Information security management system of a corporate network
Diploma thesis - Computers, programming
Постанови Кабміну) or International documents (Міжнародні документи).
3.3. Measures (заходи)

As in the classic system approach to IS, the set of measures is the set of actions aimed at providing information security at the target organisation. These usually include measures executed at the creation of the ISS, measures executed in the process of operating the ISS, and measures of a general profile.

To define the measures, it is needed to check what concrete processes and procedures aimed at IS support occur in the target organisation.

There is no standard set of measures, although the actions executed at organisations in order to provide and support information security are words. The set can be large, including high- and low-level measures. One example of a high-level measure is Access control (Контроль доступу), and of a low-level measure, Connection time limit (Обмеження часу підключення).
3.4. Means (засоби)

As in the classic system approach to IS, this set includes the program-technical means and methods of IS. They are the concrete tools used in the IS or audit processes of the target organisation or the considered document.

The author considers it worth noting that the set of means includes not only physical security items but also security methods such as Testing methods (Методи тестування). To determine the IS means of the target organisation or the considered document, it is needed to list all the concrete tools and the names of the methods that are used in IS processes.

The set of means depends mostly on the target enterprise or the considered document. Although there is a great variety of standard IS means and methods, this set varies largely depending on the size and business processes of the target organisation. As for documents, the high-level standards (including the ISO27k family, [3] and [4]) usually do not specify concrete IS means. Common practice in documents is general naming such as Cryptographic means (Криптографічні засоби).
4. Stages (етапи)

This element is intended to divide the IS processes into major steps. Initially, in the classic system approach to IS, seven steps were formed based on the methodologies of ISS creation existing at the time of the research [2]. During the development of the ISMS Matrix, the need arose to adapt to various standards. This pushed the author (and developer) to separate the seven classical stages into a group of stage contents (зміст етапів), described below, and to make the set of stages variable.

To define the IS stages of the target organisation or the considered document, it is needed to detect the major steps of ISS creation, maintenance and development.

ISMS users can employ the seven classical stages (which coincide with the names of the elements listed below) or the stages explicitly stated in the considered document. For example, the standard [3] defines the Plan-Do-Check-Act model (Плануй-Виконуй-Перевіряй-Дій), so the set of stages might consist of four entries with optional sub-stages.
5. Group of stage contents (зміст етапів)

This group of classifying elements corresponds to the Stages group of the classical system approach matrix, including definition of the assets to be protected, definition of threats and information loss channels, risk estimation, definition of requirements to the ISS, selection of IS means, implementation of the selected means and methods of IS, control of ISS integrity, and IS management.

Practical implementation experience has shown that each stage of ISS creation and management has a broad, varying set of sub-stages that depends completely on the target organisation or the considered document. Nevertheless, risk assessment was separated into a distinct module, which does not classify but simply provides approximate numerical estimations of risks.
5.1. Assets (активи)

Initially, in the classic system approach to IS, this element represented the classified or sensitive information to be protected by an ISS. Information is considered sensitive if its disclosure may cause damage to the vital interests of the target organisation or to the personal safety of people. Practical ISMS implementation experience has shown that the list of assets has to be amended with everything that can be affected by IS threats. For example, the Ukrainian branch standard [3] defines assets as everything that has value to the organisation. This caused the appearance of such entries as Operating systems (Операційні системи) or Internetwork screen, i.e. firewall (Міжмережевий екран).

To determine the list of assets for the target enterprise or the considered document, it is needed to name all the low-level entities, present in the target organisation or mentioned in the considered document, that may be affected by IS threats and thus cause IS risks. It is worth noting that the set of assets differs from the set of objects described above: objects are complex entities of the business processes, whereas assets are more concrete, low-level entities that are affected by IS threats. For example, while Computer network (Комп'ютерна мережа) is an object that may also become an asset, Cryptographic keys (Криптографічні ключі) can only be an asset.

The list of assets depends completely on the structure and peculiarities of the target enterprise or the considered document, so there is no standard set of assets; the user has to fill it in on their own. Some examples of assets are System files (Системні файли), Control logs (Журнали контролю) and Personal data (Персональні дані). It is recommended to add an All assets (Всі активи) entry for the case of enterprise-wide tasks or regulations. The entries in the set of assets contain the numerical field damage (збиток).
Upon entry of an asset, the damage value in case of the asset's collapse has to be defined in order to obtain numerical risk estimations later. It is proposed to scale the damage values from high to low with corresponding conventional marks 5 to 1 respectively. Nevertheless, the user may instead estimate the damage in case of asset collapse as a concrete monetary amount of loss.
5.2. Threats (загрози)

Initially, in the classic system approach to IS, this element represented the process of detecting threats and sensitive-information loss channels. However, during practical implementation of the ISMS Matrix, it was decided to move the threat detection process itself to the set of stages (етапи) and to let the element threats (загрози) contain the list of threats detected at the target organisation or mentioned in the considered document.

To detect the IS threats of the target organisation, any method is applicable, from theoretical estimation to a professional penetration test or an expert commission. Such a detection process can be performed either at the stage of information system planning or at the stage of its operation.

There exist lists of threats issued by information security companies, but they include universal sets of threats, most of which are impossible or unimportant for the target organisation, or not mentioned in the considered document. It is recommended to fill the set of threats gradually, adding an entry at the first mention of a concrete threat.

The entries in the set of threats contain the numerical field frequency (частота). Upon entry of a threat, the value of its appearance frequency has to be defined in order to obtain numerical risk estimations later. It is proposed to scale the frequency values from frequent to very rare with corresponding conventional marks 5 to 1 respectively. Nevertheless, the user may estimate the frequency of a threat's appearance by a concrete probability value, which is usually inaccurate and hard to determine due to the peculiarities of the concrete organisation and its business processes.
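As an added example (not part of the thesis or its ISMS Matrix software), the following Python model shows how the asset and threat sets of sections 5.1 and 5.2 can feed the separate risk-estimation module: assets carry a damage (збиток) mark and threats a frequency (частота) mark, both on the 5-to-1 conventional scale, and an All assets (Всі активи) entry expands to every asset when a threat is enterprise-wide. The combination rule risk = damage × frequency, the class and function names (RiskModule, build_sample, and so on) and the sample data are assumptions introduced here; the thesis's own risk module may use a different formula.

```python
"""Toy model of the ISMS Matrix asset/threat sets with numerical risk marks.

Added example; not the thesis's own code. The 5..1 marks for damage and
frequency and the "All assets" entry come from the text. The rule
risk = damage * frequency and all names and sample data are assumptions.
"""
from dataclasses import dataclass, field

ALL_ASSETS = "All assets (Всі активи)"  # enterprise-wide pseudo-asset named in the text


def check_mark(value: int, what: str) -> int:
    """Conventional marks run from 5 (high / frequent) down to 1 (low / very rare)."""
    if isinstance(value, bool) or not isinstance(value, int) or not 1 <= value <= 5:
        raise ValueError(f"{what} must be a conventional mark 1..5, got {value!r}")
    return value


@dataclass(frozen=True)
class Asset:
    name: str
    damage: int  # збиток: loss mark if the asset collapses

    def __post_init__(self) -> None:
        check_mark(self.damage, "damage")


@dataclass(frozen=True)
class Threat:
    name: str
    frequency: int  # частота: how often the threat appears

    def __post_init__(self) -> None:
        check_mark(self.frequency, "frequency")


@dataclass
class RiskModule:
    """Assumed shape of the separate risk-estimation module: it does not
    classify, it only produces approximate numerical estimates."""
    assets: dict = field(default_factory=dict)
    threats: dict = field(default_factory=dict)
    links: set = field(default_factory=set)  # (threat name, asset name) pairs marked by the user

    def add_asset(self, asset: Asset) -> None:
        self.assets[asset.name] = asset

    def add_threat(self, threat: Threat) -> None:
        self.threats[threat.name] = threat

    def link(self, threat_name: str, asset_name: str) -> None:
        """Record that a threat affects an asset (or every asset via ALL_ASSETS)."""
        if threat_name not in self.threats:
            raise KeyError(f"unknown threat: {threat_name}")
        if asset_name != ALL_ASSETS and asset_name not in self.assets:
            raise KeyError(f"unknown asset: {asset_name}")
        self.links.add((threat_name, asset_name))

    def risk(self, threat_name: str, asset_name: str) -> int:
        # ASSUMPTION: risk mark = damage mark * frequency mark, giving 1..25
        return self.assets[asset_name].damage * self.threats[threat_name].frequency

    def estimates(self) -> list:
        """All (threat, asset) pairs with their risk mark, highest risk first."""
        rows = {}
        for threat_name, asset_name in self.links:
            # An enterprise-wide link is expanded to every concrete asset
            targets = list(self.assets) if asset_name == ALL_ASSETS else [asset_name]
            for name in targets:
                rows[(threat_name, name)] = self.risk(threat_name, name)
        return sorted(rows.items(), key=lambda item: (-item[1], item[0]))


def build_sample() -> RiskModule:
    """Constructed sample data; the asset names follow the examples in the thesis."""
    module = RiskModule()
    module.add_asset(Asset("System files (Системні файли)", damage=4))
    module.add_asset(Asset("Control logs (Журнали контролю)", damage=3))
    module.add_asset(Asset("Personal data (Персональні дані)", damage=5))
    module.add_threat(Threat("Malware infection", frequency=3))
    module.add_threat(Threat("Power failure", frequency=2))
    module.add_threat(Threat("Log tampering", frequency=1))
    module.link("Malware infection", "System files (Системні файли)")
    module.link("Malware infection", "Personal data (Персональні дані)")
    module.link("Power failure", ALL_ASSETS)  # enterprise-wide threat
    module.link("Log tampering", "Control logs (Журнали контролю)")
    return module


if __name__ == "__main__":
    for (threat, asset), mark in build_sample().estimates():
        print(f"{mark:>3}  {threat:<18} -> {asset}")
```

Running the script prints the six (threat, asset) pairs ordered from the highest risk mark (15 for Malware infection against Personal data) to the lowest (3 for Log tampering against Control logs); marks outside the 1..5 scale are rejected at entry, which is the check a user of the conventional scale needs before the estimates are trusted.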
5.3. Requirements (вимоги)

As in the classic system approach to IS, this element represents the set of requirements to the information security system. These requirements may refer to the scope of certain ISS functions or to the levels of certain characteristics. In the proposed ISMS implementation, the set of requirements contains the titles or types of the regulations that define the requirements to the ISS in question.

To define the requirements to the ISS of the target organisation without assistance, it is needed to decide which security measures are planned to be used, what the cost of the available hardware and software security means is, how effective the available security measures and means are, how vulnerable the ISS subsystems are, and whether there is a possibility to carry out a risk analysis. In case of implementing a certain standard using the ISMS Matrix, the requirements can be taken directly from the considered document.

The set of requirements can be taken from the considered document, because they are usually explicitly stated there. The documents can be the technical tasks for ISS creation, the target organisation's security policy or a standard. For example, the Ukrainian branch standard [3] is itself a set of demands to an ISMS; in such a case the entries of the set of requirements will be the titles of the corresponding document sections.
5.4. Solutions (вирішення)

This element initially represented the process of selecting the means and methods that will provide compliance with the set requirements. In the proposed ISMS implementation, the set of solutions represents the complex means and methods of information security (usually mature commercial products) used to achieve compliance with the requirements described above.

To define the set of solutions, firstly it is needed to decide what means and methods should be used to attain the established requirements in the target org