Information security management system of a corporate network

IS management standards development. The national peculiarities of the IS management standards. The most integrated existent IS management solution. General description of the ISS model. Application of semi-Markov processes in ISS state description.

Category: Programming, computers and cybernetics
Type: diploma thesis
Language: English
Date added: 28.10.2011
File size: 2.2 M


2. The risk assessment functions are comprehensive;

3. Good detail and flexibility for confidentiality, integrity and availability assessments.

However, the product has a problem. It is concentrated more on assessment, than on managerial functions.

BWise

BWise is an EGRC platform. Specific IT GRCM support includes an asset repository, IT-specific policy and control content, and policy mapping. Although BWise provides a general computer control integration interface, there is no integration with specific applications or platforms. BWise has particular strengths for buyers that are looking for a company-wide approach to GRC rather than an IT-specific solution, but it will be less appealing to buyers that are specifically focused on IT security and configuration management controls.

The product's main strengths are the following.

1. Filtering reports to provide targeted views of risks and controls;

2. Productized rules and connectors;

3. Product provides assertion, review and override workflows that are needed for audit and self-assessment activities.

However, the product has the following problems.

1. No IT-configuration-level content;

2. No out-of-the-box support for common third-party general computer control data sources;

3. No conditional branching in workflow;

4. Limited flexibility in self-assessment compared with other products in the market.

ControlCase

ControlCase offers IT GRCM as software and as a service. ControlCase's primary business is Payment Card Industry (PCI) assessment services, and many of its IT GRCM customers are also using ControlCase services. The ControlCase GRC framework is composed of nine modules: Compliance Manager; Vendor Manager; Merchant Manager; Policy Manager; Audit Manager; Asset and Vulnerability Manager; Incident Manager; Compliance Manager; and Data Discovery. The product natively collects firewall configuration data and evaluates it against PCI requirements, which is unique among IT GRCM vendors. There are also automated sensitive data discovery functions. Self-assessment capabilities are present, but results analysis is basic. ControlCase is most appropriate for organisations with PCI-centric IT GRCM requirements and a need for bundled services.

The product's main strengths are the following.

1. Good overall IT GRCM functions;

2. Automated general computer control capabilities are provided natively through a bundled solution and through integrations with a few other vulnerability assessment tools.

However, the product has the following problems.

1. Exception management functions are limited;

2. As a PCI-centric vendor, ControlCase's offerings may not be appropriate for organisations seeking broader IT GRCM use cases.

EMC (RSA)

Archer Technologies (EMC/RSA) offers very good IT GRCM capability, which also supports a promising EGRC function. Archer was acquired by RSA, the Security Division of EMC, in 2009. Archer's SmartSuite Framework provides a suite that is composed of eight management modules (policy, incident, asset, threat, risk, vendor, business continuity and compliance) that can be integrated. It is oriented toward large companies that value the ability to customize the product to match existing processes. The customizable framework supports the enablement of additional use cases, which is required for Archer's expansion into the EGRC market. Archer's SmartSuite Framework is sold primarily as software, but is also provided as a software-as-a-service offering that is sometimes used as a quick start for new customers.

The product's main strengths are the following.

1. The software offering provides a flexible framework that can be adapted to resolve a variety of GRC use cases;

2. The ability to customize to fit needs and existing processes;

3. Pending integration with other products in the EMC/RSA portfolio.

However, the product has the following problems.

1. Cost is frequently raised as an issue by customers and other evaluators;

2. The Archer Technologies road map may be at risk after the acquisition - especially the support for providing EGRC platform functions, due to the IT-centric nature of EMC's core businesses.

MetricStream

MetricStream offers the EGRC Platform. The company recently introduced the MetricStream IT GRC Solution to address IT GRCM use cases. Control self-assessment survey, policy distribution and attestation support is provided. The product provides basic support for the general computer control use case through out-of-the-box integrations with BigFix for security configuration assessment, Nessus (through a third party) for vulnerability assessment, and others through a user-configurable adapter. Native automated IT assessment capabilities are not provided. Control management mappings are all based on the unified compliance framework, thereby making MetricStream most appropriate for organisations seeking a top-down approach to IT GRCM.

The product's main strengths are the following.

1. Good survey functions, including automatically generated surveys from controls and some out-of-the-box survey content;

2. Native connectors to selected third-party vulnerability management products;

3. Good customer support.

However, the product has a problem. Content is all based on the unified compliance framework, which supports the approach of using a single assessment result as a part of different reports, thereby limiting applicability for bottom-up, IT-centric control management requirements.

Modulo

Modulo is an established IT GRCM vendor with executive management in Brazil and the U.S., with European operations, and with a growing North American presence. It has the ability to address EGRC use cases. The company is large and the products have a good track record, which positions them to do well in North America. Modulo continued to improve its sales and marketing presence in North America through 2009. Modulo has a sales office in the U.S., but its visibility in competitive evaluations remains limited. IBM Global Services uses Modulo in its risk assessment consulting engagements. Modulo's Risk Manager supports the self-assessment, audit support and automated general computer control use cases. In addition, Risk Manager delivers a large amount of content for IT technical controls, as well as predefined policy content for most major security configuration standards. Version 7, which is scheduled to be released in May 2010, provides a new user interface.

The product's main strengths are the following.

1. Mature products and a strong company;

2. Good auditor workflow support;

3. Large amount of vendor-developed content for IT technical controls, and predefined policy content for most major security configuration standards;

4. Native support for general computer control and formal support for multiple vulnerability assessment products.

However, the product has the following problems.

1. The maturity of the product has made its interface complex for users;

2. End users have reported configuration difficulties.

OpenPages

OpenPages is an EGRC product, but it has recently introduced the component named ITG that provides support for some IT GRCM use cases that are dependent on the unified compliance framework. The majority of OpenPages customers use ITG for policy management, risk management and compliance reporting. Policy distribution and attestation functions are flexible and customizable, but the product currently lacks IT-specific content in this area. The major weakness of the product is in the area of automated general computer control measurement. There are no predefined security configuration policies and no native capability or supported integrations for security configuration assessment or vulnerability assessment. OpenPages is most appropriate for organisations taking a top-down approach to GRCM requirements.

The product's main strengths are the following.

1. Use cases that focus primarily on EGRC and secondarily on IT GRCM;

2. Policy management and self-assessment.

However, the product has the following problems.

1. Automated collection for general computer control support is limited to a generic integration interface, and integration with only one product from a third-party vendor is available;

2. Vulnerability assessment support is in development;

3. IT-specific content is dependent on unified compliance framework mappings.

Rsam

Relational Security has rebranded to Rsam to reflect the evolving usage of its product beyond traditional IT security use cases. The Rsam product is a strong IT GRCM offering with the ability to support non-IT requirements. Although Rsam does not have its own data collection service, it supports third-party application programming interfaces for customers to execute their own scripts, and supports multiple formats for import from third-party data collection products. Rsam also supports remediation and exception management with good workflow, and the risk management function has the capability to create scoring and correlation among objects, survey responses and control states. Organisations seeking to automate operational risk assessment, audit automation and IT control management should consider Rsam.

The product's main strengths are the following.

1. Strong, flexible survey functions with a large amount of predefined content, and 30 or more predefined surveys;

2. Good workflow to manage the identification and remediation of threats;

3. An application programming interface that customers have used to integrate with other third-party data collection products;

4. Formal integration with 17 commercial scanners;

5. Flexible drag-and-drop customization for interface and reporting.

However, the product has the following problems.

1. Rsam lacks a native general computer control collection capability;

2. No predefined security configuration policies.

Symantec

Symantec's Control Compliance Suite (CCS) is specifically focused on IT GRCM and comprises three modules: Policy Manager, Standards Manager and Response Assessment Manager. Automated general computer control is provided by the CCS Standard Manager, which is widely deployed by customers for configuration policy compliance in the security operations role. Symantec has the largest installed base of security configuration policy compliance customers, which is spread across its CCS Standards Manager and Enterprise Security Manager products. Symantec is selling Control Compliance Suite into this installed base, and is beginning to sell it to buying centres that are oriented toward risk and policy management; however, automated computer control measurement often isn't the initial focus of these other buying centres. The solution is not optimal for organisations that want integration with third-party assessment technologies, because Control Compliance Suite does not provide out-of-the-box integration with non-Symantec sources. Control Compliance Suite is most appropriate for Symantec-centric organisations, but not recommended for organisations with top-down EGRC requirements.

The product's main strengths are the following.

1. Automated general computer control definition and measurement, especially for Symantec products;

2. Largest installed base of general computer control and measurement users;

3. Potential to capitalize on a large service organisation;

4. Symantec has strong native security configuration assessment capabilities, and also has native network vulnerability assessment functions.

However, the product has the following problems.

1. Use cases that aren't focused on Symantec technologies for configuration assessment;

2. Third-party general computer control support is limited to a generic interface - no formal support of specific third-party sources;

3. Symantec integrates with third-party ticketing systems, but has only basic support for remediation workflow within CCS;

4. Mostly compliance reporting with only a light treatment of risk.

Telos

Telos provides services and software products primarily to the U.S. federal government, and is still in the early stages of its expansion into commercial segments. Telos Xacta IA Manager is primarily oriented to compliance with government regulations, such as the U.S. Federal Information Security Management Act (FISMA), automated general computer control measurement, risk assessment (of technical controls) and tracking mitigation activities. Telos has expanded Xacta content for common commercial regulations and control frameworks, but the company still lacks significant experience in servicing commercial organisations. U.S. federal agencies with FISMA requirements should put Telos on their shortlists for IT GRCM products.

The product's main strengths are the following.

1. Appropriate for organisations that need to comply with government regulations;

2. Strong support for automated general computer control measurement and mitigation workflow;

3. Comprehensive asset-oriented technical assessment, survey evaluation, and reporting; for general computer control, a strong native capability in combination with formal integration with a few major scanners.

However, the product has the following problems.

1. Development of policy and control framework content for commercial regulations;

2. Little support for some aspects of commercial use cases, such as audit support;

3. No policy distribution and attestation function.

Trustwave

The IT GRCM capability complements Trustwave's other business units, which specialize in consulting and PCI compliance. Trustwave GRC has great flexibility through customization, but little out-of-the-box content. While the product does provide some out-of-the-box mappings into common regulations and frameworks, there are gaps for major regulations and control standards. The product lacks a native automated general computer control collection capability, and it does not support out-of-the-box integrations with common third-party products to import configuration and vulnerability data -- although there is a general data integration interface. Trustwave is developing a new technology base for its IT GRCM offering that will support unified compliance framework. Trustwave will need to carry both products and define a migration path to the new technology.

The product's main strengths are the following.

1. Product is a good fit for organisations that are looking for flexibility, and that wish to have consultants customize and configure their IT GRCM functions;

2. Surveys, workflow and policy attestation support control self-assessment.

However, the product has the following problems.

1. Although Trustwave GRC supports drag-and-drop associations between controls and control objectives, it doesn't provide out-of-the-box mappings into common regulations and frameworks;

2. The product doesn't provide native general computer control collection, nor does it support out-of-the-box integrations with common third-party products to import configuration and vulnerability data (although it can be customized to do so);

3. Trustwave will be moving to a new technology base - and it will need to carry both products and define a migration path to the new technology.

1.4.2 The most integrated existent IS management solution

Information security management products presently offered on the Ukrainian market include mostly the narrow solutions: risk managers, compliance scanners and penetration tests (network perimeter tests).

The most integrated IS management solution present in the Ukrainian market today is “Lumension Endpoint Management and Security Suite” (L.E.M.S.S.) produced by Lumension Security, Inc., a worldwide leader in operational security. The company became famous due to its developments, integrations and marketing of endpoint security software solutions that help businesses protect their critical information and manage the most important risks in the computer network assets.

The product itself is a composition of five special-purpose sections: vulnerability management, endpoint protection, data protection, compliance and IT risk management, and endpoint operations. Fig. 1.5 below is a generalised scheme of the product's structure from the official datasheet [13].

Fig. 1.5. The official illustration of the Lumension Endpoint Management and Security Suite structure

Two of the sections are subdivided into product modules. Endpoint Operations Product Modules are Patch and Remediation, Security Configuration Management, Enterprise Reporting. Endpoint Security and IT Risk Management Product Modules are Application Control, AntiVirus, Device Control, Risk Manager. The structure is described more in detail below.

1. Endpoint operations product modules

1.1. Patch and Remediation: Reduces corporate risk and optimizes IT operations through the timely, proactive elimination of operating system and application vulnerabilities across all endpoints and servers.

1.2. Security Configuration Management: Ensures that endpoints are securely configured and in compliance with industry best practices and regulatory mandates.

1.3. Enterprise Reporting: Provides centralized visibility of IT assets and consolidates vulnerability and configuration data across the enterprise.

2. Endpoint security and IT risk management product modules

2.1. Application Control: Enables the enforcement of application usage policies to ensure that only software that is explicitly authorized or trusted is allowed to execute.

2.2. AntiVirus: Provides comprehensive protection against all malware including viruses, spyware, Trojans and adware.

2.3. Device Control: Identifies all removable devices that are now or have ever been connected to your endpoints and enforces device / port access and data encryption policies to prevent data loss and/or theft.

2.4. Risk Manager: Automates compliance and IT risk management workflows and provides necessary visibility of people, processes and technology across the entire organisation. Imports scan data from multiple Lumension products and 3rd party scanning devices to its standalone interface.

L.E.M.S.S. is positioned as a solution that will provide an extended control over the corporate workstations, at the same time reducing the control complexity by centralising the management functions and automating the network data mining.

Today's rapidly changing IT network is more distributed and virtual than ever: sensitive data is often stored on remote endpoints, such as laptops and mobile PDAs, and accessed through public Wi-Fi networks connected to an organisation's IT network via the Internet. Mounting budget pressures are forcing companies to look increasingly at virtual and cloud-based computing alternatives. In addition, traditional point-based technologies and solutions have added more complexity and cost to organisations, because IT teams are focusing on the integration of disparate technologies and have to use many different consoles across multiple products.

As IT environments have become increasingly dynamic and distributed with data flowing across a myriad of devices and platforms, companies have effectively lost control of their information.

New approaches and solutions are required to ensure enhanced security and compliance with the lowest total cost of ownership possible. The once-separate IT functions of operations and security must collaborate and share information seamlessly to proactively address IT risk in a more effective and efficient manner. Lumension Endpoint Management and Security Suite is an extensible solution suite developed on the Lumension Endpoint Management Platform that reduces management complexity, minimizes TCO, improves visibility and delivers information control back to IT.

L.E.M.S.S. is intended to provide the following:

1. Reduced complexity and TCO via an agile infrastructure, which delivers modularly licensed product capabilities through an integrated console and single-agent architecture;

2. Greater visibility and control with an end-to-end approach that includes capabilities to meet endpoint operations, security, compliance and IT risk management needs;

3. Enhanced security, reduced operational friction and greater control of endpoints via Lumension Intelligent Whitelisting, which combines Lumension AntiVirus, Lumension Application Control, and Lumension Patch and Remediation with a trusted change management engine into a unified workflow;

4. Endpoint power management which reduces power consumption costs and enables the management and security of both online and offline endpoints.

The key benefits of the product are stated to be the following:

1. Reduce IT environment complexity;

2. Decrease endpoint total cost of ownership;

3. Provide greater visibility into and control over customer's network's endpoints;

4. Raise security and compliance posture;

5. Support the customer's IT operational and security mandates within a dynamic business environment;

6. Rationalize endpoint management and security workflows;

7. Ensure continuous endpoint protection.

Key features of the product are stated as the following:

1. Integrated endpoint management console: Web-based console and workflow-based navigation simplify and optimize IT operations.

2. Modularly licensed capabilities: An extensible platform that enables both Lumension capabilities as well as 3rd party developed capabilities to be easily integrated.

3. Comprehensive and automated reporting: Delivers a holistic view of your environmental risk with a full range of operational and management reports that consolidate information within a single management console.

4. Continuous and full discovery of the IT environment: Integrates award-winning solution capabilities to provide complete discovery of what is in your IT environment, including capabilities such as application whitelisting, device control, patch management, anti-virus and configuration management.

5. Scalable and agile architecture: Delivers both pull and push approaches to endpoint communication and policy distribution.

6. Optimized compliance and IT risk management: Streamlines compliance and IT risk management workflows and ensures continuous monitoring of compliance and IT risk postures.

7. Power management policy enforcement: Centralizes power management policies to achieve maximum energy efficiency for both online and offline machines. Wake- On-LAN capability ensures that offline machines receive critical patches and software updates.

8. Single promotable agent: Flexible agent architecture delivers services on the fly without requiring burdensome upgrades or agent bloat, provides easy agent install / uninstall capabilities, and offers self-monitoring and recovery capabilities.

Nevertheless, L.E.M.S.S. lacks top-level management instruments that would provide an understandable control interface for anyone on the board of directors, regardless of profession.

1.4.3 Common problems of the existent solutions

Of existent solutions on the Ukrainian market, none covers all the aspects (requirements) of the standards.

Even the most integrated IS management solution present on the Ukrainian market today, uniting the narrow functional modules into a broader security coverage, lacks certain features that would make it an effective management tool.

1.5 Mathematical model of IS

1.5.1 General description of the ISS model

The author conducted research [8] on the mathematical models of IS. The state of information systems and information security systems was modelled as a semi-Markov process. The application of semi-Markov processes in the development of the ISS was classified through the matrix of connections of elements. A conclusion was made about the applicability of models based on semi-Markov processes in the development and state description of the ISS, to increase the exactness of their efficiency estimation.

Because of the intense development and wide distribution of IT, the development of the ISS has become an important part of the information systems creation process. At the time of the research, the problem of combating the newest threats (the so-called "zero-day attacks") was pressing. To increase the modelling efficiency in the design of the functioning and attack reactions of information systems, semi-Markov processes can be applied.

The information security system (ISS) is a complex of legislative, organisational, technical and other measures and tools, providing the protection of important information from threats and loss channels in accordance with the stated requirements.

ISS has a special purpose which at formalised level acquires multidimensional character. The multidimensional (integral) task of information security requires the implementation of the system approach including the modelling of defence processes based on scientific methods.

The specific features of the solution for such a task are the following.

1. Presence of multiple criteria, related to the necessity of accounting for a large number of individual indexes (requirements);

2. Incompleteness and vagueness of initial information;

3. Impossibility to apply the classic optimization methods;

4. Necessity of obtaining both qualitative and quantitative indexes of the information security system efficiency.

The system approach to information security is a way of thinking and analysis, according to which the security system is examined as an aggregate of associated elements having a common goal - to provide information security. In the case of purposeful interconnection of elements, the ISS acquires specific properties, initially inherent to none of its components. Thus those properties of elements which determine the degree of their co-operation and influence the system as a whole have primary value.

From a methodical point of view, determination of ISS efficiency consists in measuring the proper indexes and producing a judgement about the accordance of certain methods and tools of defence with the set requirements and the purpose of the ISS.

Consequently, the process of ISS creation implies establishing strict logical and functional connections between the heterogeneous security elements. Thus, the importance of the properties of separate ISS elements decreases, and general system tasks come to the fore. As practice shows, it is the quality of the established connections that determines the efficiency of the security system as a whole.

To increase the ISS efficiency, it is possible to use the system approach to IS offered by V.V. Domariev in [2]. The approach determines the interconnections between concepts, definitions, principles, methods and mechanisms of security. The system approach is applicable not only in ISS development, but also at all stages of the information systems life cycle. Thus all the tools, methods and measures in use for maintaining security are united into a single mechanism.

The model of IS used in the system approach is divided into three groups of elements: bases (what it consists of), directions (what it is intended for) and stages (how it works). The relations between the components are presented as a matrix of knowledge (presented in fig. 1.6), where the content of every element describes the interconnection of constituents.

Fig. 1.6. The numeration of elements in the Matrix of knowledge

1.5.2 Semi-Markov process definition

The work [14] is devoted to the mathematical description of semi-Markov processes. A semi-Markov process is a Markovian process with random transition intervals, thus being Markovian only at the transition instants. To describe a semi-Markov process with $N$ states, it is necessary to specify $N^2$ transition probabilities $p_{ij}$ determining the transition to state $j$ if the present state is $i$, satisfying the conditions (1.1).

$i = 1, 2, \dots, N; \qquad p_{ij} \ge 0,\quad 1 \le i, j \le N. \qquad (1.1)$

The time interval between the transitions is determined by the random variable $\tau_{ij}$, governed by a corresponding set of $N^2$ holding-time density functions (1.2).

$h_{ij}(\cdot),\quad 1 \le i, j \le N. \qquad (1.2)$

Thus, it is convenient to define a semi-Markov process by the transition probability and holding-time density function matrices of size $N \times N$, respectively $P = \{p_{ij}\}$ and $H(\cdot) = \{h_{ij}(\cdot)\}$.

Whenever the process enters a state, the next state and the holding time are determined by the transition probabilities and holding-time density functions. After holding in state $i$ for the time $\tau_{ij}$, the process makes the transition to state $j$ and repeats the whole procedure.

Let the current state be $\xi(t)$. Taking into account that the modelling is applied to the ISS, transitions of the system to the same state are not considered ($p_{ii} = 0$). The chart of a semi-Markov process is presented in fig. 1.7, a.

Let ${}^{cc}W(t) = \{{}^{cc}w_i(t)\}$ be the diagonal matrix of probabilities that the system will not leave state $i$ until after time $t$.

The matrix flow graph representing semi-Markovian transitions is presented on fig. 1.7, b.

Fig. 1.7. Semi-Markov process chart (a) and its matrix flow graph (b)

Finally, the semi-Markov process is described by the interval-transition probability matrix (1.3).

$\Phi^{e}(s) = \left[\, I - P \,\square\, H^{e}(s) \,\right]^{-1}\, {}^{cc}W^{e}(s), \qquad (1.3)$

where $I$ is the unit matrix, $\square$ denotes element-by-element matrix multiplication, and the superscript ${}^{e}(s)$ denotes the exponential (Laplace) transform of a matrix (1.4).

(1.4)

1.5.3 ISS state as a semi-Markov process

The state of an information system, as well as of an ISS, can be described as a continuous-time semi-Markov process that has an arbitrary transition probability matrix and all holding times given by an exponential distribution (1.5).

$h_{ij}(t) = \lambda e^{-\lambda t},\quad 1 \le i, j \le N. \qquad (1.5)$

Then the interval-transition probability matrix will be described by the formula (1.6).

(1.6)

and the state graph will have either of the two forms shown in fig. 1.8.

Fig. 1.8. Matrix flow graphs of the continuous-time semi-Markov process, forms (a) and (b)
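The following Python program is an added worked example and is not part of the thesis or of [14]. It covers both the general semi-Markov process of section 1.5.2 (simulated directly from the matrix $P$ and samplers for the holding times $\tau_{ij}$) and the exponential special case (1.5) of section 1.5.3, for which the interval-transition probabilities are computed exactly. Because the body of formula (1.6) is not reproduced above, the exact computation uses the standard uniformization identity for a common rate $\lambda$: the number of transitions in $(0, t]$ is Poisson with mean $\lambda t$ and each transition follows $P$, so $\Phi(t) = \sum_k e^{-\lambda t} (\lambda t)^k / k! \cdot P^k$. The four system states, the matrix $P$ and the rate are constructed for illustration; the convention $p_{ii} = 0$ from section 1.5.2 is enforced.

```python
"""Semi-Markov model of the ISS state (added example, not the thesis's own code).

General process of 1.5.2: simulated from P and holding-time samplers.
Exponential case (1.5) of 1.5.3: interval-transition matrix Phi(t) computed
exactly by uniformization.  All state names and numbers are constructed.
"""
import math
import random

# Constructed, hypothetical states of the protected system.
STATES = ["normal", "under attack", "compromised", "recovery"]

# Constructed transition probability matrix P = {p_ij}: rows sum to 1 and
# p_ii = 0, because transitions to the same state are not considered (1.5.2).
P = [
    [0.0, 1.0, 0.0, 0.0],   # normal       -> under attack
    [0.6, 0.0, 0.4, 0.0],   # under attack -> normal (repelled) or compromised
    [0.0, 0.0, 0.0, 1.0],   # compromised  -> recovery
    [1.0, 0.0, 0.0, 0.0],   # recovery     -> normal
]


def validate_transition_matrix(P, tol=1e-12):
    """Check conditions (1.1) plus the thesis's p_ii = 0 convention; return N."""
    n = len(P)
    for i, row in enumerate(P):
        if len(row) != n:
            raise ValueError("P must be square")
        if any(p < 0 for p in row):
            raise ValueError(f"negative probability in row {i}")
        if abs(sum(row) - 1.0) > tol:
            raise ValueError(f"row {i} of P does not sum to 1")
        if row[i] != 0.0:
            raise ValueError(f"p_{i}{i} must be 0 (no self-transitions)")
    return n


def matmul(A, B):
    n = len(A)
    return [[sum(A[i][k] * B[k][j] for k in range(n)) for j in range(n)] for i in range(n)]


def interval_transition_probabilities(P, lam, t, tol=1e-12):
    """Phi(t) for exponential holding times h_ij(t) = lam * exp(-lam t), all i, j.

    Uniformization: Phi(t) = sum_k exp(-lam t) (lam t)^k / k! * P^k.  The series
    is truncated once the remaining Poisson mass is below tol.
    """
    n = validate_transition_matrix(P)
    power = [[1.0 if i == j else 0.0 for j in range(n)] for i in range(n)]  # P^0
    weight = math.exp(-lam * t)                                           # k = 0
    phi = [[weight * power[i][j] for j in range(n)] for i in range(n)]
    remaining, k = 1.0 - weight, 0
    while remaining > tol:
        k += 1
        power = matmul(power, P)           # P^k
        weight *= lam * t / k              # Poisson(k; lam t)
        for i in range(n):
            for j in range(n):
                phi[i][j] += weight * power[i][j]
        remaining -= weight
    return phi


def simulate_semi_markov(P, holding_sampler, t, start, rng):
    """One path of the general semi-Markov process (1.5.2) up to time t.

    holding_sampler(i, j, rng) returns one draw of tau_ij with density h_ij.
    Returns the state occupied at time t.
    """
    state, clock = start, 0.0
    while True:
        u, acc, nxt = rng.random(), 0.0, None
        for j, p in enumerate(P[state]):   # next state from row `state` of P
            acc += p
            if u < acc:
                nxt = j
                break
        if nxt is None:                    # guard against rounding in the row sum
            nxt = max(range(len(P)), key=lambda j: P[state][j])
        hold = holding_sampler(state, nxt, rng)
        if clock + hold > t:               # still in `state` at time t
            return state
        clock += hold
        state = nxt


def estimate_interval_probabilities(P, holding_sampler, t, start, runs, seed=1):
    """Monte Carlo estimate of row `start` of Phi(t) for arbitrary holding times."""
    rng = random.Random(seed)
    counts = [0] * len(P)
    for _ in range(runs):
        counts[simulate_semi_markov(P, holding_sampler, t, start, rng)] += 1
    return [c / runs for c in counts]


if __name__ == "__main__":
    lam, t = 2.0, 1.5
    exact = interval_transition_probabilities(P, lam, t)
    mc = estimate_interval_probabilities(P, lambda i, j, rng: rng.expovariate(lam), t, 0, 20000)
    for j, name in enumerate(STATES):
        print(f"normal -> {name:12s} at t={t}: exact {exact[0][j]:.4f}, simulated {mc[j]:.4f}")
```

Running the file compares the exact row of $\Phi(t)$ for the "normal" state with the simulated one; the simulator also accepts non-exponential samplers (for instance, a fixed recovery time), which is the situation the general definition of section 1.5.2 allows and the exponential formula does not cover.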

The foregoing description of the information system state can be accepted as a basis of its generalised functioning model. The basic purpose of generalised models consists in creating the pre-conditions for the objective estimation of the general information system state from the view of either the vulnerability measure or the information protection level. A necessity for such estimations usually arises in the analysis of the general situation with the purpose of making strategic decisions during the organisation of information security. The general models of systems and information security processes are those that allow one to determine (to estimate) the general characteristics of the considered systems and processes, unlike local and private models, which provide determination (estimation) of some local or private descriptions of systems or processes.

A short list and descriptions of models, in which the Semi-Markov processes can be applied, is presented below.

General model of information security process. This model, in the most general view and for the most general object being protected, must display the information security process as a process of co-operation of random destabilising factors, affecting information, and information security tools that hinder the action of these factors. The result of co-operation will be a certain level of information security;

Generalised model of the ISS. Being further development of general information security process model, the generalised model of the ISS must display the basic procedures, carried out inside this system with the purpose of rationalisation of information security processes. These processes in the most general view can be presented as distribution and use of information security resources as reactions on random changes in influence of destabilising factors;

Model of general estimation of information threats. The basic purpose of this model is to estimate not only the information threats themselves but also the losses that different threats can cause. Models of this direction are also important because it is in them that the conditions under which estimations can be adequate to the real information security processes are exposed to the greatest degree;

Models of analysis of the systems that differentiate access to information system resources. Models of this class are intended to support the solution of tasks of analysis and synthesis of the systems (mechanisms) that differentiate access to the different types of information system resources, and foremost to the data arrays. The separation of these models into an independent class of general models is justified by the fact that the mechanisms of access differentiation are among the most substantial components of the ISS, and the general efficiency of information security in an information system depends to a great extent on the efficiency of access differentiation. In these models the semi-Markov process can describe access to information with different degrees of secrecy, where the states are authentications at the different security levels.

1.5.4 Application of semi-Markov processes in ISS development

Planning, organisation and application of an ISS are related to unknown future events and always contain elements of vagueness. In addition, other sources of ambiguity are present, such as incomplete information for making administrative decisions or social-psychological factors. Therefore it is natural that considerable vagueness accompanies the ISS planning stage. The level of ambiguity can be lowered by applying the most adequate models.

Semi-Markov processes can be applied in ISS development as a universal tool for modelling the functioning of information systems at the stages of defining possible threats and information loss channels and of estimating vulnerability and risks. The semi-Markov processes application domain corresponds to elements 204 and 304 of the Matrix of knowledge (fig. 1.9). A zero in the second digit means coverage of all directions. Thus, semi-Markov processes are included in the means that perform the following tasks.

1. Provide efficiency and quality in the definition of the set of possible threats and information loss channels on objects in the information system, in processes and applications of the information system, during information transfer along communication channels, due to side electromagnetic radiation, and also in the process of security system management;

2. Determine how the estimation of vulnerability and risks of information is conducted on objects in the information system, in processes and applications of the information system, during information transfer along communication channels, due to side electromagnetic radiation, and also in the process of security system management.

Fig. 1.9. The scope of semi-Markov processes application in the Matrix of knowledge

1.5.5 Application of semi-Markov processes in ISS state description

According to the modern theory of systems efficiency estimation, ISS quality shows up only in the process of its use for its intended purpose (special-purpose functioning); therefore an evaluation of the efficiency of application is the most objective.

The probability that the system fulfils its objective (providing the required security level) must be used as the basis of the complex of indexes and criteria of ISS efficiency estimation. The concepts of suitability and optimality then serve as criteria of estimation. Suitability means that all the requirements set for the ISS are met; optimality means that one of the characteristics reaches its extreme value while the limitations and conditions applied to the other properties of the system are observed.

To describe the ISS state it is enough to compose the Matrix of estimations (an example is presented in fig. 1.10), which contains in its cells the efficiency estimations of the corresponding system elements. When any information system parameter changes, one or more elements of the Matrix of estimations may change due to logical connections. That influences the generalised indexes; consequently, the general ISS state changes. The logical deduction hierarchy of ISS security level estimation is presented in Appendix A.

Fig. 1.10. Matrix of estimations

Taking into account the character of these changes, it is possible to suppose that the functioning of the ISS is also a semi-Markov process. This conclusion allows the changes of the ISS state to be described by a relatively simple mathematical model. Mathematical models of information system functioning based on semi-Markov processes can be used in the simulation of attacks on the information system, which will improve the development of threat counteraction measures.

It can be concluded that semi-Markov processes can be applied in the design and state description of the ISS. Models of information system activity based on semi-Markov processes can be used to increase the accuracy of ISS efficiency estimation, as well as in ISS development.
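The following Python example is added here to illustrate the semi-Markov model used in sections 1.5.3 and 1.5.5 (the interval-transition probabilities and state graph of fig. 1.8, and the functioning of the ISS as a semi-Markov process); it is not code from the thesis or from the "Matrix" system. The four ISS states, the embedded transition matrix P, the holding-time distributions and all numeric values are assumptions constructed for the example. It computes the stationary distribution of the embedded chain, the long-run fraction of time the ISS spends in each state (the standard result pi_i m_i / sum_k pi_k m_k), checks that result by simulating one long trajectory, and estimates the interval-transition probabilities phi_ij(t) for a given t by Monte Carlo simulation.

```python
import random

# Constructed example: an ISS modelled as a semi-Markov process with four states.
STATES = ["normal", "attacked", "compromised", "recovery"]
NORMAL, ATTACKED, COMPROMISED, RECOVERY = range(4)

# Embedded Markov chain: P[i][j] is the probability that the state after i is j.
# Assumed values; every row sums to 1.
P = [
    [0.0, 1.0, 0.0, 0.0],  # normal: a destabilising factor eventually appears
    [0.7, 0.0, 0.3, 0.0],  # attacked: repelled by protection tools, or compromise
    [0.0, 0.0, 0.0, 1.0],  # compromised: always followed by recovery
    [0.9, 0.1, 0.0, 0.0],  # recovery: back to normal, or a repeat attack
]

# Assumed mean holding time (hours) in state i given that the next state is j.
MEAN_HOLD = [
    [0.0, 48.0, 0.0, 0.0],
    [2.0, 0.0, 6.0, 0.0],
    [0.0, 0.0, 0.0, 12.0],
    [8.0, 8.0, 0.0, 0.0],
]


def sample_holding(i, j, rng):
    """Holding time in state i before moving to j.

    A semi-Markov process may use any holding-time distribution, unlike a
    continuous-time Markov chain: attacks arrive exponentially, while recovery
    takes a bounded, roughly planned time (uniform around its mean).
    """
    mean = MEAN_HOLD[i][j]
    if i == RECOVERY:
        return rng.uniform(0.5 * mean, 1.5 * mean)
    return rng.expovariate(1.0 / mean)


def embedded_stationary(p, iterations=5000):
    """Stationary distribution pi of the embedded chain (pi = pi P).

    Iterates the lazy chain (I + P) / 2, which converges for any irreducible P,
    periodic or not, to the same stationary distribution.
    """
    n = len(p)
    pi = [1.0 / n] * n
    for _ in range(iterations):
        pi = [0.5 * pi[j] + 0.5 * sum(pi[i] * p[i][j] for i in range(n))
              for j in range(n)]
    return pi


def mean_holding_times(p, mean_hold):
    """Unconditional mean sojourn time m_i = sum_j P[i][j] * MEAN_HOLD[i][j]."""
    n = len(p)
    return [sum(p[i][j] * mean_hold[i][j] for j in range(n)) for i in range(n)]


def long_run_occupancy(p, mean_hold):
    """Long-run fraction of time in each state: pi_i m_i / sum_k pi_k m_k."""
    pi = embedded_stationary(p)
    m = mean_holding_times(p, mean_hold)
    weighted = [pi[i] * m[i] for i in range(len(p))]
    total = sum(weighted)
    return [w / total for w in weighted]


def next_state(i, rng):
    """Draw the successor of state i from row i of the embedded chain."""
    u, acc = rng.random(), 0.0
    for j, prob in enumerate(P[i]):
        acc += prob
        if u < acc:
            return j
    return len(P) - 1  # guards against floating-point rounding in the row sum


def simulate(start, horizon, rng):
    """One semi-Markov trajectory up to `horizon`.

    Returns (time spent in each state, state occupied at time `horizon`).
    """
    time_in_state = [0.0] * len(STATES)
    state, clock = start, 0.0
    while True:
        j = next_state(state, rng)
        hold = sample_holding(state, j, rng)
        if clock + hold >= horizon:
            time_in_state[state] += horizon - clock
            return time_in_state, state
        time_in_state[state] += hold
        clock += hold
        state = j


def simulated_occupancy(start=NORMAL, horizon=1_000_000.0, seed=1):
    """Time-average occupancy from one long trajectory (Monte Carlo check)."""
    time_in_state, _ = simulate(start, horizon, random.Random(seed))
    return [t / horizon for t in time_in_state]


def interval_transition_probabilities(start, t, runs=2000, seed=1):
    """Estimate phi_{start,j}(t): probability of being in state j at time t."""
    rng = random.Random(seed)
    counts = [0] * len(STATES)
    for _ in range(runs):
        _, state_at_t = simulate(start, t, rng)
        counts[state_at_t] += 1
    return [c / runs for c in counts]


if __name__ == "__main__":
    analytic = long_run_occupancy(P, MEAN_HOLD)
    simulated = simulated_occupancy()
    for name, a, s in zip(STATES, analytic, simulated):
        print(f"{name:12s} analytic={a:.3f} simulated={s:.3f}")
    print("phi_normal,j(24 h):", [round(x, 3) for x in interval_transition_probabilities(NORMAL, 24.0)])
```

The row of `interval_transition_probabilities` for a chosen start state is one row of the interval-transition probability matrix discussed in section 1.5.3; the long-run occupancy is what that matrix converges to as t grows. Replacing the assumed P and MEAN_HOLD with values estimated from an organisation's own incident and recovery records turns the same code into a state-description model of that organisation's ISS.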

Conclusions to section

The development of the IS management standards was presented.

The main modern international IS management standards were described.

The national peculiarities of the IS management standards were highlighted.

The IS management standards were positioned according to the system approach to information security. The places of the national IS management standards in the system approach framework were illustrated.

The existent IS management solutions were overviewed and the most integrated existent IS management solution was highlighted. The major strengths and problems of the existent IS management solutions were stated.

Semi-Markov processes were suggested as a mathematical model of IS.

Considering the current state, problems and demands of the information security management branch, the author concludes that an ISMS with analytical potential is needed to satisfy the requirements of the branch, as well as to raise the sufficiency of IS management in organisations. The analytical functions of the product should facilitate IS audit and management in the target organisation.

IS maintenance can be considered as a stochastic system with partial observability and controllability. These properties must be accounted for in the development of an ISMS.

The features needed in an effective ISMS are defined in section 2.

SECTION 2. DEFINITION OF THE EFFECTIVE ISMS FEATURES

2.1 The mandatory ISMS documents

The branch standards of Ukraine “ГСТУ СУІБ 1.0/ISO/IEC 27001:2010” [3] and “ГСТУ СУІБ 2.0/ISO/IEC 27002:2010” [4] impose certain requirements on an ISMS. The document [15] describes the main ones.

To begin with, the ISMS must operate on the basis of certain policies. Alternatively, such policies may be produced during its development or operation. The work [16] proposes the following mandatory ISMS documents.

Records of key management decisions regarding the ISMS, for example, minutes of management meetings, investment decisions, mandating of policies, reports etc.; these are not individually specified in the standard apart from the following specific items.

Information security policy set, matching the characteristics of the business, the organisation, its location, information assets and technology, and including an ISMS policy and an information security policy.

An ISMS policy defines the objective-setting management framework for the ISMS, giving it an overall sense of direction/purpose and defining key principles. The ISMS policy must possess the following properties:

1. Take account of information security compliance obligations defined in laws, regulations and contracts;

2. Align with the organisation's strategic approach to risk management in general;

3. Establish information security risk evaluation criteria;

4. Be approved by management.

Information security policy or policies specifies particular information security control objectives or requirements in one or more documents. This document should also be approved by management to have full effect.

ISMS scope defines the boundaries of the ISMS in relation to the characteristics of the business, the organisation, its location, information assets and technology. Any exclusions from the ISMS scope must be explicitly justified.

Information security procedures, which are written descriptions of information security processes and activities, for example, procedures for user ID provisioning and password changes, security testing of application systems, information security incident management response etc.

Controls documentation, for example, technical security standards, security architectures/designs etc. and referencing ISO/IEC 27002 (details vary between ISMSs).

Risk assessment methods, which are policies, procedures and/or standards describing how information security risks are assessed.

Risk assessment reports document the results, outcomes and recommendations of information security risk assessments performed using the methods noted above. For identified risks to information assets, the possible treatments are applying appropriate controls, knowingly and objectively accepting the risks (if they fall within the information security risk evaluation criteria), avoiding them, or transferring them to third parties. The information security control objectives and controls should be identified in these reports.

Risk treatment plan, which is a project plan describing how the identified information security control objectives are to be satisfied, with notes on funding, roles and responsibilities.

ISMS operating procedures, which are written descriptions of the management processes and activities necessary to plan, operate and control the ISMS, for example, the policy review and approval process and the continuous ISMS improvement process.

Information security metrics describe how the effectiveness of the ISMS as a whole, plus key information security controls where relevant, is measured, analysed, presented to management and ultimately used to drive ISMS improvements.

Statement of Applicability states the information security control objectives and controls that are relevant and applicable to the ISMS, generally a consolidated summary of the results of the risk assessments, cross-referenced to the control objectives from ISO/IEC 27002 that are in scope.

Document control procedure explains how ISMS documents are approved for use, reviewed, updated, re-approved as necessary, version managed, disseminated as necessary, marked etc.

Records control procedure explains how records proving conformity to ISMS requirements and the effective operation of the ISMS (as described elsewhere in the standard) are protected against unauthorized changes or destruction. Again, this procedure may be copied from the QMS or other management systems.

Security awareness, training and education records document the involvement of all personnel having ISMS responsibilities in appropriate activities (for example, security awareness programs and security training courses such as new employee security induction/orientation classes). While not directly stated, the requirement for information security awareness materials, training evaluation/feedback reports etc. may be inferred.

Internal ISMS audit plans and procedures state the auditors' responsibilities in relation to auditing the ISMS, the audit criteria, scope, frequency and methods. While not stated directly, ISMS audit reports, agreed action plans and follow-up/verification/closure reports should be retained and made available to the certification auditors on request.

Corrective action procedure documents the way in which nonconformities which exist are identified, root-causes are analyzed and evaluated, suitable corrective actions are carried out and the results thereof are reviewed.

Preventive action procedure, which is similar to the corrective action procedure but focuses more on preventing the occurrence of nonconformities in the first place, with such activities being prioritized on the basis of the assessed risk of such nonconformities.

2.2 Content management system for an ISMS

The ISMS may rely on a content management system to support the exchange of information, for example, audit reports, policies, etc. The content management system must be selected with the specific requirements of the enterprise in mind. It is recommended to follow a structured specification and evaluation process, such as the one used for choosing risk analysis/management methods.

There exist free or open source and commercial products designed to support ISMSs and ISO27k. They come as Content Management Systems (CMS), Document Management Systems (DMS), Learning Management Systems (LMS) and Policy Management Systems (PMS).

Such a system is nevertheless optional, and information exchange can be directly supported by an ISMS or be performed manually for relatively small businesses or at higher managerial levels.

2.3 The information security metrics

The quality of IS can be measured through various parameters, ranging from the number of blocked spam messages to the degree of attainment of strategic goals. As for an ISMS, the author strongly insists on measuring the effectiveness by managerial indexes, such as the number of completed low-level tasks, the conventional risk value eliminated by a security measure, etc. Such evaluation yields better understanding at high executive levels.

2.4 Internal audit capabilities

The second ultimate goal of implementing an ISMS, besides providing comprehensive IS management for the enterprise, is certification of conformity to one or several of the ISO27k standards.

The certification process assumes an external audit of the corporate ISS to determine compliance with the standard. To ensure a successful external audit, a company may conduct internal security audits prior to certification.

As the ISMS contains and manipulates the most important security assessment data, the introduction of audit functions may greatly facilitate the internal audit procedures.

Conclusions to section


Taking into consideration the stated problems and requirements to an ISMS, the following features and functional capabilities are needed in an information security management product.

1. High-level managerial presentation by the introduction of simple interfaces and reports oriented specifically at the high-level management;

2. Monitoring and management of the IS risks at the enterprise with immediate reassessment in case of any changes in the sets of assets and threats;

3. Planning of external or internal IS audit, control of the audit procedures progress by pivot reports;

4. Registration of violations, deviations and remarks in the process of audit procedures fulfilment by supplying the needed information in a specialised report;

5. Use of templates for policies, descriptions and other working documents. These templates must comply with the national standards;

6. Creation and keeping all the necessary dispositive and regulation documents on IS (functional duties, instructions, security policies, etc.) by storing, updating and supplying the corporate IS information to the documents directly;

7. Maintaining the common databases of knowledge and methodical materials, with archiving, to supply management decisions with up-to-date data;

8. Analysis of the IS state (matrix of the state) and forming of management-level reports as comprehensible tables and charts, as it is usually hard to convey IS issues to non-specialists;

9. Rational distribution of roles and authorities, allocation of resources to officials and tasks;

10. Informative-analytical support of the organisation's management decisions on the process of IS management, because with clear and up-to-date information it is easier to take rational decisions;

11. Providing the forming of requirements (matrix of requirements) and ISMS efficiency estimation indexes (matrix of estimations), which is important in controlling the achievement of the set objectives;

12. Estimation and management of the budget of the ISMS creation and exploitation, to control the expenditures on the ISMS in particular, or the overall organisation's IS;

13. Monitoring of tasks execution and rendering of recommendations to boost the overall performance for the projects.

SECTION 3. INFORMATION SECURITY MANAGEMENT SYSTEM “MATRIX”

3.1 Purpose of the ISMS

The basic task of the ISMS is informative-analytical support of the ISS creation process, owing to precise estimation of the efficiency of the accepted decisions and the choice of rational hardware, software and organisational solutions.

ISMS “Matrix” is based on the system approach to information security by Domarev V.V., as well as on the experience of different companies.

The proposed ISMS provides the following functional capabilities:

1. Development of documentation;

2. Personnel management;

3. Rational choice of software and hardware IS means and solutions;

4. Forming the terms of reference and projects management;

5. Management of information assets and resources;

6. Analysis of threats;

7. Estimation of risks;

8. Planning, development and implementation of organisational and technical measures of IS;

9. Estimation of the IS efficiency;

10. Accumulation of informative-analytical knowledge and experience;

11. Training and education of organisation's specialists in information security.

3.2 General description of the ISMS

The “Matrix” is positioned as an information security management, international IT standard implementation and decision support system. The ISMS is an information-methodological instrument of IS management: a simple, versatile and effective means of creating, managing, controlling and estimating the efficiency of the IS provision processes in organisations.

The “Matrix” is a systematic solution intended to organise the cooperation of the organisation's management, IT department, IS service, internal audit specialists and other departments in the process of IS management in the organisation.

The ISMS “Matrix” is designed for organising information security management processes in accordance with the requirements of the standards of the National Bank of Ukraine or other normative documents. The system also allows the work on creating the ISS to be organised independently, and it easily adapts to the solution of concrete IS provision tasks, taking the peculiarities of the business processes into consideration.

