ö̾ ô αװ
Posted: 2008-12-02
Views: 11,631
By Anton Chuvakin, Loglogic
Computerworld, July 16, 2007
ղ ħ Ǵ ο , ߿伺 ָϱ⡱ κ ITȰ , ɵ , ⼭ ϰ ֳ? ϴ ٲپ ϴ. IT ý , ߿ϰԴ, Ϳ ϴ ϵ ϱ α鿡 Ǹ ִ.
α ſ ӵ - ָ - IT Ȱ û ָ鼭 ҽκ ȴ. ǵ Ϸ Ҹ ִ ͺ̽ Ѵٸ, , , Ǵ ֵ ִ Ȱ αװ ̴. α״ ǰ ִ Ǵϴ ڵ θ ϴµ ִ ν() Ѵ.
α ϸ 鿡 ̵ ڵ. װ͵ Ȳ ν ϰ ȿ 縦 ϵ ƴ ο Ȯϰ ϵ ´. ϻ α ɵ м ذϴµ Ӹ ƴ϶ , å , Ȱ ̰͵ Ŀ ĺ ϴµ ſ ϴ.
αװ , α м Ϲ Ⱦ best practice ƴϴ. , ټ ؾ Ѵ١ ؾ߸ Ѵ١ α ϸ鼭 Ȯϰ α , , 並 䱸ϰ ִ. Ϻδ α NIST SP(National Institute of Standards and Technology Computer Security Special Publications) ϰ ִ.
翡, (FISMA,HIPAA,PCI-DSS) ġ ƶ ߴ. 3 α Ӹ ƴ϶ ϵ 䱸Կ α ģ.
The Federal Information Security Management Act of 2002 (FISMA)
̵ documentation̰ FISMA Ѵ ص, ڻ ϴ ý ȣϱ α , ȭ, ؾ ʿ伺 Ѵ. [NIST SP 800-53, Recommended Security Controls for Federal Information Systems] ϵ , , ȣ 쿡 ߰ ġ α ϰ ִ.
[NIST 800-92, Guide to Computer Security Log Management] FISMA ö̾ ȭϱ µ, α ϰ ִ. ̰ α , м, 鿡 α ʿ伺 ̰ ȿ α ϴ ϰ ִ.
NIST 800-92 ٸ ҽκ ٸ α мϴ Ͱ α ε Ұ å Ȯϰ ϴ ߿伺 ִ. Section 4.2 α ȣӸ ƴ϶ α , , ó Ͽ α ϰ α ϱ å 䱸( 鿡 ) Ȯ ʿ伺 ϰ ִ.
HIPAA
1996 The Health Insurance Portability and Accountability Act(HIPAA-̱ Ƿ ȣ) Ƿ ǥ Ѵ. [NIST SP 800-66, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act Security Rule] ںȣ Ƿ ȣϱ α ٷ. NIST 800-66 Section 4.1 α, Ʈ, Ʈ ý Ȱ ʿ伺 ٷ. Section 4.22 Ȱ ּ 6Ⱓ Ǿ ʿ䰡 ϰ ִ.
α ִ ʾ, Ϻ ٸ Ͻ ŭ α ϴ ϰ ִ. Appendix A ý Ȱ ݰ 뼺 ߰ ϱ ǽð ý α мϴµ ִ θ Ͽ α õ پ ϵ ݷϰ ִ.
PCI-DSS
ſī ŷ ٷ 鿡 Ǵ The Payment Card Industry Data Security Standard(PCI-DSS) ſī , ó Ǵ ϴ ȸ ſī , ŷ ٸ õ ȣϱ α α ǹȭߴ.
α PCI ǿ Ÿ ִ ݸ, PCI DSS α α Requirement 10 ϰ ִ. ǿ ϸ, ý ҵ α Ǿ ϰ, α ħŽ ý, authentication, authorization accounting protocol server ɵ ϴ ؾ Ѵ.
Դٰ, PCI-DSS ϴ α Ͱ ٴ Ȯϵ, α鿡 Ἲ Ž Ʈ ν α Ἲ Ȯؾ Ѵ. ֿ Ե ý۵κ α ּ 1Ⱓ Ǿ Ѵ.
ռ 3 Ȯϱ , α ɷ 䱸ϴ پ ִ. , California Bill 1386 ȭ Ǵ 㰡ִ (state) ó, Ǵ ü ħػ ΰ ȹ ȣȭ ĶϾ ֹε鿡 ϵ 䱸ϰ ִ.
IT Ȱ ϵ ϴ α , , ħذ Ͽ° ϴ ּ ̴. Ƿ α Ͱ Ǿ Ǵ Ǿ°, 뺸 ʿ ֳ ϴ ּ ̴.
αװ ġ ִ ö̾ ô ֿ αװ ǰ ƴ϶ 䱸 ߴ ̰, ȭ Ȯ 鿡 鿡 Ǿ. α ߿ϸ, FISMA, HIPAA PCI-DSS ֿ 鿡 Ȯϰ Ե αװ Ȱ ʿ伺Ӹ ƴ϶ ȿ ٽ ΰǴ ƴ ̶ ̴.