Trends in Corporate Security and Personal Information Protection
1. Background and Purpose of Corporate Security
2. Personal Information Protection Act
3. Violation Cases
4. Scope of Security
5. Procedure for Establishing a Security Framework
Ⅱ. Current State of Technical Security Level (As-Is)
Ⅲ. Technical Measures for Corporate Security and Personal Information Protection (To-Be)
Ⅳ. Detailed Solution Plan (Draft) - (ISMS, PIMS)
1.1 UTM (Integrated Network Security System)
1.2 DLP (Data Loss Prevention)
1.3 DRM (Document Encryption)
1.4 DB Encryption
1.5 WIPS (Wireless Intrusion Prevention System)
1.6 EMM (Mobile Security)
1.7 Physical Security (Security Stickers, Security Seal Covers)
Ⅵ. Final Recommendations
Cyber Security 101: Training, awareness, strategies for small to medium sized... (Stephen Cobb)
I developed "Cyber Security 101: Training, awareness, strategies for small to medium sized business" for the second annual Small Business Summit on Security, Privacy, and Trust, co-hosted by ADP in New Jersey, October 2013.
This document summarizes a security awareness training presentation that covered topics such as why security training is important, 21st century security threats, PCI compliance, security objectives and challenges, data classification, and security responsibilities. It provided examples of security incidents, the costs of data breaches, PCI DSS requirements, and outlined the company's security framework including defenses, controls, and challenges around excessive data retention, vulnerable infrastructure, lack of documentation and logging.
This document provides an overview of information security awareness training from Mount Auburn Hospital. It covers protecting electronic protected health information at work and at home. Key points include understanding what PHI is and why security is important. It describes potential security threats like malware, social engineering, and data theft. Guidelines are provided for secure practices like strong passwords, email safety, and disposing of media properly. Tips for securing data at home involve using antivirus software, backups, and safe internet practices. The goal is to protect patient privacy and comply with HIPAA security requirements.
5 Steps to a Zero Trust Network - From Theory to Practice (AlgoSec)
A Zero Trust network abolishes the quaint idea of a “trusted” internal network demarcated by a corporate perimeter. Instead it advocates microperimeters of control and visibility around the enterprise’s most sensitive data assets and the ways in which the enterprise uses its data to achieve its business objectives.
In this webinar, guest speaker John Kindervag, Vice President and Principal Analyst at Forrester Research, and Nimmy Reichenberg, VP of Strategy at AlgoSec will explain why a Zero Trust network should be the foundation of your security strategy, and present best practices to help companies achieve a Zero Trust state.
The webinar will cover:
• What is a Zero Trust network, and why it should be a core component of your threat detection and response strategy
• Turning theory into practice: Five steps to achieve Zero Trust information security
• How security policy management can help you define and enforce a Zero Trust network
If you don't already have a security training program, this presentation is a great tool for a new hire orientation or company-wide meeting. It includes all of our top 10 tips, plus examples of relevant news stories to drive home the point. You can customize it to include your own tips or insert individual slides in other presentations.
Download a customizable PPT here: www.sophos.com/staysafe
This document provides an overview of security awareness training from the University of Memphis' ITS department. It covers topics like password security, email security, safe browsing, ransomware, privacy, data encryption, mobile security, and two-factor authentication. University policies on data access and security are also referenced. Reporting security incidents and additional resources are outlined. The training emphasizes that technology can only address some risks and that users are the primary targets of hackers seeking access to systems and data.
The document discusses the benefits of exercise for mental health. Regular physical activity can help reduce anxiety and depression and improve mood and cognitive function. Exercise causes chemical changes in the brain that may help protect against mental illness and improve symptoms for those who already suffer from conditions like anxiety and depression.
This document provides an overview of threat hunting using Splunk. It begins with an introduction to threat hunting and why it is important. The presentation then discusses key building blocks for driving threat hunting maturity, including search and visualization, data enrichment, ingesting data sources, and applying machine learning. It provides examples of internal data sources that can be used for hunting like IP addresses, network artifacts, DNS, and endpoint data. The presentation demonstrates hunting using the Microsoft Sysmon endpoint agent, walking through an example attack scenario matching the Cyber Kill Chain framework. It shows how to investigate a potential compromise by searching across web, DNS, proxy, firewall, and endpoint data in Splunk to trace suspicious activity back to a specific user.
How to Hunt for Lateral Movement on Your Network (Sqrrl)
The document discusses threat hunting for lateral movement. It begins with an overview of lateral movement, describing it as techniques attackers use to access and control systems within a network. It then covers the lateral movement process, including initial compromise, reconnaissance, credential theft, and lateral movement events. The document demonstrates Sqrrl's lateral movement detectors, which use data science techniques like graph analysis and machine learning to detect lateral movement in network data. It discusses building a lateral movement detector by aligning it with TTPs, using classifiers to rank events, and implementing it at scale in Spark.
Information Security Awareness, Petronas Marketing Sudan (Ahmed Musaad)
A two-hour security awareness session that I presented for Petronas Marketing Sudan employees. The session includes, but is not limited to, topics such as passwords, email security, social network security, physical security, and laptop security.
You can use this as an introductory session for your security awareness training, but not as a sufficient one time session at all.
Your comments, feedback, and suggestions are much appreciated.
This document provides an overview of security awareness training at the University of Memphis. It discusses how individuals are now primary targets of hackers and the importance of security basics like strong passwords, email security, safe browsing, and data protection. Specific threats covered include phishing, malware, email spoofing, and ransomware. The document provides best practices for securing accounts, devices, and data through policies, encryption, software updates, and secure storage of sensitive information.
This document provides an overview of privilege escalation techniques. It begins with an introduction to the speaker and defines vertical privilege escalation as moving from a lower privilege user to a higher privilege user. It then covers common privilege escalation vectors for both Linux and Windows systems, such as exploiting kernel vulnerabilities, weak passwords, sudo misconfigurations, vulnerable services, and file permission issues. Specific techniques discussed include dirty cow, password cracking, escaping restricted shells, abusing cron jobs and SUID files. The document emphasizes that credentials are often found in insecure configurations, backup files, logs and other unprotected locations.
The document discusses the OS Credential Dumping technique used by attackers to obtain login and password information from the Local Security Authority Subsystem Service (LSASS) process memory. It describes three main methods attackers use - dumping LSASS memory using Windows Task Manager, ProcDump tool, or Comsvcs.dll. Detection rules are provided to monitor for these activities in Splunk, including monitoring for dumping files, ProcDump and Comsvcs.dll execution, and LSASS process access. Finally, it mentions attackers can use Mimikatz to extract passwords from the dumped LSASS memory files.
SIEM: Security Information and Event Management (SHRIYARAI4)
SIEM refers to security information and event management. It collects, aggregates, normalizes, and analyzes log and event data according to preset rules and presents it in a human readable format. This allows IT security teams to filter through large amounts of network traffic and log data to detect threats and ensure compliance. A SIEM system performs functions like collection, aggregation, parsing, normalization, categorization, enrichment, indexing, and storage of log files to facilitate analysis and alert security professionals of suspicious activities.
The document provides information on information security awareness and basic training. It covers topics such as why information security is important, data classification, the 90/10 rule of security, phishing, email attachments, spam, passwords, malware, internet safety, public Wi-Fi, IoT devices, HTTPS, web content filtering, and search engine safety. The document provides tips and explanations for each topic to help improve user security practices.
This document provides an overview of network security concepts. It discusses the importance of protecting information assets as the most valuable company assets. It then covers key network security topics like the CIA triad of confidentiality, integrity and availability. It defines threats at both the network and application levels, and discusses how to overcome threats through policies, user awareness training, and security technologies like firewalls, IDS/IPS, antivirus software, VPNs, spam filters and web content filtering. The document aims to educate about network threats and appropriate security controls and protections.
Security Incident Event Management
Real time monitoring of Servers, Network Devices.
Correlation of Events
Analysis and reporting of Security Incidents.
Threat Intelligence
Long term storage
SIEM systems provide security event monitoring and log management by collecting security data from across an organization's network and systems. The first SIEM was developed in 1996 and major players today include IBM QRadar, HP ArcSight, and McAfee Nitro. SIEMs aggregate logs from various sources, use correlation engines to identify related security events, and generate alerts when multiple events indicate a higher risk threat. They provide visibility across an organization's security infrastructure and help with compliance, operations, and forensic investigations. SIEM is important for threat detection, compliance, and gaining insights from security event data.
A Zero Trust approach should extend throughout the entire digital estate and serve as an integrated security philosophy and end-to-end strategy.
Identities. Identities, whether they represent people, services, or IoT devices, define the Zero Trust control plane. When an identity attempts to access a resource, we need to verify that identity with strong authentication, ensure the access is compliant and typical for that identity, and confirm that it follows least-privilege access principles.
Devices. Once an identity has been granted access to a resource, data can flow to a variety of different devices: from IoT devices to smartphones, BYOD to partner-managed devices, and on-premises workloads to cloud-hosted servers. This diversity creates a massive attack surface, requiring that we monitor and enforce device health and compliance for secure access.
Applications. Applications and APIs provide the interface by which data is consumed. They may be legacy on-premises applications, workloads lifted and shifted to the cloud, or modern SaaS applications. Controls and technologies should be applied to discover shadow IT, ensure appropriate in-app permissions, gate access based on real-time analytics, monitor for abnormal behavior, control user actions, and validate secure configuration options.
Data. Ultimately, security teams are focused on protecting data. Where possible, data should remain safe even if it leaves the devices, apps, infrastructure, and networks the organization controls. Data should be classified, labeled, and encrypted, and access should be restricted based on those attributes.
Infrastructure. Infrastructure (whether on-premises servers, cloud-based VMs, containers, or microservices) represents a critical threat vector. Assess version, configuration, and JIT access to harden defenses; use telemetry to detect attacks and anomalies; and automatically block and flag risky behavior and take protective actions.
Networks. All data is ultimately accessed over network infrastructure. Networking controls can provide critical “in-pipe” controls to enhance visibility and help prevent attackers from moving laterally across the network. Networks should be segmented (including deeper in-network micro-segmentation), and real-time threat protection, end-to-end encryption, monitoring, and analytics should be employed.
Each of these six foundational elements serves as a source of signal, a control plane for enforcement, and a critical resource to defend. You should spread your investments appropriately across each of these elements for maximum protection.
This webinar covered the importance of security awareness education for employees. It discussed how human error is the primary security risk for most companies and how training employees can help reduce that risk. The webinar provided an overview of the key elements of a security awareness program, including content, delivery methods, and reinforcement strategies. It also reviewed the benefits of implementing a program, such as a potential seven-fold return on investment, and the typical costs involved, which range from $10-14 per user per year. The presentation recommended that security awareness education be one part of a company's overall security strategy.
Monitoring solution for all actions in enterprises (lunchNtouch)
Monitoring solution for all actions in enterprises
You can also check it on the sales sharing site "www.lunchntouch.com"
If you want a brochure in your language,
send an e-mail to the address below without hesitation!
(English, Chinese, Japanese, French, Portuguese, Spanish, etc.)
Import & export discussion welcome, too!
Thank you for your touch!
E-mail address: yun@lunchntouch.com
"We can make a happy place for small business! Let's do it!!"
= Lunch N Touch =
Presentation material delivered by Kim Kyung-hwan (김경환), managing attorney at the law firm Minwho (법무법인 민후), on the 19th at the '2019 Strategy Seminar on In-House Trade Secret Management for Small and Mid-sized Enterprises', hosted by the Korean Intellectual Property Office and organized by the Korea Intellectual Property Protection Agency.
It covers in detail the current state of technology protection in Korea, the damage caused by technology leakage, technology management measures, and the remedies available in the event of technology leakage.
[2013 CodeEngn Conference 09] Kim Hong-jin (김홍진) - Understanding Security Consulting and the BoB Security Consulting Internship (GangSeok Lee)
2013 CodeEngn Conference 09
This talk looks at security consulting, which analyzes a company's security vulnerabilities and proposes countermeasures. It also introduces the security consulting internship program run by BoB to train security consultants.
http://codeengn.com/conference/09
http://codeengn.com/conference/archive
2. Concept and Types of Security
Concept of Security
► A right that only authorized persons may enjoy
► The minimum means for protecting what is valuable
► An obligation that everyone must uphold with care
3. Definition and Classification of Security
Types of Security
a. Administrative security: security policies, guidelines and procedures, penalties
b. Technical security: firewalls, antivirus software
c. Physical security: access control systems, CCTV, security guards
4. Purpose of Security Management
Significance of security
Protecting important information assets from threats such as misuse, damage, alteration, and leakage of those assets by employees and external personnel
Activities to prevent the damage that arises when company and client information is compromised
(There is a small business that suffered 1.02 billion KRW in damage from a single incident)
What information assets are
Everything of value, tangible or intangible, that the company holds and operates, including databases and data files, software assets, physical assets, people, services, company image and reputation, trade secret data, personal information, and so on
Client information assets: information assets generated or acquired while working on-site at a client
5. Security Regulations
Key Contents
<Security Regulations, Chapter 7, Article 19>: Types of security incidents
Theft, loss, damage, leakage, alteration, or destruction of company or client information assets: voluntary violation
Compromise by malicious software (viruses, backdoors, Trojan horses, Back Orifice, etc.): involuntary violation
Unauthorized hacking attempts from inside or outside: involuntary violation
Other violations of client security requirements: voluntary violation
※ In the case of an involuntary violation, the key issue is how much effort the individual made to prevent the security incident
<Security Regulations, Chapter 7, Article 22>: Procedure for handling a security incident
When a security incident occurs, report it verbally and without delay to your security officer (team leader) and the security manager (division head/group head)
Take initial action as instructed by the security manager, then write a security incident report and submit it to the security manager
The security manager establishes recurrence prevention measures, supplements the incident report with them, and reports to the CEO
The Personnel Committee decides whether disciplinary action is taken
6. Writing the Security Pledge
INFINIQ (인피닉) employees write the following security pledge upon joining the company, thereby raising their own awareness of security and confirming their obligation to comply with security requirements.
7. Security Regulations
<Security Regulations, Chapter 2, Article 6, Paragraph 15>: Scope of responsibility when a security incident occurs
The individual bears responsibility for all damages suffered by the company and its clients as a result of a security incident caused by his or her own fault. The scope of responsibility includes, in addition to compensation and recovery, civil and criminal liability under applicable laws and disciplinary action under the partner company's relevant regulations.
Responsibility for security incidents
In accordance with the relevant provisions of the <Rules of Employment>, anyone who unlawfully discloses confidential company information or violates the company's security regulations or a client's security requirements is subject to the following disciplinary actions, as determined by the Personnel Committee.
Verbal warning: warning and a written statement of explanation required
Reprimand: written warning and a written statement of explanation required
Salary reduction: reduced pay for a set period
Suspension: barred from work for up to 6 months (unpaid during the suspension)
Demotion: lowering of position or grade and salary reduction
Standby assignment: waiting at a designated place within the company or barred from work (only base pay during the standby period)
Disciplinary dismissal
8. Security Incident Cases
▣ Date: November 2009
▣ Summary: Posted about a client's product under development on a personal blog
▣ Details: Exposed product information about a client model under development, together with personal opinions, for about 10 days on a website café the employee used personally
▣ Client response: Immediately deleted the contents of the personal blog, submitted a formal recurrence-prevention letter to the client, and promised to prepare recurrence prevention measures
▣ Follow-up: Removed from the project; disciplinary action (2 weeks of probation)
▣ Date: March 2010
▣ Summary: Unauthorized removal of storage media (USB)
▣ Details: While attending a collaboration meeting at the client, the employee was unaware of a personally carried USB memory stick; it was found during the security screening on exit, and the employee's access was restricted
▣ Client response: Submitted a written explanation from the business unit; access restriction lifted after approval by the security department
▣ Follow-up: Submitted a written statement of explanation
9. Security Incident Cases
▣ Date: November 2010
▣ Summary: Client internal documents leaked externally via email
▣ Details: While using a separately installed dual OS without authorization for work convenience (not reported to the client / no security software installed), client data was leaked externally as a result of hacking or malicious code
▣ Client response: Permanently deleted the employee's leaked personal email; wrote an incident report; conducted recurrence prevention training
▣ Follow-up: Excluded from project assignment; internal disciplinary action
▣ Date: September 2013
▣ Summary: Photos of test samples leaked to the web
▣ Details: During a test that involved photographing samples, the photo files were automatically uploaded to the test phone's Google account and leaked to the web
▣ Client response: Reduced the company's security score and demanded recurrence prevention measures
▣ Follow-up: Conducted group security training; internal disciplinary action
10. Security Incident Cases
▣ Date: September 2013
▣ Summary: Careless management of test samples
▣ Cause: Test samples were left unattended at desks when employees stepped away or left for the day, or were moved outside the work area; the client discovered this and raised the issue
▣ Client response: HR warnings to the persons involved and the person responsible
▣ Follow-up: Installed holders for storing test samples at every desk
▣ Date: August 2013
▣ Summary: While briefly showing a development sample to explain it to another person, the employee stepped away for a moment (restroom); in that interval the other person photographed the sample without permission and distributed the photos, and leaked shipment-volume information and specifications obtained from related personnel
▣ Cause: The complacent assumption that leaving the sample unattended for a moment would be fine
▣ Client response: Requested the resignation of the person who caused the incident
▣ Follow-up: Requested deletion of the posts; the person who caused the incident left the company
11. Security Incident Cases
▣ Date: 2014
▣ Summary: Benchmark Tool
▣ Cause: Use of a Benchmark Tool with lax security caused the product's spec information to be automatically uploaded to the web
▣ Client response: HR warnings to the persons involved and the person responsible
▣ Follow-up: Prohibited the use of unauthorized Benchmark Tools
12. Security Incident Prevention Methods
Physical prevention
Always destroy important documents using a shredder
Familiarize yourself with the security regulations and the client's security requirements
Proactively ask your supervisor about the contents and procedures you need to know for security
Do not boast to others about information obtained through work
Do not take videos or photos of facilities in the client's work area with a personal phone or camera
Do not upload photos or related information at your own discretion, even when needed for work
Do not bring in or take out unapproved storage media (mobile phones, MP3 players, digital cameras, gaming devices, USB drives, SD cards, etc.)
Do not access websites that the client prohibits
Do not use messengers that the client does not allow
Do not leave a product under test unattended without a locking device, even when stepping away briefly
13. Security Incident Prevention Methods
Technical prevention
Always set a password on work PCs
Install an antivirus program (install a publicly available program so as not to violate the software management regulations)
Do not use P2P sites
Delete spam mail immediately