Information security management system of a corporate network
IS management standards development. The national peculiarities of the IS management standards. The most integrated existent IS management solution. General description of the ISS model. Application of semi-Markov processes in ISS state description.
Category | Programming, computers and cybernetics |
Type | diploma thesis |
Language | English |
Date added | 28.10.2011 |
File size | 2.2 MB |
Implementing the ISMS “Matrix” makes it possible to reduce the cost of bringing in external auditors and consultants.
The ISMS “Matrix” is based on the principles of the system approach to IS management, absorbing the knowledge and best practices of the leading companies that provide IS. The system consists of a database containing the sets of operational tasks and knowledge. Each element of these sets is classified by Domarev's Matrix (an element is assigned to a stage, a direction and a base). This allows IS management and knowledge to be systematised and united.
3.3 Improvements provided by the ISMS
Applying the ISMS makes it possible to:
1. increase the efficiency of management decisions;
2. systematise and unite the forces of different specialists for the achievement of common goal (implementation of one or several international IS standards simultaneously);
3. estimate the current state of ISS and its compliance to a certain IS standard;
4. obtain pivot reports on the ISS state and on current and finished jobs (extension, updating, etc.).
According to the research of the analogous products presented in [12], there exist certain problems in IT GRCM software. The explanations of the solutions and their effects are presented below.
The following improvements became possible due to the application of the developed ISMS “Matrix”.
The situation where a product concentrates more on assessment than on managerial functions is resolved because the main function of the developed ISMS is high-level management. Thus the managerial efficiency of the product is increased.
The problem of the absence of conditional branching in workflow algorithms is eliminated because the developed ISMS supports workflows that are not limited to business processes with strict algorithms. Thus the developed ISMS can be applied to non-trivial business situations.
Limited flexibility in self-assessment is resolved because the operation of the developed ISMS is based on self-assessment data and is dynamically rebuilt in reply to any changes in the structure, operation or normative provision of the target organisation. Thus the developed ISMS extends the self-assessment abilities of the target organisation.
The situation where a product is focused on a single standard and is not suitable for broader use is resolved because the system approach to IS enables the handling of any normative documents, from internal regulations to international standards. Thus the developed ISMS can be used to implement a wider scope of standards.
The price of the developed ISMS for the customers is considerably lower than for analogous products because the system core is distributed freely and support pricing is low due to immaturity of the product. Thus the developed ISMS is more affordable than analogous products.
The situation where content is all based on bottom-up, IT-centric control management requirements is resolved because the developed ISMS is designed to operate only on high managerial levels, preventing users from drowning in the vast amount of technical details. Thus an overall clear view of the IS state at the target organisation is maintained.
The situation where the maturity of the products makes their interfaces complex for users is resolved because the interfaces of the developed ISMS can be adapted on demand for each customer. Thus the developed ISMS is more convenient for the end users.
The configuration difficulties for the end users are eliminated because no end-user configuration is needed, except for enabling MS VBA macros. Thus the developed ISMS has faster deployment.
The absence of predefined security policies is compensated by the possibility of having the product support unit fill the developed ISMS according to any normative document or policy. Thus the developed ISMS has improved adaptability to the defined IS policy or other normative documents.
The presence of mostly compliance reporting with only a light treatment of risk is resolved in the developed ISMS because risk assessment is a dedicated function, providing both detailed risk estimations and pivot charts. Thus the balance between the treatments of compliance and risks is established in the developed ISMS.
The difficulties in developing policy and control framework content for commercial regulations are eliminated because the system approach to IS used in the developed ISMS is equally effective in both state and commercial organisations. Thus the developed ISMS obtains a wider application scope in terms of target organisation spheres.
The limited audit support is resolved in the developed ISMS by the presence of a variety of reports and pivot charts that allow various audits to be passed without reassessment. Thus the developed ISMS shortens the preparation time before multiple audits.
Appendix B summarises the problems solved in the developed ISMS “Matrix”.
Application of the developed ISMS also has financial advantages. The following numerical estimations were made.
1. The price of the product and technical support is 10 times lower on average.
2. The cost of training internal auditors (ranging from about 5000 to 8000 UAH) is compensated by the inherent audit capabilities of the ISMS “Matrix”.
3.4 Structure of the ISMS
3.4.1 Structure overview
The ISMS “Matrix” is implemented as a relational database with menus, screen forms and printable reports in Microsoft Office Access 2000 Database format (*.mdb).
The database itself consists of two main tables, a risk list and the common classifying element lists (see appendix C). The tables are linked in the schema not by ID fields (as is classical in database design) but by the names of elements. This is arranged for better flexibility in case of changes in data structures during ISMS development or customisation.
The first main table “Knowledge” (Тд_ЗНАНИЯ) contains the information about the input normative documents and regulations. The second main table “Tasks” (Ту_ЗАДАЧИ) contains the information about all the dispatched tasks: current, planned and archived.
Risk assessment is performed by forming asset-threat relations in the table “Risk list” (спис_риски). For quantitative estimations, value fields are provided in the tables of assets (спис_активы) and threats (спис_угрозы). For details see appendix C.
3.4.2 Classifying elements
The classification of sections from multiple documents as well as the classification of tasks is implemented by the introduction of the common classifying elements according to Domarev's Matrix of system approach to IS [2]. The classifying elements are listed below according to appendix C.
1. Directions (напрямки);
2. Objects (об'єкти);
3. Group of bases (основи);
3.1. Officials (співробітники);
3.2. Documents (документи);
3.3. Measures (заходи);
3.4. Means (засоби);
4. Stages (етапи);
5. Group of stage contents (зміст етапів);
5.1. Assets (активи);
5.2. Threats (загрози);
5.3. Requirements (вимоги);
5.4. Solutions (вирішення);
5.5. Implementations (впровадження);
5.6. Control (контроль).
The detailed descriptions of each of the classifying elements are presented further in this subsection.
Each set of classifying elements contains optional fields named “Level code 1” to “Level code 3” (Код рівня 1 - Код рівня 3). These fields are added for custom sorting of the set in case there are many entries and they need to be grouped. Filling these fields is completely optional and does not affect the performance of the ISMS.
1. Directions (напрямки)
This element was initially intended to divide the IS by the types of ISS operation. The division was made considering the specificity of IS components and processes being protected. Presently, the best practice is to match the IS directions with business directions, or business processes. For example, if the bank provides card services, deposits and e-banking, it is recommended to list these as “directions”.
To define directions, consider what business directions the target enterprise has and what major business processes run there.
The set of directions depends completely on the target enterprise or considered document. There are no standard directions, so the user has to fill the list on his own. Nevertheless, it is recommended to add “Whole enterprise” (Банк в цілому) or “All directions” (Всі напрямки) entries to the directions list. These entries might be needed when there are enterprise-wide or even enterprise-independent regulations.
2. Objects (об'єкти)
This element was not initially present in classic system approach to IS, but practical implementation experience has shown the necessity of its introduction. The objects are the major complex entities of the target organisation. The list of these elements might include the core objects of the organisation's business processes.
To define the objects, list the core elements of the organisation's business processes without going into detail.
The set of objects may include physical or information systems, like “Computer network” (Комп'ютерна мережа), or “E-mail system” (Електронна пошта). It is also recommended to add “Object-independent” (Окрема задача) entry to the objects list. This entry might be needed when there are object-independent or enterprise-wide regulations.
3. Group of bases (основи)
This group of classifying elements corresponds to “Bases” group from classical system approach matrix (including normative base, structure, measures and means). In classification of documents and tasks within the ISMS, the table storing the list of structure officials (спис_сотр) is used twice: once to define the supervisor, and the second time to select the responsible employee.
3.1. Officials (співробітники)
This element initially described the structure of the organisation's officials and departments that were responsible for the provision of information security. Presently, the list of officials contains all the officers and departments involved in the solution of IS tasks, because it is used to define both supervisors and the responsible. Practice shows that non-security officials are frequently drawn into IS processes. For example, according to the standard [3], the top management of the organisation must perform several security tasks, among which are distributing roles among the employees and conveying the importance of IS management to non-security divisions so that productive cooperation between the IS service and other departments is ensured.
There are no criteria to define the officials that will be involved in IS processes.
To fill the officials list, it is first needed to list the IS department both by individual and as a whole. For the latter it is recommended to use a record like “IS department” (Підрозділ інформ. безпеки). It is also recommended to add a record for management in general, like “Management” (Керівництво). Further, each employee or department that would be mentioned in IS tasks or documents will need to be added. Cooperation with the human resources department will help to obtain the list of employees and departments.
3.2. Documents (документи)
Initially this element represented the legislative, normative-methodical and scientific base of documents that were involved in the legislative aspects of information security. In the current ISMS implementation this element defines the document, part of which is being stored in the documentation module, or within the scope of which the task is dispatched.
To compose the set of documents, it is needed to enter the names of all the documents that regulate the information security at the target organisation, plus the standards that are about to be implemented.
The short names of the documents must be entered in the set. The names of the document groups may optionally be added in case there are multi-document tasks or regulations, for example “Regulations of the Cabinet of ministers” (Постанови Кабміну) or “International documents” (Міжнародні документи).
3.3. Measures (заходи)
As in the classic system approach to IS, the set of measures is the set of actions aimed at providing information security at the target organisation. These usually include measures executed at the creation of the ISS, measures executed during the operation of the ISS and measures of a general profile.
To define the measures, check what concrete processes and procedures aimed at IS support occur in the target organisation.
There is no standard set of measures, although the actions executed at organisations in order to provide and support information security are similar. The set can be large, including high- and low-level measures. One example of a high-level measure is “Access control” (Контроль доступу) and of a low-level measure - “Connection time limit” (Обмеження часу підключення).
3.4. Means (засоби)
As in the classic system approach to IS, this set includes program-technical means and methods of IS. They are the concrete tools used in IS or audit processes of the target organisation or considered document.
The author considers it worth noting that the set of means includes not only physical security items, but also the security methods like “Testing methods” (Методи тестування). To determine the IS means of the target organisation or considered document, it is needed to list all the concrete tools and names of the methods that are used in IS processes.
The set of means depends mostly on the target enterprise or considered document. Although there is a great variety of standard IS means and methods, this set will be varying largely depending on the size and business processes of the target organisation. As for the documents, the high-level standards (including ISO27k family, [3] and [4]) usually do not specify the concrete IS means. Common practice for documents is general naming like “Cryptographic means” (Криптографічні засоби).
4. Stages (етапи)
This element is intended to divide the IS processes into major steps. Initially, in the classic system approach to IS, the seven steps were formed based on the methodologies of ISS creation existent at the time of the research [2]. During the development of the ISMS “Matrix”, the need arose to adapt to various standards. This pushed the author (and developer) to separate the seven classical stages into a group of stage contents (зміст етапів) described below, and make the set of stages variable.
To define the IS stages of the target organisation or the considered document, it is needed to detect the major steps of ISS creation, maintenance and development.
The ISMS users can employ the seven classical stages (that coincide with the names of the elements listed below) or the stages explicitly stated in the considered document. For example, the standard [3] defines the model “Plan-Do-Check-Act” (Плануй-Виконуй-Перевіряй-Дій), so the stages set might consist of four entries with optional sub-stages.
5. Group of stage contents (зміст етапів)
This group of classifying elements corresponds to “Stages” group from classical system approach matrix, including definition of assets to be protected, definition of threats and information loss channels, risk estimation, definition of requirements to the ISS, selection of IS means, implementation of the selected means and methods of IS, control of the ISS integrity and IS management.
The practical implementation experience has shown that each stage of ISS creation and management has a broad and varying set of sub-stages that depends completely on the target organisation or considered document. Nevertheless, risk assessment was separated into a distinct module, which does not classify but simply provides approximate numerical estimations of risks.
5.1. Assets (активи)
Initially, in the classic system approach to IS, this element represented the classified or sensitive information to be protected by an ISS. The information is considered sensitive if its disclosure may cause damage to the vital interests of the target organisation or to the personal safety of people. The practical ISMS implementation experience has shown that it is needed to amend the list of assets with everything that can be affected by IS threats. For example, the Ukrainian branch standard [3] defines the assets as “everything that has a value to the organisation”. This caused the appearance of such entries as “Operating systems” (Операційні системи) or “Internetwork screen” (Міжмережевий екран).
To determine the list of assets for the target enterprise or the considered document, name all the low-level entities, present in the target organisation or mentioned in the considered document, that may be affected by IS threats and thus cause IS risks. It is worth noting that the set of assets differs from the set of objects described above in that objects are complex entities of the business processes, whereas assets are more concrete, low-level entities that are affected by IS threats. For example, whereas “Computer network” (Комп'ютерна мережа) is an object that may also become an asset, “Cryptographic keys” (Криптографічні ключі) can only be an asset.
The list of assets depends completely on the structure and peculiarities of the target enterprise or the considered document, so there is no standard set of assets. The user has to fill it on his own. Some examples of assets are “System files” (Системні файли), “Control logs” (Журнали контролю) and “Personal data” (Персональні дані). It is recommended to add an “All assets” (Всі активи) entry for the case of enterprise-wide tasks or regulations. The entries in the set of assets contain the numerical field “damage” (збиток). Upon the entry of an asset, a value of damage in case of asset collapse has to be defined in order to get the numerical risk estimations later. It is proposed to scale the damage values from “high” to “low” with corresponding conventional marks 5 to 1 respectively. Nevertheless, the user may estimate the damage in case of asset collapse by concrete monetary amounts of loss.
5.2. Threats (загрози)
Initially, in the classic system approach to IS, this element represented the process of detection of threats and sensitive information loss channels. However at practical implementation of the ISMS “Matrix”, it was decided to move the threat detection process itself to the set of stages (етапи), and let the element “threats” (загрози) contain the list of threats detected at the target organisation or mentioned in the considered document.
To detect the IS threats of the target organisation, any method is applicable, from theoretical estimation to professional penetration test or expert commission. Such detection process can be performed either at the stage of information system planning, or at the stage of its functioning.
There exist some lists of threats issued by information security companies, but they include universal sets of threats, most of which are impossible or unimportant for the target organisation, or are not mentioned in the considered document. It is recommended to fill the set of threats gradually, adding entries at the first mention of a concrete threat.
The entries in the set of threats contain the numerical field “frequency” (частота). Upon the entry of a threat, a value of its appearance frequency has to be defined in order to get the numerical risk estimations later. It is proposed to scale the frequency values from “frequent” to “very rare” with corresponding conventional marks 5 to 1 respectively. Nevertheless, the user may estimate the frequency of threat appearance by a concrete probability value, which is usually inaccurate and hard to determine due to the peculiarities of the concrete organisation and its business processes.
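The risk module described in 3.4.1, with the damage marks of 5.1 and the frequency marks of 5.2, as an added example that is not the thesis's own code or its Access database: Python with an in-memory SQLite database stands in for the three Access tables, the ASCII table names, the sample entries and the risk formula (damage multiplied by frequency) are my assumptions, and the name-based linking the thesis chose is kept so that the orphaned-row check it makes necessary can be shown.

```python
import sqlite3
from typing import Dict, List, Tuple

# Constructed sample data (not the thesis's own tables). Entry names follow the
# classifying elements of section 3.4.2; damage and frequency use the conventional
# marks 5 (high / frequent) .. 1 (low / very rare) described in 5.1 and 5.2.
ASSETS = [
    ("Криптографічні ключі", 5),
    ("Системні файли", 4),
    ("Журнали контролю", 2),
    ("Персональні дані", 5),
]
THREATS = [
    ("Розголошення", 2),      # disclosure, rare
    ("Вірусна атака", 4),     # virus attack, frequent
    ("Збій обладнання", 3),   # equipment failure, occasional
]
# Asset-threat relations, i.e. the rows of the "Risk list" (спис_риски).
# The last row deliberately names a threat that is absent from THREATS.
RISK_LIST = [
    ("Криптографічні ключі", "Розголошення"),
    ("Системні файли", "Вірусна атака"),
    ("Системні файли", "Збій обладнання"),
    ("Журнали контролю", "Збій обладнання"),
    ("Персональні дані", "Розголошення"),
    ("Персональні дані", "Вірусна атака"),
    ("Персональні дані", "Крадіжка носія"),
]


def build_db(assets=ASSETS, threats=THREATS, risk_list=RISK_LIST) -> sqlite3.Connection:
    """Create the three risk tables in memory, linked by element names as in the thesis."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE assets  (name TEXT PRIMARY KEY, damage    REAL NOT NULL);  -- спис_активы
        CREATE TABLE threats (name TEXT PRIMARY KEY, frequency REAL NOT NULL);  -- спис_угрозы
        CREATE TABLE risk_list (asset TEXT NOT NULL, threat TEXT NOT NULL,      -- спис_риски
                                PRIMARY KEY (asset, threat));
    """)
    con.executemany("INSERT INTO assets VALUES (?, ?)", assets)
    con.executemany("INSERT INTO threats VALUES (?, ?)", threats)
    con.executemany("INSERT INTO risk_list VALUES (?, ?)", risk_list)
    con.commit()
    return con


def dangling_links(con: sqlite3.Connection) -> List[Tuple[str, str]]:
    """Relations whose asset or threat name has no matching list entry.

    Because the tables are joined on names rather than IDs, renaming an element
    in its list silently orphans every risk row that still carries the old name,
    and such rows drop out of the risk estimations without any error."""
    return con.execute("""
        SELECT r.asset, r.threat FROM risk_list r
        LEFT JOIN assets  a ON a.name = r.asset
        LEFT JOIN threats t ON t.name = r.threat
        WHERE a.name IS NULL OR t.name IS NULL
        ORDER BY r.asset, r.threat""").fetchall()


def risk_rows(con: sqlite3.Connection) -> List[Tuple[str, str, float, float, float]]:
    """(asset, threat, damage, frequency, risk) for every fully linked relation.

    Assumption: risk = damage * frequency. The thesis only says the module yields
    approximate numerical estimations and does not state the formula."""
    return con.execute("""
        SELECT r.asset, r.threat, a.damage, t.frequency, a.damage * t.frequency AS risk
        FROM risk_list r
        JOIN assets  a ON a.name = r.asset
        JOIN threats t ON t.name = r.threat
        ORDER BY risk DESC, r.asset, r.threat""").fetchall()


def risk_by_asset(con: sqlite3.Connection) -> Dict[str, float]:
    """Pivot: total estimated risk per asset, summed over its linked threats."""
    rows = con.execute("""
        SELECT r.asset, SUM(a.damage * t.frequency) AS total
        FROM risk_list r
        JOIN assets  a ON a.name = r.asset
        JOIN threats t ON t.name = r.threat
        GROUP BY r.asset ORDER BY total DESC""").fetchall()
    return dict(rows)


def check_marks(con: sqlite3.Connection) -> List[str]:
    """Names whose damage or frequency value lies outside the conventional 1..5 scale.

    The thesis allows monetary damage amounts instead of marks; this check flags
    them so that marks and monetary values are not multiplied together unnoticed."""
    bad = con.execute("SELECT name FROM assets WHERE damage NOT BETWEEN 1 AND 5").fetchall()
    bad += con.execute("SELECT name FROM threats WHERE frequency NOT BETWEEN 1 AND 5").fetchall()
    return [name for (name,) in bad]


if __name__ == "__main__":
    con = build_db()
    for link in dangling_links(con):
        print("unlinked risk row:", link)
    for asset, threat, d, f, risk in risk_rows(con):
        print(f"{asset:24} {threat:18} damage={d:g} freq={f:g} risk={risk:g}")
    print("risk per asset:", risk_by_asset(con))
```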
5.3. Requirements (вимоги)
As in the classic system approach to IS, this element represents the set of requirements to the information security system. These requirements may refer to the scope of certain ISS functions, levels of certain characteristics. In the proposed ISMS implementation, the set of requirements contains the titles or types of the regulations that define the requirements to the ISS in question.
To define the requirements to the ISS of the target organisation without assistance, it is needed to decide which security measures are planned to be used, what the cost of the available hardware and software security means is, how effective the available security measures and means are, how vulnerable the ISS subsystems are, and whether it is possible to carry out a risk analysis. In the case of implementing a certain standard using the ISMS “Matrix”, the requirements can be taken directly from the considered document.
The set of requirements can be taken from the considered document, because they are usually explicitly stated there. The documents can be the technical tasks for the ISS creation, target organisation's security policy or a standard. For example the Ukrainian branch standard [3] is itself the set of demands to an ISMS. In such case the entries of the set of requirements will be the titles of corresponding document sections.
5.4. Solutions (вирішення)
This element initially represented the process of selection of the means and methods that will provide the achievement of the compliance with the set requirements. In the proposed ISMS implementation, the set of solutions represents the complex means and methods of information security (usually, mature commercial products) used to achieve the compliance with the requirements described above.
To define the set of solutions, firstly it is needed to decide what means and methods should be used to attain the established requirements in the target organisation or the considered document. Secondly, it is needed to explore the IS solutions market and find those that provide the most of demanded functions or best comply with the set requirements.
There exists a very large number of IS solutions. Each target organisation should select solutions according to its needs, implementation potential and budget. The IS standards usually do not specify concrete solutions in order to give some freedom (and thus ease) in implementation. It is best practice for the set of solutions (вирішення) to contain the concrete names of the IS products used at the target enterprise, but general names like “Application of controls” (Застосування контролів) or “Access limitation” (Обмеження доступу) are also available.
5.5. Implementations (впровадження)
This element initially designated the actions taken in order to implement the selected IS solutions (that in turn satisfy the set requirements). The implementation may occur at different IS levels (administrative, organisational, technical) and at all stages (design, construction, testing or upgrade of an ISS).
To define the set of implementation entries, it is needed to decide what methods and organisational arrangements will be used to implement the selected IS solutions at the target organisation.
The set of implementations depends on the structure and other peculiarities of the target organisation, and of its personnel in particular. It is recommended to record the decree and control of the target organisation's management concerning IS implementation, because practical implementation experience shows that the personnel's unwillingness is one of the strongest obstructive factors on the way to establishing corporate information security. It is recommended to list the general names of the implementation procedures, like “Personnel training” (Навчання персоналу) or “Equipment tuning” (Налаштування обладнання).
5.6. Control (контроль)
As in the classic system approach to information security, this element represents the processes of ISS integrity control and IS management. These processes encompass a wide scope of functions, ranging from strictly technical, like “Control of copying” (Контроль копіювання), to high-level managerial, like “Control of IS responsibilities” (Контроль відповідальностей за ІБ). The Ukrainian branch standard [4] defines controls as “means of risk management that include policy, procedures, directives, practice or organisational structures, which can have administrative, technical, managerial or legal character”. But in the proposed ISMS implementation control has a broader aspect, aimed not at risk management but at the maintenance of IS and the implementation of certain regulations. Thus risk control becomes a part of a more complex IS mechanism.
To define the set of controls, compose the list of procedures that ensure the integrity of the target organisation's ISS, or that check and manage the implementation of the considered document.
The security standards like [4] sometimes list the control entries explicitly, but the users can also fill the control set by all management and testing IS processes that take place at the target organisation. The list may include names of control groups with sub-controls, like “Control of personnel” (Контроль персоналу) and “Control of employment” (Контроль прийому на роботу) respectively.
Since the sets of values in each of the classifying elements are formed by the end users for the target organisation or the considered document, the resulting system complies both with the system approach to IS and with the business processes of the target organisation: its structure matches the system approach and its content matches the target organisation and considered documents.
Consider the case where the end users have filled all the sets with the minimal necessary number of items, i.e. so that each task or document record can be classified at least in general. In this case the system will have the following elements of the system approach to IS:
1. Bases, consisting of the documents, employees, measures and means that exist in the target organisation;
2. Directions, corresponding to target organisation's major business processes;
3. Seven classical stages of the system approach to IS that have their results listed (for example, the asset definition as the first stage results in the list of assets);
4. The custom list of stages that represents the target organisation's IS process.
3.4.3 Main data storages
The main storages of the database in ISMS “Matrix” are the tables “Tasks” (Ту_ЗАДАЧИ) and “Knowledge” (Тд_ЗНАНИЯ).
The table “Tasks” (Ту_ЗАДАЧИ) contains two sets of fields: the group of classifying fields and the ones that constitute the operational task itself. The classifying fields group places each task in the systematised framework of the system approach to IS. The fields that constitute the task are listed below:
1. “Date set” (Коли поставлена) - the date of task setting;
2. “Execution term” (Строк виконання) - the final date of the task execution;
3. “Status” (Статус) - the general state of the task (current, urgent, cancelled, archived, etc.);
4. Date “Updated” (Оновлена) - the date of the last changes made to the task;
5. “Task description” (Опис задачі) - the list of necessary actions;
6. “Executors” (Виконавці) - regular and involved executors of the task and their contact information (if more than one employee is involved in execution);
7. “State” (Стан) - the degree of execution of the task and the list of performed actions and involved measures;
8. “Problems” (Проблеми) - questions and obstacles that appeared during the execution of the task;
9. “Remarks” (Зауваження) - short remarks of the supervisor or management;
10. “Supplementary” (Додатково) - hyperlink to supplementary information;
11. “Man-hours” (Люд-год) - number of man-hours given to execute the task.
The second main data storage in the database structure of the ISMS “Matrix” is the table “Knowledge” (Тд_ЗНАНИЯ). Its rows are intended to store the sections of documents that can be referred entirely to a certain place in the system approach to IS, i.e. that have one value of each classifying element assigned. When a document is small and has a narrow coverage (like a decree or a standard order), it can be stored entirely in one record of the table. The table “Knowledge” (Тд_ЗНАНИЯ) contains two sets of fields: the group of classifying fields and the ones that constitute the document section itself. The classifying fields group places each document section in the systematised framework of the system approach to IS. The fields constituting the document section are listed below:
1. Shortly (Коротко) - the short heading of the document section;
2. Completely (Повно) - the full heading of the document section;
3. Description (Опис) - description of the document section, including annotation or notes concerning the section content;
4. Contents (Зміст) - the full content of the document section. The field can contain only a small note if the link to the document file is used (see next item);
5. Reference (Посилання) - hyperlink to supplementary information or the file with the document itself (in this case the document content can be updated independently of the ISMS).
3.4.4 Program modules
The implementation of the ISMS “Matrix” required the development of program modules in Microsoft Visual Basic for Applications language (MS VBA). Such modules were used for forms and reports. One module was independent and contained the shared custom functions. This module is presented in appendix E as an example.
3.5 Interfaces of the ISMS
3.5.1 Main menu
The interaction of the end users with the ISMS “Matrix” starts from the main menu (see fig. 3.1), which is automatically opened at the start-up. The following functions are accessible from the main menu.
1. Management - operational tasks (Керування - оперативні задачі) - open the form “Detailed tasks information” (Детальна інформація щодо задач) to enter or edit the operational tasks;
2. Knowledge - documents (Знання - документи) - open the form “Knowledge - documents input” (Знання - Введення документів) to enter or edit the documents or their sections;
3. Risks estimation (Оцінка ризиків) - open the pivot table with the same name that presents the risks considered at the target enterprise;
4. Statistics of tasks and knowledge (Статистика задач та знань) - open the form “Statistics” (Статистика) to call pivot tables on various aspects of operational tasks and knowledge;
5. Conditions of records selection for reports or filters (Умови відбору записів для звітів/фільтрів) - open the form “Selection conditions” (Умови відбору) to select the filtering criteria used in input forms, compiled documents and task reports;
6. Formation of documents or reports (Формування документів / звітів) - open the form with the same name to produce the reports on operational tasks or compile the documents by various selections;
7. Edit the elements lists (Редагувати списки елементів) - open the form “Elements lists” (Списки елементів) to add or edit the entries of the classifying elements and statuses of the operational tasks;
8. Exit (Вихід) - close the ISMS.
Fig. 3.1. The main menu of the ISMS “Matrix”
The detailed description of the listed functions is presented below.
3.5.2 Form “Detailed tasks information”
The form “Detailed tasks information” (Детальна інформація щодо задач) is opened from the main menu of the ISMS “Matrix”. The fig. 3.2 presents the overview of the form. The fields on the form are arranged into two groups - the ones that constitute the operational task itself on the left hand side and the group of classifying fields on the right hand side.
Fig. 3.2. The form “Detailed tasks information” of the ISMS “Matrix”
The field “Task code” (Код задачі) contains the task ID and is assigned automatically. The task ID may be used for fast task search, because the pivot tables on the tasks state the task IDs.
The date field “Set” (Коли поставлена) contains the date of task setting and is assigned automatically on task record creation. Nevertheless, the users can change the date in case the task was set earlier than entered into the ISMS.
The date field “Execution term” (Строк виконання) contains the final date of the task execution. Task expiration is detected by this field. If the task is unlimited in time, the field may be left blank.
The numeric field “Man-hours” (Людино-годин) contains the estimated number of man-hours given to execute the task.
The date field “Information updated” (Інформація оновлена) contains the date of the last changes made to the task. The field is updated automatically upon any changes made to the record, but it can be also modified by the users.
The text field “Executors, contacts” (Виконавці, контакти) contains the names of the regular and involved executors of the task and their contact information, if more than one employee is involved in the execution of the task.
The combo list field “Status” (Статус) classifies the general state of the task (current, urgent, cancelled, archived, etc.). The field values can be added and edited using the form “Elements lists”, opened from the main menu of the ISMS.
The hyperlink field “Supplementary” (Додатково) contains the hyperlink to supplementary information on the task. The hyperlink is edited using the “Hyperlink” section of the field's context menu.
The text field “Task description and measures” (Опис задачі та заходи) contains the list of actions, necessary to accomplish. If the task is aimed at compliance with a certain document, the field can duplicate the title of the corresponding document or its relevant section.
The text field “Directives and execution state” (Настанови та стан виконання) describes the degree of execution of the task, the list of performed actions and involved measures. It is recommended to append the short notes during the task execution, starting each note with the appending date. The field may also contain the detailed instructions concerning the task execution.
The text field “Problems” (Проблеми) lists the questions and obstacles that appeared during the execution of the task and that should be addressed to the supervisor of the task or to higher managers by a special report.
The text field “Remarks” (Зауваження) contains the short remarks of the supervisor or management concerning the solution of the problems that appeared. This field can also be used by the management or the task supervisor to record comments of high importance.
There is a group of three optional fields named “Levels” (Рівні), situated in the top central part of the form. These fields are added for custom sorting of the task records within objects when there are many entries and they need to be grouped.
Fast print buttons are situated above the group of classifying fields on the right-hand side of the form. The button “Print current task” (Друк поточної задачі) prints the task record that is currently displayed in the form. The button “Print task template” (Друк шаблона задачі) prints the template of an operational task record for handwritten filling (this is intended to be used if managers do not have direct access to the ISMS interfaces).
The classifying fields' meanings and descriptions are presented above in the subsection 3.4.2 “Classifying elements”.
The form contains a record filter which is opened by a button “Conditions of records selection” (Умови відбору записів) on the right side of the form. The operation of the filter is described in the subsection 3.5.4 “Input forms filter”.
3.5.3 Form “Knowledge - documents input”
The form “Knowledge - documents input” (Знання - Введення документів) is opened from the main menu of the ISMS “Matrix”. Fig. 3.3 presents an overview of the form. The fields on the form are arranged into two groups - the ones that constitute the document section itself on the left side and the group of classifying fields on the right side.
The text field “Short heading” (Короткий заголовок) contains the short heading of the document section or knowledge element. It may be descriptive or contain the common name of the document.
The text field “Full heading” (Повний заголовок) contains the full official heading of the document section or knowledge element. For example, for the standard [3] the full heading is “Інформаційні технології. Методи захисту. Система управління інформаційною безпекою. Вимоги (ISO/IEC 27001:2005, MOD)”, and the short heading is “ГСТУ СУІБ 1.0/ISO/IEC 27001:2010”. The field is also used for grouping the document sections or knowledge elements in the document compilations.
Fig. 3.3. The form “Knowledge - documents input” of the ISMS “Matrix”
The text field “Description” (Опис) contains the description of the document section or knowledge element, including annotation or notes concerning the content. It is important to fill this field because the higher level IS policy formed by the ISMS is compiled of descriptions of the document sections and knowledge elements.
The text field “Contents” (Зміст) contains the full content of the document section or knowledge element. The field can contain only a small note if the link to the document file is used in the field “Reference (Посилання)”. Please refer to the next paragraph for details.
The hyperlink field “Reference” (Посилання) contains the hyperlink to supplementary information source or the file with the document or knowledge element itself. The field is situated under the group of the classifying element fields at the bottom-right side of the form. It is possible to link the knowledge database record to an external document file. In this case the content of the document can be altered independently of the ISMS.
The field “Code” (Код) contains the ID of the document section or knowledge element and is assigned automatically. The ID field may be used for fast knowledge search, because the pivot tables on knowledge state the IDs.
There is a group of three optional fields named “Levels” (Рівні), situated in the top-right part of the form. These fields are added for custom sorting of the records within a document when there are many entries and they need to be grouped. If the document subsections are numbered, it is recommended to duplicate the numbering in the field group “Levels”.
The classifying fields' meanings and descriptions are presented above in the subsection 3.4.2 “Classifying elements”.
The form contains a record filter which is opened by a button “Conditions of records selection” (Умови відбору записів) on the right side of the form. The operation of the filter is described in the subsection 3.5.4 “Input forms filter”.
3.5.4 Input forms filter
The two input forms of the ISMS “Matrix”, “Detailed tasks information” (Детальна інформація щодо задач) and “Knowledge - documents input” (Знання - Введення документів), contain a record filter which is opened by the button “Conditions of records selection” (Умови відбору записів) on the upper-right side of each form. Fig. 3.4 presents an overview of the filter.
When the button “Conditions of records selection” is pressed, the filter switch appears on the input form, and the form “Selection conditions” (Умови відбору) is opened automatically to select the filtering criteria. After the selection conditions are set in the corresponding fields, it is possible to switch back to the initial input form by pressing one of the buttons in the upper-right side of the “Selection conditions” form. It is possible to return to the “Selection conditions” form to change the filtering criteria by pressing the button “Conditions of records selection” on the input form.
Fig. 3.4. The input forms filter of the ISMS “Matrix”
The filter can select the records by only one criterion at a time, which is chosen with the radio button group named “Mode” (Режим). The following filtering modes are present, each selecting the records where the value in the corresponding field matches the one specified on the form “Selection conditions”.
1. “Show all” (Показати всі) - lists all records without disabling the filter;
2. “Responsible” (Відповідальний);
3. “Document” (Документ);
4. “Measures” (Заходи);
5. “Means” (Засоби);
6. “Assets” (Активи);
7. “Threats” (Загрози);
8. “Requirements” (Вимоги);
9. “Solutions” (Вирішення).
The button “Refresh selection” (Оновити вибірку) is used to re-filter in the selected mode. This action is usually needed in two situations. First, when some of the filtered records have been changed and no longer fit the selection criterion. Second, when the selection criterion has been changed and the records need to be filtered in the same mode again.
The button “Conditions of records selection” (Умови відбору записів) is used to enable the filter and to switch to “Selection conditions” form. It is also possible to switch to the form and back by the standard means of MS Access.
The button “Disable filter” (Вимкнути фільтр) cancels the filtering selection, hides the filter controls and closes the form “Selection conditions”, unless that form is used by another filter or report formation.
3.5.5 Pivot table “Risks estimation”
The form “Risks estimation” (Оцінка ризиків) is opened from the main menu of the ISMS “Matrix”. Fig. 3.5 presents an overview of the pivot table. The form visualises the distribution of risks among the assets of the target organisation.
Fig. 3.5. The pivot table “Risks estimation” of the ISMS “Matrix”
The pivot table presents the distribution of risks as the correlation between threats and assets of the target organisation. The total risk estimations are provided for each threat, each asset and the whole organisation.
The values of the risk estimations can be conventional or be measured in terms of financial losses. The detailed description of the risk estimation mechanism is presented below in subsection 3.6.3 “Risk assessment”.
Filtering can be applied to the pivot table by assets and threats. The display of certain elements of assets or threats is controlled by the standard means of MS Access for pivot tables. To enter the list of displayed elements, it is necessary to click the triangle next to the name of the element header. In fig. 3.5 such filter-enabling triangles can be seen near the row heading “Asset” (Актив) and the column heading “Threat” (Загроза). The filters of the pivot table can be applied simultaneously.
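The asset-by-threat layout of the “Risks estimation” pivot table, with its per-asset, per-threat and whole-organisation totals and the simultaneous asset and threat filters, can be reproduced outside MS Access in a few lines. The following is an added example and not code from the ISMS “Matrix”; the asset names, threat names and risk values are constructed sample data, and the totals are recomputed from the visible cells only, which is how a filtered pivot table behaves.

```python
"""Asset x threat risk pivot (added example, not part of the ISMS "Matrix")."""

# Constructed sample risk estimations: (asset, threat, risk).
# Units are conventional points here; the same code works with expected
# financial losses, which the text allows as an alternative scale.
RISK_RECORDS = [
    ("Customer DB", "Malware", 40),
    ("Customer DB", "Insider misuse", 25),
    ("Customer DB", "Power failure", 10),
    ("Mail server", "Malware", 30),
    ("Mail server", "Power failure", 15),
    ("Workstations", "Malware", 20),
    ("Workstations", "Insider misuse", 5),
]


def pivot_risks(records, assets=None, threats=None):
    """Build the pivot: returns (table, asset_totals, threat_totals, grand_total).

    table[asset][threat] is the summed risk for the pair (0 when no record
    exists). `assets` and `threats`, when given, keep only the listed rows and
    columns, like the header-triangle filters, and both may apply at once.
    Totals are recomputed from the visible cells, as a filtered pivot does.
    """
    kept = [
        (a, t, r) for a, t, r in records
        if (assets is None or a in assets) and (threats is None or t in threats)
    ]
    # dict.fromkeys keeps first-seen order without duplicates
    asset_names = list(dict.fromkeys(a for a, _, _ in kept))
    threat_names = list(dict.fromkeys(t for _, t, _ in kept))
    table = {a: {t: 0 for t in threat_names} for a in asset_names}
    for a, t, r in kept:
        table[a][t] += r
    asset_totals = {a: sum(table[a].values()) for a in asset_names}
    threat_totals = {t: sum(table[a][t] for a in asset_names) for t in threat_names}
    return table, asset_totals, threat_totals, sum(asset_totals.values())


def render(table, asset_totals, threat_totals, grand_total):
    """Plain-text rendering with the row, column and grand totals of the pivot."""
    threats = list(threat_totals)
    width = max([len(a) for a in table] + [len("Asset")]) + 2
    lines = ["Asset".ljust(width) + "".join(t.rjust(16) for t in threats) + "Total".rjust(8)]
    for a, row in table.items():
        lines.append(a.ljust(width) + "".join(str(row[t]).rjust(16) for t in threats)
                     + str(asset_totals[a]).rjust(8))
    lines.append("Total".ljust(width) + "".join(str(threat_totals[t]).rjust(16) for t in threats)
                 + str(grand_total).rjust(8))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(*pivot_risks(RISK_RECORDS)))
    print()
    # Both filters at once: two assets, one threat, as the text allows.
    print(render(*pivot_risks(RISK_RECORDS,
                              assets={"Customer DB", "Mail server"},
                              threats={"Malware"})))
```

Pairs with no stored estimation appear as 0 rather than being omitted, so every row and column of the filtered view keeps the same shape and the marginal totals remain comparable between filtered and unfiltered views.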
3.5.6 Form “Statistics of tasks and knowledge”
The form “Statistics of tasks and knowledge” (Статистика задач та знань) is opened from the main menu of the ISMS “Matrix”. Fig. 3.6 presents an overview of the form. The form calls the pivot charts that display general overviews of the IS state at the target enterprise from different perspectives.
Fig. 3.6. The form “Statistics of tasks and knowledge” of the ISMS “Matrix”
The information from the pivot tables can be used to facilitate the ISS audit process. The statistics are provided for both tasks and documents sections of the ISMS.
The list of pivot tables opened from the form is the following.
1. Group “Statistics of tasks” (Статистика задач):
1.1. Tasks by the Matrix (Задачі по Матриці);
1.2. Tasks by employees (statuses) (Задачі по співробітникам (статусам));
1.3. Tasks by objects (Задачі по об'єктам);
1.4. Tasks by supervisors (Задачі по керівникам);
1.5. Expired tasks (Прострочені задачі);
2. Group “Statistics of knowledge” (Статистика знань):
2.1. Assets by responsible (Активи за відповідальними);
2.2. Assets by documents and responsible (Активи за документами та відповідальними);
2.3. Distribution of requirements by responsible (Розподіл вимог за відповідальними).
The detailed descriptions of the listed pivot tables are presented below in the subsection 3.5.10 “Pivot tables of statistics”.
3.5.7 Form “Selection conditions”
The form “Selection conditions” (Умови відбору) can be opened from the main menu of the ISMS “Matrix”, from the tasks and knowledge input forms, or from the “Formation of documents or reports” (Формування документів / звітів) form. Fig. 3.7 presents an overview of the form. The fields on the form duplicate the group of the classifying fields in the input forms.
The combo list boxes of the classifying elements are intended to store the selection conditions for the tasks and knowledge input forms or for the formation of documents and reports. For example, if the field “Document” (Документ) is set to “НБУ СУІБ-1 27001” (the short name of [3]), then, when the input form filters are switched to the “Document” mode, all the records having “НБУ СУІБ-1 27001” in the “Document” field will be selected. This also applies to reports involving selection by document.
Fig. 3.7. The form “Selection conditions” of the ISMS “Matrix”
The form contains the group of fields “For tasks only” (Тільки для задач), including updating range limiters and “Show archived” (Відображати архівні) checkbox. The group is situated in the lower-right part of the form.
The date fields “From” (З) and “Till” (По) specify the range of task updating date. Both fields must be specified to use the task reports involving a time period. If the starting range is unknown, the users can enter any early date (like 01.01.1900).
The button “Close the form” (Зачинити форму) closes the form if no other form depends on it. For example, if a filter is on in the tasks input form, the “Selection conditions” form will not close upon the button press.
The button “Tasks input” (Введення задач) opens the form “Detailed tasks information” (Детальна інформація щодо задач) and enables its filter automatically.
The button “Documents input” (Введення документів) opens the form “Knowledge - documents input” (Знання - Введення документів) and enables its filter automatically.
The button “Formation of documents or reports” (Формування документів / звітів) opens the form with the same name to select a report or document compilation based on selected criteria.
3.5.8 Form “Formation of documents or reports”
The form “Formation of documents or reports” (Формування документів / звітів) is opened either from the main menu of the ISMS “Matrix” or from the form “Selection conditions” (Умови відбору). Fig. 3.8 presents an overview of the form. There are three groups of elements on the form, arranged vertically. The topmost group has the elements serving common purposes. The next group forms the task reports. The group at the lower side of the form sets the document compilations.
Fig. 3.8. The form “Formation of documents or reports” of the ISMS “Matrix”
The button “Conditions of records selection” (Умови відбору записів) opens the corresponding form.
The checkbox “Create *.rtf file” (“Створити файл *.rtf”) triggers the export of selected report to an external file.
The list “Form the report on operational tasks” (Сформувати звіт з оперативних задач) is intended to select the report to be produced. The report is made immediately after the selection of the corresponding item in the list. The following reports are available for the operational tasks section of the ISMS “Matrix”.
1. All tasks (Всі задачі);
2. Archived tasks over a period (Архівні задачі за період);
3. Expired tasks for today (Прострочені задачі на сьогодні);
4. Tasks by direction (Задачі по напрямку);
5. Tasks by direction and responsible (Задачі по напрямку та відповідальному);
6. Tasks by direction and object (Задачі по напрямку та об'єкту);
7. Tasks by direction over a period (Задачі по напрямку за період);
8. Tasks over a period by responsible (Задачі за період по відповідальному);
9. Tasks over a period by supervisor (Задачі за період по керівнику);
10. Tasks over a period by object (Задачі за період по об'єкту);
11. Tasks over a period by object and responsible (Задачі за період по об'єкту та відповідальному);
12. All problems (Всі проблеми);
13. Problems by responsible (Проблеми по відповідальному);
14. Problems by object (Проблеми по об'єкту);
15. Problems over a period (Проблеми, що виникли за період);
16. Tasks by stage (Задачі по етапу);
17. Tasks by stage and direction (Задачі по етапу та напрямку).
The reports involving selection for a time period use the range of updating dates and do not take into account the records with empty “Updated” fields.
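The record selection behind the single-criterion filter of subsection 3.5.4, the “Expired tasks for today” report (with a blank “Execution term” meaning an unlimited task, as stated in 3.5.2) and the period reports that skip records with an empty “Updated” field can be expressed as three small queries. The following is an added example, not code from the ISMS “Matrix” or its Access database: an in-memory SQLite table with a constructed subset of the task fields stands in for the Access tasks table, the table and column names are assumptions, and hiding archived tasks by default is an assumed model of the “Show archived” checkbox of subsection 3.5.7.

```python
"""Task filter and task reports of the ISMS "Matrix" kind, as an added example."""
import sqlite3
from datetime import date

# Constructed sample task records; the columns are a subset of the real form.
# Dates are ISO strings so that SQLite compares them correctly as text.
TASKS = [
    # code, set_on, term, updated, responsible, document, asset, status
    (1, "2011-03-01", "2011-04-01", "2011-03-20", "Ivanov", "ISO 27001", "Mail server", "current"),
    (2, "2011-03-05", None, "2011-05-02", "Petrov", "ISO 27001", "Customer DB", "current"),
    (3, "2011-02-10", "2011-02-28", None, "Ivanov", "Internal policy", "Customer DB", "current"),
    (4, "2011-01-15", "2011-06-30", "2011-05-10", "Petrov", "Internal policy", "Workstations", "archived"),
]

# Filter modes of the input form mapped to columns (assumed names). Only names
# listed here are ever interpolated into SQL; the criterion value is always
# bound as a parameter, so a user-entered value cannot alter the query.
FILTER_MODES = {"responsible": "responsible", "document": "document", "asset": "asset"}


def build_db():
    """Create the in-memory stand-in for the tasks table and load the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE tasks (code INTEGER PRIMARY KEY, set_on TEXT, term TEXT, "
        "updated TEXT, responsible TEXT, document TEXT, asset TEXT, status TEXT)"
    )
    conn.executemany("INSERT INTO tasks VALUES (?,?,?,?,?,?,?,?)", TASKS)
    return conn


def filter_records(conn, mode, value=None):
    """Single-criterion filter: mode is 'show_all' or one key of FILTER_MODES."""
    if mode == "show_all":
        rows = conn.execute("SELECT code FROM tasks ORDER BY code")
    else:
        column = FILTER_MODES.get(mode)
        if column is None:
            raise ValueError(f"unknown filter mode: {mode!r}")
        rows = conn.execute(f"SELECT code FROM tasks WHERE {column} = ? ORDER BY code", (value,))
    return [r[0] for r in rows]


def expired_tasks(conn, today, show_archived=False):
    """Tasks whose execution term lies before `today` (ISO string).

    A NULL term means the task is unlimited in time and is never expired.
    Archived tasks are hidden unless show_archived is set (assumed behaviour).
    """
    sql = "SELECT code FROM tasks WHERE term IS NOT NULL AND term < ?"
    if not show_archived:
        sql += " AND status <> 'archived'"
    rows = conn.execute(sql + " ORDER BY code", (today,))
    return [r[0] for r in rows]


def tasks_over_period(conn, date_from, date_till):
    """Period report: selects by updating date and skips empty 'Updated' fields."""
    rows = conn.execute(
        "SELECT code FROM tasks WHERE updated IS NOT NULL "
        "AND updated BETWEEN ? AND ? ORDER BY code",
        (date_from, date_till),
    )
    return [r[0] for r in rows]


if __name__ == "__main__":
    conn = build_db()
    print("Ivanov's tasks:", filter_records(conn, "responsible", "Ivanov"))
    print("Expired on 2011-03-15:", expired_tasks(conn, "2011-03-15"))
    print("Expired today:", expired_tasks(conn, date.today().isoformat()))
    print("Updated 2011-03-01..2011-05-05:", tasks_over_period(conn, "2011-03-01", "2011-05-05"))
```

Task 3 in the sample has no updating date, so it appears in the expired list but never in a period report, which is exactly the rule stated above for records with empty “Updated” fields.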
The group “Compile the document” (Скомпонувати документ) contains the set of knowledge selection criteria checkboxes and two document compilation buttons. The knowledge can be selected from the database by any combination of the criteria.
The button “Compile” (Скомпонувати) launches the compilation of the document according to the ticked checkboxes of selection criteria. If none of the criteria is selected, the full list of documents and knowledge will be compiled.
The button “Form the information security policy” (Сформувати політику інформаційної безпеки) launches the formation of the high-level IS policy based on all the stored knowledge. The description of the formed policy is presented in the subsection 3.6.4 “Information security policy formation” below. The sample page of the formed IS policy is presented in appendix D.
3.5.9 Form “Elements lists”
The form “Elements lists” (Списки елементів) is opened from the main menu of the ISMS “Matrix”. Fig. 3.9 presents an overview of the form. The form is intended to edit the entries of classifying elements and statuses of operational tasks.
Fig. 3.9. The form “Elements lists” of the ISMS “Matrix”
The left side of the form holds the group of radio buttons that select the list to edit. The selectors are grouped in the same way as the classifying fields in the input forms. The table of the selected list is loaded on the right side of the form. The following list selectors are present on the form:
1. Directions (Напрямки);
2. Objects (Об'єкти);
3. Officials (Співробітники);
4. Documents (Документи);
5. Measures (Заходи);
6. Means (Засоби);
7. Stages (Етапи);
8. Assets (Активи);