http://dx.doi.org/10.13089/JKIISC.2015.25.2.343

A Study on Information Access Control Policy Based on Risk Level of Security Incidents about IT Human Resources in Financial Institutions  

Sim, Jae-Yoon (Graduate School of Information Security, Korea University)
Lee, Kyung-Ho (Graduate School of Information Security, Korea University)
Abstract
The financial industry in South Korea has witnessed a paradigm shift from selling traditional loan and deposit products to diversified consumption channels and financial products. Consequently, the personalization of financial services has accelerated and the value of finance-related personal information has risen rapidly. As seen in the 2014 card company information leakage incident, most major finance-related information leakage incidents are caused by personnel with authorized access to the data in question. It is therefore strongly required to confirm whether the existing access control policy for personnel who can access a great deal of data has problems, and to complement that policy by considering the risk factors of information security. In this paper, based on information about IT personnel with access to sensitive finance-related data (job, position, sensitivity of accessible data) and on a survey result, we analyze the factors that influence personnel risk measurement and apply a data access control policy reflecting the analysis result to an actual case, so as to propose measures to minimize IT personnel risk in financial companies.
Keywords
RBAC; Sensitivity of Information; Risk Level of Security Incidents; Business Continuity;
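To illustrate the kind of policy the abstract describes, the following is an added example (not code from the paper or its authors): a plain RBAC check overlaid with a personnel risk level derived from the three factors the abstract names (job, position, sensitivity of accessible data). The datasets, roles, weights, thresholds and the "require approval" control are all constructed assumptions, not the paper's figures.

```python
from dataclasses import dataclass
from enum import IntEnum


class Sensitivity(IntEnum):
    PUBLIC = 1
    INTERNAL = 2
    CONFIDENTIAL = 3      # e.g. customer master records
    SECRET = 4            # e.g. card transaction data


# Constructed sample data: hypothetical datasets, roles and weights.
DATASET_SENSITIVITY = {
    "batch_logs": Sensitivity.INTERNAL, "test_db": Sensitivity.INTERNAL,
    "customer_master": Sensitivity.CONFIDENTIAL, "card_txn": Sensitivity.SECRET,
}
ROLE_PERMISSIONS = {          # plain RBAC: role -> datasets it may read
    "dba": {"customer_master", "card_txn"},
    "developer": {"test_db", "customer_master"},
    "operator": {"batch_logs"},
}
# Assumed weights for the factors named in the abstract; not the paper's numbers.
JOB_RISK = {"dba": 3, "developer": 2, "operator": 1}
POSITION_RISK = {"outsourced": 3, "contract": 2, "employee": 1}
# Highest sensitivity a person at each risk level may read without extra control.
RISK_CEILING = {"low": Sensitivity.SECRET, "medium": Sensitivity.CONFIDENTIAL,
                "high": Sensitivity.INTERNAL}


@dataclass
class Person:
    name: str
    job: str
    position: str
    roles: tuple


def permitted_datasets(person):
    return set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in person.roles))


def risk_score(person):
    # Sensitivity of the most sensitive data the person's roles can reach.
    reach = max((DATASET_SENSITIVITY[d] for d in permitted_datasets(person)),
                default=Sensitivity.PUBLIC)
    return JOB_RISK[person.job] * POSITION_RISK[person.position] * int(reach)


def risk_level(person):
    score = risk_score(person)
    return "high" if score >= 24 else "medium" if score >= 8 else "low"


def decide(person, dataset):
    if dataset not in permitted_datasets(person):
        return "deny"                  # RBAC alone refuses
    if DATASET_SENSITIVITY[dataset] > RISK_CEILING[risk_level(person)]:
        return "require_approval"      # risk overlay: second-person approval
    return "allow"
```

The point is that two people holding the same role can get different decisions for the same dataset once their personnel risk level is taken into account.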