A Study on the Implementation of Information Security Management Systems

Abstract

During the 1990s, global civilization went through a great change. Quality of life, preservation of our environment, and management of human health and safety all turned gradually toward universal consistency and toward a high level of standardization. Related international standards have influenced economic development as well as operations in corporate organizations. The best examples are compliance with the ISO 9000 series of standards for quality management and the ISO 14000 series for environmental protection. In the last month of the twentieth century, an international standard for the emerging field of information security management was adopted by ISO, the standardization body. The standard offers guidelines for establishing a reliable and safe environment for information processing and communication. In this article, the authors describe the approach and steps for the systematic implementation of information security management systems under the guidance of this newly adopted standard, ISO 17799.

Key Words: Information Policy, Information Security Management System, Risk Assessment, Risk Management, Standard
44 1. 2001 4 27 1.1 1.1 7 6,000 N.T.$1,300,000,000.- 41 [1] 1999 1998 U.S.$6,500,000.- U.S.$37,600,000.- 478%[6] 1999 12 18 [5] 1.1 1.1 (International Organization for Standardization, ISO) 2000 12 1 (Information technologycode of practice for information security management) ISO/IEC 17799[14] (Information Security Management System, ISMS) 1.1 1. 2001 4 27 1 / 6 2. 7 6,000 N.T.$1,300,000,000.- 41 3. 2 SOGO N.T.$300.-
45 1 N.T.$8,000.-~N.T.$9,000.- 1,200~1,300 N.T.$50,000.-~N.T.$70,000.- 1 N.T.$10,000,000.- 4. 7 ( ) ( ) ( 5. SOGO 6. ISO/IEC 17799 2000(E) (Covert Channels and Trojan Code) 20014 27 5 1.1
46 ISO/IEC 17799 ISMS ISO/IEC 17799 (British Standard Institute, BSi) 1999 BS7799 (Part 1) BS7799 (Part 2) (Specification for information security management systems)[9] (Certification Body)ISMS ISMS ISO/IEC 17799 BS7799 ISO/IEC 17799 1.2 2 3 ISMS 4 1.2 1. 1990 (Organization for Economic Cooperation and Development, OECD) 2. 1992 OECD 1992 11 26 3. 1993 4. 1995 BS7799 (International Organization for Standardization, ISO) ISO DIS 14980 5. 1996 BS7799 (ISO) 1996 2 24 6 6. 1997 6.1 OECD 1997 3 27 6.2 7. 1998 7.1 BS7799 7.2 1995 10 1998 10 25 (Adequacy Standard) 8. 1999 BS7799 ISO 9. 2000 BS7799 2000 12 1 ISO ISO/IEC 17799 10. 2001 (?): ISO 17799 BS7799
47 2. 2.1 2.2 2.1 1996 8 6 AOL 24 1. 1. U.S. $3,000.000.- 2. 2. U.S. $80,000,000.- 1998 4 13 AT&T 6~26 1. U.S. $40,000,000.- 1999 2 3 ~1999 3 3 E*Trade 1999 2 24 Charles ~1999 4 21 Schwab& Co. 2. 5 1. 2. 1999 2 5 22% 4 1. 1. 2. 2. U.S. $70,000,000.- 1999 6 12 ebay 2 1.U.S. $3,000,000.-~U.S. $4,000,000.- 2. 26% 20% 40% 40% ISO/IEC 17799 ( )
48 2.2 1. 1.1 200173 5 / 1.2 200173 3 / 1.3 200173 3 / 2. 2,000 3. 20016304 4. 2 5. SET(Secure Electronic Transaction) 6. ISO/IEC 17799 (Systems Development and Maintenance) (User Registration) 1. 2. 3. 4. 5. BS7799-2 2.1
49 1 2 ISMS ISMS, 3, 4 BS 7799, 5 BS 7799 6 ISMSInformation Security Management System 1. ( ) 2. 3. (Risk Analysis) (Risk Evaluation) (Gap Analysis) (Patch) [4] 4. 5. ISO/IEC 17799 6.
50 7. BS7799 ISO/IEC 17799 BS7799 P-D-C-A (Plan-Do-Control-Action) BS7799 3. ISO/IEC 17799 BS7799 ISO/IEC 17799 BS7799 [12] (Risk Assessment) / 3.1 [13] 3.2 3.3 3.4 3.5 3.6 3.1 (Risk Management)
51 4 4
52 3.1
53 3.1 () 3.2IEC(International Electrotechnical Commission)1508 3.3IEC 1508
54 (Catastrophic) (Critical) (Marginal) (Negligible) 3.4 (Certificate Authority, CA) 3.5 http://www.caida.org/analysis/security/code-red (2001)7 19 250000 (code-red) (worm)[8] 4% ( (Microsoft) 6 18 ) 3.2
55 [7] 3.5 3.1 3.3 BS7799-2 [3,15,17] 1. 2. (Hazard) 3. (Estimation) (Evaluation) 1. (Tolerability) 2. 1. 2. 3. (Assessment) (Management)
56 3.6 3.1 1. 1.1 1.2 1.3 2. 2.1 2.2 2.3 (Guidelines) 3. 3.1 3.2 3.3 [11] 3.2 1. 1.1 (2001)2001 Web 76~90 1.2 (2001) 11 107~116 1.3 (2001) 82001613 2. 21664Web 1.1 82.5% 3. 2000522~20001121 43 50 1.2 18% 24%16%42% 4. 200159~2001510
57 520 1 (Worm) 1.3 562 5. ISO/IEC 17799 2000(E) (Malicious Software) (Scanner) (Patch)
58 3.3BS7799-2 2002 BS7799-2 1999 1. 2. 1. 2. ISO/IEC 15026 3. 2. ISO/IEC 15408 1. 2. ISO/IEC 15026 2. ISO/IEC 15408 3. ISO/IEC 15504 1. 2. ISO/IEC 15026 2. ISO/IEC 15408 3. ISO/IEC 15504 4. NIST FIPS 140-2 1. 2. 3. 3.3 1997 (Federal Deposit Insurance Corporation, FDIC) (Division of Supervision, DOS) [2](Electronic Banking Safety and Soundness Examination Procedures,
59 S&S Exam.) 1. (Level 1) (Information-only) 2. (Level 2) (Electronic Information Transfer) 3. (Level 3) (Fully Transactional Information) 3.6 1. 2. BS7799-2 4.1~4.10 (BS7799-2 3.6) 3-6
60 4. [10,16] (Policy) (Guideline) (Standard) (Procedure) (Control) 1. 2. 3. 4.
61 1. (Guideline) (Guideline) (must) (should) (universal application)( ) 2. (Standard) 3. (Procedure) ( ) 4. (Control) ( )
62 1. 2. 3. 4. 5. 6. 7.
63 8. (Fundamental Conceptual Models) ( ) [1] 2001 4 27 [2] 1999 [3] 2001 [4] 2001 Web 2001 76-90 [5] 1999 12 18
64 [6] (2001 5 21~25 ) [7] 2000 1(1), 29-38 [8] / 31 / 31 2001 8 1 11 [9] BSi, Information security management Part 2: Specificatoin for information security management systems, BS7799-2:1999, BSi. [10] Cresson, C., Information Security Polices Made Easy, Version 7, Accu-Disk, 1999. [11] Eckes, G., The Six Sigma Revolution, Wiley, 2000. [12] Eloff, M.M. and Von Solms S.H., Information security Management: An Approach to Combine Process Certification and Product Evaluation, Computers and Security, 19(8), 2000, 698-709. [13] ISO, Banking and Related financial services Information security guidelines, ISO/TR 13569:1997(E), ISO. [14] ISO, Information TechnologyCode of practice for information security management,iso/iec 17799:2000 (E), ISO. [15] NIST(National Institute of Standards and Technology), Security Requirements for Cryptographic Modules, FIPS (Federal Information Processing Standard)PUB (Publication) 140-2, 2001, NIST. [16] Peltier, T.R., Information Security Policies and Procedures, Auerbach, 1999. [17] Siponen, M.T., A Paradigmatic Analysis of Convention Approaches for Developing and Managing Secure IS, IFIP (International Federation for Information Processing)/Sec01, 2001, 437-452.
65