Developing a Framework for the Implementation of Evidence Collection System: Focusing on the Evaluation of Information Security Management in South Korea

Abstract

Recently, as evaluation of information security (IS) management become more diverse and complicated, the contents and procedure of the evidence to prepare for actual assessment are rapidly increasing. As a result, the actual assessment is a burden for both evaluation agencies and institutions receiving assessments. However, most of them reflect the evaluation system used by foreign government agencies, standard organizations, and commercial companies. It is necessary to consider the evaluation system suitable for the domestic environment instead of reflecting the overseas evaluation system as it is. The purpose of this study is as follows. First, we will present the problems of the existing information security assessment system and the improvement direction of the information security assessment system through analysis of existing information security assessment system. Second, it analyzes the technical guidance for information security testing and assessment and the evaluation of information security management in the Special Publication 800-115 'Technical Guide to Information Security Testing and Assessment' of the National Institute of Standards and Technology (NIST). Third, we will build a framework to implement the evidence collection system and present a system implementation method for the ‘6. Information System Security’ of ‘information security management actual condition evaluation index’. The implications of the framework development through this study are as follows. It can be expected that the security status of the enterprises will be improved by constructing the evidence collection system that can collect the collected evidence from the existing situation assessment. In addition, it is possible to systematically assess the actual status of information security through the establishment of the evidence collection system and to improve the efficiency of the evaluation. Therefore, the management system for evaluating the actual situation can reduce the work burden and improve the efficiency of evaluation.