6
, ,
,
,
-
6: , ,
Creative Commons Attribution 3.0 License
.
http://creativecommons.org/licenses/by/3.0/ .
,
- .
- ,
, , ,
.
, -
.
- - - .
: , 3- , ,
7-50 -, -, ,
: +82 32 245 1700002
: +82 32 245 7712
-: info@unapcict.org
: http://www.unapcict.org
Copyright UN-APCICT 2009
ISBN: 978-89-955886-4-2 [94560]
,
:
., -
:
., -
., -
., -
., -
., -
., -
., -
., -
., ,
21
, .
, ,
,
.
, ,
.
,
. -
,
1.4 . 2008
. 40 ,
39
.
,
. WSIS
// 2003
,
.
25
100 10 ,
100 80
.
, - ,
- -
, , ,
, , ,
.
- ....
, ,
, .... .
- ,
.
- -
- .
8 -
, , ,
.
6 , ,
- - - - ,
5 . - ,
, , ,
, ,
, . - ,
, ,
- , - -
, ,
,
,
-
.
-
- ,
-
,
. ,
.
- -
20 ,
, ,
,
,
- - -
,
; -
.
,
,
.
8 ,
, -
. - -
8
.
,
, , ,
.
, .
- -
.
,
,
. ,
,
, ,
,
, ,
.
6 , ,
8 ,
,
, .
, , ,
,
. ,
,
,
- -
.
,
. ,
, ,
.
, ,
- ,
, -
.
-
- -
,
.
,
,
.
- .
,
- .
-
, .
-
,
.
- ,
. ,
- ,
,
, .
, ,
- -
- - . :
1. -
,
2. - ,
,
3. , -
.
-
. -
,
.
, .
.
,
.
, .
6 , ,
,
.
, ,
.
. ,
.
,
-
. -
, .
(AVA - http://www.unapcict.org/academy)
Power Point .
, (APCICT) -
,
e-Collaborative Hub for ICTD (e-Co Hub - http://www.unapcict.org/ecohub)- .
-
,
.
6
,
.
,
,
.
. :
1. ,
;
2.
;
3.
;
4.
.
.
:
1. ,
;
2. ;
3.
;
4.
.
6 , ,
....................................................................................................... 3
....................................................................................................... 5
.............................................................................. 7
6 .................................................................................................... 9
......................................................................................................9
............................................................................................9
.......................................................................................11
.......................................................................................................11
................................................................................................ 12
.................................................................................... 13
1. ............................. 15
1.1 ......................................15
1.2 .......................19
2. ..........23
2.1 .............................23
2.2 ......................................26
2.3 .............................................................................30
3. ...................35
3.1 .........................35
3.2 .....................43
4. ................................49
4.1 ............................................................49
4.2 ..............................................56
5. .............................................61
5.1 ...................................................................................61
5.2 ...................................................................62
5.3 (PIA) ...................................................68
6.
..................................... 73
6.1 - ...........................................................73
6.2 - .................................................................................83
6.3 - .....................................................................................84
7. .............87
7.1 ...........................................88
7.2 ..................................90
7.3 , ........................................................................98
7.4 .........................103
10
.................................................................................................104
...............................................................................................104
..................................................................106
...................................................................................................107
- (KISA)- ...................108
1.
2.
3.
4.
5.
- 1.25
23
24
25
26
29
1. 4R
2.
3.
4.
5.
6. -
7. ISO/IEC 27001-
8. ---
9.
10. /
11. BS7799
12.
13. -
14.
15.
16.
17.
18.
19.
20. ,
21.
22.
23.
17
18
19
28
32
39
48
50
55
56
57
58
58
74
74
75
76
76
87
89
91
93
99
1.
16
2. 20
3. 2007
30
4.
,
42
5. ISO/IEC 27001-
49
6. ,
51
7.
53
8.
54
9.
59
10.
69
11.
70
12.
82
13. -
85
14.
96
15.
96
16. -
97
17. -
97
18.
99
19. ,
100
20.
101
21. ,
101
22.
102
APCERT Team-
()
APCICT -
()
APEC ()
BPM Manual- ()
BSI
BSI - ()
CC ()
CCRA ()
CECC ()
CERT ()
CERT/CC (/)
CIIP ()
CISA ()
CISSP ()
CM ()
CSEA ()
CSIRT ()
DoS ()
ECPA ()
EGC ()
ENISA , ()
ERM ()
ESCAP , , ()
ESM ()
FEMA ()
FIRST , ()
FISMA ()
FOI ()
ICTD , ()
IDS ()
IGF ()
IPS ()
ISACA , ()
ISMS ()
ISP/NSP ,
IT ()
ITU ()
ITU-D (-)
ITU-R (-)
ITU-T (-)
KISA ()
MIC - ()
NIS , ()
NISC ()
NIST - , ()
OECD , ()
OMB - , ()
OTP
PP ()
PSG ()
RFID ()
SAC ()
SFR ()
SME , ()
ST ()
TEL , ()
TOE ()
WPISP , ()
WSIS ()
1.
:
;
, () . ,
(hacking), ,
. ,
.
, ,
.
1.1
?
, .
. -
, ,
.
.
. IS/IEC 27001-
.
, .
.
. , ,
,
.
. ,
. 1-
.
1.
(
)
1-
. .
,
.
. , ,
.
2- .
. :
- -
, ,
.
-
. , -
,
.
, -
/
. ,
.
.
- /
.
.
.
?
.
,
.
4R
4R (Right information),
(Right people), (Right time), (Right form) . 4R-
, .
1. 4R
4R- .
,
. ,
. . 2-
.
2.
. :
=( , , )
, .
,
, . .
:
( )- /
. ,
, ,
. 0
.
- /
.
-
. .
- ,
,
.
3- .
1 ,2
, 3 , 4 .
3.
H
/
L
L
. , , ,
.
1.2
.
.
(ISO/IEC)
,
- (Certified Information Systems Auditor)
- (Certified
Information System Security Professional)- .
,
, ,
, ,
.
2-
.
2.
ISO/IEC 27001
IS
, ,
, ,
ISO/IEC270011 . ,
,
.
. ISO/IEC27001 ,
.
, ,
2- .
.
3 . ,
, .
1.
.
2.
?
.
3. ,
,
.
.
.
1. ?
2.
3. ?
.
4. (,
)
1.
2.
3.
2.
:
;
2.1
(Hacking)
,
.
, .
.
.
,
4.
.
,
()
350
.
2001 4 30- 24
.
2001 4 30- 5 1- -
-
.
INFO-CON NORMAL- INFO-CON ALPHA .
2001 5 1-
-
.
(
) -
.
: Attrition.org, Cyberwar with China: Self
4.
Suresh Ramasubramanian, Salman Ansari Fuatai Purcell, Governing Internet Use: Spam, Cybercrime and
e-Commerce, in Danny Butt (ed.), Internet Governance: Asia-Pacific Perspectives (Bangkok: UNDP-APDIP, 2005), 95,
http://www.apdip.net/projects/igov/ICT4DSeries-iGov-Ch5.pdf.
(Denial-of-Service)
- (Denial of Service)
.
,
.
5.
2007 5 4- , -
(DoS)
. , , ,
,
.
.
.
.
.
: Beatrix Toth, Estonia under cyber attack (Hun-CERT, 2007), http://www.cert.hu/
dmdocuments/Estonia_attack2.pdf.
(Malicious code)
.
, , .
,
.
.
.
.
/
,
.
5.
1.25
2003 1 25- Slammer worm
. 9
(DNS)- .
200,000
500,000 . , 22.5
. .
worm
.
(ISP)
.
.
Social engineering
Social Engineering
.
. .
.
.
2007 1 19- .
.
. raking.zip
raking.exe
haxdoor.ki
.
. .ki
.
.
.
.
- 15
.
7-8 (USD 7,3008,300)
.
.
: Tom Espiner, Swedish bank hit by biggest ever online heist, ZDNet.co.uk (19 January
2007), http://news.zdnet.co.uk/security/0,1000000189,39285547,00.htm
2.2 6
.
, ,
. ,
.
. :
CERT (http://www.cert.org/cert/)
Symantec (http://www.symantec.com/business/theme.jsp?themeid=threatreport)
IBM (http://xforce.iss.net/)
.
6.
This section is drawn from Tim Shimeall and Phil Williams, Models of Information Security Trend Analysis (Pittsburgh:
CERT Analysis Center, 2002), http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.11.8034
7
.
.
, .
(cain&abel )
. ,
(firewall)
.
. - (antiforensic)
. .
(HTTP)
8. MSN . MSN (IM)-
. IM
.9
(Emergency
Response Team Coordination Center-CERT/CC)
2
.
.10
- ( -)
.11
.
.
7.
. MP
MP .
. MP 12
.
. ,
. , ,
.
. -botnet
-
. , .
.
-, , ,
. 4-
.
4.
,
.
: ,
: ,
,
ISP-
-
:
- ,
.
, .
.
, ,
.
, , Social engineering
.
.
3-
.
3. 2007
- (.)
(adware)
- 30 , 20 ,
10 , 2
(Malware
package),
$1,000 - $2,000
add-on
$ 20-
$ 0.99 - $ 1
2.5
$ 1.60 - $ 2
$4,
$80,
()
$100
10,000 PC
$1,000
$50-
1 (freshlyharvested) - ()
$8
:Trend Micro, 2007 Threat Report and Forecast (2007), 41, http://trendmicro.mediaroom.com/file.
php/66/2007+Trend+Micro+Report_FINAL.pdf
2.3
,
, , ,
.
.
.
,
, ,
, .
.
.
.
.
.
. ,
,
.
.
,
.
- .
, ,
.
.
, ,
, .
,
.
:
1.
.
.
.
2.
, ,
.
.
3.
.
.
.
, ,
.
Defense-In-Depth (DID)
.
(perimeter) . DID
, , .
( 5).
5.
: Defense Science Board, Protecting the Homeland: Defensive Information Operations 2000 Summer
Study Volume II (Washington, D.C.: Defense Science Board, 2001), 5, http://www.acq.osd.mil/dsb/reports/dio.pdf)
,
. . :
1. (Cryptography)
( /plaintext/ ) ,
(ciphertext ) . (decryption)
.
.
(IPSec, SSH, SSL, VPN, OTP, ..)
:
2. - - (One-Time Password-OTP) ,
.
. -
.
-
.
3. (Firewall)
,
.
.
4.
.
. , ,
(script code injection), SQL (SQL injection)
(malware) .
.
.
.
:
,
.
,
.
.
. :
1. , , ,
,
.13
2. - (Intrusion Detection System -IDS)
,
.
.
3. - (Intrusion prevention system -IPS)
,
.
. ,
IP .14
, ,
. :
1. (Enterprise security managementESM) - ,
, .
,
.
,
-
. -
.
2. - (Enterprise risk management-ERM) -
. -
.
-
.
1.
, ? ?
2.
?
3. , ,
? ,
?
,
, ?
1.
?
2.
?
?
3. DID .
?
3.
:
;
.
3.1
-
2001 9 11- -
(Department of Homeland Security)- .
.
,
.
15 ,
, .
:
- 200216 (Cyber Security Enhancement
Act-CSEA) .
,
,
.
: 9/11- ,
- (Electronic Communications Privacy Act-ECPA)
(ISP ) ( ,
- .) . 2001 9 11-
15. The White House, The National Strategy to Secure Cyberspace (Washington, D.C.: The White House, 2003), http://
www.whitehouse.gov/pcipb.
16. Computer Crime and Intellectual Property Section, SEC. 225. Cyber Security Enhancement Act of 2002 (Washington,
D.C.: Department of Justice, 2002), http://www.usdoj.gov/criminal/cybercrime/homeland_CSEA.htm.
2004 -
(European Network and Information Security Agency-ENISA)- .
,
(NIS) ,
( )
.
,
, -
,
. :
, -
:
. ,
;
. ,
.
, ,
. - :
;
. , ,
.
-
,
.
.
:
;
,
;
;
,
.
. :
ISP-
;
, , ,
, ID
,
;
, -
;
;
,
;
.
: Abridged from Europa, Strategy for a secure information society (2006 communication),
European Commission, http://europa.eu/scadplus/leg/en/lvb/l24153a.htm.
2001
(Council of Europe Convention on Cybercrime-CECC)
. , ,
.
2004 CECC-
.19
, -
2004 3 10-
, ,
,
.
2006 5 - (Permanent
Stakeholders Group -PSG) 20-
, -
. - ( 6):
19. Council of Europe, Cybercrime: a threat to democracy, human rights and the rule of law, http://www.coe.int/t/dc/files/
themes/cybercrime/default_en.asp.
20. Paul Dorey and Simon Perry, ed. The PSG Vision for ENISA (Permanent Stakeholders Group, 2006), http://www.enisa.
europa.eu/doc/pdf/news/psgvisionforenisafinaladoptedmay2006version.pdf.
6. -
( : Paul Dorey and Simon Perry, ed. The PSG Vision for ENISA (Permanent Stakeholders Group, 2006),
http://www.enisa.europa.eu/doc/pdf/news/psgvisionforenisafinaladoptedmay2006version.pdf)
1.
. ,
, .
2.
.
,
.
3.
.
. -
,
.
, ,
.
4.
,
NIS- .
5. ,
NIS- ,
.
6.
.
.
7.
.
8.
.
, - ,
,
.
,
.
9.
(ISP/NSP)
. ,
. ISP-
.
: Abridged from Paul Dorey and Simon Perry, ed. The PSG Vision for ENISA (Permanent
Stakeholders Group, 2006),
http://www.enisa.europa.eu/doc/pdf/news/psgvisionforenisafinaladoptedmay2006version.pdf.
-
.
2004
, - (MIC)
.
(Privacy Impact Assessment- PIA)
.
, ,
,
.
: (1) ; (2) , ; (3) -
.
247.89 . (2005 43
, 2006 55.5 2008 80.1 .).
:
,
; ;
.
- , : -
, ,
.
.
- ,
,
. ,
,
,
.
:
,
. ,
(Internet Incident Response Service Centre)
.
. ,
.
,
.
.
21
22
,
.
(Information Security Policy Council)
- (National Information Security Center- NISC)
.
(Cyber Clean Center)-
, ,
.
: (1)
;
(2) YYYY.
- - -
- .
-
.23 4 :
, , .
,
( 4).
4.
,
: NISC, Japanese Government's Efforts to Address Information Security Issues (November 2007), http://www.nisc.go.jp/eng/.
-
-
;
21. : NISC, Japanese Government's Efforts to Address Information Security Issues (November 2007), http://www.nisc.go.jp/eng/.
22. Information Security Policy Council, The First National Strategy on Information Security (2 February 2006), 5. http://www.nisc.go.jp/eng/pdf/national_strategy_001_eng.pdf.
23. Ibid., 11
-
.
- ,
;
, / -
,
.
YYYY .
2007 159 2007
24 .
:
;
;
.
1.
?
2.
?
?
3.2
-
-
- (World Summit on the Information Society-)24
,
.
:
- ,
,
- ,
[]
-
,
25
24. World Summit on the Information Society, Basic Information: About , http://www.itu.int//basic/about.
html.
25. World Summit on the Information Society, Plan of Action (12 December 2003), http://www.itu.int//docs/geneva/
official/poa.htm
(IGF)26 -
.
2 . 2007 11 12-15-
IGF ,
.
27-
, () (Organisation for
Economic Co-operation and Development -OECD)
, , ,
,
. -
- (Working Party on
Information Security and Privacy-WPISP) , ,
-
.
- : 2002
,
28
, :29-
.
2003 , ,
-APEC 2005 .
- : 1980
. 2002
:
, ,
. ,
.
: 1998
. 2002-2003 -
- , - . 2005
- .
2004 - , 2005
. , ,
(pervasive radio frequency identification-RFID), ,
.
30-
, - (Asia-Pacific
Economic Cooperation-APEC)
(Telecommunication and Information Working Group TEL) ,
.
: (Liberalization Steering Group), -
(ICT Development Steering Group), ,
(Security and Prosperity Steering Group)
.
2005
. -
-
.
- 55/6331-
32
. TEL (Cybercrime
Legislation Initiative) (Enforcement
Capacity Building Project)
.
- - (Computer
Emergency Response Teams- CERTs)-
.
.
. , -
.
,
,
TEL-
.
2007 .
- 33
- - .
191 700 , .
-
. (Radiocommunication Sector -)
. (Standardization Sector--) . ,
-
(
) . TELECOM
- .
30. : APEC, Telecommunications and Information Working Group, http://www.apec.org/apec/apec_groups/
som_committee_on_economic/working_groups/telecommunications_and_information.html
31. Combating the criminal misuse of information, which recognizes that one of the implications of technological advances
is increased criminal activity in the virtual world.
32. An Agreement undertaken in Budapest that aims to uphold the integrity of computer systems by considering as criminal
acts any action that violates said integrity. See http://conventions.coe.int/Treaty/EN/Treaties/Html/185.htm.
33. This section is drawn from ITU, About ITU, http://www.itu.int/net/about/index.aspx.
- -
( Action Line C.5), -
(ITU Global Cybersecurity Agenda) -
(ITU Cybersecurity Gateway) .
C.5 (Action Line C.5)- :
-
;
;
;
, ;
,
;
, .
, /
;
,
;
,
,
;
,
;
,
;
,
;
.
. , ,
.
, , , , ,
, .
-
(ITU Cybersecurity Work Programme)- .
:
/ ,
-
StopSpamAlliance.org- ,
,
34, / 35,
36 .
ISO/IEC-
- (Information Security
Management System-ISMS)
.
, ,
.
2005 2
- . : IS
27001 - IS 17799:2005
IS 17799: 2000 .
BS 7799 1995
(British Standards Institution -BSI)
. 1998
1- , 2- . 1-
2- ,
(-- ).
1- 2000 ISO/IEC JTC 1/SC27 WG1- IS 17799 .
, IS 17799 (2,000 ),
2005 11 . IS 17799: 2000 10
126 . 2005 IS 17799 11
133 .
1999 BS 7799- 2-
. 2002 9 ISO 9001 ISO 14001-
. ISO -
BS7799 2- : 2002- ,
ISO27001 .
.
27000 ( : 9000 ,
: 14000 ). IS 17799:2005- IS 27001
-
IS17799:2005- 2007 IS27002 .
34. Suresh Ramasubramanian and Robert Shaw, ITU Botnet Mitigation Project: Background and Approach (ITU
presentation, September 2007), http://www.itu.int/ITU-D/cyb/cybersecurity/docs/itu-botnet-mitigation-toolkit.pdf.
35. ITU-D Applications and Cybersecurity Division, Publications, ITU, http://www.itu.int/ITU-D/cyb/publications/.
36. ITU-D Applications and Cybersecurity Division, ITU National Cybersecurity / CIIP Self-Assessment Tool, ITU, http://
www.itu.int/ITU-D/cyb/cybersecurity/projects/readiness.html.
, ,
JTC1SC27-
27000 .
7- - .
-
.
.
7. ISO/IEC 27001-
(ANSIL, Roadmap ISO/IEC 2700x, ISMS, Forum Eurosec 2007,
http://www.ansil.eu/files/pres-eurosec2007-23052007.pdf)
?
?
1.
?
?
2.
?
4.
,
.
4.1
,
.
, , .
, .
,
.
- . ISO/IEC27001
.
- ISO/IEC27001 BSI BS7799
. BS7799
. BS7799 1-
.
ISO/IEC27001- 2-
.
ISO/IEC27001- 133 11
( 5).
5. ISO/IEC27001-
5.
6.
7.
8.
9.
10.
11.
12.
13.
14.
15.
ISO/IEC27001 - Plan-Do-Check-Act
. ISO/IEC27001-
; 6
; - 3
.
8. ---
(Source: ISO/IEC JTC 1/SC 27)
. , ,
.
. :
(Gap analysis)
. 133 11
.
.
,
.
. , ,
.
.
#1
+ + =
: (2) + (3) + (3) =
(8)
: (2) + (3) + (1) = (6)
: (2) + (1) + (1) =
(5)
:
.
. - Degree of Assurance
.
. ISO/IEC
.
ISO/IEC27001 . 6*
.
6. ,
2863*
11
433
11
368
10
202
10
174
10
108
10
82
74
71
66
54
38
36
28
26
26
26
26
20
20
17
16
15
14
4997
11
4987
: 2008 12 21- .
: International Register of ISMS Certificates, Number of Certificates per Country, ISMS International
User Group Ltd., http://www.iso27001certificates.com.
.
ISMS- ,
- (Federal
Emergency Management Agency - FEMA) 42637- .
426 .
,
- .38
427 ( Primer for the Design of Commercial Buildings to Mitigate Terrorist Attacks), 428
( Primer to Design Safe School Projects in Case of Terrorist Attacks), 429 (
, ,
-Insurance, Finance, and Regulation Primer for Terrorism Risk Management in
Buildings), 430 (), 438 ().
426
, , .
, 426
. 426-
.
. - (Common Criteria - CC)
.
39
-
.
, , , -
.
,
, -
.
.
57 11 136 .
40 9 86 .
-: (Target of
Evaluation-TOE)- .
7- SFR- .
37. FEMA, FEMA 426 - Reference Manual to Mitigate Potential Terrorist Attacks Against Buildings, http://www.fema.gov/
plan/prevent/rms/rmsp426.
38. Ibid.
39. Common Criteria, http://www.commoncriteriaportal.org.
7.
FAU
,
,
, -
FCO
-
.
FCS
FDP
FIA
FMT
()
:
,
FPR
FPT
FRU
FTA
FTP
: Common Criteria, Common Methodology for Information Technology Security Evaluation, September
2007, CCMB-2007-09-004
-: -
. ,
.40 8- -
.
40. Common Criteria, Common Criteria for Information Technology Security Evaluation Part 3: Security assurance
requirements (August 1999, Version 2.1), http://www.scribd.com/doc/2091714/NSA-Common-Critira-Part3.
8.
APE
(Protection
Profile-PP)
,
-
ASE
(Security
Target -ST)
,
-
ADV
- .
ATE AVA
.
AGD
-
-
.
ALC
(Life-cycle
support)
- (Configuration
Management) , , ,
, ,
, , ,
.
ATE
.
.
AVA
-
.
ACO
,
.
: Common Criteria, Common Methodology for Information Technology Security Evaluation, September
2007, CCMB-2007-09-004
-
1. - :
.
. -
.
2. - : -
- , ,
.
- , , , ,
, .
.
- .
.
(Common Criteria Recognition Arrangement)
- (Common Criteria Recognition
Arrangement -CCRA)-
.
, -
,
- .
24 12 (Certificate Authorizing Participants- CAP), 12 (Certificate Consuming Participants- CCPs) .
.
.
2 - .
. -
/
. -
.
9.
4.2
- ,
- , - , - (US
National Institute of Standards and Technology-NIST)
,
. , :
;
;
;
, .
.
500 800 2
. 10- -
.
10. /
(BS7799)
,
ISO27001 (BS7799 2- ), ISO27002 (BS7799
1- ) BS7799 .
11- .
11. BS7799
12.
(ISO/IEC27001 -
- (Korea Information Security
Agency) , - , BSI
ISO/IEC 27001- . - /
. ISO/IEC27001-
.
-
. 13- -
.
13. -
( : KISA, Procedure of Application for ISMS Certification (2005), http://www.kisa.or.kr/index.jsp)
(- )
(Bundesamt für Sicherheit in der Informationstechnik)
.
, -
.
-
ISO Guide 25[GUI25] EN45001-
- .
- , (-
) (- )
.
, (Baseline protection manual-BPM)
- : 100-X- . :
BSI 100-1 , 100-2, BPM
100-3 41 .
9- .
9.
(Communications
Security Establishment)
MG-4,
,
, ,
(Bureau of
Standards, Meteorology
and Inspection)
(Information
Technology Standards
Committee)
SS493 : 1- (
)
& SS493 : 2- (
)
41. Antonius Sommer, Trends of Security Strategy in Germany as well as Europe (presentation made at the 2006 Cyber
Security Summit, Seoul, Republic of Korea, 10 April 2006), http://www.secure.trusted-site.de/download/newsletter/
vortraege/KISA.pdf.
5.
:
;
;
.
5.1
42
43 . , , ,
- , , ( , ,
), .
, , ,
,
.
, , , .
.
.
:
(.. ,
)
(..
, )
,
(.. CCTV cookies
)
( )
.
.
/ .
42. Cabinet Office, Privacy and Data-sharing: The way forward for public services (April 2002), http://www.epractice.eu/
resource/626.
43. EurLex, Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of
individuals with regard to the processing of personal data and on the free movement of such data, http://eur-lex.europa.eu/
smartapi/cgi/sga_doc?smartapi!celexplus!prod!DocNumber&lg=en&type_doc=Directive&an_doc=1995&nu_doc=46.
5.2
-
1980
- . 2002
: , - - .44
,
.
-
.
.
-
:
1.
, ,
.
2.
, .
3.
.
4.
,
.
5.
, ,
.
6.
,
. ,
, .
44. OECD, Privacy Online: OECD Guidance on Policy and Practice, http://www.oecd.org/document/49/0,3343,en_2649_34255_19216241_1_1_1_1,00.html.
7.
a.
;
b.
;
c. (a), ()
;
d. ,
, , .
5.
.45
-
1960- ,
. UNESCO 1990
-
- .
.
:
1.
, ,
, - ,
.
2.
,
,
,
.
3.
,
:
a. ,
;
b.
;
c.
.
45. To read the entire document where these principles are listed, see the OECD Guidelines on the Protection of Privacy and
Transborder Flows of Personal Data, http://www.oecd.org/document/18/0,2340,en_2649_34255_1815186_1_1_1_1,00.html.
4.
,
,
,
, ,
.
5.
6- , , ,
, , ,
, ,
, .
6.
1-4- ,
, , , ,
( )
, ,
.
5-
.
7.
, ,
,
.
8.
.
, ,
.
.
9.
.
,
.
10.
.
.46
E
,
1995 10 24-
. E-
, .
1- ,
.
, -
.47
.
8- , 95/46/EC (
), 2002/58/EC (- ) 2006/24/EC, 5-
( ) .48
-
. 2005 , 25 , 75
.49 -
.
,
.
.
.
46. The principles are quoted from the Office of the High Commissioner for Human Rights, Guidelines for the Regulation of
Computerized Personal Data Files, http://www.unhchr.ch/html/menu3/b/71.htm.
47. Domingo R. Tan, Comment, Personal Privacy in the Information Age: Comparison of Internet Data Protection Regulations
in the United States and the European Union, 21 LOY. L.A. INTL & COMP. L.J. 661, 666 (1999).
48. Justice and Home Affairs, Data Protection European Commission, http://ec.europa.eu/justice_home/fsj/privacy/index_en.htm.
49. Internet World Stats, Korea, Miniwatts Marketing Group, http://www.internetworldstats.com/asia/kr.htm.
, u-SafeKorea-
-
2005 : (1)
; (2) - ;
(3) ; (4)
.
.
,
.
:
,
.
,
:
,
.
, , ,
.
, (privacy mediation
committee) .
:
.
.
:
,
, ;
.
( )
, .
.
.
-e,
.
1974
.
. , (Office of Management and Budget-OMB)
. (Federal
Trade Commission) ,
.
- :
1982 -
. 1988
. , 1997
, .
,
(Advanced Information and Telecommunications Society Promotion Headquarters)
.
(Data Protection Authority)-
.
.
.
:
(Act for the Protection of Computer Processed
Personal Data Held by Administrative Organs), 1988
1529 1999
(Regulations of Local Governments enacted in 1999 for
1,529 local governments)
(Act for the Protection of Personal
Information), 2003
(Act on the Protection of Personal Information Held by Administrative Organs), 2003
(Act for the Protection of Personal Information Retained by Independent
Administrative Institutions), 2003
(Board of Audit Law), 2003
RFID (Guidelines for
Privacy Protection with regard to RFID Tags), 2004
1. ,
?
2. , /
?
3. ( - )
,
?
5.3 (PIA)
?
- (Privacy Impact Assessment-PIA)
, ,
.
.
, ,
. ,
.
-
.
, ,
.
- 50
( 10).
50. This section is drawn from Information and Privacy Office, Privacy Impact Assessment: A User's Guide (Ontario: Management Board Secretariat, 2001), http://www.accessandprivacy.gov.on.ca/english/pia/pia1.pdf.
10.
,
-
.
(Freedom of Information
FOI),
. .
.
.
.
.
.
.
.
.
,
,
,
.
.
: Information and Privacy Office, Privacy Impact Assessment: A User's Guide (Ontario: Management Board Secretariat, 2001), 5, http://www.accessandprivacy.gov.on.ca/english/pia/pia1.pdf.
-
- :
1. ,
;
2. ;
3. , ;
4. ,
, / .
.
- .
-
11- .
11.
2002
208-
OMB OMB-M-03-22
.
2002 5
.
-
(
)
-
(2004, )
-
(2004, )
-
.
,
A
-
,
(
)
,
,
,
PIA- OMB .
1. ?
2. ?
3. -
?
4. ?
6.
:
(Computer Security Incident Response Team)-
;
-
.
2006
446 . 347 . .
2002 8,9 ,
2004 20 , 2005 50 . .
-
.
6.1 -
,
, , .
.51
1988
. (Defence
Advanced Research Projects Agency)
-
/- .
.
1990
- (Forum of Incident Response and Security
Teams - FIRST) . -
-
.
52
- . ,
,
.
1. ( - )
. ,
51. CERT, CSIRT FAQ, Carnegie Mellon University, http://www.cert.org/csirts/csirt_faq.html.
52. This section is drawn from Georgia Killcrece, Klaus-Peter Kossakowski, Robin Ruefle and Mark Zajicek, Organizational
Models for Computer Security Incident Response Teams (CSIRTs) (Pittsburgh: Carnegie Mellon University, 2003),
http://www.cert.org/archive/pdf/03hb001.pdf.
- . ,
.
.
14.
2.
.
/ .
.
.
. :
, , ;
;
.
15.
3.
. ,
. ,
.
,
.
16.
4. -
.
// .
,
.
,
.
, .
17.
5.
CSIRT .
,
- .
.
.
.
, , , ,
/ /, ,
,
.
18.
- : 53
. ,
.
1- -
1-
.
:
a. -
b. -
c.
d.
e. -
f. - ,
g. , , ,
h.
i.
j.
k.
2- - : 1- ,
2- 1- , -
. 1- ,
.
:
a. - .
,
,
b. -
c.
d. ( )
e.
f. ( ) ,
g. ,
h. - ,
53. This section is drawn from Georgia Killcrece, Steps for Creating National CSIRTs (Pittsburgh: Carnegie Mellon University,
2004), http://www.cert.org/archive/pdf/NationalCSIRTs.pdf.
i.
j. ,
k. , -
3- -
3- , - 1 2-
. :
a.
b. -
( )
c.
d. -
(.. , ,
)
e.
- ,
f. - ,
,
g. -
h. , ( ),
.
4- -
-
, ,
.
. :
a. -
b. -
c. -
d. , ,
e. - ,
5-
(4- ).
, -, -
,
. :
a. , ,
-,
b.
c.
d.
e.
,
-
,
-
.
- 54
- ,
.
- . :
1. ,
,
.
2. ,
, , .
:
, ,
. ,
,
.
,
, ,
.
.
3.
, .
4. , -,
.
5. -
. ,
. ISP- - , -
.
6. - ,
, ,
.
- ,
.
54. This section is drawn from Carnegie Mellon University, CSIRT Services (2002), http://www.cert.org/archive/pdf/CSIRTserviceslist.pdf.
(debugger)
.
- ,
.
.
, .
.
,
. ,
,
.
7. (artifact) ,
, , ,
, , .
-
, .
, -,
,
.
,
.
:
1. , ,
.
-
.
, ,
.
2.
, ,
.
,
.
3. -
, .
4. , , ,
,
, .
5.
, ,
, plug-in .
6. -
,
.
7.
,
.
,
. :
1. ,
,
- .
2.
,
.
3. -
, .
4. -
, , ,
.
5. /- ,
, ,
, ,
,
. , ,
.
6. , -
, .
12- - .. ,
.
12. -
, ,
()
()
: Georgia Killcrece, Klaus-Peter Kossakowski, Robin Ruefle and Mark Zajicek, Organizational Models for Computer Security Incident Response Teams (CSIRTs) (Pittsburgh: Carnegie Mellon University, 2003), http://www.cert.org/archive/pdf/03hb001.pdf.
6.2 -
,
- .
- ,
.
- 55
41 -,
.
-/ (Computer Emergency Response Team
Coordination Center CERT/CC) - 191 .
. ,
, , ,
.
. :
, , , ,
, ;
, ,
;
;
, ,
;
, ,
.
56
- (Asia-Pacific Computer
Emergency Response Team-APCERT)
2003 2 .
- 2002 .
- 14 -
. 2007 8 14
, 6 .
-
,
.
- ,
.
- :
;
;
,
, ;
;
-
;
.
57
- (European Government CERT)
- . ,
, , , , , , , .
, :
;
,
, ;
, ;
;
.
, - 58
- -
, .
-
2004 1 . :
-
;
;
- .
- ,
.
6.3 -
- . 13-
- .
13. -
http://www.brucert.org.bu
http://www.psepc-sppcc.gc.ca/prg/
em/ccirc/index-en.asp
http://www.clcert.cl
http://www.cert.fi
CERT-Administration
http://www.certa.ssi.gouv.fr
CERT-Bund
http://www.bsi.bund.de/certbund
http://www.hkcert.org
CERT-Hungary
http://www.cert-hungary.hu
CERT-In
http://www.cert-in.org.in
http://www.cert.or.id
http://www.jpcert.or.jp
LITNET CERT
http://cert.litnet.lt
http://www.mycert.org.my
http://www.cert.org.mx
http://www.aucert.org.au
http://www.cert.dk
GOVCERT.NL
http://www.govcert.nl
http://www.ccip.govt.nz
http://www.cert.no
http://www.phcert.org
http://www.singcert.org.sg
http://www.arnes.si/english/si-cert
http://www.krcert.or.kr
IRIS-CERT
http://www.rediris.es/cert
http://www.sitic.se
http://www.thaicert.nectec.or.th
TP-CERT
http://www.uekae.tubitak.gov.tr
GovCertUK
http://www.govcertuk.gov.uk
http://www.us-cert.gov
http://www.vncert.gov.vn
: CERT, National Computer Security Incident Response Teams, Carnegie Mellon University, http://www.
cert.org/csirts/national/contact.html.
?
1.
.
2.
.
1. - ?
2. - - ?
3. ?
7.
:
;
.
, , , ,
. ,
.
.
.
, 4
: (1) ; (2)
; (3) ; (4) ( 19).
, , ,
,
.
19.
7.1
.
.
, ,
.
.
:
. :
. :
( 3, 6- )
, , (3- )
(4- )
,
(2, 6- )
(5- )
:
. ,
, , .
, ,
. , ,
.
.
.
,
.
:
1. ,
, . , , ;
2. .
,
.
,
, , .
.
. , ,
, .
, , , , -
. , .
.
. 20-
.
.
.
20. ,
,
.
.
2-
.
. ,
:
,
.
.
:
.
.
7.2
: (1)
; (2) ,
; (3)
; (4) / ;
(5) .
1. ,
,
.
,
.
,
.
.
.
.
2.
59
. 21-
.
59. This section is drawn from Sinclair Community College, Information Security Organization-Roles and Responsibilities, http://www.sinclair.edu/about/information/usepolicy/pub/infscply/Information_Security_Organization_-_Roles_and_Responsibilities.htm.
21.
,
.
.
,
.
,
.
, ,
.
(, , ..)
,
, , .
.
,
.
()
, .
,
.
. :
,
,
,
,
,
,
. ,
,
, ,
, ,
.
.
-
,
, .
, .
, ,
,
2 .
(CISO) ,
. ,
, ,
,
, ,
, ,
.
,
,
.
, , .
.
.
, ,
,
.
,
. ,
( )- .
.
,
.
,
.
ID- .
3.
. (,
, , )- ,
, , ,
. 22-
.
22.
. 5 . :
. : , ,
.
, :
,
.
, :
. : ,
, .
:
,
,
,
. :
( , .)
. :
. ,
. .
:
. , :
.
.
:
, , ,
-
. .
:
, ,
:
, .
:
,
,
. , :
,
, .
:
,
,
,
,
4.
/
.
. 14-16-
,
.
.
.
14.
ID-
/ , ,
- ./
15.
( 2002/21/EC)
(1995/46/EC)
6-24
(2004, 2005
)
( 2000/31/EC)
(2000/31/EC)
16. -
2002
1999 -
2002
-
2003
5.
. 17-
.
17. -
2004
2005
848,967,000,000,000
855,195,000,000,000
267,000,000,000
288,000,000,000
0.03%
0.03%
2006
2007
2,709,000,000,000 .
2,770,000,000,000 .
5,512,000,000 .
5,759,000,000 .
0.203%
0.208%
. :
1.
2.
3.
4.
5.
5
.
.
1.
?
2. ?
?
3. ?
4.
?
5. ?
?
7.3 ,
,
. 23-
.
23.
18-
,
.
18.
, :
, :
:
:
:
:
:
:
, ,
( .) -
, . . ,
, ,
.
.
19. ,
, :
,
, :
,
ISP-:
:
,
,
,
,
,
,
. ,
.
20.
:
, , ,
:
, ,
:
,
:
:
,
: ,
:
, , /
- ,
, ,
.
.
.
. ,
.
.
US SP 800-16 (
) .
21. ,
- :
:
: ,
,
ISP, , :
, /
, /
,
,
.
22.
:
,
: /, /
,
:
:
:
,
,
.
.
, ,
/ . (
)
.
.
1.
.
.
2. 23-
, .
7.4
, .
.
. .
, .
. ,
.
.
.
.
() -
,
.
1.
? ?
, ?
2.
?
Butt, Danny, ed. 2005. Internet Governance: Asia-Pacific Perspectives. Bangkok: UNDP-APDIP. http://www.apdip.net/publications/ict4d/igovperspectives.pdf.
CERT. CSIRT FAQ. Carnegie Mellon University. http://www.cert.org/csirts/csirt_faq.html.
CERT. Security of the Internet. Carnegie Mellon University. http://www.cert.org/encyc_article/tocencyc.html.
Dorey, Paul and Simon Perry, ed. 2006. The PSG Vision for ENISA. Permanent Stakeholders Group. http://www.enisa.europa.eu/doc/pdf/news/psgvisionforenisafinaladoptedmay2006version.pdf.
ESCAP. Module 3: Cyber Crime and Security. http://www.unescap.org/icstd/POLICY/publications/internet-use-for-business-development/module3-sources.asp.
Europa. Strategy for a secure information society (2006 communication). European
Commission. http://europa.eu/scadplus/leg/en/lvb/l24153a.htm.
Information and Privacy Office. 2001. Privacy Impact Assessment: A User's Guide. Ontario: Management Board Secretariat. http://www.accessandprivacy.gov.on.ca/english/pia/pia1.pdf.
Information Security Policy Council. The First National Strategy on Information Security. 2 February 2006. http://www.nisc.go.jp/eng/pdf/national_strategy_001_eng.pdf.
ISO. ISO/IEC27001:2005. http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=42103.
ITU and UNCTAD. 2007. Challenges to building a safe and secure Information Society. In
World Information Society Report 2007, 82-101. Geneva: ITU. http://www.itu.int/osg/spu/
publications/worldinformationsociety/2007/report.html.
ITU-D Applications and Cybersecurity Division. ITU National Cybersecurity / CIIP Self-Assessment Tool. ITU. http://www.itu.int/ITU-D/cyb/cybersecurity/projects/readiness.html.
Killcrece, Georgia. 2004. Steps for Creating National CSIRTs. Pittsburgh: Carnegie Mellon University. http://www.cert.org/archive/pdf/NationalCSIRTs.pdf.
Killcrece, Georgia, Klaus-Peter Kossakowski, Robin Ruefle and Mark Zajicek. 2003. Organizational Models for Computer Security Incident Response Teams (CSIRTs). Pittsburgh: Carnegie Mellon University. http://www.cert.org/archive/pdf/03hb001.pdf.
OECD. 2002. OECD Guidelines for the Security of Information Systems and Networks: Towards a Culture of Security. Paris: OECD. http://www.oecd.org/dataoecd/16/22/15582260.pdf.
OECD. OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. http://www.oecd.org/document/18/0,2340,en_2649_34255_1815186_1_1_1_1,00.html.
Shimeall, Tim and Phil Williams. 2002. Models of Information Security Trend Analysis. Pittsburgh: CERT Analysis Center. http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.11.8034.
The White House. 2003. The National Strategy to Secure Cyberspace. Washington, D.C.: The
White House. http://www.whitehouse.gov/pcipb.
, ,
. ,
.
, .
, .
,
-
.
: http://www.unapcict.org/academy
90
, . ( 1 5-
). Stress the need for appropriate and effective information security and privacy protection
policy.
3
. ,
.
. (2- ). ,
,
,
.
(6 )
-
. (7- )
.
- .
-
, -
.
(7.2- ).
.
- (3 4- ), /CSIRT/-
(6- )- .
-
1
.
.
.
- ,
. , -
.
-
(KISA)-
- (KISA)
1996 .
, , ,
, ,
,
,
.
/UN-APCICT/ -
- ,
- - , (UN-APCICT)
- , , (ESCAP)
. UN-APCICT- , ,
-
:
1. . - ,
, - , ;
2. . - ;
3. . - ,
.
UN-APCICT - .
http://www.unapcict.org
/ESCAP/ - ,
ESCAP - - ,
, . 53 , 9
.
,
.
,
, .
.
http://www.unescap.org
-
http://www.unapcict.org/academy
8 -
, ,
, -
.
1- -
- -
.
2- , ,
- ,
, , .
3-
, , .
.
4- -
- , . .
5-
,
.
6- , ,
, ,
.
7- -
- ,
, ,
.
8- -
-
. -
.
,
. . ,
, 21- - .
(AVA http://ava.unapcict.org)
,
(e-Co Hub http://www.unapcict.org/ecohub)
- ,
, e-Co Hub- ,
- , .
AVA -Co Hub .
http://www.unapcict.org/join_form