DOI QR코드

DOI QR Code

Development of Security Metrics of Enterprise Security Management System

통합보안관리시스템의 보안성 메트릭 개발

  • Yang, Hyo-Sik (Samil PricewaterhouseCoopers IT Risk & Security)
  • 양효식 (삼일회계법인 IT Risk & Security)
  • Received : 2017.10.11
  • Accepted : 2017.12.20
  • Published : 2017.12.28

Abstract

As new information technology emerges, companies are introducing an Enterprise Security Management system to cope with new security threats, reducing redundant investments and waste of resources and counteracting security threats. Therefore, it is necessary to construct a security evaluation metric based on related standards to demonstrate that the Enterprise Security Management(ESM) System meets security. Therefore, in order to construct a metric for evaluating the security of the ESM, this study analyzed the security quality related requirements of the ESM and constructed a metric for measuring the degree of satisfaction. This metric provides synergies through the unification of security assessments that comply with ISO/IEC 15408 and ISO/IEC 25000 standards. It is expected that the evaluation model of the security quality level of ESM will be established and the evaluation method of ESM will be standardized in the future.

Keywords

Enterprise Security Management;Security;Merics;Quality Evaluattion;Quality Requirements

References

  1. Deuk-Soo Kang, Hae-Sool Yang, "Evaluation Items of ESM S/W by Case Analysis", The Korea Contents Society, Journal of the korea contents association, p.84, August, 2010.
  2. Hyung-Ho Kang, "A Study on the Improvement of Alert Function in ESM for Effective Attack Detection", Sungkyungkwan University, Thesis of Master's Degree, 2014.
  3. Korea Internet & Security Agency, "Cyber Threat Trend Report for the 2nd quarter 2017", July, 2017.
  4. ComputerWeekly.com, "Security audits reveal poor state of corporate cyber defences", August 4, 2017.
  5. ISO/IEC 9126-1:2001, Software engineering -- Product quality -- Part 1:Quality Model, 2001.
  6. ISO/IEC 9126-2:2003, Software engineering -- Product quality -- Part 2:External Metrics, 2003.
  7. ISO/IEC 25010, "Systems and software engineering -- Systems and software Quality Requirements and Evaluation(SQuaRE) -- system and software quality models", 2011.
  8. ISO/IEC 15408, Information technology -- Security techniques -- Evaluation criteria for IT security, 1999.
  9. Jae-Woo Im, "Refining software vulnerability Analysis under ISO/IEC 15408 and 18045", Journal of the Korea Institute of Information Security & Cryptology, Vol.24, No.5, pp.969-974, October, 2014. https://doi.org/10.13089/JKIISC.2014.24.5.969
  10. Ji-Hoon Jeong, Goang-Taek Han, Heui-Bong Choi, Gang-Soo Lee, Young-Soo Kim, Gap-Seung Go, "Enterprise Security Management System Protection Profile V2.0", National Security Research Institute & Hannam University, September, 2008.
  11. Ha-Yong Lee, Jung-Gyu Kim, "Efficiency Eval8uation Convergence Model of Virtual Private Network based on CC and ISO Standard", The Journal of Digital Convergence, Vol.13, No.15, pp.169-176, 2015.
  12. Ha-Yong Lee, Hyo-Sik Yang, "Convergence Performance Evaluation Model for Intrusion Protection System based on CC and ISO Standard", The Journal of Digital Convergence, Vol.13, No.15, pp.251-257, 2015.
  13. ISO/IEC 25020, "Software product Quality Requirements and Evaluation(SQuaRE) -- Measurement reference model and guide", 2007.
  14. ISO/IEC 25030, "Software product Quality Requirements and Evaluation(SQuaRE) -- Quality requirements", 2007.
  15. ISO/IEC 25040, "Systems and software engineering - Systems and software Quality Requirements and Evaluation(SQuaRE) -- Evaluation process", 2011.
  16. ISO/IEC 25051, "Software engineering -- Systems and software Quality Requirements and Evaluation (SQuaRE) -- Requirements for quality of Ready to Use Software Product (RUSP) and instructions for testing", 2014.
  17. ISO/IEC 25041, "Systems and software engineering -- Systems and software Quality Requirements and Evaluation(SQuaRE) -- Evaluation guide for developers, acquirers and independent evaluators", 2012.