
Security Policy Guidelines

(Source: wikipedia)
Security policy is a definition of what it means to be secure for a system, organization or other entity. For an organization, it addresses the constraints on behavior of its members as well as constraints imposed on adversaries by mechanisms such as doors, locks, keys and walls. For systems, the security policy addresses constraints on functions and flow among them, constraints on access by external systems and adversaries including programs and access to data by people.


A security policy is a policy for protecting an organization's assets from the major risks that threaten its systems. It consists of a document that ranks information risks, the identification of acceptable security goals, and the identification of the mechanisms by which those goals are achieved.

Some standards and regulations that enterprise customers and government agencies must comply with (source: symantec)

| Standard/Regulation | Industry | Type | Comments/URLs |
|---|---|---|---|
| ISO/IEC 17799 | International - Baseline | Standard | "The International Organization for Standardization", www.iso-17799.com |
| BS 7799 Part 1 | British Government | Standard | British Standard. Predecessor to the ISO 17799 standard |
| AS4444/NZS4444 | Australian Government | Standard | Australian Standard/New Zealand Standard. Replaced by the ISO 17799 standard |
| HIPAA | Health Care | Regulation | Health Insurance Portability And Accountability Act of 1996 |
| CIS Benchmarks | Worldwide Consortium | Standard | The Center for Internet Security Solaris Benchmark |
| Gramm-Leach-Bliley Act (GLBA) | US Financial Services Law | Regulation | US legislation passed Nov. 1999 |
| SANS/FBI Top 20 List | General Security | Standard | System Administration, Networking and Security / Federal Bureau of Investigation |
| CVE | General Security | Standard | MITRE's Common Vulnerabilities and Exposures |
| VISA | Banking | Standard | Visa International and Visa USA |
| ISO 15408 (Common Criteria) | International Security Program - Systems | Standard | May be replacing NSA's Red Book and Orange Book |
| CASPR | GNU Best Practices | Standard | Commonly Accepted Security Practices & Recommendations |
| OCC | Banking | Regulation | Office of the Comptroller of the Currency |
| FDIC | Banking | Regulation | Federal Deposit Insurance Corporation |
| SysTrust | AICPA | Standard | American Institute of Certified Public Accountants |
| FISCAM | GAO (Federal Govt.), Financial Systems | Regulation | Federal Information Systems Control Audit Manual |
| CobiT | ISACA | Standard | Control Objectives for Information and Related Technology |
| IETF Security Handbooks | Internet Community | Standard | The Internet Engineering Task Force |
| SEC | Brokerage | Regulation | U.S. Securities and Exchange Commission |
| Rainbow Series (Orange Book) | Military commands and contractors | Regulation | Being replaced by Common Criteria |
| FDA | Pharmaceutical | Regulation | Food and Drug Administration |
| NPG 2810 (NASA) | Facilities and Contractors | Regulation | NASA Policy Guideline |
| 1974 Privacy Act and Amendments | US Companies | Regulation | www.usdoj.gov/04foia/privstat.htm |
| ISO 13335 (Parts 1, 2, 3, 4, 5) | International - Educational | Technical Report | A five-part technical report giving guidance on security management |
| SAS70 | Auditing | Standard | Statement on Auditing Standards |
| GASSP | Older than CASPR | Standard | Generally Accepted Systems Security Principles |
| DITSCAP/NIACAP | Department of Defense (DOD) | Regulation | DoD Information Technology Security Certification and Accreditation Process |
| AS/NZS 4360:1999 | Australian/New Zealand Government | Standard | Australian Standard / New Zealand Standard |
| FCC | US Government | Regulation | Federal Communications Commission |
| Other Standards | | Standard and Regulation | |

Points to note when writing guidelines