Promotion on Information Security Certification Programs

Transcription

1 Promotion on Information Security Certification Programs Wan S. Yi Ph.D., CISSP. ISC2 APAC Korea Internet & Security Agency

2 1 KISA Introduction 2 Certification Concept 3 Certification

3 Ⅰ. KISA Introduction

4 1. Introduction History History Korea Internet & Security Agency (merger of KISA, NIDA and KIICA) Korea IT International Cooperation Agency (KIICA) National Internet Development Agency (NIDA) Korea Information Security Agency (KISA) Responsibility Internet Development Information Security on Public and Private sector International Cooperation

5 2. Internet Security Framework Senior Secretary to the President for National Crisis Management National Intelligence Service Ministry of Science, ICT & Future Planning Ministry of National Defense Public Private National Defense National Cyber Security Center Korea Internet & Security Agency Military Cyber Command & Control Center

6 2. Internet Security Framework Cyber crisis response cooperation system Related organizations in Korea Responsible Organization Investigative Agency NIS MND Supreme Prosecutor s office National Police Agency Share incident analysis Raise public awareness and treat malicious codes Share malicious codes & analysis result, Remove zombie PC, Block C&C server access Related organizations abroad CERT abroad Organizations abroad FIRST APCERT MS Symantec McAfee FireEye Checkpoint Block malicious site, notify zombie PC and request treatment Share security incident information request to check failure of network Share malicious codes and produce dedicated vaccines KT LG U+ SK broadband Dreamline Onse telecom, 112 others IDC service provider (ex. KIDC) Control organization (ex. SK Infosec) Communications ISAC, finance ISAC IGLOOSECURITY AhnLab (V3) Security Global Alliance REDBC Hauri (Virobot) Eastoft(AlYac) SG advantec (virus chaser)

7 3. Mission Security Incident Prevention & Response Monitor internet network in Korea for abnormal signs 24/7 Check 2.3 million Korean websites for malicious codes Inspect information security vulnerability and take measures for protection Information protection inspection on ICT service providers Make remote inspection on website vulnerability and take protection measure Operate KrCERT for rapid response of cyber security incident and cooperate at home and abroad Cyber exercise for security incident response with AP regional CERT and related agencies in Korea twice a year

8 3. Mission Information Security Protection Public Key Infrastructure(PKI) for user identification & authentication More than 32million people uses for e-trade, e-bank, stock exchange, public service, etc. Critical Information Infrastructure Protection 14 : 292 facilities are identified(99 are in private sector), 17 : targeting 400 facilities Information Security Product Evaluation CC Testing Facilities are evaluating against Common Criteria Information Security Management System(ISMS), G-ISMS 272 organizations received ISMS or G-ISMS Information Security Training & Education In-class, cyber range, on-line training on Financial security, Forensic, etc.

9 3. Mission Healthy Cyber Culture Run national campaign for healthy cyber culture Set up national association Established in August, 2010 With 65 organizations including the government, internet companies and private organizations Initiated campaign and signed a MOU for good replies for 100 days Korea Internet Star(KIS) Comprised of elementary and middle school students to lead healthy cyber culture Internet ethics education Educate teenagers, parents, teachers and children on internet ethics Produce and distribute Internet ethics B.I(Brand Identity) Develop and utilize character and logo song for Internet ethics to give impression on people

10 3. Mission Promote ICT Service Abroad Support ICT business to advance into the global market Global Market for Digital Convergence Roadshow, showcase, government consulting service Support ICT strategic items Items: Smart 4G, media contents, broadband, information protection, mobile TV, IPTV, etc ICT Expert Training Program (K-LINK: Korea-Global ICT Leaders Information Network) 12 courses, 330 trainees in 2013 Provide education for overseas experts (about 4,300 officials, 145 countries) since 1998 International conference and international organization activities WICS ITU-PP 14, Telecom World OECD World Bank

11 3. Mission 118 Call Center Run related to the Internet call center to provide consulting service Receive complaints and provide consulting service related to the Internet (hacking, virus, spam, PI disclosure) Q&A and counseling service for PI protection act Easy to remember, anytime/anywhere Call : free consulting service 24/7 the average number of call per day in 2011: 1,300 Website : Twitter & Facebook ID : kisa Illegal spam Personal information Hacking, virus Loss of certificate Others Connect to related agencies

12 Ⅱ. Certification Concept

13 1. Type of Certification Users C&C X DNS Internet ISP DDoS system At IX node ISMS Company PC Zombie PC Notebook Zombie Notebook Domain Security System ISP 6 Kr DNS ISP SME website Vul. Check for web site VoIP service provider 9개 VoIP service monitoring ISP Tablet PC Smart Phone Wireless network Security verification ISP DNS cyber shelter MC collection System Web hard, P2P App security system Mobile office, Cloud service provider ISMS Organization and companies CC Evaluation Information Security Products Professional Certification People Public Key Infrastructure Certificate Device and users

14 Ⅲ. Certification

15 1. ISMS - Objective Objective To secure stability in an information communications network and reliability of information by assessing the ISMS of a certain organization to determine whether or not it meets the certification criteria. Legal Background Created in 2001 and first certificate was issued in 2002 Until 2013, it was recommendation but became mandatory for companies sales over 10 million dollars a year or has one million visitors a day In 2014, 482 organizations and companies received certificates

16 1. ISMS - Definition Comprehensive system that ensures a consistent management and operation of information security, by putting proper procedures and processes in place. ㆍ Partialㆍ One time ㆍ Sporatic ㆍ Balanced ㆍ Sustained ㆍ Systematic <Security Level> <Security Level> Evaluated Level Evaluated Level Islanded Faci lity Equip ment Orga nizati on Doc. Policy Integrated Faci lity Equip ment Orga nizat ion Doc. Policy Without Management System With Management System

17 1. ISMS Who needs ISMS Bidding Companies participating in public or private bidding ISMS Major Assets Finance : Account, Transaction Info. Education : Student info. Medical : Diagnose Info. Communication : Customer info. Portal : Member info. Etc. : Industrial Tech. Info. External Audit Companies who needs IT management evaluation, credit evaluation or financial audit. Outsourcing Company Contracted companies to manage and operate customer s critical assets

18 1. ISMS - Criteria

19 1. ISMS - Procedure 1 certification application 2 pre-assessment and contract certification committee certification body 3 compose assessment team assessment team 4 certification assessment certification applicant 7 request to deliberate assessment result 6 certification assessment report 5 supplement deficiency 8 notify the deliberation result 9 issue certification

20 2. Information Security Product Evaluation - Overview Objective Gain global trust and reliability of IT security system Contribute to the realization of a sound information society Improve IT security level of national communication networks Improve international competitiveness of IT products Legal Background CC : Common Criteria for Information Technology Security Evaluation CEM : Common Evaluation Methodology for Information Technology Security CCRA : Arrangement on the Recognition of Common Criteria Certificates in the field of Information Technology Security

21 2. Information Security Product Evaluation - Overview Background Provide secure products, proven by 3 rd party, for the people to use to build safe and secure information society Evaluation Act of analyzing and testing of an IT product security against evaluation criteria using evaluation methodology Certification Act of oversight evaluation process and reviewing final evaluation report thus result in issuing certificate Accreditation Act of testing certified products in real environment and decide whether the product is suitable for operation or not

22 2. Information Security Product Evaluation Who needs CC Consumers - as a guide for the procurement of products with IT security features Product Developers and Integrators - as a basis for the development of products with IT security features Evaluators - as the basis for the evaluation of IT security products Auditors, Certifiers, Accreditors - to support their specific needs

23 2. Information Security Product Evaluation - Process Document Mission Phase 1 Definition SSAA Phase 2 Verification Regis tration Negotia tion No Agree ment Yes SSAA System Develop Revision Certi. Analysis Accept able ReanalysisNo Yes Ready For Eval. No Yes SSAA Phase 3 Validation SSAA Phase 4 Accreditation Eval & Cert. System Operation No Change Requir. Certify System Develop Recom. No Yes No Verifi cation Yes No Accredit ation Yes Yes 23

24 2. Information Security Product Evaluation - Process Apply for Validate Certification Maintain Evaluation Deliverables Board Certificate Review Validate TOE FR Issue Certificate Reevaluation deliverables Validate Register TOE in Sign Contract Vulnerability CL 24

25 2. Information Security Product Evaluation - CCRA 인증서발행국(CAP) : 17개국 ( 98) ( 98) ( 98) ( 98) ( 98) ( 99) ( 99) 미국 캐나다 영국 프랑스 독일 호주 뉴질랜드 ( 03) ( 06) ( 06) ( 06) ( 06) ( 08) ( 09) 일본 네덜란드 노르웨이 한국 스페인 스웨덴 이탈리아 ( 10) ( 11) ( 13) 터키 말레이시아 인도 인증서수용국(CCP) : 9개국 ( 00) ( 00) ( 00) ( 02) 그리스 핀란드 이스라엘 오스트리아 헝가리 ( 03) 체코 ( 04) ( 05) ( 06) ( 08) 싱가폴 덴마크 파키스탄 25

26 3. Information System Security Professional ISC2 (International Information System Security Certification Consortium) CAP Certified Authorization Professional CCFP Certified Cyber Forensics Professional CCSP Certified Cloud Security Professional CISSP Certified Information System Security Professional(#3) CCLP Certified Secure Software Lifecycle Professional HCISPP HealthCare Information Security and Privacy Practitioner SSCP Systems Security Certified Practitioner Information Security Professional National certification program

27 4. PKI Certificate Objective A system of digital certificates, Certificate Authorities, and other registration authorities that verify and authenticate the validity of each party involved in an Internet transaction. Security Services Threat Solution Root-CA Certificate Authority (CA) Authenticity Confidentiality Integrity Non-repudiation Unauthorized User Data Leakage Data Forgery Repudiation Digital Signature Encryption Digital Signature Digital Signature C Certificate R CRL Management Y T Operation O Management G Registration Authority (RA) R Registrarion A P Certificate Y Management P U B L I C K E Y Issue Revoke Renew Individual Corporation Server S/MiME

28 4. PKI Certificate u-authentication BIO OTP RFID/USN Environment Broadcasting Telecommunication Environment U-City Environment Certs. i-pin ID/Pass Internet Banking, Log-in SSL Server, ETC U-home Environment U-health Environment Human Device

29 4. PKI Certificate Framework

30 4. PKI Certificate Business Model(Banking)

31 4. PKI Certificate Business Model

32 4. PKI Certificate Oversea Cooperation

33 Conclusion and Q&A