'. This is the assessment phase from the 'information infrastructure' perspective: the technical vulnerabilities of the critical assets are identified.
Phase 3 is 'developing security strategy and plans'; in this phase the risks to the company's critical assets are defined and strategies and measures to address those risks are derived.

In the OCTAVE methodology, what corresponds to a 'practice standard' is the content called the 'Catalog of practices'. This catalog is divided into two types: 'strategic' and 'operational'.
Strategic practices focus on organizational issues at the policy level and present exemplary, general management practices.
Operational practices, conversely, focus on technical issues: how people use, protect and handle technology.
The structure of OCTAVE's 'practice standards' is summarized in Table 1.
Strategic practices                           | Operational practices
----------------------------------------------|--------------------------------------
SP1. Security awareness & training            | OP1. Physical security
SP2. Security strategy                        | OP2. Information technology security
SP3. Security management                      | OP3. Staff security
SP4. Security policies & regulations          |
SP5. Collaborative security management        |
SP6. Contingency planning / Disaster recovery |

<Table 1> OCTAVE Catalog of practices
 
As the table shows, the 'strategic practices' are divided into 6 areas (security awareness and training, security strategy, security management, security policies and regulations, collaborative security management, and contingency planning/disaster recovery) and the 'operational practices' into 3 areas (physical security, information technology security, and staff security). Detailed practice items are presented under each area.

Most areas are readily understood from their titles alone; to mention only a few that are harder to grasp: 'Security Management' covers management's allocation of resources, security responsibilities and roles, security risk management, periodic security reviews and so on, while 'Collaborative security management' deals with security practices for external organizations (third parties, collaborators, subcontractors, partners, etc.).

This 'Catalog of practices' is well classified structurally and reflects many technical items.
However, much of its detailed content is broad, so while it is suitable for overall assessment, it is somewhat limited for detailed assessment.
(3) IPAK (Information Protection Assessment Kit)
Unlike OCTAVE, IPAK is not a methodology but a simple self-assessment kit published by CSI.
IPAK presents roughly 20 checklist-style practice items in each of 10 areas; each company assigns a weight (3 levels) and rates compliance (5 levels, from Poor to Excellent) so as to derive an overall information security practice assessment score.

IPAK's 'practice standard' areas are as follows:
- Information protection program and administration
- Personnel policies and practices
- Physical security
- Business process controls
- Backup and recovery measures
- End-user controls
- Network security controls
- Internet security controls
- Web security controls
- Telecommunications and remote access security controls

The detailed checklists contain core, practical content, with the advantage that the main practice items can be grasped in a short time. However, sub-areas are not classified within the major areas, and security management content is scattered piecemeal inside an uncommonly used area named 'Business process controls', so it is a stretch to use IPAK as the standard for an overall information security practice system.

(4) NIST Self-Assessment Guide
NIST's self-assessment guide is presented as a method for self-directed information security assurance.
Here, information security assurance means the degree of confidence that the management, technical and operational security controls protect systems and information as intended.
The guide contains questionnaires covering the detailed control objectives and techniques by which the security of a system can be measured, and these can be regarded as its 'practice standards'.

As the table below shows, the questionnaire is organized into 3 areas with 17 topics beneath them, and each topic has detailed items.
Compliance with each item is rated on 5 levels, from Level 1 (documented policy) to Level 5 (fully integrated procedures and controls).
Area                 | Topic
---------------------|------------------------------------------------
Management Controls  | 1. Risk management
                     | 2. Review of security controls
                     | 3. Life cycle
                     | 4. Authorize processing
                     | 5. System security plan
Operational Controls | 6. Personnel security
                     | 7. Physical security
                     | 8. Production, I/O controls
                     | 9. Contingency planning
                     | 10. HW and systems SW maintenance
                     | 11. Data integrity
                     | 12. Documentation
                     | 13. Security awareness, training, and education
                     | 14. Incident response capability
Technical Controls   | 15. Identification & authentication
                     | 16. Logical access controls
                     | 17. Audit trails
<Table 2> Structure of the NIST self-assessment questionnaire
 
However, because this guide focuses on assessing 'a single system or a group of systems' rather than the organization as a whole, it is more effective for assessing the security practices of a specific system than those of the whole organization.
(5) VAF (Vulnerability Assessment Framework)
VAF is a vulnerability assessment methodology developed by KPMG in 1998 in connection with the U.S. infrastructure protection legislation.
The basic assessment methodology consists of three phases.
Phase 1 defines the organization's key infrastructure, Phase 2 gathers the data needed to assess the vulnerabilities of that infrastructure, and Phase 3 analyzes and prioritizes the vulnerabilities.
This methodology too presents assessment areas and detailed items for assessing the security vulnerabilities of the organization and its systems.
These areas and items can be regarded as its 'practice standards'.

The assessment areas are as follows:
- Entity-wide security: the framework and activities for managing risk, developing security policy, assigning responsibilities, and monitoring the adequacy of security controls
- Access control: procedures and controls that limit and detect access to resources in order to protect them
- Segregation of duties: policies, procedures and organizational structure that prevent any one individual from single-handedly controlling key aspects of physical or computer-related operations, so that no one can carry out unauthorized access to, or actions on, resources
- Continuity of service and operations: controls ensuring, through appropriate contingency planning and the like, that when unexpected problems occur, service and operations are not interrupted or recover quickly, and that critical data is protected
- Change control and life cycle management: procedures and controls that prevent unauthorized programs, or unauthorized modifications to existing programs, from being implemented
- System software: controls that limit or monitor access to system files and programs that could be used to bypass existing controls

In the case of VAF, as a review of the detailed content of areas such as change control and life cycle management readily shows, controls over general program development and management take up a considerable share, unlike in the other methods.
VAF presents varied and concrete items, but its detailed classification scheme is confusing, which is a drawback.
(6) COBIT (Control Objectives for Information and related Technology)
COBIT is a management tool developed by ISACA for achieving high-level control objectives for information technology, and it presents best practices that can be applied to the control of enterprise-wide information systems.
COBIT as a whole consists of 34 processes in 4 domains; of these, the process directly related to information security is DS5 Ensure Systems Security.
Other processes closely related to information security include PO9 Assess Risks, AI6 Manage Changes, DS4 Ensure Continuous Service, DS11.0 Manage Data and DS12.0 Manage Facilities. Of course, the remaining processes also contain some information-security-related items.

The control items and 'best practices' of the COBIT processes could be used as 'information security practice standards', but unfortunately COBIT is not a framework focused on 'information security', so its application is limited.
That is, COBIT is well suited as a framework for overall IT assessment and countermeasure planning, but its information security content is scattered across many places, so using COBIT to assess and measure only the information security portion is a stretch.

(7) Other domestic (Korean) standards
In Korea, information security management systems and practice standards have been presented mainly by government agencies in the form of 'regulations', rather than as 'best practices', frameworks or methodologies.
Accordingly, these 'regulations' have focused on detailed controls centered on specific protection targets, such as computer rooms, computerized data, IDC (data center) facilities, viruses and PCs, rather than presenting standards for the detailed items of a company's overall information security management system.
Recently, however, the 'Information Security Management Standard' has been issued under the leadership of KISA, and its content can be used as practice standards. Its form is similar to BS7799.
3. Comparison of the 'information security practice standards'
First, the characteristics of the major methods/frameworks mentioned above are compared and summarized in the following table.
Item              | OCTAVE                 | VAF                    | BS7799                           | IPAK                          | NIST
------------------|------------------------|------------------------|----------------------------------|-------------------------------|----------------------------------------------------
Type              | Assessment methodology | Assessment methodology | Management system and practices  | Assessment tool               | Assessment guide
Scope             | Whole organization     | Whole organization     | Whole organization               | Whole organization            | System
Practice standard | 'Catalog of practices' | 'Questionnaire'        | Best practices (Part 1)          | 'Questionnaire'               | 'Questionnaire'
Rating            | Yes, No, Don't Know    |                        | Yes, Partly, No                  | 5 levels (Poor -> Excellent)  | 5 levels (documented policy -> integrated controls)
<Table 3> Comparison of the major methods/frameworks
 
The following table compares the structures of the practice standards presented in each method/framework.
For an effective comparison, the author defined 17 domains for information security management and compared the major domains of each practice standard from that standpoint.
From the table, readers should be able to grasp roughly the structural emphases and weak spots of each practice standard.
No. | Domain                               | BS7799                                   | NIST                                                                               | IPAK                                                                        | OCTAVE                                                | VAF
----|--------------------------------------|------------------------------------------|------------------------------------------------------------------------------------|-----------------------------------------------------------------------------|-------------------------------------------------------|--------------------------------------------------
1   | Security awareness & training        |                                          | 13. Security awareness, training and education                                     | 1. Information protection program and administration; 6. End-user controls  | 1-1. Security awareness & training                    | 1. Entity-wide security
2   | Security planning                    |                                          | 5. System security plan                                                            |                                                                             | 1-2. Security strategy                                | 1. Entity-wide security
3   | Security organization                | 2. Organizational security               |                                                                                    |                                                                             | 1-3. Security management                              | 1. Entity-wide security; 3. Segregation of duties
4   | Security policy & documentation      | 1. Security policy                       | 12. Documentation                                                                  |                                                                             | 1-4. Security policies & regulations                  | 1. Entity-wide security
5   | Contingency planning                 |                                          | 9. Contingency planning                                                            | 5. Backup & recovery measures                                               | 1-6. Contingency planning / Disaster recovery         | 4. Continuity of services & operations
6   | Risk management                      |                                          | 1. Risk management                                                                 |                                                                             | 1-3. Security management                              | 1. Entity-wide security
7   | External-party security management   | 2. Organizational security               |                                                                                    |                                                                             | 1-5. Collaborative security management                | 1. Entity-wide security
8   | Incident response & management       |                                          | 14. Incident response capability                                                   | 6. End-user controls                                                        | 2-3. Staff security                                   | 1. Entity-wide security
9   | Human resource security              | 4. Personnel security                    | 6. Personnel security                                                              | 2. Personnel policies & practices                                           | 2-3. Staff security                                   | 1. Entity-wide security
10  | Physical security                    | 5. Physical & environmental security     | 7. Physical security                                                               | 3. Physical security                                                        | 2-1. Physical security                                | 2. Access control
11  | Asset classification                 | 3. Asset classification & control        |                                                                                    |                                                                             |                                                       | 2. Access control
12  | Change control & life-cycle security | 6. System development & maintenance      | 3. Life cycle; 8. Production, input, output controls; 10. HW & systems SW maintenance | 4. Business process controls                                              |                                                       |
13  | System & network management          | 6. Communications & operations management | 11. Data integrity                                                                | 7. Network security; 8. Internet security; 9. Web security; 10. Telecom security | 2-2. IT security (system & network management)   | 2. Access control
14  | Access control                       | 7. Access control                        | 15. Identification & authentication; 16. Logical access controls                   |                                                                             | 2-2. IT security (authentication & authorization)     |
15  | Encryption                           |                                          |                                                                                    | 4. Business process controls                                                | 2-2. IT security (encryption)                         | 2. Access control
16  | Vulnerability management             |                                          |                                                                                    |                                                                             | 2-2. IT security (vulnerability management)           |
17  | Review, monitor & audit              | 10. Compliance                           | 17. Audit trails; 2. Review of security controls; 4. Authorize processing          | 4. Business process controls                                                | 2-2. IT security (monitoring & auditing)              | 2. Access control; 3. Segregation of duties
<Table 4> Comparison of the practice standards
4. Conclusion
This article has examined the characteristics of the 'good practices' or 'best practices' contained in several popular methods/frameworks from the standpoint of 'practice standards', and has compared their structures.
As this article is not an academic paper, it has not attempted to analyze the detailed content.
Its purpose is merely to offer an introduction for readers who are not broadly familiar with this material, and thereby to encourage them to examine the details a little further.
The judgment of which standard suits a given company can therefore be made by readers only after reviewing the details.
Of course, the best approach is to extract the strengths scattered across these sources and combine them.
This is not an easy task, but for experienced security managers and consultants it is well worth attempting.
 
References
Carnegie Mellon, OCTAVE Method Implementation Guide Version 2.0, 2001
BSI, Information Security Management, Parts 1 and 2, 1999
DISC, PD3003 Are You Ready for a BS7799 Audit?, 1999
CSI, IPAK, 1997
KPMG, Vulnerability Assessment Framework 1.1, 1998
NIST, Security Self-Assessment Guide for Information Technology Systems, 2001
ISACA, COBIT III, 2000
NSW, Information Security Guideline for NSW Government Agencies, 2001
KISA, Information Security Management Standard, 2001
Copyright © 2001