Journal of Digital Convergence (디지털융복합연구)

The Society of Digital Policy and Management (한국디지털정책학회)
권호 표지
DOI QR코드

DOI QR Code

A Comparison Study between Cloud Service Assessment Programs and ISO/IEC 27001:2013

클라우드 서비스 평가 프로그램과 ISO/IEC 27001:2013의 비교 연구

  • 최주영 (서울여자대학교 정보보호학과) ;
  • 최은정 (서울여자대학교 교양학부) ;
  • 김명주 (서울여자대학교 정보보호학과)
  • Received : 2013.12.01
  • Accepted : 2014.01.20
  • Published : 2014.01.28
Download PDF
⟨ Previous Next ⟩

Abstract

It is very important to IT users that the Cloud service provides dynamic extension of IT resources and cost-saving. However, the reliability for Cloud service hinders utilizing Cloud service actively. Existing studies on assessment program for Cloud Service are executed by extracting information security assessment articles and adding features of cloud services by referencing ISO/IEC 27001:2005. This paper will review the recently released ISO/IEC 27001:2013 for the addition, reduction, and changing of articles for Controls and Control objectives. Comparative analysis for the Controls of ISO/IEC 27001:2013 with those of CSA CCMv.3, FedRAMP which is an assessment program for Cloud service will suggest Control Objects of Information Security Management System for related Cloud service. The suggestion of Controls will be an important reference index for the security policy of companies which manage the information security management system based on Cloud service.

IT 자원의 동적 확장과 비용절감이라는 클라우드 서비스의 장점은 IT 사용자의 관심이다. 그러나 클라우드 서비스의 신뢰성은 클라우드 서비스를 적극적으로 사용하는데 걸림돌이 되고 있다. 기존 클라우드 서비스의 평가 프로그램은 ISO/IEC 27001:2005을 참고하여 정보보호 평가 항목을 도출하고 클라우드 서비스 특징을 추가하는 방법으로 연구가 이루어지고 있다. 본 논문은 최근 발표된 ISO/IEC 27001:2013의 추가와 삭제 그리고 변경된 통제영역 및 통제 항목을 살펴본다. ISO/IEC 27001:2013의 통제 항목과 클라우드 서비스 평가 프로그램인 CSA CCM v.3, FedRAMP의 통제 항목을 비교 분석하여 정보보호관리체계에서 클라우드 서비스와 관련된 평가 항목을 제시한다. 도출한 통제 항목은 클라우드 서비스 기반의 정보보호관리체계를 운영하는 기업의 보안 정책에 참고 지표가 될 것이다.

Keywords

References

  1. Telecommunications Technology Association, http://word.tta.or.kr/terms/terms.jsp
  2. IDC, WorldWide and Regional Public IT Cloud Services 2013-2017 Forecast
  3. W. Y. Kang, Market Views and Policy Trends for Foreign Cloud, Internet & Security Issue, pp. 10, Jun. 2012.
  4. ISO/IEC FDIS 27001 Information technology - Security techniques - Information security management systems - Requirements, ISO/IEC, 2013, http://www.iso.org
  5. Cloud Security Alliance, CSA Position Paper on AICPA Service Organization Control Reports, Feb. 2013.
  6. PCI-DSS, Information Supplement: PCI DSS Cloud Computing Guidelines Version 2.0, Feb. 2013.
  7. FedRAMP: The Federal Risk and Authorization Ma nagement Program, FedRAMP CONOPS Version 1. 2, Jul. 2012.
  8. Cloud Security Alliance, Open Certification Framew ork Vision Statement, Rev. 1, Aug. 2013.
  9. ISACA, Cloud Computing Management Audit/Assu rance Program, 2010.
  10. KCSA, Assessment Criteria of Cloud Service, Feb. 2012.
  11. NIST Computer Security Division, "Recommended Security Control for Federal Information Systems an d Organizations", NIST SP 800-53 Revision 3, Feb, 2010.
  12. Kchul Kim, Ok Heo, Seungjoo Kim, A Security Eva luation Criteria for Korean Cloud Computing Service, Journal of The Korea Institute of Information Sec urity & Cryptology, Vol. 23, No. 2, pp. 251-265, 2013. https://doi.org/10.13089/JKIISC.2013.23.2.251
  13. Kyoung-a Shin, Sang-jin Lee, Information Security Management System on Cloud Computing Service, Journal of The Korea Institute of Information Securit y & Cryptology, Vol. 22, No. 1, pp. 156-167. 2013.

Cited by

  1. Information exchange architecture based on software defined networking for cooperative intelligent transportation systems vol.18, pp.2, 2015, https://doi.org/10.1007/s10586-015-0442-z