
Chapter 4. Information Security Organization

2005.9

신수정

References

• Information Security Architecture (Tudor), Chapter 2: Security Organization and Infrastructure
• ISO 13335
• The Information Systems Security Officer's Guide: Establishing and Managing an Information Protection Program, Gerald L. Kovacich
• Information System Control & Audit, Weber

0. Introduction

[Figure: overview of the information security framework. Dimensions: People, Process, Technology. Security goals: confidentiality, integrity, availability. Layers: Data, Application, User, System, Network, Physical. Elements: monitoring, security strategy/organization, policy/information classification, security technology architecture, incident response, security management architecture, business continuity, personnel security, security education, outsourcing security, Audit, Validation/Audit/Measure/Certification, Enterprise Architecture & IT Planning.]

1. Size of the Security Organization

• The size of the security organization depends on:
- the size of the company
- the system environment (distributed vs. centralized)
- the number of components in the operating environment
- the company's organizational and management structure
- the number and location of operating sites
- the interconnection between sites
- the results of risk assessment
- the IT budget

2. The Executive Committee for Security

• Is comprised of director-level management who are the approval authority for all security plans relating to the protection of enterprise systems and assets
• Is responsible for ensuring that the objective of a secure operating environment is clearly defined in the enterprise strategic plans
• Is the project sponsor for the ISA (Information Security Architecture)
• Is responsible for reviewing the security policy and for ensuring that all implementation plans, procedures, and standards are consistent with senior management's overall approach to risk management and protection
• Depending on the size of the organization, this may be the executive council, the board of directors (BOD), or the information technology council

• Members: CEO, CFO, COO, CIO, security officer, department or BU directors, advisors to executive management, or members of the BOD

3. Roles

• CIO
- Mission: to provide technology vision and leadership for developing and implementing IT initiatives that create and maintain leadership for the enterprise in a constantly changing and intensely competitive marketplace.
- Role in infosec: to communicate to executive management the business risks of implementing new and distributed technology, and the necessity of developing the appropriate security infrastructure to carry out the ISA.

• CFO
- Managing IT risk becomes a major responsibility
- The CIO and the CFO share responsibility for information and technology risk

3. Roles

• Security officer
- The coordinator of all infosec activities
- Main function is not to perform all security-related functions, but to ensure that security efforts are coordinated
- Should report to executive-level management
- Position in the organization? Typically reports to the CFO, CIO, or similar

• Security team
- Security officer + security coordinators from each department + network and application administrators + representatives of the legal, human resources, and information systems departments
- Initially works on policies, guidelines, standards, and procedures; later the focus shifts to implementation, attention to current issues, review and revision of existing policies, guidelines, and standards, and periodic risk assessment

3. Roles

• Security coordinators / liaisons
• Departmental management
- Owner of the information
- Responsible for establishing the overall security strategy for the department's information
• Network and application administrators
• Human resources
• Legal counsel

3. 역할

 Helpdesk  Audit  internal, external  component audits- by system administrator  compliance audits

by security officer and Security Team  System Users 9

3. Roles

[Figure: IT security organization according to ISO/IEC TR 13335-2. Bodies and roles: IT steering committee; IT security forum (with IT representatives and IT user representatives); Corporate Management; Corporate Security Officer; Corporate IT Security Officer; Department IT Security Officer; IT project or system security officer. Corresponding policy levels: Corporate IT Security Policy & Directives; Department IT Security Policy & Directives; IT Project or System Security Policy.]

Source: ISO/IEC TR 13335-2

3. Roles

• IT security forum
- Advise the IT steering committee regarding strategic security planning
- Formulate a corporate IT security policy in support of the IT strategy and obtain approval from the IT steering committee
- Translate the corporate IT security policy into an IT security program
- Monitor the implementation of the IT security program
- Review the effectiveness of the corporate IT security policy
- Promote the awareness of IT security issues
- Advise on resources needed to support the planning process and IT security program implementation

Source: ISO/IEC TR 13335-2

3. Roles

• Corporate IT security officer
- Act as the focus of all IT security aspects within the organization
- Oversight of the implementation of the IT security program
- Liaison with and reporting to the IT security forum and the corporate security officer
- Maintaining the corporate IT security policy and directives
- Coordinating incident investigations
- Managing the corporate-wide awareness program
- Determining the terms of reference for IT project and system security officers

• IT project and IT system security officer
- May not be a full-time role
- Liaison with and reporting to the corporate IT security manager
- Issuing and maintaining the IT project or system security policy
- Developing and implementing the security plan
- Day-to-day monitoring of the implementation and use of the IT safeguards
- Initiating and assisting in incident investigations

Source: ISO/IEC TR 13335-2

4. Organizational Structure

• Centralized security administration
- Smooth communication on common issues; problems solved with internal resources
- Provides a central point of accountability, separation of duties, and economies of scale through standard solutions
- When security risk is high, the security organization is centralized with full-time positions
- Companies with high security risk either appoint a CISO or place the information security function within corporate legal or another line organization
- CISO: reports to the BOD and coordinates all information security issues across the audit, legal, and line areas

[Figure: CISO organization chart. Under the CISO: Information Security Engineer (creation and maintenance of the ISA; security assessment, training, solution implementation); Business Security Engineer (coordination with business units; establishing BU security policy); Security Research & Development (research on evolving security technologies); Security Administration Management (security administration).]

4. Organizational Structure

[Figure: five alternative placements of the IS security function. (a) President only: small company, mainly using packaged software. (b) President with an Operations Manager: the company owns its own IS, or is short of staff. (c) President with an IS unit: focus on the IS function. (d) President with CIO, IS Security Manager, Accountant, and Manager Security: security integrated into enterprise-wide security. (e) President with CSO and CISO: strengthened security.]

5. Ownership

• Owner
- The individual logically responsible for ensuring that the asset is properly safeguarded
- The individual who created the information asset, the business manager, or another person who is responsible for that asset
- Responsible for determining the sensitivity and criticality of the information
- Periodically reviews that classification to ensure that it still meets the business needs
- Ensures that security controls are in place commensurate with the classification
- Reviews and ensures currency of the previously granted access rights

5. Data/Information Ownership

• Custodian
- Physically responsible for implementing safeguards such as ACLs
- Can be designated by the owner of the information
- Typically an information systems person
- Performs backups according to the requirements established by the information owner
- When necessary, restores lost or damaged files

• Coordinator/Liaison
- The individual who has been delegated the responsibility of defining access

5. Ownership

Example information/resource ownership matrix:

No | Resource/Application | Type | Business Unit | Resource Owner | Security Liaison | Security Custodian | Level of Sensitivity
1 | HR system (인사시스템) | Business Application System | HR dept (인사부) | 김말동 부장 | 인사부 김상동 과장 | 전산부 박동동 과장 | high
2 | Accounting system (회계시스템) | Business Application System | Accounting dept (회계부) | | | |
3 | Purchasing system (구매 시스템) | Business Application System | | | | |

Further owner/liaison entries on the slide whose column positions are not recoverable: 김수동 부장, 김길동 부장, 김병동 과장, 김을동 과장.

6. Exercise: Writing the Organization and the Information/Resource Ownership Matrix

1. Information security organization
- Draw the information security organization chart
- Describe the responsibilities and roles of each participant on the chart

2. Resource ownership
- Survey the resources within scope
- Describe the Owner, Liaison, and Custodian for each resource