KR102375784B1 - Security-by-design methodology using evidence-based security approach - Google Patents

Abstract

According to some embodiments of the present disclosure, a security internalization method is disclosed. The security internalization method includes: mapping the security internalization methodology and the evidence-based security methodology; and storing the mapping result in a database.

Description

Security internalization methodology using evidence-based security technique {SECURITY-BY-DESIGN METHODOLOGY USING EVIDENCE-BASED SECURITY APPROACH}

The present disclosure relates to a security internalization methodology, and more specifically, to a security internalization methodology using an evidence-based security technique.

Since the 1970s, the US government has improved computing products through mock hacking. However, there was a problem in that in the method through mock hacking, the presence or absence of vulnerabilities is determined according to the competency and execution period of the mock hacking team, and just because vulnerabilities are not found does not guarantee that the target product has no vulnerabilities.

Since then, the United States has recognized that the development process itself must be systematically and strictly managed, rather than relying only on finding and patching vulnerabilities, in order to improve the security quality of products. It began to publish standards related to the evaluation and procurement system.

Here, security internalization may be to reduce product complexity and achieve reliability by considering security from the initial stage of development, such as product requirements analysis and design. And, the development process including such security internalization may be referred to as "Secure Software Development Life Cycle (SDLC)" or "Security Engineering Process".

However, it is not easy to build Secure SDLC in the actual field because the currently published standards and guidelines of Secure SDLC only list abstract security activities.

Therefore, there is a demand for a security internalization methodology to materialize Secure SDLC according to the level desired by the enterprise.

US Patent Publication US 2013-0019315

The present disclosure has been devised in response to the above-described background technology, and is intended to provide a security internalization method using an evidence-based security technique.

The technical problems of the present disclosure are not limited to the technical problems mentioned above, and other technical problems not mentioned will be clearly understood by those skilled in the art from the following description.

According to an embodiment of the present disclosure for solving the problems as described above, there is provided a method of embodying a security internalization methodology using a processor of a computing device, the method comprising: mapping the security internalization methodology and the evidence-based security methodology; and storing the mapping result in a database; may include

Also, the mapping result may include at least one security level, at least one security activity, and at least one detailed security activity and product.

In addition, the at least one security step may include a first step related to security education, a second step related to initiation and planning, a third step related to requirements analysis, a fourth step related to acquisition, a fifth step related to design, It may include at least one of a sixth step related to implementation, a seventh step related to verification, an eighth step related to distribution, a ninth step related to operation, and a tenth step related to disposal.

In addition, recognizing the characteristics of the enterprise and the status of the security internalization methodology of the enterprise; recognizing the level of the security internalization methodology of the enterprise based on the security internalization methodology status; recognizing a competitor related to the enterprise based on the characteristics and the status of the security internalization methodology; recognizing the average security internalization methodology level of the competitor; and providing first information by quantitatively analyzing a difference in security internalization methodology level between the competitor and the enterprise based on the average security internalization methodology level of the competitor and the security internalization methodology level of the enterprise; may further include.

In addition, the step of recognizing the average security internalization methodology level of the competitor may include: acquiring status information on security standards of information protection products performed by the competitor; and recognizing the average security internalization methodology level of the competitor based on the status information; may include

In addition, the mapping result includes security internalization methodology level information in which a security internalization methodology level assigned to each of a plurality of detailed security activities included in each of the at least one security activity is recorded, and the mapping result and the security internalization methodology Based on the current status, the step of recognizing the security internalization methodology level of the enterprise may include: Based on the security internalization methodology level information and the security internalization methodology status, the security internalization methodology of the enterprise for each of the at least one security activity recognizing the level; may include

In addition, after providing the first information, receiving an appropriate level of security internalization methodology desired by the enterprise; and providing second information on at least one essential security activity related to the appropriate security internalization methodology level among at least one security activity included in the mapping result; may include

In addition, the second information may include at least one essential product mapped to each of the at least one essential security level including the at least one essential security activity.

In addition, the first information may quantitatively represent the difference in the level of the security internalization methodology in a graph format.

In addition, the graph includes an x-axis indicating each of the at least one detailed security activity, a y-axis indicating a security internalization methodology level for each of the at least one detailed security activity, and a first indicating the average security internalization methodology level of the competitor It may include a line and a second line indicating the level of the security internalization methodology of the enterprise.

In addition, the graph may quantitatively represent the difference in the level of the security internalization methodology between the competitor and the enterprise based on a gap formed by a gap between the first line and the second line.

In addition, a mapping unit for mapping the security internalization methodology and the evidence-based security methodology; and a database unit for storing the mapping result; may include

In addition, it recognizes the characteristics of the enterprise and the status of the security internalization methodology of the enterprise, recognizes the level of the security internalization methodology of the enterprise based on the status of the security internalization methodology, and based on the characteristics and the status of the security internalization methodology, a level extracting unit for recognizing a related competitor and recognizing an average security internalization methodology level of the competitor; a level difference analysis unit providing first information by quantitatively analyzing the difference in security internalization methodology level between the competitor and the enterprise based on the average security internalization methodology level of the competitor and the security internalization methodology level of the enterprise; and an information generator providing second information on at least one essential security activity related to an appropriate security internalization methodology level desired by the enterprise among at least one security activity included in the mapping result; may further include.

The technical solutions obtainable in the present disclosure are not limited to the above-mentioned solutions, and other solutions not mentioned are clearly to those of ordinary skill in the art to which the present disclosure belongs from the description below. can be understood

According to some embodiments of the present disclosure, it is possible to provide a security internalization methodology that can easily identify a problem of a user's security level.

Effects obtainable in the present disclosure are not limited to the above-mentioned effects, and other effects not mentioned will be clearly understood by those of ordinary skill in the art to which the present disclosure belongs from the description below. .

Various aspects are now described with reference to the drawings, wherein like reference numbers are used to refer to like elements collectively. In the following example, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of one or more aspects. It will be apparent, however, that such aspect(s) may be practiced without these specific details. In other instances, well-known structures and devices are shown in block diagram form in order to facilitate describing one or more aspects.
1 is a block diagram illustrating an example of a server according to some embodiments of the present disclosure.
2 is a flowchart illustrating an example of a method for a server to store a mapping result in a database according to some embodiments of the present disclosure.
3 is a diagram for explaining an example of a mapping result stored in a database unit according to some embodiments of the present disclosure.
4 is a diagram for explaining an example of a mapping result according to some embodiments of the present disclosure.
5 is a flowchart illustrating an example of a method for a server to provide second information according to some embodiments of the present disclosure.
6 is a flowchart illustrating an example of a method for a server to recognize an average security internalization methodology level of a competitor according to some embodiments of the present disclosure.
7 is a diagram for explaining an example of a graph generated by a server to analyze a difference between a company and a competitor according to some embodiments of the present disclosure;
8 depicts a general schematic diagram of an example computing environment in which embodiments of the present disclosure may be implemented.

Various embodiments and/or aspects are now disclosed with reference to the drawings. In the following description, for purposes of explanation, numerous specific details are set forth to provide a thorough understanding of one or more aspects. However, it will also be appreciated by one of ordinary skill in the art that such aspect(s) may be practiced without these specific details. The following description and accompanying drawings set forth in detail certain illustrative aspects of one or more aspects. These aspects are illustrative, however, and some of various methods may be employed in the principles of the various aspects, and the descriptions set forth are intended to include all such aspects and their equivalents. Specifically, as used herein, “embodiment”, “example”, “aspect”, “exemplary”, etc. are not to be construed as advantageous or advantageous over any aspect or design described herein. It may not be.

Hereinafter, the same or similar components are assigned the same reference numerals regardless of reference numerals, and overlapping descriptions thereof will be omitted. In addition, in describing the embodiments disclosed in the present specification, if it is determined that detailed descriptions of related known technologies may obscure the gist of the embodiments disclosed in the present specification, the detailed description thereof will be omitted. In addition, the accompanying drawings are only for easy understanding of the embodiments disclosed in the present specification, and the technical ideas disclosed in the present specification are not limited by the accompanying drawings.

Although the first, second, etc. are used to describe various elements or elements, these elements or elements are not limited by these terms, of course. These terms are only used to distinguish one element or component from another. Accordingly, it goes without saying that the first element or component mentioned below may be the second element or component within the spirit of the present invention.

Unless otherwise defined, all terms (including technical and scientific terms) used herein may be used with the meaning commonly understood by those of ordinary skill in the art to which the present invention belongs. In addition, terms defined in a commonly used dictionary are not to be interpreted ideally or excessively unless clearly defined in particular.

In addition, the term “or” is intended to mean an inclusive “or” rather than an exclusive “or.” That is, unless otherwise specified or clear from context, "X employs A or B" is intended to mean one of the natural implicit substitutions. That is, X employs A; X employs B; or when X employs both A and B, "X employs A or B" may apply to either of these cases. It should also be understood that the term “and/or” as used herein refers to and includes all possible combinations of one or more of the listed related items.

Also, the terms "comprises" and/or "comprising" mean that the feature and/or element is present, but excludes the presence or addition of one or more other features, elements, and/or groups thereof. should be understood as not Also, unless otherwise specified or unless it is clear from context to refer to a singular form, the singular in the specification and claims should generally be construed to mean “one or more”.

In addition, as used herein, the terms “information” and “data” can often be used interchangeably.

When a component is referred to as being “connected” or “connected” to another component, it is understood that it may be directly connected or connected to the other component, but other components may exist in between. it should be On the other hand, when it is said that a certain element is "directly connected" or "directly connected" to another element, it should be understood that the other element does not exist in the middle.

The suffixes "module" and "part" for the components used in the following description are given or used in consideration of only the ease of writing the specification, and do not have distinct meanings or roles by themselves.

Objects and effects of the present disclosure, and technical configurations for achieving them will become clear with reference to the embodiments described below in detail in conjunction with the accompanying drawings. In describing the present disclosure, if it is determined that a detailed description of a well-known function or configuration may unnecessarily obscure the subject matter of the present disclosure, the detailed description thereof will be omitted. In addition, the terms described below are terms defined in consideration of functions in the present disclosure, which may vary according to intentions or customs of users and operators.

However, the present disclosure is not limited to the embodiments disclosed below and may be implemented in various different forms. Only the present embodiments are provided so that the present disclosure is complete, and to fully inform those of ordinary skill in the art to which the present disclosure belongs, the scope of the disclosure, and the present disclosure is only defined by the scope of the claims . Therefore, the definition should be made based on the content throughout this specification.

1 is a block diagram illustrating an example of a server according to some embodiments of the present disclosure.

Referring to FIG. 1 , the server 100 includes a processor 110 , a mapping unit 120 , a database unit 130 , a level extracting unit 140 , a level difference analyzing unit 150 , and an information generating unit 160 . may include However, since the above-described components are not essential in implementing the server 100 , the server 100 may have more or fewer components than those listed above.

Server 100 may include any type of computer system or computer device, such as, for example, microprocessors, mainframe computers, digital processors, portable devices and device controllers, and the like. However, the present invention is not limited thereto.

Meanwhile, the processor 110 may typically process the overall operation of the server 100 . The processor 110 processes signals, data, information, etc. input or output through the components of the server or by driving an application program stored in the database unit 130 to provide or process appropriate information or functions to the user. .

Meanwhile, the mapping unit 120 may map the security internalization methodology and the evidence-based security methodology. Here, the security internalization methodology may include Secure SDLC standards and guidelines. As an example, the security internalization methodology may include Secure SDLC standards and guidelines such as Microsoft SDL, NIST SSDLC, CSA SDF, OWASP CLASP, McGraw, Touchpoints, SAFECode, OWASP BSIMM, OWASP SAMM, NIST RMF, and SAEJ3061. However, the present invention is not limited thereto. On the other hand, evidence-based security methodologies are ISO/IEC 15408-CC (Common Criteria), ISO/IEC 27001 Information Security Management System (ISMS), ISO/IEC 27701-PIMS (Privacy Information Management System) and ISO/IEC 8405- Common Evaluation Methodology (CEM), etc. may be included. However, the present invention is not limited thereto. Hereinafter, a description of the mapping unit 120 will be described with reference to FIG. 2 .

Meanwhile, according to some embodiments of the present disclosure, the mapping unit 120 may compare and analyze steps included in the security internalization methodology.

Specifically, the mapping unit 120 may combine the duplicated security activities among the security activities included in each of the plurality of Secure SDLC standards and guidelines included in the security internalization methodology. For example, the mapping unit 120 may compare and analyze each step of 10 types of Secure SDLC and normalize and generalize to 10 steps. In addition, the mapping unit 120 may combine all security activities to be performed in each step by deriving overlapping security activities into one security internalization methodology. For example, the mapping unit 120 may generate a mapping result having 10 steps and 66 security activities. However, the present invention is not limited thereto. Hereinafter, an example of a method for the mapping unit 120 to generate a mapping result will be described later with reference to FIG. 3 .

Meanwhile, the database unit 130 may pre-store the above-described security internalization methodologies and evidence-based security methodologies. However, the present invention is not limited thereto, and the framework can be extended by adding related data when a reliable Secure SDLC is introduced to academics and industries in the future.

Meanwhile, in the present disclosure, the database unit 130 may store the mapping result mapped by the mapping unit 120 . Hereinafter, a description of the database unit 130 will be described with reference to FIG. 2 .

Meanwhile, according to some embodiments of the present disclosure, the schema of the database unit 130 may include a plurality of tables. Here, the schema may be a size of a record constituting the database unit 130 , a definition of a key, a relationship between a record and a record, a search method, and the like. However, the present invention is not limited thereto.

Meanwhile, 10 steps of the integrated security internalization methodology may be stored in a first table among a plurality of tables included in the database unit 130 . In addition, 66 security activities to be performed for each step may be stored in the second table. In addition, the 3rd table contains 63 assurance requirements components defined in ISO/IEC 15408-CC Part 3 and ISO/IEC 8405-CEM, 104 detailed check items defined in ISO/IEC 27001 ISMS, and ISO/IEC Including 54 detailed evaluation items defined in 27701-PIMS, a total of 221 detailed security activities may be stored. In addition, in the fourth table, templates of documents to be calculated, which are the results of mapping with assurance requirements items of ISO/IEC 15408-CC and ISO/IEC 8405-CEM, may be stored. However, the present invention is not limited thereto.

Meanwhile, the database unit 130 may include a memory and/or a permanent storage medium. The memory includes a flash memory type, a hard disk type, a multimedia card micro type, a card type memory (eg SD or XD memory, etc.), and a random access memory (RAM). Memory, RAM), SRAM (Static Random Access Memory), ROM (Read-Only Memory, ROM), EEPROM (Electrically Erasable Programmable Read-Only Memory), PROM (Programmable Read-Only Memory), magnetic memory, magnetic disk, optical disk It may include at least one type of storage medium.

On the other hand, the level difference analysis unit 150 may be for quantitatively analyzing the difference between the competitor and the company based on the level generated by the level extraction unit 140 .

Specifically, the level difference analysis unit 150 can provide first information by strategically analyzing the difference in the level of the security internalization methodology between the competitor and the enterprise based on the competitor's average security internalization methodology level and the enterprise security internalization methodology level. there is. Here, the first information may be information quantitatively indicating a difference in the level of security internalization methodology in a graph format. However, the present invention is not limited thereto.

For example, the level difference analysis unit 150 may generate a graph for quantitatively representing the difference in the level of the security internalization methodology between the enterprise and the competitor when the enterprise and the competitor of the enterprise are selected. In this case, the user can grasp the insufficient steps and security activities among the security internalization methodologies at a glance, and it can be easy to identify the problems of the company's security internalization methodological activities. Hereinafter, content related to the level difference analyzer 150 and the graph generated by the level difference analyzer 150 will be described later with reference to FIG. 6 .

Meanwhile, in the present disclosure, the security internalization methodology level is an index in consideration of correctness (functional correctness), stability (safety integrity), and security (security assurance), and may consist of a plurality of steps.

For example, the security internalization methodology level may consist of 7 steps, and a higher level may mean that the security internalization methodology level is systematically and strictly managed.

Meanwhile, in the present disclosure, when only one attribute among accuracy, stability, and security is mapped, the level extractor 140 may calculate the level of the corresponding attribute. Alternatively, when two or more attributes are mapped, the level extractor 140 may adjust the level through the security activity performance status. The level calculated through this process can be derived for each security activity. And the result is output in graph format so that the level of security internalization methodology can be grasped at a glance. However, the present invention is not limited thereto.

Meanwhile, the information generating unit 160 may provide second information on at least one essential security activity related to an appropriate security internalization methodology level desired by an enterprise among at least one security activity included in the mapping result.

For example, the information generating unit 160 is based on the result generated by the level difference analysis unit 150, at least one of a security internalization methodology level, a security activity, a detailed security activity, and a document to be calculated. can be derived. However, the present invention is not limited thereto. Hereinafter, the content of the second information provided by the information generating unit 160 will be described later with reference to FIG. 5 .

On the other hand, according to some embodiments of the present disclosure, the information generating unit 160 considers the current situation of the enterprise because it is difficult to reach the level of the competitor at once when the difference in the level of the security internalization methodology between the enterprise and the competitor is too large. It is possible to build the level of security internalization methodologies that companies want. However, the present invention is not limited thereto.

Meanwhile, in the present disclosure, the server 100 may receive information about a company and a competitor from a user through a user input unit or a communication unit. In this case, the information generating unit 160 may select security activities related to the company and the competitor from among 66 security activities generated through the mapping unit 120 based on the characteristics of the company and the competitor. In addition, the information generating unit 160 may generate detailed security activities and documents to be calculated to achieve the level of the security internalization methodology desired by the enterprise, based on the information received from the enterprise. In this case, the document to be calculated can be easily derived so that traceability can be secured. In addition, when a security problem occurs in the field, it is possible to identify the cause and respond quickly. However, the present invention is not limited thereto.

2 is a flowchart illustrating an example of a method for a server to store a mapping result in a database according to some embodiments of the present disclosure.

Referring to FIG. 2 , the mapping unit 120 of the server 100 may map the security internalization methodology and the evidence-based security methodology ( S110 ).

Specifically, the mapping unit 120 may compare and analyze each step of a plurality of Secure SDLC standards and guidelines included in the security internalization methodology. And, the mapping unit 120 may combine the duplicated security activities among the security activities included in the security internalization methodology. For example, the mapping unit 120 may compare and analyze each step of 10 types of Secure SDLC and normalize and generalize to 10 steps. In addition, the mapping unit 120 may combine all security activities to be performed in each step by deriving overlapping security activities into one security internalization methodology. In this case, the mapping unit 120 may generate a security internalization methodology having 10 steps and 66 security activities. Hereinafter, a security internalization methodology having 10 steps and 66 security activities will be described later with reference to FIG. 3 .

Meanwhile, when the security internalization methodology is integrated and generated, the mapping unit 120 may map the evidence-based security methodology to the security internalization methodology.

Specifically, the mapping unit 120 uses 63 assurance requirements defined in Part 3 of ISO/IEC 15408-CC and ISO/IEC 8405-CEM, among the evidence-based security methodologies, to the security internalization methodology first. Mapping can be done.

Meanwhile, among the 66 security activities generated by the mapping unit 120 of the server 100 , there may be items not covered by ISO/IEC 15408-CC. For example, training related to security and personal information protection, scheduling related to security training, and establishment of a roadmap for security training may not be included in ISO/IEC 15408-CC. Accordingly, the mapping unit 120 may perform mapping to the security internalization methodology by utilizing 104 detailed check items defined in ISO 27001-ISMS.

Meanwhile, among the 66 security activities generated by the mapping unit 120, items not covered by ISO/IEC 15408-CC and ISO 27001-ISMS may further exist. For example, personal information protection impact assessment, etc. may not be included in ISO/IEC 15408-CC and ISO 27001-ISMS. Accordingly, the mapping unit 120 may perform mapping to the security internalization methodology by utilizing 54 detailed evaluation items defined in ISO/IEC 27701-PIMS for security activities to be performed from the viewpoint of personal information protection.

As a result, the mapping unit 120 sums up 63 assurance requirements components of ISO/IEC 15408-CC, 104 detailed check items of ISO 27001-ISMS, and 54 detailed evaluation items of ISO/IEC 27701-PIMS, for a total of 221 By performing mapping between 6 detailed items and 66 security activities, detailed security activities and documents to be calculated can be generated. However, the present invention is not limited thereto. Meanwhile, 221 detailed security activities for which the mapping unit 120 according to the present disclosure performs mapping on 66 security activities will be described later with reference to FIG. 4 .

Meanwhile, according to some embodiments of the present disclosure, the mapping unit 120 of the server 100 may derive a list of products by mapping the evidence-based security methodology standard to the security internalization methodology. Here, the product may be a document calculated by the existing software engineering, and a security-related item may be added. However, the present invention is not limited thereto.

On the other hand, when all 66 security activities are mapped with ISO/IEC 15408-CC, a representative evidence-based security methodology standard, and all products are derived, the security activities for organizations or personal information are ISO 27001-ISMS and ISO/IEC 27701-PIMS can be supplemented with

Specifically, ISO/IEC 15408-CC may include the security requirements of Part 2 to evaluate security, Part 3 to evaluate the assurance level, and the assurance requirements of ISO/IEC 8405-CEM. Here, part 3 of ISO/IEC 15408-CC and assurance requirements of ISO/IEC 8405-CEM can be classified into requirements analysis, development, installation and operation, life-cycle support, testing and vulnerability analysis stages. And, since the assurance requirements are similar to the steps of the security internalization methodology, they can cover most security activities. In addition, the assurance requirements include detailed items to be performed in each step, and detailed requirements to be satisfied by the documents to be calculated may be included. Therefore, it is possible to use this to define detailed detailed security activities and create templates of documents to be calculated. Here, the template may be a sample document including a form for generating a document related to a product. However, the present invention is not limited thereto. However, the present invention is not limited thereto.

As described above, when the mapping unit 120 of the server 100 maps the security internalization methodology and the evidence-based security methodology, at least one security step, at least one security activity, at least one detailed security activity and product A mapping result can be generated that includes. However, the present invention is not limited thereto.

Meanwhile, the processor 110 of the server 100 may store the mapping result in a database ( S120 ). Hereinafter, the mapping result according to the present disclosure will be described later with reference to FIGS. 3 and 4 .

Meanwhile, according to some embodiments of the present disclosure, the mapping result may include security internalization methodology level information. In this case, the level extractor 140 may recognize the security internalization methodology level of the enterprise based on the security internalization methodology level information. Hereinafter, a method for the level extraction unit 140 to recognize the level of the security internalization methodology of the enterprise based on the security internalization methodology level information included in the mapping result will be described later with reference to FIG. 5 .

3 is a diagram for explaining an example of a mapping result stored in a database unit according to some embodiments of the present disclosure.

Referring to FIG. 3 , the mapping result of the security internalization methodology stored in the database unit 130 of the server 100 may include at least one security step, at least one security activity, and a product. However, the present invention is not limited thereto.

The first step may be a step for security training. And, the first step may include three security activities.

Specifically, the security activity of the first stage may include at least one of a basic security training, an in-depth security training, and a schedule related to security training. However, the present invention is not limited thereto.

On the other hand, in the first stage, a plan for the training schedule, subjects to receive training, training curriculum, etc. and a list of those who completed the training were included, but as security is considered, security-related training contents may be added to the existing training. . Accordingly, the list of products of the first step may include at least one of a security training plan and a list of training participants. However, the present invention is not limited thereto.

On the other hand, the second step may be a step for initiation and planning (Initiation). And, the second step may include nine security activities.

Specifically, the security activities of the second phase include project categorization, role identification, selection of tools to be used in the project, identification of sources of security requirements, definition of minimum quality and security level, establishment of compensation system for handling security issues, planning and management of security schedule, It may include at least one of security activities of setting security objectives and verifying consistency and completeness of security objectives. However, the present invention is not limited thereto.

Meanwhile, in the second step, the current process analysis document and the current system analysis document can be calculated in the same way as the existing security internalization methodology. However, the project plan dealing with the project schedule, project scope, role, etc. and the requirements definition document specifying user requirements calculate the scope to consider security and may additionally include security function requirements. Accordingly, the output list of the second step may include at least one of a current process analysis document, a current system analysis document, a project plan, and a requirements definition document. However, the present invention is not limited thereto.

Meanwhile, the third step may be a step for requirements analysis. And, the third step may include nine security activities.

Specifically, the security activities of the third stage include project security analysis scope calculation, impact assessment, interface definition, personal information protection impact assessment, business impact assessment, safety impact assessment, existing software assessment, functional requirements derivation, security requirements derivation , it may include at least one of determining conformity and conflict with the requirements for each field, and verifying requirements according to security goals. However, the present invention is not limited thereto.

On the other hand, in the third stage, the existing security internalization methodology could only analyze the business impact. However, in the present disclosure, an impact assessment report that additionally analyzes the impact on security and privacy may be calculated. In addition, the interface definition that specifies the identifier, purpose, and method of use of the existing interface may be specified by classifying the interface according to the degree to which the security function is performed (direct execution, indirect execution, etc.). Accordingly, the list of products of the third step may include at least one of an impact assessment document and an interface definition document. However, the present invention is not limited thereto.

Meanwhile, the fourth step may be a step for acquisition. And, the fourth step may include three security activities.

Specifically, the security activities of the fourth stage may include at least one of establishing an acquisition scope and plan, defining security requirements for third-party components, and evaluating and testing security requirements for third-party components. However, the present invention is not limited thereto.

On the other hand, in the fourth step, an acquisition inspection document that inspects the components developed by the third-party should be calculated. Accordingly, the product list of the fourth step may include the acquisition inspection document. However, the present invention is not limited thereto.

The fifth step may be a step for design. And, the fifth step may include 12 security activities.

Specifically, the security activities of the fifth stage include design and specification of security functions, compliance with design best practices and principles, structural design for the integration process, asset identification, data flow diagram preparation, threat derivation, attack library collection, risk analysis, and mitigation measures , privacy analysis, identification of use and misuse cases, and design validation according to requirements. However, the present invention is not limited thereto.

Meanwhile, in the fifth step, a design specification specifying a design for a class, a component, a database, etc. may have to be specified by classifying the module according to the degree to which the security function is performed. In addition, the software architecture design and the system architecture design may have to be specified to prove that the security function operates correctly and there is no bypass path according to the security policy. In addition, the integration test plan and test scenario for designing modules and verifying integration between modules may additionally include integration between security modules. Accordingly, the product list of the fifth step may include at least one of a design specification, a SW architecture design, a system architecture design, an integration test plan, and an integration test scenario. However, the present invention is not limited thereto.

The sixth step may be a step for implementation. And, the sixth step may include three security activities.

Specifically, the security activity of the sixth step may include at least one of compliance with coding guidelines, generation of distribution guide documents and tools, and implementation verification according to design. However, the present invention is not limited thereto.

On the other hand, in the sixth step, the source code developed in compliance with the security coding guidelines in consideration of security should be calculated, and a unit test plan and test scenario for testing the security module may need to be calculated. Accordingly, the product list of the sixth step may include at least one of a source code, a unit test plan, a test scenario, and a unit test result. However, the present invention is not limited thereto.

Meanwhile, the seventh step may be a step for verification. And, the seventh step may include eight security activities.

Specifically, the security activity of the seventh stage includes at least one of manual static analysis, automatic static analysis, dynamic analysis, integration and acceptance testing, penetration testing, threat model review and update, minimum quality and security level review, and security document review and update may include However, the present invention is not limited thereto.

Meanwhile, in the seventh step, a test plan and test scenario for integration, system, and acceptance tests in consideration of security may need to be calculated. In addition, as a vulnerability analysis not performed in the existing development process is performed, a vulnerability analysis report may have to be calculated. Accordingly, the product list of the seventh step may include at least one of an integration/system/acceptance test plan and test scenario, an integration/system/acceptance test result, and a vulnerability analysis report. However, the present invention is not limited thereto.

The eighth step may be a step for release. And, the eighth step may include seven security activities.

Specifically, the security activity of the 8th stage is at least one of final security review, final personal information protection review, derivation of requirements for production, production procedure decision, production verification, emergency incident response plan, and security review on distribution process may include However, the present invention is not limited thereto.

On the other hand, in the 8th step, the final review of quality was previously performed, but as the final review on security and privacy is added, a rehearsal plan and rehearsal result may have to be calculated. In addition, the distribution request may have to be calculated in consideration of both physical and logical security measures in the existing distribution process. In addition, in the output list of the eighth step, an emergency accident response plan and an emergency accident response result may have to be calculated in preparation for an emergency accident after distribution. Accordingly, the product list of the eighth step may include at least one of a rehearsal plan and a rehearsal result, a distribution request, an emergency accident response plan, and an emergency accident response result. However, the present invention is not limited thereto.

Meanwhile, the ninth step may be a step for operation. And, the ninth step may include seven security activities.

Specifically, the security activity of the ninth stage includes at least one of monitoring target indicators and data collection, reporting strategy identification, continuous monitoring, vulnerability reporting, vulnerability evaluation, solution establishment, vulnerability disclosure and update management, and configuration management after deployment. may include However, the present invention is not limited thereto.

On the other hand, in the ninth step, installation results, operator's guide, and user's guide, which include safe installation and operation guidelines for security, error messages to limit information to attackers, and security measures to be met in the operating environment, may have to be calculated. . In addition, a response plan and patch results may have to be calculated for vulnerabilities that occurred during the operation stage. Accordingly, the product list of the ninth step may include at least one of an installation result sheet, an operator guide, a user guide, a vulnerability response plan, and a vulnerability patch result sheet. However, the present invention is not limited thereto.

Meanwhile, the tenth step may be a step for disposal. And, the tenth step may include five security activities.

Specifically, the security activity of the tenth step may include at least one of establishing a revocation and transition plan, preserving important information, completely erasing the medium, retiring hardware and software, and shutting down the system. However, the present invention is not limited thereto.

On the other hand, in the 10th step, a system implementation plan and implementation result may need to be calculated for planning and implementing the system use in project execution, and planning and implementing for transferring or disposing of the system. Accordingly, the product list of the tenth step may include at least one of a system implementation plan and a system implementation result. However, the present invention is not limited thereto.

Meanwhile, in the present disclosure, the database unit 130 may include a mapping table including the source of the evidence-based security methodology standard for securing the traceability of each step.

For example, the 3rd step among 10 steps included in the security internalization methodology may be a 'requirements analysis step'. And, the 19th security activity included in the third step may be 'security requirements derivation'. At this time, in the case of 'deduction of security requirements' security activity, detailed inspection of 'ASE_REQ.1 security requirements' assurance requirements component of ISO/IEC 15408-CC and '8.1.1 security requirements definition' of ISO/IEC 27001 ISMS It can be mapped to an item. In this case, the document to be calculated in the 'requirement analysis stage', which is the third stage, may be 'security-considered SRS (Software Requirement Specification)'. And, since the template of the document includes a mapping table between the interface and the security functional requirements, it is possible to secure traceability between the two elements. Therefore, when a security problem occurs in the actual field, the cause can be identified through the mapping table and security measures can be taken quickly. However, the present invention is not limited thereto.

As described above, the security internalization methodology according to the present disclosure may include a list of 10 steps and 66 security activities and products.

Meanwhile, according to some embodiments of the present disclosure, at least one detailed security activity may be further included in the mapping result. Hereinafter, a mapping result according to the present disclosure will be described in more detail with reference to FIG. 4 .

4 is a diagram for explaining an example of a mapping result according to some embodiments of the present disclosure.

Referring to FIG. 4 , the mapping unit 120 of the server 100 may utilize detailed items included in the evidence-based security methodology. For example, the mapping unit 120 may utilize detailed items included in three standards, such as ISO/IEC 15408-CC, ISO 27001-ISMS, and ISO/IEC 27701-PIMS.

Specifically, the mapping unit 120 may utilize 63 assurance requirements components included in the ISO/IEC 15408-CC standard. More specifically, the mapping unit 120 includes 10 components included in the ST classification, 19 components included in the development classification, 2 components included in the installation and operation classification, and 18 components included in the life cycle support classification. Assurance requirements components such as 9 components included in the test and vulnerability evaluation classifications can be utilized.

Meanwhile, the mapping unit 120 may utilize 104 detailed inspection items included in the ISO 27001-ISMS standard. Specifically, the mapping unit 120 includes 6 detailed inspection items included in the information protection policy, 4 detailed inspection items included in the information protection organization, 3 detailed inspection items included in outsider security, and included in information asset classification 3 detailed check items included in information security education, 5 detailed check items included in human security, 9 detailed check items included in physical security, 10 detailed check items included in system development security Check items, 2 detailed check items included in password control, 14 detailed check items included in access control, 22 detailed check items included in operational security, 7 detailed check items included in incident management, IT disaster Detailed inspection items such as three detailed inspection items included in recovery and 12 detailed inspection items included in information security management can be utilized.

Meanwhile, the mapping unit 120 may utilize 54 detailed evaluation items included in the ISO/IEC 27701-PIMS standard. Specifically, the mapping unit 120 includes eight detailed evaluation items included in the personal information protection management system of the target institution, 6 detailed evaluation items included in the personal information protection management system of the target system, and protection measures for each stage of personal information processing Detailed evaluation items such as 12 detailed evaluation items included in the technical protection measures of the target system, and 9 detailed evaluation items included in personal information protection information protection when using specific IT technologies can be utilized.

As a result, the mapping unit 120 generates a document to define and calculate at least one detailed security activity by performing mapping of 221 detailed items derived from three standards and 66 security activities. can However, the present invention is not limited thereto.

5 is a flowchart illustrating an example of a method for a server to provide second information according to some embodiments of the present disclosure.

Referring to FIG. 5 , the level extraction unit 140 of the server 100 may recognize the characteristics of the enterprise and the status of the security internalization methodology of the enterprise ( S210 ).

For example, the level extractor 140 may determine the characteristics and status of the enterprise based on information received from the enterprise through a user input unit (not shown) or a communication unit (not shown). Here, the characteristics of the enterprise may be the type of business or type of business the enterprise is performing. However, the present invention is not limited thereto.

On the other hand, the level extractor 140 of the server 100 may recognize the level of the security internalization methodology of the enterprise based on the status of the security internalization methodology (S220).

Specifically, the level extractor 140 may recognize the level of the security internalization methodology of the enterprise after quantitatively analyzing the status of the security internalization methodology performed by the enterprise. Here, the security internalization methodology level is an index in consideration of functional correctness, safety integrity, and security assurance, and may consist of a plurality of steps.

For example, the security internalization methodology level may consist of 7 steps, and a higher level may mean that the security internalization methodology level is systematically and strictly managed. However, the present invention is not limited thereto.

Meanwhile, according to some embodiments of the present disclosure, the mapping result stored in the database unit 130 of the server 100 may include security internalization methodology level information. In this case, the security internalization methodology level information may be a security internalization methodology level assigned to each of a plurality of detailed security activities included in each of at least one security activity. In this case, the level extractor 140 may recognize the level of the security internalization methodology of the enterprise for each of the at least one security activity based on the security internalization methodology level information and the status of the security internalization methodology. However, the present invention is not limited thereto.

On the other hand, according to some embodiments of the present disclosure, the level extraction unit 140 of the server 100 determines the security internalization level of the enterprise for at least one step or at least one security activity among 10 steps included in the mapping result. may recognize it.

For example, when the enterprise is performing content related to at least one step included in the mapping result, the level extractor 140 may select the corresponding step and security activity. As another example, the level extractor 140 may select a corresponding step and a security activity when the company is not performing contents related to at least one step included in the mapping result.

On the other hand, the level difference analysis unit 150 of the server 100 may recognize a competitor related to the enterprise based on the characteristics of the enterprise and the status of the security internalization methodology (S230).

As an example, the level difference analysis unit 150 may recognize a company having a similar industry or business type as a competitor based on the characteristics of the company.

As another example, the level difference analyzer 150 may receive information about a competitor from a company through a user input unit or a communication unit. However, the present invention is not limited thereto.

As another example, the level difference analysis unit 150 may recognize a competitor having a similar security internalization methodology level among existing competitors when information on the security internalization methodology level of at least one competitor previously analyzed is stored. there is. However, the present invention is not limited thereto.

On the other hand, the level extractor 140 of the server 100 may recognize the average security internalization methodology level of the competitor (S240).

Specifically, the level extractor 140 may acquire status information on the security standards of information protection products performed by the competitor, and recognize the average security internalization methodology level of the competitor. However, the present invention is not limited thereto. Hereinafter, a method for the level extraction unit 140 to recognize the average security internalization methodology level of the competitor will be described later with reference to FIG. 6 .

Meanwhile, in the present disclosure, the level extraction unit 140 of the server 100 may receive information on the average security internalization methodology level of the competitor from the enterprise through the communication unit or the user input unit. However, the present invention is not limited thereto.

On the other hand, the level difference analysis unit 150 of the server 100 is based on the competitor's average security internalization methodology level and the company's security internalization methodology level, and strategically analyzes the difference in the security internalization methodology level between the competitor and the company to obtain the first information can be provided (S160).

Specifically, the level difference analysis unit 150 may provide the first information indicating the difference between the level of the security internalization methodology of the enterprise and the level of the security internalization methodology of the competitor in the form of a graph. However, the present invention is not limited thereto. Hereinafter, the content of the first information according to the present disclosure will be described later with reference to FIG. 7 .

Meanwhile, in the present disclosure, when the first information is generated, the level difference analyzer 150 of the server 100 may output the first information through a display unit (not shown). As another example, when the first information is generated, the level difference analyzer 150 may transmit the first information to a terminal associated with a company. However, the present invention is not limited thereto.

On the other hand, after providing the first information, the information generating unit 160 of the server 100 may receive an appropriate level of security internalization methodology desired by the enterprise (S260).

For example, the information generating unit 160 may receive an appropriate level of security internalization methodology desired by the enterprise from the enterprise through the user input unit or the communication unit. However, the present invention is not limited thereto.

Meanwhile, the information generating unit 160 of the server 100 may provide second information on at least one essential security activity related to an appropriate security internalization methodology level among at least one security activity included in the mapping result (S270). ). Here, the second information may include at least one essential product mapped to each of at least one essential security level including at least one essential security activity. However, the present invention is not limited thereto.

On the other hand, in the present disclosure, the information generating unit 160 may select at least one essential security step among ten steps of the security internalization methodology in the database unit 130 based on the appropriate security internalization methodology level of the level desired by the enterprise. there is. In this case, at least one essential product mapped to the at least one essential security level may be calculated. In addition, the information generating unit 160 may generate a template to be provided to the enterprise based on at least one essential product. Here, the template may be a sample document including a form for generating a document related to a product. However, the present invention is not limited thereto.

Meanwhile, in the present disclosure, when the second information is generated, the information generating unit 160 of the server 100 may transmit the second information to a terminal associated with a company. However, the present invention is not limited thereto.

6 is a flowchart illustrating an example of a method for a server to recognize an average security internalization methodology level of a competitor according to some embodiments of the present disclosure.

Referring to FIG. 6 , the level extracting unit 140 of the server 100 may obtain status information about the security standard of the information protection product performed by the competitor (S241).

As an example, the level extractor 140 may receive status information from a company through a user input unit or a communication unit. However, the present invention is not limited thereto.

On the other hand, the level extractor 140 of the server 100 may recognize the average security internalization methodology level of the competitor based on the current status information (S242).

Specifically, the level extraction unit 140 may generate the average security internalization methodology level according to the current status information on the security standard of the information protection product that the competitor is currently performing. However, the present invention is not limited thereto.

More specifically, the database unit 130 may store a preset value for the level of the 7-step security internalization methodology. In this case, the level extractor 140 may compare the mapping result previously generated by the mapping unit 120 with the current status information performed by the competitor. In addition, the level extractor 140 may generate the security internalization methodology level of the competitor by using the comparison result and the preset value. However, the present invention is not limited thereto.

7 is a diagram for explaining an example of a graph generated by a server to analyze a difference between a company and a competitor according to some embodiments of the present disclosure; The x-axis of the graph shown in FIG. 7 may represent each of at least one detailed security activity, and the y-axis may represent a security internalization methodology level for each of the at least one detailed security activity. In addition, the first line of FIG. 7 may be a line indicating the average security internalization methodology level of the competitor, and the second line may be a line indicating the security internalization methodology level of the enterprise. G1 and g2 of FIG. 7 may be used to explain a gap formed by a gap between the first line and the second line.

In FIG. 7 , when the level difference analysis unit 150 of the server 100 recognizes that the enterprise is performing all from the initial development stage to the distribution and operation stages, the level difference analysis unit 150 has a similar feature. It can be recognized that the competitor is Microsoft, a representative software developer. Hereinafter, it is assumed that the competitor is Microsoft Corporation and will be described below.

On the other hand, the level extractor 140 of the server 100 may recognize the average security internalization level of Microsoft.

Specifically, the level extraction unit 140 may calculate the average security internalization level of Microsoft based on a case in which Microsoft has previously obtained ISO/IEC 15408-CC certification.

For example, Microsoft's standard for the last 5 years may be ISO/IEC 15408-CC certification cases for 5 database products and 7 types of operating systems. In this case, the level extraction unit 140 may recognize that the average security internalization level of Microsoft is 4 levels based on the authentication case.

On the other hand, the level difference analysis unit 150 of the server 100 may determine the level of the security internalization methodology of the enterprise, based on the status of the security internalization methodology being performed by the enterprise. In addition, the level extraction unit 140 may select a list of steps and security activities associated with the enterprise based on the mapping result stored in the database unit 130 .

For example, the level extractor 140 may select a total of eight steps, such as security education, initiation and planning, requirements analysis, design, implementation, verification, deployment and operation steps, among 10 steps included in the mapping result. there is. Also, the level extractor 140 may select 58 security activities out of 66 security activities. And, the level extraction unit 140 may generate a security internalization level for each of the 58 security activities.

Meanwhile, the level difference analysis unit 150 may generate a graph for representing the quantitative difference between the enterprise and the competitor when the security internalization level of the enterprise and the competitor is generated. And, the generated graph may appear as shown in FIG. 7 .

Referring to FIG. 7 , the graph may quantitatively represent the difference in security internalization methodologies between competitors and enterprises based on a gap formed by the gap between the first line and the second line. Here, the first line may indicate the average security internalization methodology level of the competitor, and the second line may indicate the security internalization methodology level of the enterprise. However, the present invention is not limited thereto.

For example, referring to g1, in the case of security activities related to the selection of tools to be used in the project among the phase 2, which is the phase for the initiation and planning phase, the enterprise's security internalization methodology level is 2, and the competitor's security internalization methodology level is 4 can be

For another example, referring to g2, in the case of security activities related to business impact assessment among the three steps for requirements analysis, the security internalization methodology level of the enterprise is 0, and the security internalization methodology level of the competitor is 4 days. can However, the present invention is not limited thereto.

On the other hand, in the present disclosure, when the difference between the security internalization level between the enterprise and the competitor is analyzed, the information generating unit 160 of the server 100 may provide the second information for achieving the desired security internalization methodology level by the enterprise. .

For example, the information generating unit 160 of the server 100 may recognize that the level of the current security internalization methodology of the enterprise is difficult to reach the level of the security internalization methodology of Microsoft. In this case, the information generating unit 160 may generate at least one essential product mapped to each of the at least one essential security step that allows to reach a preset level, based on the level of the corporate security internalization methodology.

As another example, the information generating unit 160 may generate at least one detailed security activity, product, and the like so that the deviation of the level of the security internalization methodology for each of the at least one security activity can be reduced. However, the present invention is not limited thereto.

As discussed above, the Secure SDLC standard or guidelines of the security internalization methodology that are currently used as representatives are too general and do not contain specific details, so it can be very difficult to use in the actual field. In particular, in the case of a calculation document that is absolutely necessary to ensure traceability between steps, an example template may not be disclosed or the content of the template may not be specific. On the other hand, according to the present invention, it is possible to provide a security internalization framework based on the security internalization methodology level in order to materialize the security internalization methodology according to the level desired by the enterprise.

In addition, when the security internalization framework based on the security internalization methodology according to the present invention is used, the difference in security internalization level can be quantitatively analyzed through gap analysis between the company and its competitors. In addition, by providing detailed detailed security activities necessary to establish the level of security internalization desired by organizations that need security internalization and sample templates for documents that need to be calculated, it is designed to be easily utilized when building security internalization in the actual field. can do.

8 depicts a general schematic diagram of an example computing environment in which embodiments of the present disclosure may be implemented.

Although the present disclosure has been described above generally in the context of computer-executable instructions that may be executed on one or more computers, those skilled in the art will appreciate that the present disclosure may be implemented as a combination of hardware and software and/or in combination with other program modules. you will know

Generally, modules herein include routines, procedures, programs, components, data structures, etc. that perform particular tasks or implement particular abstract data types. In addition, those skilled in the art will appreciate that the methods of the present disclosure can be applied to single-processor or multiprocessor computer systems, minicomputers, mainframe computers as well as personal computers, handheld computing devices, microprocessor-based or programmable consumer electronics, etc. (each of which is It will be appreciated that other computer system configurations may be implemented, including those that may operate in connection with one or more associated devices.

The described embodiments of the present disclosure may also be practiced in distributed computing environments where certain tasks are performed by remote processing devices that are linked through a communications network. In a distributed computing environment, program modules may be located in both local and remote memory storage devices.

Computers typically include a variety of computer-readable media. Media accessible by a computer includes volatile and nonvolatile media, transitory and non-transitory media, removable and non-removable media. By way of example, and not limitation, computer-readable media may include computer-readable storage media and computer-readable transmission media.

Computer readable storage media includes volatile and nonvolatile media, temporary and non-transitory media, removable and non-removable media implemented in any method or technology for storage of information such as computer readable instructions, data structures, program modules or other data. includes media. A computer-readable storage medium may be RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, digital video disk (DVD) or other optical disk storage device, magnetic cassette, magnetic tape, magnetic disk storage device, or other magnetic storage device. device, or any other medium that can be accessed by a computer and used to store the desired information.

Computer readable transmission media typically embodies computer readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism, and Includes any information delivery medium. The term modulated data signal means a signal in which one or more of the characteristics of the signal is set or changed so as to encode information in the signal. By way of example, and not limitation, computer-readable transmission media includes wired media such as a wired network or direct-wired connection, and wireless media such as acoustic, RF, infrared, and other wireless media. Combinations of any of the above are also intended to be included within the scope of computer-readable transmission media.

An example environment 1100 implementing various aspects of the disclosure is shown including a computer 1102 , the computer 1102 including a processing unit 1104 , a system memory 1106 , and a system bus 1108 . do. A system bus 1108 couples system components, including but not limited to system memory 1106 , to the processing device 1104 . The processing device 1104 may be any of a variety of commercially available processors. Dual processor and other multiprocessor architectures may also be used as processing unit 1104 .

The system bus 1108 may be any of several types of bus structures that may further interconnect a memory bus, a peripheral bus, and a local bus using any of a variety of commercial bus architectures. System memory 1106 includes read only memory (ROM) 1110 and random access memory (RAM) 1112 . A basic input/output system (BIOS) is stored in non-volatile memory 1110, such as ROM, EPROM, EEPROM, etc., the BIOS is the basic input/output system (BIOS) that helps transfer information between components within computer 1102, such as during startup. contains routines. RAM 1112 may also include high-speed RAM, such as static RAM, for caching data.

The computer 1102 may also include an internal hard disk drive (HDD) 1114 (eg, EIDE, SATA) - this internal hard disk drive 1114 may also be configured for external use within a suitable chassis (not shown). Yes—a magnetic floppy disk drive (FDD) 1116 (eg, for reading from or writing to removable diskette 1118), and an optical disk drive 1120 (eg, a CD-ROM) for reading disk 1122 or for reading from or writing to other high capacity optical media such as DVD). The hard disk drive 1114 , the magnetic disk drive 1116 , and the optical disk drive 1120 are connected to the system bus 1108 by the hard disk drive interface 1124 , the magnetic disk drive interface 1126 , and the optical drive interface 1128 , respectively. ) can be connected to The interface 1124 for external drive implementation includes, for example, at least one or both of Universal Serial Bus (USB) and IEEE 1394 interface technologies.

These drives and their associated computer-readable media provide non-volatile storage of data, data structures, computer-executable instructions, and the like. For computer 1102, drives and media correspond to storing any data in a suitable digital format. Although the description of computer readable storage media above refers to HDDs, removable magnetic disks, and removable optical media such as CDs or DVDs, those skilled in the art will use zip drives, magnetic cassettes, flash memory cards, cartridges, It will be appreciated that other tangible computer-readable storage media and the like may also be used in the exemplary operating environment and any such media may include computer-executable instructions for performing the methods of the present disclosure. .

A number of program modules may be stored in the drive and RAM 1112 , including an operating system 1130 , one or more application programs 1132 , other program modules 1134 , and program data 1136 . All or portions of the operating system, applications, modules, and/or data may also be cached in RAM 1112 . It will be appreciated that the present disclosure may be implemented in various commercially available operating systems or combinations of operating systems.

A user may enter commands and information into the computer 1102 via one or more wired/wireless input devices, for example, a pointing device such as a keyboard 1138 and a mouse 1140 . Other input devices (not shown) may include a microphone, IR remote control, joystick, game pad, stylus pen, touch screen, and the like. Although these and other input devices are connected to the processing unit 1104 through an input device interface 1142 that is often connected to the system bus 1108, parallel ports, IEEE 1394 serial ports, game ports, USB ports, IR interfaces, It may be connected by other interfaces, etc.

A monitor 1144 or other type of display device is also coupled to the system bus 1108 via an interface, such as a video adapter 1146 . In addition to the monitor 1144, the computer typically includes other peripheral output devices (not shown) such as speakers, printers, and the like.

Computer 1102 may operate in a networked environment using logical connections to one or more remote computers, such as remote computer(s) 1148 via wired and/or wireless communications. Remote computer(s) 1148 may be workstations, server computers, routers, personal computers, portable computers, microprocessor-based entertainment devices, peer devices, or other common network nodes, and are generally Although including many or all of the components described, only memory storage device 1150 is shown for simplicity. The logical connections shown include wired/wireless connections to a local area network (LAN) 1152 and/or a larger network, eg, a wide area network (WAN) 1154 . Such LAN and WAN networking environments are common in offices and companies, and facilitate enterprise-wide computer networks, such as intranets, all of which can be connected to a worldwide computer network, for example, the Internet.

When used in a LAN networking environment, the computer 1102 is coupled to the local network 1152 through a wired and/or wireless communication network interface or adapter 1156 . Adapter 1156 may facilitate wired or wireless communication to LAN 1152 , which LAN 1152 also includes a wireless access point installed therein for communicating with wireless adapter 1156 . When used in a WAN networking environment, the computer 1102 may include a modem 1158 , connected to a communication server on the WAN 1154 , or otherwise establishing communications over the WAN 1154 , such as over the Internet. have the means A modem 1158 , which may be internal or external and a wired or wireless device, is coupled to the system bus 1108 via a serial port interface 1142 . In a networked environment, program modules described for computer 1102 , or portions thereof, may be stored in remote memory/storage device 1150 . It will be appreciated that the network connections shown are exemplary and other means of establishing a communication link between the computers may be used.

The computer 1102 may be associated with any wireless device or object that is deployed and operates in wireless communication, for example, a printer, scanner, desktop and/or portable computer, portable data assistant (PDA), communication satellite, wireless detectable tag. It operates to communicate with any device or place and phone. This includes at least Wi-Fi and Bluetooth wireless technologies. Accordingly, the communication may be a predefined structure as in a conventional network or may simply be an ad hoc communication between at least two devices.

Wi-Fi (Wireless Fidelity) makes it possible to connect to the Internet, etc. without a wired connection. Wi-Fi is a wireless technology such as cell phones that allows these devices, eg, computers, to transmit and receive data indoors and outdoors, ie anywhere within range of a base station. Wi-Fi networks use a radio technology called IEEE 802.11 (a, b, g, etc.) to provide secure, reliable, and high-speed wireless connections. Wi-Fi can be used to connect computers to each other, to the Internet, and to wired networks (using IEEE 802.3 or Ethernet). Wi-Fi networks may operate in unlicensed 2.4 and 5 GHz radio bands, for example, at 11 Mbps (802.11a) or 54 Mbps (802.11b) data rates, or in products that include both bands (dual band). there is.

Those of ordinary skill in the art of the present disclosure will recognize that the various illustrative logical blocks, modules, processors, means, circuits, and algorithm steps described in connection with the embodiments disclosed herein include electronic hardware, (convenience For this purpose, it will be understood that it may be implemented by various forms of program or design code (referred to herein as "software") or a combination of both. To clearly illustrate this interchangeability of hardware and software, various illustrative components, blocks, modules, circuits, and steps have been described above generally in terms of their functionality. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the overall system. A person skilled in the art of the present disclosure may implement the described functionality in various ways for each specific application, but such implementation decisions should not be interpreted as a departure from the scope of the present disclosure.

The various embodiments presented herein may be implemented as methods, apparatus, or articles of manufacture using standard programming and/or engineering techniques. The term “article of manufacture” includes a computer program or media accessible from any computer-readable device. For example, computer-readable storage media include magnetic storage devices (eg, hard disks, floppy disks, magnetic strips, etc.), optical disks (eg, CDs, DVDs, etc.), smart cards, and flash drives. memory devices (eg, EEPROMs, cards, sticks, key drives, etc.). The term “machine-readable medium” includes, but is not limited to, wireless channels and various other media that can store, hold, and/or convey instruction(s) and/or data.

The description of the presented embodiments is provided to enable any person skilled in the art to make or use the present disclosure. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the scope of the present disclosure. Thus, the present disclosure is not intended to be limited to the embodiments presented herein, but is to be construed in the widest scope consistent with the principles and novel features presented herein.

Claims (13)

A method of embodying a security internalization methodology using a processor of a computing device, the method comprising:
mapping the security internalization methodology and the evidence-based security methodology; and
storing the mapping result in a database;
including,
The mapping result is
comprising at least one security level, at least one security activity, at least one detailed security activity and artifact,
How to internalize security.
delete The method of claim 1,
The at least one security step,
1st stage related to security training, 2nd stage related to initiation and planning, 3rd stage related to requirements analysis, 4th stage related to acquisition, 5th stage related to design, 6th stage related to implementation, verification related comprising at least one of a seventh stage, an eighth stage relating to distribution, a ninth stage relating to operation and a tenth stage relating to disposal;
How to internalize security.
The method of claim 1,
Recognizing the characteristics of the enterprise and the status of the security internalization methodology of the enterprise;
recognizing the level of the security internalization methodology of the enterprise based on the security internalization methodology status;
recognizing a competitor related to the enterprise based on the characteristics and the status of the security internalization methodology;
recognizing the average security internalization methodology level of the competitor; and
providing first information by quantitatively analyzing a difference in security internalization methodology level between the competitor and the enterprise based on the average security internalization methodology level of the competitor and the security internalization methodology level of the enterprise;
further comprising,
How to internalize security.
5. The method of claim 4,
The step of recognizing the average security internalization methodology level of the competitor is,
obtaining status information on security standards of information protection products performed by the competitor; and
recognizing the average security internalization methodology level of the competitor based on the status information;
containing,
How to internalize security.
5. The method of claim 4,
The mapping result is
and security internalization methodology level information in which the security internalization methodology level given to each of a plurality of detailed security activities included in each of the at least one security activity is recorded,
The step of recognizing the level of the security internalization methodology of the enterprise based on the mapping result and the status of the security internalization methodology comprises:
recognizing the level of the security internalization methodology of the enterprise for each of the at least one security activity based on the security internalization methodology level information and the status of the security internalization methodology;
containing,
How to internalize security.
5. The method of claim 4,
after providing the first information, receiving an appropriate level of security internalization methodology desired by the enterprise; and
providing second information on at least one essential security activity related to the appropriate security internalization methodology level among at least one security activity included in the mapping result;
containing,
How to internalize security.
8. The method of claim 7,
The second information is
at least one required artifact mapped to each of the at least one required security level including the at least one required security activity;
How to internalize security.
5. The method of claim 4,
The first information is
Quantitatively representing the difference in the security internalization methodology level in a graph format,
How to internalize security.
10. The method of claim 9,
The graph is
The x-axis representing each of the at least one detailed security activity, the y-axis representing the security internalization methodology level for each of the at least one detailed security activity, the first line representing the average security internalization methodology level of the competitor, and the security of the enterprise comprising a second line indicating the level of internalization methodology;
How to internalize security.
11. The method of claim 10,
The graph is
based on a gap formed by a gap between the first line and the second line, quantitatively representing the difference in the level of the security internalization methodology of the competitor and the enterprise,
How to internalize security.
a mapping unit that maps the security internalization methodology and the evidence-based security methodology; and
a database unit for storing mapping results;
including,
The mapping result is
comprising at least one security level, at least one security activity, at least one detailed security activity and artifact,
Security internalization device.
13. The method of claim 12,
Recognize the characteristics of the enterprise and the status of the security internalization methodology of the enterprise, recognize the level of the security internalization methodology of the enterprise based on the status of the security internalization methodology, and based on the characteristics and the status of the security internalization methodology, competitors related to the enterprise a level extraction unit that recognizes and recognizes the average security internalization methodology level of the competitor;
a level difference analysis unit that provides first information by quantitatively analyzing a difference in security internalization methodology level between the competitor and the enterprise based on the average security internalization methodology level of the competitor and the security internalization methodology level of the enterprise; and
an information generating unit providing second information on at least one essential security activity related to an appropriate security internalization methodology level desired by the enterprise among the at least one security activity included in the mapping result;
further comprising,
Security internalization device.

Images