Information security management system of a corporate network

Diploma thesis - Computers, programming

Use of the system approach to IS enables handling of any normative documents, from internal regulations to international standards. Thus the developed ISMS can be used to implement a wider scope of standards.

The price of the developed ISMS for the customers is considerably lower than for analogous products, because the system core is distributed freely and support pricing is low due to the immaturity of the product. Thus the developed ISMS is more affordable than analogous products.

The situation when content is all based on bottom-up, IT-centric control management requirements is resolved, because the developed ISMS is designed to operate only on high managerial levels, preventing it from drowning in the vast amount of technical details. Thus an overall clear picture of the IS state at the target organisation is maintained.

The situation when the maturity of the products makes their interfaces complex for users is resolved, because the interfaces of the developed ISMS can be adapted on demand for each customer. Thus the developed ISMS is more convenient for the end users.

Configuration difficulties for the end users are eliminated, because no end-user configuration is needed except allowing MS VBA macros. Thus the developed ISMS has faster deployment.

The absence of predefined security policies is compensated by the ability of the product support unit to populate the developed ISMS according to any normative document or policy. Thus the developed ISMS has improved adaptability to the defined IS policy or other normative documents.

The presence of mostly compliance reporting with only a light treatment of risk is resolved in the developed ISMS, because risk assessment is a dedicated function, providing both detailed risk estimations and pivot charts. Thus the balance between the treatment of compliance and of risks is established in the developed ISMS.

The hardships in the development of policy and control framework content for commercial regulations were eliminated, because the system approach to IS used in the developed ISMS is equally effective in both state and commercial organisations. Thus the developed ISMS obtained a wider application scope in terms of target organisation spheres.

Limited audit support is resolved in the developed ISMS by the presence of a variety of reports and pivot charts that allow various audits to be passed without reassessment. Thus the developed ISMS shortens the preparation time before multiple audits.

Appendix B generalises the problems solved in the developed ISMS Matrix.

The developed ISMS also has financial advantages. The following numerical estimations were made.

1. The price of the product and technical support is 10 times lower on average.

2. The cost of training internal auditors (ranging from about 5000 to 8000 UAH) is compensated by the inherent audit capabilities of the ISMS Matrix.

 

3.4 Structure of the ISMS

 

3.4.1 Structure overview

The ISMS Matrix is implemented as a relational database with menus, screen forms and printable reports in Microsoft Office Access 2000 Database format (*.mdb).

The database itself consists of two main tables, a risk list and the lists of common classifying elements (see appendix C). The tables are linked on the scheme not by ID fields (as is classically done in database construction) but by the names of elements. This is arranged for better flexibility in case of changes in data structures during ISMS development or customisation.

The first main table, Knowledge (Тд_ЗНАНИЯ), contains the information about the input normative documents and regulations. The second main table, Tasks (Ту_ЗАДАЧИ), contains the information about all the dispatched tasks: current, planned and archived.

Risk assessment is performed by forming asset-threat relations in the table Risk list (спис_риски). For quantitative estimations, value fields are provided in the tables of assets (спис_активы) and threats (спис_угрозы). For details see appendix C.

 

3.4.2 Classifying elements

The classification of sections from multiple documents, as well as the classification of tasks, is implemented by the introduction of common classifying elements according to Domarev's Matrix of the system approach to IS [2]. The classifying elements are listed below according to appendix C.

1. Directions (напрямки);

2. Objects (об'єкти);

3. Group of bases (основи);

3.1. Officials (співробітники);

3.2. Documents (документи);

3.3. Measures (заходи);

3.4. Means (засоби);

4. Stages (етапи);

5. Group of stage contents (зміст етапів);

5.1. Assets (активи);

5.2. Threats (загрози);

5.3. Requirements (вимоги);

5.4. Solutions (вирішення);

5.5. Implementations (впровадження);

5.6. Control (контроль).

Detailed descriptions of each of the classifying elements are presented further in this subsection.

Each set of classifying elements contains optional fields named Level code 1 to Level code 3 (Код рівня 1 - Код рівня 3). These fields are added for custom sorting of the set in case there are many entries and they need to be grouped. The filling of these fields is completely optional and does not affect the performance of the ISMS.
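The structure overview (3.4.1) and the classifying elements above describe tables that are linked by element names rather than ID fields, a risk list formed from asset-threat pairs, value fields for quantitative estimation, and an optional level code for grouping. The following example, added here and not code from the thesis or the ISMS Matrix itself, rebuilds that layout in SQLite (the real product is an Access .mdb file) with constructed sample data. All table and column names, the 1-5 value scale and the scoring rule risk = asset value × threat value are assumptions; the thesis only states that value fields exist. The example also shows the check a practitioner would want with name-linked tables: foreign keys with ON UPDATE CASCADE, so that renaming an element (the flexibility the thesis argues for) cannot leave dangling references in the risk list.

```python
import sqlite3

# Table and column names are assumptions modelled on the thesis description
# (спис_активы, спис_угрозы, спис_риски, напрямки), not the ISMS Matrix schema.
SCHEMA = """
CREATE TABLE directions (
    name         TEXT PRIMARY KEY,
    level_code_1 TEXT                 -- optional grouping code, as in the thesis
);
CREATE TABLE assets (
    name      TEXT PRIMARY KEY,
    direction TEXT NOT NULL REFERENCES directions(name) ON UPDATE CASCADE,
    value     INTEGER NOT NULL CHECK (value BETWEEN 1 AND 5)   -- assumed scale
);
CREATE TABLE threats (
    name  TEXT PRIMARY KEY,
    value INTEGER NOT NULL CHECK (value BETWEEN 1 AND 5)       -- assumed scale
);
-- The risk list is the asset-threat relation, keyed by names rather than IDs.
CREATE TABLE risk_list (
    asset  TEXT NOT NULL REFERENCES assets(name)  ON UPDATE CASCADE,
    threat TEXT NOT NULL REFERENCES threats(name) ON UPDATE CASCADE,
    PRIMARY KEY (asset, threat)
);
"""

# Constructed sample content for a small bank; "All directions" follows the
# thesis' recommendation of an entry for enterprise-wide items.
DIRECTIONS = [("Card services", "A"), ("E-banking", "A"), ("All directions", None)]
ASSETS = [("Card processing server", "Card services", 5),
          ("Customer web portal", "E-banking", 4),
          ("Corporate e-mail", "All directions", 3)]
THREATS = [("Malware infection", 4), ("Unauthorised access", 5), ("Power outage", 2)]
RISKS = [("Card processing server", "Unauthorised access"),
         ("Card processing server", "Power outage"),
         ("Customer web portal", "Malware infection"),
         ("Customer web portal", "Unauthorised access"),
         ("Corporate e-mail", "Malware infection")]


def build_db():
    """Create an in-memory database with the schema and the sample data."""
    conn = sqlite3.connect(":memory:")
    # SQLite leaves foreign keys off by default; enable them per connection so
    # that linking by name cannot leave dangling references after a rename.
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO directions VALUES (?, ?)", DIRECTIONS)
    conn.executemany("INSERT INTO assets VALUES (?, ?, ?)", ASSETS)
    conn.executemany("INSERT INTO threats VALUES (?, ?)", THREATS)
    conn.executemany("INSERT INTO risk_list VALUES (?, ?)", RISKS)
    conn.commit()
    return conn


def risk_table(conn):
    """Detailed estimation per asset-threat pair, highest risk first.

    risk = asset value * threat value is an assumed scoring rule."""
    return conn.execute("""
        SELECT r.asset, r.threat, a.value * t.value AS risk
        FROM risk_list r
        JOIN assets  a ON a.name = r.asset
        JOIN threats t ON t.name = r.threat
        ORDER BY risk DESC, r.asset, r.threat""").fetchall()


def pivot_by_direction(conn):
    """Pivot-style summary: {direction: (total risk, highest single risk)}."""
    rows = conn.execute("""
        SELECT a.direction, SUM(a.value * t.value), MAX(a.value * t.value)
        FROM risk_list r
        JOIN assets  a ON a.name = r.asset
        JOIN threats t ON t.name = r.threat
        GROUP BY a.direction""").fetchall()
    return {direction: (total, worst) for direction, total, worst in rows}


def rename_asset(conn, old, new):
    """Rename an asset; return the threats still linked to it under the new name.

    ON UPDATE CASCADE carries the rename into risk_list automatically."""
    with conn:
        conn.execute("UPDATE assets SET name = ? WHERE name = ?", (new, old))
    return [t for (t,) in conn.execute(
        "SELECT threat FROM risk_list WHERE asset = ? ORDER BY threat", (new,))]


def link_to_unknown_asset_is_rejected(conn):
    """Return True if a risk row naming a non-existent asset is refused."""
    try:
        with conn:
            conn.execute("INSERT INTO risk_list VALUES (?, ?)",
                         ("No such asset", "Power outage"))
    except sqlite3.IntegrityError:
        return True
    return False


if __name__ == "__main__":
    db = build_db()
    for asset, threat, risk in risk_table(db):
        print(f"{risk:3d}  {asset} / {threat}")
    print(pivot_by_direction(db))
```

The pivot query is the SQL equivalent of the pivot charts the thesis describes; the per-pair query is the detailed estimation. Without the PRAGMA and the REFERENCES clauses, a rename in the assets list would silently orphan rows in the risk list, which is the cost of linking by name that the flexibility argument in 3.4.1 trades against.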

1. Directions (напрямки)

This element was initially intended to divide IS by the types of ISS operation. The division was made considering the specificity of the IS components and processes being protected. Presently, the best practice is to match the IS directions with business directions, or business processes. For example, if a bank provides card services, deposits and e-banking, it is recommended to list these as directions.

To define directions, it is necessary to consider what business directions the target enterprise has and what major business processes run at the target enterprise.

The set of directions depends completely on the target enterprise or the considered document. There are no standard directions, so the user has to fill the list on his own. Nevertheless, it is recommended to add a Whole enterprise (Банк в цілому) or All directions (Всі напрямки) entry to the directions list. These entries might be needed when there are enterprise-wide or even enterprise-independent regulations.

2. Objects (об'єкти)

This element was not initially present in the classic system approach to IS, but practical implementation experience has shown the necessity of its introduction. The objects are the major complex entities of the target organisation. The list of these elements might include the core objects of the organisation's business processes.

To define the objects, it is needed to list the core elements of the organisation's business processes without going into detail.

The set of objects may include physical or information systems, like Computer network (Комп'ютерна мережа) or E-mail system (Електронна пошта). It is also recommended to add an Object-independent (Окрема задача) entry to the objects list. This entry might be needed when there are object-independent or enterprise-wide regulations.

3. Group of bases (основи)

This group of classifying elements corresponds to the Bases group from the classical system approach matrix (including normative base, structure, measures and means). In the classification of documents and tasks within the ISMS, the table storing the list of structure officials (спис_сотр) is used twice: once to define the supervisor, and the second time to select the responsible employee.

3.1. Officials (співробітники)

This element initially described the structure of the organisation's officials and departments that were responsible for the provision of information security. Presently, the list of officials contains all the officers and departments involved in the solution of IS tasks, because it is used to define both the supervisors and the responsible. Practice shows that non-security officials are frequently drawn into IS processes. For example, according to the standard [3], the top management of the organisation must perform several security tasks, among which are the distribution of roles among the employees and conveying the importance of IS management to non-security divisions, so that productive cooperation between the IS service and other departments is ensured.

There are no criteria to define the officials that will be involved in IS processes.

To fill the officials list, it is first needed to list the IS department, both by person and in general. For the latter it is recommended to use a record like IS department (Підрозділ інформ. безпеки). It is also recommended to add a record for the management in general, like Management (Керівництво). Further, it will be needed to add each employee or department that would be mentioned in the IS tasks or documents. Cooperation with the human resources department will be helpful for obtaining the list of employees and departments.

3.2. Documents (документи)

Initially this element represented the legislative, normative-methodical and scientific base of documents that were involved in the legislative aspects of information security. In the current ISMS implementation this element defines the document, part of which is being stored in the documentation module, or within the scope of which the task is dispatched.

To compose the set of documents, it is needed to enter the names of all the documents that regulate information security at the target organisation, plus the standards that are about to be implemented.

The short names of the documents must be entered in the set. The names of document groups may optionally be added in case there are multi-document tasks or regulations, for example Regulations of the Cabinet of Ministers (П