Information Security Standardization


양수미: Information Security Standards

Contents
IETF standards
ISO/IEC JTC1 standards: SC27; other than SC27
ITU-T standards

IETF standards
Standards established by the Security Area within the IESG (Internet Engineering Steering Group) of the IETF (Internet Engineering Task Force); they are studied and established in several Working Groups.
The IETF was established in 1986 under the ISOC (Internet Society) to support Internet protocol engineering and development.

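The main goal of the IETF (Internet Engineering Task Force) is to propose and develop standards for protocols and architecture in order to solve the operational and technical problems of the Internet.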

Internet standards and RFCs
The Internet Society
IAB (Internet Architecture Board): responsible for defining the overall architecture of the Internet, providing guidance and broad direction to the IETF
IETF (Internet Engineering Task Force): the protocol engineering and development arm of the Internet; a subordinate organization of the non-profit IAB (Internet Architecture Board), responsible for drafting policies and standards for TCP/IP and the Internet
IESG (Internet Engineering Steering Group): responsible for technical management of IETF activities and the Internet standards process
Henric Johnson

IETF standardization process
Standard development stages
Internet drafts: working documents toward an RFC (Request for Comments), registered in the directory for 6 months
Proposed standard: implement and test the protocol (6 months to 2 years)
Draft standard: at least 2 independent, interoperable products; needs more field testing in different, wide environments (4 months to 2 years)
Internet standard: a successfully implemented and operated protocol

IETF Working Groups (Active)
APPLICATIONS
INTERNET
OPERATIONS and MANAGEMENT
REAL-TIME APPLICATIONS and INFRASTRUCTURE
ROUTING
SECURITY
TRANSPORT

Security area Working Groups
abfab: Application Bridging for Federated Access Beyond web
dkim: Domain Keys Identified Mail
emu: EAP Method Update
hokey: Handover Keying
ipsecme: IP Security Maintenance and Extensions
isms: Integrated Security Model for SNMP
keyprov: Provisioning of Symmetric Keys

Security area Working Groups
kitten: Common Authentication Technology Next Generation
krb-wg: Kerberos
ltans: Long-Term Archive and Notary Services
msec: Multicast Security
nea: Network Endpoint Assessment
pkix: Public-Key Infrastructure (X.509)
tls: Transport Layer Security


ISO/IEC JTC1 standards
ISO (International Organization for Standardization) / IEC (International Electrotechnical Commission) JTC (Joint Technical Committee) 1
A combined organization (ISO/TC97: information processing system fields, and IEC/TC 83: information equipment)
A joint technical committee for international standardization in the information technology field, formed by merging the international standardization activities for information processing systems with those for information equipment
SC20 (data cryptographic techniques) was expanded into SC27 (security techniques).

ISO/IEC JTC1 standards
Standard development stages
Preliminary stage: preliminary work item (PWI)
Proposal stage: new work item proposal (NP)
Preparatory stage: working drafts (WD)
Committee stage: committee drafts (CD)
Enquiry stage: enquiry drafts, i.e. draft international standard (DIS) for ISO, committee draft for vote (CDV) for IEC
Approval stage: final draft international standard (FDIS)
Publication stage: international standard (ISO, IEC, ISO/IEC)

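ISO/IEC JTC1 standards
SC27: IT Security techniques
Mainly studies and establishes standards for general methods and techniques for IT security.
Standardization of general methods and techniques for information technology security, excluding the embedding of security mechanisms in applications
Includes standardization of encryption algorithms, general requirements specifications for IT system security services, development of security techniques and mechanisms, and development of management support documents and standards
Other than SC27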

Other than SC27

ISO/IEC 13335-1:2004 Information technology -- Security techniques -- Management of information and communications technology security -- Part 1: Concepts and models for information and communications technology security management
ISO/IEC 13335-1:2004 presents the concepts and models fundamental to a basic understanding of ICT security, and addresses the general management issues that are essential to the successful planning, implementation and operation of ICT security. Part 2 of ISO/IEC 13335 (currently 2nd WD) provides operational guidance on ICT security. Together these parts can be used to help identify and manage all aspects of ICT security.

ISO/IEC 27002:2005(2007)
Evolved from BS 7799:1999 -> 17799 -> 27002
12 main sections:
Risk assessment
Security policy: management direction
Organization of information security: governance of information security
Asset management: inventory and classification of information assets
Human resources security: security aspects for employees joining, moving and leaving an organization
Physical and environmental security: protection of the computer facilities
Communications and operations management: management of technical security controls in systems and networks
Access control: restriction of access rights to networks, systems, applications, functions and data
Information systems acquisition, development and maintenance: building security into applications
Information security incident management: anticipating and responding appropriately to information security breaches
Business continuity management: protecting, maintaining and recovering business-critical processes and systems
Compliance: ensuring conformance with information security policies, standards, laws and regulations


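ITU-T standards
ITU-T (International Telecommunication Union-Telecommunication Standardization Sector): the body into which the CCITT (Consultative Committee for International Telegraph and Telephone), the international organization that set telecommunication standards, was renamed. It defines standards for digital transmission and interface standards for analog transmission.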

ITU-T standards
SG 2, 3, 5, 9, 11, 12, 13, 15, 16, 17, TSAG (Telecommunication Standardization Advisory Group)
SG 17: Security [, languages and telecommunication software]
In Korea, this is handled by the TTA (Telecommunication Technology Association), a private-sector information and communications standards body.
TC10: security committee (IT security management, crypto technology, system security group)

ITU-T SG17 main topics
NGN (Next Generation Network) Security Framework Multimedia Security Frameworks Guidelines Security Management Awareness Secure Communication Services

Others
ECMA (European Computer Manufacturers Association): established in 1961 for data processing standards in Europe
TC 17 (includes communication), TC 36 (IT security), TC 32 (communication, network and interoperability, security)
ETSI (European Telecommunications Standards Institute): established in 1988 for communication/information/broadcasting standards in Europe
Standard process:
Inception: start development of the standard
Conception: define the concept
Drafting: propose the standard
Adoption: adopt the standard
Promotion: implement the standard
TC SEC is the security standards technical committee -> OCG (Operational Co-ordination Group)

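Others
Internet Security Technology Forum (ISTF: Information Security Technology Forum): a forum formed mainly by private companies in the Internet security technology field, which develops de facto standards that reflect market demand
Established in 2000 for public Internet security standards
Network, PKI and mobile groups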

NIST
NIST (National Institute of Standards and Technology): established in 1901 as the NBS (National Bureau of Standards), then renamed NIST in 1988, under the DoC (Department of Commerce).
10 research laboratories:
Building and fire research
Chemical science and technology
Electronics and electrical engineering
Information technology
Manufacturing engineering
Materials science and engineering
Nanoscale science and technology
Neutron research
Physics
Technology services

NIST information technology lab.: 6 research areas
Advanced Network Technologies
Computer Security
Information Access
Mathematical & Computational Sciences
Software & Systems
Statistical Engineering

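NIST
Cryptographic technology
Advanced authentication technology
Public key infrastructure
Internetworking security
Evaluation criteria and schemes
Security management and support
Computer Security Resource Center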

ANSI
ANSI (American National Standards Institute): established as a non-profit organization in 1918.
Has three characteristics: it does not develop standards; ANS are used in all industries; ANS are voluntary.
Major fields: all technical fields (accreditation certificates, patents, etc.)
Contributes to ISO and IEC
ANSI certifies other standards organizations in the USA

KATS


Information security evaluation criteria
ITSEC (Information Technology Security Evaluation Criteria): Europe
TCSEC (Trusted Computer System Evaluation Criteria): United States
1) D (Minimal Protection)
2) C1 (Discretionary Security Protection)
3) C2 (Controlled Access Protection)
4) B1 (Labeled Security Protection)
5) B2 (Structured Protection)
6) B3 (Security Domain)
7) A1 (Verified Design)
K Series: Korea, K1~7
International common evaluation criteria CC (Common Criteria): EAL 1~7
