Information security management system of a corporate network


ndards, to which the accepted documents refer, or explain certain terms in more detail than the original standard does. The standard ГСТУ СУІБ 2.0/ISO/IEC 27002:2010 also contains national remarks with recommendations concerning security implementation procedures considering banking peculiarities.

 

1.2 IS management standards according to the system approach to IS

 

1.2.1 General position of legal documents in the system approach

In 2007, the author conducted a research that formed the criteria of the classification of the existent normative-legal documents on providing of information security [7]. As a result of the analysis of normative-legal documents in the field of providing information security, their classification was offered. The most essential section for the creation of the information security system of the Ukrainian segment of the external communication and data transfer network of the space rocket complex Cyclone was identified. A conclusion was made about the necessity of concordance of the legislative base.

For the creation of an effective information security system, a legislative base well organised by the stages of construction is needed. At the time the research was conducted, providing of information technologies security was regulated by more than one hundred and twenty legislative, normative-legal and methodical documents, not coordinated on terminology, estimation criteria, sequence and directions of creation of information security systems.

The task was formulated as follows: conduct the analysis of normative-legal documents in the field of information security technologies, and classify the existent documents with the purpose of concordance of the statements of the Ukrainian legislative base.

The method of analysis consisted in the following. The components of information security systems (ISS) can be divided into three groups, which are illustrated in fig. 1.1:

1. Bases (what the ISS consists of);

2. Directions (what it is intended for);

3. Stages (how it works).

 

Fig. 1.1. Groups of ISS components

There are four bases:

1. Legislative, normative-legal and scientific base;

2. Structure and tasks of subdivisions providing security of information technologies;

3. Organisationally-technical and regime means (policy of information security);

4. Program-technical methods and tools.

Directions are formed based on the specific features of the object to be defended. Taking into account the typical structure of information systems and the historically established types of work on providing information security, it was suggested to consider the following directions:

1. Providing security of objects of the information systems;

2. Providing security of processes, procedures and programs for information processing;

3. Providing security of communication channels;

4. Suppression of side electromagnetic radiations;

5. Management of the security system.

The stages of creation and operation of an ISS are the following:

1. Determination of informational and technical resources, along with objects of the information systems (IS), to be defended;

2. Definition of the set of possible threats and information loss channels;

3. Estimation of vulnerability and risks of information in the IS according to the present set of threats and loss channels;

4. Determination of requirements for the information security system;

5. Choosing of means of providing information security and their specifications;

6. Introduction and organisation of the use of the chosen methods and means of security;

7. Control of the integrity and management of the security system.

Since each of the directions is related to the bases listed above, in this report every element of the "Legislative … base" is examined against every element of the directions of creation of an ISS (see fig. 1.2), namely:

1. Legislative … base of providing security of objects of the information systems;

2. Legislative … base of providing security of processes, procedures and programs…;

3. Legislative … base of providing security of communication channels;

4. Legislative … base of suppression of side electromagnetic radiations;

5. Legislative … base on management and control of the security system.

Fig. 1.2. The observed segment of ISS creation

The open (publicly available) normative documents of the system of technical information defence of Ukraine have been reviewed. As a result, a classification of legislative documents by the following directions of providing information security is offered:

1. Legislative and conceptual aspects of information security;

2. Organisation of information security;

3. Protecting information from loss in technical channels;

4. Information security in computer systems;

5. Information security in communication and data transfer networks;

6. Suppression of incidental electromagnetic radiations;

7. Cryptographic defence of information;

8. Special documents (methods of measuring and estimating parameters).

Information security in communication and data transfer networks was selected as the most essential direction for the creation of the information security system of the Ukrainian segment of the external communication and data transfer network of the space rocket complex Cyclone. The list of documents in this section of the offered classification was presented. The set of normative-legal documents in the remarked direction contained laws, normative documents and statements of Ukraine on providing of information security.

The conclusion was made about the necessity of concordance of terminology and statements of the existent normative-legal documents in the area of providing information security, with the purpose of increasing the efficiency of the Ukrainian legislative base. The conducted analysis of normative documents allowed to improve the efficiency of providing information security in the external communication and data transfer network of the space rocket complex Cyclone. The results of the research also formed the recommendations for the structure of IS standards that will provide a broader, encompassing description of the legislative requirements.

According to the method described above, the Ukrainian branch standards in information security management [3, 4] can be positioned in the framework of the system approach to IS in the following way. According to the system approach to IS by V.V. Domarev described in [2], the considered object is a document, so it falls under base 001 (the legislative, normative-legal and scientific base). As can be observed from the titles of the considered documents, they refer to direction 050, Security system management. More precise positioning is determined from the contents of the documents.

 

1.2.2 The scope of ГСТУ СУІБ 1.0/ISO/IEC 27001:2010

Section 0.1 "General statements" of the introduction to the document says: "This standard is created to supply the model of development, introduction, functioning, monitoring, revision, maintenance and perfection of an information security management system (ISMS)." Thus the document [3] occupies the cells 451, 651 and 751, which represent the normative base of determination of requirements, of introduction and use, and of control and management in security system management respectively.

The final position of the standard [3] in the framework of the system approach to IS is illustrated by fig. 1.3. The descriptions of the cells in Domarev's matrix can be found in [2].

 

Fig. 1.3. The scope of ГСТУ СУІБ 1.0 in the system approach matrix

 

1.2.3 The scope of ГСТУ СУІБ 2.0/ISO/IEC 27002:2010

Section 1 "Application sphere" states that the standard establishes directives and general principles in relation to the establishment, introduction, support and perfection of information security management in an organisation. Thus the document [4] primarily occupies the cells 651 and 751, which represent respectively the normative base of introduction and use, and of control and management in security system management. Section 5 "Security policy" adds the cell 151 (the normative base of determination of information to be protected in security system management) to the document's scope.

The final position of the standard [4] in the framework of the system approach to IS is illustrated by fig. 1.4. The descriptions of the cells in Domarev's matrix can be found in [2].
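The cell codes used in sections 1.2.2 and 1.2.3 (451, 651, 751 for [3]; 151, 651, 751 for [4]) index the three-dimensional matrix of the system approach. The following added example, which is not part of the thesis or of Domarev's work, models that matrix with the bases, directions and stages listed in section 1.2.1 and decodes a cell code into its three coordinates. It assumes, as an inference from the way the page describes the cells (451 = "determination of requirements" in "security system management" on the "normative base"), that a code reads stage-digit, direction-digit, base-digit, each 1-based. It goes one step beyond the text by listing which stages of direction 5 are left uncovered by the two standards as positioned here, which is the gap analysis a practitioner would want from such a map.

```python
"""Added example: a model of the Domarev system-approach matrix.

Assumption (inferred from the page, not stated by it explicitly): a cell
code is three digits <stage><direction><base>, each a 1-based index into
the lists below, so 451 = stage 4, direction 5, base 1.
"""
from itertools import product

# Bases, directions and stages as listed in section 1.2.1 (shortened).
BASES = [
    "Legislative, normative-legal and scientific base",
    "Structure and tasks of subdivisions providing security of IT",
    "Organisationally-technical and regime means (IS policy)",
    "Program-technical methods and tools",
]
DIRECTIONS = [
    "Security of objects of the information systems",
    "Security of processes, procedures and programs",
    "Security of communication channels",
    "Suppression of side electromagnetic radiations",
    "Management of the security system",
]
STAGES = [
    "Determination of resources and IS objects to be defended",
    "Definition of possible threats and information loss channels",
    "Estimation of vulnerability and risks",
    "Determination of requirements for the ISS",
    "Choosing means of providing IS and their specifications",
    "Introduction and organisation of use of the chosen means",
    "Control of integrity and management of the security system",
]

# Scopes exactly as the thesis assigns them (cell codes are from the page).
SCOPES = {
    "ГСТУ СУІБ 1.0/ISO/IEC 27001:2010": {451, 651, 751},
    "ГСТУ СУІБ 2.0/ISO/IEC 27002:2010": {151, 651, 751},
}


def decode_cell(code: int) -> dict:
    """Map a three-digit cell code to its stage, direction and base names.

    Raises ValueError for a code that points outside the 7 x 5 x 4 matrix,
    so a typo such as 851 is caught instead of silently mislabelled.
    """
    s, d, b = (int(ch) for ch in f"{code:03d}")
    if not (1 <= s <= len(STAGES) and 1 <= d <= len(DIRECTIONS) and 1 <= b <= len(BASES)):
        raise ValueError(f"cell {code} lies outside the matrix")
    return {"stage": STAGES[s - 1], "direction": DIRECTIONS[d - 1], "base": BASES[b - 1]}


def all_cells() -> set:
    """Every valid cell code of the matrix (7 stages x 5 directions x 4 bases)."""
    return {
        s * 100 + d * 10 + b
        for s, d, b in product(range(1, len(STAGES) + 1),
                               range(1, len(DIRECTIONS) + 1),
                               range(1, len(BASES) + 1))
    }


def uncovered_cells(direction: int, base: int, scopes=SCOPES) -> list:
    """Cells of one direction/base column that none of the given standards covers."""
    covered = set().union(*scopes.values())
    column = {s * 100 + direction * 10 + base for s in range(1, len(STAGES) + 1)}
    return sorted(column - covered)


if __name__ == "__main__":
    for name, cells in SCOPES.items():
        print(name)
        for code in sorted(cells):
            c = decode_cell(code)
            print(f"  {code}: {c['stage']} / {c['direction']} / {c['base']}")
    print("Uncovered cells in direction 5, base 1:", uncovered_cells(5, 1))
```

Running the module prints the decoded scope of each standard and then the three stages of security system management (threat definition, risk estimation and choice of means) that, on the thesis's own positioning, neither standard addresses on the normative base.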

 

Fig. 1.4. The scope of ГСТУ СУІБ 2.0 in the system approach matrix

 

1.3 IS management solutions overview

A branch of software related to information security management, named Governance, Risk and Compliance (GRC), appeared in response to the need to fit business security into certain rules. The document [12] provides general information about GRC and software solutions in this area.

IT governance, risk and compliance management (IT GRCM) is maturing as a technology. The market is growing steadily, but remains relatively small, with a crowded field of vendors. IT GRCM products address requirements to automate risk management.

The IT GRCM market comprises vendors that provide software products to help organisations proactively measure and manage their IT technology and process controls. The IT GRCM market benefits maturing organisations with existing processes for measuring, managing and reporting IT controls that are ready for automation.

IT GRCM solutions have a repository; basic document management capabilities; good workflow, survey and reporting functions; and dashboarding, with policy content that is specific to IT controls, and support for the automated measurement and reporting of IT controls.

The choice between IT GRCM and enterprise GRC (EGRC) platforms depends on the focus of the effort. IT GRCM is recommended for bottom-up, IT-centric requirements, while EGRC platforms are recommended for top-down enterprise risk management requirements.

G