KR101505079B1 - System and method of supporting task of information security - Google Patents

Abstract

Provided are a system and a method for supporting information security work which can authenticate and maintain an information security management system without consulting. The system for supporting information security work comprises: a work instructing unit for transmitting a work instruction to a terminal of a person in charge of each work item in the case that an event occurs under the condition that work items included in a work procedure to process an event requiring information security are connected to control items of each control requirement of an information security management system required to perform the work procedure; and a sorting unit for sorting the outcomes which are the work results received from the terminal of the person in charge according to the control items, and storing the sorted outcomes in a database based on the sorting.

Description

[0001] SYSTEM AND METHOD OF SUPPORTING TASK OF INFORMATION SECURITY [0002]

The present invention relates to a system and method for supporting an information security business, and more particularly, to an information security business process created by a person in charge of carrying out an information security business in the field, When an event related to the information security service procedure is reflected in the state where the control items of the information security management system are reflected, a task instruction is issued to the task person in charge of each of the control items, And accumulating the information as evidence.

The information security management system is a certification system for comprehensive management system including administrative, technical and physical protection measures that are established and operated to secure the stability of information and communication network. In other words, the information security management system is a management information security system, which establishes a systematic management framework for the management of the organization and conducts continuous information security management tasks and is required to manage the evidence to prove it.

Recently, as a result of the enactment of the Personal Information Protection Act and the surge of large-scale security accidents, the information security system certification from the management point of view has been changed from the recommendation to the compulsory information and it has been implemented since 2013 and it is recognized as an objective indicator that the minimum protection measure obligation has been fulfilled. It can be used as a means of indemnification in case of protection accidents, 50% reduction of fines, fines and lawsuits.

This information protection management system includes the US Federal Information Security Management Act (FISMA), ISO 27001 as an international standard, KISA-ISMS (KISA-Inforamtion Security Management System) Management: PIMS). Among these, KISA-ISMS and PIMS certification should be obtained in Korea.

This information protection management system consists of control items that are defined on proposition basis and that are to be performed in order to comply with these control requirements. However, in actual work sites, business procedures are defined based on events. In other words, the information protection management system is defined as proposition-based, and since the business processes in the business are event-driven, there is a gap between the information protection management system and the business processes in the business. In addition, a high level of information security knowledge is required in order to carry out information security work in the business. Due to these reasons, companies are relying on professional information security consulting for the certification and maintenance of the information protection management system.

On the other hand, if there is a security administrator who manages the information protection policy in the enterprise, the security manager confirms whether the control items of the information protection management system related to the event processing are properly performed when an event requiring information protection occurs in the actual business site, To the auditors by arranging them according to the control items of the information security management system.

In other words, when an event that requires protection of information in the enterprise in the actual workplace, for example, a retired person, the security manager confirms whether a person in charge of the work is designated for the control items of the information protection management system related to the occurrence of the employee, After that, each task manager is provided with task information and form necessary to perform the control item, and the result of the action of each task manager is obtained as a trace. After that, the security administrator arranges the trace according to the control items of the information protection management system, and then provides it to the auditor. On the other hand, each worker receives work information and forms from the security officer, and after performing the work, provides the result to the security manager in a statistical manner.

This operation is repeated to accumulate the necessary indications for authentication only when the event occurs, thereby causing the worker and the security manager to only work.

A prior art related to the present invention is Korean Patent No. 10-1008148 (registered on January 06, 2011).

A system and method for supporting the information security work that enables the certification and maintenance of the information security management system to be carried out without consulting is suggested.

In addition, a security support system and method are proposed to prevent the work load of the security administrator and the person in charge of performing the control items due to the authentication of the information protection management system.

The problems to be solved by the present invention are not limited to the above-mentioned problems, and other problems that are not mentioned can be clearly understood by those skilled in the art from the following description.

An information security service support system according to an aspect of the present invention includes a task information item included in a business procedure for processing an event requiring information protection and an information security management system A task instruction unit for sending a task instruction to a terminal of a task manager for each task item when the event is generated in a state that control items for each of the control requirements are connected; And a classifying unit for classifying the outputs as work results received from the terminal of the task manager according to the control items and storing them in a database in a database.

The business process for processing the event requiring the information protection may be a standardized business process modified or supplemented by the security manager that manages the information protection management system after being created by the person in charge of the task for each business item, It may be a business procedure standardized by the security manager from the beginning without going through the process generated by the person in charge of the task by items.

The connection between the business items included in the business procedure and the control items may be performed by a security manager managing the information protection management system.

The task assignment to the terminal of the task manager for each task item and the reception of the task result as the task result may be performed through groupware.

The system may further include a management unit for calculating a performance rate of the control requirements using the performance score of the control items by the control requirements of the information security management system.

The management unit may calculate the execution rate of the control requirements using the performance score of the lowest level control items among the control items.

The performance score of the control items may be determined as to whether the corresponding control item meets the control item scoring criteria using a score item of the control item score including a score that varies depending on whether the control item satisfies the control item scoring criteria .

The performance score of the control items may be calculated by applying a weight according to the importance set in the control item to a score obtained by determining whether the control item meets the control item scoring criteria.

The criteria for scoring the control item may include a standard that indicates whether or not the items of control included in the business procedure for processing the event requiring the information protection and the control items of the information protection management system necessary for performing the business procedure are linked Whether or not a document indicating whether or not at least one of a policy document, a guidebook, a procedure document and a form document for linking a control procedure item is linked to the control item, whether or not a document is registered, And whether or not all of the business procedures started indicating whether the business order has been completed have been completed.

The performance rate of the above control requirements can be calculated by using the scores when the performance score of the control items of the control requirement is perfect score and the performance scores of the control items of the control requirement.

The management unit may provide an accuracy evaluation interface for receiving an evaluation as to whether or not the performance of the control items has been correctly performed, and may store evaluation information inputted through the accuracy evaluation interface in the database.

According to another aspect of the present invention, there is provided a method for supporting an information security service, including: a task item included in a business procedure for processing an event requiring information protection; and an information security management system Transmitting a task indication to a terminal of a task manager for each task item when the event occurs, in a state where control items for each of the control requirements are connected; And classifying the outputs as work results received from the terminal of the task manager according to the control items and storing them in a database as a trace.

The method may further include calculating a performance rate of the control requirements using the performance score of the control items by the control requirements of the information security management system.

The step of calculating the execution rate of the control requirements may calculate the execution rate of the control requirements using the execution score of the lowest level control items among the control items.

The method includes providing an accuracy evaluation interface for receiving an evaluation of whether or not the performance of the control items has been correctly performed; And storing the evaluation information input through the accuracy evaluation interface in the database.

According to the system and method for supporting the information security service according to the embodiment of the present invention, the information security service procedure created by the person in charge of the information security service in the field, When an event related to the information security service procedure is reflected in the state where the control items of the information security management system are reflected, a task instruction is issued to the task person in charge of each of the control items, , It is possible to carry out the certification and maintenance of the information security management system without consulting.

In addition, it is possible to prevent the work load of the security manager and the person in charge of performing the control item due to the authentication of the information security management system.

FIG. 1 is a diagram illustrating a configuration of an information protection network including an information security service support system according to an embodiment of the present invention.
FIG. 2 is a diagram illustrating a configuration of an application for supporting an information security service according to an embodiment of the present invention. Referring to FIG.
3 is a diagram illustrating a business procedure for processing retirees.
Figure 4 is a bar graph and a radar chart showing the performance of control requirements.
FIG. 5 is a diagram illustrating control items of an information protection policy as a control requirement.
6 is a diagram illustrating a control item scoring table.
7 is a flowchart of a method of scoring a control item.
8 is a flowchart of a process of calculating the execution rate of the control requirement.
9 is a diagram illustrating an accuracy evaluation interface.
10 is a flowchart illustrating a method of supporting an information security service according to an embodiment of the present invention.

Hereinafter, preferred embodiments of the present invention will be described in detail with reference to the accompanying drawings.

Embodiments of the present invention are provided to more fully describe the present invention to those skilled in the art, and the following embodiments may be modified in various other forms, The present invention is not limited to the following embodiments. Rather, these embodiments are provided so that this disclosure will be more thorough and complete, and will fully convey the concept of the invention to those skilled in the art.

The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention. As used herein, the singular forms "a", "an," and "the" include plural forms unless the context clearly dictates otherwise. Also, " comprise "and / or" comprising "when used herein should be interpreted as specifying the presence of stated shapes, numbers, steps, operations, elements, elements, and / And does not preclude the presence or addition of one or more other features, integers, operations, elements, elements, and / or groups. As used herein, the term "and / or" includes any and all combinations of one or more of the listed items.

Although the terms first, second, etc. are used herein to describe various elements, regions and / or regions, it should be understood that these elements, components, regions, layers and / Do. These terms do not imply any particular order, top, bottom, or top row, and are used only to distinguish one member, region, or region from another member, region, or region. Thus, the first member, region or region described below may refer to a second member, region or region without departing from the teachings of the present invention.

Hereinafter, embodiments of the present invention will be described with reference to the drawings schematically showing embodiments of the present invention. In the figures, for example, variations in the shape shown may be expected, depending on manufacturing techniques and / or tolerances. Accordingly, embodiments of the present invention should not be construed as limited to any particular shape of the regions illustrated herein, including, for example, variations in shape resulting from manufacturing.

FIG. 1 is a diagram illustrating a configuration of an information protection network including an information security service support system according to an embodiment of the present invention.

1, an information security service support system 2 can transmit and receive data to and from a security manager terminal 1, a database 3, and a plurality of service personnel terminals 4 via a network, for example, the Internet . Therefore, the information security service support system 2 includes a communication module (not shown) that can access the network and transmit and receive data.

The information protection task support system 2 is composed of an application, a framework, a middleware, and an operating system. The middleware can be implemented as any one of Tomcat and Apache HTTP server , The operating system can be implemented with CentOS, but it is not limited thereto.

2, the application includes an operation instruction unit 21, a classification unit 22, and a management unit 23, . In the embodiment of the present invention, it is exemplified that the support of the information security service is performed by the application (App). However, it should be noted that the present invention is not limited to this but may be implemented by hardware. That is, the business instruction unit 21, the classifying unit 22, and the management unit 23 in the application (App) may be configured by hardware.

The task instructing unit 21 may be configured to perform tasks in the work procedure for handling events requiring information protection and control items of the information security management system necessary for performing the task procedures, , And transmits a business instruction to the terminal (4) of the task person in charge of each business item when an event requiring the information protection is generated. In this way, the task assignment to the terminal 4 by the task manager can be performed through the groupware 5 as shown in FIG. 1. The task instruction includes task information required to perform task items, Forms may be included.

In this case, the business procedure for processing the event requiring the information protection may be a standardized business procedure modified or supplemented by the security administrator who manages the information protection management system after being created by the person in charge of the task for each business item, Or it may be a business procedure standardized by the security manager from the beginning without going through a process generated by the person in charge of the task by each business item. It should be noted that the creation of the business procedure for processing the event requiring the information protection is exemplified as being performed by the person in charge of the task by each business item, but is not limited thereto.

The connection between the business items in the business procedure and the control items may be performed by a security manager managing the information protection management system. At this time, a plurality of (two or more) control items may be connected to one business item, or one control item may be connected. And a business item or a plurality of control items linked to a business item may belong to a single compliance or may belong to a different kind of compliance. It should be noted here that compliance can be, but is not limited to, the control requirements of the information protection management system or the internal regulations of the company. As shown in FIG. 4 and FIG. 5, the above-mentioned control requirements of the information protection management system include: 1. information protection policy, 2. information protection organization, 3. outsider security, 4. information asset classification, 5. information protection education , 6. Personal security, 7. Physical security, 8. System development security, 9. Password control, 10. Access control, 11. Operational management, 12. Electronic transaction security, 13. Security incident management, 14. Review monitoring and auditing , 15. Business continuity management, 16. Personal information protection. However, it should be noted that this is only an example.

Hereinafter, the connection between the business items and the control items included in the business procedure will be described taking as an example a case where an event requiring information protection is a retirement occurrence.

It is assumed that there are five kinds of control items defined by the information protection management system for retirees when a retiree occurs:

1. Are personnel changes due to departments and job changes, leave of absence, and retirement being shared among human resources departments, information protection departments, and information systems management departments?

2. Are there any changes in the organization of the workforce (permanent employees, temporary employees, outsourcing contractors, etc.) in the organization or are they being carried out without delay in accordance with established procedures such as returning information assets, adjusting and reclaiming access rights and confirming results at the time of retirement?

3. Do you receive a letter of confidentiality when you retire?

4. Are records of internal and external access to each protected area kept for a certain period of time and periodically examined access records and access rights?

ㆍ Removing and adjusting the right of access to retirees or job changers and collecting pass

5. Have access to information systems and critical information reviewed, reviewed, reviewed, and carried out periodic reviews?

ㆍ Delete your account without delay when you retire. (If you can not delete your account, please stop your account after collecting your rights.) ※ If you suspend or deactivate your account, you need to make it impossible to activate your account.

On the other hand, it is assumed that the work procedure for processing retirees is as shown in Fig. - "Return of the property (charge: finance department) -> Removal of the pass and deletion of the right of access (charge: the guard department) ) -> Adjustment of access right to information system and important information (charge: security department) -> Notice of retiree personnel (charge: HR department) ->

In this regard, the security administrator links the control items specified in the information protection management system for the retirement process and the business process items for the retirement process.

 The result of this connection is as follows. (Control Item 2 - Provision Form: Return Confirmation Form) -> Revoke the pass and remove the right of access. (2) Control item 4 - Provision form: Passbook receipt confirmation letter, access right deletion confirmation letter) -> Adjustment of access right to information system and important information (control item 5, control item 2 - Provision form: confirmation of access right adjustment statement) (Control Item 1 - Provision Form: Notice of Confirmation) -> End of Retiree Business Procedure ".

It should be noted that the connection information between the business items included in the business procedure and the control items is stored in the security manager terminal 1 shown in FIG. 1, but is not limited thereto. In addition, the business information included in the business procedure and the connection information between the control items include a form for carrying out the control item, for example, the control information for the control item 2, Information to carry out the control item (for example, in the case of a confidentiality agreement, the charge is the Treasury Department) may be further included.

On the other hand, the classification unit 22 receives the outputs as the result of the performance of the person in charge of the task from the terminal 4 of the task manager, classifies them according to the control items, and stores them as evidence in the database. At this time, the reception of the outputs as a result of the task execution can be performed through the groupware 5. The database for storing the vouchers may be a memory device (not shown) in the information security service support system 2 or a database 3 installed outside the information security service support system 2 as shown in Fig. have. The database 3 includes a DBMS (Data Base Management System) and a cryptographic module. The DBMS is responsible for functions such as addition, change, deletion, and retrieval of a certificate. And encrypts and stores the encrypted data.

Thus, since the accumulation of the information can be easily performed in preparation for the information security audit, it is possible to prevent the work load of the security manager and the person in charge of performing the control item from being weighted.

In addition, connection between the work items of the information protection work procedure made by the person in charge of the work in charge of the information protection work and the control items of the information security management system necessary for carrying out the above information protection work procedure Is performed by the internal security manager, not by the external information security specialist, so that the information protection business procedure can be established according to the characteristics of the enterprise.

2, the management unit 23 in the application 20 of the information security service support system 2 calculates the performance rate using the performance score of the lower level control items according to the control requirements of the information security management system, and outputs the performance ratio .

This will be described with reference to FIGS. 4 and 5. FIG. Referring to FIG. 4, the information security management system is illustrated as being composed of 16 control requirements. In other words, the information protection management system is constituted by the information protection policy, information security organization, external security, information asset classification, information protection education, human security, physical security, system development security, , Operational management, electronic transaction security, security incident management, review monitoring and audit, business continuity management, privacy ".

Each of these control requirements can be made up of four kinds of lower level control items as shown in FIG. In other words, each control requirement can be composed of the control field which is one level control item, the control item which is a 2-level control item, the control purpose which is a 3-level control item, and the inspection item which is a 4-level control item. In this case, the level of the control item is shifted from the upper level to the lower level toward the one level control item -> the 2 level control item -> the 3 level control item -> the 4 level control item. That is, the top level control item among the first level control item, the second level control item, the third level control item, and the fourth level control item is the one level control item and the lowermost level control item is the four level control item.

For example, the control requirement " information protection policy "shown in FIG. 5 is composed of a control level of a level 1 control level, a control level of a level 2 control level, a control level of a level 3 control level, .

The first level of control, the control sector, consists of the approval and release of the 1.1 policy, the system of the 1.2 policy, and the control of the maintenance of the 1.3 policy.

1.1 Level 2 control items, which are low level control items for approval and publication of policies, can be made with the approval of the 1.1.1 policy and the publication of the 1.1.2 policy. 1.1.1 The level 3 control level, which is the lower level control level for the policy approval, is defined as "the information security policy should be reviewed by the interested parties and approved by the CEO," and 1.1.2 lower level control Item 3 level control item is "Information protection policy document should be communicated to all employees and related persons in easy-to-understand format."

1.1.1. The control items (level 4 control items), which are subordinate to the lower level control items (level 3 control items) for approval of policy, are those that are reviewed by the interested parties in the revision and revision of information protection policies and policy implementation documents Is the approval of the chief executive officer (CISO, etc.) delegated by the chief executive officer at the revision or amendment of the policy implementation documents such as "Are they approved? "to be. And 1.1.2 The lower level control items (level 4 control items) for the lower level control items (third level control item) for the publication of policy are "related to the contents of the information protection policy and policy implementation documents Are they publishing to employees? Is the information protection policy and policy implementation document communicated to relevant employees in an easy-to-understand format and provided with the latest version? "

The system of 1.2 policy and the maintenance of 1.3 policy, which are the control level of the first level control item, are composed of the second level control level, the third level control level, and the fourth level control level as in the case of the approval and publicity of the policy. Since the types are shown in Fig. 5, a description thereof will be omitted here.

The execution rate of the control requirement can be calculated using the performance score of the inspection item, which is the 4th level control item, the lowest level control item among the lower level control items of the control requirement.

The reason for using the performance score of the lowest level control item (level 4 control item) as a condition for calculating the execution rate of the control requirement is that the lowest level control item (level 4 control item) Because they are consistent with or most similar to the work items in the business process. Therefore, the lowest level of the control requirements of the Information Security Management System (4 levels of control items), which are necessary for carrying out the above information protection business procedure, The work items of the information protection work procedure made by the person in charge of the work in charge of the field can be linked.

The management unit 23 first calculates the performance score for each of the lowest level control items of the control requirement, and calculates a score obtained when the performance score of the corresponding control item is perfect for each of the lowest level control items, , The execution rate of the control requirement to which the lowest level control items belong belongs is calculated.

First, the performance score of the lowest level control items included in the control requirement is calculated using the control item score table including scores that vary depending on satisfaction of the control item score criteria of the lowest level control item, Level control items satisfy the control item scoring criteria.

In this case, the criteria for scoring the control item may include a link between control items for the control items of the information protection management system necessary for the operation of the business procedure and the business items included in the business procedure for processing the event requiring the information protection Whether or not the standard business procedure is represented,

Whether or not a document indicating whether at least one of the policy document, the guidebook, the procedure document and the form document for carrying out the control item is linked to the corresponding control item, and

Completion of all started business procedures indicating whether or not the business order has been completed to the terminal of the business person in charge by the business items ", but it should be noted that the present invention is not limited thereto .

In the part for determining whether the standard business procedure is connected, the business procedure is a standardized business procedure modified or supplemented by the security manager that manages the information security management system after being created by the task person in charge of the business items, It may be a standardized business procedure by a security manager who manages the information security management system from the beginning.

An example of the control item scoring table is shown in FIG. Referring to FIG. 6, the control item scoring table is composed of scoring standards for the control item, an implementation status indicating that the lowest level control item satisfies the control item scoring criteria, and a score corresponding to the implementation status . For example, is the lowest level control item linked to the standardized business process (whether the standard business process is connected), whether the document is registered (whether the document is registered), all completed business processes have been completed Completion status), the implementation status is YES grade, and the score for YES grade is '10'.

FIG. 7 shows a flowchart of a method of scoring a control item to determine whether the lowest level control items included in the control requirement satisfies the control item scoring criteria and calculates the performance score of the lowest level control item. Referring to FIG. 7, the management unit 23 confirms whether the lowest level control item (the inspection item as the fourth level control item in FIG. 5) is linked to the standardized business procedure, and if not, the lowest level control item If the implementation status is "NO" and if it is linked, check whether the document of the lowest level control item is registered. At this time, the document of the lowest level control item may include at least one of policy document, guidebook, procedure, and form document for the execution of the lowest level control item.

As a result of checking, if the document of the lowest level control item is registered, the management unit 23 confirms whether all the started tasks have been completed. That is, it is confirmed whether or not at least one lowest level control item connected to the task item, that is, the task item, has been delivered to the terminal of the task person in charge of each task item. It should be noted that this can be done through, but not limited to, an acknowledgment of the lowest control item of the person in charge of the task (this acknowledgment can be received via the groupware 5 of FIG. 1). If all tasks started are checked, the implementation status of the lowest level control item is determined as "YES", and if all the tasks started are not terminated, the implementation status of the lowest level control item is determined as "P3".

On the other hand, if the document of the lowest level control item is not registered, the management unit 23 confirms whether all the started tasks have been completed. As a result of confirmation, if all the tasks started are completed, the implementation status of the lowest level control item is determined as "P2", and if all tasks started are not ended, the implementation status is determined as "P1".

As shown in Fig. 6, the determined score of the implementation status is set to 10 points for YES, 8 points for P3, 5 points for P2, 2 points for P1, and 0 point for NO. However, it should be noted that the score thus set is not limited thereto.

After the performance score of the lowest level control items included in the control requirement is calculated, when the management unit 23 confirms whether the importance level is set for each of the lowest level control items, if the importance level is set, the weight of the importance level is set to the lowest level This can be reflected in the performance score of the control item. In this case, the importance may be high, normal, or low. The weight of high may be 1.5, the weight of normal may be 1, and the weight of low may be 0.5. It should be noted that the weights of the types of importance and the types of importance are not limited thereto and can be variously changed.

In this way, when importance is set on the lowest level control item, the significance is reflected in the performance score of the lowest level control item. First, the execution score of the lowest level control item is calculated according to the control item scoring method as shown in FIG. 7, and the weight of the lowest level control item calculated above is reflected in the calculated execution score of the lowest level control item do. For example, if the calculated score of the lowest level control item is 15, and the importance is high and the weight of importance is 1.5, the score of the lowest level control item is changed to 22.5 (= 15 × 1.5) .

When the performance score for the lowest level control items included in the control requirement is calculated, the management unit 23 calculates the score of the performance score of the control item for each of the lowest level control items and the score of the calculated control item Using the performance score, the execution rate of the control requirement to which the lowest level control items belong belongs is calculated.

The process of calculating the execution rate of the control requirements to which the lowest level control items belongs will be described with reference to the control item score table shown in FIG.

Referring to FIG. 8, the control item score table is illustrated to include the five lowest level control items included in the control requirement, that is, the control item score table is defined in 1.1.1.1 information protection policy and policy enforcement document 1.1.1.2 Has the CEO been approved at the time of revising or revising the information protection policy? ", 1.1.1.3 Amendment or amendment of policy implementation documents such as guidelines and procedures (CISO, etc.)? ", 1.1.1.4" Is the information published in the revision or revision of the information protection policy and policy implementation document released to relevant employees? Do you provide protection policy and policy enforcement documents in an easy-to-understand format and provide them as up-to-date versions? "Includes information on implementation status, importance, score, and full marks. In this case, the "score score" indicates the score when the implementation status of each of the lowest level control items is "YES " irrespective of the importance, and" score "indicates the lowest score calculated by the control item score method Indicates the performance score of the control item.

The performance rate of the control requirement to which the lowest level control items belong can be calculated using the formula (sum of the scores of the lowest level control items / sum of the scores of the lowest level control items) × 100. Therefore, the execution rate of the control requirement including the lowest level control items included in the control item score table in FIG. 8 is 50 (= (27.5 ÷ 55) × 100)%. The implementation rate of this control requirement will change as the implementation status changes.

The management unit 23 outputs the execution rate of the control requirements calculated in the form of a bar graph (not shown) or a radial chart 32 shown in FIG. 4 on the screen of the security manager terminal 1 or the worker terminal 4 can do.

This enables the security administrator or the task person to grasp the performance rate of the control requirements of the information security management system at a glance. This concerns conformance testing to determine the degree of performance of the control requirements of the information protection management system.

In addition, the management unit 23 provides an accuracy evaluation interface for receiving an evaluation as to whether the control item has been correctly performed through the evidence for each of the control items, And stores the information in the database. This accuracy evaluation interface can be performed by the security manager, and accordingly, the accuracy evaluation interface can be output to the screen of the security manager terminal 1. [ An example of such an accuracy evaluation interface is shown in FIG. Through the accuracy evaluation interface shown in FIG. 9, information on the importance of the lowest level control items of the information security policy among the control requirements, the implementation status, the number of the marks, and the related documents are outputted and the accuracy evaluation of the lowest level control items In addition, menus are provided for the control items, operation details, and evaluation. The security administrator can select the number of the correctness evaluation interface for the accuracy evaluation and download the related vouchers from the database. After reviewing the traces downloaded, the security administrator can perform the accuracy evaluation of the lowest level control items on the control requirements through the application of the control items, operation contents, and the evaluation menu in the accuracy evaluation interface. Such an accuracy assessment can modify internal procedures and prepare for responses to external audits.

Before the accuracy evaluation interface shown in FIG. 9 is output to the screen of the security manager terminal 1, the selection of the control requirement and the task execution period should be made. That is, the management unit 23 selects the control requirement and the task execution period to be subjected to the accuracy evaluation from the security manager and confirms it in the database and outputs it to the accuracy evaluation interface as shown in FIG.

10 is a flowchart illustrating a method of supporting an information security service according to an embodiment of the present invention.

The method for supporting the information security service shown in FIG. 10 can be performed by the information security service support system 2 shown in FIG. 1, but it is not limited thereto.

The business instruction unit 21 may control the items included in the business procedure for processing events requiring information protection and the control items of the information security management system necessary for performing the business procedure In the connected state, when the event occurs, a task instruction is transmitted to the terminal 4 of the task manager of each business item (S10).

Thereafter, the classification unit 22 classifies the outputs, which are the business results received from the terminal 4 of the task manager, by the control items, and stores them in the database as a trace (S20).

Further, the method for supporting the information security service may further include a step of the management unit 23 calculating the performance ratio of the control requirements using the performance score of the control items by the control requirements of the information security management system. At this time, the performance rate of the control requirements can be calculated using the performance score of the lowest level control items among the above control items.

The performance score of the control items may be determined as to whether the corresponding control item meets the control item scoring criteria using a score item of the control item score including a score that varies depending on whether the control item satisfies the control item scoring criteria .

The performance score of the control items may be calculated by applying a weight according to the importance set in the control item to a score obtained by determining whether the control item meets the control item scoring criteria.

The control item scoring criteria may be such that the control item scoring criteria comprise at least one of the following: task items included in a business procedure for processing the event requiring the information protection and control requirements of the information protection management system required to perform the business procedure Whether or not standard business procedures indicating whether or not the individual control items are connected,

Whether or not a document indicating whether at least one of the policy document, the guidebook, the procedure document and the form document for carrying out the control item is linked to the corresponding control item, and

Completion of all started business procedures indicating whether or not the business order has been completed to the terminal of the business person in charge by the business items ", but it should be noted that the present invention is not limited thereto .

In the part for determining whether the standard business procedure is connected, the business procedure is a standardized business procedure modified or supplemented by the security manager that manages the information security management system after being created by the task person in charge of the business items, It may be a standardized business procedure by a security manager who manages the information security management system from the beginning.

The performance rate of the above-mentioned control requirements can be calculated by using scores obtained when the performance score of the control items of the relevant control requirement is perfect score and performance scores of the corresponding control items.

The management unit 23 may provide an accuracy evaluation interface for receiving an evaluation as to whether or not the performance of the control items has been correctly performed, and may store evaluation information inputted through the accuracy evaluation interface in the database.

The present invention has been described above with reference to the embodiments. It will be understood by those skilled in the art that various changes in form and details may be made therein without departing from the spirit and scope of the invention as defined by the appended claims. Therefore, the disclosed embodiments should be considered in an illustrative rather than a restrictive sense. Therefore, the scope of the present invention is not limited to the above-described embodiments, but should be construed to include various embodiments within the scope of the claims and equivalents thereof.

Claims (22)

After a business procedure for processing an event requiring information protection is determined, a control item for each of the business items included in the business procedure, which is necessary for performing the business procedure, A task instruction unit for transmitting a task instruction to a terminal of a task person in charge in the event of occurrence of the event in a state where at least one of the control items is connected to the task item, ) Or belong to different heterogeneous compliances;
A classifying unit for classifying the outputs as work results received from the terminal of the worker in accordance with the control items and storing the classified results in a database; And
The score of the lowest level control item of the control requirement is calculated and the score of the lowest score of the control item of the lowest level and the performance score of the calculated lowest level control item calculated are used And a management unit for calculating the execution rate of the control requirement and outputting the execution rate of the calculated control requirement in a bar graph or a radar chart format,
The execution score of the lowest level control item is determined as whether the lowest level control item satisfies the control item scoring criteria by using a control item scoring table including a score that varies depending on satisfaction of the control item scoring criteria of the lowest level control item And the weighted value according to the importance level set in the lowest level control item is applied to the score, and the control item scoring table shows the degree of satisfaction of the control item scoring criteria with the control item scoring criteria and the lowest level control item And the score corresponding to the implementation status -
The criteria for scoring the control item may include a standard that indicates whether or not the items of control included in the business procedure for processing the event requiring the information protection and the control items of the information protection management system necessary for performing the business procedure are linked Whether or not a document indicating whether or not at least one of a policy document, a guidebook, a procedure document and a form document for linking a control procedure item is linked to the control item, whether or not a document is registered, Whether or not the work order has been completed, and whether or not all of the started work procedures indicating completion of the work order have been completed. The method according to claim 1,
The business process for processing the event requiring the information protection includes:
A standardized business procedure modified or supplemented by a security administrator who manages the information protection management system after being created by a task manager for each business item, Wherein the information processing system is a standardized business procedure by the security administrator. The method according to claim 1,
The connection between the business items included in the business procedure and the control items,
Wherein the information security management system is performed by a security manager that manages the information security management system. The method according to claim 1,
Wherein the task information of the task person in charge of the task items and the task information in the task information are received through groupware. delete delete delete delete delete delete The method according to claim 1,
Wherein,
Wherein the accuracy evaluation interface is provided to receive an evaluation of whether or not the performance of the control items has been accurately performed, and the evaluation information inputted through the accuracy evaluation interface is stored in the database. After a business procedure for processing an event requiring information protection is determined, a control item for each of the business items included in the business procedure, which is necessary for performing the business procedure, Sending a task indication to a terminal of a task manager for each of the task items when the event occurs, wherein one or more of the control items connected to the task item has a single compliance, Or belong to different heterogeneous compliance;
Categorizing artifacts as work results received from the terminal of the worker in accordance with the control items and storing them in a database as a trace; And
The score of the lowest level control item of the control requirement is calculated and the score of the lowest score of the control item of the lowest level and the performance score of the calculated lowest level control item calculated are used Calculating a performance ratio of the control requirement and outputting the performance ratio of the calculated control requirement in a bar graph or a radar chart format,
The execution score of the lowest level control item is determined as whether the lowest level control item satisfies the control item scoring criteria by using a control item scoring table including a score that varies depending on satisfaction of the control item scoring criteria of the lowest level control item And the weighted value according to the importance level set in the lowest level control item is applied to the score, and the control item scoring table shows the degree of satisfaction of the control item scoring criteria with the control item scoring criteria and the lowest level control item And the score corresponding to the implementation status -
The criteria for scoring the control item may include a standard that indicates whether or not the items of control included in the business procedure for processing the event requiring the information protection and the control items of the information protection management system necessary for performing the business procedure are linked Whether or not a document indicating whether or not at least one of a policy document, a guidebook, a procedure document and a form document for linking a control procedure item is linked to the control item, whether or not a document is registered, And whether or not all of the business procedures started indicating whether the business order has been completed are included. The method of claim 12,
The business process for processing the event requiring the information protection includes:
A standardized business procedure modified or supplemented by a security administrator who manages the information protection management system after being created by a task manager for each business item, Wherein the security manager is a standardized business procedure from the security manager. The method of claim 12,
The connection between the business items included in the business procedure and the control items,
Wherein the information security management system is performed by a security administrator who manages the information security management system. The method of claim 12,
Wherein instructions for a task to a terminal of a task manager for each of the task items and reception of outputs of the task result are performed through groupware. delete delete delete delete delete delete The method of claim 12,
Providing an accuracy evaluation interface for receiving an evaluation of whether or not the performance of the control items has been correctly performed; Wow
And storing the evaluation information input through the accuracy evaluation interface in the database.

Images