Development of Security Metrics of Enterprise Security Management System

  • Yang, Hyo-Sik (Samil PricewaterhouseCoopers IT Risk & Security)
  • Received : 2017.10.11
  • Accepted : 2017.12.20
  • Published : 2017.12.28

Abstract

As new information technologies emerge, companies are adopting Enterprise Security Management (ESM) systems to cope with the security threats that come with them; by interoperating the individual security solutions, an ESM system reduces redundant investment and wasted resources while countering those threats. To demonstrate that an ESM system actually meets its security requirements, a security evaluation metric grounded in the relevant standards is needed. This study therefore analyzes the security-quality requirements of ESM systems and constructs a metric for measuring the degree to which those requirements are satisfied. The metric unifies security evaluation under ISO/IEC 15408 and the ISO/IEC 25000 series, so that a single assessment satisfies both. It is expected that this will establish a model for evaluating the security quality level of ESM systems and, in the future, lead to a standardized evaluation method for ESM systems.

References

  1. Deuk-Soo Kang, Hae-Sool Yang, "Evaluation Items of ESM S/W by Case Analysis", Journal of the Korea Contents Association, The Korea Contents Society, p.84, August 2010.
  2. Hyung-Ho Kang, "A Study on the Improvement of Alert Function in ESM for Effective Attack Detection", Master's thesis, Sungkyunkwan University, 2014.
  3. Korea Internet & Security Agency, "Cyber Threat Trend Report for the 2nd Quarter 2017", July 2017.
  4. ComputerWeekly.com, "Security audits reveal poor state of corporate cyber defences", August 4, 2017.
  5. ISO/IEC 9126-1:2001, Software engineering -- Product quality -- Part 1: Quality model, 2001.
  6. ISO/IEC 9126-2:2003, Software engineering -- Product quality -- Part 2: External metrics, 2003.
  7. ISO/IEC 25010, "Systems and software engineering -- Systems and software Quality Requirements and Evaluation (SQuaRE) -- System and software quality models", 2011.
  8. ISO/IEC 15408, Information technology -- Security techniques -- Evaluation criteria for IT security, 1999.
  9. Jae-Woo Im, "Refining Software Vulnerability Analysis under ISO/IEC 15408 and 18045", Journal of the Korea Institute of Information Security & Cryptology, Vol.24, No.5, pp.969-974, October 2014. https://doi.org/10.13089/JKIISC.2014.24.5.969
  10. Ji-Hoon Jeong, Goang-Taek Han, Heui-Bong Choi, Gang-Soo Lee, Young-Soo Kim, Gap-Seung Go, "Enterprise Security Management System Protection Profile V2.0", National Security Research Institute & Hannam University, September 2008.
  11. Ha-Yong Lee, Jung-Gyu Kim, "Efficiency Evaluation Convergence Model of Virtual Private Network based on CC and ISO Standard", The Journal of Digital Convergence, Vol.13, No.15, pp.169-176, 2015.
  12. Ha-Yong Lee, Hyo-Sik Yang, "Convergence Performance Evaluation Model for Intrusion Protection System based on CC and ISO Standard", The Journal of Digital Convergence, Vol.13, No.15, pp.251-257, 2015.
  13. ISO/IEC 25020, "Software product Quality Requirements and Evaluation (SQuaRE) -- Measurement reference model and guide", 2007.
  14. ISO/IEC 25030, "Software product Quality Requirements and Evaluation (SQuaRE) -- Quality requirements", 2007.
  15. ISO/IEC 25040, "Systems and software engineering -- Systems and software Quality Requirements and Evaluation (SQuaRE) -- Evaluation process", 2011.
  16. ISO/IEC 25051, "Software engineering -- Systems and software Quality Requirements and Evaluation (SQuaRE) -- Requirements for quality of Ready to Use Software Product (RUSP) and instructions for testing", 2014.
  17. ISO/IEC 25041, "Systems and software engineering -- Systems and software Quality Requirements and Evaluation (SQuaRE) -- Evaluation guide for developers, acquirers and independent evaluators", 2012.