CAJ | 학술논문

在信息系统安全保障体系建设过程中，一般会把信息系统安全建设分为三大体系，即技术体系、管理体系以及运维体系。那么在实际操作中，如何进行三大体系的建设？三者之间有什么关系？如何让三大体系进行有机结合，形成一套动态的信息系统安全保障体系？文中首先阐述了通过等级保护的相关技术标准，来建立信息系统安全技术体系架构，并提出了基于等级保护的信息系统安全保障体系架构模型；然后阐述了如何通过等级保护或ISO27001来建立安全管理体系；其次分析了建立安全运维体系所必须具备的三大条件；最后论述了在建立和完善三大体系的同时，如何才能把技术和管理结合起来，如何才能把静态防护与动态监控结合起来，从而构建一套动态的信息系统安全保障体系。
재신식계통안전보장체계건설과정중，일반회파신식계통안전건설분위삼대체계，즉기술체계、관리체계이급운유체계。나요재실제조작중，여하진행삼대체계적건설？삼자지간유십요관계？여하양삼대체계진행유궤결합，형성일투동태적신식계통안전보장체계？문중수선천술료통과등급보호적상관기술표준，래건립신식계통안전기술체계가구，병제출료기우등급보호적신식계통안전보장체계가구모형；연후천술료여하통과등급보호혹ISO27001래건립안전관리체계；기차분석료건립안전운유체계소필수구비적삼대조건；최후논술료재건립화완선삼대체계적동시，여하재능파기술화관리결합기래，여하재능파정태방호여동태감공결합기래，종이구건일투동태적신식계통안전보장체계。
In the building up of infosec assurance system, the security building-up of information system is generally divided into three systems, that is, the technical system, management system and operation and maintenance system. So how to build up the three systems, what is the relations among between the three systems, and how to make an organic integration of the three systems and form a dynamic infosec assurance system in practice, become the in-depth discussions in this paper. This paper first describes the relevant technical standards of classified protection, the establishment of an infosec technical architecture and the model of infosec architecture based on classified protection; then tells of the establishment of safety management system by classified protection or ISO 27001 and the three conditions in building up the secure operation and maintenance system; finally treats of the establishment and improvement of the three systems, including how to integrate technology and management, static protection and dynamic monitoring, and thus to construct a dynamic infosec assurance system.