Chapter 11: Assessment and Measurement


Page 1: Chapter 11 Assessment, Measurement

2005.10

신수정


Reference

NIST, Security Self-Assessment Guide for Information Technology Systems, 2001
Carnegie Mellon, OCTAVE Method Implementation Guide Version 2.0, 2001
BSI, Information Security Management Part 1, 2, 1999
DISC, PD3003 Are You Ready for a BS7799 Audit?, 1999
CSI, IPAK, 1997
KPMG, Vulnerability Assessment Framework 1.1, 1998
ISACA, COBIT III, 2000
NSW, Information Security Guideline for NSW Government Agencies, 2001
KISA, 정보보호관리기준 (Information Security Management Criteria), 2001

 


1. Introduction

[Diagram: enterprise security architecture overview, built on Enterprise Architecture & IT Planning and spanning People, Process and Technology. Elements shown: security strategy / organization; policy / information classification; security technology architecture; security management architecture; incident response, business continuity, personnel security, security education; outsourcing security; monitoring; validation/audit/measure/certification; risk assessment; identification, authentication, authorization, administration, audit; and confidentiality, integrity and availability applied across the data, application, user, system, network and physical layers.]


2. Meaning

[Diagram: the role of assessment in the security lifecycle. Business & application drivers lead to the security policy and security requirements, then to the security architecture (design, deployment) and operation (management); VALIDATION (security assessment) closes the loop. A second view shows security policies and best practices feeding the security architecture through a Design, Deploy, Manage, Assess cycle, with MEASURE applied at each step.]


3. NIST - Topics

  

Topic Areas

Management Controls
1. Risk Management
2. Review of Security Controls
3. Life Cycle
4. Authorize Processing (Certification and Accreditation)
5. System Security Plan

Operational Controls
6. Personnel Security
7. Physical Security
8. Production, Input/Output Controls
9. Contingency Planning
10. Hardware and Systems Software Maintenance
11. Data Integrity
12. Documentation
13. Security Awareness, Training, Education
14. Incident Response Capability

Technical Controls
15. Identification and Authentication
16. Logical Access Controls
17. Audit Trails


 

3. NIST - Framework

IT Security Assessment Framework (FITSAF)

[Diagram: the framework cycles through Determine Security Criticality, Establish Security & Test Procedures, Assess Effectiveness, Establish a Security Baseline and Establish Security Action Plan, with Risk Assessment & Management at the center.]

Level 1: Documented Policy
Level 2: Documented Procedures
Level 3: Implemented Procedures & Controls
Level 4: Tested & Reviewed Procedures & Controls
Level 5: Fully Integrated Procedures & Controls (Level 4 +)


 

Criteria for Level 1

Level 1 criteria describe the components of a security policy.

a. Purpose and scope. An up-to-date security policy is written that covers all major facilities and operations agency-wide or for the asset. The policy is approved by key affected parties and covers security planning, risk management, review of security controls, rules of behavior, life-cycle management, processing authorization, personnel, physical and environmental aspects, computer support and operations, contingency planning, documentation, training, incident response, access controls, and audit trails. The policy clearly identifies the purpose of the program and its scope within the organization.

b. Responsibilities. The security program comprises a security management structure with adequate authority and expertise. IT security manager(s) are appointed at an overall level and at appropriate subordinate levels. Security responsibilities and expected behaviors are clearly defined for asset owners and users, information resources management and data processing personnel, senior management, and security administrators.

c. Compliance. General compliance and specified penalties and disciplinary actions are also identified in the policy.

 


Criteria for Level 2

a. Control areas listed and organization’s position stated. Up-to-date procedures are written that cover all major facilities and operations within the asset. The procedures are approved by key responsible parties and cover security policies, security plans, risk management, review of security controls, rules of behavior, life-cycle management, processing authorization, personnel, physical and environmental aspects, computer support and operations, contingency planning, documentation, training, incident response, access controls, and audit trails. The procedures clearly identify management’s position and whether there are further guidelines or exceptions.

b. Applicability of procedures documented. Procedures clarify where, how, when, to whom, and about what a particular procedure applies.

c. Assignment of IT security responsibilities and expected behavior. Procedures clearly define security responsibilities and expected behaviors for (1) asset owners and users, (2) information resources management and data processing personnel, (3) management, and (4) security administrators.

d. Points of contact and supplementary information provided. Procedures identify the appropriate individuals to be contacted for further information, guidance, and compliance.

Level 2 criteria describe the components of security procedures.

 


Criteria for Level 3

a. Owners and users are made aware of security policies and procedures. Security policies and procedures are distributed to all affected personnel, including system/application rules and expected behaviors. Requires users to periodically acknowledge their awareness and acceptance of responsibility for security.

b. Policies and procedures are formally adopted and technical controls installed. Automated and other tools routinely monitor security. Established policy governs review of system logs, penetration testing, and internal/external audits.

c. Security is managed throughout the life cycle of the system. Security is considered in each of the life-cycle phases: initiation, development/acquisition, implementation, operation, and disposal.

d. Procedures established for authorizing processing (certification and accreditation). Management officials must formally authorize system operations and manage risk.

e. Documented security position descriptions. Skill needs and security responsibilities in job descriptions are accurately identified.

f. Employees trained on security procedures. An effective training and awareness program tailored for varying job functions is planned, implemented, maintained, and evaluated.


Criteria for Level 4

a. Effective program for evaluating adequacy and effectiveness of security policies, procedures, and controls. Evaluation requirements, including requirements regarding the type and frequency of testing, should be documented, approved, and effectively implemented. The frequency and rigor with which individual controls are tested should depend on the risks that will be posed if the controls are not operating effectively. At a minimum, controls should be evaluated whenever significant system changes are made or when other risk factors, such as the sensitivity of data processed, change. Even controls for inherently low-risk operations should be tested at a minimum of every 3 years.

b. Mechanisms for identifying vulnerabilities revealed by security incidents or security alerts. Agencies should routinely analyze security incident records, including any records of anomalous or suspicious activity that may reveal security vulnerabilities. In addition, they should review security alerts issued by FedCIRC, vendors, and others.

c. Process for reporting significant security weaknesses and ensuring effective remedial action. Such a process should provide for routine reports to senior management on weaknesses identified through testing or other means, development of action plans, allocation of needed resources, and follow-up reviews to ensure that remedial actions have been effective. Expedited processes should be implemented for especially significant weaknesses that may present undue risk if not addressed immediately.

   


Criteria for Level 5

a. There is an active enterprise-wide security program that achieves cost-effective security.

b. IT security is an integrated practice within the asset.

c. Security vulnerabilities are understood and managed.

d. Threats are continually re-evaluated, and controls adapted to changing security environment.

e. Additional or more cost-effective security alternatives are identified as the need arises.

f. Costs and benefits of security are measured as precisely as practicable.

g. Status metrics for the security program are established and met.

 


4. BS7799

Section • Criteria

1) Security policy • Security policy

2) Security organization • Security infrastructure • Third-party access security

3) Asset classification and control • Accountability for assets • Information classification

4) Personnel security • Security in job definition and recruitment • User training • Responding to incidents and malfunctions

5) Physical and environmental security • Secure areas • Equipment security • General controls

6) Development security • Security requirements of systems • Application system security • Cryptographic policy • Security of system files • Security in development and support processes

7) Operations security • Operational procedures and responsibilities • System planning and acceptance • Countermeasures against unauthorized software • Housekeeping • Network management • Media handling and security • Exchange of information and software

8) Access control • Business requirements for system access • User access management • User responsibilities • Network access control • OS access control • Application access control • Monitoring system access and use • Mobile computing and teleworking

9) Business continuity • Aspects of business continuity management

10) Compliance • Compliance with legal requirements • Security policy review, technical compliance


[Diagram: the BS7799 ISMS establishment process in six stages. Stage 1: define the information security policy. Stage 2: define the ISMS scope. Stage 3: perform the risk assessment. Stage 4: risk management. Stage 5: select control objectives and the controls to be implemented, drawing on the BS7799 Part 2 control objectives and controls, any additional controls, and the required assurance level. Stage 6: define the Statement of Applicability. Each stage is documented: the information security policy; the ISMS scope; the risk assessment (information assets; risks, vulnerabilities and impacts; results and conclusions; the organization's risk management approach); the managed risk areas and selected control alternatives; the selected control objectives and controls with the reasons for selection; and the Statement of Applicability.]


5. SSE-CMM

[Diagram: structure of the SSE-CMM. The Domain dimension is made up of Process Areas (grouped as Security Engineering, Project and Organization), each consisting of Base Practices. The Capability dimension is made up of Common Features, each consisting of Generic Practices, which define the capability levels: Initial, Performed, Planned & Tracked, Well Defined, Quantitatively Controlled, Continuously Improving.]


Security Engineering PAs

1. Administer System Security Controls
2. Assess Impact
3. Assess Security Risk
4. Assess Threat
5. Assess Vulnerability
6. Build Assurance Argument
7. Coordinate Security
8. Monitor Security Posture
9. Provide Security Input
10. Specify Security Needs
11. Verify and Validate Security


Project/Organization PAs(based on SE-CMM with Security Considerations)

Project
12. Ensure Quality
13. Manage Configurations
14. Manage Program Risk
15. Monitor and Control Technical Effort
16. Plan Technical Effort

Organization
17. Define Organization’s Security Engineering Process
18. Improve Organization’s Security Engineering Process
19. Manage Security Product Line Evolution
20. Manage Security Engineering Support Environment
21. Provide Ongoing Skills and Knowledge
22. Coordinate with Suppliers


5. Other

OCTAVE

IPAK

VAF

Ministry of Information and Communication certification criteria

Financial Supervisory Service IT inspection criteria


6. Security Metrics Guide - SP 800-55
