http://dx.doi.org/10.7472/jksii.2018.19.6.9

A study on primary control area for information security management system (ISMS): focusing on the finance-related organizations  

Kang, Youn-chul (Department of Digital Management, Korea University)
Ahn, Jong-chang (Department of Information Systems, Hanyang University)
Publication Information
Journal of Internet Computing and Services, vol. 19, no. 6, 2018, pp. 9-20
Abstract
The financial service industry has introduced and operates management systems such as the information security management system (ISMS), the personal information security management system, and the business continuity management system to protect customers' financial information and keep financial services running as intended. This study starts from the premise that financial institutions should give the ISMS dedicated consideration, and that an ISMS may take different forms across organizations depending on their culture, working practices, and information security guidelines. It derives the primary control areas of an ISMS by analyzing non-conformity trends and control factors recorded in certification audits of finance-related organizations that adopted ISO/IEC 27001, the international ISMS standard that is widely known and applicable across every area of the financial service industry. Through case analyses of five finance-related organizations operating an ISMS, the study also analyzes the improvement effects of the ISMS. Because few organizations in the financial sector maintain certification, data for an empirical study were difficult to obtain, so this work should be read as an initial study. The results show that the number of non-conformities decreased every year from the first audit through the third year. Physical and environmental security, communications and operations management, and access control had the highest non-conformity frequencies, at 23%, 19%, and 17% respectively (59% in total), and are therefore derived as the primary control areas. An ISMS can address technical, managerial, and physical security issues that the financial industry has not treated as important. In addition, the study shows that an ISMS can be an effective management system for the financial service industry.
Keywords
Personal information security management system; Non-conformity trends; Business continuity management system; Certification audit; Information security management system; Control area;