Information security management system of a corporate network
IS management standards development. The national peculiarities of the IS management standards. The most integrated existent IS management solution. General description of the ISS model. Application of semi-Markov processes in ISS state description.
Category | Programming, computers and cybernetics |
Type | diploma thesis |
Language | English |
Date added | 28.10.2011 |
File size | 2.2 M |
Kyiv 2011
Ministry of Education, science, youth and sports of Ukraine
NATIONAL AVIATION UNIVERSITY
Computer Systems and Networks Department
Permission to defend granted
Head of the Department
______________ Zhukov I.A.
“____”_______________ 2011
Master's degree thesis
Topic: “Information security management system of a corporate network”
Completed by: student of speciality 8.091501 Domariev Dmytro
Supervisor: Doctor of technical sciences professor Vinogradov N.A.
Advisers on Individual Sections:
Standards Inspector: Klymenko I.A.
NATIONAL AVIATION UNIVERSITY
Computer Systems Faculty
Computer Systems and Networks Department
Educational and Qualifications level: Master of Computer Engineering
Specialty: 8.091501 Computer Systems and Networks
APPROVED BY
Head of the Department
___________ Zhukov I.A.
“____”_____________ 2011
Graduate Student's Degree Thesis Assignment
Name: Domariev Dmytro
1. The Thesis topic: “Information security management system of a corporate network”
approved by the Rector's order of “15” April 2011 № 749
2. The Thesis to be completed between 15 April 2011 and 26 June 2011
3. Initial data for the thesis: During the development of the corporate network information security management system concept, act in accordance with the branch standards of the National bank of Ukraine and the international standards ISO/IEC. Apply the system approach in efficiency estimation of the information security management system. Consider the information security management system as a stochastic system with partial controllability and observability.
4. The content of the explanatory note (the list of problems to be considered): Analytical overview of information security management in corporate networks; Information security management standards overview; Existent information security management solutions overview; Mathematical model of information security system; Definition of the effective system's features; Improvements provided by the system; Structure of the system; Interfaces operation and the use of the main functions.
5. The mandatory graphic materials: Deduction hierarchy of security level estimation; Solutions of the problems in analogous products; System's database scheme; Excerpt of the information security policy formed by the system; Program modules of the custom functions (listing).
6. TIMETABLE
# | Completion stages of Degree Thesis | Stage Completion Dates | Remarks |
1. | Scientific-research internship | 17.01.11-13.02.11 | |
2. | Pre-thesis internship | 14.02.11-06.03.11 | |
3. | Analysis of the problem's current state | 07.03.11-20.03.11 | |
4. | Development of requirements to the system | 21.03.11-10.04.11 | |
5. | Describing the proposed system | 11.04.11-30.04.11 | |
6. | Drawing up of explanatory note | 01.05.11-29.05.11 | |
7. | Standards inspection | 30.05.11-02.06.11 | |
8. | Preliminary defence of the thesis | 03.06.11 | |
9. | Final drawing up of explanatory note | 04.06.11-05.06.11 | |
10. | Supervisor's review | 06.06.11-10.06.11 | |
11. | Criticising of the thesis | 11.06.11-15.06.11 | |
12. | Submission of thesis to defence | before 16.06.11 | |
7. Assignment issue date “____”_____________ 2011.
Supervisor: (signature)
Assignment accepted for completion (student's signature)
Date: “____”_____________ 2011.
Abstract
Domariev D.V. Information security management system of a corporate network: master's degree thesis / Domariev Dmytro, National aviation university, Computer systems faculty, Computer systems and networks department. - Kyiv 2011. - 114 pages, 23 figures, 1 table, 6 appendixes, 16 references.
In the presented thesis, the system approach to information security is applied as a universal model of information security processes. A mathematical model of a semi-Markov process is presented for use in modelling information security systems. An analytical overview of legal documents and existent solutions is performed to define the requirements for an effective information security management system. An experimental implementation of the system was carried out during the development process to test the introduced functions. Numerical estimates of the improvements gained by applying the developed system are made. The list of problems solved by applying the developed system is presented.
As a result of the performed research and development, the proposed information security management system applies the system approach to information security in management for the first time. The information in the system's database is classified according to the system approach to information security. System analysis of the information security state from multiple perspectives has become possible. Production of personalised post instructions directly from the initial normative documents has become available.
Recommendations are provided for implementing the developed system at enterprises. The practical value of the product is supported by approbation.
INFORMATION SECURITY MANAGEMENT SYSTEM, ISMS, MATRIX, SYSTEM APPROACH TO INFORMATION SECURITY, ISO27K, ГСТУ СУІБ
Contents
- LIST OF TERMS AND ABBREVIATIONS
- INTRODUCTION
- SECTION 1. INFORMATION SECURITY MANAGEMENT IN CORPORATE NETWORKS
- 1.1 IS management standards development
- 1.1.1 The ISO/IEC 27000-series
- 1.1.2 The ISO/IEC 27001
- 1.1.3 The ISO/IEC 27002
- 1.1.4 The national peculiarities of the IS management standards
- 1.2 IS management standards according to the system approach to IS
- 1.2.1 General position of legal documents in the system approach
- 1.2.2 The scope of ГСТУ СУІБ 1.0/ISO/IEC 27001:2010
- 1.2.3 The scope of ГСТУ СУІБ 2.0/ISO/IEC 27002:2010
- 1.3 IS management solutions overview
- 1.4 Modern IS management solutions
- 1.4.1 Analytical overview of the existent solutions
- 1.4.2 The most integrated existent IS management solution
- 1.4.3 Common problems of the existent solutions
- 1.5 Mathematical model of IS
- 1.5.1 General description of the ISS model
- 1.5.2 Semi-Markov process definition
- 1.5.3 ISS state as a semi-Markov process
- 1.5.4 Application of semi-Markov processes in ISS development
- 1.5.5 Application of semi-Markov processes in ISS state description
- Conclusions to section
- SECTION 2. DEFINITION OF THE EFFECTIVE ISMS FEATURES
- 2.1 The mandatory ISMS documents
- 2.2 Content management system for an ISMS
- 2.3 The information security metrics
- 2.4 Internal audit capabilities
- Conclusions to section
- SECTION 3. INFORMATION SECURITY MANAGEMENT SYSTEM “MATRIX”
- 3.1 Purpose of the ISMS
- 3.2 General description of the ISMS
- 3.3 Improvements provided by the ISMS
- 3.4 Structure of the ISMS
- 3.4.1 Structure overview
- 3.4.2 Classifying elements
- 3.4.3 Main data storages
- 3.4.4 Program modules
- 3.5 Interfaces of the ISMS
- 3.6 Operation of the ISMS
- 3.6.1 Filling recommendations
- 3.6.2 Reporting
- 3.6.3 Risk assessment
- 3.6.4 Information security policy formation
- Conclusions to section
- CONCLUSIONS
- REFERENCES
- Appendix A. Deduction hierarchy of ISS security level estimation
- Appendix B. The solutions of the problems in analogous products by ISMS “Matrix”
- Appendix C. Database scheme
- Appendix D. Excerpt of the IS policy formed by the product
- Appendix E. Program module of the shared ISMS functions (listing)
- Appendix F. Program module of the ISMS report (listing)
LIST OF TERMS AND ABBREVIATIONS
EGRC | Enterprise governance, risk and compliance. |
Governance, risk and compliance (GRC) | An integrated approach adopted by organisations including multiple overlapping and related activities within these three areas, e.g. internal audit, compliance programs, enterprise risk management, operational risk and incident management, etc. |
GRCM | Governance, risk and compliance management. |
Information security (IS) | Preservation of confidentiality, integrity and availability of information. In addition, other properties, such as authenticity, accountability, non-repudiation, and reliability can also be involved [1]. |
Information security control | Means of managing risk, including policies, procedures, guidelines, practices or organisational structures, which can be administrative, technical, management, or legal in nature. |
Information security system (ISS) | Aggregate of security mechanisms that implement the defined rules and satisfy the defined requirements [2]. |
Information security management system (ISMS) | Part of the overall management system, based on a business risk approach, to establish, implement, operate, monitor, review, maintain and improve information security [3]. |
INTRODUCTION
Relevance
On October 28th 2010, the National bank of Ukraine introduced two branch standards in information security management [5]. The documents [3, 4] are in fact replications of the ISO/IEC 27001 and ISO/IEC 27002 international information security management standards, which define the requirements and rules for developing information security management systems.
Regulation 474 of the National bank of Ukraine was passed according to article 7 of the Law of Ukraine “About the National bank of Ukraine”, article 10 of the Law of Ukraine “About information security in the information telecommunication systems” and article 10 of the Law of Ukraine “About standardisation”, with the purpose of strengthening information security in the Ukrainian banking system [5].
In addition to the above, the trend towards attracting foreign investment forces commercial organisations to introduce international management standards, and information security management standards in particular.
These facts explain the rise in demand for the introduction of international information security management standards in Ukrainian banks and commercial organisations.
The methodical instrument described in this work facilitates the introduction of international standards by providing a methodical apparatus for the optimization of network parameters and structure.
Purpose and objectives of the investigation
The aim of the presented work is to define and develop an effective information security management system (ISMS) for a corporate network.
The object of investigation of the presented work is information security management in a corporate network.
The subject of investigation of the presented work is the ISMS.
The following investigation methods are used in the research:
1. System approach to IS by V.V. Domarev [2] for quantitative and qualitative estimation of the IS management efficiency;
2. Semi-Markov processes as the mathematical model of IS processes;
3. Analytical overview of the legal documents to form the general demands to corporate IS management;
4. Analytical overview of the existent IS management solutions to define the effective functions of an ISMS;
5. Experimental implementation of the product during the development process.
Scientific novelty of the results
The ISMS “Matrix” has the following elements of scientific novelty.
1. The system approach to IS is applied in management for the first time.
Before the creation of the product, the system approach to IS was applied only in theoretical spheres, for example in ISS high-level structure planning and ISS efficiency estimation. These applications are very important, but most businesses consider them too expensive relative to the return they bring. The ISMS “Matrix” applies the system approach to IS in practical operational management, which is more attractive for business applications and thus provides a higher return on investment when deployed at enterprises.
2. The data elements are classified according to the system approach to IS, which allows uniting knowledge and current tasks in a single systematised framework.
The sets of values in each classifying element are formed by the end users for the target organisation or the document under consideration. The resulting system therefore complies with both the system approach to IS and the business processes of the target organisation: its structure matches the system approach, while its content matches the target organisation and the documents considered.
3. System analysis of the IS state can be performed from multiple perspectives.
The proposed product is intended to facilitate the introduction of international standards. The final stage of any standard's implementation is the certification process, which involves a wide audit of compliance. Different inspections analyse the enterprise IS state from different perspectives, so in theory, to pass the audit for several standards simultaneously, the organisation has to perform several analyses. The ISMS “Matrix” systematises the knowledge base (including internal audit results), which makes it possible to present the enterprise IS state from different perspectives and to use the same internal audit results for different external checks.
4. Production of personalised post instructions directly from initial normative documents is available.
To comply with any standard, an organisation must have coordinated documentation: security policies must conform to corporate regulations, and post instructions must be oriented at enforcing the policies. The proposed product uses a single systematised knowledge base to generate the documents, so all the outputs are, first, mutually consistent; second, compliant with the target standard; and third, oriented at its implementation.
Practical significance of the results
The application of the proposed ISMS at state and commercial enterprises or educational institutions makes it possible to:
1. manage enterprise information security;
2. teach and learn the system approach to IS;
3. develop a high-level technical specification for the creation of an information security system, taking into account the system approach and the enterprise's peculiarities;
4. produce post instructions for international standards (ISO 27001(2), PCI DSS) implementation.
The lower price of the proposed ISMS (in comparison to analogous products on the Ukrainian market) allows small and medium enterprises to spend up to 10 times less on the purchase of an ISMS. Thus, the total certification cost decreases.
Implementation of the proposed ISMS provides a possibility to reduce financial expenses on bringing in external auditors and consultants.
Approbation of the results
The author presented the practical value of the proposed product at the XI International Conference of Young Researchers and Students “Polit. Challenges of science today” on April 6-7, 2011.
The report was awarded the second place in the section “Mathematics and computer technologies”. The thesis of the report can be found in [6].
Publications
The author has made publications [7] and [8] concerning the topic of the presented work before the beginning of the presented research.
The scientific value of the results of the performed research and product development is presented in the publication [9].
All these publications will be mentioned further in the work in more detail.
Structure and volume of the thesis
The presented master's degree thesis contains an introduction, three sections, conclusions that include the main results of the work, a reference list of 16 items and six appendixes. The full volume of the thesis is 114 pages, including 23 figures and one table.
SECTION 1. INFORMATION SECURITY MANAGEMENT IN CORPORATE NETWORKS
1.1 IS management standards development
1.1.1 The ISO/IEC 27000-series
As the recently accepted information security standards are strongly based on international ISO/IEC 27000 standards series, the author considers it necessary to present the information about these documents.
The information security standards recently accepted by the National bank of Ukraine were developed on the basis of ISO/IEC 27000-series standards family (the so-called “ISMS family”, or “ISO27k” in short).
The ISO/IEC 27000-series comprises information security standards published jointly by the International Organisation for Standardization (ISO) and the International Electrotechnical Commission (IEC). The standards are the product of ISO/IEC JTC1 (Joint Technical Committee 1) SC27 (Sub Committee 27), an international body that meets in person twice a year.
The series provides best practice recommendations on information security management, risks and controls within the context of an overall Information Security Management System (ISMS), similar in design to management systems for quality assurance (the ISO 9000 series) and environmental protection (the ISO 14000 series).
The series is deliberately broad in scope, covering more than just privacy, confidentiality and IT or technical security issues. It is applicable to organisations of all shapes and sizes. All organisations are encouraged to assess their information security risks, then implement appropriate information security controls according to their needs, using the guidance and suggestions where relevant. Given the dynamic nature of information security, the ISMS concept incorporates continuous feedback and improvement activities, summarized by Deming's "plan-do-check-act" approach, that seek to address changes in the threats, vulnerabilities or impacts of information security incidents.
The first standard of the family, named ISO/IEC 27000 [1], defines the scope and vocabulary of the whole series. International Standards for management systems provide a model to follow in setting up and operating a management system. This model incorporates the features on which experts in the field have reached a consensus as being the international state of the art. ISO/IEC JTC 1 SC 27 maintains an expert committee dedicated to the development of international management systems standards for information security, otherwise known as the Information Security Management System (ISMS) family of standards.
Through the use of the ISMS family of standards, organisations can develop and implement a framework for managing the security of their information assets and prepare for an independent assessment of their ISMS applied to the protection of information, such as financial information, intellectual property, and employee details, or information entrusted to them by customers or third parties.
The ISMS family of standards is intended to assist organisations of all types and sizes to implement and operate an ISMS. The ISMS family of standards consists of the following International Standards, under the general title Information technology - Security techniques.
1.1.2 The ISO/IEC 27001
ISO/IEC 27001 is the formal set of specifications against which organisations may seek independent certification of their Information Security Management System (ISMS). The standard specifies requirements for the establishment, implementation, monitoring and review, maintenance and improvement of a management system - an overall management and control framework - for managing an organisation's information security risks. It does not mandate specific information security controls but stops at the level of the management system.
The standard covers all types of organisations (e.g. commercial enterprises, government agencies and non-profit organisations) and all sizes from micro-businesses to huge multinationals. This is clearly a very wide brief.
Bringing information security under management control is a prerequisite for sustainable, directed and continuous improvement. An ISO/IEC 27001 ISMS therefore incorporates several Plan-Do-Check-Act (PDCA) cycles: for example, information security controls are not merely specified and implemented as a one-off activity but are continually reviewed and adjusted to take account of changes in the security threats, vulnerabilities and impacts of information security failures, using review and improvement activities specified within the management system.
According to JTC1/SC27, the ISO/IEC committee responsible for ISO27k and related standards, ISO/IEC 27001 is intended to be suitable for several different types of use, including the following.
1. Use within organisations to formulate security requirements and objectives;
2. Use within organisations as a way to ensure that security risks are cost-effectively managed;
3. Use within organisations to ensure compliance with laws and regulations;
4. Use within an organisation as a process framework for the implementation and management of controls to ensure that the specific security objectives of an organisation are met;
5. The definition of new information security management processes;
6. Identification and clarification of existing information security management processes;
7. Use by the management of organisations to determine the status of information security management activities;
8. Use by the internal and external auditors of organisations to demonstrate the information security policies, directives and standards adopted by an organisation and determine the degree of compliance with those policies, directives and standards;
9. Use by organisations to provide relevant information about information security policies, directives, standards and procedures to trading partners and other organisations that they interact with for operational or commercial reasons;
10. Implementation of a business enabling information security;
11. Use by organisations to provide relevant information about information security to customers.
The document [10] provides the history of the ISO/IEC 27001 development.
The standard works in the following way. Most organisations have a number of information security controls. Without an ISMS, however, the controls tend to be somewhat disorganized and disjointed, having been implemented often as point solutions to specific situations or simply as a matter of convention. Maturity models typically refer to this stage as "ad hoc". The security controls in operation typically address certain aspects of IT or data security specifically, leaving non-IT information assets (such as paperwork and proprietary knowledge) less well protected on the whole. Business continuity planning and physical security, for example, may be managed quite independently of IT or information security, while Human Resources practices may make little reference to the need to define and assign information security roles and responsibilities throughout the organisation.
ISO/IEC 27001 imposes the following requirements on the management.
1. Systematically examine the organisation's information security risks, taking account of the threats, vulnerabilities and impacts;
2. Design and implement a coherent and comprehensive suite of information security controls and/or other forms of risk treatment (such as risk avoidance or risk transfer) to address those risks that are deemed unacceptable;
3. Adopt an overarching management process to ensure that the information security controls continue to meet the organisation's information security needs on an ongoing basis.
1.1.3 The ISO/IEC 27002
ISO/IEC 27002 is entitled “Information technology - Security techniques - Code of practice for information security management”. The standard provides best practice recommendations on information security management for use by those responsible for initiating, implementing or maintaining Information Security Management Systems (ISMS). Information security is defined within the standard in the context of the C-I-A triad: the preservation of confidentiality (ensuring that information is accessible only to those authorised to have access), integrity (safeguarding the accuracy and completeness of information and processing methods) and availability (ensuring that authorised users have access to information and associated assets when required).
ISO/IEC 27002:2005 has developed from BS7799, published in the mid-1990's. The British Standard was adopted by ISO/IEC as ISO/IEC 17799:2000, revised in 2005, and renumbered in 2007 to align with the other ISO/IEC 27000-series standards. The document [11] provides the history of the ISO/IEC 27002 development.
ISO/IEC 27001 formally defines the mandatory requirements for an Information Security Management System (ISMS). It uses ISO/IEC 27002 to indicate suitable information security controls within the ISMS, but since ISO/IEC 27002 is merely a code of practice/guideline rather than a certification standard, organisations are free to select and implement other controls (or indeed adopt alternative complete suites of information security controls) as they see fit. ISO/IEC 27001 incorporates a summary (little more than the section titles in fact) of controls from ISO/IEC 27002 under its Annex A. In practice, organisations that adopt ISO/IEC 27001 also substantially adopt ISO/IEC 27002.
ISO/IEC 27002 is a code of practice - a generic, advisory document, not truly a standard or formal specification such as ISO/IEC 27001. It lays out a reasonably well structured set of suggested controls to address information security risks, covering confidentiality, integrity and availability aspects. Organisations that adopt ISO/IEC 27002 must assess their own information security risks and apply suitable controls, using the standard for guidance. Strictly speaking, none of the controls are mandatory but if an organisation chooses not to adopt something as common as, say, antivirus controls, they should certainly be prepared to demonstrate that this decision was reached through a rational risk management decision process, not just an oversight, if they anticipate being certified compliant to ISO/IEC 27001.
Like governance, information security is a broad topic with ramifications in all parts of the modern organisation. Information security, and hence ISO/IEC 27002, is relevant to all types of organisation including commercial enterprises of all sizes (from one-man-bands up to multinational giants), not-for-profits, charities, government departments and quasi-autonomous bodies - in fact any organisation that handles and depends on information. The specific information security requirements may be different in each case but the whole point of ISO27k is that there is a lot of common ground.
The standard is explicitly concerned with information security, meaning the security of information assets, and not just IT/systems security. The IT department usually contains a good proportion of the organisation's information assets and is commonly charged with securing them by the information asset owners - the business managers who are accountable for the assets. However a large proportion of written and intangible information (e.g. the knowledge and experience of non-IT workers) is irrelevant to IT.
1.1.4 The national peculiarities of the IS management standards
As the international standards were introduced in Ukraine by the National bank and renamed to “branch standards of Ukraine”, certain changes were made to the standards, dictated by the legal requirements and specific needs of the banking industry. Technical divergences and additional information were attached directly to the sections which they refer to. These attachments are entitled “National divergence”, “National explanation” or “National remark”.
The “national” insertions primarily explain references to other international standards, to which the accepted documents refer, or explain certain terms in more detail than the original standard does. The standard “ГСТУ СУІБ 2.0/ISO/IEC 27002:2010” also contains national remarks with recommendations concerning security implementation procedures considering banking peculiarities.
1.2 IS management standards according to the system approach to IS
1.2.1 General position of legal documents in the system approach
In 2007, the author conducted research that formed the criteria for the classification of the existing normative-legal documents on information security provision [7].
As a result of the analysis of normative-legal documents in the field of information security provision, a classification of these documents was proposed. The section most essential to the creation of the information security system of the Ukrainian segment of the external communication and data transfer network of the space rocket complex «Cyclone» was identified. A conclusion was made about the necessity of harmonising the legislative base.
Creating an effective information security system requires a legislative base that is well organised by the stages of construction. At the time the research was conducted, the security of information technologies was regulated by more than one hundred and twenty legislative, normative-legal and methodical documents, not coordinated in terminology, estimation criteria, or the sequence and directions of creation of information security systems.
The task was formulated as follows: analyse the normative-legal documents in the field of information security technologies, and classify the existing documents with the purpose of harmonising the statements of the Ukrainian legislative base.
The analysis was conducted as follows. The components of information security systems (ISS) can be divided into three groups, which are illustrated in fig. 1.1:
1. Bases (what does ISS consist of);
2. Directions (what it is intended for);
3. Stages (how it works).
Fig. 1.1. Groups of ISS components
There are four bases:
1. Legislative, normative-legal and scientific base;
2. Structure and tasks of subdivisions, providing security of information technologies;
3. Organisationally-technical and regime means (policy of information security);
4. Program-technical methods and tools.
Directions are formed based on the specific features of the object to be defended. Taking into account the typical structure of information systems and the historically established types of work on providing information security, it was suggested to consider the following directions:
1. Providing security of objects of the information systems;
2. Providing security of processes, procedures and programs for information processing;
3. Providing security of communication channels;
4. Suppression of side electromagnetic radiations;
5. Management of the security system.
The stages of creation and operation of ISS are the following:
1. Determination of informational and technical resources, along with objects of the information systems (IS), to be defended;
2. Definition of set of possible threats and information loss channels;
3. Estimation of vulnerability and risks of information in IS according to present set of threats and loss channels;
4. Determination of requirements for information security system;
5. Choosing of means of providing information security and their specifications;
6. Introduction and organisation of the use of the chosen methods and means of security;
7. Control of the integrity and management of the security system.
As each of directions is related to the bases listed above, in this report every element of "Legislative … base" is examined with every element of directions of creation of ISS (see fig. 1.2), namely:
1. Legislative … base of providing security of objects of the information systems;
2. Legislative … base of providing security of processes, procedures and programs…;
3. Legislative … base of providing security of communication channels;
4. Legislative … base of suppression of side electromagnetic radiations;
5. Legislative … base on a management and control of the security system.
Fig. 1.2. The observed segment of ISS creation
The open normative documents of the system of technical information defence of Ukraine have been reviewed. As a result, a classification of legislative documents by the following directions of information security provision is proposed:
1. Legislative and conceptual aspects of information security;
2. Organisation information security;
3. Protecting information from a loss in technical channels;
4. Information security in the computer systems;
5. Information security in communication and data transfer networks;
6. Suppression of incidental electromagnetic radiations;
7. Cryptographic defence of information;
8. Special documents (methods of measuring and estimation parameters).
Section «Information security in communication and data transfer networks» was selected as the most essential at creation of the information security system of the Ukrainian segment of external communication and data transfer network of space rocket complex «Cyclone». The list of documents in this section of the offered classification was presented.
The list of normative-legal documents in this direction contained laws, normative documents and statements of Ukraine on information security provision.
A conclusion was made about the necessity of concordance of terminology and statements of existent normative-legal documents in area of providing information security with the purpose of increasing of the Ukrainian legislative base efficiency.
The analysis of normative documents made it possible to improve the efficiency of information security provision in the external communication and data transfer network of the space rocket complex «Cyclone».
The results of the research also formed recommendations on the structure of IS standards that would provide a more encompassing description of the legislative requirements.
According to the method described above, the Ukrainian branch standards in information security management [3, 4] can be positioned in the framework of the system approach to IS in the following way.
According to the system approach to IS by V.V. Domarev described in [2], the considered object is a document, so it falls in the base “001 Bases”. As can be observed from the titles of the considered documents, they refer to the direction “050 - Security system management”. More precise positioning is determined from the contents of the documents.
1.2.2 The scope of ГСТУ СУІБ 1.0/ISO/IEC 27001:2010
The section “0.1 General statements” of the introduction to the document says “This standard is created to supply the model of development, introduction, functioning, monitoring, revision, maintenance and perfection information security management system (ISMS)”. Thus the document [3] occupies the cells 451, 651, 751 which represent normative base of determination of requirements, introduction and use, control and management in security system management respectively.
The final position of the standard [3] in the framework of the system approach to IS is illustrated by fig. 1.3. The descriptions of the cells in Domarev's matrix can be found in [2].
Fig. 1.3. The scope of ГСТУ СУІБ 1.0 in the system approach matrix
1.2.3 The scope of ГСТУ СУІБ 2.0/ISO/IEC 27002:2010
The section “1 Application sphere” states that the standard “establishes directives and general principles in relation to establishment, introduction, support and perfection of information security management in organisation”. Thus the document [4] primarily occupies the cells 651 and 751 which represent respectively normative base of introduction and use, control and management in security system management.
The section “5 Security policy” adds the cell 151 (normative base of determination of information to be protected in security system management) to the document's scope.
The final position of the standard [4] in the framework of the system approach to IS is illustrated by fig. 1.4. The descriptions of the cells in Domarev's matrix can be found in [2].
Fig. 1.4. The scope of ГСТУ СУІБ 2.0 in the system approach matrix
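The cell positioning used in sections 1.2.2 and 1.2.3 can be checked mechanically. The following Python sketch is an added example, not part of the thesis or of [2]: it assumes the three digits of a cell code are stage, direction and base in that order, and that 0 means "any", both inferred from the codes quoted above (451, 651, 751, 151, "050", "001"); the axis labels are shortened from the lists in 1.2.1.

```python
from itertools import product

# Axis labels shortened from the lists in section 1.2.1.
STAGES = {1: "determination of resources to be defended",
          2: "definition of threats and loss channels",
          3: "estimation of vulnerability and risks",
          4: "determination of requirements",
          5: "choice of security means",
          6: "introduction and use",
          7: "control and management"}
DIRECTIONS = {1: "objects of the information systems",
              2: "processes, procedures and programs",
              3: "communication channels",
              4: "side electromagnetic radiations",
              5: "security system management"}
BASES = {1: "legislative, normative-legal and scientific base",
         2: "structure and tasks of subdivisions",
         3: "organisational-technical and regime means",
         4: "program-technical methods and tools"}
AXES = (STAGES, DIRECTIONS, BASES)  # assumed digit order: stage, direction, base

# Scopes exactly as stated in sections 1.2.2 and 1.2.3.
SCOPES = {"ГСТУ СУІБ 1.0 [3]": {"451", "651", "751"},
          "ГСТУ СУІБ 2.0 [4]": {"151", "651", "751"}}


def expand(code):
    """Return every full cell matched by a 3-digit code; 0 = 'any' (assumption)."""
    if len(code) != 3 or not code.isdigit():
        raise ValueError(f"not a 3-digit cell code: {code!r}")
    choices = []
    for digit, axis in zip(map(int, code), AXES):
        if digit == 0:
            choices.append(sorted(axis))
        elif digit in axis:
            choices.append([digit])
        else:
            raise ValueError(f"digit {digit} out of range in {code!r}")
    return {"".join(map(str, cell)) for cell in product(*choices)}


def describe(cell):
    """Spell out one fully specified cell (no zeros)."""
    if expand(cell) != {cell}:
        raise ValueError(f"{cell!r} is not a fully specified cell")
    stage, direction, base = map(int, cell)
    return f"{BASES[base]}: {STAGES[stage]} in {DIRECTIONS[direction]}"


def coverage(scopes, pattern):
    """Map each cell matched by pattern to the documents that occupy it."""
    for cells in scopes.values():
        for cell in cells:
            describe(cell)  # rejects malformed or partial codes in a scope
    return {cell: sorted(name for name, cells in scopes.items() if cell in cells)
            for cell in sorted(expand(pattern))}


def gaps(scopes, pattern):
    """Cells matched by pattern that no document in scopes occupies."""
    return [cell for cell, docs in coverage(scopes, pattern).items() if not docs]


if __name__ == "__main__":
    # "051": every stage of security system management, legislative base.
    for cell, docs in coverage(SCOPES, "051").items():
        print(cell, describe(cell), "->", ", ".join(docs) or "NOT COVERED")
```

Run over the pattern "051", it shows which stages of the security system management column are occupied by each standard and which remain without a normative document under the scopes stated above.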
1.3 IS management solutions overview
The branch of software related to information security management, named Governance, Risk and Compliance (GRC), appeared in response to the need to fit business security into certain rules. The document [12] provides the general information about GRC and software solutions in this area.
IT governance, risk and compliance management (IT GRCM) is maturing as a technology. The market is growing steadily, but remains relatively small with a crowded field of vendors. IT GRCM products address requirements to automate risk management.
The IT GRCM market comprises vendors that provide software products to help organisations proactively measure and manage their IT technology and process controls.
The IT GRCM market benefits maturing organisations with existing processes for measuring, managing and reporting IT controls that are ready for automation.
IT GRCM solutions have a repository; basic document management capabilities; good workflow, survey and reporting functions; and dashboarding, with policy content that's specific to IT controls, and support for the automated measurement and reporting of IT controls.
Choosing between IT GRCM and enterprise GRC (EGRC) platforms depends on the focus of the effort. IT GRCM is recommended for bottom-up, IT-centric requirements, while EGRC platforms are recommended for top-down enterprise risk management requirements.
IT GRCM technology continued to mature through 2009 and growth is steady, but the market remains relatively small ($117 million in 2009) because most organisations are not ready to implement IT GRCM automation. The market continued to grow during the worldwide economic downturn in 2009, indicating that automating the mapping and measurement of compliance controls remains a priority for organisations.
EGRC platforms serve organisations that take an enterprise approach to compliance and risk management, and that want to have all business units, including the IT organisation, on the same GRCM solution. Most vendors with EGRC platforms offer modest IT governance automation functions. At a minimum, most EGRC vendors offer the capability to document, survey, and report IT risks and controls, but lack IT-specific content. Some vendors also provide limited support for an IT asset repository and IT policy management. Organisations with a primary interest in IT-centric GRCM requirements should be aware that most EGRC platforms balance finance, operational and IT requirements at the expense of IT-centric depth.
IT GRCM products support operation risk management through functions that measure, manage, and report on IT-centric technology and process controls. Organisations can use IT GRCM products to document and assess their IT-centric technology and process controls. The core IT GRCM functions are the following:
1. Controls and policy mapping;
2. Policy distribution and training attestation;
3. IT control self-assessment and measurement;
4. IT GRCM asset repository;
5. Automated general computer control collection;
6. Remediation and exception management;
7. Basic compliance reporting;
8. IT compliance dashboards;
9. IT risk evaluation.
GRC software products also help organisations to proactively measure and manage their IT technology and process controls. The typical additional functions of these products are the following:
1. Definition of IT policies, processes and controls that are based on best practices;
2. Management of policy content;
3. Mapping policies to process and technical controls, as appropriate;
4. Automating the measurement of process and technical controls;
5. Evaluating levels of compliance with various mandates;
6. Automating the auditing and regulatory reporting of these elements.
Organisations should define their basic approach as top-down or bottom-up, and use this to guide their requirements definition.
A top-down approach implies that IT GRCM is only one of the control categories that will be measured and reported, along with financial governance and operational requirements such as environmental, health and safety. Top-down usually requires less-detailed requirements for gathering general computer control data, such as configuration and patch data, but places a premium on higher-level reporting to executives. A top-down approach is more appropriately addressed with EGRC platforms.
A bottom-up approach implies greater detail in IT controls for an IT-centric audience. Many organisations use IT GRCM to organize their vulnerability scan, patch and configuration control data. Traditional IT GRCM tools are more appropriate for IT-specific requirements.
The most significant limiting factor for the IT GRCM and EGRC products is the divergence of requirements between top-down and bottom-up approaches. In many cases, organisations are buying two separate tools, indicating that this difference is more substantial than just vendor marketing and different buying centres.
This divergence is based on the differences in management and reporting requirements for top-down vs. bottom-up. Top-down tends to be led by enterprise risk management teams addressing business executive requirements, as opposed to bottom-up requirements, which are typically led by IT or information security operations teams. The vendors continue to add functions that overlap top-down and bottom-up requirements, but convergence will only happen when organisations stop buying multiple tools to address diverging requirements and agree on one tool as addressing both approaches comprehensively.
In the comparison of GRC products the following evaluation criteria are used.
Market understanding - capability of the vendor to understand the buyer and the major functional requirements of an IT-focused GRC deployment, as opposed to the requirements of finance or operational-risk-focused GRC deployments. This criterion is weighted high in the general estimation.
Customer experience - feedback from customers that have evaluated or deployed IT GRCM solutions is assessed with regard to the fit of function to IT GRCM use cases, the maturity and stability of IT GRCM functions, the code quality, and the quality of support. This criterion is weighted standard in the general estimation.
Offering strategy - an evaluation of the vendor's overall strategy for IT GRCM, including the sales strategy, product differentiation, capability to capitalize on an existing customer base, and the use of GRC capabilities to enhance other elements of a technology portfolio. This criterion is weighted low in the general estimation.
Product/service - an evaluation of IT GRCM feature sets as they map to current and future requirements, with a focus on IT-specific GRC content, IT control assessment automation, and the capability to assess at IT asset level. This criterion is weighted high.
Sales execution/pricing - an evaluation of the vendor's success in the market, based on the size and growth rates of the customer base and revenue. This criterion is weighted low in the general estimation.
Operations - the capability of the organisation to meet its goals and commitments in sales, development and product support. This criterion is weighted low.
1.4 Modern IS management solutions
1.4.1 Analytical overview of the existent solutions
The document [12] provides the information for the analysis of GRC solutions present on the worldwide market as of April 2010. The research considers products of dominating vendors (Agiliance, BWise, ControlCase, EMC (RSA), MetricStream, Modulo, OpenPages, Rsam, Symantec, Telos, Trustwave, Lumension).
Agiliance
Agiliance remains a leader in the IT GRCM market. Although one of the original vendors to provide an out-of-the-box architecture, Agiliance moved to a modular offering in late 2009. The highlight of the RiskVision offering remains its intuitive interface and its top-down approach to managing IT-related controls. Agiliance continues with a Strong Positive rating in 2010, and should be considered by organisations that require balanced IT GRCM functionality across all categories.
The product's main strengths are the following.
1. Good out-of-the-box policy and assessment data;