
A Study on the Improvement of Information Security Management Condition Evaluation in Public Sector through the SCAP Analysis by NIST in U.S.

A Study on Improving the Information Security Management Condition Evaluation System for Public Institutions through Analysis of the U.S. NIST Security Content Automation Protocol (SCAP)

  • Received : 2019.07.17
  • Accepted : 2019.08.21
  • Published : 2019.08.31

Abstract

The 129 public institutions in Korea are subject to the Information Security Management Condition Evaluation (ISMCE) as part of the government management evaluation system run by the Ministry of Economy and Finance. ISMCE began in 2006 with the central government institutions and was extended to all public institutions in 2009. The evaluation is conducted annually by the National Intelligence Service through site visits, and the number of evaluated institutions is increasing year by year. However, one step of ISMCE, identifying existing vulnerabilities in the information system, is still carried out manually. To address this inconvenience, this paper introduces the various evaluation systems used in major countries, especially the United States, and analyzes the Security Content Automation Protocol (SCAP) developed by NIST. SCAP is an automation protocol for system vulnerability management (in technical fields) and security policy compliance evaluation. Based on SCAP, this paper suggests an improvement plan for the ISMCE of Korea.

