• Title/Summary/Keyword: Security Evaluation System

Search Result 687, Processing Time 0.029 seconds

Developing a Framework for the Implementation of Evidence Collection System: Focusing on the Evaluation of Information Security Management in South Korea

  • Choi, Myeonggil;Kang, Sungmin;Park, Eunju
    • Journal of Information Technology Applications and Management
    • /
    • v.26 no.5
    • /
    • pp.13-25
    • /
    • 2019
  • Recently, as evaluation of information security (IS) management become more diverse and complicated, the contents and procedure of the evidence to prepare for actual assessment are rapidly increasing. As a result, the actual assessment is a burden for both evaluation agencies and institutions receiving assessments. However, most of them reflect the evaluation system used by foreign government agencies, standard organizations, and commercial companies. It is necessary to consider the evaluation system suitable for the domestic environment instead of reflecting the overseas evaluation system as it is. The purpose of this study is as follows. First, we will present the problems of the existing information security assessment system and the improvement direction of the information security assessment system through analysis of existing information security assessment system. Second, it analyzes the technical guidance for information security testing and assessment and the evaluation of information security management in the Special Publication 800-115 'Technical Guide to Information Security Testing and Assessment' of the National Institute of Standards and Technology (NIST). Third, we will build a framework to implement the evidence collection system and present a system implementation method for the '6. Information System Security' of 'information security management actual condition evaluation index'. The implications of the framework development through this study are as follows. It can be expected that the security status of the enterprises will be improved by constructing the evidence collection system that can collect the collected evidence from the existing situation assessment. In addition, it is possible to systematically assess the actual status of information security through the establishment of the evidence collection system and to improve the efficiency of the evaluation. Therefore, the management system for evaluating the actual situation can reduce the work burden and improve the efficiency of evaluation.

A Derivation of Evaluation Item about Enterprise Security Management

  • Kim, Sun-Joo;Jo, In-June
    • Journal of information and communication convergence engineering
    • /
    • v.8 no.5
    • /
    • pp.544-548
    • /
    • 2010
  • The Enterprise Security Management system is a centralized control system based on predefined security policies by organizations. In Korea, there is a Common Criteria security certification according to the strict standards for various features. As the needs of information security product are increasing, the ESM system should be evaluated with quality characteristics. In this paper, we propose evaluation items for functionality and performance of Enterprise Security Management system, and the best practices for evaluation.

Design of the Security Evaluation System for Decision Support in the Enterprise Network Security Management (대규모 네트워크 환경에서의 보안관리를 위한 보안평가 시스템 설계)

  • 이재승;김상춘
    • Journal of KIISE:Information Networking
    • /
    • v.30 no.6
    • /
    • pp.776-786
    • /
    • 2003
  • Security Evaluation System is a system that evaluates the security of the entire enterprise network domain which consists of various components and that supports a security manager or a Security Management System in making decisions about security management of the enterprise network based on the evaluation. It helps the security manager or the security management system to make a decision about how to change the configuration of the network to prevent the attack due to the security vulnerabilities of the network. Security Evaluation System checks the “current status” of the network, predicts the possible intrusion and supports decision-making about security management to prevent the intrusion in advance. In this paper we analyze the requirements of the Security Evaluation System that automates the security evaluation of the enterprise network which consists of various components and that supports decision-making about security management to prevent the intrusion, and we propose a design for it which satisfies the requirements.

A Study on Automatic Security Diagnostic Evaluation System for Security Assurance (보안 안전성을 위한 자동화 보안진단평가 시스템에 관한 연구)

  • Eom, Jung Ho;Park, Seon Ho;Chung, Tai M.
    • Journal of Korea Society of Digital Industry and Information Management
    • /
    • v.5 no.4
    • /
    • pp.109-116
    • /
    • 2009
  • In the paper, we designed an automatic security diagnostic evaluation System(SeDES) based on a security diagnostic evaluation model(SeDEM) for an organization's security assurance. The SeDEM evaluates a security level of an organization quantitatively by a security evaluation formula which is composed of security variables and security index as applying the statistical CAEL model for evaluate risk level of banks. The SeDES has a good expandability as changing security variables according to an organization scale, characteristics and so on. And it also has a excellent usage because it inputs only numeric data got from statistical technique to security index. We can understand more a security level correctly than the existent risk assessment system because it is possible to assess quantitatively with an security grade as well as score. analysis.

Advanced Information Security Management Evaluation System

  • Jo, Hea-Suk;Kim, Seung-Joo;Won, Dong-Ho
    • KSII Transactions on Internet and Information Systems (TIIS)
    • /
    • v.5 no.6
    • /
    • pp.1192-1213
    • /
    • 2011
  • Information security management systems (ISMSs) are used to manage information about their customers and themselves by governments or business organizations following advances in e-commerce, open networks, mobile networks, and Internet banking. This paper explains the existing ISMSs and presents a comparative analysis. The discussion deals with different types of ISMSs. We addressed issues within the existing ISMSs via analysis. Based on these analyses, then we proposes the development of an information security management evaluation system (ISMES). The method can be applied by a self-evaluation of the organization and an evaluation of the organization by the evaluation committee. The contribution of this study enables an organization to refer to and improve its information security levels. The case study can also provide a business organization with an easy method to build ISMS and the reduce cost of information security evaluation.

Development of the Information Security Methodology for Defense Organization (국방조직의 정보보호 평가 방법론 개발)

  • Cho, Sung Rim;Choi, In Soo;Park, Ji Hoon;Shin, Woo Chang
    • Journal of Information Technology Services
    • /
    • v.12 no.4
    • /
    • pp.77-90
    • /
    • 2013
  • As Cyber threats are rising, the scope of information Security (IS) is extending from technical protection of a single information system to organizational comprehensive IS capability. The ministry of National Defense (MND) has established the IS evaluation for defense organization in 'the Directive for Defense Informatization Affairs.' However, no information about an evaluation method, process and organization is provided. We surveyed information security management system (ISMS) and related best practices in public sector and other countries, and analysed the military information security affairs. Thus, this paper recommends the IS evaluation method and process. The trial IS evaluation is in progress this year and the MND will expand this IS evaluation to the entire organization.

Security Evaluation Criteria of Electronic Payment System (전자 지불 시스템의 보안 평가 기준)

  • 신장균;황재준
    • Proceedings of the CALSEC Conference
    • /
    • 1999.07b
    • /
    • pp.491-500
    • /
    • 1999
  • Recent increase of commercial network Integration to World Wide Web(WWW) shifts an ordinary commerce to electronic environment. This draws more people to examine re-assurance of their secure transaction. This study investigates current status of security methodology for Electronic Payment System and extracts important axis of security level for electronic payment. Using these axis as security evaluation criteria, the research proposes a security matrix which consists of four different level of security granularity, hence allowing evaluation of a nation-wide credit card based payment system. Feasible usage of this matrix contributes to security analysis of the electronic system as whole, hence providing better secured electronic environment.

  • PDF

A Study on Design Direction of Industry-Centric Security Level Evaluation Model through Analysis of Security Management System (보안관리체계 분석을 통한 산업중심 보안수준평가 모형 설계 방향 연구)

  • Bae, Je-Min;Kim, Sanggeun;Chang, Hangbae
    • The Journal of Society for e-Business Studies
    • /
    • v.20 no.4
    • /
    • pp.177-191
    • /
    • 2015
  • Recently, the necessity of systematic security management system that consider company' character and environment has appeared because of increasing security accident continuously in domestic companies. However, most of companies has applied to only K-ISMS which is existing information security management system, although They are different from object, purpose and way of security level evaluation by companies. According to this situation, Many experts have questioned that there are many problems with effectiveness of introducing security management system. In this study, We established definition of information security management system, industrial security management system and research security management system through analysis of previous study and developed evaluation item which can implement security in whole industry comparing and analyzing the control items of them. Also, we analyzed existing security level evaluation and suggest design direction of industry-centric security level evaluation model considering character of industry.

The Proposal of Security Evaluation Criteria for PKI Systems in Korea (국내 PKI 시스템 평가 기준 제안)

  • 심주걸;박택진;이철원;원동호
    • Journal of the Korea Institute of Information Security & Cryptology
    • /
    • v.12 no.3
    • /
    • pp.61-76
    • /
    • 2002
  • To ensure PKI systems' reliability, the security for PKI systems evaluation is required. But, unfortunately, the systematic security evaluation and certification of PKI systems is insufficient. In Korea, Firewall and intrusion detection system's security evaluation and certification has been enforced, but research of PKI systems’ evaluation is insufficient. This paper provides a PKI system evaluation criteria. This paper specifies a 7 level of the functional and assurance security requirements for a PKI system. And this PKI system evaluation criteria provides a compatibility with CC(Common Criteria) and KISES(Korea Information Security Evaluation Systems).

A Relationship between Security Engineering and Security Evaluation

  • Kim, Tai-Hoon
    • Convergence Security Journal
    • /
    • v.4 no.2
    • /
    • pp.71-75
    • /
    • 2004
  • The Common Criteria (CC) philosophy is to provide assurance based upon an evaluation of the IT product or system that is to be trusted. Evaluation has been the traditional means of providing assurance. It is essential that not only the customer' srequirements for software functionality should be satisfied but also the security requirements imposed on the software development should be effectively analyzed and implemented in contributing to the security objectives of customer's requirements. Unless suitable requirements are established at the start of the software development process, the re suiting end product, however well engineered, may not meet the objectives of its anticipated consumers. By the security evaluation, customer can sure about the quality of the products or sys tems they will buy and operate. In this paper, we propose a selection guide for If products by show ing relationship between security engineering and security evaluation and make help user and customer select appropriate products or system.

  • PDF