Practical Guidebook for Security Consultants

Table of Contents

Chapter 1 Introduction
Section 1 Purpose of the Guidebook
Section 2 Structure of the Guidebook
Section 3 Overview of Security Consulting
 1. Concept of security consulting
 2. Purpose of security consulting
 3. Expected benefits of security consulting
Section 4 How to Apply the Guidebook
 1. Intended users of the guidebook
 2. Consulting execution model
 3. Consulting execution method
 4. Use of security document templates
 5. Points to note

Chapter 2 Consulting Execution Model
Section 1 Theoretical Development Trends
 1. Lewin model, 1951
 2. Kolb & Frohman model, 1970
 3. Margerison model, 1986
 4. ILO (Milan) model, 1986
 5. Korea Management Association Consulting model, 1997
Section 2 Security Consulting Methodology

Chapter 3 Current-State and Environment Analysis
Section 1 Business Status and Requirements Analysis
 1. Business status analysis
 2. Requirements analysis
Section 2 Conducting a Security Self-Assessment
 1. Self-assessment overview
 2. Self-assessment method
 3. Structure of the self-assessment form
 4. Use of self-assessment results

Chapter 4 Security Vulnerability Assessment
Section 1 Identification and Valuation of Information Assets
 1. Asset identification
 2. Asset valuation
Section 2 System Threat and Vulnerability Assessment
 1. System assessment
 2. Web application assessment
 3. Penetration testing assessment
Section 3 Security Management Status Assessment
 1. Assessment overview
 2. Assessment items
 3. Assessment method
 4. Assessment criteria

Chapter 5 Establishing a Security Master Plan
Section 1 Master Plan Development Stages
Section 2 Environment Analysis Results
 1. Environment analysis
 2. Asset analysis
Section 3 Vulnerability Assessment Results
 1. Technical security assessment
 2. Security management status assessment
Section 4 Establishing Security Countermeasures
 1. Establishing a security management system
 2. Establishing phased security countermeasures

Chapter 6 Security Plan Execution and Closure
Section 1 Security Management System Control Items
 1. Administrative security
 2. Physical security
 3. Network security
 4. Server security
 5. Application system security
 6. PC security
Section 2 Establishing the Security Management Documentation Framework
 1. Security policy document
 2. Security guidelines
 3. Security procedures
Section 3 Deploying Security Systems
 1. Overview of security solutions
 2. Network security
 3. Server security
 4. Application security
 5. PC security
 6. Security management
Section 4 Consulting Closure and Follow-up
 1. Final report submission and acceptance
 2. Training for executives and employees
 3. Follow-up management

Appendices
I. Sample Security Policy Document
 1. Security policy document
II. Sample Standard Security Guidelines
 1. Security organization guideline
 2. Asset classification guideline
 3. Security incident handling guideline
 4. Security audit guideline
 5. Access control guideline
 6. Network security guideline
 7. Application system security guideline
 8. Server security guideline
 9. Mobile computer security guideline
 10. Disciplinary guideline for information security violators
 11. Personal security guideline
III. Sample Security Pledges
 1. For new hires / current employees
 2. For foreign nationals
 3. For departing employees
 4. For partner companies (corporate)
 5. For partner companies (individual)
 6. For project participants
 7. For notebook PC users
 8. For users of computer media, etc.
IV. Sample Technology Contracts
 1. Joint research agreement
 2. Investment agreement
 3. License agreement
 4. Contract manufacturing agreement
 5. Merger and acquisition agreement
 6. Joint venture agreement

 

Table 1-1 Structure and main contents of the guidebook
Table 1-2 Characteristics of security
Table 3-1 Security levels
Table 4-1 Asset classification (example)
Table 4-2 Asset valuation criteria
Table 4-3 Asset valuation (example)
Table 4-4 Threat and vulnerability assessment
Table 4-5 Account management assessment criteria (Windows)
Table 4-6 File system assessment criteria (Windows)
Table 4-7 Network service assessment criteria (Windows)
Table 4-8 Log management assessment criteria (Windows)
Table 4-9 Key application settings assessment criteria (Windows)
Table 4-10 IIS security settings assessment criteria (Windows)
Table 4-11 System security settings assessment criteria (Windows)
Table 4-12 Virus assessment criteria (Windows)
Table 4-13 Security patch assessment criteria (Windows)
Table 4-14 Account management assessment criteria (Unix)
Table 4-15 File system assessment criteria (Unix)
Table 4-16 Network service assessment criteria (Unix)
Table 4-17 Log management assessment criteria (Unix)
Table 4-18 Key application settings assessment criteria (Unix)
Table 4-19 Apache security settings assessment criteria (Unix)
Table 4-20 SMTP security settings assessment criteria (Unix)
Table 4-21 DNS security settings assessment criteria (Unix)
Table 4-22 System security settings assessment criteria (Unix)
Table 4-23 Virus / Internet worm infection assessment criteria (Unix)
Table 4-24 Security patch assessment criteria (Unix)
Table 4-25 Threat assessment (example)
Table 4-26 Vulnerability assessment (example)
Table 4-27 Risk measurement (example)
Table 4-28 Access control assessment criteria
Table 4-29 Account management assessment criteria (Web Application)
Table 4-30 Data protection assessment criteria
Table 4-31 Logging / audit assessment criteria
Table 4-32 Configuration and authentication assessment criteria
Table 4-33 Coding assessment criteria
Table 4-34 Penetration testing assessment criteria
Table 4-35 Compliance rate calculation example (security policy area)
Table 6-1 Administrative security control items
Table 6-2 Physical security control items
Table 6-3 Network security control items
Table 6-4 Server security control items
Table 6-5 Application system security control items
Table 6-6 PC security control items
Table 6-7 Main contents of the security guidelines
Table 6-8 Types of security procedures (example)
Table 6-9 Comparison of advantages and disadvantages by DB encryption implementation method
Table 6-10 Main DRM functions

 

 

Figure 1-1 Guidelines for conducting security consulting
Figure 2-1 Stages of the Lewin model
Figure 2-2 Stages of the Kolb & Frohman model
Figure 2-3 Stages of the Margerison model
Figure 2-4 Stages of the ILO (Milan) model
Figure 2-5 Stages of the Korea Management Association Consulting model
Figure 2-6 Security consulting methodology
Figure 4-1 Web application assessment procedure
Figure 4-2 Penetration testing assessment procedure
Figure 5-1 Security master plan development stages
Figure 5-2 Environment analysis stage
Figure 5-3 Information asset analysis stage
Figure 5-4 Security objectives and security management system
Figure 5-5 Security countermeasures by task (example)
Figure 5-6 Phased security countermeasures (example)
Figure 6-1 Security management documentation framework
Figure 6-2 IT security architecture
Figure 6-3 Best case model for responding to security threats
Figure 6-4 Intrusion prevention system (IPS) deployment diagram
Figure 6-5 NAC deployment diagram
Figure 6-6 SecureOS configuration diagram
Figure 6-7 API-based DB encryption tool
Figure 6-8 Filter-based DB encryption tool

 



Download the PDF directly (published by the Small and Medium Business Administration, December 2007, per the file name):

중소기업청_보안컨설턴트용_실무가이드북(2007.12).pdf

Source: screen capture