Original Article Information
A Study on the Improvement of Information Security Management Condition Evaluation in Public Sector through the SCAP Analysis by NIST in U.S.
Abstract
English
The 129 public institutions in Korea are subject to the Information Security Management Condition Evaluation (ISMCE) as part of the government management evaluation system of the Ministry of Economy and Finance. ISMCE started in 2006 with the central government institutions and was applied to all public institutions in 2009. The evaluation is conducted annually by the National Intelligence Service through site visits, and the number of evaluated institutions is increasing year by year. However, the ISMCE process of identifying existing vulnerabilities in information systems is conducted manually. To address this inconvenience, this paper introduces the evaluation systems of major countries, especially the United States, and analyzes the Security Content Automation Protocol (SCAP) by NIST. SCAP is an automation protocol for system vulnerability management (in technical fields) and security policy compliance evaluation. Based on SCAP, this paper suggests an improvement plan for the ISMCE of Korea.
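Table of Contents
1. Introduction
2. Domestic and International Information Security Management Systems
2.1 Overview
2.2 Analysis of U.S. Information Security Management Laws and Institutions
2.3 Analysis of Japanese Information Security Management Laws and Institutions
3. SCAP (Security Content Automation Protocol) by NIST in the U.S.
3.1 Overview
3.2 SCAP
3.2 Components of SCAP
4. Applications of SCAP
4.1 Automated Verification of Security Configurations
4.2 Requirements Traceability
4.3 Vulnerability Assessment
5. Conclusion
5.1 Conclusion and Implications
5.2 Limitations of the Study and Suggestions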
References