• Title/Summary/Keyword: ISMS Certification

Search Result 47, Processing Time 0.023 seconds

Improvements of Information Security Level in Electronic Financial Infrastructure(By Analyzing Information Security Management Level) (전자금융기반시설 정보보호 수준강화 방안 (정보보호 관리수준 분석을 통한))

  • Park, Keun-dug;Youm, Heung-youl
    • Journal of the Korea Institute of Information Security & Cryptology
    • /
    • v.26 no.6
    • /
    • pp.1605-1618
    • /
    • 2016
  • In recent years, security incidents - such as personal information leakage, homepage hacking, DDoS and etc. - targeting finance companies(banks, securities companies, credit card companies, insurance companies and etc.) have increased steadily. In this paper, we analyze problems of information security management level in the existing electronic financial infrastructure from perspective of compliance and information security certification system and propose improvements to enable sustainable high level of information security activities under a comprehensive management system for the financial sector characteristics using ISMS, SECU-STAR and CNIVAM system.

Comparing Qualifications of Korea and US Information Security Consultants: Focused on Job Ads (한국과 미국의 정보보호 컨설턴트의 자격요건 비교: 구인광고를 중심으로)

  • Lim, Jae-Jung;Kim, Ha-Young;Kim, Tae-Sung
    • Journal of the Korea Institute of Information Security & Cryptology
    • /
    • v.27 no.5
    • /
    • pp.1157-1166
    • /
    • 2017
  • Demand for information security consulting is increasing as the number of major information infrastructure facilities in the country is increasing and the subject of ISMS mandatory certification is expanded. The demand for manpower also increases, but the manpower to meet the needs of industry is scarce. In order to cultivate the manpower that meets the demand, the demand of the industry should be grasped first. Therefore, this study collected and analyzed job advertisements in Korea and the United States in order to grasp the needs of industry. This will contribute to the development of policy to cultivate human resources of consultants in accordance with the future demand of the enterprise, and ultimately it will be able to solve the quality disparity of security consulting personnel.

A Study on ISMS-P Controls for Hyper Scale Cloud (하이퍼 스케일 클라우드에 적합한 정보보호 및 개인정보보호 관리체계 인증 통제항목 연구)

  • Yong-Nyuo Shin
    • The Journal of the Institute of Internet, Broadcasting and Communication
    • /
    • v.23 no.3
    • /
    • pp.19-26
    • /
    • 2023
  • Critical information infrastructure designations for cloud service providers continue to spread around the world as energy, financial services, health, telecommunications, and transportation sectors move to the cloud. In addition, in the case of Ukraine, the removal of restrictions on the use of cloud for national critical facilities and the rapid transition of critical data to the cloud enabled the country to effectively respond to cyberattacks targeting Russian infrastructure. In Korea, the ISMS-P is operated to implement a systematic and comprehensive information protection management system and to improve the level of information protection and personal information protection management in organizations. Control items considering the cloud environment have been modified and added to the audit of companies. However, due to the different technical levels of clouds between domestic and global, it is not easy to obtain information on the findings of cloud providers such as Microsoft for the training of domestic certification auditors on hyperscale scale. Therefore, this paper analyzes findings in hyperscale clouds and suggests ways to improve cloud-specific control items by considering the compatibility of hyperscale environments with ISO/IEC 27001 and SOC(System and Organization Control) security international standards.

A study for Information Security Risk Assessment Methodology Improvement by blockade and security system level assessment (봉쇄와 보안장비 수준평가를 통한 정보보호 위험평가 개선 연구)

  • Han, Choong-Hee;Han, ChangHee
    • Convergence Security Journal
    • /
    • v.20 no.4
    • /
    • pp.187-196
    • /
    • 2020
  • In order to manage information security risk, various information security level evaluation and information security management system certification have been conducted on a larger scale than ever. However, there are continuous cases of infringement of information protection for companies with excellent information security evaluation and companies with excellent information security management system certification. The existing information security risk management methodology identifies and analyzes risks by identifying information assets inside the information system. Existing information security risk management methodology lacks a review of where cyber threats come from and whether security devices are properly operated for each route. In order to improve the current risk management plan, it is necessary to look at where cyber threats come from and improve the containment level for each inflow section to absolutely reduce unnecessary cyber threats. In addition, it is essential to measure and improve the appropriate configuration and operational level of security equipment that is currently overlooked in the risk management methodology. It is necessary to block and enter cyber threats as much as possible, and to detect and respond to cyber threats that inevitably pass through open niches and use security devices. Therefore, this paper proposes additional evaluation items for evaluating the containment level against cyber threats in the ISMS-P authentication items and vulnerability analysis and evaluation items for major information and communication infrastructures, and evaluates the level of security equipment configuration for each inflow.

Improvement Research for Information Protection Management System of Small and Medium Enterprises (중소기업의 정보보호 관리체계 개선방안 연구)

  • Hye-Joung Yun;Yong-Woo Lee;Hee-Doo Heo;Sam-Hyun Chun
    • The Journal of the Institute of Internet, Broadcasting and Communication
    • /
    • v.23 no.2
    • /
    • pp.15-20
    • /
    • 2023
  • Recently, digitalization is accelerating in all industries, and the use of information and personal information produced and used in the process of it is very important for the success or failure of a company. However, malicious attempts to steal or leak major information and personal information of a company as an adverse effect continue to increase, and appropriate defense and response are absolutely necessary. However, in the case of small and medium-sized enterprises, the priority of information protection and the possession of professional manpower are very insufficient compared to large enterprises. This paper studies the certification and audit implemented in Korea, and suggests ways to expand the certification of the information protection system suitable for SMEs and improve the effectiveness of the support system through the expansion of the privacy law notification standard and operation of support system.

Proposal of Security Control Plan for Outsourcing Personnel Based on Integrated ISMS and PIMS Certification Schemes (ISMSP와 PIMS 인증 제도 통합에 따른 외주인력 보안통제 방안 제시)

  • LEE, Hyun-Seok;Won, Dong-ho
    • Annual Conference of KIPS
    • /
    • 2018.05a
    • /
    • pp.224-227
    • /
    • 2018
  • 국민의 편의성과 효율성 제고를 위한 온라인 대국민 서비스가 증가함에 따라 보안 사고들이 빈번하게 일어나며, 인적작원을 통해 많은 개인정보가 유출되고 있다. 이에 따라서 정부에서 ISMS와 PIMS 인증제도를 통하여 안정성을 확보하기 위한 제도를 내놓았다. 하지만 두 가지 인증제도의 중복항목으로 담당자들의 업무 부담이 늘며 이를 통합을 발표하였다. 저자는 인증제도의 인력항목을 좀 더 효율적으로 관리 할 수 방안을 제시하고자 한다.

Prioritize Security Strategy based on Enterprise Type Classification Using Pair Comparison (쌍대비교를 활용한 기업 유형 분류에 따른 보안 전략 우선순위 결정)

  • Kim, Hee-Ohl;Baek, Dong-Hyun
    • Journal of Korean Society of Industrial and Systems Engineering
    • /
    • v.39 no.4
    • /
    • pp.97-105
    • /
    • 2016
  • As information system is getting higher and amount of information assets is increasing, skills of threatening subjects are more advanced, so that it threatens precious information assets of ours. The purpose of this study is to present a strategic direction for the types of companies seeking access to information security. The framework classifies companies into eight types so company can receive help in making decisions for the development of information security strategy depending on the type of company it belongs to. Paired comparison method survey conducted by a group of information security experts to determine the priority and the relative importance of information security management elements. The factors used in the security response strategy are the combination of the information security international certification standard ISO 27001, domestic information protection management system certification K-ISMS, and personal information security management system certification PIMS. Paired comparison method was then used to determine strategy alternative priorities for each type. Paired comparisons were conducted to select the most applicable factors among the 12 strategic factors. Paired comparison method questionnaire was conducted through e-mail and direct questionnaire survey of 18 experts who were engaged in security related tasks such as security control, architect, security consulting. This study is based on the idea that it is important not to use a consistent approach for effective implementation of information security but to change security strategy alternatives according to the type of company. The results of this study are expected to help the decision makers to produce results that will serve as the basis for companies seeking access to information security first or companies seeking to establish new information security strategies.

Audit Method for Personal Information Protection in On-line Games (온라인게임에서 개인정보보호 감리 모형)

  • Kim, Hee-Wan;Shin, Joong-Won;Kim, Dong-Soo
    • Journal of Digital Convergence
    • /
    • v.10 no.3
    • /
    • pp.23-37
    • /
    • 2012
  • Illegal game players' hacking and propagation of malignant code in online game exposes privacy of online game customers. So, online game companies have to support the standardized systems and operations of customers' privacies. Since online game companies implement authentication of information protection, which focuses on assets or physical, systemic security, they need a more professional system that is related to protection of individual privacy. We analyzed the individual information protection system, which includes ISO27001, ISMS of KISA, GMITS, ePrivacy, online game privacy protection guide, and BS10012. Using the suggested systems, we proposed the systemic tools that measure the level of individual information protection, which includes process and check items of each phase.

A Study for Limitations and Improvement of Information Security Management System (정보보호 관리의 한계점과 개선방안에 관한 연구)

  • Lee, Sujin;Choi, Sang-Yong;Kim, JaeKyoung;Oh, ChungShick;Seo, Changho
    • Journal of Digital Convergence
    • /
    • v.12 no.2
    • /
    • pp.563-570
    • /
    • 2014
  • As information security is becoming more important today, efforts in managing information security more efficiently is becoming greater. Each department such as Ministry of Security and Public Administration, Ministry of Science, Ministry of Education, National Intelligence Service, etc. is established screening criteria for information security and conducted the evaluation. Various information security certification and evaluation for public institutions effectively help to improve the level of information security. However, there are limitations of efficient security management because the examination to be performed frequently by each department. In this paper, we analyze screening criteria of the information security management that is being conducted in the public institutions. We also present limitations of information security management and the direction of improving the limitations.

A Study on the Improvement of Personal Information Protection in Small and Medium-sized Medical Institutions (중소형 의료기관의 개인정보 보안실태 및 개선방안)

  • Shin, Min ji;Lee, Chang Moo;Cho, Sung Phil
    • Convergence Security Journal
    • /
    • v.19 no.4
    • /
    • pp.123-132
    • /
    • 2019
  • Rapid developments of IT technology has been creating new security threats. There have been more attacks to get patients' sensitive personal information, targeting medical institutions that are relatively insufficient to prevent and defend against such attacks. Although the government has required senior general hospitals to get the ISMS certification since 2016, such a requirement has been burdensome for small and medium-sized medical institutions. Therefore, this study was designed to draw measures to identify and improve the privacy status of the medical institution by dividing it into management, physical and cyber areas for small and medium-sized medical institutions. The results of this study showed that the government should provide financial support and managerial supervision for the improvement of personal information protection of small and medium-sized medical institutions. They also suggested that the government should also provide medical security specialists, continuous medical security education, disaster planning, reduction of medical information management regulations not suitable for small and medium sized institutions.