The Journal of Systems and Software 80 (2007) 1631–1638 www.elsevier.com/locate/jss
Common defects in information security management system of Korean companies

Sungho Kwon a,*, Sangsoo Jang a, Jaeill Lee a, Sangkyun Kim b

a IT Infrastructure Protection Division, Korea Information Security Agency (KISA), 78 Garakdong, Seoul, Republic of Korea
b Department of Industrial Engineering, Kangwon National University, Chunchon, Republic of Korea

Available online 27 January 2007
Abstract

The purpose of this paper is to reduce the trial and error that enterprises face when establishing and certifying an information security management system (ISMS). To that end, this study presents, item by item, the defects found by the Korean government certification agency during the ISMS certification assessments of a number of enterprises. By analysing these defects, the paper outlines the issues that enterprises should attend to at each stage of establishing an ISMS. It further presents a reference model for self assessment, so that companies can verify for themselves how complete their ISMS is. A case study is provided to demonstrate the practical value of the model.
© 2007 Elsevier Inc. All rights reserved.

Keywords: Information security management system; Reference model; Self assessment
1. Introduction

With the rapid development of the Internet, information leakage and financial loss among enterprises have increased as a result of information dysfunctions. The growing need to protect important information from such dysfunctions, and to manage information security systematically, has raised international interest in information security management, and systematic efforts in this area are expanding. To keep up with this trend, Korea has been studying an ISMS certification system since 2000, and detailed assessment standards and a guide based on Article 47 of the Act on Promotion of Information and Communication Network Utilization and Information Protection were prepared in 2001 (MIC, 2004a,b,c). The certification system described in this paper is the one in place as of May 2005. To date, a number of initiatives have been developed to facilitate the certification system, including technical advice, guideline distribution, prior advice on the certification assessment, and the cultivation and education of certification auditors.

The ISMS certification system certifies a system that establishes and documents procedures and processes, and that is continuously managed and operated to achieve the aims of information security: the confidentiality, integrity and availability of information assets. Under the system, a third-party certification authority, the Korea Information Security Agency (KISA), objectively and independently assesses the organically integrated set of information security measures implemented through the information security management process (establishment of policy and organization, risk management, implementation of countermeasures, consequence management, and so on) in a form suited to each body, and then certifies that the body meets the standard (KAB, 2005a,b).

* Corresponding author. E-mail addresses: [email protected] (S. Kwon), [email protected] (S. Jang), [email protected] (J. Lee), [email protected] (S. Kim).
0164-1212/$ - see front matter © 2007 Elsevier Inc. All rights reserved. doi:10.1016/j.jss.2007.01.015
This study summarizes the legal basis of the ISMS certification system and its certification scheme, so as to establish the basic concepts of the system being enforced in Korea. It then analyses the defects found during certification, using the bodies that have obtained ISMS certification as the data set. From this analysis the study derives a reference model for self checking, aimed at helping enterprises verify for themselves how complete their ISMS is. Finally, the effectiveness of the study is demonstrated through a case study of an enterprise to which the proposed reference model was applied.

2. Certification method

2.1. Certification index

In Korea, the certification index of the ISMS has been studied since 2000. It is based on Article 47 of the Act on Promotion of Information and Communication Network Utilization and Information Protection, with the standards for certification assessment announced by the Ministry of Information and Communication in February 2002 (Notice No. 2002-32). It comprises 137 items: 14 pertaining to the management process, three to documentation requirements, and 120 to the countermeasures for establishing information security. The general standards for certification assessment are given in Table 1 (BSI, 2000, 2004; ISACA, 2005; ISO, 1996, 1997, 1998, 1999a,b).

Table 1. Index for certification assessment (Category; Index: Assessment standards)

Management procedures (14 items)
  Establishment of an information protection policy: establishment of an information protection policy; establishment of organization and responsibility
  Establishment of the scope of the information protection management system: establishment of the scope of the information protection management system; identification of information assets
  Risk management: establishment of a risk management strategy and plan; risk analysis; risk assessment; selection of information protection countermeasures; establishment of an information protection plan
  Realization: effective realization of information protection countermeasures; education and training of information protection
  After the fact management: re-examination of the information protection management system; monitoring and improvement of the information protection management system; internal audit

Documentation (3 items)
  Documentation: document requisite; control of documents; control of recording documents

Control of information protection management (120 items)
  Information protection policy: approval and announcement of the policy; policy system; policy maintenance management
  Information protection organization: system of organization, responsibility and role
  Outsider security: security management of contract and service level agreement; outsider security implementation management
  Classification of information assets: inspection and allocation of responsibility of information assets; classification and handling of information assets
  Education and training of information protection: establishment of an education and training program; implementation and assessment
  Personnel security: allocation and regulation of responsibility; qualification examination and management of staff in charge of major jobs; confidentiality
  Physical security: physical security countermeasures; data center security; equipment protection; office protection
  System development security: analysis and design of security management; realization and implementation of security management; change management
  Cryptography control: cryptography policy; cryptography use; key management
  Access control: access control policy; user access management; access control region
  Operation management: operating procedure and responsibility; system operation; network operation; media and document management; malicious software control; mobile computing and remote works
  Electronic transaction security: exchange agreement; electronic transaction security management; e-mail; open server security management; user public notice item
  Security accident management: response plan and system; response and restoration; after the fact management
  Examination, monitoring and auditing: compliance examination of legal requirement items; compliance examination of information protection policies; monitoring; security audit
  Job continuity management: establishment of a job continuity management system; establishment and realization of a job continuity plan; testing and maintenance management of the job continuity plan

The applicant body establishes and operates the ISMS according to the five stages of the information security management process: establishing the information security policy, defining the scope of the ISMS, risk management, implementation, and consequence management. The assessment team of the certification authority assesses whether the ISMS has been established and operated in accordance with the assessment standards. In the document assessment, the team examines whether the applicant's ISMS documents satisfy the requirements of the standards for certification assessment, establishes whether the regulations that the documents describe have in fact been carried out, develops the checklist needed for the technical assessment, and draws up a detailed schedule. In the technical assessment, the team checks, through interviews with the persons in charge, any major problems found during the document assessment, conducting a simulated diagnosis of the system and network where necessary (MIC, 2002).

2.2. Certification scheme

ISMS certification proceeds in four stages: the preparation stage, in which the application is prepared and the certification contract concluded; the assessment stage, in which the assessment team carries out the document and technical assessments and the applicant remedies any defects found; the certification stage, in which the certification committee deliberates on the assessment results and a certificate is issued; and the consequence management stage, in which it is examined whether the certified body continues to operate its ISMS. In the consequence management stage the certified body must undergo a consequence management assessment at least once a year after obtaining certification. When the three-year validity of the certification expires, the body must extend it through a renewal audit. The basic flow of this certification procedure is illustrated in Fig. 1 (KISA, 2003a,b).

3. Analysis on common defects

3.1. Survey methods

We analysed the defects of the 28 bodies that acquired ISMS certification between February 2002 (when the standards for certification assessment were announced) and April 2005, and on that basis studied a reference model that supports self checking of the ISMS. The 28 bodies come from a range of sectors, including information security consulting agencies, communication companies, accredited certification authorities, and financial institutions. They are leading enterprises in Korea and among the first to establish and operate an information security management system on their own initiative.

3.2. Analysis of defects

Table 2 lists, by frequency, the defects found among the 28 bodies that acquired ISMS certification, and Table 3 gives the analysis results.
Table 4 gives details of the top 25 defect areas, which account for 93.4% of the defect frequency (Koo, 2002; Woo, 2002).

Fig. 1. Certification procedure.

Table 2. Rank and frequency of defects (Rank; Frequency: Defect items)

1; 19: Security grade and handling
2; 18: Response plan establishment
3; 17: User registration
4; 16: Change management of information assets; media handling and storage
5; 15: Entrance control
6; 14: Access control regulations; backup and restoration management
7; 13: Open server security management; compliance examination; maintenance management of the job continuity plan
8; 12: Documentation-control of documents; mobile computing
9; 7: Allocation of responsibility
10; 6: Network access; establishment of a job continuity plan; allocation of responsibility per information asset; management of staff in charge of major jobs; confidentiality agreement; change management procedures
11; 5: Implementation and assessment; types of policy documents; database access; establishment of job continuity management procedure; testing of the job continuity plan
12; 4: Access control policy examination; operating procedure documentation; performance management; log management; security audit plan and conduct; classification of information assets; physical protection area
13; 3: Management procedures-effective realization of information protection countermeasures; management procedures-internal audit; cryptography use; application program access; obstacle management; security system operation; media discarding; system documents security; establishment of a security accident countermeasures system; security accident report; analysis of job effects; inspection of information assets; main system protection; safe disposal and recycling of equipment
14; 2: Management procedures-establishment of an information protection policy; management procedures-establishment of the scope of the information protection management system; management procedures-risk analysis; management procedures-selection of information protection countermeasures; key management; policy documentation; special right management; user password management; user's responsibility; operating system access; capacity management; security accident response and re-training; access and use monitoring; composition of organization; education and training plan; definition of security requirement; realization and testing
15; 1: Documentation-control of recording documents; management procedures-establishment of a risk management strategy and plan; management procedures-risk assessment; management procedures-establishment of an information protection plan; management procedures-re-examination of the information protection management system; cryptography policy; approval of the policy; announcement of the policy; consistency with the upper policy; periodic examination; policy contents; access control method; user's access right examination; job separation; network operation countermeasures; remote works; security accident treatment and restoration; prevention of re-occurrences; identification of requirement items; policy compliance; technical inspection; audit record analysis and storage; audit results and after the fact management; realization of the job continuity plan; utilization of external experts; information protection committee; security requirement in the case of a contract with a third party; outsider security implementation management; targets of education and training; content of education and training; personnel regulations; physical access control; location and structure condition; input data verification; operation environment implementation security; security of test data; source program access security
16; 0: Documentation-document requisite; management procedures-establishment of organization and responsibility; management procedures-identification of information assets; management procedures-education and training of information protection; management procedures-monitoring and improvement of the information protection management system; office protection; malicious software control; exchange agreement; electronic transaction security management; e-mail; user public notice item; separation of the development and operation environment; outside operation of facility management; system introduction; system acceptance; internet access management; remote operation management; analysis and information sharing of security accidents; evidence data collection; examination plan; viewpoint synchronization; framework establishment for the job continuity plan; information protection manager; security requirement when signing contracts with outsiders; third-party security management; personnel regulations; internal facility; equipment deployment; power supply; cable protection; equipment repairs; internal processing verification; output data verification; authorization and cryptography; security record management; examination at the time of changing the operating system; change of software packages
Total; 152: 137 items

3.3. Reference model for self assessment

The reference model for self assessing the completeness of an ISMS proposed in this study consists of five maturity stages. It is based on the ratio of defect frequency to number of defect items set out in Table 3: the 137 certification items are grouped into bands by the frequency with which they were found defective, the frequency levels within each band are totalled (19 + 18 + 17 + 16 + 15 = 85 for the first band, so the totals count frequency levels rather than individual defect occurrences), and the total is divided by the number of items in the band. Stage 1, where this ratio is 14.2, covers 85 of the total defect frequency of 152 (55.9%) across six of the 137 items (4.4%). Stage 2 covers 39 of 152 (25.7%) across seven items (5.1%). Stage 3 covers 18 of 152 (11.8%) across 12 items (8.8%). Stage 4 covers ten of 152 (6.6%) across 75 items (54.7%). Finally, stage 5 comprises the 37 items (27%) in which no defect occurred at all. The diagram of the reference model for the self assessment on completeness of ISMS for this study is
illustrated in Fig. 2, and the self assessment results are shown in Table 5. The reference model may be used to examine the status of an enterprise's ISMS internally, so that the enterprise can assess the completeness of its ISMS before applying to the government agency for a certification assessment. Generally, enterprises that pass stage 2 of the reference model may be expected to come through the assessment without difficulty even when they apply to an external certification authority, because the reference model shows that 124 of the total defect frequency of 152 (81.6%) fell on the 13 defect items accumulated through stage 2 (9.5% of the items). Enterprises that pass stage 3 may be considered to have almost completed the establishment of their ISMS, because 142 of 152 (93.4%) fell on the 25 items accumulated through stage 3 (18.2% of the items), which is nearly all of the defect frequency.

Table 3. Analysis result (frequency levels and item counts per band; (1)/(2) is the ratio of the defect frequency subtotal to the defect item subtotal)

Stage  Frequency of defect (1)        Defect items (2)            (1)/(2)
       levels              subtotal   no. per level     subtotal
1      19, 18, 17, 16, 15  85         1, 1, 1, 2, 1     6         14.2
2      14, 13, 12          39         2, 3, 2           7         5.6
3      7, 6, 5             18         1, 6, 5           12        1.5
4      4, 3, 2, 1          10         7, 14, 17, 37     75        0.1
5      0                   0          37                37        0
Total                      152                          137

4. Case study

The case study applies the defect items found during the ISMS certification assessment of firm K, a company in the communication sector, to the reference model for self assessing the completeness of an ISMS, and compares the results. Table 6 shows the assessment results obtained by applying firm K's certification assessment defects to the reference model. As Table 6 shows, firm K had four defect items: one in stage 3 and three in stage 4. The company is therefore placed in stage 3 and about to enter stage 4, which is the status it would have inferred for itself by running an internal inspection against the reference model; that is, the company can be expected to complete the establishment of its ISMS. In fact, firm K immediately took remedial measures for the four defects and acquired certification.
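As an added example (not code from the paper), the Python below rebuilds the band subtotals of Table 3 and the percentages of Table 5 from the per-frequency item counts, reproduces the cumulative figures quoted in section 3.3 (81.6% through stage 2, 93.4% through stage 3), and then runs firm K's four defects from the case study through the resulting stage bands. The item counts and stage bands are transcribed from Table 3; the function names, the matching of Table 6's labels to Table 2 items, and the rule that a body's current stage is the lowest stage in which it still has a defect are this example's assumptions.

```python
"""Reference model for ISMS self-assessment, rebuilt from the paper's Tables 2, 3 and 6.

Added example: the data are transcribed from the paper, the function names and
the firm-K label matching are assumptions of this example, not the paper's.
"""
from dataclasses import dataclass

# Table 3: how many of the 137 certification items were found defective with
# each frequency across the 28 certified bodies (frequency level -> item count).
ITEMS_PER_FREQUENCY = {
    19: 1, 18: 1, 17: 1, 16: 2, 15: 1, 14: 2, 13: 3, 12: 2,
    7: 1, 6: 6, 5: 5, 4: 7, 3: 14, 2: 17, 1: 37, 0: 37,
}

# Stage bands as inclusive (lowest, highest) frequency, read off Table 3.
STAGE_BANDS = {1: (15, 19), 2: (12, 14), 3: (5, 7), 4: (1, 4), 5: (0, 0)}


@dataclass
class StageRow:
    stage: int
    items: int          # certification items whose frequency falls in the band
    item_pct: float     # share of the 137 items
    defect_freq: int    # sum of the frequency levels in the band (the paper's measure)
    freq_pct: float     # share of the paper's total of 152
    ratio: float        # defect_freq / items, the last column of Table 3


def stage_of(frequency, bands=STAGE_BANDS):
    """Map a Table 2 defect frequency to its stage of the reference model."""
    for stage, (lo, hi) in bands.items():
        if lo <= frequency <= hi:
            return stage
    raise ValueError(f"frequency {frequency} is outside every band")


def build_reference_model(items_per_frequency=ITEMS_PER_FREQUENCY, bands=STAGE_BANDS):
    """Rebuild Table 3 / Table 5 from the per-frequency item counts.

    The paper's 'frequency of defect' subtotal adds up the distinct frequency
    levels in a band (19+18+17+16+15 = 85), not the number of defect
    occurrences (which would count level 16 twice); this reproduces the
    paper's arithmetic so that its figures can be checked.
    """
    total_items = sum(items_per_frequency.values())   # 137
    total_freq = sum(items_per_frequency)             # 152: sum of the distinct levels
    rows = []
    for stage, (lo, hi) in sorted(bands.items()):
        levels = [f for f in items_per_frequency if lo <= f <= hi]
        items = sum(items_per_frequency[f] for f in levels)
        defect_freq = sum(levels)
        rows.append(StageRow(
            stage=stage,
            items=items,
            item_pct=100.0 * items / total_items,
            defect_freq=defect_freq,
            freq_pct=100.0 * defect_freq / total_freq,
            ratio=defect_freq / items if items else 0.0,
        ))
    return rows


def cumulative_share(rows, through_stage):
    """Cumulative (item %, defect-frequency %) up to and including a stage."""
    sel = [r for r in rows if r.stage <= through_stage]
    return sum(r.item_pct for r in sel), sum(r.freq_pct for r in sel)


def assess(defects, bands=STAGE_BANDS):
    """Self-assessment: place each of a body's defect items in its stage.

    `defects` maps a defect item to that item's frequency in Table 2. Returns
    (per-stage counts, current stage); the current stage is the lowest stage
    that still has a defect, so every stage below it counts as passed.
    """
    per_stage = {s: 0 for s in bands}
    for _item, freq in defects.items():
        per_stage[stage_of(freq, bands)] += 1
    current = min((s for s, n in per_stage.items() if n), default=max(bands))
    return per_stage, current


# Firm K (Table 6). Its labels are matched to Table 2 items by name here; that
# matching is this example's assumption, not the paper's.
FIRM_K_DEFECTS = {
    "Confidentiality agreement": 6,                    # Table 2, frequency 6
    "Special right management": 2,                     # 'Management of special rights'
    "Operating procedure documentation": 4,            # 'Documentation of operating procedure'
    "Security accident treatment and restoration": 1,  # 'Backup and restoration of security incident'
}

if __name__ == "__main__":
    for row in build_reference_model():
        print(f"stage {row.stage}: {row.items:3d} items ({row.item_pct:4.1f}%), "
              f"freq {row.defect_freq:3d} ({row.freq_pct:4.1f}%), ratio {row.ratio:4.1f}")
    counts, current = assess(FIRM_K_DEFECTS)
    print(f"firm K: {counts}, current stage {current}")
```

Running the block prints the five Table 5 rows and places firm K in stage 3 with one stage 3 and three stage 4 defects, matching section 4. Because the paper's subtotals add frequency levels rather than occurrences, a body wanting an occurrence-weighted view of its own audit findings would replace `sum(levels)` with `sum(f * items_per_frequency[f] for f in levels)`; the stage boundaries would then need to be re-derived rather than copied from Table 3.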
Table 4. Details of the 25 defect areas with the highest defect frequencies (Frequency; Defect item: Contents)

19; Security grade and handling: Information assets classified by degree of importance shall be given a security grade, tagged with their physical and electronic security grade and managed accordingly. In addition, handling procedures shall be defined for each security grade and implemented.
18; Response plan establishment: AOs shall establish and implement a security accident response plan that includes a definition of security accidents and their scope, an emergency contact system, reporting and response procedures at the time of a security accident, the composition of the accident restoration organization, and an education plan.
17; User registration: Formal procedures for user registration and cancellation shall be prepared to control access to information systems and services.
16; Change management of information assets: Official management responsibilities and procedures shall be established to inventory information system related assets and to reflect all changes.
16; Media handling and storage: To protect information from unauthorized outflow or abuse, procedures for handling and storing media shall be established before operation.
15; Entrance control: Entrance to the data center shall follow appropriate entrance control procedures; the identity of entrants must be verified and a record of entrance maintained. In addition, the entrance log must be inspected regularly.
14; Access control regulations: The rules of access control shall state clearly which regulations are permanent and which apply only for a certain or selected period, and which regulations require the manager's approval before implementation and which do not.
14; Backup and restoration management: AOs shall establish and implement a backup plan to maintain the integrity and availability of data and equipment, and shall be able to restore them promptly if an accident occurs.
13; Open server security management: Where information is published on a web server, AOs shall establish approval and posting procedures covering the collection, storage and release of information, and shall establish and operate physical and logical security countermeasures for open servers.
13; Compliance examination: Compliance with the relevant acts and regulations shall be examined, including the Act on Promotion of Information and Communication Network Utilization and Information Protection and other information protection acts, acts on the protection and use of credit information, personal information protection acts, copyright, and computer program protection acts.
13; Maintenance management of the job continuity plan: AOs shall conduct regular education and training on the job continuity plan and shall implement continual examination, assessment and change management of it.
12; Documentation-control of documents: For the documents prepared under "Document requisite", procedures shall be established that define controls such as approval of adequacy before issue, periodic or ad hoc examination of documents, revision and re-approval, identification of changes and of the current revision status, distribution of documents, and prohibition of the use of withdrawn documents.
12; Mobile computing: AOs shall establish security policies to protect business information when portable information and communication devices are used, and policies for connecting such devices to internal networks and using them in public places.
7; Allocation of responsibility: The roles and responsibilities for implementing information protection tasks must be documented, including the general responsibility for establishing, realizing and operating the information protection policy and the specific responsibility for protecting particular information assets and activities.
6; Network access: A network access policy shall be established covering connection control of internal and external networks, control of the physical and logical paths between user terminals and computer services, user authorization, and access control to fault diagnosis ports, in order to prevent unauthorized access.
6; Establishment of a job continuity plan: AOs shall establish a job continuity strategy by evaluating diverse countermeasures to realize the business restoration goals and minimum requirements, and shall establish a plan for realizing those countermeasures.
6; Allocation of responsibility per information asset: The owner, manager and user of each inventoried information asset shall be identified and their responsibilities clearly settled for appropriate control.
6; Management of staff in charge of major jobs: When a job with information system access rights is newly allocated, the persons handling important information such as financial or confidential information shall be separately controlled.
6; Confidentiality agreement: AOs shall have their employees sign a confidentiality agreement, and shall have third parties sign one when granting them access to information. When an employee's employment status changes, in particular on leaving the company, the person must be reminded of the confidentiality agreement.
6; Change management procedures: Formal change management procedures shall be established and implemented to minimize destruction of and damage to the information system.
5; Implementation and assessment: The education and training program shall be implemented regularly, and whenever changes are made to the information protection policy, the information protection system procedures or their roles. On completion of education and training, the results of an examination must be reflected in the next round of education.
5; Management procedures-types of policy documents: Information protection guidelines, procedures and standards shall be established in order to implement the information protection policy concretely. If necessary, AOs may establish a detailed information protection policy for particular systems or services.
5; Database access: Information in databases shall be protected through access control to data at the view, record or field level, access control to data dictionaries and database utilities, and cryptography for sensitive information.
5; Establishment of job continuity management procedure: AOs shall define in advance the processes of job continuity management: the starting phase, the phase of establishing the job continuity strategy, the realizing phase, and the operating management phase. The starting phase shall include policy and scope establishment and the allocation of resources for job continuity; the strategy phase shall be conducted through a business impact analysis; the realizing phase shall include disaster restoration and risk reduction countermeasures and documentation of the job continuity plan; and the operating management phase shall include testing, education and training, examination, and updates.
5; Testing of the job continuity plan: AOs shall test continuously to eliminate errors arising from changes in the environment or incorrect assumptions, and the test plans shall include timing, methods and procedures.

Fig. 2. Reference model for the self check.

5. Conclusion

With the introduction of broadband high speed networks and the advance of Internet technology, information dysfunctions are increasing rapidly, and information leakage and financial loss among enterprises have grown significantly. Such dysfunctions are no longer a matter for a single enterprise or state; they have become a common international issue. As international interest in information security management mounts, systematic efforts in information security management are being made. To keep up with these trends, Korea is endeavouring to strengthen the ability of organizations to build robust information security, and to raise the level of information security, by enforcing the ISMS certification system. The certification system defines 137 certification standards against which the management process, following the information security life cycle, is judged to be systematically and efficiently managed and operated. However, it is not easy for bodies that are preparing to establish, or are establishing, an ISMS to tell which stage of the information security management system they have reached. For an efficient self assessment of the ISMS, the certification standards need to be prioritised by importance, and a reference model developed for self checking the completeness of the ISMS. Such a model highlights the relationships among the certification standards and helps estimate the completeness of the ISMS.

The reference model for self examining the completion rate of the ISMS will help enterprises check their level of information security on their own and remedy the shortcomings it identifies. It will also help enterprises judge for themselves the likelihood of obtaining certification before submitting an application, and it can show enterprises that intend to adopt or enhance information security where they should begin. To develop the model, this study identified and analysed the defects found during certification among enterprises that had established an ISMS, and then presented a reference model that lets enterprises verify the completeness of their ISMS for themselves. The study should be helpful to the many enterprises attempting to establish an ISMS. However, since the characteristics of each type of enterprise differ, applying the reference model presented here to all enterprises regardless of industry is likely to be problematic. For this study to be fully effective, an in-depth study developing a reference model for each type of enterprise is required.
Table 5. Self assessment results by stage

Stage  Status of the ISMS             Defect item (%)  Frequency of defect (%)
1      Early stage of ISMS            4.4              55.9
2      Progress stage of ISMS         5.1              25.7
3      Almost completed stage of ISMS 8.8              11.8
4      Completed stage of ISMS        54.7             6.6
5      Matured stage of ISMS          27               0

Table 6. Assessment results of firm K

Defect item                                   Stage of the reference model for self assessment
Confidentiality agreement                     Stage 3
Management of special rights                  Stage 4
Documentation of operating procedure          Stage 4
Backup and restoration of security incident   Stage 4
References

BSI, 2000. Information Security Management – Specification for Information Security Management System. British Standards Institution, London, UK.
BSI, 2004. Information Security Management – Code of Practice for Information Security Management. British Standards Institution, London, UK.
ISACA, 2005. COBIT Management Guideline, fourth ed. IT Governance Institute, Information Systems Audit and Control Association, IL, USA.
ISO, 1996. Guidelines for the Management of IT System Security: Part 1 – Concepts and Models for IT Security. International Organization for Standardization, Geneva, Switzerland.
ISO, 1997. Guidelines for the Management of IT System Security: Part 2 – Managing and Planning IT Security. International Organization for Standardization, Geneva, Switzerland.
ISO, 1998. Guidelines for the Management of IT System Security: Part 3 – Techniques for the Management of IT Security. International Organization for Standardization, Geneva, Switzerland.
ISO, 1999a. Guidelines for the Management of IT System Security: Part 4 – Selection of Safeguards. International Organization for Standardization, Geneva, Switzerland.
ISO, 1999b. Guidelines for the Management of IT System Security: Part 5 – Management Guidelines of Network Security. International Organization for Standardization, Geneva, Switzerland.
KAB, 2005a. Accreditation Standards of Certification Authority of the Information Security Management System, Notice No. 2005-62. Korea Accreditation Board, Seoul, Korea.
KAB, 2005b. Operational Rules on Pilot Certification System of the Information Security Management System (KAB-PSP-01). Korea Accreditation Board, Seoul, Korea.
KISA, 2003a. Guide for Certification of the Information Security Management System. Korea Information Security Agency, Seoul, Korea.
KISA, 2003b. Procedures for Certification Assessment of the Information Security Management System. Korea Information Security Agency, Seoul, Korea.
Koo, Y., 2002. Study on analyzing tools of vulnerabilities for the establishment of ISMS. Master Thesis, Dongguk University, Seoul, Korea.
MIC, 2002. Standards for Certification Assessment of the Information Security Management System. Ministry of Information and Communication Notice No. 2002-22. Ministry of Information and Communication, Seoul, Korea.
MIC, 2004a. Act on the Promotion of Information and Communication Network Utilization and Information Protection etc., Act No. 7262, Article 47. Ministry of Information and Communication, Seoul, Korea.
MIC, 2004b. Act on the Promotion of Information and Communication Network Utilization and Information Protection etc., Enforcement Decree, Article 23-2. Ministry of Information and Communication, Seoul, Korea.
MIC, 2004c. Act on the Promotion of Information and Communication Network Utilization and Information Protection etc., Enforcement Regulation, Article 6. Ministry of Information and Communication, Seoul, Korea.
Woo, Y., 2002. Study on effective establishment methods of the information security management system of IT-related small & medium business. Master Thesis, Hanyang University, Seoul, Korea.