• Journal of the Korea Academia-Industrial cooperation Society
• /
• v.13 no.9
• /
• pp.4224-4233
• /
• 2012

As Internet usage is rapidly spreading, tasks that were only possible offline are now available in cyber space but at the same time, new security threats such as hacking and viruses have also increased. For that reason, Comprehensive and methodical information security systems are therefore required in enterprises and organizations. Consequently, the Information Security Management System certification system has been in effect in Korea since July 2001. As of December 2012, 130 enterprises have been certified, and more than 120 ISO27001 certifications have been issued. As such, since the introduction of the ISMS certification system in Korea, the demand for the certification has been steadily increasing, and it is now recognized as an integral part of maintaining the competitiveness in an enterprise. However, the qualitative aspects of certification regarding the effectiveness of ISMS have been continuously questioned by actual customers. In order to clarify the situation and remove such doubts, this study will substantiate the fact that development and certification of ISMS positively affect the business performance of enterprises so that they will recognize the effect of obtaining ISMS certification and eventually prevent security accidents and improve their business performance by developing ISMS.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.25 no.2
• /
• pp.375-381
• /
• 2015

In the past few years, data leakage of information assets has become prominent issue. According to the NIS in South Korea, they found 375 cases of data leakage from 2003 to 2013, especially 49 of cases have been uncovered in 2013 alone. These criminals are increasing as time passes. Thus, it constitutes a reason for establishment, operation and certification of ISMS, even for private enterprises. The purpose of this study is to examine the factors influencing the certification intention of ISMS using EFA (Exploratory Factor Analysis) and regression analysis. We identified expectation factors for certification of ISMS from 13 elements using EFA (Strengthening practical ability & economic effect factor and Improvement of security level & handling incident factor). Next, we examined that the certification intention of ISMS using regression analysis. As a result of regression analysis, Strengthening practical ability & economic effect factor is not significant for the certification intention of ISMS (p<.05). Also, Improvement of security level & handling incident factor have a significant and positive effect on the certification intention of ISMS (p<.05).

• Journal of the Korea Convergence Society
• /
• v.7 no.6
• /
• pp.237-247
• /
• 2016

This study analyzed quantitative effects of ISMS certification. To measure the company value change the stock data was used and the methodology of event study was also applied. Event study methodology is a method of analyzing the effects of information or public announcement about certain events on the stock market through abnormal return of stock price. First, ISMS certification was acquired followed by the measurement of abnormal excess return of company. Based on the increase or decrease of abnormal excess return, the group was classified. There are 3 types of groups("Increase", "Reduce", "Maintain"). Next, the cluster analysis was performed for each group. Cluster analysis or clustering is the task of grouping a set of objects in such a way that objects in the same group (called a cluster) are more similar (in some sense or another) to each other than to those in other groups(clusters). The purpose of this study is to have a quantitative measurement of performance of ISMS certification. So, the result of this study will be promoted a company's ISMS certification acquisition. And it would further be beneficial to your company's information security activities.

• Journal of the Korea Institute of Information and Communication Engineering
• /
• v.18 no.3
• /
• pp.761-769
• /
• 2014

We propose an improved M-ISMS(Military-ISMS) model which is based on common ISMS model for regarding military's unique characteristics. Our model focuses on 'Internal Security Audit' and 'Management of external activity' as military circumstances. So, we added the six control new items as internal security audits. Because the confidentiality is more important than availability in military service as compared with private sectors. In addition, we propose some control suggestions for establishing security management standards and keeping level maintenance when it will becomes to lose a value as confidential. The M-ISMS model in this paper has effectiveness which prevents security incidents in advance rapidly throughout a variety of common ISMS's advantages and security incidents of private sectors in consideration of military characteristics.

• Journal of the Korea Academia-Industrial cooperation Society
• /
• v.15 no.9
• /
• pp.5783-5789
• /
• 2014

Since 2002, many domestic companies have been certified for ISMS. On the other hand, certification, such as the need for ost-effectiveness evaluation, is not specifically enforced. Therefore, for more than 10 years, the ISMS implementation and certification system has been used for performance and cost effective business management. In this study, a model for analyzing the effect of certification organizations, ISMS development, and an analysis of the effect of a standardized system for the study was prepared. To this end, the existing maintenance organizations ISMS certification survey was conducted through an analysis of the economic effects. ISMS certification continues to expand or maintain the policy for improvement. The survey data collected by the analysis mechanism for the economic effects of CVM was analyzed.

• Journal of the Korea Academia-Industrial cooperation Society
• /
• v.21 no.1
• /
• pp.634-640
• /
• 2020

The information security management system (ISMS) and the personal information management system (PIMS) have been integrated into a personal information & information security management system (ISMS-P) certification scheme in response to requests to reduce the time and cost to prepare certification schemes. Integration of the certification system has made it possible for the system operator to gain the advantage of easy management of the ISMS-P certification system, and the certification target organization can enjoy the advantage of easy acquisition and maintenance of certification. However, ambiguity in the application criteria of the target organization, and ambiguity in the certification criteria control items require the target organization to operate an excessive management system, and the legal basis to be applied to the certification target organization is ambiguous. In order to improve these problems, this paper uses case studies to identify the types of certification bodies that apply the certification criteria, and to change the control items applied during certification audits based on the types of certification bodies. Institutions that wish to obtain only ISMS certification have proposed three solutions, excluding controls covered by the ISMS-P. This paper suggests ways to operate an efficient certification system, and can be used as a basis for improving problems in the ISMS-P certification system.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.24 no.5
• /
• pp.951-959
• /
• 2014

In the past few years, data leakage of information assets has become a prominent issue. According to the National Intelligence Service in South Korea, they found 375 cases of data leakage from 2003 to 2013, especially 49 of cases have been uncovered in 2013 alone. These criminals are increasing as time passes. Thus, it constitutes a reason for establishment and operation of ISMS (Information Security Management System) even for private enterprises. But to be ISMS certified, there are many exposed or unexposed barriers, moreover, sufficient amount of studies has not been conducted on the barriers of ISMS Certification. In this study, we analyse empirically through exploratory factor analysis (EFA) to find the obstacle factors of ISMS Certification. The result shows that there are six obstacle factors in ISMS Certification; Auditing difficulty and period, Consulting firm related, Certification precedence case and consulting qualification, Internal factor, CA reliability and auditing cost, Certification benefit.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.24 no.6
• /
• pp.1309-1318
• /
• 2014

In the past few years, data leakage of information assets has become a prominent social issue. According to the National Industrial Security Center in South Korea, 71 percent who suffer from technology leakage are small and medium sized enterprises. Hence, establishment and operation of ISMS (Information Security Management System) for small and medium sized enterprises become an important issue. Since it is not easy to obtain ISMS certification for a small or medium sized enterprise by itself, consultation with an expert firm in information security is necessary before the security implementation. However, how to select a proper security consulting company for a small or medium sized firm has not been studied yet. In this study, we analyze empirically the selection factors of ISMS certification consulting company for a small or medium sized firm through exploratory factor analysis (EFA). Our study identified the following four important factors in selecting a security consulting company: expertise of the staffs and human resource management proficiency, market leading capability, competence to make progress during the consultation, and the performance and the size of the physical assets and human resources.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.27 no.4
• /
• pp.873-883
• /
• 2017

As Ransomware spreads, the target of the attack shifted from a single personal to organizations which lead attackers to be more intelligent and systematic. Thus, Ransomware's threats to domestic infrastructure, including the financial industry, have grown to a level that cannot be ignored. As a measure against these security issues, organizations use ISMS, which is an information protection management system. However, it is difficult for management to make decisions on the loss done by the security issues since amount of the damage done can not be calculated with just ISMS. In this paper, through FAIR-based loss measurement model based on scenario's to identify the extent of damage and calculate the reasonable damages which has been considered to be the problem of the ISMS, we identified losses and risks of Ransomeware on the financial industry and method to reduce the loss by applying the current ISMS and ISO 27001 control items rather than modifying the ISMS.

• Journal of Information Technology Applications and Management
• /
• v.26 no.4
• /
• pp.19-30
• /
• 2019

Many organizations need to comply with ISMS-P for information systems and personal information management for ISMS-P certification. Organizations should safeguard vulnerablities to information systems. However, as the kinds of information systems are diversified and the number of information systems increases, management of such vulnerabilities manually accompanies with many difficulties. SCAP is a protocol to manage the vulnerabilities of information system automatically with security standards. In this paper, for the introduction of SCAP in domestic domains we verify the applicability of server-oriented system which is one of ISMS-P certification targets. For SCAP applicability, For obtaining this goal, we analyze the structures and functions of SCAP. Then we propose schemes to check vulnerabilities of the server-oriented system. Finally, we implement the proposed schemes with SCAP to show the applicability of SCAP for verifying vulnerabilities of the server-oriented system.