SystemRiskControl 20210411.ppt [Compatibility Mode]

<<Accounting Information Systems Course Notes>> Enterprise Information System Risk and Control ~ Computer Fraud, and the COSO, COBIT and PKI Frameworks ~ 周國華, Department of Accounting, National Pingtung University. First edition: 2007/12/10. This revision: 2021/04/11


Outline (slide titles lost in extraction; topics that survive: RACI, IT, CERT/CC and CSIRT, COBIT, ERM, PKI)



SARS
– industry risk
– enterprise risk
– business process risk
– information process risk
• Romney and Steinbart (AIS, 2017)
– botnet, bot herders; zombies
– denial-of-service attack
– eavesdropping
– hacking
– hijacking
– identity theft
– key logger


– R. T. Morris 1989 1986 MIT
• CERT – TWCERT/CC
First.org CERT
CSIRT
• CERT/CC
• CSIRT, First.org 10
(Computer Security Incident Response Team)
– TWNCERT
– CCCSIRT
– ICRD-CSIRT
– Onward Security
– QNAP PSIRT
– Synology PSIRT
– TWCERT/CC
– detective control
– corrective control
– Foreign Corrupt Practices Act (1977)
– Statements of Auditing Standards (SAS) No. 78 & 94 – Sarbanes-Oxley Act (2002, SOX)
– Dodd-Frank Act (2011, Dodd-Frank Wall Street Reform and Consumer Protection Act), 2008
3-1


3-2



3-3










COSO 2-1

risk assessment
COSO 2-2
information and communication
monitoring
• COSO (ERM, 2004) 48 4
COSO 1992

COBIT
• ISACA, 1996: COBIT (Control Objectives for Information and related Technology); IT (ITGI), 1998 ITGI
– COBIT 4.1 (2007), COBIT 5 (2012); COBIT 5: COBIT 4.1, Val IT 2.0, Risk IT; COBIT 2019
COBIT 4.1
• COBIT IT

– PO1.2 IT
– PO1.3
– PO1.4 IT
– PO1.5 IT
– PO1.6 IT
– PC2
– PC5 IT
– PC6
RACI
• COBIT RACI
– IT application control, IT
– IT general control

– AC2
IT (0) to (5)
0 1 2 3 4 5
• AIS

• public key infrastructure (PKI); digital signature
• 2002/4/1 PKI






– public key, private key; SSL (Chrome)



– … CA
– CA
ISACA
– CISM (certified information security manager) ISACA
• AICPA
– WebTrust CA
– CFE 125
• certified internal auditor (CIA)
– IIA
– CIA (125) (100) (100)