
Advanced Information Security Management Evaluation System

  • Jo, Hea-Suk (Authentication Service Division, Financial Security Agency)
  • Kim, Seung-Joo (CIST (Center for Information Security Technologies), Korea University)
  • Won, Dong-Ho (Information Security Group, School of Information and Communication Engineering, Sungkyunkwan University)
  • Received : 2011.01.19
  • Accepted : 2011.05.29
  • Published : 2011.06.28

Abstract

Information security management systems (ISMSs) are used by governments and business organizations to manage information about their customers and themselves, following advances in e-commerce, open networks, mobile networks, and Internet banking. This paper explains the existing ISMSs and presents a comparative analysis of the different types of ISMS. Through this analysis we identify issues within the existing ISMSs, and on that basis we propose the development of an information security management evaluation system (ISMES). The method can be applied both as a self-evaluation by the organization and as an evaluation of the organization by an evaluation committee. The contribution of this study is to enable an organization to benchmark and improve its information security level. The case study also provides a business organization with an easy method for building an ISMS and reducing the cost of information security evaluation.

Cited by

  1. Development of an Information Security Evaluation Methodology for Defense Organizations, vol.12, pp.4, 2011, https://doi.org/10.9716/kits.2013.12.4.077
  2. A holistic cyber security implementation framework vol.22, pp.3, 2011, https://doi.org/10.1108/imcs-02-2013-0014
  3. Aligning Two Specifications for Controlling Information Security, vol.4, pp.2, 2011, https://doi.org/10.4018/ijcwt.2014040104
  4. A Study on the Impact Analysis of Security Flaws between Security Controls: An Empirical Analysis of K-ISMS using Case-Control Study vol.11, pp.9, 2017, https://doi.org/10.3837/tiis.2017.09.022
  5. A Study on Key Control Areas for Information Security Management Systems: Focusing on Financial Organizations, vol.19, pp.6, 2011, https://doi.org/10.7472/jksii.2018.19.6.9
  6. Cybersecurity vulnerability mitigation framework through empirical paradigm: Enhanced prioritized gap analysis, vol.105, 2011, https://doi.org/10.1016/j.future.2019.12.018