A Case Study of Business Process Centered Risk Analysis for Information Technology Security

A Case Study of Applying Business Process Centered Information Technology Security Risk Analysis: Focusing on Client/Server Systems

  • Ahn, Choon-Soo (Department of Industrial System Engineering, Dongguk University) ;
  • Cho, Sung-Ku (Department of Industrial System Engineering, Dongguk University)
  • Received : 2003.08
  • Accepted : 2003.09
  • Published : 2003.12.31

Abstract

Due to the increasing complexity of the information systems environment, modern information systems face more difficult and diverse security risks than ever, thereby calling for a higher level of security safeguards. In this paper, an information technology security risk management model, modified by adopting the concept of business processes, is applied to client/server distributed systems. The results demonstrate a high level of risk-detecting performance of the model, which identifies various kinds of security risks. In addition, a practical and efficient security control safeguard to cope with the identified security risks is suggested. Namely, using the proposed model, the risks to the assets in both the I/O stage (on the client side) and the request/processing stage (on the server side), which can cause serious problems for business processes, are identified and the levels of the risks are analyzed. The analysis results show that maintenance of management and access control to application systems are critical in the I/O stage, while managerial security activities, including training, are critical in the request/processing stage.
