정보통신시스템에 대한 기술적 보안만으로는 안전한 정보통신시스템 운영을 보장할 수 없다. 따라서, 안전한 정보통신시스템 운영을 위한 정보보안관리시스템(ISMS)에 대한 연구와 표준화가 활발히 전개되고 있다. 우리나라는 2005년 “국가사이버안전관리규정”을 제정하고, “국가사이버안전매뉴얼”의 “보안관리 기준”에 의하여 국가공공기관이 자체적으로 “보안관리수준 평가”를 수행토록 함으로써 체계적인 정보보안관리 활동이 이루어지도록 하고 있다. 본 논문은 관련 표준들과 호주, 미국의 보안관리 체계에 대하여 조사하고, “보안관리수준 평가” 체계를 효율적인 보안관리 측면에서 분석하고, 이를 통하여 “보안관리수준 평가”의 개선방향에 대하여 연구하였다. 기존의 체계에 추가항목(A/C ; Additional Control), 선택적 보안관리 기준(Selective Controls) 구성을 도입하고 평가 준비 절차의 개선을 통하여 각 기관에 최적화된 보안관리 기준을 작성할 수 있도록 함으로써, 기관에 적합한 효율적 보안관리의 수행이 가능하고, 급변하는 정보통신 환경에 유연하게 대응할 수 있도록 하였다.

It will not be able to guarantee secure operation for the information and communication systems with only technical security. So, ISMS(Information Security Management System) research and standardization are active going on. Korea published “The national cyber security management regulation” and “The national cyber security manual” in 2005. According to the regulation and manual, the government organ and public institution must accomplish the security management assesment to itself for systematic management of an information security. We studied related standards and security management systems of the Australia and the USA, and analyzed the security management evaluation system in “The national cyber security manual” in efficient management focus. We presented the improvement direction of national security evaluation system through the research. We propose the additional control, selective control set and improvement of the evaluation process for efficient management. Proposed system possible composition of suitable to each organ and flexible adaptation of rapidly changed information environment.

• 요약
• ABSTRACT
• 1. 서론
• 2. 관련 연구
• 2.1 ISO/IEC 27001, 17799(BS 7799)
• 2.2 GMITS (ISO/IEC TR 13335)
• 2.3 ACSI33(Australian Government Informationand Communication TechnologySecurity Manual)
• 2.4 FISMA(Federal Information SecurityManagement Act)
• 3. 보안관리수준 평가
• 4. 보안관리수준 평가 체계 분석
• 4.1 단일 수준 보안관리 기준
• 4.2 다수준 보안관리 기준
• 4.3 미적용(N/A ; Not Applicable) 항목 적용
• 4.4 보안관리 요구 수준의 변화
• 4.5 보안관리수준 평가의 장단점
• 5. 보안관리수준 평가 체계 개선안
• 5.1 추가항목의 도입
• 5.2 선택적 보안관리 기준의 도입
• 5.3 보안관리수준 평가 준비 절차 개선
• 6. 결론
• 참고문헌

1 국가사이버안전센터, "국가사이버안전매뉴얼" 국가사이버안전센터 2005.

2 대통령훈령, "국가사이버안전관리규정(대통령훈령 제141호)" (141) : 2005.

3 International Standards Organization, "The Specification for Information Security Management Systems(ISO/IEC 27001 : 2005)" International Standards Organization 2005

4 International Standards Organization, "The Code of Practice for Information Se-curity Management(ISO/IEC 17799 : 2005)" International Standards Organization 2005

5 National Institute of Stan-dards and Technology, USA, "Standards for Security Categorization of Federal Information and Information Sys-tems(FIPS 199)" National Institute of Stan-dards and Technology, USA FIPS 199 : 2004.

6 National Institute of Stan-dards and Technology, USA, "Security Self-Assessment Guide for Infor-mation Technology Systems(NIST SP 800- 26, Rev. 1)" National Institute of Stan-dards and Technology, USA SP800 (SP800): 2005.

7 National Institute of Stan-dards and Technology, USA, "Recommended Security Controls for Fede-ral Information Systems(NIST SP 800-53, Rev. 1)" National Institute of Stan-dards and Technology, USA SP800 (SP800): 2006.

8 Attorney General’s Department, "Protective Security Manual(PSM 2005)" Attorney General’s Department Aus,2005.

9 http://ww.nist.gov, "National Institute of Standards and Tech-nology"

10 National Institute of Standards and Technology, USA, "Minimum Security Requirement for Federal Information and Information Systems(FIPS 200)" National Institute of Standards and Technology, USA FIPS 200 : 2006.

11 International Standards Organi-zation, "Information technology - Security techni-ques - GMITS Part 3 : Techniques for the management of IT Security(ISO/IEC TR 13335-3)" IEC TR 13335 (IEC TR 13335): 2006.12

12 International Stan-dards Organization, "Information technology - Guidelines for the management of IT Security Concepts and models for IT Security" International Stan-dards Organization IEC TR 13335 (IEC TR 13335): 1996.

13 International Stan-dards Organization, "Information technology - GMITS Part 2:Managing and planning IT Security(ISO/ IEC TR 13335-2)" International Stan-dards Organization IEC TR 13335 (IEC TR 13335): 1997.

14 International Stan-dards Organization, "Information technology - GMITS - Part 5:Management guidance on network se-curity(ISO/IEC TR 13335-5)" International Stan-dards Organization IEC TR 13335 (IEC TR 13335): 2000.

15 International Stan-dards Organization, "Information technology - GMITS - Part 4:Selection of safeguards(ISO/IEC TR 13335-4)" International Stan-dards Organization IEC TR 13335 (IEC TR 13335): 2000.

16 National Institute of Stan-dards and Technology, USA, "Guide for the Security Certification and Accreditation of Federal Information Sys-tems(NIST SP 800-37)" National Institute of Stan-dards and Technology, USA SP800 (SP800): 2004.

17 National Institute of Stan-dards and Technology, USA, "Guide for Developing Security Plans for Federal Information Systems(NIST SP 800- 18, Rev. 1)" National Institute of Stan-dards and Technology, USA SP800 (SP800): 2006.

18 National Institute of Stan-dards and Technology, USA, "Guide for Assessing the Security Controls in Federal Information Systems(NIST SP 800-53A)" National Institute of Stan-dards and Technology, USA SP800 (SP800): 2006.

19 US federal law : E-Govern-ment Act of 2002, "Federal Information Security Management Act of 2002 E-Govern-ment Act of 2002. USA" US federal law 2002.

20 British Standards Ins-titution, "BS 7799 Part 2:The Specification for In-formation Security Management Systems (BS 7799-2 : 2002)" British Standards Ins-titution BS 7799 (BS 7799): 2002

21 British Standards Institution, "BS 7799 Part 1:The Code of Practice for Information Security Management(BS 7799- 1 : 2005)" British Standards Ins-titution BS7799 (BS7799): 2005

22 Defence Signals Directorate, "Australian Government Information and Comunications Technology Security Man-ual" Defence Signals Directorate Aus,2005