thcho@kisa.or.kr

Contents
1
2 IPAK (Information Protection Assessment Kit)
3 IAM (INFOSEC Assessment Methodology)
4 VAF (Vulnerability Assessment Framework)
5 OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation)
6 Risk Management Guide for IT Systems
7
8
1
Background: PDD 63 (Presidential Decision Directive 63); National Plan for Information Systems Protection

Risk analysis terminology
1) Asset
2) Threat
3) Vulnerability
4) Risk
5) Impact
6) Safeguard
7) Residual Risk
2 IPAK (Information Protection Assessment Kit)
IPAK control areas (11):
1 Information Protection Program and Administration
2 Personnel Policies and Practices
3 Physical Security
4 Business Process Controls
5 Backup and Recovery Measures
6 End-User Controls
7 Network Security Controls
8 Internet Security Controls
9 Web Security Controls
10 Telecommunication & Remote Access Security Controls
11 Internet Commerce Controls

Sample checklist questions by area: Personnel Policies and Practices; Physical Security; End-User Controls (H/W, S/W); Internet Security Controls

IPAK assessment fields (6):
1 Relevance: whether the control item applies to the organization
2 Impact: Low / Moderate / High
3 Compliance: Excellent (90-100%), Good (80-89%), Adequate (70-79%), Marginal (50-69%), Poor (below 50%)
4 Documentation: standard manual, policy statement, specification, user manual, practice guideline, operating procedure, recovery plan, intranet-accessible protected file
5 Comments
6 Scoring: Score = I x (C + D)
  I: impact weight (High, Moderate, Low)
  C: compliance score (5 Excellent, 4 Good, 3 Adequate, 2 Marginal, 1 Poor)
  D: documentation score
  Example: impact Moderate; compliance 85% (Good, C = 4); Score = I x (4 + D)
3 IAM (INFOSEC Assessment Methodology)
Developed by the NSA.
Three phases, each with a typical duration in weeks: pre-assessment, on-site assessment, post-assessment.
The on-site phase starts with an opening meeting with the customer.
The assessment is organized around baseline control categories: the NSA list (18 categories) and the CSI/IPAK list (11 areas).

NSA baseline INFOSEC categories (18):
1 INFOSEC Documentation
2 INFOSEC Roles and Responsibilities
3 Identification & Authentication
4 Account Management
5 Session Controls
6 External Connectivity
7 Telecommunications
8 Auditing
9 Virus Protection
10 Contingency Planning
11 Maintenance
12 Configuration Management
13 Back-up
14 Labeling
15 Media Sanitization / Disposal
16 Physical Environment
17 Personnel Security
18 Training and Awareness

CSI (IPAK) areas (11):
1 Information Protection Program & Administration
2 Personnel Policies and Practices
3 Physical Security
4 Business Process Controls
5 Backup and Recovery Planning
6 End-User Controls
7 Network Security Controls
8 Internet Security Controls
9 Web Security Controls
10 Telecommunications and Remote Access Security Controls
11 Internet Commerce Controls

4 VAF (Vulnerability Assessment Framework)
Built around the MEI (Minimum Essential Infrastructure): the MEI is the set of assets and capabilities the mission cannot do without.
4 VAF (Vulnerability Assessment Framework)
Step 1: Establish the mission and the MEI
  Area of Control: the organizational scope under assessment
  MEI Resource Elements: the assets the mission depends on
  Areas of Potential Compromise: where the MEI could be compromised
Step 2: Gather data to identify MEI vulnerabilities
Step 3: Analyze, classify and prioritize vulnerabilities

5 OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation)
Principles: Self-Direction; Analysis Team (3-5 people, drawn from business and IT); Workshop-Based; Catalogs of Information
5 OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation)
Phase 1 Build Asset-Based Threat Profiles
  Process 1: Identify Senior Management Knowledge
  Process 2: Identify Operational Area Knowledge
  Process 3: Identify Staff Knowledge
  Process 4: Create Threat Profiles
Phase 2 Identify Infrastructure Vulnerabilities
  Process 5: Identify Key Components
  Process 6: Evaluate Selected Components (against a catalog of known vulnerabilities, e.g. CVE)
Phase 3 Develop Security Strategy and Plans
  Process 7: Conduct Risk Analysis
  Process 8: Develop Protection Strategy

6 Risk Management Guide for IT Systems (NIST SP 800-30)
NIST's guide covers risk assessment, risk mitigation, and evaluation and assessment.
6 Risk Management Guide for IT Systems
Inputs to system characterization: H/W, S/W, system interfaces, data and information, people, system mission.
Risk assessment steps (9):
Step 1: System Characterization
Step 2: Threat Identification
Step 3: Vulnerability Identification
Step 4: Control Analysis
Step 5: Likelihood Determination
Step 6: Impact Analysis
Step 7: Risk Determination
Step 8: Control Recommendations
Step 9: Results Documentation

Step 2: Threat Identification
Threat sources: natural, human, environmental. Human threats are characterized by motivation and threat action (deliberate or accidental).

Step 3: Vulnerability Identification
Sources: vendor advisories, the NIST I-CAT vulnerability database (http://icat.nist.gov), FedCIRC and DoE CIAC advisories, security testing.
Step 3 example (vulnerability / threat source / threat action pairs from the guide):
- Terminated employees' system IDs are not removed from the system / terminated employees / dialing into the company network and accessing proprietary data
- Company firewall allows inbound telnet and the guest ID is enabled on the XYZ server / unauthorized users (hackers, terminated employees, criminals) / using telnet to the XYZ server and browsing system files with the guest ID

Step 4: Control Analysis
Control methods: technical / non-technical. Control categories: preventive / detective. The question is whether existing or planned controls reduce the likelihood that a vulnerability is exercised.

Step 5: Likelihood Determination
- High: the threat source is highly motivated and sufficiently capable, and controls are ineffective
- Medium: the threat source is motivated and capable, but controls may impede the exploit
- Low: the threat source lacks motivation or capability, or controls prevent or significantly impede the exploit
Step 6: Impact Analysis
Impact is measured as loss of integrity, availability or confidentiality (IT system and data), rated High / Medium / Low; quantitative and qualitative approaches.

Step 7: Risk Determination
Risk-level matrix (threat likelihood x impact):
Threat likelihood   Impact Low (10)   Impact Medium (50)   Impact High (100)
High (1.0)          Low (10 x 1.0 = 10)    Medium (50 x 1.0 = 50)    High (100 x 1.0 = 100)
Medium (0.5)        Low (10 x 0.5 = 5)     Medium (50 x 0.5 = 25)    Medium (100 x 0.5 = 50)
Low (0.1)           Low (10 x 0.1 = 1)     Low (50 x 0.1 = 5)        Low (100 x 0.1 = 10)
Risk scale: High (>50 to 100); Medium (>10 to 50); Low (1 to 10)
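Steps 5-7 of the NIST guide reduce to a small computation, and it is worth seeing it run end to end. The following is an added example, not code from the original slides or from NIST: the likelihood weights (1.0 / 0.5 / 0.1), impact values (100 / 50 / 10) and risk-scale cut-offs are the guide's own, while the threat/vulnerability items and the likelihood and impact ratings attached to them are constructed here for illustration (two of the items reuse the guide's step 3 example pairs).

```python
"""Risk-level determination as in the NIST Risk Management Guide for IT
Systems (SP 800-30), steps 5-7, with a ranking that feeds step 8.

Added example. Weights, values and cut-offs follow the guide; the sample
risk items and their ratings are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Step 5: likelihood ratings and the weight the guide attaches to each.
LIKELIHOOD_WEIGHT: Dict[str, float] = {"High": 1.0, "Medium": 0.5, "Low": 0.1}
# Step 6: impact ratings and the value the guide attaches to each.
IMPACT_VALUE: Dict[str, int] = {"High": 100, "Medium": 50, "Low": 10}


def risk_score(likelihood: str, impact: str) -> float:
    """Step 7: risk = likelihood weight x impact value.

    Rounded so that 0.1 x 100 compares equal to 10 despite float noise.
    """
    return round(LIKELIHOOD_WEIGHT[likelihood] * IMPACT_VALUE[impact], 6)


def risk_level(score: float) -> str:
    """Map a score onto the guide's scale: High (>50 to 100), Medium (>10 to 50), Low (1 to 10)."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


def risk_matrix() -> Dict[Tuple[str, str], Tuple[float, str]]:
    """The full 3x3 risk-level matrix, keyed by (likelihood, impact)."""
    return {
        (lik, imp): (risk_score(lik, imp), risk_level(risk_score(lik, imp)))
        for lik in LIKELIHOOD_WEIGHT
        for imp in IMPACT_VALUE
    }


@dataclass(frozen=True)
class RiskItem:
    threat_source: str
    vulnerability: str
    likelihood: str  # High / Medium / Low, from the step 5 analysis
    impact: str      # High / Medium / Low, from the step 6 analysis


# Constructed sample. The first two pairs are the guide's step 3 examples;
# the likelihood/impact ratings on all three are assumptions made here.
SAMPLE_RISKS: List[RiskItem] = [
    RiskItem("Terminated employees",
             "Terminated employees' system IDs are not removed from the system",
             likelihood="Medium", impact="High"),
    RiskItem("Unauthorized users (hackers, terminated employees, criminals)",
             "Firewall allows inbound telnet and the guest ID is enabled on the XYZ server",
             likelihood="High", impact="High"),
    RiskItem("Negligent insiders",
             "Backup tapes stored unlabeled in an unlocked cabinet",
             likelihood="Low", impact="Medium"),
]


def rank_risks(items: List[RiskItem]) -> List[Tuple[str, float, RiskItem]]:
    """Return (level, score, item) tuples, highest risk first (input to step 8)."""
    scored = []
    for item in items:
        score = risk_score(item.likelihood, item.impact)
        scored.append((risk_level(score), score, item))
    return sorted(scored, key=lambda t: t[1], reverse=True)


if __name__ == "__main__":
    for (lik, imp), (score, level) in risk_matrix().items():
        print(f"likelihood {lik:6} x impact {imp:6} = {score:5.1f} -> {level}")
    print()
    for level, score, item in rank_risks(SAMPLE_RISKS):
        print(f"{level:6} {score:5.1f}  {item.threat_source}: {item.vulnerability}")
```

Note that the two boundary cells (High likelihood x Medium impact, Medium likelihood x High impact) both score exactly 50 and land in Medium, because the guide's scale puts the High band strictly above 50; an implementation that used `>=` would silently promote them.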
Step 8: Control Recommendations
Controls that could mitigate or eliminate the identified risks, weighed for effectiveness, legislation and regulation, organizational policy, operational impact, and safety and reliability.

Step 9: Results Documentation
The risk assessment report: threat sources, vulnerabilities, risks and their levels, and recommended controls.

Risk mitigation
Decision points for mitigation action (from the guide's flowchart): does a vulnerability exist? is it exploitable? is the attacker's cost < gain? is the anticipated loss > threshold?
Risk mitigation steps (7):
Step 1: Prioritize actions
Step 2: Evaluate recommended control options
Step 3: Conduct cost-benefit analysis
Step 4: Select controls
Step 5: Assign responsibility
Step 6: Develop a safeguard implementation plan (risks and levels, prioritized actions, recommended and selected controls, responsible persons, start and target dates, maintenance requirements)
Step 7: Implement selected controls
Control categories: technical, management, operational security controls.
7
Business Process / Process
Mapping
DB
(CI RA M)

8
DB