9. Threats (Загрози);

10. Risks (Ризики);

11. Requirements (Вимоги);

12. Solutions (Вирішення);

13. Implementations (Впровадження);

14. Control (Контроль);

15. Task statuses (Статуси задач).

The descriptions of the classifying elements are presented in the subsection 3.4.2 “Classifying elements”. The description of risk list is presented in the subsection 3.6.3 “Risk assessment”.

3.5.10 Pivot tables of statistics

3.5.10.1 Pivot table “Statistics of tasks by the Matrix”

The pivot table “Statistics of tasks by the Matrix” (Статистика задач по Матриці) is opened from the form “Statistics of tasks and knowledge” (Статистика задач та знань) of the ISMS “Matrix”. The fig. 3.10 presents the overview of the pivot table. The table displays the distribution of operational tasks by the Matrix of the system approach to IS. The two differences between this presentation and the classic Matrix are the absence of “Bases” group (because the bases are represented by several database fields) and the use of custom names for the directions and stages.

Fig. 3.10. The pivot table “Statistics of tasks by the Matrix” of the ISMS “Matrix”

The pivot table presents the total quantities of tasks and approximate amount of man-hours needed for their completion. The details are task IDs and their updating dates. To open the details for a certain direction or stage, it is needed to press the “plus” sign near the name of corresponding row or column. On the fig 3.10 the details are opened for the direction “Computer network” (Комп'ютерна мережа).

Except the filters by the names of directions and stages (opened by pressing triangle near the element's mane), the pivot table can also be filtered by the date of task setting and the date of updating. All the filters can be applied simultaneously.

3.5.10.2 Pivot table “Task statuses over a period”

The pivot table “Task statuses over a period” (Статуси задач за період) is opened from the form “Statistics of tasks and knowledge” (Статистика задач та знань) of the ISMS “Matrix”. The table is intended to present the distribution of tasks by the responsible employees.

The pivot table presents the total quantities of tasks and approximate amount of man-hours needed for their completion. The details are the objects referred by the tasks and the task IDs. To open the details for a certain row or column, it is needed to press the “plus” sign near its name.

Except the filters by the names of statuses and responsible (opened by pressing triangle near the element's mane), the pivot table can also be filtered by the date of task updating. All the filters can be applied simultaneously.

3.5.10.3 Pivot table “Tasks by objects”

The pivot table “Tasks by objects” (Задачі по об'єктам) is opened from the form “Statistics of tasks and knowledge” (Статистика задач та знань) of the ISMS “Matrix”. The table presents the complex distribution of tasks given to different employees by objects. The objects are grouped by the directions. To view the total results for a certain direction, it is needed to press the “plus” sign to the left of its name.

The pivot table presents the total quantities of tasks and approximate amount of man-hours needed for their completion. The details are the task statuses and the task IDs. To open the details for a certain row or column, it is needed to press the “plus” sign near its name.

Except the filters by the names of responsible, directions and objects (opened by pressing triangle near the element's mane), the pivot table can also be filtered by the date of task updating and task status. All the filters can be applied simultaneously.

3.5.10.4 Pivot table “Tasks by supervisors”

The pivot table “Tasks by supervisors” (Задачі по керівникам) is opened from the form “Statistics of tasks and knowledge” (Статистика задач та знань) of the ISMS “Matrix”. The table presents the complex distribution of tasks given by the different supervisors. The tasks are grouped by objects, which in turn are grouped by responsible officials. To view the total results for a certain responsible, it is needed to press the “plus” sign to the left of the corresponding name.

The pivot table presents the total quantities of tasks and number of expired tasks. The details are the task IDs, “Expired” labels, dates of the task setting and execution terms. To open the details for a certain row or column, it is needed to press the “plus” sign near its name.

Except the filters by the names of supervisors, responsible and directions (opened by pressing triangle near the element's mane), the pivot table can also be filtered by the date of task setting and task status. All the filters can be applied simultaneously.

3.5.10.5 Pivot table “Expired tasks”

The pivot table “Expired tasks” (Прострочені задачі) is opened from the form “Statistics of tasks and knowledge” (Статистика задач та знань) of the ISMS “Matrix”. The table presents the number of expired tasks on the objects which in turn are grouped by the responsible officials.

The details of the pivot table are task IDs, dates of the task setting and execution terms. To open the details for a certain row or column, it is needed to press the “plus” sign near its name. To view the total results for a certain responsible, it is needed to press the “plus” sign to the left of the corresponding name.

Except the filters by the names of responsible and objects (opened by pressing triangle near the element's mane), the pivot table can also be filtered by the date of task setting and task status. All the filters can be applied simultaneously.

3.5.10.6 Pivot table “Assets by responsible”

The pivot table “Assets by responsible” (Активи за відповідальними) is opened from the form “Statistics of tasks and knowledge” (Статистика задач та знань) of the ISMS “Matrix”. The fig. 3.11 presents the overview of the pivot table. The table presents the distribution of IS measures by directions, then objects, then assets.



Fig. 3.11. The pivot table “Statistics of tasks by the Matrix” of the ISMS “Matrix”

The pivot table presents the total quantities of IS measures. The details are the names of the measures and the corresponding knowledge IDs. To open the details for a certain row or column, it is needed to press the “plus” sign near its name. To view the total results for a certain object or direction, it is needed to press the “plus” sign to the left of the corresponding name.

The pivot table can be filtered by the names of the responsible, assets, objects and directions (opened by pressing triangle near the element's mane). All the filters can be applied simultaneously.

3.5.10.7 Pivot table “Assets by documents and responsible”

The pivot table “Assets by documents and responsible” (Активи за документами та відповідальними) is opened from the form “Statistics of tasks and knowledge” (Статистика задач та знань) of the ISMS “Matrix”. The table represents the distribution of assets mentioned in all the documents of the knowledge base between the responsible officials grouped by the directions.

The pivot table presents the total quantities of assets. The details are the names of the assets and the corresponding knowledge IDs. To open the details for a certain row or column, it is needed to press the “plus” sign near its name. To view the total results for a certain direction, it is needed to press the “plus” sign to the left of its name.

The pivot table can be filtered by the documents, responsible officials and directions (opened by pressing triangle near the element's mane). All the filters can be applied simultaneously.

3.5.10.8 Pivot table “Requirements by responsible”

The pivot table “Requirements by responsible” (Вимоги за відповідальними) is opened from the form “Statistics of tasks and knowledge” (Статистика задач та знань) of the ISMS “Matrix”. The table presents the distribution of the requirements of the implemented documents or knowledge elements by responsible officials.

The pivot table presents the total quantities of requirements. The details are the names of the requirements and the corresponding knowledge IDs. To open the details for a certain row or column, it is needed to press the “plus” sign near its name.

The pivot table can be filtered by the documents and responsible officials (opened by pressing triangle near the element's mane). All the filters can be applied simultaneously.

3.6 Operation of the ISMS

3.6.1 Filling recommendations

To ensure the most effective operation of the ISMS “Matrix” in partial uncertainty, the author recommends starting the exploitation of the system by filling the lists of classifying elements with all known items independently of tasks or documents, i.e. enter the initially known description of the target organisation.

The lists of classifying elements can be edited in “Elements lists” (Списки елементів) form called form the main menu of the ISMS by the item “Edit the elements lists” (Редагувати списки елементів). It is possible to start with any classifying element except “Risks” (Ризики), because that list is built of elements from “Assets” (Активи) and “Threats” (Загрози). The logic of this dependence is described below in the subsection 3.6.3 “Risk assessment”.

The recommendations concerning definition of entries and presence of recommended values for each of the classifying elements are presented above in the subsection 3.4.2 “Classifying elements”.

In the process of further exploitation the lists of classifying elements are subject to changes, which is a normal part of the ISMS integration process. The mentioned changes may be caused primarily by the extension of knowledge about the target organisation, or by the changes in business processes or in the structure of the target organisation.

The task statuses list has to be filled just before the beginning of the tasks input. The list initially has some values that are system-critical, but the practical implementation experience suggests that it will be needed to add statuses for current, important and planned tasks.

After the lists of elements are ready, it is possible to start the input of tasks and knowledge. These two main branches can usually be filled independently and in parallel, but when the ISMS is used to implement a certain standard, it is better to start with filling the “Knowledge - documents” (Знання - документи) section.

Before entering the documents with the “Knowledge - documents input” (Знання - Введення документів) form it is better to split the big document into small sections, which can be entirely classified by a certain item in each classifying element. If the document is initially divided into sections and subsections, it is recommended to enter each smallest subsection as a separate knowledge record. This will increase the efficiency of formation of security policy, post instructions or other documents. The section “Knowledge - documents” is also intended to store any kind of reference information on information security (classified as “knowledge”).

The operational tasks are entered and edited through the form “Detailed tasks information” (Детальна інформація щодо задач). It is a usual case, when third party is involved in the operational task execution process, or when there are more than one executor. For such case, the involved officials can be listed in “Executors, contacts” (Виконавці, контакти) field. If the task is aimed at compliance with a certain document, the field “Task description and measures” (Опис задачі та заходи) can duplicate the title of the corresponding document or its relevant section. The short reports on the task execution progress should be appended in the field “Directives and execution state” (Настанови та стан виконання). The problems that have to be addressed to the management should be listed in the field “Problems” (Проблеми).

If it is hard to classify the knowledge or task record with present classifying elements, it is possible to add new values to the lists. Nevertheless, it is wise to analyse the absolute necessity of such addition and forecast whether the new value of a classifying element can be used by other records. Flooding the classifying elements lists will strongly decrease the system approach classification efficiency and may cause incomplete selections.

3.6.2 Reporting

The “Matrix” can produce analytical reports as documents (both for printing and export to MS Word). The report formation is performed the following way:

1. The selection parameters are chosen on the form “Selection criteria” (“Умови відбору”) from combo list boxes.

2. The type of report is specified. On the form “Formation of documents and reports” (“Формування документів / звітів”) a report is selected from drop-down list in case it is needed to form the list of tasks, or corresponding flags are ticked and “Form the documents list” (“Скомпонувати список документів”) button is pressed in case is needed to form a document.

3. Report is formed for viewing and printing or exported into an *.rtf file, depending on the state of “Create *.rtf file” (“Створити файл *.rtf”) flag on the form “Formation of documents and reports” (“Формування документів / звітів”).

These documented reports can be used as post instructions. And in such case these instructions will cooperate different departments in achieving the global goal, such as international standard implementation.

The reports of the ISMS “Matrix” demanded the development of several custom functions. The listing of the program module for the report “All tasks” (Всі задачі) is presented in appendix F as an example.

3.6.3 Risk assessment

The risk assessment function is realised by approximate estimation mechanism.

1. First, the assets to be protected are defined and entered into the ISMS in the form of assets list. Each asset is assigned a loss value (збиток) i.e. approximate loss estimation in case of asset failure.

2. Next, the whole scope of threats typical to organisation in question is entered into the ISMS in the form of threats list. Each threat is assigned a frequency value (частота) i.e. approximate scaled estimation of appearance frequency.

3. Finally, the risk list is formed by assigning threats to assets. This step is put instead of cross-joining assets with threats because many minor or even impossible risks may be formed (like physical damage to intellectual capital). The risk values are obtained automatically from multiplication of asset loss value by threat frequency value.

Risks are assigned automatically to tasks and document records when corresponding pair of asset and threat are stated in classification fields.

The pivot risk chart “Оцінка ризиків” (“Risk assessment”) provides the overview of the risks faced by organisation and asset-threat distributions with overall estimations by each asset and each threat.

3.6.4 Information security policy formation

The work [2] presents the definition of the IS policy as: “the set of laws, rules, recommendations and practical experience that determine the administrative and project decisions in the information security sphere. The IS policy determines the organisation of management, protection and distribution of critical information in the system. It must encompass all the features of information processing procedures, determining the behaviour of the protected information system in different situations”.

The work [2] also states that the information security policy can cover one of the three following levels:

1. Higher level - statements affecting organisation on the whole, having general character and, as a rule, coming from the management of the organisation;

2. Middle level - issues that cover the separate aspects of information security, but are important for the different systems applied in the organisation;

3. Lower level - covers concrete services, including the two aspects - purposes and ways of their achievement, thus being the most detailed.

The common practice of creating the IS policies in commercial organisations limits to having two policies: a high-level and a low-level ones. The former describes the general goals of the IS in the target organisation, and the latter contains the detailed descriptions of the concrete technical means and measures.

The ISMS “Matrix”, as one of its main functions, can produce the high-level IS policy, classifying all the present knowledge. The knowledge elements in the document are grouped in the following order:

1. By directions of the target organisation's IS;

2. By threats corresponding to each of the directions;

3. By measures aimed at counteraction to these threats.

Thus, classical threat-counteraction model is preserved while complying with the system approach to IS. Plus, the formed IS policy complies with all the IS documents considered in the target organisation (i.e. registered in the ISMS).

The contents of the policy document is composed of the information contained in the fields “Description” (Опис) of the knowledge section of the ISMS, so it is important to fill these fields when entering the document sections or knowledge elements. The recommendations concerning the contents of the field are presented in subsection 3.4.3 “Main data storages”.

The information security policy in the ISMS “Matrix” is formed by pressing the button “Form the information security policy” (Сформувати політику інформаційної безпеки) on the form “Formation of documents or reports” (Формування документів / звітів). The sample page of the formed IS policy is presented in appendix D. The sample IS policy is formed of several bank IS documents, including [3] and [4]. It is possible to add official introduction to the IS policy template.

Conclusions to section

The developed product is an information security management system (ISMS) capable of producing documents like information security policy or operational reports and performing statistical analyses from various perspectives. The ISMS operation is based on input knowledge about the target organisation and other documented knowledge on IS, ISS and IS management.

The input elements of the product are the following:

1. Information about the target organisation;

2. IS standards;

3. Normative documents;

4. Knowledge;

5. Standard post descriptions;

6. Operational tasks statements.

The information about the target organisation is presented by the sets of elements arranged in accordance to the system approach to IS. The content of the element sets represents the known structure and peculiarities of business processes in the organisation.

The IS standards that are implemented (or intended to be) in the target organisation are stored in the knowledge section of the ISMS.

The normative documents are the legal papers concerning IS in the target organisation, like national law about confidentiality or enterprise regulation.

The other available knowledge about IS may include the results of the latest research in the field, or the best practices.

The standard post descriptions are general rules for a position in a generic company accepted broadly. It sometimes happens that such descriptions do not completely fit into a certain organisation. Nevertheless, they are perfect reference for the production of the customised post descriptions.

The operational tasks statements are the current tasks set by the management. They can be concrete or describe the main functions of the officials.

Based on the input information classified according to the system approach to IS, the outputs of the developed ISMS include the following:

1. Information security policy;

2. Statistical analyses;

3. Operational reports.

The high-level IS policy is formed by the developed ISMS of all the available knowledge. It is the set of general laws, rules, recommendations and practical experience that determine the administrative and project decisions, affecting the organisation at the top-management level. The formed IS policy describes the general goals of the IS in the target organisation.

The statistical analyses present the various distributions of tasks and knowledge that could be used in the internal audit procedures. The pivot charts display the general overviews of the IS state at the target enterprise from the different perspectives.

The operational reports on tasks can be used as analytical documents or post instructions cooperating different departments in achieving the common goal.

To add certain functions, the program modules were written (see appendixes E, F).

CONCLUSIONS

In the section 1 of the work the issues of information security management in corporate networks were explored. The results of the latest investigations in the branch, including the ones performed by the author, were overviewed. The general task of information security management system development was formulated.

The information about the normative documents guiding the information security management in the world and in Ukraine was presented.

The results of analysis of the present information security management solutions were provided. The most integrated solution in the Ukrainian market was considered.

The mathematical model of information security system state was described as a continuous process with random parameters.

In the section 2 of the work the demands to the information security management system (ISMS) were reviewed and the features needed in an effective information security management product were formulated.

The information security management system was developed according to the formulated task and defined effective ISMS features.

The database structure was developed to contain the knowledge on information security and operational tasks. Each of these records is placed in the framework of the system approach to information security by the classifying elements.

The program modules were developed in Microsoft Visual Basic for Applications language (MS VBA) to support the custom functions of the forms and reports in the ISMS.

In the section 3 of the work the detailed description of the product structure, interfaces and operation was presented. The fragment of generated high-level information security policy was presented as the ISMS outcome example.

The solutions of the twelve major problems in analogous information security management products and the improvements made by the developed ISMS application were presented.

The financial advantages of the developed ISMS application were estimated.

Due to scarcity of resources devoted to the development of the ISMS “Matrix”, wide encompassing of IS management processes is compensated by inability to operate at lower technical levels (for example, collecting or analyzing log files). To compensate these challenges and accelerate the development of the product, it is needed to invest money to support the developers or devote a professional development team.

The ISMS “Matrix” is capable of gaining economical profit to its developers. The product is developed as a freeware, but the income is obtained from providing the consulting, support and customisation of the product.

The author (and developer) of the ISMS “Matrix” continuously collects the feedback from its users to ensure the performance stability and to determine the necessary development trends. According to the latest demands, the following development perspectives are defined as necessary.

1. Development of the out-of-the-box content for most demanded Ukrainian and international standards, as well as for widespread types of enterprises;

2. Improvement of the method of internal IS audit execution to develop more clarity in IS state vision by the organisation's IS managers;

3. Creation of an expert system to provide more decision making support;

4. Creation of the informative help and reference system;

5. Improvement of the educational functions to increase the level of trained IS specialists;

6. Improvement of the personnel management functions, like tracking of tasks with several consecutive responsible persons;

7. Easy and comfortable adjustment of any reports, charts and diagrams;

8. Creation of wizards that will guide the users through the initial stages of exploitation.

REFERENCES

1. Information technology. Security techniques. Information security management systems. Overview and vocabulary [Text]: international standard ISO/IEC 27000:2009(E). - Switzerland: ISO/IEC, 2009. - 26 p.

2. Домарев, В.В. Безопасность информационных технологий. Системный подход [Текст] / В.В. Домарев. - К.: ООО «ТИД «ДС», 2004. - 992 с.

3. Інформаційні технології. Методи захисту. Система управління інформаційною безпекою. Вимоги (ISO/IEC 27001:2005, MOD) [Текст]: ГСТУ СУІБ 1.0/ISO/IEC 27001:2010. - К.: Національний банк України, 2010. - 49 с. - Код УКНД 35.040.

4. Інформаційні технології. Методи захисту. Звід правил для управління інформаційною безпекою (ISO/IEC 27002:2005, MOD) [Текст]: ГСТУ СУІБ 2.0/ISO/IEC 27002:2010. - К.: Національний банк України, 2010. - 163 с. - Код УКНД 35.040.

5. Про набрання чинності стандартами з управління інформаційною безпекою в банківській системі України [Текст]: постанова правління Національного банку України від 28 жовтня 2010 р. № 474. - К.: Національний банк України, 2010.

6. Domarev, D.V. Information security management system “Matrix” based on system approach [Text] / D.V. Domarev // Тези доповідей ХІ Міжнародної науково-практичної конференції студентів та молодих учених «Політ. Сучасні проблеми науки»: м. Київ, 6-7 квітня 2011 р. - К.: НАУ, 2011. Т. 1. - С 70.

7. Domarev, D.V. Analysis of Ukrainian legal documents on providing information security [Text] / N.A. Vinogradov, D.V. Domarev // Наука і молодь. Прикладна серія: Зб. наук. пр. - К.: НАУ, 2007. - № 7. - С. 78 - 81.

8. Домарев, Д.В. Применение полумарковских процессов в разработке и описании состояния систем защиты информации [Текст] / Д.В. Домарев // Системи обробки інформації. Безпека та захист інформації в інформаційних системах.: Зб. наук. пр. - Х.: ФОП «АЗАМАЄВА В.П.», 2009. - № 7(79). - С. 19 - 24.

9. Domarev, D.V. Information security management system “Matrix” based on system approach [Text] / D.V. Domarev // Проблеми інформатизації та управління: Зб. наук. пр. - К.: НАУ, 2011. - № 2(34).

10. ISO/IEC 27001 certification standard - ISO27k Forum [Electronic resource]. - Access mode: http: // www.iso27001security.com/ html/ 27001.html.

11. ISO/IEC 27002 code of practice - ISO27k Forum [Electronic resource]. - Access mode: http: // www.iso27001security.com/ html/ 27002.html.

12. Proctor, P. MarketScope for IT Governance, Risk and Compliance Management [Electronic resource]: Gartner RAS Core Research Note G0017S755 / P. Proctor, M. Nicolett. - Access mode: http: // www.gartner.com/ DisplayDocument?id=1361628

13. Lumension® Endpoint Management and Security Suite Datasheet [Electronic resource]. - Access mode: http: // www.lumension.com/ Media_Files/ Documents/ Marketing---Sales/Datasheets/Lumension-Endpoint-Management-Security-Suite.aspx.

14. Howard, R.A. System analysis of semi-Markov processes [Text] / R.A. Howard // IEEE Transactions on Military Electronics - New York: Institute of Electrical and Electronics Engineers, 1964. - Issue 2, vol. 8. - P. 114-124.

15. ISO/IEC 27000 series FAQ - ISO27k Forum [Electronic resource]. - Access mode: http: // www.iso27001security.com/ html/ faq.html.

16. Salah, O. Mandatory Information Security Management System Documents Required for ISO/IEC 27001 Certification [Electronic resource] / O. Salah, G. Hinson. - Access mode: http: // www.iso27001security.com/ ISO27k_mandatory_ISMS_documents.rtf.

Appendix A

Deduction hierarchy of ISS security level estimation

Fig. A.1. The logical deduction hierarchy of ISS security level estimation

Appendix B

The solutions of the problems in analogous products by ISMS “Matrix”

Problem	Solution
The product is concentrated more on assessment, than on managerial functions	The main function of the “Matrix” is high-level management
No conditional branching in workflow algorithms	Workflow is not limited to business processes with strict algorithms
Limited flexibility in self-assessment	The operation of the “Matrix” is based on self-assessment data and is dynamically rebuilt according to any changes
Products may be concentrated on a single standard and not appropriate for broader use	System approach to IS enables handling of any normative documents - from internal regulations to international standards
Cost is considered high by customers and evaluators	The price is in average 10 times lower than in analogous products because: 1. The system core is distributed freely; 2. Support pricing is low due to immaturity of the product.
Content is all based on bottom-up, IT-centric control management requirements	The “Matrix” is designed to operate only on high managerial levels, preventing from drowning in the vast amount of technical details. Thus overall clearance is maintained
The maturity of the products makes their interfaces complex for users	Interfaces can be customised on demand for each customer
End users have reported configuration difficulties	No configuration needed, except allowing MS VBA macros
No predefined security policies	System filling with any normative document or policy is available from product support unit on demand
Mostly compliance reporting with only a light treatment of risk	Risk assessment is a dedicated function, providing both detailed risk estimations and pivot table
Development of policy and control framework content for commercial regulations	The system approach to IS is equally effective in both state and commercial organisations
Limited audit support	The variety of reports and pivot charts allows passing most audits without reassessment

Appendix C

Database scheme

Fig. C.1. Database scheme of the ISMS “Matrix”

Appendix D

Excerpt of the IS policy formed by the product

Політика інформаційної безпеки верхнього рівня - генератор документів бази знань СУІБ "Матриця"

Напрямок: Банк в цілому

Загроза: Загрози Комп'ютерній мережі

Заходи: 06.2.1 Ідентифікація ризиків

4.1 Оцінка ризиків безпеки

Оцінка ризиків повинна ідентифікувати і визначити величини і пріоритети ризиків в залежності від критеріїв прийняття ризику і суттєвих цілей організації.

Національна примітка.

Банки України використовують декілька програмно-технічних комплексів автоматизації банківської іяльності, які постійно обмінюються інформацією, тому галуззю застосування оцінки ризиків повинен бути весь банк в цілому.

Напрямок: Банк в цілому

Загроза: Втрата цілісності

Заходи:

6.1 Внутрішня організація

Ціль: Управляти інформаційною безпекою в організації.

Напрямок: Всі напрямки ІБ

Загроза:

Заходи: 06.2 Зовнішні сторони

6.2 Зовнішні сторони

Ціль: Підтримування безпеки інформації організації та її засобів оброблення інформації, до яких мають доступ, обробляють, якими управляють або з якими підтримують зв'язок зовнішні сторони.

Безпека інформації і засобів оброблення інформації, які належать організації, не повинна знижуватись через введення в експлуатацію продуктів або послуг зовнішньої сторони.

Будь-який доступ до засобів оброблення інформації організації, а також оброблення та передавання інформації зовнішнім сторонам повинні бути контрольованими.

Якщо є бізнес-потреба в роботі з зовнішніми сторонами, яка може вимагати доступу до інформації або засобів оброблення інформації організації, або в отриманні від зовнішньої сторони чи наданні їй продукту та послуги, повинна виконуватись оцінка ризику для визначення вимог контролю та наслідків щодо безпеки. Контролі повинні бути погоджені та визначені в угоді з зовнішньою стороною.

Напрямок: Всі напрямки ІБ

Загроза:

Заходи: 06.2.1 Ідентифікація ризиків

4.2 Оброблення ризиків безпеки

До початку оброблення ризику, організація повинна встановити критерії прийняття ризиків.

Для кожного з ризиків, ідентифікованих після оцінки ризику, треба прийняти рішення щодо

оброблення ризику.

Визначити підхід організації до оцінки ризику (4.2.1.c Розроблення СУІБ)

Appendix E

Program module of the shared ISMS functions (listing)

Option Compare Database

Public Function IsFormOpen(fname As String) As Boolean

'check if a form is opened

On Error GoTo ErrFormOpen

Dim frm As Form

Set frm = Forms(fname)

IsFormOpen = True

Exit Function

ErrFormOpen:

IsFormOpen = False

End Function

Public Sub openRiskPivot()

'open pivot chart of risk estimations from main menu

DoCmd.OpenForm "Ф_своднОценРиск", acFormPivotTable

End Sub

Public Sub showArchived(rname As String)

'get current report's name

Dim rep As Report

Set rep = Reports(rname)

'check if need to show arcived

If (Forms![Ф_фильтры].[Флажок_показАрх] = 0) Then

rep.Filter = "NOT([Статус] = 'Архівна')"

rep.FilterOn = True

Else: rep.FilterOn = False

End If

End Sub

Public Sub hideParam(rname As String) 'hide text fields in head

'get current report's name

Dim rep As Report

Set rep = Reports(rname)

rep.Титул_изм.Visible = False

rep.Надп_титул_изм.Visible = False

rep.загол_изм.Visible = False

rep.Надп_загол_изм.Visible = False

End Sub

Continuation of appendix E

Public Sub hideDates(rname As String) 'hide date fields in head

'get current report's name

Dim rep As Report

Set rep = Reports(rname)

rep.Титул_ПолеС.Visible = False

rep.Титул_ПолеПо.Visible = False

rep.надп_Титул_2.Visible = False

rep.загол_ПолеС.Visible = False

rep.загол_ПолеПо.Visible = False

rep.надп_загол_2.Visible = False

End Sub

Public Sub filters_initiate(fname As String)

'get current form's name

Dim frm As Form

Set frm = Forms(fname)

frm.FilterOn = False

'hide filters

frm.Кн_закрФильтр.Visible = False

frm.Групп_фильтр.Visible = False

frm.Кн_обнов.Visible = False

End Sub

Public Sub filters_show(fname As String)

'get current form's name

Dim frm As Form

Set frm = Forms(fname)

'show filters

frm.Кн_закрФильтр.Visible = True

frm.Групп_фильтр.Visible = True

frm.Кн_обнов.Visible = True

DoCmd.OpenForm "ф_фильтры"

End Sub

Public Sub filter_apply(fname As String)

'get current form's name

Dim frm As Form

Set frm = Forms(fname)

'apply selected filter

Select Case frm.Групп_фильтр

Ending of appendix E

Case 1 'Ответственный

frm.Filter = "[Відповідальний]=[Forms]![ф_фильтры]![сотрудник]"

Case 2 'документ

frm.Filter = "[Документ]=[Forms]![ф_фильтры]![Документ]"

Case 3 'меры

frm.Filter = "[заходи]=[Forms]![ф_фильтры]![меры]"

Case 4 'средства

frm.Filter = "[засоби]=[Forms]![ф_фильтры]![средства]"

Case 100 'Активы

frm.Filter = "[Активи]=[Forms]![ф_фильтры]![Активы]"

Case 200 'угрозы

frm.Filter = "[загрози]=[Forms]![ф_фильтры]![угрозы]"

Case 400 'требования

frm.Filter = "[Вимоги]=[Forms]![ф_фильтры]![требования]"

Case 500 'решения

frm.Filter = "[Вирішення]=[Forms]![ф_фильтры]![решения]"

Case Else 'disable

frm.FilterOn = False

Exit Sub

End Select

frm.FilterOn = True

End Sub

Public Sub filters_close(fname As String)

'get current form's name

Dim frm As Form

Set frm = Forms(fname)

'close filters

frm.FilterOn = False

frm.Кн_закрФильтр.Visible = False

frm.Групп_фильтр.Visible = False

frm.Кн_обнов.Visible = False

If IsFormOpen("ф_отчеты") Then

MsgBox "Фільтр вимкнено, але вікно усмов відбору не буде зачинено, доки відчинене вікно компонування документів.", , "Попередження"

Else

DoCmd.Close acForm, "ф_фильтры", acSaveNo

End If

End Sub

Appendix F

Program module of the ISMS report (listing)

Option Compare Database

Private Sub Report_NoData(Cancel As Integer)

MsgBox "Інформація про задачі відсутня.", vbOKOnly, "Звіт порожній"

Cancel = True

End Sub

Private Sub Report_Open(Cancel As Integer)

Select Case Me.OpenArgs

Case "expired" 'expired tasks only

Me.загол_Надп.Caption = "Прострочені задачі на " & Date

Me.RecordSource = "Зу_Срок"

Case Else 'no conditions. List all tasks

Me.загол_Надп.Caption = "Повний перелік задач"

Me.RecordSource = "Зу_всеЗадачи"

showArchived (Me.Name) 'call public sub on this report

End Select

End Sub

Размещено на Allbest.ru