Chapter 3: Information Security Strategy
  1. Chapter 3: Information Security Strategy. September 2005. Shin Su-jeong (신수정)

  2. Reference
     • Information Security Architecture – Tudor, Chapter 2 (Security Organization and Infrastructure)
     • ISO 13335
     • The Information Systems Security Officer's Guide: Establishing and Managing an Information Protection Program – Gerald L. Kovacich
     • Developing an IT Security Strategy – Erik Guldentops, ASIA CACS 2002
     • Crafting and Implementing Strategy – Thompson and Strickland, McGraw-Hill
     • Information Technology for Management – Turban et al., Wiley

  3. 0. Introduction (framework diagram: where this chapter sits in the overall security architecture)
     • Layers to be protected: Data, Application, User, System, Network, Physical
     • Dimensions: People, Process, Technology
     • Security objectives: integrity, confidentiality, availability
     • Control functions: identification, authentication, authorization, administration, audit
     • Building blocks: security strategy and organization; policy and information classification; security technology architecture; security management architecture (monitoring, incident response, business continuity, personnel security, security education, outsourcing security); validation, audit, measurement, certification
     • Foundation: Enterprise Architecture & IT Planning

  4. 1. What is strategy?
     Strategy is the process of analyzing the external environment and the organization's internal capability and, from both a short-term and a long-term perspective, concentrating the organization's resources and effort in a particular direction in order to find an efficient way to reach its objectives.
     • Objectives are "ends"; strategy is the "means" of achieving them.
     • Strategy is a combination of planned actions and on-the-spot adaptive reactions to freshly developing industry and competitive events.
     The three questions of strategy (diagram):
     1. Where are we now? – SWOT, needs analysis
     2. Where do we want to go? – Mission, vision, objectives
     3. How will we get there? – Strategies, CSFs (critical success factors), plan

  5. 1. What is strategy? (strategic management cycle: Vision & Mission → Objectives → Strategy → Implementation → Evaluation)
     • Strategic vision: a view of an organization's future direction and business makeup; a guiding concept for what the organization is trying to do and to become.
     • Mission: the answer to the question "What is our business, and what are we trying to accomplish on behalf of customers?"
     • Objectives: the targets management has established for the organization's financial performance, overall business position, and competitive vitality.
     • Strategy: the pattern of actions and business approaches managers employ to please customers, build an attractive market position, and achieve organizational objectives.
     • Implementation: an action-oriented, make-it-happen activity; developing competencies and capabilities, budgeting, policy making, motivating, culture building, and leading are all part of the process.
     • Evaluation: a company's vision, objectives, strategy, and approach to implementation are never final; evaluating performance, monitoring changes in the surrounding environment, and making adjustments are normal and necessary parts of the strategic management process.

  6. 2. What is IT strategy? (three-tier model)
     • Business strategy – where is the business going and why: business decisions, objective and direction, change. It sets the direction for the IS strategy, which in turn supports the business.
     • IS strategy – what is required: business based, demand oriented, application focused. It sets the needs and priorities for the IT strategy, which in turn supplies the infrastructure and services.
     • IT strategy – how it can be delivered: activity based, supply oriented, technology focused.

  7. 3. IT PLAN (three planning horizons)
     • Strategic plan (5–10 years): overall direction in terms of infrastructure and resource requirements for IT activities.
     • Master plan (2–5 years), managerial planning: the application portfolio; a list of major approved IS projects.
     • Tactical (annual) plan (1 year), operational planning: budgets and schedules for current-year projects and activities.

  8. 4. IT PLANNING (four-stage model: strategic IT planning → information requirements analysis → resource allocation → project planning, with feedback to a revised plan)
     Stage 1: Strategic IT planning
     • Set the IS mission: IS charter
     • Assess the environment: current IS capabilities, new opportunities, current business environment, new technology, current applications, IS image, stage of IS maturity, IS personnel skills assessment
     • Assess organizational objectives and strategies: review the strategic organization plan, identify major claimant groups and their objectives, determine IS strategies to support corporate strategies
     • Set IS policies, objectives and strategies: organizational structure, technical focus, resource allocation mechanism, management processes, functional capability objectives
     Stage 2: Information requirements analysis
     • Assess the organization's information requirements: overall information architecture identification, current information needs, projected information needs
     • Assemble the master development plan: information system project definition, project ranking, multiyear development schedule

  9. 4. IT PLANNING (continued)
     Stage 3: Resource allocation
     • Develop the resource requirement plan: trend identification, hardware plan, software plan, personnel plan, data communication network plan, facilities plan, financial plan
     Stage 4: Project planning
     • Evaluate the project and develop the project plan: project evaluation, task identification, cost estimates, time estimates, checkpoints, completion date

  10. 5. IT Security Strategy & Plan (the three-tier model of slide 6 with the infosec strategy placed alongside it)
     • Business strategy – where is the business going and why: business decisions, objective and direction, change. It sets the direction for the IS strategy and the infosec strategy, which support the business.
     • IS strategy – what is required: business based, demand oriented, application focused. Alongside it, the demand side of the infosec strategy: business and technique based, demand oriented; what security is required, with needs and priorities flowing down and infrastructure and services flowing up.
     • IT strategy level – how it can be delivered. Alongside it, the supply side of the infosec strategy: activity based, supply oriented, technology focused.

  11. 5. IT Security Strategy & Plan (plan hierarchy: each business plan has an infosec counterpart)
     • Strategic Business Plan – Infosec Strategic Plan
     • Business Master Plan – Infosec Master Plan
     • Annual Business Plan – Infosec Annual Plan

  12. 5. IT Security Strategy & Plan (Information Security Architecture, Tudor)
     The first step of the ISA is to include security in the goals and objectives of the Strategic IT Plan: Strategic Business Plan → Strategic Information Technology Plan → Strategic Goals for IT → Security Architecture (including information accessibility).
     ISA is the process of developing an awareness of risk, an assessment of the current controls, and the alignment of controls to meet the security requirements of the organization.
     Integrated framework components: security policy, security assessment, user awareness program, DRP/BCP, classification methodology, compliance program.

  13. 5. IT Security Strategy & Plan (ISO 13335 process for the management of IT security)
     • IT security objectives, strategy, and policy: IT security objectives and strategy → IT security policy
     • Corporate risk analysis strategy options: baseline approach, informal approach, detailed risk analysis, combined approach
     • Combined approach: a high-level risk analysis first, then detailed risk analysis for the high-risk systems and the baseline approach for the rest
     • Selection of safeguards → risk acceptance → IT system security policy → IT security plan
     • Implementation of the IT security plan: awareness, training, safeguards, accreditation
     • Follow-up: maintenance, security compliance checking, change management, monitoring, incident handling

  14. 5. IT Security Strategy & Plan (objective, strategy, and policy in practice)
     Objective – how valuable is the asset?
     • Which business tasks cannot be performed without IT support?
     • Of the information processed by IT, which of confidentiality, integrity, and availability matters most? How current must it be?
     • Which confidential information must be protected?
     • What are the consequences when a security problem occurs?
     e.g. "to ensure the integrity of the information"
     Strategy – how is the objective achieved?
     • Risk assessment strategy and method
     • The need for an IT system security policy and security operating procedures for each system
     • An organization-wide method for classifying information sensitivity
     • The need for security conditions on connections
     • An incident handling scheme
     Corporate IT security policy
     • Must be approved by top management
     • A person responsible for maintaining it must be appointed: the corporate IT security officer
     • Directive; security awareness program
     • Contents: scope and purpose, security objectives, security requirements, management of information security, risk assessment approach, method for prioritizing safeguard implementation, overall risk, general rules for access control, approach to security awareness and training, procedures for checking and maintaining security, general personnel security issues, how the policy is communicated, the circumstances under which the policy is reviewed, change control

  15. 6. Enterprise approach for IT security
     1) Know what questions to ask
     • When people see a security incident, do they recognize it or ignore it? Do they know how to act?
     • Does the enterprise know how many computers it owns?
     • Is the enterprise suffering from recent virus attacks? How was it last year?
     • What are the enterprise's most important assets? Does management know where the enterprise is most vulnerable?
     • Is management worried about leaks of the enterprise's confidential information?
     • Does the enterprise have outsiders check its network security?
     • Is security a regular item at IT management meetings?
     Source: Erik Guldentops

  16. 6. Enterprise approach for IT security
     2) Have a clarity of purpose
     Benchmarking chart: cost of security and control vs. IT budget, with maturity levels from cowboy operation, through baseline operation, good practice and industry reference site, up to leadership; set against the cost of non-compliance.
     Source: Erik Guldentops

  17. 6. Enterprise approach for IT security
     3) Raise awareness at the top
     How to sell to top management, in different styles: FUD (fear, uncertainty, doubt); cost reduction; responsibility; differentiator; cost of security; strategic approach (benchmark).
     Source: Erik Guldentops

  18. 6. Enterprise approach for IT security
     4) Know what is needed
     • Business drivers
     • Technology drivers: manage risk, leverage opportunities
     • Threats and vulnerabilities
     • Regulators and law
     • Identification, authentication, authorization
     Source: Erik Guldentops

  19. 6. Enterprise approach for IT security
     5) Measure your performance
     • Policies and procedures
     • Security management
     • Human behavior and culture
     • Application security
     • System access control
     • Network segregation
     Source: Erik Guldentops

  20. 6. Enterprise approach for IT security
     6) Keep on doing: a continuous cycle of evaluate, secure, monitor and improve, driven by metrics.
     Source: Erik Guldentops

  21. 6. Enterprise approach for IT security (IT security strategy approach, diagram)
     • Business requirement → business risk analysis → business policy → security requirement
     • Security requirement → technical risk analysis, with cost-benefit analysis → technical requirement
     • Where you are: the current architecture (inventory of solutions); where you'd like to be: the target architecture (benchmarking, standards)
     • Security architecture → plan

  22. 7. Writing the Infosec Plan
     • Strategic Business Plan (annual earnings, market share, expansion goals, IT goals, ...) → Infosec Strategic Plan: vision, mission, infosec strategic goals, mapping of infosec strategies to business strategies
     • Business Master Plan → Infosec Master Plan: specification of the infosec strategic goals, mapping of tactics to infosec strategies, mapping of infosec tactics to business tactics
     • Annual Business Plan → Infosec Annual Plan: specification of the infosec annual goals, specification of the infosec projects, mapping of infosec projects to the business annual plan
     Projects: purpose, duration, budget, responsibility

  23. 7. Writing the Infosec Plan (IT example)
     IT Strategic Goal 1: Improve customer satisfaction by providing best-in-class, business-oriented application systems.
     Strategies
     • Successfully build application systems that support the core business strategies.
     • Ensure the IT infrastructure can support all new applications.
     • Improve the reliability of application systems.
     • Focus on purchasing package software rather than developing custom software.
     • Increase the availability of information, and better satisfy internal and external customers' information needs, by strengthening the delivery of information over the intranet and internet.

  24. 7. Writing the Infosec Plan (IT example)
     IT Strategic Goal 2: Build a secure infrastructure.
     Strategies
     • Develop a security awareness program.
     • Provide secure financial transactions and data transfers.
     • Implement company-wide access control.
     • Establish a security monitoring program.

  25. 8. Homework
     1) Describe an IT strategic goal, e.g. IT Strategic Goal: provide high-quality services to IT customers.
     2) Describe an infosec strategic goal linked to that IT strategic goal.
