정보시스템 위험분석을 위한 분류와 평가기준체계 조사

[1] ISO/IEC TR 13335, 1부, “IT보안 개념 및 모델”(1996), 2부 “보안관리 및 계획”(1997).
[2] ISO/IEC TR 13335, 3부, “IT 보안관리 지침”(1998), 5부, “네트워크 연결관리 지침”(2000).
[3] British Standards Institution(BSI), “BS-7799”, 1999.
[4] Bundesamt fur Sicherheit in der Informationstechnik), `IT Baseline Protect Manual`, - Standard security safeguards, http://www.bsi.bund.de/gshb/english/menue.htm
[5] SSE-CMM, “Project, Systems Security Engineering Capability Maturity Model (SSE-CMM) - Model Description Document”, V.2, http://www.sse-cmm.org, 1999. 4. 1.
[6] 정보통신부, “전산망 보안을 위한 위험관리 지침서”, KICO.KO-10.0047, 1995.12.
[7] 이강수, “선진국 정보보호시스템의 평가제도에 관한 연구”, KISA 보고서, 1998. 3.
[8] 이강신, 김학범, 이홍섭, “국내외 정보보호 모델에 관한 연구”, 정보보호학회지, 11-3, 2001.6
[9] S. Vallabhaneni, “Auditing Computer Security- A Manual with Case Studies”, 1989.
[10] ISO/IEC 14598-1, “IT-Software product evaluation, Part 1. General overview”, 1997. 3.
[11] FIPS-65, “Guidelines for Automatic Data Processing Risk Analysis”, NIST, 1975 (Aug. 1995에 폐지됨).
[12] FIPS-191, “Specifications for Guideline for The Analysis Local Area Network Security”, NIST, Nov. 1994.
[13] NIST, “Risk Management Guide for Information Technology Systems”, NIST-SP-800-30, 2001.10.
[14] NISTIR-4387, “Simplified Risk Analysis Guideline”, NIST, 1990.
[15] NISTIR-4325, “Simplified Risk Analysis Guideline”, NIST, 1990.
[16] GAO, “Information Security Risk Assessment - Practices of Leading Organizations”, - Case Study 1, GAO/AIMD-00-33, 1999. 11.
[17] GAO, “Information Security Risk Assessment - Practices of Leading Organizations”, - Case Study 3, GAO/AIMD-00-33, 1999. 11.
[18] CSE, “A Guide to Security Risk Management for IT Systems”, Government of Canada, Communications Security Establishment(CSE)”, 1996.
[19] TTAS, “공공정보시스템 보안을 위한 위험분석 표준 - 개념과 모델”, TTAS.KO-12.007, 1998. 11.
[20] OCTAVE, “OCATVE Criteria, Version 2.0”, Carnegie Mellon Software Engineering Institute(2001. 12), OCATVE Method Implementation Guide Version 2.0, OCTAVE, 2001. 6, http://www.sei.cmu.edu/ publications/ pubweb.html.
[21] CRAMM, “A Practitioner`s View of CRAMM”, http://www.gammassl.co.uk/.
[22] 김기윤, 나관식, 김종석, “보안관리를 위한 위협, 자산, 취약성의 분류 체계”, 정보보호학회지, 6권 1호, 1995. 6.
[23] Will Ozier, “Risk Analysis and Assessment”, Information Security Management Handbook (4‘th Ed.), CRC Press, 2000.
[24] C. Hamilton, “Data-driven Security: How to Target, Focus and Justify the Security Program”, 28`th Annual Computer Security Conference & Exhibition, 2001.
[25] “시만텍사의 Expert 4.1 소개”, 1회 서울정보보안기술 국제컨퍼런스, 2000년 11월.
[26] 김정덕 (외), “위험 분석 도구 기초기술 개발에 관한 연구”, ETRI 연구보고서, 2001.
[27] 송관호(외), “정보시스템 보안을 위한 위험분석 소프트웨어 개발” 한국전산원 연구보고서, 1997. 12.
[28] J. Freeman, et al., “Risk Assessment for Large Heterogeneous Systems”, 13`rd Computer Application Conference, 1997.
[29] R. Craft, et al., “An Open Framework for Risk Management”, 21`st National Information System Security Conference, 1998.
[30] ISO/IEC 14598-5, “IT-Software product evaluation, Part 5. Process for evaluation”, 1997. 12.
[31] ISO/IEC 14598-6, “IT-Software product evaluation, Part 6. Documentation for evaluation modules, 1997. 3.
[32] ISO/IEC-9126 “IT-Software product evaluation -Quality characteristics and guidelines for their use, 1991. 12. 15.
[33] B. Boehm, “Software Engineering Economics”, Prentice-Hall, 1981.
[34] ｢소프트웨어사업대가의 기준(2001)｣, 정보통신부, 2001.
[35] Barry Boehm, et al., “COCOMO 2.0 Software Cost Estimation Model”, International Society of Parametric Analysts, May 1995, http://sunset.usc.edu/research/COCOMOII /index.html.
[36] CC, “Common Criteria for Information Technology Security Evaluation”, Version 2.1, CCIMB-99-031, August 1999, http://www. commoncriteria.org/site_index.html.
[37] CEM, “Common Evaluation Methodology”, Version 1.0, CEM-99/045, August 1999, http://www.commoncriteria.org/site_index.html
[38] European Community, “Information Technology Security Evaluation Criteria (ITSEC)”, Ver. 1.2, June 1991. http://www.cesg. gov.uk/assurance/iacs/ itsec/index.htm
[39] European Community, “Information Technology Security Evaluation Criteria (ITSEM)”, Ver. 1.0, 1993. http://www.cesg.gov. uk/assurance/iacs/ itsec/index.htm
[40] DoD, “Department of Defense Trusted Computer System Evaluation Criteria (TCSEC)”, Dec. 1985.
[41] Canadian System Security Centre, “The Canadian Trusted Computer Product Evaluation Criteria (CTCPEC)”, Ver.3e, Jan. 1993.
[42] “정보통신망 침입차단시스템 평가기준·평가지침서”, 정보통신부고시 1998-19호, 정보통신부, 1998.
[43] M. Swanson, “Security Self-Assessment Guide for Information Technology Systems”, NIST- SP-800-26, NIST, IT보안평가, 2001.11.
[44] G. Stonebumer, et al., “Risk Management Guide for Information Technology System”, NIST- SP-800-30, NIST, 2002.1.
[45] CIAO/VAF, “Vulnerability Assessment Framework 1.1”, Critical Infrastructure Assurance Office(CIAO), 1999.10.
[46] D. Peeples, “The Foundations of Risk Management”, 20`th National Information Security Conference, 1997.5.
[47] M. Timms, “A Practical Approach to Risk Assessment”, Compsec Computer Security Conference`90, 1990. 10.
[48] Z. Ruthber et al., “Guide to Auditing for Controls and Security: A System Development Lifecycle Approach”, NBS Special Publication 500-153, 1998.4.
[49] A. Finkelstein et al. (ed.), “Software Process Modeling and Technology”, John Wiley&Sons, 1994.
[50] A. Furretta, A. Wolf, (ed.), “Software Process”, John Wiley&Sons, 1996.
[51] W. Royce, “Software Project Management - Unified Framework”, Addison Wesley, 1998.
[52] 이병만, 윤정원, 박승규, “정보시스템 위험분석 모델에 관한 연구`, WISC-97, 1997.
[53] CVE, “Common Vulnerability and Exposure”, NIST, http://www.cve.mitre.org/cve/.