Information security management system of a corporate network
IS management standards development. The national peculiarities of the IS management standards. The most integrated existent IS management solution. General description of the ISS model. Application of semi-Markov processes in ISS state description.
Category | Programming, computers and cybernetics |
Type | diploma thesis |
Language | English |
Date added | 28.10.2011 |
File size | 2,2 M |
9. Threats (Загрози);
10. Risks (Ризики);
11. Requirements (Вимоги);
12. Solutions (Вирішення);
13. Implementations (Впровадження);
14. Control (Контроль);
15. Task statuses (Статуси задач).
The descriptions of the classifying elements are presented in the subsection 3.4.2 “Classifying elements”. The description of risk list is presented in the subsection 3.6.3 “Risk assessment”.
3.5.10 Pivot tables of statistics
3.5.10.1 Pivot table “Statistics of tasks by the Matrix”
The pivot table “Statistics of tasks by the Matrix” (Статистика задач по Матриці) is opened from the form “Statistics of tasks and knowledge” (Статистика задач та знань) of the ISMS “Matrix”. The fig. 3.10 presents the overview of the pivot table. The table displays the distribution of operational tasks by the Matrix of the system approach to IS. The two differences between this presentation and the classic Matrix are the absence of “Bases” group (because the bases are represented by several database fields) and the use of custom names for the directions and stages.
Fig. 3.10. The pivot table “Statistics of tasks by the Matrix” of the ISMS “Matrix”
The pivot table presents the total quantities of tasks and the approximate amount of man-hours needed for their completion. The details are task IDs and their updating dates. To open the details for a certain direction or stage, it is needed to press the “plus” sign near the name of the corresponding row or column. In fig. 3.10 the details are opened for the direction “Computer network” (Комп'ютерна мережа).
Except the filters by the names of directions and stages (opened by pressing the triangle near the element's name), the pivot table can also be filtered by the date of task setting and the date of updating. All the filters can be applied simultaneously.
3.5.10.2 Pivot table “Task statuses over a period”
The pivot table “Task statuses over a period” (Статуси задач за період) is opened from the form “Statistics of tasks and knowledge” (Статистика задач та знань) of the ISMS “Matrix”. The table is intended to present the distribution of tasks by the responsible employees.
The pivot table presents the total quantities of tasks and approximate amount of man-hours needed for their completion. The details are the objects referred by the tasks and the task IDs. To open the details for a certain row or column, it is needed to press the “plus” sign near its name.
Except the filters by the names of statuses and responsible officials (opened by pressing the triangle near the element's name), the pivot table can also be filtered by the date of task updating. All the filters can be applied simultaneously.
3.5.10.3 Pivot table “Tasks by objects”
The pivot table “Tasks by objects” (Задачі по об'єктам) is opened from the form “Statistics of tasks and knowledge” (Статистика задач та знань) of the ISMS “Matrix”. The table presents the complex distribution of tasks given to different employees by objects. The objects are grouped by the directions. To view the total results for a certain direction, it is needed to press the “plus” sign to the left of its name.
The pivot table presents the total quantities of tasks and approximate amount of man-hours needed for their completion. The details are the task statuses and the task IDs. To open the details for a certain row or column, it is needed to press the “plus” sign near its name.
Except the filters by the names of responsible officials, directions and objects (opened by pressing the triangle near the element's name), the pivot table can also be filtered by the date of task updating and task status. All the filters can be applied simultaneously.
3.5.10.4 Pivot table “Tasks by supervisors”
The pivot table “Tasks by supervisors” (Задачі по керівникам) is opened from the form “Statistics of tasks and knowledge” (Статистика задач та знань) of the ISMS “Matrix”. The table presents the complex distribution of tasks given by the different supervisors. The tasks are grouped by objects, which in turn are grouped by responsible officials. To view the total results for a certain responsible, it is needed to press the “plus” sign to the left of the corresponding name.
The pivot table presents the total quantities of tasks and number of expired tasks. The details are the task IDs, “Expired” labels, dates of the task setting and execution terms. To open the details for a certain row or column, it is needed to press the “plus” sign near its name.
Except the filters by the names of supervisors, responsible officials and directions (opened by pressing the triangle near the element's name), the pivot table can also be filtered by the date of task setting and task status. All the filters can be applied simultaneously.
3.5.10.5 Pivot table “Expired tasks”
The pivot table “Expired tasks” (Прострочені задачі) is opened from the form “Statistics of tasks and knowledge” (Статистика задач та знань) of the ISMS “Matrix”. The table presents the number of expired tasks on the objects which in turn are grouped by the responsible officials.
The details of the pivot table are task IDs, dates of the task setting and execution terms. To open the details for a certain row or column, it is needed to press the “plus” sign near its name. To view the total results for a certain responsible, it is needed to press the “plus” sign to the left of the corresponding name.
Except the filters by the names of responsible officials and objects (opened by pressing the triangle near the element's name), the pivot table can also be filtered by the date of task setting and task status. All the filters can be applied simultaneously.
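The pivot tables of subsections 3.5.10.1 and 3.5.10.5 are described above in terms of the product's user interface. The following Python model, added here as an illustration and not code from the ISMS “Matrix” (which is an MS Access / VBA application), reproduces the two underlying computations on a constructed set of task records: the distribution of tasks by direction and stage with task counts and man-hours, optionally restricted by the date of task setting or updating, and the list of expired tasks grouped by responsible official and object. The task fields, direction and stage names, employee names and dates are all assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


# Constructed sample of operational task records. The field names are an
# assumption modelled on the task attributes mentioned in section 3.5.10,
# not the product's own database fields.
@dataclass(frozen=True)
class Task:
    task_id: int
    direction: str      # row of the Matrix of the system approach to IS
    stage: str          # column of the Matrix (custom stage names)
    responsible: str    # responsible official
    obj: str            # object the task refers to
    man_hours: float    # approximate effort needed for completion
    set_on: date        # date of task setting
    updated_on: date    # date of the last update
    due_on: date        # execution term
    status: str


TASKS = [
    Task(1, "Computer network", "Analysis", "Ivanenko", "Core switch", 4,
         date(2011, 3, 1), date(2011, 3, 10), date(2011, 4, 1), "current"),
    Task(2, "Computer network", "Implementation", "Ivanenko", "Firewall", 16,
         date(2011, 3, 5), date(2011, 5, 2), date(2011, 4, 15), "current"),
    Task(3, "Personnel", "Control", "Petrenko", "HR department", 2,
         date(2011, 2, 20), date(2011, 3, 1), date(2011, 3, 15), "closed"),
    Task(4, "Personnel", "Analysis", "Petrenko", "HR department", 8,
         date(2011, 4, 1), date(2011, 4, 20), date(2011, 5, 1), "planned"),
    Task(5, "Computer network", "Analysis", "Sydorenko", "Mail server", 6,
         date(2011, 4, 10), date(2011, 4, 12), date(2011, 4, 20), "current"),
]


def pivot(tasks, row_key, col_key, date_field=None, since=None, until=None):
    """Return {(row, col): (task_count, man_hours, [task ids])}.

    The optional date filter keeps only tasks whose `date_field` (e.g.
    "set_on" or "updated_on") lies within [since, until]; the ISMS applies
    its setting-date and updating-date filters the same way.
    """
    cells = defaultdict(lambda: [0, 0.0, []])
    for t in tasks:
        if date_field is not None:
            d = getattr(t, date_field)
            if since is not None and d < since:
                continue
            if until is not None and d > until:
                continue
        cell = cells[(row_key(t), col_key(t))]
        cell[0] += 1
        cell[1] += t.man_hours
        cell[2].append(t.task_id)
    return {k: (c, h, sorted(ids)) for k, (c, h, ids) in cells.items()}


def row_totals(table):
    """Collapse a pivot over its columns: {row: (task_count, man_hours)}.
    This is the "total" line shown when a direction's row is collapsed."""
    totals = defaultdict(lambda: [0, 0.0])
    for (row, _col), (c, h, _ids) in table.items():
        totals[row][0] += c
        totals[row][1] += h
    return {r: (c, h) for r, (c, h) in totals.items()}


def expired_tasks(tasks, today, closed_statuses=("closed",)):
    """Expired tasks grouped by responsible official and object, as in the
    "Expired tasks" pivot: {(responsible, obj): [task ids]}. A task is
    expired when it is still open and its execution term has passed."""
    out = defaultdict(list)
    for t in tasks:
        if t.status not in closed_statuses and t.due_on < today:
            out[(t.responsible, t.obj)].append(t.task_id)
    return {k: sorted(v) for k, v in out.items()}


if __name__ == "__main__":
    by_matrix = pivot(TASKS, lambda t: t.direction, lambda t: t.stage)
    for (direction, stage), (count, hours, ids) in sorted(by_matrix.items()):
        print(f"{direction:18} {stage:15} tasks={count} man-hours={hours:5.1f} ids={ids}")
    print("row totals:", row_totals(by_matrix))
    print("set since April:", pivot(TASKS, lambda t: t.direction, lambda t: t.stage,
                                    date_field="set_on", since=date(2011, 4, 1)))
    print("expired on 2011-05-01:", expired_tasks(TASKS, today=date(2011, 5, 1)))
```

The same `pivot` function with other key functions (responsible official and status, supervisor and object) reproduces the other pivot tables of this subsection; only the grouping keys and the date field change.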
3.5.10.6 Pivot table “Assets by responsible”
The pivot table “Assets by responsible” (Активи за відповідальними) is opened from the form “Statistics of tasks and knowledge” (Статистика задач та знань) of the ISMS “Matrix”. The fig. 3.11 presents the overview of the pivot table. The table presents the distribution of IS measures by directions, then objects, then assets.
Fig. 3.11. The pivot table “Statistics of tasks by the Matrix” of the ISMS “Matrix”
The pivot table presents the total quantities of IS measures. The details are the names of the measures and the corresponding knowledge IDs. To open the details for a certain row or column, it is needed to press the “plus” sign near its name. To view the total results for a certain object or direction, it is needed to press the “plus” sign to the left of the corresponding name.
The pivot table can be filtered by the names of the responsible officials, assets, objects and directions (opened by pressing the triangle near the element's name). All the filters can be applied simultaneously.
3.5.10.7 Pivot table “Assets by documents and responsible”
The pivot table “Assets by documents and responsible” (Активи за документами та відповідальними) is opened from the form “Statistics of tasks and knowledge” (Статистика задач та знань) of the ISMS “Matrix”. The table represents the distribution of assets mentioned in all the documents of the knowledge base between the responsible officials grouped by the directions.
The pivot table presents the total quantities of assets. The details are the names of the assets and the corresponding knowledge IDs. To open the details for a certain row or column, it is needed to press the “plus” sign near its name. To view the total results for a certain direction, it is needed to press the “plus” sign to the left of its name.
The pivot table can be filtered by the documents, responsible officials and directions (opened by pressing the triangle near the element's name). All the filters can be applied simultaneously.
3.5.10.8 Pivot table “Requirements by responsible”
The pivot table “Requirements by responsible” (Вимоги за відповідальними) is opened from the form “Statistics of tasks and knowledge” (Статистика задач та знань) of the ISMS “Matrix”. The table presents the distribution of the requirements of the implemented documents or knowledge elements by responsible officials.
The pivot table presents the total quantities of requirements. The details are the names of the requirements and the corresponding knowledge IDs. To open the details for a certain row or column, it is needed to press the “plus” sign near its name.
The pivot table can be filtered by the documents and responsible officials (opened by pressing the triangle near the element's name). All the filters can be applied simultaneously.
3.6 Operation of the ISMS
3.6.1 Filling recommendations
To ensure the most effective operation of the ISMS “Matrix” under partial uncertainty, the author recommends starting the use of the system by filling the lists of classifying elements with all known items independently of tasks or documents, i.e. by entering the initially known description of the target organisation.
The lists of classifying elements can be edited in the “Elements lists” (Списки елементів) form, called from the main menu of the ISMS by the item “Edit the elements lists” (Редагувати списки елементів). It is possible to start with any classifying element except “Risks” (Ризики), because that list is built of elements from “Assets” (Активи) and “Threats” (Загрози). The logic of this dependence is described below in the subsection 3.6.3 “Risk assessment”.
The recommendations concerning definition of entries and presence of recommended values for each of the classifying elements are presented above in the subsection 3.4.2 “Classifying elements”.
In the course of further operation the lists of classifying elements are subject to changes, which is a normal part of the ISMS integration process. Such changes are caused primarily by the extension of knowledge about the target organisation, or by changes in the business processes or in the structure of the target organisation.
The task statuses list has to be filled just before the beginning of the tasks input. The list initially has some values that are system-critical, but the practical implementation experience suggests that it will be needed to add statuses for current, important and planned tasks.
After the lists of elements are ready, it is possible to start the input of tasks and knowledge. These two main branches can usually be filled independently and in parallel, but when the ISMS is used to implement a certain standard, it is better to start with filling the “Knowledge - documents” (Знання - документи) section.
Before entering the documents with the “Knowledge - documents input” (Знання - Введення документів) form it is better to split the big document into small sections, which can be entirely classified by a certain item in each classifying element. If the document is initially divided into sections and subsections, it is recommended to enter each smallest subsection as a separate knowledge record. This will increase the efficiency of formation of security policy, post instructions or other documents. The section “Knowledge - documents” is also intended to store any kind of reference information on information security (classified as “knowledge”).
The operational tasks are entered and edited through the form “Detailed tasks information” (Детальна інформація щодо задач). It is common for a third party to be involved in the execution of an operational task, or for a task to have more than one executor. In such cases, the involved officials can be listed in the “Executors, contacts” (Виконавці, контакти) field. If the task is aimed at compliance with a certain document, the field “Task description and measures” (Опис задачі та заходи) can duplicate the title of the corresponding document or its relevant section. The short reports on the task execution progress should be appended in the field “Directives and execution state” (Настанови та стан виконання). The problems that have to be addressed to the management should be listed in the field “Problems” (Проблеми).
If it is hard to classify the knowledge or task record with present classifying elements, it is possible to add new values to the lists. Nevertheless, it is wise to analyse the absolute necessity of such addition and forecast whether the new value of a classifying element can be used by other records. Flooding the classifying elements lists will strongly decrease the system approach classification efficiency and may cause incomplete selections.
3.6.2 Reporting
The “Matrix” can produce analytical reports as documents (both for printing and export to MS Word). The report formation is performed the following way:
1. The selection parameters are chosen on the form “Selection criteria” (“Умови відбору”) from combo list boxes.
2. The type of report is specified. On the form “Formation of documents and reports” (“Формування документів / звітів”) a report is selected from the drop-down list in case it is needed to form the list of tasks, or the corresponding flags are ticked and the “Form the documents list” (“Скомпонувати список документів”) button is pressed in case it is needed to form a document.
3. Report is formed for viewing and printing or exported into an *.rtf file, depending on the state of “Create *.rtf file” (“Створити файл *.rtf”) flag on the form “Formation of documents and reports” (“Формування документів / звітів”).
These documented reports can be used as post instructions. In such a case these instructions will coordinate different departments in achieving the global goal, such as international standard implementation.
The reports of the ISMS “Matrix” demanded the development of several custom functions. The listing of the program module for the report “All tasks” (Всі задачі) is presented in appendix F as an example.
3.6.3 Risk assessment
The risk assessment function is implemented as an approximate estimation mechanism.
1. First, the assets to be protected are defined and entered into the ISMS in the form of assets list. Each asset is assigned a loss value (збиток) i.e. approximate loss estimation in case of asset failure.
2. Next, the whole scope of threats typical to organisation in question is entered into the ISMS in the form of threats list. Each threat is assigned a frequency value (частота) i.e. approximate scaled estimation of appearance frequency.
3. Finally, the risk list is formed by assigning threats to assets. This step replaces a cross join of assets with threats, because a cross join would produce many minor or even impossible risks (like physical damage to intellectual capital). The risk values are obtained automatically by multiplying the asset loss value by the threat frequency value.
Risks are assigned automatically to tasks and document records when corresponding pair of asset and threat are stated in classification fields.
The pivot risk chart “Risk assessment” (Оцінка ризиків) provides the overview of the risks faced by the organisation and the asset-threat distributions with overall estimations by each asset and each threat.
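The three steps above and the automatic assignment of risks to records can be modelled in a few lines. The following Python example is added here for illustration; it is not the product's own code, and the asset names, loss values, threat names and frequency scale are constructed assumptions. It shows the explicit asset-threat assignment that replaces the cross join (the impossible pair “Intellectual capital / Physical damage” is simply never listed), the multiplication that yields the risk value, the per-asset and per-threat totals shown by the risk pivot chart, and the lookup that attaches a risk to a task or knowledge record from its asset and threat classification fields.

```python
from collections import defaultdict
from dataclasses import dataclass


# Constructed sample data; names and values are assumptions and are not
# taken from the ISMS "Matrix" database.
@dataclass(frozen=True)
class Asset:
    name: str
    loss: float        # approximate loss in case of asset failure (збиток)


@dataclass(frozen=True)
class Threat:
    name: str
    frequency: int     # scaled estimation of appearance frequency (частота)


# Step 1: assets list with loss values.
ASSETS = {a.name: a for a in (
    Asset("Core banking database", 100.0),
    Asset("Mail server", 20.0),
    Asset("Intellectual capital", 50.0),
)}

# Step 2: threats list with frequency values on an assumed 1..5 scale.
THREATS = {t.name: t for t in (
    Threat("Physical damage", 1),
    Threat("Malware infection", 4),
    Threat("Loss of integrity", 2),
)}

# Step 3: the risk list is formed by explicit asset-threat assignment, not
# by a cross join, so a meaningless pair such as (Intellectual capital,
# Physical damage) never appears.
RISK_LIST = [
    ("Core banking database", "Physical damage"),
    ("Core banking database", "Loss of integrity"),
    ("Mail server", "Malware infection"),
    ("Intellectual capital", "Loss of integrity"),
]


def risk_value(asset_name, threat_name):
    """Risk = asset loss value x threat frequency value."""
    return ASSETS[asset_name].loss * THREATS[threat_name].frequency


def risk_register(risk_list=RISK_LIST):
    """{(asset, threat): risk value} for every assigned pair."""
    return {(a, t): risk_value(a, t) for a, t in risk_list}


def totals_by_asset(register):
    """Overall estimation per asset (rows of the risk pivot chart)."""
    out = defaultdict(float)
    for (a, _t), v in register.items():
        out[a] += v
    return dict(out)


def totals_by_threat(register):
    """Overall estimation per threat (columns of the risk pivot chart)."""
    out = defaultdict(float)
    for (_a, t), v in register.items():
        out[t] += v
    return dict(out)


def assign_risk(record, register):
    """Risk of a task or knowledge record whose classification fields name
    an asset and a threat; None when the pair is not in the risk list, since
    the ISMS attaches risks only for pairs that were explicitly assigned."""
    return register.get((record.get("asset"), record.get("threat")))


if __name__ == "__main__":
    reg = risk_register()
    for (a, t), v in reg.items():
        print(f"{a:22} / {t:18} -> {v:6.1f}")
    print("by asset: ", totals_by_asset(reg))
    print("by threat:", totals_by_threat(reg))
    task = {"id": 7, "asset": "Mail server", "threat": "Malware infection"}
    print("task 7 risk:", assign_risk(task, reg))
```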
3.6.4 Information security policy formation
The work [2] presents the definition of the IS policy as: “the set of laws, rules, recommendations and practical experience that determine the administrative and project decisions in the information security sphere. The IS policy determines the organisation of management, protection and distribution of critical information in the system. It must encompass all the features of information processing procedures, determining the behaviour of the protected information system in different situations”.
The work [2] also states that the information security policy can cover one of the three following levels:
1. Higher level - statements affecting organisation on the whole, having general character and, as a rule, coming from the management of the organisation;
2. Middle level - issues that cover the separate aspects of information security, but are important for the different systems applied in the organisation;
3. Lower level - covers concrete services, including the two aspects - purposes and ways of their achievement, thus being the most detailed.
The common practice of creating IS policies in commercial organisations is limited to having two policies: a high-level one and a low-level one. The former describes the general goals of IS in the target organisation, and the latter contains the detailed descriptions of the concrete technical means and measures.
The ISMS “Matrix”, as one of its main functions, can produce the high-level IS policy, classifying all the present knowledge. The knowledge elements in the document are grouped in the following order:
1. By directions of the target organisation's IS;
2. By threats corresponding to each of the directions;
3. By measures aimed at counteraction to these threats.
Thus, classical threat-counteraction model is preserved while complying with the system approach to IS. Plus, the formed IS policy complies with all the IS documents considered in the target organisation (i.e. registered in the ISMS).
The contents of the policy document is composed of the information contained in the fields “Description” (Опис) of the knowledge section of the ISMS, so it is important to fill these fields when entering the document sections or knowledge elements. The recommendations concerning the contents of the field are presented in subsection 3.4.3 “Main data storages”.
The information security policy in the ISMS “Matrix” is formed by pressing the button “Form the information security policy” (Сформувати політику інформаційної безпеки) on the form “Formation of documents or reports” (Формування документів / звітів). The sample page of the formed IS policy is presented in appendix D. The sample IS policy is formed of several bank IS documents, including [3] and [4]. It is possible to add official introduction to the IS policy template.
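The grouping order described above (direction, then threat, then measure) and the role of the “Description” field are easy to see in a small model. The following Python example is added as an illustration and is not the product's own generator; the knowledge records, their field names and texts are constructed assumptions modelled on the classifying elements named in this subsection. It groups the records into the three-level hierarchy, drops records whose “Description” field is empty (which is why filling that field matters), and renders the result as policy text with an optional official introduction.

```python
from collections import defaultdict

# Constructed knowledge records. The field names mirror the classifying
# elements named in section 3.6.4 (direction, threat, measure) and the
# "Description" field; the values are assumptions, not the product's data.
KNOWLEDGE = [
    {"id": 101, "direction": "Bank as a whole", "threat": "Threats to the computer network",
     "measure": "06.2.1 Identification of risks",
     "description": "Risk assessment must identify and prioritise risks against the acceptance criteria."},
    {"id": 102, "direction": "Bank as a whole", "threat": "Loss of integrity",
     "measure": "6.1 Internal organisation",
     "description": "Objective: to manage information security within the organisation."},
    {"id": 103, "direction": "All IS directions", "threat": "",
     "measure": "06.2 External parties",
     "description": "Any access by external parties to information processing facilities must be controlled."},
    {"id": 104, "direction": "Bank as a whole", "threat": "Loss of integrity",
     "measure": "6.1 Internal organisation",
     "description": ""},   # empty Description: contributes nothing to the policy
]


def group_knowledge(records):
    """Group records direction -> threat -> measure -> [description texts],
    skipping records whose Description field is empty."""
    tree = defaultdict(lambda: defaultdict(lambda: defaultdict(list)))
    for r in records:
        text = r.get("description", "").strip()
        if not text:
            continue
        tree[r["direction"]][r["threat"]][r["measure"]].append(text)
    return tree


def policy_outline(records):
    """(direction, threat, measure) triples in policy order; useful to check
    that every document section landed in exactly one place."""
    tree = group_knowledge(records)
    return [(d, t, m)
            for d in sorted(tree)
            for t in sorted(tree[d])
            for m in sorted(tree[d][t])]


def render_policy(records, intro=""):
    """Render the grouped knowledge as the text of a high-level IS policy.
    `intro` is an optional official introduction placed before the body."""
    lines = [intro] if intro else []
    tree = group_knowledge(records)
    for direction in sorted(tree):
        lines.append(f"Direction: {direction}")
        for threat in sorted(tree[direction]):
            lines.append(f"  Threat: {threat or '(not specified)'}")
            for measure in sorted(tree[direction][threat]):
                lines.append(f"    Measures: {measure}")
                for text in tree[direction][threat][measure]:
                    lines.append(f"      {text}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_policy(KNOWLEDGE, intro="Approved by the Board."))
```

Record 104 shows the failure mode the paragraph above warns about: a knowledge element with an empty “Description” is classified correctly but adds nothing to the generated policy, so the section it represents silently disappears from the document.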
Conclusions to section
The developed product is an information security management system (ISMS) capable of producing documents like information security policy or operational reports and performing statistical analyses from various perspectives. The ISMS operation is based on input knowledge about the target organisation and other documented knowledge on IS, ISS and IS management.
The input elements of the product are the following:
1. Information about the target organisation;
2. IS standards;
3. Normative documents;
4. Knowledge;
5. Standard post descriptions;
6. Operational tasks statements.
The information about the target organisation is presented by the sets of elements arranged in accordance to the system approach to IS. The content of the element sets represents the known structure and peculiarities of business processes in the organisation.
The IS standards that are implemented (or intended to be) in the target organisation are stored in the knowledge section of the ISMS.
The normative documents are the legal papers concerning IS in the target organisation, like national law about confidentiality or enterprise regulation.
The other available knowledge about IS may include the results of the latest research in the field, or the best practices.
The standard post descriptions are general rules for a position in a generic company accepted broadly. It sometimes happens that such descriptions do not completely fit into a certain organisation. Nevertheless, they are perfect reference for the production of the customised post descriptions.
The operational tasks statements are the current tasks set by the management. They can be concrete or describe the main functions of the officials.
Based on the input information classified according to the system approach to IS, the outputs of the developed ISMS include the following:
1. Information security policy;
2. Statistical analyses;
3. Operational reports.
The high-level IS policy is formed by the developed ISMS from all the available knowledge. It is the set of general laws, rules, recommendations and practical experience that determine the administrative and project decisions, affecting the organisation at the top-management level. The formed IS policy describes the general goals of IS in the target organisation.
The statistical analyses present the various distributions of tasks and knowledge that could be used in the internal audit procedures. The pivot charts display the general overviews of the IS state at the target enterprise from the different perspectives.
The operational reports on tasks can be used as analytical documents or post instructions cooperating different departments in achieving the common goal.
The custom functions are provided by program modules written for the product (see appendixes E, F).
CONCLUSIONS
In section 1 of the work the issues of information security management in corporate networks were explored. The results of the latest investigations in the field, including the ones performed by the author, were reviewed. The general task of information security management system development was formulated.
The information about the normative documents guiding the information security management in the world and in Ukraine was presented.
The results of analysis of the present information security management solutions were provided. The most integrated solution in the Ukrainian market was considered.
The mathematical model of information security system state was described as a continuous process with random parameters.
In the section 2 of the work the demands to the information security management system (ISMS) were reviewed and the features needed in an effective information security management product were formulated.
The information security management system was developed according to the formulated task and defined effective ISMS features.
The database structure was developed to contain the knowledge on information security and operational tasks. Each of these records is placed in the framework of the system approach to information security by the classifying elements.
The program modules were developed in Microsoft Visual Basic for Applications language (MS VBA) to support the custom functions of the forms and reports in the ISMS.
In the section 3 of the work the detailed description of the product structure, interfaces and operation was presented. The fragment of generated high-level information security policy was presented as the ISMS outcome example.
The solutions of the twelve major problems in analogous information security management products and the improvements made by the developed ISMS application were presented.
The financial advantages of the developed ISMS application were estimated.
Due to the scarcity of resources devoted to the development of the ISMS “Matrix”, its broad coverage of IS management processes comes at the cost of an inability to operate at lower technical levels (for example, collecting or analysing log files). To overcome these limitations and accelerate the development of the product, it is necessary to invest money to support the developers or to assign a professional development team.
The ISMS “Matrix” is capable of generating economic profit for its developers. The product is developed as freeware, but income is obtained from providing consulting, support and customisation of the product.
The author (and developer) of the ISMS “Matrix” continuously collects the feedback from its users to ensure the performance stability and to determine the necessary development trends. According to the latest demands, the following development perspectives are defined as necessary.
1. Development of the out-of-the-box content for most demanded Ukrainian and international standards, as well as for widespread types of enterprises;
2. Improvement of the method of internal IS audit execution to develop more clarity in IS state vision by the organisation's IS managers;
3. Creation of an expert system to provide more decision making support;
4. Creation of the informative help and reference system;
5. Improvement of the educational functions to increase the level of trained IS specialists;
6. Improvement of the personnel management functions, like tracking of tasks with several consecutive responsible persons;
7. Easy and comfortable adjustment of any reports, charts and diagrams;
8. Creation of wizards that will guide the users through the initial stages of use.
REFERENCES
1. Information technology. Security techniques. Information security management systems. Overview and vocabulary [Text]: international standard ISO/IEC 27000:2009(E). - Switzerland: ISO/IEC, 2009. - 26 p.
2. Домарев, В.В. Безопасность информационных технологий. Системный подход [Текст] / В.В. Домарев. - К.: ООО «ТИД «ДС», 2004. - 992 с.
3. Інформаційні технології. Методи захисту. Система управління інформаційною безпекою. Вимоги (ISO/IEC 27001:2005, MOD) [Текст]: ГСТУ СУІБ 1.0/ISO/IEC 27001:2010. - К.: Національний банк України, 2010. - 49 с. - Код УКНД 35.040.
4. Інформаційні технології. Методи захисту. Звід правил для управління інформаційною безпекою (ISO/IEC 27002:2005, MOD) [Текст]: ГСТУ СУІБ 2.0/ISO/IEC 27002:2010. - К.: Національний банк України, 2010. - 163 с. - Код УКНД 35.040.
5. Про набрання чинності стандартами з управління інформаційною безпекою в банківській системі України [Текст]: постанова правління Національного банку України від 28 жовтня 2010 р. № 474. - К.: Національний банк України, 2010.
6. Domarev, D.V. Information security management system “Matrix” based on system approach [Text] / D.V. Domarev // Тези доповідей ХІ Міжнародної науково-практичної конференції студентів та молодих учених «Політ. Сучасні проблеми науки»: м. Київ, 6-7 квітня 2011 р. - К.: НАУ, 2011. Т. 1. - С 70.
7. Domarev, D.V. Analysis of Ukrainian legal documents on providing information security [Text] / N.A. Vinogradov, D.V. Domarev // Наука і молодь. Прикладна серія: Зб. наук. пр. - К.: НАУ, 2007. - № 7. - С. 78 - 81.
8. Домарев, Д.В. Применение полумарковских процессов в разработке и описании состояния систем защиты информации [Текст] / Д.В. Домарев // Системи обробки інформації. Безпека та захист інформації в інформаційних системах.: Зб. наук. пр. - Х.: ФОП «АЗАМАЄВА В.П.», 2009. - № 7(79). - С. 19 - 24.
9. Domarev, D.V. Information security management system “Matrix” based on system approach [Text] / D.V. Domarev // Проблеми інформатизації та управління: Зб. наук. пр. - К.: НАУ, 2011. - № 2(34).
10. ISO/IEC 27001 certification standard - ISO27k Forum [Electronic resource]. - Access mode: http://www.iso27001security.com/html/27001.html.
11. ISO/IEC 27002 code of practice - ISO27k Forum [Electronic resource]. - Access mode: http://www.iso27001security.com/html/27002.html.
12. Proctor, P. MarketScope for IT Governance, Risk and Compliance Management [Electronic resource]: Gartner RAS Core Research Note G0017S755 / P. Proctor, M. Nicolett. - Access mode: http://www.gartner.com/DisplayDocument?id=1361628.
13. Lumension® Endpoint Management and Security Suite Datasheet [Electronic resource]. - Access mode: http://www.lumension.com/Media_Files/Documents/Marketing---Sales/Datasheets/Lumension-Endpoint-Management-Security-Suite.aspx.
14. Howard, R.A. System analysis of semi-Markov processes [Text] / R.A. Howard // IEEE Transactions on Military Electronics. - New York: Institute of Electrical and Electronics Engineers, 1964. - Issue 2, vol. 8. - P. 114-124.
15. ISO/IEC 27000 series FAQ - ISO27k Forum [Electronic resource]. - Access mode: http://www.iso27001security.com/html/faq.html.
16. Salah, O. Mandatory Information Security Management System Documents Required for ISO/IEC 27001 Certification [Electronic resource] / O. Salah, G. Hinson. - Access mode: http://www.iso27001security.com/ISO27k_mandatory_ISMS_documents.rtf.
Appendix A
Deduction hierarchy of ISS security level estimation
Fig. A.1. The logical deduction hierarchy of ISS security level estimation
Appendix B
The solutions of the problems in analogous products by ISMS “Matrix”
Problem | Solution
The product is concentrated more on assessment than on managerial functions | The main function of the “Matrix” is high-level management
No conditional branching in workflow algorithms | Workflow is not limited to business processes with strict algorithms
Limited flexibility in self-assessment | The operation of the “Matrix” is based on self-assessment data and is dynamically rebuilt according to any changes
Products may be concentrated on a single standard and not appropriate for broader use | The system approach to IS enables handling of any normative documents, from internal regulations to international standards
Cost is considered high by customers and evaluators | The price is on average 10 times lower than in analogous products because: 1. The system core is distributed freely; 2. Support pricing is low due to the immaturity of the product.
Content is all based on bottom-up, IT-centric control management requirements | The “Matrix” is designed to operate only on high managerial levels, preventing drowning in the vast amount of technical details, so overall clarity is maintained
The maturity of the products makes their interfaces complex for users | Interfaces can be customised on demand for each customer
End users have reported configuration difficulties | No configuration needed, except allowing MS VBA macros
No predefined security policies | Filling the system with any normative document or policy is available from the product support unit on demand
Mostly compliance reporting with only a light treatment of risk | Risk assessment is a dedicated function, providing both detailed risk estimations and a pivot table
Development of policy and control framework content for commercial regulations | The system approach to IS is equally effective in both state and commercial organisations
Limited audit support | The variety of reports and pivot charts allows passing most audits without reassessment
Appendix C
Database scheme
Fig. C.1. Database scheme of the ISMS “Matrix”
Appendix D
Excerpt of the IS policy formed by the product
Top-level information security policy - document generator of the knowledge base of the ISMS “Matrix”
Direction: Bank as a whole
Threat: Threats to the computer network
Measures: 06.2.1 Identification of risks
4.1 Security risk assessment
Risk assessment must identify and determine the magnitudes and priorities of risks depending on the risk acceptance criteria and the relevant objectives of the organisation.
National note.
Banks of Ukraine use several software and hardware complexes for the automation of banking activities, which continuously exchange information; therefore the scope of application of the risk assessment must be the whole bank.
Direction: Bank as a whole
Threat: Loss of integrity
Measures:
6.1 Internal organisation
Objective: To manage information security within the organisation.
Direction: All IS directions
Threat:
Measures: 06.2 External parties
6.2 External parties
Objective: To maintain the security of the organisation's information and information processing facilities that are accessed, processed, managed or communicated with by external parties.
The security of the organisation's information and information processing facilities must not be reduced by the introduction of external party products or services.
Any access to the organisation's information processing facilities, as well as the processing and communication of information to external parties, must be controlled.
Where there is a business need for working with external parties that may require access to the organisation's information or information processing facilities, or for obtaining a product or service from an external party or providing one to it, a risk assessment must be carried out to determine the control requirements and the security implications. Controls must be agreed and defined in an agreement with the external party.
Direction: All IS directions
Threat:
Measures: 06.2.1 Identification of risks
4.2 Security risk treatment
Before starting risk treatment, the organisation must establish risk acceptance criteria.
For each of the risks identified after the risk assessment, a decision on risk treatment must be taken.
Define the organisation's approach to risk assessment (4.2.1.c Establishing the ISMS)
Appendix E
Program module of the shared ISMS functions (listing)
Option Compare Database

Public Function IsFormOpen(fname As String) As Boolean
    'check whether a form is open: referencing Forms(fname) raises an
    'error when the form is not loaded, which the handler turns into False
    On Error GoTo ErrFormOpen
    Dim frm As Form
    Set frm = Forms(fname)
    IsFormOpen = True
    Exit Function
ErrFormOpen:
    IsFormOpen = False
End Function

Public Sub openRiskPivot()
    'open the pivot chart of risk estimations from the main menu
    DoCmd.OpenForm "Ф_своднОценРиск", acFormPivotTable
End Sub

Public Sub showArchived(rname As String)
    'get the current report by name
    Dim rep As Report
    Set rep = Reports(rname)
    'check whether archived tasks have to be shown (checkbox on the filter form)
    If (Forms![Ф_фильтры].[Флажок_показАрх] = 0) Then
        rep.Filter = "NOT([Статус] = 'Архівна')"   'hide tasks whose status is "Archived"
        rep.FilterOn = True
    Else
        rep.FilterOn = False
    End If
End Sub

Public Sub hideParam(rname As String)
    'hide the parameter text fields in the report header
    Dim rep As Report
    Set rep = Reports(rname)
    rep.Титул_изм.Visible = False
    rep.Надп_титул_изм.Visible = False
    rep.загол_изм.Visible = False
    rep.Надп_загол_изм.Visible = False
End Sub
Public Sub hideDates(rname As String)
    'hide the date fields in the report header
    Dim rep As Report
    Set rep = Reports(rname)
    rep.Титул_ПолеС.Visible = False
    rep.Титул_ПолеПо.Visible = False
    rep.надп_Титул_2.Visible = False
    rep.загол_ПолеС.Visible = False
    rep.загол_ПолеПо.Visible = False
    rep.надп_загол_2.Visible = False
End Sub

Public Sub filters_initiate(fname As String)
    'get the current form by name
    Dim frm As Form
    Set frm = Forms(fname)
    frm.FilterOn = False
    'hide the filter controls
    frm.Кн_закрФильтр.Visible = False
    frm.Групп_фильтр.Visible = False
    frm.Кн_обнов.Visible = False
End Sub

Public Sub filters_show(fname As String)
    'get the current form by name
    Dim frm As Form
    Set frm = Forms(fname)
    'show the filter controls and open the filter-conditions form
    frm.Кн_закрФильтр.Visible = True
    frm.Групп_фильтр.Visible = True
    frm.Кн_обнов.Visible = True
    DoCmd.OpenForm "ф_фильтры"
End Sub

Public Sub filter_apply(fname As String)
    'get the current form by name
    Dim frm As Form
    Set frm = Forms(fname)
    'apply the filter selected in the option group
    Select Case frm.Групп_фильтр
        'each criterion refers to a control of the filter form by name, so Access
        'resolves the value itself: no user-typed text is concatenated into the filter string
        Case 1 'responsible person
            frm.Filter = "[Відповідальний]=[Forms]![ф_фильтры]![сотрудник]"
        Case 2 'document
            frm.Filter = "[Документ]=[Forms]![ф_фильтры]![Документ]"
        Case 3 'measures
            frm.Filter = "[заходи]=[Forms]![ф_фильтры]![меры]"
        Case 4 'means
            frm.Filter = "[засоби]=[Forms]![ф_фильтры]![средства]"
        Case 100 'assets
            frm.Filter = "[Активи]=[Forms]![ф_фильтры]![Активы]"
        Case 200 'threats
            frm.Filter = "[загрози]=[Forms]![ф_фильтры]![угрозы]"
        Case 400 'requirements
            frm.Filter = "[Вимоги]=[Forms]![ф_фильтры]![требования]"
        Case 500 'solutions
            frm.Filter = "[Вирішення]=[Forms]![ф_фильтры]![решения]"
        Case Else 'no filter selected: disable filtering
            frm.FilterOn = False
            Exit Sub
    End Select
    frm.FilterOn = True
End Sub

Public Sub filters_close(fname As String)
    'get the current form by name
    Dim frm As Form
    Set frm = Forms(fname)
    'switch the filter off and hide the filter controls
    frm.FilterOn = False
    frm.Кн_закрФильтр.Visible = False
    frm.Групп_фильтр.Visible = False
    frm.Кн_обнов.Visible = False
    'the filter-conditions form is shared with the document composition form,
    'so it is closed only when the latter is not open
    If IsFormOpen("ф_отчеты") Then
        'message: "Filter switched off, but the filter-conditions window will not be closed while the document composition window is open." / "Warning"
        MsgBox "Фільтр вимкнено, але вікно умов відбору не буде зачинено, доки відчинене вікно компонування документів.", , "Попередження"
    Else
        DoCmd.Close acForm, "ф_фильтры", acSaveNo
    End If
End Sub
Appendix F
Program module of the ISMS report (listing)
Option Compare Database

Private Sub Report_NoData(Cancel As Integer)
    'no task records match: warn the user and cancel the report
    'message: "No information about tasks." / "Report is empty"
    MsgBox "Інформація про задачі відсутня.", vbOKOnly, "Звіт порожній"
    Cancel = True
End Sub

Private Sub Report_Open(Cancel As Integer)
    'the caller passes the report mode through OpenArgs
    Select Case Me.OpenArgs
        Case "expired" 'expired tasks only
            Me.загол_Надп.Caption = "Прострочені задачі на " & Date   'caption: "Overdue tasks as of <date>"
            Me.RecordSource = "Зу_Срок"
        Case Else 'no conditions: list all tasks
            Me.загол_Надп.Caption = "Повний перелік задач"   'caption: "Full list of tasks"
            Me.RecordSource = "Зу_всеЗадачи"
            showArchived Me.Name 'public sub from the shared module (appendix E): hides archived tasks unless the filter form asks for them
    End Select
End Sub