• Title/Summary/Keyword: ISMS(Information Security Management System)

Search Result 86, Processing Time 0.02 seconds

The Integrated Cyber SRM(Security Risk Monitoring) System Based on the Patterns of Cyber Security Charts

  • Lee, Gang-Soo;Jung, Hyun Mi
    • Journal of the Korea Society of Computer and Information
    • /
    • v.24 no.11
    • /
    • pp.99-107
    • /
    • 2019
  • The "Risk management" and "Security monitoring" activities for cyber security are deeply correlated in that they prepare for future security threats and minimize security incidents. In addition, it is effective to apply a pattern model that visually demonstrates to an administrator the threat to that information asset in both the risk management and the security system areas. Validated pattern models have long-standing "control chart" models in the traditional quality control sector, but lack the use of information systems in cyber risk management and security systems. In this paper, a cyber Security Risk Monitoring (SRM) system that integrates risk management and a security system was designed. The SRM presents a strategy for applying 'security control' using the pattern of 'control charts'. The security measures were integrated with the existing set of standardized security measures, ISMS, NIST SP 800-53 and CC. Using this information, we analyzed the warning trends of the cyber crisis in Korea for four years from 2014 to 2018 and this enables us to establish more flexible security measures in the future.

A study for Information Security Risk Assessment Methodology Improvement by blockade and security system level assessment (봉쇄와 보안장비 수준평가를 통한 정보보호 위험평가 개선 연구)

  • Han, Choong-Hee;Han, ChangHee
    • Convergence Security Journal
    • /
    • v.20 no.4
    • /
    • pp.187-196
    • /
    • 2020
  • In order to manage information security risk, various information security level evaluation and information security management system certification have been conducted on a larger scale than ever. However, there are continuous cases of infringement of information protection for companies with excellent information security evaluation and companies with excellent information security management system certification. The existing information security risk management methodology identifies and analyzes risks by identifying information assets inside the information system. Existing information security risk management methodology lacks a review of where cyber threats come from and whether security devices are properly operated for each route. In order to improve the current risk management plan, it is necessary to look at where cyber threats come from and improve the containment level for each inflow section to absolutely reduce unnecessary cyber threats. In addition, it is essential to measure and improve the appropriate configuration and operational level of security equipment that is currently overlooked in the risk management methodology. It is necessary to block and enter cyber threats as much as possible, and to detect and respond to cyber threats that inevitably pass through open niches and use security devices. Therefore, this paper proposes additional evaluation items for evaluating the containment level against cyber threats in the ISMS-P authentication items and vulnerability analysis and evaluation items for major information and communication infrastructures, and evaluates the level of security equipment configuration for each inflow.

Perceptual Differences between Managers and Practitioners on Competencies of Information Security Consultants (정보보호컨설턴트 역량에 대한 관리자와 실무자의 인식차이)

  • Kim, Se-Yun;Kim, Tae-Sung
    • Journal of the Korea Institute of Information Security & Cryptology
    • /
    • v.26 no.1
    • /
    • pp.227-235
    • /
    • 2016
  • As various measures of law observance obligations such as mandatory obligation of privacy impact assessment (PIA) for public institutions and authorization of information security management system (ISMS) are put into practice, increase in demand for information security consulting and securement of information security consultants are emerging as a major issue. The purpose of this study is to empirically investigate what core competencies information security consultants should possess and how much they actually possess them. By analyzing the differences in perception between practitioners and managers on core competencies, this study understands difference of views between the two groups and suggests ideas for cultivation of information security consultants.

Adaptation Policy of ISO 27001 ISMS (Information Security Management System) for e-Government (전자정부 정보보호관리체계(G-ISMS) 적용 정책)

  • Han, Keun-Hee
    • Journal of the Korea Institute of Information Security & Cryptology
    • /
    • v.19 no.5
    • /
    • pp.119-130
    • /
    • 2009
  • Korea ranked 2nd in the UN Global e-Participation Index and ranked number one as the leader in e-Government for the third consecutive year. However, Korea ranked 51 in the level of information security published by WEF(World Economic Forum), relatively a low level comparing with its great number of users and excellent environments for the Internet service. A series of critical hacking accidents such as the information leak at Auction and GS Caltex emerged consecutively in 2008 year, resulting in the leak of personal & critical information. This led to a strong interest in the necessity and importance of information security and personal information so that demand for IT security is growing fast. In this paper, we survey to benchmark information security in the perspective of service level, system, investment and policy about major foreign countries. Then we research on an effective way to make the most of the benchmark result to Korea e-Government. In addition, the purpose of this paper is to improve national information security index by developing a policy for ISO 27001 ISMS, an international standard for Information Security Management System, and elevate safety and security of the e-Government serviced by central administrative organizations and local authorities.

A Improvement Study on the Medical Information Protection Using Personal Information Management System(PIMS) : Focus on medical practitioners (개인정보보호관리체계(PIMS)를 이용한 의료정보보호 개선 방안 연구 : 의료기관 종사자를 중심으로)

  • Min, Kyeongeun;Kim, Sungjun
    • Journal of Korea Society of Digital Industry and Information Management
    • /
    • v.12 no.3
    • /
    • pp.87-109
    • /
    • 2016
  • This study intends to present an effective and efficient development plan about the information protection of medical institutions, by establishing the improvement plan about Personal Information Management System(PIMS) appropriate to the characteristics of medical information focusing on medical institutions generating and using domestic medical information, and doing an empirical study on medical information protection plan. For this, in view of the medical characteristics of the existing Information Security Management System(ISMS), the study presented a study model appropriated to medical institutions based on Personal Information Management Systems index specialized for personal information, and through this, presented the vulnerability diagnosis and vulnerability improvement plan. Based on ISMS index, it designed an improvement index of personal information protection management about each index. The study conducted a survey for executives and employees about PIMS. Accordingly, it presented vulnerability diagnosis items of the current management system indexes from the viewpoint of the people who establish and mange the personal information protection about patients' medical information targeting executives and employees who serve at hospitals and can access medical information.

A Security Evaluation Criteria for Korean Cloud Computing Service (한국형 클라우드를 위한 정보보호 관리체계 평가 기준)

  • Kim, Kichul;Heo, Ok;Kim, Seungjoo
    • Journal of the Korea Institute of Information Security & Cryptology
    • /
    • v.23 no.2
    • /
    • pp.251-265
    • /
    • 2013
  • Cloud computing provided as a service type by sharing IT resources cannot be activated unless the issue of information security is solved. The enterprise attempts to maximize the efficiency of information and communication resources by introducing cloud computing services. In comparison to the United States and Japan, however, cloud computing service in korea has not been activated because of a lack of confidence in the security. This paper suggests core evaluation criteria and added evaluation criteria which is removed the redundancy of the security controls from existing ISMS for Korean cloud computing through a comparative analysis between domestic and foreign security controls of cloud certification scheme and guidelines and information security management system. A cloud service provider certified ISMS can minimize redundant and unnecessary certification assessment work by considering added evaluation criteria.

A Study for Limitations and Improvement of Information Security Management System (정보보호 관리의 한계점과 개선방안에 관한 연구)

  • Lee, Sujin;Choi, Sang-Yong;Kim, JaeKyoung;Oh, ChungShick;Seo, Changho
    • Journal of Digital Convergence
    • /
    • v.12 no.2
    • /
    • pp.563-570
    • /
    • 2014
  • As information security is becoming more important today, efforts in managing information security more efficiently is becoming greater. Each department such as Ministry of Security and Public Administration, Ministry of Science, Ministry of Education, National Intelligence Service, etc. is established screening criteria for information security and conducted the evaluation. Various information security certification and evaluation for public institutions effectively help to improve the level of information security. However, there are limitations of efficient security management because the examination to be performed frequently by each department. In this paper, we analyze screening criteria of the information security management that is being conducted in the public institutions. We also present limitations of information security management and the direction of improving the limitations.

Improvement of ISMS Certification Components for Virtual Asset Services: Focusing on CCSS Certification Comparison (안전한 가상자산 서비스를 위한 ISMS 인증항목 개선에 관한 연구: CCSS 인증제도 비교를 중심으로)

  • Kim, Eun Ji;Koo, Ja Hwan;Kim, Ung Mo
    • KIPS Transactions on Computer and Communication Systems
    • /
    • v.11 no.8
    • /
    • pp.249-258
    • /
    • 2022
  • Since the advent of Bitcoin, various virtual assets have been actively traded through virtual asset services of virtual asset exchanges. Recently, security accidents have frequently occurred in virtual asset exchanges, so the government is obligated to obtain information security management system (ISMS) certification to strengthen information protection of virtual asset exchanges, and 56 additional specialized items have been established. In this paper, we compared the domain importance of ISMS and CryptoCurrency Security Standard (CCSS) which is a set of requirements for all information systems that make use of cryptocurrencies, and analyzed the results after mapping them to gain insight into the characteristics of each certification system. Improvements for 4 items of High Level were derived by classifying the priorities for improvement items into 3 stages: High, Medium, and Low. These results can provide priority for virtual asset and information system security, support method and systematic decision-making on improvement of certified items, and contribute to vitalization of virtual asset transactions by enhancing the reliability and safety of virtual asset services.

A Measures to Converge Manage an Efficient Information Security Management System for Information Security Experts Manpower (정보보호 인력양성을 위한 효율적인 정보보호관리체계의 융합 관리 방안)

  • Lee, Keun-Ho
    • Journal of the Korea Convergence Society
    • /
    • v.5 no.4
    • /
    • pp.81-86
    • /
    • 2014
  • The development in IT technology has brought about various services that are on offer based on a new service model. But such new services have increased security risks. The government is operating a program to foster experts in information security to protect assets from the threat of such risks, too. Society's awareness on the importance of information security has also grown, leading to various courses to train such personnel, including membership clubs for the fostering of such specialists. This study seeks to suggest a method that efficiently manages the convergence of running a curriculum on ISMS(information security management systems) and a club that focuses on information protection. Such converged information security courses are expected to contribute to a safer IT-based society.

Advanced Information Security Management Evaluation System

  • Jo, Hea-Suk;Kim, Seung-Joo;Won, Dong-Ho
    • KSII Transactions on Internet and Information Systems (TIIS)
    • /
    • v.5 no.6
    • /
    • pp.1192-1213
    • /
    • 2011
  • Information security management systems (ISMSs) are used to manage information about their customers and themselves by governments or business organizations following advances in e-commerce, open networks, mobile networks, and Internet banking. This paper explains the existing ISMSs and presents a comparative analysis. The discussion deals with different types of ISMSs. We addressed issues within the existing ISMSs via analysis. Based on these analyses, then we proposes the development of an information security management evaluation system (ISMES). The method can be applied by a self-evaluation of the organization and an evaluation of the organization by the evaluation committee. The contribution of this study enables an organization to refer to and improve its information security levels. The case study can also provide a business organization with an easy method to build ISMS and the reduce cost of information security evaluation.