TTA Standard (Telecommunications Technology Association)
TTAK.KO-12.0009/R1, issued 2013.12.18

A Guide to the Contingency and Disaster Recovery Plan for the Public Information Systems

Copyright Telecommunications Technology Association 2013. All Rights Reserved.
Preface

1. Purpose of Standard
The purpose of this guideline is to help public organizations establish their own business continuity plans by providing methodologies and related information on contingency management and disaster recovery, so as to improve the continuity of public information system services.

2. Summary of Contents
This guideline presents current trends in business continuity management and the related concepts. The activities of business continuity management are explained across the three phases of a business continuity management system: 1) planning, 2) operation, and 3) review and improvement. For each phase, the major processes and activities, the techniques required, and the tools and methods are described. Because public organizations usually outsource their information systems environment, the issues and management practices specific to outsourcing are also explained.

3. Applicable Fields of Industry and its Effect
This standard can be used by information systems staff in charge of contingency planning and disaster recovery in public organizations, and in establishing business continuity and planning contingency and disaster recovery procedures.

4. Reference Standards (Recommendations)
4.1. International Standards (Recommendations)
- None.
4.2. Domestic Standards
- KS A ISO 22300:2012, Societal security - Terminology
- KS A ISO 22301:2012, Societal security - Business continuity management systems - Requirements
- KS X ISO IEC 24762:2011, Information technology - Security techniques - Guidelines for information and communications technology disaster recovery services
5. Relationship to Reference Standards (Recommendations)
5.1. Relationship of Reference Standards (Recommendations)
This standard is a revision of TTAS.KO-12.0009, A Guide to the Contingency and Disaster Recovery Plan for the Public Information Systems, reflecting global and local trends in business continuity management.

5.2. Differences between Reference Standard (Recommendation) and this Standard
Correspondence between the clauses of this standard and the reference standards:

TTAK.KO-12.0009/R1                              | KS A ISO 22301:2012                         | KS X ISO IEC 24762:2008                                                  | Remarks
1. Introduction                                 | -                                           | -                                                                        | -
2. Constitution and Scope                       | -                                           | -                                                                        | -
3. Reference standards (Recommendations)        | -                                           | -                                                                        | -
4. Terms and Definitions                        | -                                           | -                                                                        | Selected from KS A ISO 22300
5. Concepts of business continuity management   | -                                           | -                                                                        | -
6. Methodology on establishing BCM              | -                                           | -                                                                        | -
6.1. BCM Process                                | -                                           | -                                                                        | -
6.2. Planning phase                             | 4. Context of organization ~ 7. Support     | -                                                                        | Abstract introduction
6.3. Operation phase                            | -                                           | -                                                                        | -
6.4. Review and improvement phase               | 9. Performance evaluation ~ 10. Improvement | -                                                                        | Abstract introduction
7. Consideration on outsourcing environment     | -                                           | 5.6 Outsourcing arrangements; 7. Outsourced service providers capability | Introduction and further reference

6. Statement of Intellectual Property Rights
IPRs related to the present document may have been declared to TTA. The information pertaining to these IPRs, if any, is available on the TTA website. No guarantee can be given as to the existence of other IPRs not referenced on the TTA website. Please check before applying the standard.

7. Statement of Testing and Certification
7.1. Object of Testing and Certification
- None.
7.2. Standards of Testing and Certification
- None.

8. History of Standard
8.1. Change History

Edition         | Issued date | Outline
The 1st edition | 2000.03.28. | Established (TTAS.KO-12.0009)
The 2nd edition | 2013.12.18. | Revised (TTAK.KO-12.0009/R1)

8.2. Revisions
Current trends in business continuity management and the outsourcing service environment have been added. Clause-by-clause changes against the previous edition:

TTAK.KO-12.0009/R1                                            | TTAK.KO-12.0009 (previous edition)                                               | Remarks
1. Introduction                                               | 1. Introduction                                                                  | Revised
2. Constitution and scope                                     | 2. Constitution and scope                                                        | Revised
3. Reference standards (Recommendations)                      | -                                                                                | Added
4. Definitions                                                | -                                                                                | Added
5. Concepts of business continuity management                 | 3. Concepts of business continuity management                                    | Revised by addition
6. Methodology on establishing business continuity management | 4. BCM processes and activities                                                  | Revised by rearrangement and addition
7. Consideration on outsourcing environment                   | 5. Common applications of BCM                                                    | Revised by addition
-                                                             | Appendix 1. Definitions                                                          | Deleted
-                                                             | Appendix 2. List of business continuity management processes and actions         | Deleted
Annex A. Business continuity management output samples        | Appendix 3. Format of major BCM outputs                                          | Equivalent
-                                                             | Appendix 4. Method on business impact measurement for business impact analysis   | Deleted
-                                                             | Appendix 5. Example of business continuity planning policy                       | Deleted
-                                                             | Appendix 6. Case studies of BCM                                                  | Deleted
Appendix I. References                                        | References                                                                       | Revised by addition
Contents
1. Introduction 1
2. Constitution and Scope 2
3. Reference Standards (Recommendations) 2
4. Terms and Definitions 2
5. Concepts of Business Continuity Management 5
5.1. Disaster Recovery Concepts Change 5
5.2. New Trend on Business Continuity Management 7
5.3. Relationships on Business Continuity Management and Related Elements 9
6. Methodology on Establishing Business Continuity Management 11
6.1. BCM Process 11
6.2. Planning Phase 13
6.3. Operation Phase 17
6.4. Review and Improvement Phase 50
7. Consideration on Outsourcing Environment 55
7.1. General Consideration and Accountability When Outsourcing 55
7.2. Business Impact Analysis and Risk Analysis 55
7.3. Consideration on Outsourcing Contract 57
7.4. Control on Outsourcer 57
7.5. Required Changes on Business Continuity Plan 58
Annex A. Business Continuity Management Output Samples 60
Appendix. References 64
(A Guide to the Contingency and Disaster Recovery Plan
for the Public Information Systems)
1.
1.1.
. 2009
2 ,
2011 SSO/LDAP
6 .
,
.
.
1.2. ICT
ICT
.
,
.
, , , .
, , , ,
.
, ,
.
1.3. ICT
.
. ,
(business continuity management)
.
.
,
.
,
.
2.
. 4 5
. 6
1) , 2) , 3) 3
.
/ .
7 .
3. ()
- KS A ISO 22300:2012,
- KS A ISO 22301:2012,
- KS X ISO IEC 24762:2008,
4. Terms and Definitions
4.1. The terms used in this standard follow KS A ISO 22300:2012.
4.1.1. Business continuity [ISO 22300]
4.1.2. Risk [KS A ISO/IEC GUIDE 73]
4.1.3. Risk management [KS A ISO 22300]
4.1.4. Disaster [KS A ISO 22300]
4.1.5. Incident [KS A ISO 22300]
4.1.6. Mitigation [KS A ISO 22300]
4.1.7. Policy (2.2.9)
4.1.8. Objective (related terms: aim, goal, target)
4.1.9. Management system (2.2.9)
4.1.10. Business impact analysis
4.1.11. Organization
4.1.12. Performance
4.1.13. Monitoring
5.
5.1.
5.1.1.
1960 ,
.
,
.
.
.
. ,
,
, .
5.1.2.
. 1970
.
grandfather-father-son" 3 .
,
.
. (data vaulting)
.
5.1.3.
1980
.
SunGard, Comdisco, CHI/COR
.
ComPAS, RecoveryPAC, Rexsys, Sunrise TRPS
. 80
( Seattle , LA , )
.
,
, ,
,
.
(first-come first-serve)
.
5.1.4.
1990 ,
,
.
,
(business issue) .
.
(business
continuity plan), / (business recovery/resumption plan)
1990 .
5.1.5.
2001
. (Back-up) 2
100% , Bank Of America
, 2
,
.
, CIT ,
SARS
.
,
,
.
.
5.2.
5.2.1.
.
,
. , ,
, ,
.
, .
. ,
,
, , ,
.[ISO
22300]
5.2.2.
, .
. ,
, , , ,
, , .
ICT ,
,
,
,
.
5.2.3.
----- - 7 .
,
.
---
.
,
.
. , , ,
, , ,
. 4
-- 3 .
,
.
, ,
,
.
, ,
. 6 .
5.2.4.
,
.
KSAISO/PAS 22301:2012 ISO/IEC 22301:2012
. 2010 (BS 25999)
2014
ISO .
5.3.
5.3.1.
.
(business strategy) (technology strategy)
.
.
, ,
.
, .
.
.
5.3.2.
(contingency plan) (disaster recovery plan)
,
.
(availability
management) ,
.
.
.
(business issue)
, .
5.3.3.
.
.
;
( , )
.
.
.
. .
IT IT
.
. IT ,
.
.
.
.
;
,
(outsourcing) , ,
, 3
,
, ,
, , ,
.
.
(upgrade) . ,
, .
(safety-net)
.
.
.
, ,
.
.
IT ,
IT .
,
, IT
.
,
.
6.
6.1.
6.1.1.
5.2.3 3 .
, , . .
.
, ,
. ,
-
,
- ,
- ,
-
.
,
.
-
-
-
- .
.
,
,
.
. , , ,
, .
-
-
- .
6.1.2.
, 3 1
, 2
. , 2
3
.
,
. , , , , IT ,
,
.
6.2.
6.2.1.
.
,
. .
- , , , , ,
-
- ( )
-
, .
-
-
-
-
.
.
.
, ,
.
.
.
,
.
.
, ,
,
.
(, , )
,
.
6.2.2.
.
,
.
.
,
.
. . . . . . . .
.
.
,
,
.
. , .
,
.
-
-
- ( )
.
.
.
,
.
6.2.3.
.
,
. , ,
,
.
,
.
,
.
.
,
.
.
.
,
.
. , .
, .
, ,
, , , .
6.2.4.
.
.
.
,
. ,
.
, ,
.
, .
.
,
, .
,
.
.
.
-
-
-
.
-
- , , ,
- ,
-
- ,
-
6.3.
6.3.1.
, 6.1
, .
a)
b)
c)
, .
.
6.3.2.
.
1)
(BIA, Business Impact Analysis)
, . (risk analysis)
,
.
,
.
,
, .
,
.
.
2)
(BIA) . ,
. ,
.
:
, ,
, ,
, ,
, ,
(BIA) :
(impact scenario)
(potential business impact)
(business process)
. (, )
. , ,
. ,
.
,
.
.
:
(BPR: Business Process Re-engineering)
(organizational information models)
.
.
,
.
3)
, (disruption) .
( ) ,
.
.
, , , ,
.
. , ,
, ,
. , 1-2
.
15 , 1, 3, 12, 1, 2, 1, 2, 1, 2
.
( )
, .
4)
.
. (financial or hard)
(non-financial or soft) ( ) .
, .
.
l - ( ), , (
), (goodwill or credibility) , .
l () - , ,
, , , .
(marginal) . ,
1,000,000 400,000 ,
600,000 . ,
.
,
. ( , HAWK,
CCTA's CRAMM )
.
5)
.
.
.
:
12 , 1
.
2 .
2 , 4
.
.
6)
, , .
, .
, , ,
.
:
-
-
-
1.
2. ( )
3.
4.
5. , (, ),
(, IBM AS400),
6. . 5
.
7. . 6
(network access points) .
8. , ,
9.
10. .
.
- ,
-
-
(minimum requirements)
.
. ,
, , .
.
. ,
, , ,
.
A
()20 12
20 486/50
3
1
2
Bridge 1
X.25 Switch 1
Mega Stream A 1 2Mps
Telesales S/W 20 lcopy
B 50 2
50 486/50
3
1
4
Bridge 2 A
X.25 Switch 1 A
Mega Stream B 1 8Mps
Telesales S/W 50 lcopy
/
15
1 3 12 1 2 1 2 1
2
()
A
B
C
20
10
50 30
50
50
20
30 50 30 50 70
A
B
C
20
10
50
30
30 80
A
B
C
4
2
6
, ,
6)
.
.
Tier1
+
()86 4
Tier2 ()+
32 24
Tier3
122
21
(0~2 )
Tier4 ~
Tier6 779
21 ~ 45
(
)
Tier7 - - 5
1,024
Tier 1 3
Tier 2 3 24
()
Tier 3
24 , 7
, 24
Tier 4 7 , 21
Tier 5 45 ,
Tier 6
Tier 7
.
.
1 58 4
2 54 24
- 54 21
- 00
- ,
,
-
-
.
1)
,
(risk assessment) . (BIA)
.
.
-
-
-
2)
(asset) (threat)
.
,
. , , /
, /, , , ,
.
.
Threats are also characterized by their severity. Loch, Carr and Warkentin (1992) classify threats by source (internal or external), perpetrator (human or non-human) and intent (accidental or intentional).
, (, , , ),
(, , ,
, ,
, , ),
( ),
( , , ,
) .
3)
(threat)
(vulnerability) .
, , , ,
.
. ( , , ,
, ), (,
, , , , ), (,
) .
. ,
.
-
-
-
-
-
-
4)
.
, .
.
.
(ALE, Annual Loss
Expectancy).
.
, (exponential)
. ,
, .
100 200 , 100
, .
. ,
10(100 k$) , (ALE) 400
.
ALE table: annual loss expectancy in thousands of dollars, by frequency of occurrence (rows) and loss per occurrence in dollars (columns). A cell is the loss multiplied by the number of occurrences per year; cells that round to zero or exceed 1m (one billion dollars) are left blank.

Frequency   |    $1 |   $100 |    $1k |   $10k |  $100k |    $1m |   $10m |    $1b
1 min       |   526 |  52.6k | 525.6k |        |        |        |        |
1 hour      |     9 |    876 |   8.8k |  87.6k |   876k |        |        |
1 day       |       |     37 |    365 |   3.7k |  36.5k |   365k |        |
1 week      |       |      5 |     52 |    521 |   5.2k |  52.1k | 521.4k |
1 month     |       |      1 |     12 |    120 |   1.2k |    12k |   120k |
3 months    |       |        |      4 |     40 |    400 |     4k |    40k |
1 year      |       |        |      1 |     10 |    100 |     1k |    10k |     1m
5 years     |       |        |        |      2 |     20 |    200 |     2k |   200k
10 years    |       |        |        |      1 |     10 |    100 |     1k |   100k
20 years    |       |        |        |      1 |      5 |     50 |    500 |    50k
50 years    |       |        |        |        |      2 |     20 |    200 |    20k
100 years   |       |        |        |        |      1 |     10 |    100 |    10k
300 years   |       |        |        |        |        |      3 |     33 |   3.3k
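As an added worked example (editor's code, not part of the standard), the following Python regenerates the ALE table cell by cell from the definition ALE = loss per occurrence multiplied by annualized rate of occurrence, using the table's own units and rounding, and then applies the same arithmetic to the control cost-justification case in the impact analysis section, read here as a 1,000,000 avoidable loss against a 400,000 countermeasure giving a 600,000 marginal benefit. The interval-to-rate mapping (365-day year, 12 months per year) and the blank-cell rule are assumptions inferred from the table.

```python
"""Annual Loss Expectancy (ALE) and control cost-justification.

ALE = loss per occurrence x annualized rate of occurrence (ARO).
Editor's example; the interval-to-rate mapping and the blank-cell rule
are assumptions inferred from the standard's ALE table.
"""
import math
from fractions import Fraction

# Frequency rows of the table as occurrences per year (assumed: 365-day year,
# 12 months per year).  Fractions keep the arithmetic exact.
ARO = {
    "1 min":     Fraction(365 * 24 * 60),
    "1 hour":    Fraction(365 * 24),
    "1 day":     Fraction(365),
    "1 week":    Fraction(365, 7),
    "1 month":   Fraction(12),
    "3 months":  Fraction(4),
    "1 year":    Fraction(1),
    "5 years":   Fraction(1, 5),
    "10 years":  Fraction(1, 10),
    "20 years":  Fraction(1, 20),
    "50 years":  Fraction(1, 50),
    "100 years": Fraction(1, 100),
    "300 years": Fraction(1, 300),
}

# Loss-per-occurrence columns of the table, in dollars.
LOSS_COLUMNS = [1, 100, 10**3, 10**4, 10**5, 10**6, 10**7, 10**9]


def ale(single_loss, occurrences_per_year):
    """Annual Loss Expectancy in dollars: loss per incident x incidents per year."""
    return Fraction(single_loss) * Fraction(occurrences_per_year)


def _round_half_up(x: Fraction, ndigits: int) -> Fraction:
    # Python's round() is banker's rounding; the table rounds 36.5 up to 37.
    scale = Fraction(10) ** ndigits
    return Fraction(math.floor(x * scale + Fraction(1, 2))) / scale


def fmt_k(dollars) -> str:
    """Render an amount the way the table does: in thousands of dollars, with
    'k' for thousands and 'm' for millions of those units, and an empty cell
    when the value rounds to 0 or exceeds 1m (assumed blank-cell rule)."""
    k = Fraction(dollars) / 1000
    if k < Fraction(1, 2) or k > 1_000_000:
        return ""
    if k >= 1_000_000:
        return f"{float(_round_half_up(k / 1_000_000, 1)):g}m"
    if k >= 1_000:
        return f"{float(_round_half_up(k / 1_000, 1)):g}k"
    return str(int(_round_half_up(k, 0)))


def ale_table() -> dict:
    """Rebuild the ALE table: {frequency row: [formatted cell per loss column]}."""
    return {row: [fmt_k(ale(loss, rate)) for loss in LOSS_COLUMNS]
            for row, rate in ARO.items()}


def control_net_benefit(ale_without, ale_with, annual_control_cost):
    """Marginal benefit of a countermeasure: ALE reduction minus its annual
    cost.  A positive value means the control pays for itself; this is the
    figure the impact analysis compares between alternatives."""
    return Fraction(ale_without) - Fraction(ale_with) - Fraction(annual_control_cost)


if __name__ == "__main__":
    cols = ("$1", "$100", "$1k", "$10k", "$100k", "$1m", "$10m", "$1b")
    print(f"{'freq':<10}" + "".join(f"{c:>9}" for c in cols))
    for row, cells in ale_table().items():
        print(f"{row:<10}" + "".join(f"{c:>9}" for c in cells))
    # Worked case from the text: a $100k loss about every 3 months -> ALE $400k.
    print("ALE($100k, 4/yr) =", ale(100_000, 4))
    # Cost justification: avoiding a 1,000,000 loss with a 400,000 control.
    print("net benefit =", control_net_benefit(1_000_000, 0, 400_000))
```

The table's cells are coarse on purpose: the axes step by powers of ten, so the value of the exercise is ranking exposures, not pricing them. When a control only reduces frequency or loss partially, feed the residual ALE into `control_net_benefit` rather than zero.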
5)
, , (question-
naires), (fuzzy metrics) .
, , , , ,
, (stochastic dominance) .
, , , ,
. /
. Perry & Kuong(1981)
.
- :
- : /
- :
- :
- :
- :
- :
.
.
.
.
(value chain analysis) (Rainer, Snyder & Carr,
1991).
.
6.3.3.
. .
:
-
-
-
.
.
,
:
-
- ,
- , ,
- ,
.
S/W
,
,
.
1.
.
2.
.
3.
4.
a.
b.
c. PC/
call-off
/
.
.
5. 3
.
6.
7.
.
8.
.
S/W
1.
.
2.
s/w
,
1. S/W
2.
3. S/W
.
1. (,
, , CD-ROM)
,
2. (journalling),
(vaulting)
,
3.
,
,
1.
2.
3.
(node)
4.
5.
PABX
ACD
1. ,
,
PABX
.
,
.
1. .
2.
3.
4.
1.
/ .
2.
.
3.
-
.
, ,
1.
.
.
2. /
,
3.
a.
b.
.
4. 3(,
) 3 .
5. .
.
6. (:
) .
1. .
2. (fiche)
.
3. /
3 . .
1.
.
2.
3.
H/W
S/W
DBMS
DBMS SQL(Structured
Query Language)
DBMS
6-9>
.
.
.
.
-
- , , , , ,
, ,
- , ,
, , .
-
.
.
. ,
.
- /
-
-
- CCTV
, ,
, , ,
, , CCTV , ,
, ,
, , ,
,
, , ,
,
, ,
, ,
6-10>
-
- , , , ,
.
.
.
.
CCTA (Central Computer and Telecommunications Agency, 1990) classifies the recovery strategy options available to an organization into nine types:

1) Do nothing.
2) Clerical backup procedures.
3) Reciprocal arrangement with another installation (a change management system is needed to keep the two installations compatible).
4) The "fortress" approach.
5) "Cold" start, fixed centre: provision of building accommodation only.
6) "Cold" start, portable centre: a variant of option 5).
7) "Hot" start, external: provision of computer accommodation and equipment by an outside provider.
8) "Hot" start, internal: as option 7), but provided within the organization itself.
9) Mobile hot start, or "computer on the back of a lorry".
6.3.4.
. .
-
-
-
-
-
.
. :
- , , (Command, Control, and Communication)
-
-
1) , ,
, ,
( 6-1) , ,
. ( 6-1) /, ,
, ,
.
) /
/
:
(, , )
)
/ .
,
.
.
, , , , , , ,
, ,
(Salvage)
.
.
.
.
)
.
.
.
)
.
. :
/ , .
.
.
.
.
.
.
2)
, , , ,
, , ,
. ,
. ( 6-2)
.
( 6-2)
:
: ,
( 6-3) ''
:
:
. ( 6-2)
.
( 6-3)
;
- /
- , , /
-
, , , ,
.
/ .
3)
:
-
-
-
,
.
.
1)
, ,
. :
- , , ,
-
-
-
-
-
-
-
-
, ,
.
:
-
-
)
.
-
-
-
:
-
- , , ,
- , ,
,
- (mobile service) ,
-
)
, ,
.
. , ,
.
2)
,
.
.
.
1)
;
- : , , ,
- :
- :
. :
-
-
)
;
-
-
-
-
)
:
-
-
.
.
.
.
.
2)
:
- /
- , , /
-
)
:
-
-
-
-
- , , 3
-
-
/ .
/ .
)
.
.
:
-
-
-
- , , ,
-
- (:
)
-
)
.
.
.
.
-
- , ,
-
- (ex , LAN)
-
-
.
)
. ,
.
.
.
- , ,
- , ,
-
-
-
.
.
.
,
.
)
, .
.
. ,
,
.
.
:
-
-
)
/
.
, , . ,
.
, , ,
.
3
:
-
- FAQ
-
-
.
.
.
.
.
;
-
-
-
-
.
,
.
. .
-
- CCTV
1)
,
,
.
. 6 :
-
-
-
-
-
-
)
;
-
-
- , ,
-
)
4 .
o (Walkthroughs)
o
:
-
-
-
.
o
.
o
)
.
:
- 3 7 .
.
- . 1 24
.
- .
- .
)
. .
:
- ; .
-
- (, , ,
)
-
-
.
.
.
)
.
(test diary) .
.
-
-
-
- 3
-
-
)
,
, , .
6.3.5.
.
.
.
,
.
.
(, , , )
.
.
.
.
, .
.
.
.
.
,
.
.
.
.
.
:
- .
-
.
- .
:
-
-
-
-
Q&A
.
.
. :
-
-
-
.
.
6.4.
6.4.1.
,
, , ,
.
.
.
- ,
-
- ,
- ,
- , ,
-
, , .
, , ,
. ,
.
.
.
6.4.2.
.
. .
.
6.4.3.
. ,
.
, , , , .
, .
.
.
o .
.
o :
.
o :
.
o :
. ,
, .
o :
.
6.4.4.
.
.
,
.
.
-
-
-
- (assumptions)
-
-
-
-
-
-
-
-
- ,
- ,
- ,
.
.
- ;
.
, , .
- ;
. , , ,
.
:
-
-
-
-
1)
. :
-
.
- . (:
)
.
.
.
, , ,
/.
2)
.
.
.
-
-
-
- (, )
-
.
.
3)
.
, /
:
- ( )
, ,
-
-
-
-
- ,
/
:
-
-
- ,
.
:
-
-
-
-
4)
.
.
.
.
6 .
-
-
-
-
- ,
- , ,
6
.
. 6
.
.
7.
. , (core
competence)
,
. ,
.
.
7.1.
.
.
, , ,
.
,
.
,
.
.
. (service level agreement)
.
.
7.2.
.
.
.
.
. :
-
-
-
-
- ,
.
.
, :
-
.
.
-
.
-
. (,
.
.)
.
:
-
- ,
-
-
-
-
-
-
-
-
, .
7.3.
.
.
. (1 ) .
, ,
.
7.4.
.
, , .
, 3
.
.
.
-
-
-
-
-
7.5
.
. :
- (in-house back up)
- 2
.
:
- ,
-
-
-
-
. , ,
, , ,
. , . ,
.
.
.
.
:
- ,
-
- (. , )
-
.
:
-
-
-
-
- ,
-
.
. ,
.
.
.
. ,
.
. ,
, ,
.
.
.
.
. ,
KS X ISO/IEC 24762:2011
.
.
;
-
-
-
-
-
,
-
?
-
?
- , , ?
- ?
-
?
-
?
A
.
.
,
.
;
-
-
-
-
,
, ,
- PID ?
- ?
- ?
-
?
, .
.
;
-
-
-
-
, ,
, ,
- ,
?
- ?
-
?
- ?
-
?
-
?
.
.
;
-
-
-
-
-
, ,
,
- ?
- ?
-
?
- ?
- ?
- ?
Appendix. References

[1] , , , 1995.
[2] Butler, J., Contingency Planning and Disaster Recovery Strategies, Computer Technology Research Corp., 1994.
[3] Carlton, R. A., Telecommunications Disaster Planning, DATAPRO, 1994.
[4] CCTA, An Introduction to Business Continuity Management, The Government Centre for Information Systems, 1995.
[5] Cerullo, M. and R. McDuffie, "Computer Contingency Plans and the Auditors: A Survey of Businesses Affected by Hurricane Hugo," Computers & Security, Vol. 11, No. 7, Nov. 1992, pp. 620-622.
[6] Collins, B. and S. Mathews, "Securing Your Business Process," Computers & Security, Vol. 12, No. 7, Nov. 1993, pp. 629-633.
[7] Commission of the European Communities Security Investigations Projects, Final and Strategy Report, Project S2014 Risk Analysis, Report Number 9744 (S2014/WP08), Version 1.0, Feb. 1993.
[8] Corby, M., "Disaster Recovery Testing in a Client/Server Environment," DATAPRO, July 1994, pp. 101-107.
[9] Devlin, E., C. Emerson, and L. Wrobel, Business Resumption Planning, Auerbach, 1998.
[10] Earl, Michael J., "Experience in Strategic Information Systems Planning," MIS Quarterly, Mar. 1993, pp. 1-20.
[11] FIPS PUB 41, Computer Security Guidelines for Implementing the Privacy Act of 1974, U.S. Department of Commerce/National Bureau of Standards, May 1975.
[12] FIPS PUB 65, Guidelines for Automatic Data Processing Risk Analysis, U.S. Department of Commerce/National Bureau of Standards, Aug. 1979.
[13] , , 1997. 12.
[14] , , 1997. 2.
[15] , , 1995. 12.
[16] C. Wood, W. Bank, S. Guarro, A. Garcia, V. Hampel, E. Viktor, and H. Sartorio,
[17] , : , , 1994.
[18] FIPS PUB 73, Guidelines for Security of Computer Applications, U.S. Department of Commerce/National Bureau of Standards, Jun. 1980.
[19] Haar, David J., "How Activity Accounting Works in Government," Management Accounting, September 1990, pp. 36-40.
[20] Highland, H., "Disaster Recovery at the WTC," Computers & Security, Vol. 12, No. 3, May 1993, pp. 216-217.
[21] ISO/IEC JTC1/SC27 N442, Key Management Part 1: Framework, ISO, Mar. 1994.
[22] ISO/IEC JTC1/SC27 N689, Guidelines for the Management of IT System Security: Part 3 - Techniques for the Management of IT Security, ISO, Mar. 1993.
[23] ISO/IEC JTC1/SC27 N720, Guidelines for the Management of IT Security (GMITS): Part 2 - Managing and Planning IT Security, ISO, May 1993.
[24] ISO/IEC JTC1/SC27 N777, Guidelines for the Management of IT System Security (GMITS): Part 1 - Concepts and Models for IT Security, ISO, Oct. 1993.
[25] Jackson, Carl B., "Business Continuity Planning: The Need and the Approach," DATAPRO, February 1994, pp. 101-109.
[26] Keefer, Donald L. and Bodily, Samuel E., "Three-Point Approximations for Continuous Random Variables," Management Science, Vol. 29, No. 5, May 1983, pp. 595-609.
[27] Menkus, B., "A High Rise Building Fire Case Study," Computers & Security, Vol. 11, No. 1, Jan. 1992a, pp. 19-23.
[28] Menkus, B., "The Lessons of the Great Chicago Flood of 1992," Computers & Security, Vol. 11, No. 5, Sept. 1992b, pp. 417-420.
[29] Menkus, B., "The New Importance of 'Business Continuity' in Data Processing Disaster Recovery Planning," Computers & Security, Vol. 13, No. 2, May 1994, pp. 115-118.
[30] Miora, Michael, "Protecting the Enterprise: Seven Steps to Safety," Carolina Computer News, April 1997.
[31] Moeller, M., "World Trade Center bombing tests disaster recovery," Computer Fraud and Security Bulletin, March 1993, pp. 12.
[32] Moore, Pat, "How to Plan for Enterprise-Wide Business and Service Continuity," Strohl Systems, 1997.
[33] Moses, Robin, "Risk Analysis and Management," in Computer Security Reference Book, edited by Jackson, K. M., Hruska, J. and Parker, Donn B., CRC Press, Inc., 1992, pp. 227-263.
[34] NIST, U.S. Department of Justice Simplified Risk Analysis Guidelines, NISTIR 4387, Aug. 1990.
[35] Ozier, Will, "Issues in Quantitative Versus Qualitative Risk Analysis," Datapro Reports on Information Security, March 1992, pp. 101-107.
[36] Perry, William E. and Kuong, Javier F., EDP Risk Analysis and Control Justification, Management Advisory Publications, 1981.
[37] Rainer, Rex Kelly, Jr., Snyder, Charles A. and Carr, Houston H., "Risk Analysis for Information Technology," Journal of Management Information Systems, Vol. 8, No. 1, 1991, pp. 129-147.
[38] Robak, Edward and Security and Emergency Planning Staff, U.S. Department of Justice, Simplified Risk Analysis Guidelines (SRAG), National Institute of Standards and Technology, 1990.
[39] Smith, M. and J. Sherwood, "Business Continuity Planning," Computers & Security, Vol. 14, No. 1, Jan. 1995, pp. 14-23.
[40] UCG (United Communications Group), "Trends in Disaster Recovery," I/S Analyzer, Vol. 26, No. 11, Nov. 1988, pp. 1-12.
[41] Wold, Geoffrey H. and Shriver, Robert F., "Risk Analysis Techniques," Basic DR Articles, Disaster Recovery Journal, December 1997.
[42] "CCTA Risk Analysis and Management Methodology (CRAMM)," Datapro Reports on Information Security, December 1992, pp. 101-110.
[43] , KS X ISO IEC 22300:2012 , 2012. 12
[44] , KS X ISO IEC 22301:2012 , 2012. 12
[45] , KS X ISO IEC 24762:2008 , 2008
Drafting committee for TTAK.KO-12.0009/R1: Project Group PG 504 (TCA, ETRI) and Technical Committee TC5.

A Guide to the Contingency and Disaster Recovery Plan for the Public Information Systems
Published: 2013.12.
Tel: 031-724-0114, Fax: 031-724-0109