Security Policy Guidelines
(Source: Wikipedia)
Security policy is a definition of what it means to be secure for a system, organization or other entity. For an organization, it addresses the constraints on behavior of its members as well as constraints imposed on adversaries by mechanisms such as doors, locks, keys and walls. For systems, the security policy addresses constraints on functions and flow among them, constraints on access by external systems and adversaries including programs and access to data by people.
A security policy is a policy for protecting an organization's assets from the main risk factors that threaten its systems. It consists of a document that ranks information risks, the identification of acceptable security objectives, and the identification of the mechanisms that achieve those objectives.
Some standards and regulations that enterprise customers and government agencies must comply with (source: Symantec)
Standard/Regulation | Industry | Type | Comments/URLs |
---|---|---|---|
ISO/IEC 17799 | International - Baseline | Standard | “The International Organization for Standardization” www.iso-17799.com |
BS 7799 Part 1 | British Government | Standard | British Standard. Predecessor to ISO 17799 standard |
AS4444/NZS4444 | Australian Government | Standard | Australian Standard/New Zealand Standard. Replaced by ISO 17799 standard |
HIPAA | Health Care | Regulation | Health Insurance Portability And Accountability Act of 1996. |
CIS Benchmarks | Worldwide Consortium | Standard | The Center for Internet Security Solaris Benchmark |
Gramm-Leach-Bliley Act (GLBA) | US Financial Services Law | Regulation | US Legislation passed Nov. 1999. |
SANS/FBI Top 20 List | General Security | Standard | System Administration, Networking and Security/Federal Bureau of Investigation |
CVE | General Security | Standard | MITRE's Common Vulnerabilities and Exposures |
VISA | Banking | Standard | Visa International and Visa USA |
ISO 15408 (Common Criteria) | International Security Program - Systems | Standard | May be replacing NSA's Red Book and Orange Book |
CASPR | GNU Best Practices | Standard | Commonly Accepted Security Practices & Recommendations |
OCC | Banking | Regulation | Office of the Comptroller of the Currency |
FDIC | Banking | Regulation | Federal Deposit Insurance Corporation |
SysTrust | AICPA | Standard | American Institute of Certified Public Accountants |
FISCAM | GAO (Federal Govt.), Financial Systems | Regulation | Federal Information Systems Control Audit Manual |
CobiT | ISACA | Standard | Control Objectives for Information and Related Technology |
IETF Security Handbooks | Internet Community | Standard | The Internet Engineering Task Force |
SEC | Brokerage | Regulation | U.S. Securities and Exchange Commission |
Rainbow Series (Orange Book) | Military commands and contractors | Regulation | Being replaced by Common Criteria |
FDA | Pharmaceutical | Regulation | Food and Drug Administration |
NPG 2810 (NASA) | Facilities and Contractors | Regulation | NASA Policy Guideline |
1974 Privacy Act and Amendments | US Companies | Regulation | www.usdoj.gov/04foia/privstat.htm |
ISO 13335 (Parts 1, 2, 3, 4, 5) | International - Educational | Technical Report | A five-part technical report giving guidance on security management. |
SAS70 | Auditing | Standard | Statement on Auditing Standards |
GASSP | Older than CASPR | Standard | Generally Accepted Systems Security Principles |
DITSCAP/NIACAP | Department of Defense (DOD) | Regulation | DoD Information Technology Security Certification and Accreditation Process |
AS/NZS 4360:1999 | Australian/New Zealand Government | Standard | Australian Standard / New Zealand Standard |
FCC | US Government | Regulation | Federal Communications Commission |
Other Standards | — | Standard and Regulation | — |