Domain 4. Information Security Management
박형근
Outcomes of ISM
• Strategic alignment
• Risk management
• Value delivery
• Resource management
• Performance measurement
• Integration of assurance functions
ISM Standard
• Process – ISO 9001:2000, BS 7799-2:2002, CMM, ITIL/ITSM, ISM3
• Controls – ISO/IEC 13335-4, BSI IT Baseline Protection Manual (ITBPM), COBIT
• Product – Common Criteria
• Risk analysis – OCTAVE, MAGERIT
• Best practices – ISO 17799:2002, COBIT, ISF Standard of Good Practice (SGP)
SLA(Service Level Agreement) for Security
• Critical patch application
• Security product signature updates
• 24x365 monitoring and response
• Report the incident status within 2 hours of occurrence, and submit a root-cause report within 4 hours
• Handle security configuration and policy change requests within 48 hours in the normal case, and within 4 hours in an emergency
• Security assurance – configuration and vulnerability
• Account and ACL provisioning and de-provisioning time
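The SLA items above only become enforceable once they are measured. The following Python checker is an added example, not part of the original slides: it turns the stated targets (2 h status report, 4 h cause report, 48 h normal / 4 h emergency change handling) into per-ticket outcomes and an aggregate compliance percentage. The ticket field names, the constructed sample tickets, and the rule that an open item counts as pending until its target has elapsed are assumptions for illustration.

```python
from datetime import datetime, timedelta

# SLA targets as stated on the slide.
INCIDENT_STATUS_REPORT = timedelta(hours=2)   # incident status report within 2 h of occurrence
INCIDENT_CAUSE_REPORT = timedelta(hours=4)    # root-cause report within 4 h of occurrence
CHANGE_NORMAL = timedelta(hours=48)           # config/policy change request, normal case
CHANGE_EMERGENCY = timedelta(hours=4)         # config/policy change request, emergency


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


def outcome(start, end, target, as_of):
    """Classify one SLA clock as 'met', 'breached', or 'pending'.

    An open item (end is None) is 'pending' until the target elapses relative
    to as_of, after which it is 'breached' (assumed rule, not from the slide).
    """
    if end is not None:
        return "met" if parse_ts(end) - start <= target else "breached"
    return "breached" if as_of - start > target else "pending"


def check_incident(inc, as_of):
    occurred = parse_ts(inc["occurred"])
    return {
        "status_report": outcome(occurred, inc.get("status_reported"), INCIDENT_STATUS_REPORT, as_of),
        "cause_report": outcome(occurred, inc.get("cause_reported"), INCIDENT_CAUSE_REPORT, as_of),
    }


def check_change(chg, as_of):
    target = CHANGE_EMERGENCY if chg["emergency"] else CHANGE_NORMAL
    return {"change_handling": outcome(parse_ts(chg["requested"]), chg.get("completed"), target, as_of)}


def sla_report(incidents, changes, as_of):
    """Aggregate per-metric compliance; pending items are left out of the denominator."""
    counts, breaches = {}, []
    rows = [(i["id"], check_incident(i, as_of)) for i in incidents]
    rows += [(c["id"], check_change(c, as_of)) for c in changes]
    for item_id, result in rows:
        for metric, state in result.items():
            c = counts.setdefault(metric, {"met": 0, "breached": 0, "pending": 0})
            c[state] += 1
            if state == "breached":
                breaches.append((item_id, metric))
    compliance = {}
    for metric, c in counts.items():
        closed = c["met"] + c["breached"]
        compliance[metric] = round(100.0 * c["met"] / closed, 1) if closed else None
    return {"compliance_pct": compliance, "breaches": breaches, "counts": counts}


# Constructed sample tickets (assumed layout; not real data).
INCIDENTS = [
    {"id": "INC-1", "occurred": "2024-03-01 09:00", "status_reported": "2024-03-01 10:30", "cause_reported": "2024-03-01 12:30"},
    {"id": "INC-2", "occurred": "2024-03-02 22:00", "status_reported": "2024-03-03 01:00", "cause_reported": "2024-03-03 02:00"},
    {"id": "INC-3", "occurred": "2024-03-05 08:00", "status_reported": "2024-03-05 08:40", "cause_reported": None},
]
CHANGES = [
    {"id": "CHG-1", "emergency": False, "requested": "2024-03-01 09:00", "completed": "2024-03-02 15:00"},
    {"id": "CHG-2", "emergency": True, "requested": "2024-03-01 10:00", "completed": "2024-03-01 15:00"},
    {"id": "CHG-3", "emergency": False, "requested": "2024-03-04 09:00", "completed": None},
]
AS_OF = parse_ts("2024-03-05 13:00")

if __name__ == "__main__":
    import json
    print(json.dumps(sla_report(INCIDENTS, CHANGES, AS_OF), indent=2))
```

With the sample data, INC-2 misses the 2 h status report (3 h), INC-3 has no cause report 5 h after occurrence, and the emergency change CHG-2 took 5 h against a 4 h target; CHG-3 is still open but within its 48 h window, so it is reported as pending rather than breached. Separating "pending" from "breached" matters in practice, otherwise a report run mid-window penalises work that is still on track.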
Security Review and Testing
• Review policies
• Develop the security matrix
• Review security documentation
• Review audit capability and its use
• Review security patch and update releases for all components
• Run analysis tools
• Correlate all information
• Develop the report
• Make recommendations to correct the problems found
Security Awareness Program
• Identify program scope, goals, and objectives
• Identify training staff
• Identify target audiences
• Motivate management and employees
• Administer the program
• Maintain the program
• Evaluate the program
Security Awareness with Corp. Culture
• Live/interactive presentations and computer-based training (CBT)
• Publishing/distribution – posters, newsletters, bulletins, security portal
• Incentives – recognition
• Reminders – login banner messages, mugs, pens, sticky notes, mouse pads