Mathematical model-based security management framework for future ICT outsourcing project

Moon, Jewook,Lee, Chanwoo,Park, Sangho,Kim, Yanghoon,Chang, Hangbae Elsevier 2018 Discrete Applied Mathematics Vol.241 No.-

<P><B>Abstract</B></P> <P>The information communication technology (ICT) outsourcing market is growing larger every year from the increasing number of companies that utilize ICT outsourcing, as industry scale increases and industrial specialization intensifies. However, the current circumstance is that security accidents related to ICT outsourcing are continuously occurring at an increasing scale. There is a lack of studies measuring the level of security management of organizational ICT outsourcing, which is the first step in performing security management of ICT outsourcing. In addition, most studies focus on general organizational security management. Accordingly, this paper aimed to design a model to measure the level of security management of companies utilizing ICT outsourcing. Specifically, this paper analyzed security vulnerabilities that could occur in ICT outsourcing that may be mapped with the accorded security measures as solutions to deduce items for ICT outsourcing security inspections. Next, this paper developed an ICT outsourcing security level quantification model by verifying the validity of the security inspection items deduced and by estimating item-specific weighted points. Additionally, the applicability of the ICT outsourcing security level quantification model developed was verified by applying it to actual companies.</P>

행정기관 정보시스템 운영아웃소싱 실태 분석

정명주(Myung Ju Chung),이재근(Jae Guen Lee),이영환(Young Hwan Lee),김동현(Dong Hyun Kim) 서울행정학회 2005 한국사회와 행정연구 Vol.16 No.3

Since 1997, our government has promoted the reform in public area. Especially outsourcing policy was sentenced to public functions, except core competence functions in public aspects. At that time with information system areas, system development has widely been outsourced, but with system management, many public agencies adapted internal delivery method. But from then. outsourcing guidelines have been applied to information system management. Due to that top-down approach of outsourcing policy, many agencies that adapted system management outsourcing method, were confused for contract type, objectives of outsourcing, manual of outsourcing management and so on. The purpose of this study is to examine the system management outsourcing status of two agencies-The Korean Intellectual Property Office and Korea Customs Service, especially with objectives of outsourcing, contract type and management style with outsourcing. And this three aspects impact the security of public DB, dependence to service provider and finance of outsourcing. So in final section. this paper analyzed this three aspects of outsourcing connecting with objectives, contract type and management type.

IT 아웃소싱환경에서 성공적인 정보 보호에 관한 연구

Cha, Kyung Jin 한국로고스경영학회 2019 로고스경영연구 Vol.17 No.1

One of important factor besides the administrative and technical aspects of security accidents, such as personal information leakage from IT outsourcing environments, is the release by internal project staff from the complex subcontracting environment of IT industry. Hacking, administrator negligence, etc. can be solved through reinforcement of internal training and continuous security solutions, but leakage of internal project staff can not be easily solved not only by client companies but also by supplier companies and their subcontractors. Therefore, this study was designed to analyze the risk factors of information security in the IT outsourcing environment through a qualitative research method and to examine an effective data protection strategy within IT outsourcing environment. Based on information security characteristics in outsourcing environment obtained through preliminary research examination and expert interview, Delphi study was conducted with 25 expert from both client, supplier companies and academians in Korea. As a result of the first round of the Delphi, the security risk factors of the IT suppliers were derived as the main factors: security capabilities, organizational relationships, and structural governance. The second and third rounds of delphi study showed that the absence of SLA-related agreements, unclear data security responsibilities, and the average value of frequent personnel moves were the highest factor. On the other hand, the lack of security control processes by business partners and the absence of stable technical institutional mechanisms were also found as important factors. Finally, lack of trust between organizations, various interests between organizations, and communication between organizations were important risk factors. Most notably, the difference in perception between the client company and subcontractors was the difference in perception, such as the level of security, the difference in purpose, and the perception of critical information between the vendors, which could be a barrier to maintaining the high level of information security. This study is intended to provide an information security strategy that is applicable to IT outsourcing environment, through a delphi study of expert from client and supplier companies and subcontractors. The result of this study can be used as a guideline for developing security practices in IT outsourcing environment. IT 아웃소싱환경에서의 개인정보 유출과 같은 보안사고의 원인 중 관리적, 기술적 측면 이외에 또 다른 중요한 요인은 복잡한 하청 구조의 성격을 띠는 아웃소싱 환경에서 비롯된 프로젝트 내부직원에 의한 유출이다. 해킹, 관리자 부주의 등의 경우 내부 교육 및 지속적인 보안 솔루션의 강화를 통해 해소할 수 있으나, 내부 직원에 대한 유출은 발주업체뿐만 아니라 하청업체 직원에서도 발생할 수 있다는 점에서 해결하기 쉽지 않은 문제이다. 따라서 본 연구는 질적 연구방법을 통해 아웃소싱환경에서의 정보보안 위험요인을 분석하고 발주업체와 하청업체 간 효과적인 정보보호 전략을 살펴보고자 하였다. 선행연구고찰과 전문가 인터뷰를 통해 얻어진 아웃소싱환경에서의 정보보안 특성을 토대로, IT아웃소싱산업(또는 SI산업)에 10년 이상 종사하는 발주업체의 PM 8명과 프로젝트 경험이 10년 이상 있는 협력업체 관리자와 하도급업체대표 7명, 정보보호 연구경력 5년 이상의 연구자 5명의 전문가들을 패널로 총 25명을 선정하여. 델파이 1차 라운드 결과, 정보보안 위험요인으로 협력 업체의 보안 역량, 조직적 관계, 구조적 거버넌스가 주요요인으로 도출되었다. 2차와 3차에 걸친 라운드를 통해 구조적 거버넌스 관련 요인으로는 SLA 보안관련 계약내용의 부재, 데이터보안의 책임소재 불분명, 직원의 잦은 이동의 평균값이 가장 높게 나타났다. 한편, 인력의 보안역량과 관련해서는 협력업체의 보안통제프로세스의 부재, 안정된 기술적 제도적 매커니즘의 부재가 중요한 요인으로 도출되었다. 마지막으로 조직적 관계 관련 요인으로는 조직간 신뢰부족, 조직간 다양한 이해관계, 조직간 커뮤니케이션이 중요 위험요인으로 나타났다. 무엇보다 본연구와 선행연구와의 차별성이 가장 두드러지는 부분은 발주 업체와 하청 업체의 인식 차이를 확인할 수 있었다는 점이며, 이러한 서로의 인식차이는 업체 간 보안의 수준, 목적의 차이 및 중요 정보의 인지 등 인식의 차이로 이어질 수 있으며, 향후 보안 수준 유지 및 솔루션 진행에 장애가 될 수 있다는 점이다. 본 연구는 기존의 기술적 관리적 정보보호 관점에서 벗어나, 발주 업체 및 하청 업체의 현업인원들의 델파이기법을 통해 IT아웃소싱이라는 특수한 환경에 적용 가능한 정보보안 전략을 제시한다는 것에 그 의의가 있다. 또한 현업 종사자들의 검증된 모델을 통해 해당 연구가 실무에 적용할 수 있는 가능성이 크다는 점에서 실무 종사자들이 보안 방안을 수립하는 데 있어 가이드라인으로도 활용이 가능할 것이다.

기업의 내부 인력 보안을 위한 IT 외주 용역 특성 분석

김지연,김형종 한국지식정보기술학회 2012 한국지식정보기술학회 논문지 Vol.7 No.1

As many enterprises implement an information system to manage their business, IT outsourcing that operates and manages the system is increasing. Information systems can integrate all business resources and manage business processes, which enables the outsourced employees to obtain critical information about enterprise business. Actually, a large portion of security incidents regarding information leakage of enterprises are being caused by IT outsourcing. However, there is a lack of guidelines that can be used to establish security measures for the outsourcing, because domestic and foreign information security management systems (ISMS) do not specify various types of IT outsourcing even though they provide security requirements for organizations. In this paper, we classify various types of IT outsourcing and define their characteristics considering information system’s architecture, such as the status of network isolation, IT resource type, employees’ location and their access authorization.

AHP를 이용한 정보보안 요소의 중요도 평가: 국방기관 정보시스템 외주개발 사례

박동수,윤한성 (사)디지털산업정보학회 2018 디지털산업정보학회논문지 Vol.14 No.3

In this paper, we identify and evaluate the information security factors considered in outsourcing development of information systems for defense agency with analytic hierarchy process(AHP). To assess the information security elements, we prepared three groups including the experts of a defense agency, subcontractor managers and subcontractor practitioners who are involved in developing information systems. And the relative importance of security factors were analyzed using questionnaires and responses. As a result of analysis of 27 security factors, factors corresponding to human and physical security as a whole were evaluated as having higher importance. Although there are some differences in the ranking of some importance according to human roles, they can be positive for the implementation of complementary information security. And administrative security and technical security can be relatively insignificant considering that they can be considered as infrastructure of the overall information environment. The result of this paper will be helpful to recognize the difference of perception of information security factors among the persons in the organization where collaboration is activated and to prepare countermeasures against them.

Soft Systems are Ubiquitous-Defenses are Rare: A Case for Contingent Outsourcing of Patch Management

Arnett Kirk P. Korea Association of Information Systems 2005 情報시스템硏究 Vol.14 No.3

Computer attacks on vulnerable software are ubiquitous. Today's attacks on client PCs can be used to create armies of zombie computers that are capable of wide reach attacks on high profile businesses and governments. The simple act of patching software vulnerabilities will certainly mitigate this problem, but patching has its own set of problems. Further, it is frequently the case that patches which are available to mitigate vulnerabilities are not being made on a timely basis and sometimes are not being made at all. One solution to the patch management dilemma is outsourcing. This paper notes that outsourcing is not a carte blanche decision that can be made based on dollars, but rather that a contingency decision matrix can provide guidance on outsourcing solutions for patch management and other security components as well. The matrix recognizes that IS staff expertise and employee security awareness are two important factors in the outsourcing decision.

A Fast and Secure Scheme for Data Outsourcing in the Cloud

( Yanjun Liu ),( Hsiao-ling Wu ),( Chin-chen Chang ) 한국인터넷정보학회 2014 KSII Transactions on Internet and Information Syst Vol.8 No.8

Data outsourcing in the cloud (DOC) is a promising solution for data management at the present time, but it could result in the disclosure of outsourced data to unauthorized users. Therefore, protecting the confidentiality of such data has become a very challenging issue. The conventional way to achieve data confidentiality is to encrypt the data via asymmetric or symmetric encryptions before outsourcing. However, this is computationally inefficient because encryption/decryption operations are time-consuming. In recent years, a few DOC schemes based on secret sharing have emerged due to their low computational complexity. However, Dautrich and Ravishankar pointed out that most of them are insecure against certain kinds of collusion attacks. In this paper, we proposed a novel DOC scheme based on Shamir`s secret sharing to overcome the security issues of these schemes. Our scheme can allow an authorized data user to recover all data files in a specified subset at once rather than one file at a time as required by other schemes that are based on secret sharing. Our thorough analyses showed that our proposed scheme is secure and that its performance is satisfactory.

다면평가제도의 산업보안 분야에 대한 활용방안과 효과성 분석

황윤희,정호준,유진호 한국산업보안연구학회 2015 한국산업보안연구 Vol.5 No.2

최근 내부자에 의한 정보유출 사건이 이슈화됨에 따라 정보보안업계에서의 인 사관리가 주목받고 있으나, 현실적인 대안은 제시되지 못하고 있다. 특히나 정보 보안업계의 특성 상 비용절감을 이유로 아웃소싱 이용비율이 증가함에도 불구하 고 해당 업계에 효과적으로 반영되지 못하고 있는 듯하다. 본 연구에서는 이를 개선하기 위해 정보보안업계 인력관리 현황 및 관련제도 조사결과를 바탕으로 다면평가제를 도입하고자 하였다. 세부적으로 ISO 27001과 ISMS의 ‘인적보 안’ 관리항목을 분석하고, 다면평가제 도입 As-Is vs To-Be 모형을 완성하여 외주업체 인력이 인사평가에 참여하는 다면평가제 도입의 당위성을 설명하였다. 다면평가제의 적합성은 대표적 유출사고 6건에 대해 인사관리 변화 후 가상시나 리오를 작성하는 것으로 검증하였다. 본 연구의 결과를 활용하여 기업은 다면평 가제를 채택함에 따라 아웃소싱 인력의 원활한 관리를 통해 보안성을 증진시킬 것으로 기대된다. Recently, the human resource management has been highlighted in the information security business because of insider’s information spill but, there is no realistic alternatives. Specially, it seems that this problem is not reflected since many companies use the outsourced service to reduce the cost. So, in order to solve this problem, this study introduces the multi source assessment on the findings of the human resources management and related system on information security business. Making detailed comparisons between ISO 27001 and ISMS of human resources managemnet, this study makes the model of introducing the multi source assessment on As-Is Vs To-Be and explains needs of the multi source assessment that employees of the outsourced service participate in performance appraisal. After changing human resource management, Multi-source assessment’s suitability was verified by setting virtual scenario about representative 6 data leak examples. This research results expect that Introducing the multi source assessment which successfully manages the outsourcing worker improves the information security.

글로벌 아웃소싱의 노동법적 문제

김기선(Ki Sun Kim) 한국고용노사관계학회 2016 産業關係硏究 Vol.26 No.3

사업 또는 사업의 일부를 해외로 아웃소싱하는, 이른바 글로벌 아웃소싱을 시도하는 기업의 리스트가 점점 늘어나고 있다. 이러한 트렌드는 경제의 근본적인 구조변화로서 경제가 한 국가 단위를 초월하여 국제적인 가치사슬(Value Chain)을 형성하게 되었음을 보여주는 것이다. 글로벌 아웃소싱이 고용 및 일자리 등 국내 노동시장에 어떠한 영향을 미칠 것인지를 이론적으로 예측하기란 어려운 문제이다. 다만 확실한 것은 글로벌 아웃소싱이 각 생산요소의 국제적 이동가능성을 비대칭적으로 증가시킨다는 점이다. 글로벌 아웃소싱에 의해 자본이라는 요소의 이동성은 급격히 증가하는 반면, 노동이라는 요소는 그 속성상 일정한 지역과 결합되어 있는 경우가 대부분이어서 여전히 이동성이 제약되기 때문이다. 이 글은 글로벌 아웃소싱을 둘러싸고 벌어지는 노동법적 문제와 그 과제를 다룬다. 이와 관련하여 이 글에서는 우선 글로벌 아웃소싱으로 인한 고용관계의 이전의 문제를 살핀다. 이후 글로벌 아웃소싱으로 인한 경영상 이유에 의한 해고의 문제를 검토한다. 또한 글로벌 아웃소싱과 관련해서는 구조조정의 쟁의행위의 정당성이 문제될 수 있다. 끝으로, 이 글에서는 고용안정협약과 관련된 문제를 검토한다. The list of companies that performs a shift operating locations abroad, is getting longer. This development is an expression of a fundamental structural change in the economy that creates international value chains. The impact of these developments on the labor market in general are difficult to assess. The starting point is indisputable that the opportunities for cross-border Moblität for the factors of production grow asymmetrically. While the mobility of the factor capital has grown dramatically by these developments, the factor work remains localized for structural reasons. This paper deals with labor law issues of global outsourcing. In this context, first focus is the question of the transfer of employment. Following this, the legality of the dismissal for business reasons should be stated. Then the question arises whether the strike against the dismissal for business reasons is unlawful. Finally, this paper deals with the legal problems of securing employment agreement.

보안관리 공정성이 IT 외주개발자의 보안준수 의지에 미치는 영향

이재구,박현애,유영천,이환수 한국산업보안연구학회 2020 한국산업보안연구 Vol.10 No.2

Companies are using IT outsourcing to efficiently use their core competencies. However, the lack of security awareness of IT outsourcing developers and inadequate security management of ordering companies are suggested as one of the causes of security incidents. Therefore, this study examines how the fairness of security management affects the willingness to comply with security targeting IT outsourced developers. As a result of conducting an empirical analysis based on 103 samples, it was analyzed that procedural fairness in the external site and interaction fairness in the internal site were important antecedents. This means that security procedures are clearly set at the site, and within the site, the willingness to comply with security can be improved when communication between employees is active. The results of this study have academic significance in that the organizational fairness theory is applied to the security field and presented as a new security theory, and practical implications are in that it suggests the direction of security management for outsourced developers. 기업은 핵심 역량을 효율적으로 사용하기 위해 IT 아웃소싱을 활용하고 있다. 그러나, IT 외주개발자의 보안인식 결여 및 발주기업의 보안관리 미흡 등이 보안사고의 한 원인으로 제시되고 있다. 이에 본 연구는 실제 IT 외주개발자를 대상으로 보안관리 공정성이 보안준수 의지에 어떻게 영향을 미치는지를 고찰하였다. 103명의연구 표본을 바탕으로 실증분석을 수행한 결과, 고객사에서는 절차공정성이, 외주기업에서는 상호작용공정성이 중요한 선행요인인 것으로 분석되었다. 이는 고객사에서 보안절차가 명확히 설정되어 있고, 외주기업에서는 직원 상호 간의 의사소통이 원활해야 보안준수 의지가 향상될 수 있다는 것을 의미한다. 본 연구결과는 조직공정성 이론을 보안 분야에 적용하여 새로운 보안이론으로 제시하였다는 점에서학술적 의의가 있고, 외주개발자들의 보안관리 방향을 제시한다는 점에서 실무적시사점이 있다.