Information security management system of a corporate network

Diploma thesis - Computers, programming


y organisations including multiple overlapping and related activities within these three areas, e.g. internal audit, compliance programs, enterprise risk management, operational risk and incident management, etc.

GRCM: Governance, risk and compliance management.

Information security (IS): Preservation of confidentiality, integrity and availability of information. In addition, other properties, such as authenticity, accountability, non-repudiation, and reliability can also be involved [1].

Information security control: Means of managing risk, including policies, procedures, guidelines, practices or organisational structures, which can be administrative, technical, management, or legal in nature.

Information security system (ISS): Aggregate of security mechanisms that implement the defined rules and satisfy the defined requirements [2].

Information security management system (ISMS): Part of the overall management system, based on a business risk approach, to establish, implement, operate, monitor, review, maintain and improve information security [3].

INTRODUCTION

 

On October 28th 2010, the National bank of Ukraine introduced two branch standards in information security management [5]. The documents [3, 4] are in fact replications of the ISO/IEC 27001 and ISO/IEC 27002 international information security management standards, which define the requirements and rules for the development of information security management systems.

Regulation 474 of the National bank of Ukraine was passed according to article 7 of the Law of Ukraine "About the National bank of Ukraine", article 10 of the Law of Ukraine "About information security in the information telecommunication systems" and article 10 of the Law of Ukraine "About standardisation", with the purpose of strengthening information security in the Ukrainian banking system [5].

In addition to the above, the trend of attracting foreign investment forces commercial organisations to introduce international management standards, and information security management standards in particular.

These facts explain the rise in demand for the introduction of international information security management standards in Ukrainian banks and commercial organisations.

The methodical instrument described in this work facilitates the introduction of international standards by providing a methodical apparatus for the optimisation of network parameters and structure.

Purpose and objectives of the investigation

The aim of the presented work is to define and develop the effective information security management system (ISMS) for a corporate network.

Investigation object of the presented work is the information security management in a corporate network.

Investigation subject of the presented work is the ISMS.

Investigation methods used in the research are the following:

1.System approach to IS by V.V. Domarev [2] for quantitative and qualitative estimation of the IS management efficiency;

2.Semi-Markov processes as the mathematical model of IS processes;

3.Analytical overview of the legal documents to form the general demands to corporate IS management;

4.Analytical overview of the existent IS management solutions to define the effective functions of an ISMS;

5.Experimental implementation of the product during the development process.

Scientific novelty of the results

The ISMS Matrix has the following elements of scientific novelty.

1.The system approach to IS is applied in management for the first time.

Before the creation of the product, the system approach to IS was applied only in theoretical spheres. Examples of such applications are ISS high-level structure planning and ISS efficiency estimation. These applications are very important, but most businesses consider them too expensive relative to the return they yield. The ISMS Matrix applies the system approach to IS in practical operational management, which is more attractive for business applications and thus provides a higher rate of return on investment when deployed at enterprises.

2.The data elements are classified according to the system approach to IS, which allows uniting knowledge and current tasks in a single systematised framework.

The sets of values in each of the classifying elements are formed by the end users for the target organisation or the considered document, so the obtained system complies both with the system approach to IS and with the business processes of the target organisation: its structure matches the system approach, and its content matches the target organisation and the considered documents.

3.System analysis of the IS state can be performed from multiple perspectives.

The proposed product is intended to facilitate the introduction of international standards. The final stage of any standard implementation is the certification process, involving a broad audit of compliance. It is known that different inspections analyse the enterprise IS state from different perspectives, so in theory, to pass the audit for several standards simultaneously, the organisation has to perform several analyses. The ISMS Matrix systematises the knowledge base (including internal audit results), which allows the enterprise IS state to be presented from different perspectives, reusing the same internal audit results for different external checks.

4.Production of personalised post instructions directly from initial normative documents is available.

To comply with any standard, an organisation must have coordinated documentation: security policies must conform to corporate regulations, and post instructions must be oriented at enforcing the policies. The proposed product uses the single systematised knowledge base to generate the documents, so all the outcomes will be, firstly, consistent with each other, secondly, compliant with the target standard, and thirdly, oriented at its implementation.

Practical significance of the results

The application of the proposed ISMS at state and commercial enterprises or educational institutions allows to:

1.manage enterprise information security;

2.teach and learn the system approach to IS;

3.develop a high-level technical task for information security system creation, considering the system approach and enterprise peculiarities;

4.produce post instructions for the implementation of international standards (ISO 27001(2), PCI DSS).

The lower price of the proposed ISMS (in comparison to analogous products present on the Ukrainian market) allows small and medium enterprises to save up to 10 times on the purchase of an ISMS. Thus, the total certification cost decreases. Use of the proposed ISMS also provides a possibility to reduce financial expenses on bringing in external auditors and consultants.

Approbation of the results

The author presented the practical value of the proposed product at the XI International Conference of Young Researchers and Students "Polit. Challenges of Science Today" on April 6-7, 2011. The report was awarded second place in the section "Mathematics and computer technologies". The abstract of the report can be found in [6].

Publications

The author made publications [7] and [8] concerning the topic of the presented work before the beginning of the presented research. The scientific value of the results of the performed research and product development is presented in publication [9]. These publications will be discussed further in the work in more detail.

Structure and volume of the thesis

The presented master's degree thesis contains an introduction, three sections, conclusions that include the main results of the work, a reference list of 16 items, and six appendices. The full volume of the thesis is 114 pages, including 23 figures and one table.

SECTION 1. INFORMATION SECURITY MANAGEMENT IN CORPORATE NETWORKS

 

1.1 IS management standards development

 

1.1.1 The ISO/IEC 27000-series

As the recently accepted information security standards are strongly based on the international ISO/IEC 27000 standards series, the author considers it necessary to present information about these documents.

The information security standards recently accepted by the National bank of Ukraine were developed on the basis of the ISO/IEC 27000-series standards family (the so-called ISMS family, or ISO27k in short).

The ISO/IEC 27000-series comprises information security standards published jointly by the International Organisation for Standardization (ISO) and the International Electrotechnical Commission (IEC). The standards are the product of ISO/IEC JTC1 (Joint Technical Committee 1) SC27 (Sub Committee 27), an international body that meets in person twice a year.

The series provides best practice recommendations on information security management, risks and controls within the context of an overall Information Security Management System (ISMS), similar in design to the management systems for quality assurance (the ISO 9000 series) and environmental protection (the ISO 14000 series).

The series is deliberately broad in scope, covering more than just privacy, confidentiality and IT or technical security issues. It is applicable to organisations of all shapes and sizes. All organisations are encouraged to assess their information security risks, then implement appropriate information security controls according to their needs, using the guidance and suggestions where relevant. Given the dynamic nature of information security, the ISMS concept incorporates continuous feedback and improvement activities, summarised by Deming's "plan-do-check-act" approach, that seek to address changes in the threats, vulnerabilities or impacts of information security incidents.

The first standard of the family, named ISO/IEC 27000 [1], defines the scope and vocabulary of the whole series. International Stand