A Risk Management Model for Efficient Domestic Information Technology Security


  • Ahn, Choon-soo (Department of Industrial Engineering, Dongguk University)
  • Cho, Sung-Ku (Department of Industrial Engineering, Dongguk University)
  • Published: 2002.03.31

Abstract

For risk analysis and risk assessment techniques to be applied effectively in information technology (IT) security, the required activities, the specific techniques to be used, and the order in which they are applied must be determined through a proper risk management model. If the adopted risk management model does not match the characteristics of the host organization, security management becomes inefficient. This paper proposes a risk management model that can be adapted well to Korean domestic IT environments, for efficient IT security management. The structure and flow of existing IT-related risk management models are compared and analysed, and their common and/or strong characteristics are extracted and incorporated into the proposed model in the light of the typical threat types observed in Korean IT environments.
