http://dx.doi.org/10.3745/KIPSTC.2003.10C.4.423

A Study on Business Process Based Asset Evaluation Model and Methodology for Efficient Security Management over Telecommunication Networks

Woo, Byoung-Ku (National Security Research Institute)
Lee, Gang-Soo (Department of Computer Engineering, Hannam University)
Chung, Tai-Myoung (School of Information and Communication Engineering, Sungkyunkwan University)
Abstract
Security management and standardized asset analysis are essential for telecommunication networks; however, existing risk analysis methods and tools do not give concrete shape to a method for evaluating the value of assets. They only support asset classification schemes. Moreover, since the existing asset classification schemes are designed to evaluate comprehensive general risk, they are not appropriate for application to telecommunication networks, and they offer no solution to the problem of an evaluator's subjectivity. In this paper, to solve these problems, we introduce a standardized definition of an asset evaluation model, a new asset classification scheme, a two-dimensional asset-process classification scheme that considers both business process and asset, and various evaluation standards for quantitative value and qualitative evaluation. To settle the evaluator's subjectivity problem, we propose a $\beta$-distribution Delphi method.
Keywords
Risk Analysis; Asset Classification Schemes; Asset Evaluation Model; Security Management
Citations & Related Records
Times Cited By KSCI: 1