For Public Institution Information Systems - tta.or.kr - KS A ISO 22300:2012 Societal security – Terminology - KS A ISO 22301:2012 Societal security – Business continuity management


  • TTA Standard

    TTAK.KO-12.0009/R1 : 2013 12 18

    A Guide to the Contingency and Disaster Recovery Plan for the Public Information Systems

    TTA , TTA .

    Copyright Telecommunications Technology Association 2013. All Rights Reserved.

  • ()

    TTAK.KO-12.0009/R1i

    1.

    .

    2.

    1) , 2) , 3)

    3 .

    / .

    .

    3.

    , .

    4. ()

    4.1. ()

    - .

    4.2.

    - KS A ISO 22300:2012,

    - KS A ISO 22301:2012,

    - KS X ISO IEC 24762:2008,

    5. ()

    5.1. ()

    TTAS.KO-12.0009

    .


    TTAK.KO-12.0009/R1 KS A ISO 22301:2012 KS X ISO IEC

    24762:2008

    1. - - -

    2. - - -

    3. () - - -

    4. - -KS X ISO IEC

    22300

    5.

    - -

    6.

    - - -

    6.1.

    - - -

    6.2. 4. ~7. -

    6.3. - - -

    6.4. 9.~10. -

    7.

    -

    5.6 ,

    7.

    5.2. ()

    6.

    TTA .

    ,

    .

    .

    7.

    7.1.

    - .

    7.2.

    - .


    8.

    8.1.

    1 2000.03.28.

    TTAS.KO-12.0009

    2 2013.12.18.

    TTAK.KO-12.0009/R1

    8.2.

    .

    TTAK.KO-12.0009/R1 TTAK.KO-12.0009

    1. 1.

    2. 2.

    3. ()

    4.

    5. 3.

    6. 4.

    7. 5.

    1.

    2.

    A. 3.

    4.

    5.

    6.

    I.


    Preface

    1. Purpose of Standard

    The purpose of this guideline is to help public organizations establish their own business continuity plans by providing methodologies and related information on contingency management and disaster recovery, in order to improve the continuity of public information system services.

    2. Summary of Contents

    This guideline presents the current trend in business continuity management and the related concepts. The activities of business continuity management are explained for the three phases of a business continuity management system: 1) planning, 2) operation, and 3) review and improvement. The major processes and activities, the required techniques, and the tools and methods are given for each phase. Because public organizations usually outsource their information systems environment, the issues and management practices of outsourcing are also explained.

    3. Applicable Fields of Industry and its Effect

    This standard can be used by the information systems staff in charge of contingency planning and disaster recovery in public organizations, and in establishing business continuity and planning contingency and disaster recovery procedures.

    4. Reference Standards(Recommendations)

    4.1. International Standards(Recommendations)

    - None.

    4.2. Domestic Standards

    - KS A ISO 22300:2012 Societal security - Terminology

    - KS A ISO 22301:2012 Societal security - Business continuity management systems - Requirements

    - KS X ISO IEC 24762:2011 Information technology - Security techniques - Guidelines for information and communications technology disaster recovery services


    TTAK.KO-12.0009/R1 | KS A ISO 22301:2012 | KS X ISO IEC 24762:2008 | Remarks

    1. Introduction | - | - | -

    2. Constitution and Scope | - | - | -

    3. Reference standards (Recommendation) | - | - | -

    4. Terms and Definitions | - | - | Selected from KS A ISO IEC 22300

    5. Concepts of business continuity management | - | - | -

    6. Methodology on establishing business continuity management | - | - | -

    6.1. BCM Process | - | - | -

    6.2. Planning phase | 4. Context of organization ~ 7. Support | - | Abstract introduction

    6.3. Operation phase | - | - | -

    6.4. Review and improvement phase | 9. Performance evaluation ~ 10. Improvement | - | Abstract introduction

    7. Consideration on outsourcing environment | - | 5.6 Outsourcing arrangements, 7. Outsourced service providers capability | Introduction and providing further reference

    5. Relationship to Reference Standards(Recommendations)

    5.1. Relationship of Reference Standards(Recommendations)

    This standard is a revision of TTAS.KO-12.0009, A Guide to the Contingency and Disaster Recovery Plan for the Public Information Systems, reflecting global and local trends in business continuity management.

    5.2. Differences between Reference Standard(Recommendation) and this Standard


    Edition | Issued date | Outline

    The 1st edition | 2000.03.28. | Established (TTAS.KO-12.0009)

    The 2nd edition | 2013.12.18. | Revised (TTAK.KO-12.0009/R1)

    6. Statement of Intellectual Property Rights

    IPRs related to the present document may have been declared to TTA. The information pertaining to these IPRs, if any, is available on the TTA website. No guarantee can be given as to the existence of other IPRs not referenced on the TTA website. Please make sure to check before applying the standard.

    7. Statement of Testing and Certification

    7.1. Object of Testing and Certification

    - None.

    7.2. Standards of Testing and Certification

    - None.

    8. History of Standard

    8.1. Change History


    TTAK.KO-12.0009/R1 | TTAK.KO-12.0009 | Remarks

    1. Introduction | 1. Introduction | Revised

    2. Constitution and scope | 2. Constitution and scope | Revised

    3. Reference standards (Recommendations) | - | Added

    4. Definitions | - | Added

    5. Concepts of business continuity management | 3. Concepts of business continuity management | Revised by addition

    6. Methodology on establishing business continuity management | 4. BCM Processes and activities | Revised by rearrangement and addition

    7. Consideration on outsourcing environment | 5. Common applications of BCM | Revised by addition

    - | Appendix 1. Definitions | Deleted

    - | Appendix 2. List of business continuity management processes and actions | Deleted

    Annex A. Business continuity management output samples | Appendix 3. Format of major BCM outputs | Equivalent

    - | Appendix 4. Method on business impact measurement for business impact analysis | Deleted

    - | Appendix 5. Example of business continuity planning policy | Deleted

    - | Appendix 6. Case studies of BCM | Deleted

    Appendix I. References | References | Revised by addition

    8.2. Revisions

    Current trends in business continuity management and the outsourcing service environment are added.


    1. 1

    2. 2

    3. () 2

    4. 2

    5. 5

    5.1. 5

    5.2. 7

    5.3. 9

    6. 11

    6.1. 11

    6.2. 13

    6.3. 17

    6.4. 50

    7. 55

    7.1. 55

    7.2. 55

    7.3. 57

    7.4. 57

    7.5 58

    A. 60

    . 64


    Contents

    1. Introduction 1

    2. Constitution and Scope 2

    3. Reference Standards (Recommendations) 2

    4. Terms and Definitions 2

    5. Concepts of Business Continuity Management 5

    5.1. Disaster Recovery Concepts Change 5

    5.2. New Trend on Business Continuity Management 7

    5.3. Relationships on Business Continuity Management and Related Elements 9

    6. Methodology on Establishing Business Continuity Management 11

    6.1. BCM Process 11

    6.2. Planning Phase 13

    6.3. Operation Phase 17

    6.4. Review and Improvement Phase 50

    7. Consideration on Outsourcing Environment 55

    7.1. General Consideration and Accountability When Outsourcing 55

    7.2. Business Impact Analysis and Risk Analysis 55

    7.3. Consideration on Outsourcing Contract 57

    7.4. Control on Outsourcer 57

    7.5. Required Changes on Business Continuity Plan 58

    Annex A. Business Continuity Management Output Samples 60

    Appendix. References 64


    (A Guide to the Contingency and Disaster Recovery Plan

    for the Public Information Systems)

    1.

    1.1.

    . 2009

    2 ,

    2011 SSO/LDAP

    6 .

    ,

    .

    .

    1.2. ICT

    ICT

    .

    ,

    .

    , , , .

    , , , ,

    .

    , ,

    .


    1.3. ICT

    .

    . ,

    (business continuity management)

    .

    .

    ,

    .

    ,

    .

    2.

    . 4 5

    . 6

    1) , 2) , 3) 3

    .

    / .

    7 .

    3. ()

    - KS A ISO 22300:2012,

    - KS A ISO 22301:2012,

    - KS X ISO IEC 24762:2008,

    4.

    4.1.

    KS A ISO 22300:2012 .


    4.1.1. (Business continuity)

    (disruptive incident)

    [ISO 22300]

    4.1.2. (risk)

    [KS A ISO/IEC GUIDE 73]

    1 .

    2 (, , ) ,

    (, , , ) .

    3 , .

    4 ( )

    .

    5

    () .

    4.1.3. (risk management)

    [KS A ISO 22300]

    4.1.4. (disaster)

    ,

    , , [KS A ISO

    22300]

    4.1.5. (incident)

    , ,

    [KS A ISO 22300]

    4.1.6. (mitigation)

    , , ,

    [KS A ISO 22300]


    4.1.7. (policy)

    (2.2.9)

    4.1.8. (objective)

    1 , .

    2 (, , )

    , [ , ,

    ] .

    3 , , ,

    [, (aim), (goal)

    (target)] .

    4.1.9. (management system)

    (2.2.9)

    ,

    1 .

    2 , , , .

    3 , ,

    1 .

    4.1.10. (business impact analysis)

    4.1.11. (organization)

    , ,

    1 , ,

    , , , , , ,

    .


    4.1.12. (performance)

    1 .

    2 , , ( ),

    .

    4.1.13. (monitoring)

    ,

    1 , .

    5.

    5.1.

    5.1.1.

    1960 ,

    .

    ,

    .

    .

    .

    . ,

    ,

    , .

    5.1.2.

    . 1970

    .

    grandfather-father-son" 3 .

    ,

    .

    . (data vaulting)

    .


    5.1.3.

    1980

    .

    SunGard, Comdisco, CHI/COR

    .

    ComPAS, RecoveryPAC, Rexsys, Sunrise TRPS

    . 80

    ( Seattle , LA , )

    .

    ,

    , ,

    ,

    .

    (first-come first-serve)

    .

    5.1.4.

    1990 ,

    ,

    .

    ,

    (business issue) .

    .

    (business

    continuity plan), / (business recovery/resumption plan)

    1990 .

    5.1.5.

    2001

    . (Back-up) 2


    100% , Bank Of America

    , 2

    ,

    .

    , CIT ,

    SARS

    .

    ,

    ,

    .

    .

    5.2.

    5.2.1.

    .

    ,

    . , ,

    , ,

    .

    , .

    . ,

    ,

    , , ,

    .[ISO

    22300]

    5.2.2.

    , .

    . ,

    , , , ,

    , , .


    ICT ,

    ,

    ,

    ,

    .

    5.2.3.

    ----- - 7 .

    ,

    .

    ---

    .

    ,

    .

    . , , ,

    , , ,

    . 4

    -- 3 .

    ,

    .

    , ,

    ,

    .

    , ,

    . 6 .

    5.2.4.

    ,

    .

    KS A ISO/PAS 22301:2012 ISO/IEC 22301:2012

    . 2010 (BS 25999)

    2014

    ISO .


    5.3.

    5.3.1.

    .

    (business strategy) (technology strategy)

    .

    .

    , ,

    .

    , .

    .

    .

    5.3.2.

    (contingency plan) (disaster recovery plan)

    ,

    .

    (availability

    management) ,

    .

    .

    .

    (business issue)

    , .

    5.3.3.

    .

    .

    ;


    ( , )

    .

    .

    .

    . .

    IT IT

    .

    . IT ,

    .

    .

    .

    .

    ;

    ,

    (outsourcing) , ,

    , 3

    ,

    , ,

    , , ,

    .

    .

    (upgrade) . ,

    , .

    (safety-net)

    .


    .

    .

    , ,

    .

    .

    IT ,

    IT .

    ,

    , IT

    .

    ,

    .

    6.

    6.1.

    6.1.1.

    5.2.3 3 .

    , , . .

    .

    , ,

    . ,

    -

    ,

    - ,

    - ,

    -


    .

    ,

    .

    -

    -

    -

    - .

    .

    ,

    ,

    .

    . , , ,

    , .

    -

    -

    - .

    6.1.2.

    , 3 1

    , 2

    . , 2

    3

    .

    ,

    . , , , , IT ,

    ,

    .


    6.2.

    6.2.1.

    .

    ,

    . .

    - , , , , ,

    -

    - ( )

    -

    , .

    -

    -

    -

    -

    .

    .

    .

    , ,

    .

    .

    .

    ,

    .

    .

    , ,

    ,


    .

    (, , )

    ,

    .

    6.2.2.

    .

    ,

    .

    .

    ,

    .

    . . . . . . . .

    .

    .

    ,

    ,

    .

    . , .

    ,

    .


    -

    -

    - ( )

    .

    .

    .

    ,

    .

    6.2.3.

    .

    ,

    . , ,

    ,

    .

    ,

    .

    ,

    .

    .

    ,

    .

    .

    .

    ,

    .

    . , .

    , .


    , ,

    , , , .

    6.2.4.

    .

    .

    .

    ,

    . ,

    .

    , ,

    .

    , .

    .

    ,

    , .

    ,

    .

    .

    .

    -

    -

    -

    .

    -

    - , , ,

    - ,


    -

    - ,

    -

    6.3.

    6.3.1.

    , 6.1

    , .

    a)

    b)

    c)

    , .

    .

    6.3.2.

    .

    1)

    (BIA, Business Impact Analysis)

    , . (risk analysis)

    ,

    .

    ,

    .

    ,

    , .

    ,

    .

    .


    2)

    (BIA) . ,

    . ,

    .

    :

    , ,

    , ,

    , ,

    , ,

    (BIA) :

    (impact scenario)

    (potential business impact)

    (business process)

    . (, )

    . , ,

    . ,

    .

    ,

    .

    .

    :

    (BPR: Business Process Re-engineering)

    (organizational information models)

    .


    .

    ,

    .

    3)

    , (disruption) .

    ( ) ,

    .

    .

    , , , ,

    .

    . , ,

    , ,

    . , 1-2

    .

    15 , 1, 3, 12, 1, 2, 1, 2, 1, 2

    .

    ( )

    , .

    4)

    .

    . (financial or hard)

    (non-financial or soft) ( ) .

    , .

    .

    l - ( ), , (

    ), (goodwill or credibility) , .


    l () - , ,

    , , , .

    (marginal) . ,

    1,000,000 400,000 ,

    600,000 . ,

    .

    ,

    . ( , HAWK,

    CCTA's CRAMM )

    .

    5)

    .

    .

    .

    :

    12 , 1

    .

    2 .

    2 , 4

    .

    .

    6)

    , , .

    , .

    , , ,

    .

    :

    -

    -

    -


    1.

    2. ( )

    3.

    4.

    5. , (, ),

    (, IBM AS400),

    6. . 5

    .

    7. . 6

    (network access points) .

    8. , ,

    9.

    10. .

    .

    - ,

    -

    -

    (minimum requirements)

    .

    . ,

    , , .

    .

    . ,

    , , ,

    .


    A

    ()20 12

    20 486/50

    3

    1

    2

    Bridge 1

    X.25 Switch 1

    Mega Stream A 1 2Mps

    Telesales S/W 20 lcopy

    B 50 2

    50 486/50

    3

    1

    4

    Bridge 2 A

    X.25 Switch 1 A

    Mega Stream B 1 8Mps

    Telesales S/W 50 lcopy

    /

    15

    1 3 12 1 2 1 2 1

    2

    ()

    A

    B

    C

    20

    10

    50 30

    50

    50

    20

    30 50 30 50 70

    A

    B

    C

    20

    10

    50

    30

    30 80

    A

    B

    C

    4

    2

    6

    , ,

    6)

    .

    .


    Tier1

    +

    ()86 4

    Tier2 ()+

    32 24

    Tier3

    122

    21

    (0~2 )

    Tier4 ~

    Tier6 779

    21 ~ 45

    (

    )

    Tier7 - - 5

    1,024

    Tier 1 3

    Tier 2 3 24

    ()

    Tier 3

    24 , 7

    , 24

    Tier 4 7 , 21

    Tier 5 45 ,

    Tier 6

    Tier 7

    .

    .


    1 58 4

    2 54 24

    - 54 21

    - 00

    - ,

    ,

    -

    -


    .

    1)

    ,

    (risk assessment) . (BIA)

    .

    .

    -

    -

    -

    2)

    (asset) (threat)

    .

    ,

    . , , /

    , /, , , ,

    .

    .

    ( (severity)) . (source)

    (internal & external) , (perpetrator)

    (human & non-human) , (intent)

    (accidental & intentional) (Loch,

    Carr, and Warkentin, 1992). , , ,

    .

    , (, , , ),

    (, , ,

    , ,

    , , ),

    ( ),

    ( , , ,

    ) .


    3)

    (threat)

    (vulnerability) .

    , , , ,

    .

    . ( , , ,

    , ), (,

    , , , , ), (,

    ) .

    . ,

    .

    -

    -

    -

    -

    -

    -

    4)

    .

    , .

    .

    .

    (ALE, Annual Loss

    Expectancy).

    .

    , (exponential)

    . ,

    , .

    100 200 , 100

    , .

    . ,

    10(100 k$) , (ALE) 400

    .


    ($)

    1 100 1 k 10 k 100 k 1m 10m 1b

    1 min 526 52,6k 525.6k

    1 hour 9 876 8.8k 87.6k 876k

    1 day 37 365 3.7k 36.5k 365k

    1week 5 52 521 5.2k 52.1k 521.4k

    1month 1 12 120 1.2k 12k 120k

    3month 4 40 400 4k 40k

    1 year 1 10 100 1k 10k 1m

    5 year 2 20 200 2k 200k

    10 year 1 10 100 1k 100k

    20 year 1 5 50 500 50k

    50 year 2 20 200 20k

    100 year 1 10 100 10k

    300 year 3 33 3.3k

    ALE

    5)

    , , (questionnaires), (fuzzy metrics) .

    , , , , ,

    , (stochastic dominance) .

    , , , ,

    . /

    . Perry & Kuong(1981)

    .

    - :

    - : /

    - :

    - :

    - :

    - :

    - :

    .


    .

    .

    .

    (value chain analysis) (Rainer, Snyder & Carr,

    1991).

    .

    6.3.3.

    . .

    :

    -

    -

    -

    .

    .

    ,

    :

    -

    - ,

    - , ,

    - ,


    .

    S/W

    ,

    ,

    .

    1.

    .

    2.

    .

    3.

    4.

    a.

    b.

    c. PC/

    call-off

    /

    .

    .

    5. 3

    .

    6.

    7.

    .

    8.

    .

    S/W

    1.

    .

    2.

    s/w

    ,

    1. S/W

    2.

    3. S/W

    .


    1. (,

    , , CD-ROM)

    ,

    2. (journalling),

    (vaulting)

    ,

    3.

    ,

    ,

    1.

    2.

    3.

    (node)

    4.

    5.

    PABX

    ACD

    1. ,

    ,

    PABX

    .

    ,

    .

    1. .

    2.

    3.

    4.

    1.

    / .

    2.

    .

    3.

    -


    .

    , ,

    1.

    .

    .

    2. /

    ,

    3.

    a.

    b.

    .

    4. 3(,

    ) 3 .

    5. .

    .

    6. (:

    ) .

    1. .

    2. (fiche)

    .

    3. /

    3 . .

    1.

    .

    2.

    3.


    H/W

    S/W

    DBMS

    DBMS SQL(Structured

    Query Language)

    DBMS

    6-9>

    .

    .

    .

    .

    -

    - , , , , ,

    , ,

    - , ,

    , , .

    -

    .

    .

    . ,

    .

    - /

    -

    -

    - CCTV


    , ,

    , , ,

    , , CCTV , ,

    , ,

    , , ,

    ,

    , , ,

    ,

    , ,

    , ,

    6-10>

    -

    - , , , ,

    .

    .

    .

    .

    CCTA(Central Computer and Telecommunications Agency, 1990)

    9

    .

    1) (do nothing) -

    .

    .

    2) (clerical backup procedures) -


    .

    3) (reciprocal arrangement) -

    ,

    .

    (change management system) .

    4) (the "fortress" approach) -

    ,

    . ,

    .

    5) ("cold" start fixed centre) -

    cold start

    . , , ,

    .(provision of a building

    accommodation only) .

    , ,

    , .

    6) ("cold" start portable

    centre) - 5) .

    . ( , )

    ,

    3 10

    .

    7) ("hot"

    start- external) - hot start , ,

    ( )

    (provision of computer

    accommodation accommodation and equipment) .

    .

    , ,

    .

    ,

    , .

    ,

    .


    8) ("hot" start-internal) -

    7) ,

    .

    ,

    .

    9) (mobile hot start

    or "computer on the back of a lorry") -

    .

    . ,

    .

    , ,

    ,

    .

    6.3.4.

    . .

    -

    -

    -

    -

    -

    .

    . :

    - , , (Command, Control, and Communication)

    -

    -

    1) , ,

    , ,


    ( 6-1) , ,

    . ( 6-1) /, ,

    , ,

    .

    ) /

    /

    :

    (, , )

    )

    / .

    ,

    .

    .

    , , , , , , ,


    , ,

    (Salvage)

    .

    .

    .

    .

    )

    .

    .

    .

    )


    .

    . :

    / , .

    .

    .

    .

    .

    .

    .

    2)

    , , , ,

    , , ,

    . ,

    . ( 6-2)

    .

    ( 6-2)

    :

    : ,


    ( 6-3) ''

    :

    :

    . ( 6-2)

    .

    ( 6-3)

    ;

    - /

    - , , /

    -

    , , , ,

    .

    / .

    3)

    :

    -

    -


    -

    ,

    .

    .

    1)

    , ,

    . :

    - , , ,

    -

    -

    -

    -

    -

    -

    -

    -

    , ,

    .

    :

    -

    -

    )

    .

    -

    -

    -

    :


    -

    - , , ,

    - , ,

    ,

    - (mobile service) ,

    -

    )

    , ,

    .

    . , ,

    .

    2)

    ,

    .

    .

    .

    1)

    ;

    - : , , ,

    - :

    - :

    . :

    -

    -


    )

    ;

    -

    -

    -

    -

    )

    :

    -

    -

    .

    .

    .

    .

    .

    2)

    :

    - /

    - , , /

    -

    )

    :

    -

    -

    -

    -

    - , , 3


    -

    -

    / .

    / .

    )

    .

    .

    :

    -

    -

    -

    - , , ,

    -

    - (:

    )

    -

    )

    .

    .

    .

    .

    -

    - , ,

    -

    - (ex , LAN)

    -

    -


    .

    )

    . ,

    .

    .

    .

    - , ,

    - , ,

    -

    -

    -

    .

    .

    .

    ,

    .

    )

    , .

    .

    . ,

    ,

    .

    .

    :

    -

    -

    )

    /

    .


    , , . ,

    .

    , , ,

    .

    3

    :

    -

    - FAQ

    -

    -

    .

    .

    .

    .

    .

    ;

    -

    -

    -

    -

    .

    ,

    .

    . .

    -

    - CCTV

    1)

    ,

    ,

    .


    . 6 :

    -

    -

    -

    -

    -

    -

    )

    ;

    -

    -

    - , ,

    -

    )

    4 .

    o (Walkthroughs)

    o

    :

    -

    -

    -

    .

    o


    .

    o

    )

    .

    :

    - 3 7 .

    .

    - . 1 24

    .

    - .

    - .

    )

    . .

    :

    - ; .

    -

    - (, , ,

    )

    -

    -

    .

    .

    .

    )

    .

    (test diary) .

    .


    -

    -

    -

    - 3

    -

    -

    )

    ,

    , , .

    6.3.5.

    .

    .

    .

    ,

    .

    .

    (, , , )

    .

    .

    .

    .

    , .

    .

    .

    .

    .

    ,

    .

    .


    .

    .

    .

    :

    - .

    -

    .

    - .

    :

    -

    -

    -

    -

    Q&A

    .

    .

    . :

    -

    -

    -

    .

    .


    6.4.

    6.4.1.

    ,

    , , ,

    .

    .

    .

    - ,

    -

    - ,

    - ,

    - , ,

    -

    , , .

    , , ,

    . ,

    .

    .

    .

    6.4.2.

    .

    . .

    .

    6.4.3.

    . ,


    .

    , , , , .

    , .

    .

    .

    o .

    .

    o :

    .

    o :

    .

    o :

    . ,

    , .

    o :

    .

    6.4.4.

    .

    .

    ,

    .

    .

    -

    -

    -

    - (assumptions)

    -

    -

    -


    -

    -

    -

    -

    -

    - ,

    - ,

    - ,

    .

    .

    - ;

    .

    , , .

    - ;

    . , , ,

    .

    :

    -

    -

    -

    -

    1)

    . :

    -

    .

    - . (:

    )

    .


    .

    .

    , , ,

    /.

    2)

    .

    .

    .

    -

    -

    -

    - (, )

    -

    .

    .

    3)

    .

    , /

    :

    - ( )

    , ,

    -

    -

    -

    -

    - ,


    /

    :

    -

    -

    - ,

    .

    :

    -

    -

    -

    -

    4)

    .

    .

    .

    .

    6 .

    -

    -

    -

    -

    - ,

    - , ,

    6

    .

    . 6

    .


    .

    7.

    . , (core

    competence)

    ,

    . ,

    .

    .

    7.1.

    .

    .

    , , ,

    .

    ,

    .

    ,

    .

    .

    . (service level agreement)

    .

    .

    7.2.

    .

    .

    .


    .

    . :

    -

    -

    -

    -

    - ,

    .

    .

    , :

    -

    .

    .

    -

    .

    -

    . (,

    .

    .)

    .

    :

    -

    - ,

    -

    -


    -

    -

    -

    -

    -

    -

    , .

    7.3.

    .

    .

    . (1 ) .

    , ,

    .

    7.4.

    .

    , , .

    , 3

    .

    .

    .

    -

    -

    -

    -

    -


    7.5

    .

    . :

    - (in-house back up)

    - 2

    .

    :

    - ,

    -

    -

    -

    -

    . , ,

    , , ,

    . , . ,

    .

    .

    .

    .

    :

    - ,

    -

    - (. , )

    -


    .

    :

    -

    -

    -

    -

    - ,

    -

    .

    . ,

    .

    .

    .

    . ,

    .

    . ,

    , ,

    .

    .

    .

    .

    . ,

    KS X ISO/IEC 24762:2011

    .


    .

    ;

    -

    -

    -

    -

    -

    ,

    -

    ?

    -

    ?

    - , , ?

    - ?

    -

    ?

    -

    ?

    A


    .

    .

    ,

    .

    ;

    -

    -

    -

    -

    ,

    , ,

    - PID ?

    - ?

    - ?

    -

    ?


    , .

    .

    ;

    -

    -

    -

    -

    , ,

    , ,

    - ,

    ?

    - ?

    -

    ?

    - ?

    -

    ?

    -

    ?


    .

    .

    ;

    -

    -

    -

    -

    -

    , ,

    ,

    - ?

    - ?

    -

    ?

    - ?

    - ?

    - ?


    [1] , , , 1995.

    [2] Butler, J., Contingency Planning and Disaster Recovery Strategies, Computer Technology Research Corp., 1994.

    [3] Carlton, R. A., Telecommunications Disaster Planning, , DATAPRO, 1994.

    [4] CCTA, An Introduction to Business Continuity Management, The Government Centre for Information Systems, 1995.

    [5] Cerullo, M. and R. McDuffie, "Computer Contingency Plans and the Auditors: A Survey of Businesses Affected by Hurricane Hugo," Computers & Security, (Vol. 11, No. 7) Nov. 1992, pp.620-622.

    [6] Collins, B. and S. Mathews, "Securing Your Business Process," Computers & Security, (Vol. 12, No. 7) Nov. 1993, pp.629-633.

    [7] Commission of the European Communities Security Investigations Projects, Final and Strategy Report, Project S2014 Risk Analysis, Report Number 9744 (S2014/WP08), Version 1.0, Feb. 1993.

    [8] Corby, M., "Disaster Recovery Testing in a Client/Server Environment," DATAPRO, July 1994, pp.101-107.

    [9] Devlin, E., C. Emerson, and L. Wrobel, Business Resumption Planning, Auerbach, 1998.

    [10] Earl, Michael J., "Experience in Strategic Information Systems Planning," MIS Quarterly, Mar. 1993, pp.1-20.

    [11] FIPS PUB 41, Computer Security Guidelines for Implementing the Privacy Act of 1974, U.S. Department of Commerce/National Bureau of Standards, May 1975.

    [12] FIPS PUB 65, Guidelines for Automatic Data Processing Risk Analysis, U.S. Department of Commerce/National Bureau of Standards, Aug. 1979.

    [13] , , 1997. 12.

    [14] , , 1997. 2.

    [15] , , 1995. 12.

    [16] C. Wood, W. Bank, S. Guarro, A. Garcia, V. Hampel, E. Viktor, and H. Sartorio,

    [17] , : , , 1994.

    [18] FIPS PUB 73, Guidelines for Security of Computer Applications, U.S. Department of Commerce/National Bureau of Standards, Jun. 1980.


    [19] Haar, David J., "How Activity Accounting Works in Government," Management Accounting, September 1990, pp.36-40.

    [20] Highland, H., "Disaster Recovery at the WTC," Computers & Security, (Vol. 12, No. 3) May 1993, pp.216-217.

    [21] ISO/IEC JTC1/SC27 N442, Key Management Part 1: Framework, ISO, Mar. 1994.

    [22] ISO/IEC JTC1/SC27 N689, Guidelines for the Management of IT System Security: Part 3 - Techniques for the Management of IT Security, ISO, Mar. 1993.

    [23] ISO/IEC JTC1/SC27 N720, Guidelines for the Management of IT Security (GMITS): Part 2 - Managing and Planning IT Security, ISO, May 1993.

    [24] ISO/IEC JTC1/SC27 N777, Guidelines for the Management of IT System Security (GMITS): Part 1 - Concepts and Models for IT Security, ISO, Oct. 1993.

    [25] Jackson, Carl B., "Business Continuity Planning: The Need and the Approach," DATAPRO, February 1994, pp.101-109.

    [26] Keefer, Donald L. and Bodily, Samuel E., "Three-Point Approximations for Continuous Random Variables," Management Science, Vol. 29, No. 5, May 1983, pp.595-609.

    [27] Menkus, B., "A High Rise Building Fire Case Study," Computers & Security, (Vol. 11, No. 1) Jan. 1992a, pp.19-23.

    [28] Menkus, B., "The Lessons of the Great Chicago Flood of 1992," Computers & Security, (Vol. 11, No. 5) Sept. 1992b, pp.417-420.

    [29] Menkus, B., "The New Importance of 'Business Continuity' in Data Processing Disaster Recovery Planning," Computers & Security, (Vol. 13, No. 2) May 1994, pp.115-118.

    [30] Miora, Michael, "Protecting the Enterprise: Seven Steps to Safety," Carolina Computer News, April 1997.

    [31] Moeller, M., "World Trade Center bombing tests disaster recovery," Computer Fraud and Security Bulletin, March 1993, pp.12.

    [32] Moore, Pat, "How to Plan for Enterprise-Wide Business and Service Continuity," Strohl Systems, 1997.

    [33] Moses, Robin, "Risk Analysis and Management," Computer Security Reference Book, edited by Jackson, K. M., Hruska, J. and Parker, Donn B., CRC Press, Inc., 1992, pp.227-263.

    [34] NIST, U.S. Department of Justice Simplified Risk Analysis Guidelines, NISTIR 4387, Aug. 1990.

    [35] Ozier, Will, "Issues in Quantitative Versus Qualitative Risk Analysis," Datapro Reports on Information Security, March 1992, pp.101-107.


    [36] Perry, William E. and Kuong, Javier F., EDP Risk Analysis and Control Justification, Management Advisory Publications, 1981.

    [37] Rainer, Rex Kelly, Jr., Snyder, Charles A. and Carr, Houston H., "Risk Analysis for Information Technology," Journal of Management Information Systems, 1991, Vol. 8, No. 1, pp.129-147.

    [38] Robak, Edward and Security and Emergency Planning Staff, U.S. Department of Justice, Simplified Risk Analysis Guidelines (SRAG), National Institute of Standards and Technology, 1990.

    [39] Smith, M. and J. Sherwood, "Business Continuity Planning," Computers & Security, (Vol. 14, No. 1) Jan. 1995, pp.14-23.

    [40] UCG (United Communications Group), "Trends in Disaster Recovery," I/S Analyzer, (Vol. 26, No. 11) Nov. 1988, pp.1-12.

    [41] Wold, Geoffrey H. and Shriver, Robert F., "Risk Analysis Techniques," Basic DR Articles, Disaster Recovery Journal, December 1997.

    [42] "CCTA Risk Analysis and Management Methodology (CRAMM)," Datapro Reports on Information Security, December 1992, pp.101-110.

    [43] , KS X ISO IEC 22300:2012 , 2012. 12

    [44] , KS X ISO IEC 22301:2012 , 2012. 12

    [45] , KS X ISO IEC 24762:2008 , 2008


    : TTAK.KO-12.0009/R1

    .

    (E-mail )

    () PG 504 [email protected] TCA

    PG 504 [email protected] TCA

    PG 504 [email protected] TCA

    PG 504 [email protected] ETRI

    TC5 02-405-6410

    [email protected]

    031-724-0110

    [email protected]

    031-724-0083

    [email protected]

    031-724-0117

    [email protected]


    (A Guide to the Contingency and Disaster Recovery

    Plan for the Public Information Systems)

    :

    :

    463-824, 47

    Tel : 031-724-0114, Fax : 031-724-0109

    : 2013.12.