2016 년도 1 학기 정보보호관리체계 (ISMS) 인증 이 강 신

이강신 Profile  DACOM(‘90~’92), NIA(‘92~’00), KISA(’00~’11), K&C(‘11~ 현재 )  한양대 수학 ( 학사 / 석사 ), 고려대 ( 공학박사 )  활동내역  한국정보보호학회 부회장 ( 현 )  PIPL 인증위원회 위원 ( 현 )  현대홈쇼핑 정보보호위원회 위원 ( 현 )  ISMS/PIMS 인증위원회 위원  ISO/IEC SC27 WG1 멤버  행정자치부 개인정보보호포럼 산업기술분과위원장  대통령 직속 국가정보화전략위원회 정보화역기능 전문위원  개인정보보호위원회 조사 · 분석 전문위원  쿠팡 개인정보보호위원회 위원  금융보안연구원 IT 컴플라이언스 자문위원  금융위원회 F-ISMS 태스크포스 자문위원  저술 : " 개인정보보호 기초와 활용 ", , 인포더북스  자격 : ISMS/ISO27001/PIMS/PIPL 인증심사원, CISSP/CISA/CPPG  연락처 :

수강생 소개  경력사항  현 position  관심분야 ( 전공, 취미 등 )  본 수업에서 기대하는 사항

강의 일반  강의목표 : 정보보호관리체계 수립, 인증에 대한 방법과 절차 습득  학습내용  정보보호관리에 관한 국내외 다양한 방법 ( 강의 )  ISO Series 를 이용한 체계수립 및 인증 방법 ( 세미나 발표 방식 ) ※ ISMS, NIST SP-Series, 독일의 IT Baseline Protection Manual 등 참고  인증심사 절차와 방법 ( 강의 )  진행방식  각자 40 분 발표, 참석자 질문 및 교수의 보충강의  발표자료는 1 주일 전 게시판에 업로드  평가 : 세미나 발표 (30%), 중간시험 (30%), 기말시험 (30%), 출석 (10%)

강의 일반  1 주 : 1 학기 강의일정, 방법, 교재 등 안내  2 주 : 국내외 ISMS 비교  3, 4 주 : ISO27000 ( 세미나 발표 )  5, 6 주 : ISO27001 ( 세미나 발표 )  7, 9, 10, 11, 12, 13 주 : ISO27002 ( 세미나 발표 )  14, 15 주 : ISO27005 ( 세미나 발표 )  8, 16 주 : 중간 / 기말시험

ISO/IEC JTC1  ISO/IEC JTC1 SC27 WG? 중 JTC1 까지만 공식적인 위원회임  SC27(IT Security Techniques) 는 작업 조직으로 명실상부한 위원회는 아님  Chair – Secretariat 구조  SC27 산하에 WG1 ~ 5 까지 존재  WG1~5 는 다음페이지  Convenor 구조  표준화 절차 : NP  WD  CD  (FCD)  DIS  FDIS  IS  WD 까지는 SC 범위 내에서 진행 (WD 결정은 JTC 에서 결정, 에디터 선정 )  CD 에서 3~6 개월 검토 후 3 개월 이내에 DIS 등록  DIS 에서 IS 까지 4 개월 소요 NP: New Work Item Proposal, WD : Working Draft, CD : Committee Draft, FCD : Final Committee Draft, DIS : Draft International Standard, FDIS : Final Draft International Standard, IS : International Standard P-Members : Voting, O-Members : Observing

ISO/IEC JTC1 SC27 WG1 : Information security management systems, WG2 : Cryptography & Security Mechanisms, WG3 : Security Evaluation, WG4 : Security Control & Services, WG5 : Privacy, Identity & Biometric Security

isms family of standards ( Source : ISO/IEC : 2014) 27000:2014, 27001:2013, 27003:2010, 27004:2009, 27005:2011, 27009:2012

ISO/IEC JTC1 SC27 WG1 의 ISMS 표준  ISO/IEC 27000:2014 Information technology -- Security techniques -- Information security management systems -- Overview and vocabulary  ISO/IEC 27001:2013 Information technology -- Security techniques -- Information security management systems -- Requirements ISO/IEC 27001:2013  ISO/IEC 27002:2013 Information technology -- Security techniques -- Code of practice for information security management ISO/IEC 27002:2013  SO/IEC 27003:2010 Information technology -- Security techniques -- Information security management system implementation guidance SO/IEC 27003:2010  ISO/IEC 27004:2009 Information technology -- Security techniques -- Information security management -- Measurement ISO/IEC 27004:2009  ISO/IEC 27005:2011 Information technology -- Security techniques -- Information security risk management ISO/IEC 27005:2011  ISO/IEC 27006:2011 Information technology -- Security techniques -- Requirements for bodies providing audit and certification of information security management systems ISO/IEC 27006:2011  ISO/IEC 27007:2011 Information technology -- Security techniques -- Guidelines for information security management systems auditing ISO/IEC 27007:2011  ISO/IEC TR 27008:2011 Information technology -- Security techniques -- Guidelines for auditors on information security controls ISO/IEC TR 27008:2011  ISO/IEC CD 27009:2012 The Use and Application of ISO/IEC for Sector/Service-Specific Third-Party Accredited Certifications ISO/IEC CD 27009:2012  ISO/IEC 27010:2012 Information technology -- Security techniques -- Information security management for inter-sector and inter-organizational communications ISO/IEC 27010:2012

ISO/IEC JTC1 SC27 WG1 의 ISMS 표준  ISO/IEC 27011:2008 Information technology -- Security techniques -- Information security management guidelines for telecommunications organizations based on ISO/IEC ISO/IEC 27011:2008  ISO/IEC 27013:2012 Information technology -- Security techniques -- Guidance on the integrated implementation of ISO/IEC and ISO/IEC ISO/IEC 27013:2012  ISO/IEC 27014:2013 Information technology -- Security techniques -- Governance of information security  ISO/IEC TR 27015:2012 Information technology -- Security techniques -- Information security management guidelines for financial services ISO/IEC TR 27015:2012  ISO/IEC TR 27016:2014 Information technology -- Security techniques -- Information security management – Organizational economics  ISO/IEC DIS Information technology -- Security techniques – Code of practice for information security controls based on ISO/IEC for cloud services ISO/IEC DIS  ISO/IEC 27018:2014 Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors ISO/IEC 27018:2014  ISO/IEC TR 27019:2013  Information technology -- Security techniques -- Information security management guidelines based on ISO/IEC for process control systems specific to the energy utility industry  ISO/IEC NP Information technology -- Security techniques -- Competence requirements for information security management systems professionals ISO/IEC NP  ISO/IEC TR Information technology -- Security techniques -- Mapping the revised editions of ISO/IEC and ISO/IEC ISO/IEC TR 27023

ISO/IEC JTC1 SC27 WG1 의 ISMS 표준  ISO/IEC 27031:2011 Information technology -- Security techniques -- Guidelines for information and communication technology readiness for business continuity ISO/IEC 27031:2011  ISO/IEC 27032:2012 Information technology -- Security techniques -- Guidelines for cybersecurity ISO/IEC 27032:2012  ISO/IEC :2009 Information technology -- Security techniques -- Network security -- Part 1: Overview and concepts ISO/IEC :2009  ISO/IEC :2012 Information technology -- Security techniques -- Network security -- Part 2: Guidelines for the design and implementation of network security ISO/IEC :2012  ISO/IEC :2010 Information technology -- Security techniques -- Network security -- Part 3: Reference networking scenarios -- Threats, design techniques and control issues ISO/IEC :2010  ISO/IEC :2014 Information technology -- Security techniques -- Network security -- Part 4: Securing communications between networks using security gateways ISO/IEC :2014  ISO/IEC :2013 Information technology -- Security techniques -- Network security -- Part 5: Securing communications across networks using Virtual Private Networks (VPNs) ISO/IEC :2013  ISO/IEC DIS Information technology -- Security techniques -- Network security -- Part 6: Securing wireless IP network access ISO/IEC DIS

ISO/IEC JTC1 SC27 WG1 의 ISMS 표준  ISO/IEC :2011 Information technology -- Security techniques -- Application security -- Part 1: Overview and concepts ISO/IEC :2011  ISO/IEC FDIS Information technology -- Security techniques -- Application security -- Part 2: Organization normative framework ISO/IEC FDIS  ISO/IEC NP Information technology -- Security techniques -- Application security -- Part 3: Application security management process ISO/IEC NP  ISO/IEC CD Information technology -- Security techniques -- Application security -- Part 4: Application security validation ISO/IEC CD  ISO/IEC CD Information technology -- Security techniques -- Application security -- Part 5: Protocols and application security controls data structure ISO/IEC CD  ISO/IEC CD Information technology -- Security techniques -- Application security -- Part 6: Security guidance for specific applications ISO/IEC CD  ISO/IEC NP Information technology -- Application security -- Part 7: Application security assurance prediction ISO/IEC NP  ISO/IEC NP Information technology -- Application security -- Part 5-1: Protocols and application security controls data structure -- XML schemas ISO/IEC NP

ISO/IEC JTC1 SC27 WG1 의 ISMS 표준  ISO/IEC 27035:2011 Information technology -- Security techniques -- Information security incident management ISO/IEC 27035:2011  ISO/IEC CD Information technology -- Security techniques -- Information security incident management -- Part 1: Principles of incident management ISO/IEC CD  ISO/IEC CD Information technology -- Security techniques -- Information security incident management -- Part 2: Guidelines to plan and prepare for incident response ISO/IEC CD  ISO/IEC CD Information technology -- Security techniques -- Information security incident management -- Part 3: Guidelines for CSIRT operations ISO/IEC CD  ISO/IEC :2014 Information technology -- Security techniques -- Information security for supplier relationships -- Part 1: Overview and concepts ISO/IEC :2014  ISO/IEC :2014 Information technology -- Security techniques -- Information security for supplier relationships -- Part 2: Requirements ISO/IEC :2014  ISO/IEC :2013 Information technology -- Security techniques -- Information security for supplier relationships -- Part 3: Guidelines for information and communication technology supply chain security ISO/IEC :2013  ISO/IEC WD Information technology -- Information security for supplier relationships -- Part 4: Guidelines for security of Cloud services ISO/IEC WD  ISO/IEC 27037:2012 Information technology -- Security techniques -- Guidelines for identification, collection, acquisition and preservation of digital evidence ISO/IEC 27037:2012  ISO/IEC 27038:2014 Information technology -- Security techniques -- Specification for digital redaction ISO/IEC 27038:2014  ISO/IEC 27039:2015 Information technology -- Security techniques -- Selection, deployment and operations of intrusion detection systems (IDPS) ISO/IEC 27039:2015

ISO/IEC JTC1 SC27 WG1 의 ISMS 표준  ISO/IEC 27040:2015 Information technology -- Security techniques -- Storage security ISO/IEC 27040:2015  ISO/IEC FDIS Information technology -- Security techniques -- Guidance on assuring suitability and adequacy of incident investigative method ISO/IEC FDIS  ISO/IEC DIS Information technology -- Security techniques -- Guidelines for the analysis and interpretation of digital evidence ISO/IEC DIS  ISO/IEC Information technology -- Security techniques -- Incident investigation principles and processes ISO/IEC  ISO/IEC WD Guidelines for Security Information and Event Management (SIEM) ISO/IEC WD  ISO/IEC CD Information technology -- Security techniques -- Electronic discovery -- Part 1: Overview and concepts ISO/IEC CD  ISO/IEC NP Information technology -- Security techniques -- Electronic discovery -- Part 2: Guidance for governance and management of electronic discovery ISO/IEC NP  ISO/IEC NP Information technology -- Security techniques -- Electronic discovery -- Part 3: Code of Practice for electronic discovery ISO/IEC NP  ISO/IEC NP Information technology -- Security techniques -- Electronic discovery -- Part 4: ICT readiness for electronic discovery ISO/IEC NP Source : ISO 표준화 6 단계 : NP(New work item Proposal)  WD(Working Draft)  CD(Committee Draft)  DIS(Draft International Standard)  FDIS(Fianl Draft International Standard)  IS(International Standard)

Q & A

[ 참고 ] NIST risk management framework security life cycle