University of Tasmania

A study on security level management model for information system

thesis
posted on 2023-05-26, 03:17 authored by Kim, TH
Efforts to protect information and information systems (IS) from threats are advancing in varied and systematic ways, and the case for building security countermeasures that take the characteristics of each IS into account is gaining strength. Satisfying the goals of information security does not require an excessive budget. It is certainly important to protect information and IS, but it is not desirable to build uniform security countermeasures regardless of their degree of importance. Depending on the purpose for which it is built or operated, one IS may be more important than another; even systems in the same office can differ in importance. In other words, some systems must be protected from an attack while others can be allowed to be compromised by the same attack. The strength of the security countermeasures should be matched to the degree of importance of the IS: for important systems, stronger countermeasures should be selected and stronger verification processes executed properly. Budget saved on IS of lower importance can be redirected to IS of higher importance. The most important factor is therefore the decision on the degree of importance of an IS. From here on, this degree of importance is called the required security level, or simply the security level. The strength of the security countermeasures is decided according to the selected security level, so countermeasures can be formed only after the security level has been decided. In this thesis, after analysing previous research results, the author proposes essential elements for the definition and management of the security level of an IS. Threats and assets are classified, an appropriate level is granted to each, and a weight is assigned to each level.
By summing these weights, the security level of an IS can be decided. Once the security level is decided, basic technical and non-technical requirements for security level management are proposed in detail; these list the items needed to ensure a basic security state of the IS. Level requirements that ensure the security level required for each IS are then proposed in detail. These level requirements are applied differently to the technical and non-technical parts: they are designed using a step model for technical areas and a continuous model for non-technical areas.

History

Publication status

  • Unpublished

Rights statement

Copyright 2011 the author

Repository Status

  • Open
