A study on primary control areas for information security management systems (ISMS): focusing on finance-related organizations

  • Received : 2018.08.07
  • Accepted : 2018.09.14
  • Published : 2018.12.31


Across the financial service industry, organizations have introduced and operated management systems such as an information security management system (ISMS), a personal information protection management system and a business continuity management system in order to protect and maintain customers' financial information and financial services appropriately. This study starts from the premise that it is desirable for the financial sector to consider an ISMS, and that the ISMS can take different forms in different organizations depending on their information security culture, working practices and guidelines. It derives the primary control areas of the ISMS by analyzing non-conformity trends and control factors found in certification audits of finance-related organizations that adopted ISO27001, the internationally recognized ISMS standard that is widely known and applicable regardless of the area of financial service. Through case analyses of five finance-related organizations operating an ISMS, the study analyzes the improvement effect of the ISMS on the level of information security. Although data for an empirical study were difficult to obtain because few organizations in the financial sector maintain certification, the study is meaningful as initial research. The analysis shows that the number of non-conformities decreased every year over the three-year cycle following the initial audit. Physical and environmental security, communications and operations management, and access control, the areas with the highest frequency of non-conformity, accounted for 23%, 19% and 17% respectively, 59% in total, and are therefore derived as the primary control areas. The results indicate that an ISMS can address technical, managerial and physical security issues that have not been treated as important in the financial sector, and that an ISMS can be an effective management system applicable to the financial service industry.


(Figure 1) Degree of relationship among control items of domestic ISMS and ISO27001

(Figure 2) Comparison among BS7799, ISO 27001:2005 and ISO 27001:2013 based on five categories

(Figure 3) Comparison between controls deleted from ISO 27001:2005 and controls added in ISO 27001:2013, based on five categories

(Figure 4) Trends of worldwide ISO27001 certification (unit: cases)

(Figure 5) Types of certification audit

(Figure 6) Non-conformity trends after introducing the ISMS

(Figure 7) Primary information security control areas of finance-related organizations

(Table 1) ISMS certification criteria

(Table 2) Cumulative number of domestic ISMS certificates issued (unit: cases)

(Table 3) Certification by industrial sector

(Table 4) Organizations analyzed for the improvement effect on information security level following ISO27001 introduction

(Table 5) Frequency of non-conformity by ISO27001:2005 control area

(Table 6) Security measures according to ISO/IEC TR 27015:2012



Cited by

  1. A study on primary control areas for information security management systems: focusing on three domestic industries, vol. 22, pp. 4, 2021