
A Study on Information Security Departmentalization Model

A Study on a Placement Model for the Dedicated Information Security Organization

  • Kang, Hyunsik (Dept. of Security Convergence, ChungAng University)
  • Kim, Jungduk (Dept. of Industrial Security, ChungAng University)
  • Received : 2015.05.15
  • Accepted : 2015.05.26
  • Published : 2015.05.31

Abstract

The information security organization has traditionally been placed under the IT department. As the importance of information security has grown, however, where the information security organization sits for enterprise-wide security management has become a noteworthy issue. The need to separate the information security organization from the IT department is increasing, for example through restrictions on holding the CIO and CISO positions concurrently. There are now many studies on information security organizations, but relatively little research on their departmentalization. For these reasons, this study proposes an Information Security Departmentalization Model, based on business risk and reliance on IT, for organizing the information security organization effectively, using contingency theory. In addition, this study classifies the possible placements of the information security organization into the Planning & Coordination, Internal Control, Management, and IT departments and analyzes the strengths and weaknesses of each case.

Dedicated information security organizations have generally been placed under the IT department, but as the importance of information security grows, the placement of the dedicated information security organization for enterprise-wide security is emerging as an important issue. In the domestic financial sector as well, the need to separate the dedicated information security organization is increasing, for example through the separation of the CIO and CISO under the amendment to the Electronic Financial Transactions Act. However, while research on the internal structure of dedicated information security organizations is active, research on how to place them is insufficient. Therefore, for the effective placement of a dedicated information security organization, this paper presents a placement model for the dedicated information security organization based on the enterprise's business risk and IT dependence, using a contingency approach. In addition, the department to which the dedicated information security organization belongs is classified as the planning and coordination department, the internal control department, the internal management department, or the IT department, and the strengths and weaknesses of placement under each department are analyzed.
