The Fourth Industrial Revolution and the Outlook for Industrial Security
(Professor Jang Hang-bae, Department of Industrial Security, Chung-Ang University)
The future industrial-convergence environment and the direction of security
The traditional "control" mindset of information security cannot keep pace with technological and behavioural change, resulting in policies and technologies that provoke pushback and impede agility.
A new approach is required, one that recognises how the relationships between IT, the business and individuals have been transformed irrevocably.
People-centric security (PCS) is a strategy that represents an alternative to conventional information security practice. PCS aims to strike a balance between risk reduction and employee agility.
Rather than coercive, prevention-centred control, this approach emphasises assigning responsibility and authority on the basis of trust in employees, raising security awareness and competence through training, and at the same time rapidly detecting and responding to anomalies through continuous monitoring.
[Reference]
People-Centric Security: Transforming Your Enterprise Security Culture
People Centric Security deals with the understanding, measuring and transformation of the security culture of an enterprise organisation. It is written in three distinct parts. The book starts by asserting that the world of IT is in a state of crisis brought about by data breaches leading to major security incidents.
Recognising that society has undergone a major culture shift brought about by adopting networked digital technology, the author claims that what is required to deal with these cultural changes is to furnish the individuals responsible for information security with a new set of concepts and techniques.
The book considers that a people-centric approach to security is not just simply addressing the threat brought about by humans in the operation of IT and designing procedures to cope with problems that may arise. An effective approach needs to go much further, looking beyond the organisation's immediate security needs to embrace the design of systems that put people at the centre. The author then considers cultural threats and risks in some considerable detail in order to round off part I.
Part II covers the measurement of security culture. It asserts that in any organisation there are multiple competing cultures each reflecting local values and priorities. It is highly unlikely that everyone in the organisation is sharing the same beliefs and assumptions regarding how security should and does work.
The author proposes a framework on how best to interpret and compare cultures. Tools are provided to allow the reader to survey and unravel cultures along with mapping techniques to allow them to be displayed and communicated diagrammatically. On the author’s own admission, this part is a fairly intense section of the book.
The steps and the work necessary to transform a security culture are the subject of part III. A FORCE behaviour model is proposed for the implementation of people-centric security. The origins of the model are first discussed along with its five core values and applicable metrics. The book concludes by considering at length, amongst other things, the security value of failure, resilience and expertise.
The book is likely to appeal to a fairly narrow readership amongst project managers and IT culture-orientated specialists who are possibly seeking an alternative approach to the more traditional way in which culture is dealt with within organisations.
I award the book five out of ten in terms of its readability and value for money.
Further information: McGraw Hill
January 2016
Consulting: ISMS-P, ISO27001, GDPR, PCI-DSS
Vulnerability assessment and penetration testing
Personal-data de-identification solutions
Security solution supply
070-7867-3721, ismsbok@gmail.com