
-

6
, ,

,
,

-

6: , ,
Creative Commons Attribution 3.0 License
.
http://creativecommons.org/licenses/by/3.0/ .
,
- .

- ,
, , ,
.
, -
.

- - - .
: , 3- , ,
7-50 -, -, ,
: +82 32 245 1700002
: +82 32 245 7712
-: info@unapcict.org
: http://www.unapcict.org

Copyright UN-APCICT 2009
ISBN: 978-89-955886-4-2 [94560]

,
:
., -
:
., -
., -
., -

., -
., -
., -
., -
., -
., ,


21
, .
, ,
,
.
, ,
.
,
. -
,
1.4 . 2008

. 40 ,
39
.
,

. WSIS
// 2003

,
.
25
100 10 ,

100 80

.
, - ,

- -
, , ,
, , ,
.
- ....
, ,
, .... .
- ,

.
- -
- .
8 -
, , ,
.

6 , ,

- - - - ,
5 . - ,
, , ,
, ,
, . - ,
, ,
- , - -
, ,
,
,

-
.


-
- ,


-
,
. ,

.
- -
20 ,
, ,
,
,
- - -
,
; -
.
,
,

.
8 ,
, -

. - -

8
.

,
, , ,
.
, .
- -


.
,
,
. ,
,
, ,
,
, ,
.


8 ,
,
, .
, , ,
,
. ,
,
,
- -

.
,

. ,
, ,
.
, ,
- ,
, -
.

-
- -



,
.
,
,

.
- .
,
- .
-
, .
-

,
.
- ,
. ,
- ,
,
, .
, ,
- -
- - . :
1. -
,
2. - ,
,
3. , -
.
-

. -
,
.

, .

.

,
.
, .


,
.
, ,
.
. ,

.
,
-
. -

, .

(AVA - http://www.unapcict.org/academy)
Power Point .
, (APCICT) -
,
e-Collaborative Hub for ICTD (e-Co Hub - http://www.unapcict.org/ecohub)- .
-
,
.

6

,
.
,
,
.


. :
1. ,
;
2.
;
3.

;
4.

.


.
:
1. ,
;
2. ;
3.
;
4.
.



....................................................................................................... 3
....................................................................................................... 5
.............................................................................. 7
6 .................................................................................................... 9
......................................................................................................9
............................................................................................9
.......................................................................................11
.......................................................................................................11
................................................................................................ 12
.................................................................................... 13

1. ............................. 15
1.1 ......................................15
1.2 .......................19

2. ..........23
2.1 .............................23
2.2 ......................................26
2.3 .............................................................................30

3. ...................35
3.1 .........................35
3.2 .....................43

4. ................................49
4.1 ............................................................49
4.2 ..............................................56

5. .............................................61
5.1 ...................................................................................61
5.2 ...................................................................62
5.3 (PIA) ...................................................68

6.
..................................... 73
6.1 - ...........................................................73
6.2 - .................................................................................83
6.3 - .....................................................................................84

7. .............87
7.1 ...........................................88
7.2 ..................................90
7.3 , ........................................................................98
7.4 .........................103

10

.................................................................................................104
...............................................................................................104
..................................................................106
...................................................................................................107
- (KISA)- ...................108


1.
2.
3.
4.
5.



- 1.25

23
24
25
26
29


1. 4R
2.
3.
4.
5.
6. -
7. ISO/IEC 27001-
8. ---


9.
10. /
11. BS7799
12.
13. -
14.
15.
16.
17.
18.
19.
20. ,
21.
22.
23.


17
18
19
28
32
39
48
50
55
56
57
58
58
74
74
75
76
76
87
89
91
93
99



1.
16
2. 20
3. 2007
30
4.

,
42
5. ISO/IEC 27001-
49
6. ,
51
7.
53
8.
54
9.
59
10.
69
11.
70
12.


82
13. -
85
14.
96
15.


96
16. -
97
17. -
97
18.



99
19. ,


100
20.


101
21. ,


101
22.
102



APCERT Team-
()
APCICT -
()
APEC ()
BPM Manual- ()
BSI
BSI - ()
CC ()
CCRA ()
CECC ()
CERT ()
CERT/CC (/)
CIIP ()
CISA ()
CISSP ()
CM ()
CSEA ()
CSIRT ()
DoS ()
ECPA ()
EGC ()
ENISA , ()
ERM ()
ESCAP , , ()
ESM ()
FEMA ()
FIRST , ()
FISMA ()
FOI ()
ICTD , ()
IDS ()
IGF ()
IPS ()
ISACA , ()
ISMS ()
ISP/NSP ,
IT ()
ITU ()
ITU-D (-)
ITU-R (-)
ITU-T (-)
KISA ()
MIC - ()
NIS , ()
NISC ()


NIST - , ()
OECD , ()
OMB - , ()
OTP
PP ()
PSG ()
RFID ()
SAC ()
SFR ()
SME , ()
ST ()
TEL , ()
TOE ()
WPISP , ()
WSIS ()


1.

:
;

, () . ,
(hacking), ,
. ,
.
, ,

.

1.1
?
, .
. -
, ,
.
.
. IS/IEC 27001-
.

, .

.

. , ,
,
.


. ,
. 1-
.


1.


(
)

1-
. .

,
.

. , ,
.
2- .
. :
- -

, ,
.
-

. , -

,
.
, -
/
. ,
.

.
- /
.
.
.


?


.
,
.
4R
4R (Right information),
(Right people), (Right time), (Right form) . 4R-
, .
1. 4R

4R- .
,
. ,

. . 2-
.


2.

. :
=( , , )
, .
,
, . .
:
( )- /
. ,
, ,
. 0
.
- /
.
-

. .
- ,
,
.


3- .
1 ,2
, 3 , 4 .
3.

H
/

L
L


. , , ,
.

1.2


.

.
(ISO/IEC)
,
- (Certified Information Systems Auditor)
- (Certified
Information System Security Professional)- .
,
, ,
, ,

.
2-
.


2.

ISO/IEC 27001

IS

, ,

, ,


ISO/IEC270011 . ,
,
.
. ISO/IEC27001 ,
.
, ,
2- .
.
3 . ,
, .

1.
.
2.
?
.
3. ,
,

.
.
.


1. ?
2.

3. ?
.
4. (,
)

1.
2.
3.

ISO, ISO/IEC27001:2005 http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=42103.


ISACA- , http://www.isaca.org/Template.cfm?Section=CISA_Certification&Template=/TaggedPage/TaggedPageDisplay.cfm&TPLID=16&ContentID=19566.
(ISC)- . CISSP - http://www.isc2.
org/cissp.


2.

:
;

2.1

(Hacking)
,
.
, .

.
.
,
4.

.

,
()
350
.
2001 4 30- 24
.

2001 4 30- 5 1- -
-
.
INFO-CON NORMAL- INFO-CON ALPHA .
2001 5 1-
-

.
(
) -



.
: Attrition.org, Cyberwar with China: Self

4.

Suresh Ramasubramanian, Salman Ansari Fuatai Purcell, Governing Internet Use: Spam, Cybercrime and
e-Commerce, in Danny Butt (ed.), Internet Governance: Asia-Pacific Perspectives (Bangkok: UNDP-APDIP, 2005), 95,
http://www.apdip.net/projects/igov/ICT4DSeries-iGov-Ch5.pdf.


(Denial-of-Service)
- (Denial of Service)

.

,
.
5.


2007 5 4- , -


(DoS)
. , , ,
,
.
.
.
.

.
: Beatrix Toth, Estonia under cyber attack (Hun-CERT, 2007), http://www.cert.hu/
dmdocuments/Estonia_attack2.pdf.

(Malicious code)
.
, , .
,

.


.
.
.
/
,
.

5.


ESCAP, Module 3: Cyber Crime and Security, http://www.unescap.org/icstd/POLICY/publications/internet-use-forbusinessdevelopment/module3-sources.asp.

1.25

2003 1 25- Slammer worm

. 9
(DNS)- .
200,000
500,000 . , 22.5
. .
worm
.

(ISP)
.


.

Social engineering
Social Engineering
.


. .

.
.




2007 1 19- .

.
. raking.zip
raking.exe
haxdoor.ki
.

. .ki

.
.

.

.
- 15
.
7-8 (USD 7,3008,300)
.


.
: Tom Espiner, Swedish bank hit by biggest ever online heist, ZDNet.co.uk (19 January
2007), http://news.zdnet.co.uk/security/0,1000000189,39285547,00.htm

2.2 6

.
, ,

. ,

.

. :


CERT (http://www.cert.org/cert/)
Symantec (http://www.symantec.com/business/theme.jsp?themeid=threatreport)
IBM (http://xforce.iss.net/)


.
6.


This section is drawn from Tim Shimeall and Phil Williams, Models of Information Security Trend Analysis (Pittsburgh:
CERT Analysis Center, 2002), http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.11.8034

7

.

.

, .
(cain&abel )
. ,
(firewall)

.


. - (antiforensic)
. .
(HTTP)

8. MSN . MSN (IM)-

. IM
.9

(Emergency
Response Team Coordination Center-CERT/CC)
2
.
.10
- ( -)

.11


.
.

7.

, CERT, Security of the Internet, Carnegie Mellon University, http://www.cert.org/


encyc_article/tocencyc.html
8. Suresh Ramasubrahmanian et al., op. cit., 94.
9. Munir Kotadia, Email worm graduates to IM, ZDNet.co.uk (4 April 2005), http://news.zdnet.co.uk/security/0,1000000189,39193674,00.htm.
10. Suresh Ramasubrahmanian et al., op. cit.
11. Wikipedia, Zero day attack, Wikimedia Foundation Inc., http://en.wikipedia.org/wiki/Zero_day_attack.
12. Symantec, Symantec Internet Security Threat Report: Trends for January-June 07, Volume XII (September 2007), 13,
http://eval.symantec.com/mktginfo/enterprise/white_papers/ent-whitepaper_internet_security_threat_report_xii_exec_summary_09_2007.en-us.pdf




. MP
MP .


. MP 12
.


. ,

. , ,
.
. -botnet
-
. , .
.
-, , ,
. 4-
.

4.

Spam received per day-




,
.
: ,

: ,
,
ISP-

-

:
- ,

- PTF ITU SPAM


,
, -
.

.



.
, .

.
, ,

.
, , Social engineering
.
.
3-
.


3. 2007

- (.)

(adware)

- 30 , 20 ,
10 , 2

(Malware
package),

$1,000 - $2,000

add-on

$ 20-

$ 0.99 - $ 1

2.5

$ 1.60 - $ 2

$4,

$80,


()

$100

10,000 PC

$1,000

$50-

1 (freshlyharvested) - ()

$8

:Trend Micro, 2007 Threat Report and Forecast (2007), 41, http://trendmicro.mediaroom.com/file.
php/66/2007+Trend+Micro+Report_FINAL.pdf

2.3

,
, , ,
.

.

.
,
, ,
, .
.

.
.


.

.
. ,
,
.



.
,
.
- .
, ,
.
.

, ,
, .
,
.
:
1.

.

.


.
2.
, ,
.
.
3.


.
.


.
, ,
.

Defense-In-Depth (DID)
.
(perimeter) . DID
, , .
( 5).


5.
: Defense Science Board, Protecting the Homeland: Defensive Information Operations 2000 Summer
Study Volume II (Washington, D.C.: Defense Science Board, 2001), 5, http://www.acq.osd.mil/dsb/reports/dio.pdf)


,
. . :
1. (Cryptography)
( /plaintext/ ) ,
(ciphertext ) . (decryption)
.
.
(IPSec, SSH, SSL, VPN, OTP, ..)
:

IETF RFC (http://www.ietf.org/rfc.html)


RSA EMC-

. (http://www.rsa.com/rsalabs/node.asp?id=2152)

2. - - (One-Time Password - OTP) ,
.
. -
.
-
.
3. (Firewall)
,

.
.


4.

.

. , ,
(script code injection), SQL (SQL injection)
(malware) .
.
.

.
:



INSECURE Security Tool (http://sectools.org)


FrSIRT Vulnerability Archive (http://www.frsirt.com/english)
Secunia Vulnerability Archive (http://secunia.com)
SecurityFocus Vulnerability Archive (http://www.securityfocus.com/bid)

,
.
,
.


.


. :
1. , , ,
,
.13
2. - (Intrusion Detection System -IDS)
,
.

.
3. - (Intrusion prevention system -IPS)
,
.

. ,
IP .14

13. Wikipedia, Antivirus software, Wikimedia Foundation, Inc., http://en.wikipedia.org/wiki/Antivirus_software.


14. SearchSecurity.com, Intrusion prevention, TechTarget, http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci1032147,00.html.



, ,
. :
1. (Enterprise security management - ESM) - ,
, .
,

.

,
-
. -
.
2. - (Enterprise risk management-ERM) -


. -

.
-
.

1.
, ? ?
2.
?
3. , ,
? ,
?
,
, ?


1.
?
2.
?
?
3. DID .
?


3.

:


;

.

3.1

-
2001 9 11- -

(Department of Homeland Security)- .

.
,

.
15 ,

, .

:





- 200216 (Cyber Security Enhancement
Act-CSEA) .
,

,
.
: 9/11- ,
- (Electronic Communications Privacy Act-ECPA)
(ISP ) ( ,
- .) . 2001 9 11-
15. The White House, The National Strategy to Secure Cyberspace (Washington, D.C.: The White House, 2003), http://
www.whitehouse.gov/pcipb.
16. Computer Crime and Intellectual Property Section, SEC. 225. Cyber Security Enhancement Act of 2002 (Washington,
D.C.: Department of Justice, 2002), http://www.usdoj.gov/criminal/cybercrime/homeland_CSEA.htm.


- (USA Patriot Act)


ISP- -
,
.
-
.
, , ,
90
.
:

.
: ,
, ,
.

.
: -
,
. 9/11-
5 , 10
. 9/11-
10 , 20
.
20
; ,
.
: ,

.
- (Federal
Information Security Management Act- FISMA)17 2002
.
,
.
: (1)

; (2) / ,
,
.

2006 5 18

.
2002
, i2010
17. Office of Management and Budget, Federal Information Security Management Act: 2004 Report to Congress
(Washington, D.C.: Executive Office of the President of the United States, 2005), http://www.whitehouse.gov/omb/
inforeg/2004_fisma_report.pdf.
18. Europa, Strategy for a secure information society (2006 communication), European Commission, http://europa.eu/
scadplus/leg/en/lvb/l24153a.htm.


2004 -
(European Network and Information Security Agency-ENISA)- .

,
(NIS) ,
( )
.
,
, -
,

. :


, -
:



. ,


;

. ,
.



, ,
. - :


;


. , ,

.

-
,
.



.
:



;
,

;

;
,

.



. :


ISP-
;
, , ,
, ID
,
;
, -
;


;
,

;

.

: Abridged from Europa, Strategy for a secure information society (2006 communication),
European Commission, http://europa.eu/scadplus/leg/en /lvb/l24153a.htm.


2001
(Council of Europe Convention on Cybercrime-CECC)


. , ,
.
2004 CECC-
.19
, -
2004 3 10-

, ,
,
.
2006 5 - (Permanent
Stakeholders Group -PSG) 20-
, -

. - ( 6):
19. Council of Europe, Cybercrime: a threat to democracy, human rights and the rule of law, http://www.coe.int/t/dc/files/
themes/cybercrime/default_en.asp.
20. Paul Dorey and Simon Perry, ed. The PSG Vision for ENISA (Permanent Stakeholders Group, 2006), http://www.enisa.
europa.eu/doc/pdf/news/psgvisionforenisafinaladoptedmay2006version.pdf.


6. -
( : Paul Dorey and Simon Perry, ed. The PSG Vision for ENISA (Permanent Stakeholders Group, 2006),
http://www.enisa.europa.eu/doc/pdf/news/psgvisionforenisafinaladoptedmay2006version.pdf)

1.


. ,

, .
2.


.

,
.
3.



.

. -

,
.
, ,
.


4.

,

NIS- .
5. ,
NIS- ,


.
6.

.

.
7.



.
8.



.
, - ,
,
.
,

.
9.


(ISP/NSP)

. ,

. ISP-
.
: Abridged from Paul Dorey and Simon Perry, ed. The PSG Vision for ENISA (Permanent
Stakeholders Group, 2006),
http://www.enisa.europa.eu/doc/pdf/news/psgvisionforenisafinaladoptedmay2006version.pdf.


-


.

2004
, - (MIC)
.
(Privacy Impact Assessment- PIA)
.
, ,
,


.
: (1) ; (2) , ; (3) -
.
247.89 . (2005 43
, 2006 55.5 2008 80.1 .).
:

,
; ;

.
- , : -

, ,
.
.
- ,
,
. ,
,
,

.
:
,

. ,
(Internet Incident Response Service Centre)

.

. ,
.
,
.


.


21
22
,
.
(Information Security Policy Council)
- (National Information Security Center- NISC)
.
(Cyber Clean Center)-
, ,
.
: (1)
;
(2) YYYY.
- - -
- .
-
.23 4 :
, , .
,
( 4).
4.
,

: NISC, Japanese Government's Efforts to Address Information Security Issues (November 2007), http://
www.nisc.go.jp/eng/.

-

-
;

21. : NISC, Japanese Government's Efforts to Address Information Security Issue (November 2007), http://
www.nisc.go.jp/eng/.
22. Information Security Policy Council, The First National Strategy on Information Security (2 February 2006), 5. http://
www.nisc.go.jp/eng/pdf/national_strategy_001_eng.pdf.
23. Ibid., 11


-

.
- ,

;
, / -
,
.

YYYY .
2007 159 2007
24 .
:



;

;

.

1.
?
2.

?
?

3.2

-
-
- (World Summit on the Information Society-)24
,
.
:










- ,

,

- ,
[]
-
,


25

24. World Summit on the Information Society, Basic Information: About , http://www.itu.int//basic/about.
html.
25. World Summit on the Information Society, Plan of Action (12 December 2003), http://www.itu.int//docs/geneva/
official/poa.htm


(IGF)26 -
.
2 . 2007 11 12-15-
IGF ,
.
27-
, () (Organisation for
Economic Co-operation and Development -OECD)
, , ,
,
. -
- (Working Party on
Information Security and Privacy - WPISP) , ,
-

.
- : 2002
,
28
, :29-
.

2003 , ,
-APEC 2005 .
- : 1980

. 2002
:
, ,
. ,
.
: 1998

. 2002-2003 -
- , - . 2005
- .
2004 - , 2005
. , ,
(pervasive radio frequency identification - RFID), ,
.

26. Internet Governance Forum, http://www.intgovforum.org.


27. This section is drawn from WPISP, Working Party on Information Security and Privacy (May 2007).
28. OECD, OECD Guidelines for the Security of Information Systems and Networks: Towards a Culture of Security (Paris:
OECD,2002), http://www.oecd.org/dataoecd/16/22/15582260.pdf.
29. Ibid., 8.


30-
, - (Asia-Pacific
Economic Cooperation-APEC)
(Telecommunication and Information Working Group - TEL) ,
.
: (Liberalization Steering Group), -
(ICT Development Steering Group), ,
(Security and Prosperity Steering Group)
.
2005


. -
-
.
- 55/6331-
32
. TEL (Cybercrime
Legislation Initiative) (Enforcement
Capacity Building Project)
.
- - (Computer
Emergency Response Teams- CERTs)-
.

.


. , -

.
,
,
TEL-
.


2007 .
- 33
- - .
191 700 , .
-
. (Radiocommunication Sector -)

. (Standardization Sector--) . ,
-
(
) . TELECOM
- .
30. : APEC, Telecommunications and Information Working Group, http://www.apec.org/apec/apec_groups/
som_committee_on_economic/working_groups/telecommunications_and_information.html
31. Combating the criminal misuse of information, which recognizes that one of the implications of technological advances
is increased criminal activity in the virtual world.
32. An Agreement undertaken in Budapest that aims to uphold the integrity of computer systems by considering as criminal
acts any action that violates said integrity. See http://conventions.coe.int/Treaty/EN/Treaties/Html/185.htm.
33. This section is drawn from ITU, About ITU, http://www.itu.int/net/about/index.aspx.


- -
( Action Line C.5), -
(ITU Global Cybersecurity Agenda) -
(ITU Cybersecurity Gateway) .
C.5 (Action Line C.5)- :






-
;

;
;
, ;
,
;
, .

- (ITU Global Cybersecurity Agenda - GCA)


- . GCA
, , ,
.
:






, /

;
,
;
,
,
;
,
;

,
;
,

;
.



. , ,
.
, , , , ,
, .
-

(ITU Cybersecurity Work Programme)- .
:






/ ,




-
StopSpamAlliance.org- ,
,
34, / 35,

36 .
ISO/IEC-
- (Information Security
Management System-ISMS)
.
, ,
.
2005 2
- . : IS
27001 - IS 17799:2005
IS 17799: 2000 .
BS 7799 1995
(British Standards Institution -BSI)
. 1998

1- , 2- . 1-
2- ,
(-- ).
1- 2000 ISO/IEC JTC 1/SC27 WG1- IS 17799 .
, IS 17799 (2,000 ),
2005 11 . IS 17799: 2000 10
126 . 2005 IS 17799 11
133 .
1999 BS 7799- 2-
. 2002 9 ISO 9001 ISO 14001-
. ISO -
BS7799 2- : 2002- ,
ISO27001 .

.


27000 ( : 9000 ,
: 14000 ). IS 17799:2005- IS 27001
-
IS17799:2005- 2007 IS27002 .
34. Suresh Ramasubramanian and Robert Shaw, ITU Botnet Mitigation Project: Background and Approach (ITU
presentation, September 2007), http://www.itu.int/ITU-D/cyb/cybersecurity/docs/itu-botnet-mitigation-toolkit.pdf.
35. ITU-D Applications and Cybersecurity Division, Publications, ITU, http://www.itu.int/ITU-D/cyb/publications/.
36. ITU-D Applications and Cybersecurity Division, ITU National Cybersecurity / CIIP Self-Assessment Tool, ITU, http://
www.itu.int/ITU-D/cyb/cybersecurity/projects/readiness.html.


, ,
JTC1SC27-
27000 .
7- - .
-

.
.
7. ISO/IEC 27001-
(ANSIL, Roadmap ISO/IEC 2700x, ISMS, Forum Eurosec 2007,
http://www.ansil.eu/files/pres-eurosec2007-23052007.pdf)


?
?


1.
?
?
2.
?


4.

,
.

4.1

,
.

, , .
, .
,
.

- . ISO/IEC27001
.
- ISO/IEC27001 BSI BS7799
. BS7799

. BS7799 1-
.
ISO/IEC27001- 2-
.
ISO/IEC27001- 133 11
( 5).
5. ISO/IEC27001-

5.

6.

7.

8.

9.

10.

11.

12.

13.

14.

15.


ISO/IEC27001 - Plan-Do-Check-Act
. ISO/IEC27001-
; 6
; - 3
.
8. ---
(Source: ISO/IEC JTC 1/SC 27)


. , ,
.
. :


(Gap analysis)

. 133 11
.
.
,
.
. , ,
.
.

#1




+ + =
: (2) + (3) + (3) =
(8)
: (2) + (3) + (1) = (6)
: (2) + (1) + (1) =
(5)

:
.
. - Degree of Assurance
.

. ISO/IEC
.
ISO/IEC27001 . 6*
.
6. ,

2863*

11

433

11

368

10

202

10

174

10

108

10

82

74

71

66

54

38

36

28

26

26

26

26

20

20

17

16

15

14

4997

11

4987

: 2008 12 21- .
: International Register of ISMS Certificates, Number of Certificates per Country, ISMS International
User Group Ltd., http://www.iso27001certificates.com.



.
ISMS- ,
- (Federal
Emergency Management Agency - FEMA) 42637- .
426 .

,
- .38
427 ( Primer for the Design of Commercial Buildings to Mitigate Terrorist Attacks), 428
( Primer to Design Safe School Projects in Case of Terrorist Attacks), 429 (
, ,
-Insurance, Finance, and Regulation Primer for Terrorism Risk Management in
Buildings), 430 (), 438 ().
426
, , .
, 426
. 426-
.

. - (Common Criteria - CC)
.
39
-
.

, , , -
.
,
, -
.
.
57 11 136 .
40 9 86 .
-: (Target of
Evaluation-TOE)- .
7- SFR- .

37. FEMA, FEMA 426 - Reference Manual to Mitigate Potential Terrorist Attacks Against Buildings, http://www.fema.gov/
plan/prevent/rms/rmsp426.
38. Ibid.
39. Common Criteria, http://www.commoncriteriaportal.org.


7.

FAU

,
,
, -

FCO

-
.

FCS

FDP

FIA

FMT

()
:
,

FPR

FPT

FRU

FTA

FTP

: Common Criteria, Common Methodology for Information Technology Security Evaluation, September
2007, CCMB-2007-09-004

-: -


. ,

.40 8- -
.

40. Common Criteria, Common Criteria for Information Technology Security Evaluation Part 3: Security assurance
requirements (August 1999, Version 2.1), http://www.scribd.com/doc/2091714/NSA-Common-Critira-Part3.


8.

APE

(Protection
Profile-PP)


,

-

ASE


(Security
Target -ST)


,

-

ADV

- .
ATE AVA

.

AGD

-
-

.

ALC


(Life-cycle
support)

- (Configuration
Management) , , ,
, ,
, , ,



.

ATE



.
.

AVA

-

.

ACO


,




.

: Common Criteria, Common Methodology for Information Technology Security Evaluation, September
2007, CCMB-2007-09-004

-
1. - :

.

. -
.


2. - : -
- , ,
.
- , , , ,
, .

.
- .

.
(Common Criteria Recognition Arrangement)
- (Common Criteria Recognition
Arrangement -CCRA)-
.
, -
,
- .
24 12 (Certificate Authorizing Participants- CAP), 12 (Certificate Consuming Participants- CCPs) .
.
.
2 - .
. -
/
. -
.
9.


4.2
- ,
- , - , - (US
National Institute of Standards and Technology-NIST)
,
. , :





;
;

;
, .


.
500 800 2
. 10- -
.
10. /


(BS7799)
,
ISO27001 (BS7799 2- ), ISO27002 (BS7799
1- ) BS7799 .
11- .
11. BS7799

( 2.0- BS7799 2- : 2002 )


Ver2.0
2002 4 . BS7799 2-: 2002
.
.

. Ver2.0
. ,

.
12- .


12.

(ISO/IEC27001 -
- (Korea Information Security
Agency) , - , BSI
ISO/IEC 27001- . - /

. ISO/IEC27001-
.
-
. 13- -
.
13. -
( : KISA, Procedure of Application for ISMS Certification (2005), http://www.kisa.or.kr/index.jsp)


(- )
(Bundesamt für Sicherheit in der Informationstechnik)
.
, -
.
-
ISO Guide 25[GUI25] EN45001-
- .
- , (-
) (- )
.
, (Baseline protection manual-BPM)
- : 100-X- . :
BSI 100-1 , 100-2, BPM
100-3 41 .

9- .
9.


(Communications
Security Establishment)

MG-4,
,

, ,
(Bureau of
Standards, Meteorology
and Inspection)

CNS 17799 & CNS 17800


(Information
Technology Standards
Committee)

SS493 : 1- (
)
& SS493 : 2- (

)

41. Antonius Sommer, Trends of Security Strategy in Germany as well as Europe (presentation made at the 2006 Cyber
Security Summit, Seoul, Republic of Korea, 10 April 2006), http://www.secure.trusted-site.de/download/newsletter/
vortraege/KISA.pdf.


5.
:
;
;

.

5.1
42
43 . , , ,
- , , ( , ,
), .
, , ,
,
.
, , , .
.

.
:




(.. ,
)
(..
, )
,
(.. CCTV cookies
)
( )


.
.


/ .

42. Cabinet Office, Privacy and Data-sharing: The way forward for public services (April 2002), http://www.epractice.eu/
resource/626.
43. EurLex, Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of
individuals with regard to the processing of personal data and on the free movement of such data, http://eur-lex.europa.eu/
smartapi/cgi/sga_doc?smartapi!celexplus!prod!DocNumber&lg= en&type_doc=Directive&an_doc=1995&nu_doc=46.


5.2
-
1980
- . 2002
: , - - .44
,

.
-

.
.
-
:
1.

, ,
.
2.

, .
3.



.
4.

,
.
5.
, ,
.
6.
,
. ,

, .

44. OECD, Privacy Online: OECD Guidance on Policy and Practice, http://www.oecd.org/document/49/0,3343,en_2649_34255_19216241_1_1_1_1,00.html.


7.

a.
;
b.
;
c. (a), ()
;
d. ,
, , .
5.

.45
-
1960- ,
. UNESCO 1990
-
- .
.

:
1.
, ,
, - ,
.
2.

,
,
,
.
3.

,

:
a. ,
;
b.
;
c.
.
45. To read the entire document where these principles are listed, see the OECD Guidelines on the Protection of Privacy and
Transborder Flows of Personal Data, http://www.oecd.org/document/18/0,2340,en_2649_34255_1815186_1_1_1_1,00.html.


4.
,
,
,
, ,
.
5.
6- , , ,
, , ,
, ,

, .
6.
1-4- ,
, , , ,
( )
, ,

.
5-


.
7.
, ,
,
.
8.

.
, ,

.

.
9.



.
,
.


10.


.

.46
E


,


1995 10 24-
. E-
, .
1- ,

.
, -
.47

.

8- , 95/46/EC (
), 2002/58/EC (- ) 2006/24/EC, 5-
( ) .48
-

. 2005 , 25 , 75
.49 -
.

,
.
.

.

46. The principles are quoted from the Office of the High Commissioner for Human Rights, Guidelines for the Regulation of
Computerized Personal Data Files, http://www.unhchr.ch/html/menu3/b/71.htm.
47. Domingo R. Tan, Comment, Personal Privacy in the Information Age: Comparison of Internet Data Protection Regulations
in the United States and the European Union, 21 LOY. L.A. INTL & COMP. L.J. 661, 666 (1999).
48. Justice and Home Affairs, Data Protection European Commission, http://ec.europa.eu/justice_home/fsj/privacy/index_en.htm.
49. Internet World Stats, Korea, Miniwatts Marketing Group, http://www.internetworldstats.com/asia/kr.htm.


, u-SafeKorea-
-
2005 : (1)
; (2) - ;
(3) ; (4)
.

.
,

.
:
,
.
,
:
,
.
, , ,
.
, (privacy mediation
committee) .
:


.
.
:
,
, ;
.
( )

, .

.


.
-e,
.
1974
.
. , (Office of Management and Budget - OMB)
. (Federal
Trade Commission) ,
.


- :






(Privacy Act), 1974


(Consumer Credit Protection Act), 1984
(Electric Communications Privacy Act),
1986
-- (Gramm-Leach-Bliley Act), 1999
, (Health
Insurance Portability and Accountability Act), 1996
- (Sarbanes-Oxley Act), 2002
(Children's Online Privacy
Protection Act), 1998


1982 -
. 1988
. , 1997
, .
,

(Advanced Information and Telecommunications Society Promotion Headquarters)
.
(Data Protection Authority)-

.



.

.
:







(Act for the Protection of Computer Processed
Personal Data Held by Administrative Organs), 1988
1529 1999
(Regulations of Local Governments enacted in 1999 for
1,529 local governments)
(Act for the Protection of Personal
Information), 2003

(Act on the Protection of Personal Information Held by Administrative Organs), 2003

(Act for the Protection of Personal Information Retained by Independent
Administrative Institutions), 2003
(Board of Audit Law), 2003
RFID (Guidelines for
Privacy Protection with regard to RFID Tags), 2004


1. ,
?
2. , /
?
3. ( - )
,
?

5.3 (PIA)
?
- (Privacy Impact Assessment-PIA)

, ,
.
.
, ,
. ,
.
-

.
, ,

.

- 50
( 10).

50. This section is drawn from Information and Privacy Office, Privacy Impact Assessment: A User's Guide (Ontario:
Management Board Secretariat, 2001), http://www.accessandprivacy.gov.on.ca/english/pia/pia1.pdf.


10.



,

-
.
(Freedom of Information
FOI),





. .




.
.







.

.




.
.

.


.
,
,
,










.

.

: Information and Privacy Office, Privacy Impact Assessment: A User's Guide (Ontario: Management
Board Secretariat, 2001), 5, http://www.accessandprivacy.gov.on.ca/english/pia/pia1.pdf.

-
- :
1. ,
;
2. ;
3. , ;
4. ,
, / .
.
- .


-
11- .
11.

2002

208-
OMB OMB-M-03-22
.

2002 5


.

-
(
)
-

(2004, )
-
(2004, )

-
.


,
A

-
,

(


)


,


,


,



PIA- OMB .



1. ?
2. ?
3. -
?
4. ?


6.


:

(Computer Security Incident Response Team)-
;
-



.
2006
446 . 347 . .
2002 8,9 ,
2004 20 , 2005 50 . .
-
.

6.1 -
,
, , .

.51
1988
. (Defence
Advanced Research Projects Agency)
-
/- .
.
1990
- (Forum of Incident Response and Security
Teams - FIRST) . -
-
.
52
- . ,
,
.
1. ( - )
. ,
51. CERT, CSIRT FAQ, Carnegie Mellon University, http://www.cert.org/csirts/csirt_faq.html.
52. This section is drawn from Georgia Killcrece, Klaus-Peter Kossakowski, Robin Ruefle and Mark Zajicek, Organizational
Models for Computer Security Incident Response Teams (CSIRTs) (Pittsburgh: Carnegie Mellon University, 2003),
http://www.cert.org/archive/pdf/03hb001.pdf.


- . ,
.

.
14.

2.
.

/ .

.
.

. :


, , ;

;

.
15.


3.

. ,
. ,
.
,
.
16.

4. -
.

// .
,
.
,
.
, .


17.

5.
CSIRT .
,
- .
.
.

.

, , , ,
/ /, ,
,
.
18.


- : 53
. ,
.
1- -
1-
.
:
a. -

b. -

c.
d.
e. -

f. - ,

g. , , ,

h.

i.
j.

k.
2- - : 1- ,

2- 1- , -
. 1- ,
.
:
a. - .
,
,

b. -
c.
d. ( )
e.

f. ( ) ,

g. ,

h. - ,

53. This section is drawn from Georgia Killcrece, Steps for Creating National CSIRTs (Pittsburgh: Carnegie Mellon University,
2004), http://www.cert.org/archive/pdf/NationalCSIRTs.pdf.


i.

j. ,

k. , -

3- -
3- , - 1 2-
. :
a.
b. -
( )

c.

d. -
(.. , ,
)
e.
- ,
f. - ,
,
g. -

h. , ( ),

.
4- -
-
, ,
.
. :
a. -
b. -

c. -
d. , ,

e. - ,
5-

(4- ).
, -, -
,
. :
a. , ,
-,


b.
c.
d.
e.

,

-

,
-



.

- 54
- ,
.
- . :
1. ,
,
.
2. ,
, , .
:

, ,
. ,
,
.
,

, ,
.

.

3.
, .
4. , -,

.
5. -
. ,

. ISP- - , -
.
6. - ,
, ,
.

- ,
.

54. This section is drawn from Carnegie Mellon University, CSIRT Services (2002), http://www.cert.org/archive/pdf/CSIRTserviceslist.pdf.


(debugger)
.

- ,
.
.



, .
.

,
. ,
,
.

7. (artifact) ,
, , ,
, , .

-
, .


, -,
,
.

,
.
:
1. , ,
.
-
.
, ,
.
2.
, ,
.
,
.
3. -

, .
4. , , ,
,
, .


5.
, ,
, plug-in .
6. -
,
.
7.
,
.
,

. :
1. ,
,
- .
2.
,
.
3. -
, .
4. -
, , ,
.
5. /- ,
, ,
, ,
,
. , ,
.
6. , -


, .
12- - .. ,
.


12. -


, ,


()

()

: Georgia Killcrece, Klaus-Peter Kossakowski, Robin Ruefle and Mark Zajicek, Organizational Models for
Computer Security Incident Response Teams (CSIRTs) (Pittsburgh: Carnegie Mellon University, 2003), http://www.cert.org/archive/pdf/03hb001.pdf.


6.2 -
,
- .
- ,

.
- 55
41 -,
.
-/ (Computer Emergency Response Team
Coordination Center CERT/CC) - 191 .

. ,
, , ,
.
. :




, , , ,
, ;
, ,
;
;
, ,
;
, ,
.

56
- (Asia-Pacific Computer
Emergency Response Team-APCERT)

2003 2 .
- 2002 .
- 14 -
. 2007 8 14
, 6 .
-
,

.
- ,
.
- :



;

;
,
, ;
;

55. FIRST, About FIRST, FIRST.org, Inc., http://www.first.org/about/.


56. APCERT, Background, http://www.apcert.org/about/background/index.html


-
;

.

57
- (European Government CERT)
- . ,
, , , , , , , .
, :





;
,
, ;
, ;

;
.

, - 58
- -
, .
-
2004 1 . :


-
;
;
- .

- ,
.

6.3 -
- . 13-
- .

57. EGC, http://www.egc-group.org.


58. ENISA, About ENISA, http://www.enisa.europa.eu/pages/About_ENISA.htm.


13. -

Computer Emergency Response Team of the Argentine Public Administration - http://www.arcert.gov.ar
Australia Computer Emergency Response Team - http://www.aucert.org.au
Computer Emergency Response Team Brazil - http://www.cert.br
Brunei Computer Emergency Response Team - http://www.brucert.org.bu
Public Safety Emergency Preparedness Canada - http://www.psepc-sppcc.gc.ca/prg/em/ccirc/index-en.asp
Chilean Computer Emergency Response Team - http://www.clcert.cl
National Computer Network Emergency Response Technical Team - Coordination Center of China - http://www.cert.org.cn
Danish Computer Emergency Response Team - http://www.cert.dk
Response Team for Computer Security Incidents
Finnish Communication Regulatory Authority - http://www.cert.fi
CERT-Administration - http://www.certa.ssi.gouv.fr
CERT-Bund - http://www.bsi.bund.de/certbund
Hong Kong Computer Response Coordination Centre - http://www.hkcert.org
CERT-Hungary - http://www.cert-hungary.hu
CERT-In - http://www.cert-in.org.in
Indonesia Computer Emergency Response Team - http://www.cert.or.id
JP CERT Coordination Center - http://www.jpcert.or.jp
LITNET CERT - http://cert.litnet.lt
Malaysian Computer Emergency Response Team - http://www.mycert.org.my
Universidad Nacional Autonoma de Mexico - http://www.cert.org.mx
GOVCERT.NL - http://www.govcert.nl
Centre for Critical Infrastructure Protection - http://www.ccip.govt.nz
Norwegian National Security Authority - http://www.cert.no
Philippines Computer Emergency Response Team - http://www.phcert.org
Computer Emergency Response Team Polska - http://www.cert.pl


Qatar Computer Emergency Response Team - http://www.qcert.org
Computer Emergency Response Team - Saudi Arabia - http://www.cert.gov.sa
Singapore Computer Emergency Response Team - http://www.singcert.org.sg
Slovenia Computer Emergency Response Team - http://www.arnes.si/english/si-cert
CERT Coordination Center Korea - http://www.krcert.or.kr
IRIS-CERT - http://www.rediris.es/cert
Swedish IT Incident Centre - http://www.sitic.se
Thai Computer Emergency Response Team - http://www.thaicert.nectec.or.th
Computer Emergency Response Team - Tunisian Coordination Center - http://www.ansi.tn/en/about_cert-tcc.htm
TP-CERT - http://www.uekae.tubitak.gov.tr
GovCertUK - http://www.govcertuk.gov.uk
United States Computer Emergency Response Team - http://www.us-cert.gov
Viet Nam Computer Emergency Response Team - http://www.vncert.gov.vn

: CERT, National Computer Security Incident Response Teams, Carnegie Mellon University, http://www.
cert.org/csirts/national/contact.html.

?
1.
.
2.

.


1. - ?
2. - - ?
3. ?


7.

:

;

.


, , , ,
. ,

.

.

.
, 4
: (1) ; (2)
; (3) ; (4) ( 19).

, , ,
,
.
19.


7.1

.

.

, ,
.

.

:

. :



. :





( 3, 6- )
, , (3- )

(4- )
,
(2, 6- )
(5- )

:

. ,
, , .
, ,

. , ,
.

.
.
,

.


:
1. ,
, . , , ;
2. .

,
.
,
, , .
.

. , ,
, .

, , , , -
. , .

.

. 20-
.
.
.
20. ,

,
.

.
2-
.

. ,
:


,

.
.
:





.

.

7.2

: (1)
; (2) ,
; (3)
; (4) / ;
(5) .
1. ,
,
.
,
.
,

.

.


.
.
2.
59

. 21-
.
59. This section is drawn from Sinclair Community College, Information Security Organization - Roles and Responsibilities, http://www.sinclair.edu/about/information/usepolicy/pub/infscply/Information_Security_Organization_-_Roles_and_Responsibilities.htm.


21.

,
.
.
,
.
,
.

, ,
.
(, , ..)
,
, , .


.
,

.
()
, .
,

.
. :



,
,


,
,


,

,

. ,
,
, ,

, ,
.


.
-
,

, .
, .
, ,
,
2 .
(CISO) ,

. ,
, ,
,
, ,
, ,
.
,
,

.
, , .

.

.
, ,
,
.




,
. ,

( )- .
.
,
.

,

.
ID- .
3.


. (,
, , )- ,
, , ,
. 22-
.
22.



. 5 . :
. : , ,
.
, :






,

.

, :





. : ,
, .

:







,
,



,


. :








( , .)

. :
. ,

. .
:



. , :
.

.

:






, , ,






-

. .
:

, ,

:
, .
:


,
,

. , :
,
, .
:





,
,


,
,


4.
/
.
. 14-16-
,
.

.

.
14.




ID-

/ , ,
- ./

15.


( 2002/21/EC)



(1995/46/EC)


6-24
(2004, 2005
)



( 2000/31/EC)



(2000/31/EC)


16. -



2002

1999 -

2002
-

2003

5.
. 17-
.
17. -

                     2004                   2005
  (a)                848,967,000,000,000    855,195,000,000,000
  (b)                267,000,000,000        288,000,000,000
  (b) as % of (a)    0.03%                  0.03%

                     2006                   2007
  (a)                2,709,000,000,000      2,770,000,000,000
  (b)                5,512,000,000          5,759,000,000
  (b) as % of (a)    0.203%                 0.208%

(Row labels and units were lost in extraction; in each block the third row equals the second row expressed as a percentage of the first.)





. :
1.
2.
3.
4.
5.


5
.
.
1.
?
2. ?

?
3. ?
4.
?
5. ?
?

7.3 ,
,

. 23-
.


23.


18-
,
.
18.

, :

, :


:


:

:

:

:

:


, ,
( .) -
, . . ,
, ,
.

.
19. ,

, :
,

, :
,
ISP-:

:
,

,


,
,
,
,
. ,

.


20.

:
, , ,

:
, ,
:

,
:


:
,

: ,

:

, , /
- ,


, ,
.
.
.
. ,
.

.
US SP 800-16 (
) .
21. ,

- :

:

: ,
,

ISP, , :
, /

, /



,
,
.
22.

:
,

: /, /
,
:

:

:
,
,





.
.
, ,
/ . (
)
.

.

1.

.
.
2. 23-

, .


7.4


, .
.

. .

, .

. ,

.

.
.

.
() -
,

.


1.
? ?
, ?
2.
?




Butt, Danny, ed. 2005. Internet Governance: Asia-Pacific Perspectives. Bangkok: UNDP-APDIP. http://www.apdip.net/publications/ict4d/igovperspectives.pdf.
CERT. CSIRT FAQ. Carnegie Mellon University. http://www.cert.org/csirts/csirt_faq.html.
CERT. Security of the Internet. Carnegie Mellon University. http://www.cert.org/encyc_article/tocencyc.html.
Dorey, Paul and Simon Perry, ed. 2006. The PSG Vision for ENISA. Permanent Stakeholders Group. http://www.enisa.europa.eu/doc/pdf/news/psgvisionforenisafinaladoptedmay2006version.pdf.
ESCAP. Module 3: Cyber Crime and Security. http://www.unescap.org/icstd/POLICY/publications/internet-use-for-business-development/module3-sources.asp.
Europa. Strategy for a secure information society (2006 communication). European Commission. http://europa.eu/scadplus/leg/en/lvb/l24153a.htm.
Information and Privacy Office. 2001. Privacy Impact Assessment: A User's Guide. Ontario: Management Board Secretariat. http://www.accessandprivacy.gov.on.ca/english/pia/pia1.pdf.
Information Security Policy Council. 2006. The First National Strategy on Information Security. 2 February 2006. http://www.nisc.go.jp/eng/pdf/national_strategy_001_eng.pdf.
ISO. ISO/IEC 27001:2005. http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=42103.
ITU and UNCTAD. 2007. Challenges to building a safe and secure Information Society. In World Information Society Report 2007, 82-101. Geneva: ITU. http://www.itu.int/osg/spu/publications/worldinformationsociety/2007/report.html.
ITU-D Applications and Cybersecurity Division. ITU National Cybersecurity/CIIP Self-Assessment Tool. ITU. http://www.itu.int/ITU-D/cyb/cybersecurity/projects/readiness.html.
Killcrece, Georgia. 2004. Steps for Creating National CSIRTs. Pittsburgh: Carnegie Mellon University. http://www.cert.org/archive/pdf/NationalCSIRTs.pdf.
Killcrece, Georgia, Klaus-Peter Kossakowski, Robin Ruefle and Mark Zajicek. 2003. Organizational Models for Computer Security Incident Response Teams (CSIRTs). Pittsburgh: Carnegie Mellon University. http://www.cert.org/archive/pdf/03hb001.pdf.
OECD. 2002. OECD Guidelines for the Security of Information Systems and Networks: Towards a Culture of Security. Paris: OECD. http://www.oecd.org/dataoecd/16/22/15582260.pdf.
OECD. OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. http://www.oecd.org/document/18/0,2340,en_2649_34255_1815186_1_1_1_1,00.html.
Shimeall, Tim and Phil Williams. 2002. Models of Information Security Trend Analysis. Pittsburgh: CERT Analysis Center. http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.11.8034.
The White House. 2003. The National Strategy to Secure Cyberspace. Washington, D.C.: The White House. http://www.whitehouse.gov/pcipb.




, ,
. ,
.
, .

, .
,
-
.
: http://www.unapcict.org/academy


90

, . ( 1 5-
). Stress the need for appropriate and effective information security and privacy protection policy.
3
. ,
.
. (2- ). ,
,
,
.
(6 )

-
. (7- )

.

- .
-
, -
.
(7.2- ).

.
- (3 4- ), /CSIRT/-
(6- )- .
-
1
.



.

.
- ,
. , -
.


-
(KISA)-
- (KISA)

1996 .
, , ,
, ,
,
,
.


/UN-APCICT/ -
- ,
- - , (UN-APCICT)
- , , (ESCAP)
. UN-APCICT- , ,
-
:
1. . - ,
, - , ;
2. . - ;
3. . - ,
.
UN-APCICT - .
http://www.unapcict.org

/ESCAP/ - ,

ESCAP - - ,
, . 53 , 9
.
,
.
,
, .
.
http://www.unescap.org


-

http://www.unapcict.org/academy

8 -
, ,
, -
.
1- -
- -
.
2- , ,
- ,
, , .
3-
, , .
.
4- -
- , . .
5-
,
.
6- , ,
, ,
.
7- -
- ,
, ,
.
8- -
-
. -
.

,
. . ,

, 21- - .
(AVA http://ava.unapcict.org)

,


(e-Co Hub http://www.unapcict.org/ecohub)
- ,

, e-Co Hub- ,
- , .
AVA e-Co Hub .
http://www.unapcict.org/join_form
