A Security Evaluation Model in Aspects of Product, Process and Control

An Integrated Security Evaluation Model from the Perspectives of Product, Process and Control

  • Published: 2005.04.01

Abstract

As the evaluation of information security has become an important issue, numerous security evaluation methods have been proposed. These methods can be broadly categorized into three aspects: product, process and control. In this paper we identify the problems that may occur when a one-sided security evaluation is conducted, that is, one based on the product, process or control aspect alone, present actual examples of the threats involved, and propose an approach to resolve each problem. Based on these approaches, we propose a security evaluation model that incorporates all three aspects of product, process and control.

The evaluation of information security has grown in importance, and security evaluation methodologies have been proposed. These methodologies can be broadly classified into three perspectives: product-centric, process-centric and control-centric. In this paper we identify the problems, and actual examples of threats, that arise when security evaluation is performed from only one of the product, process or control perspectives. To resolve these problems, we propose a security evaluation model that integrates the three perspectives of product, process and control.
