Abstract
The relevance of this work stems from the approval, in October 2021, by the Administration of the State Service for Special Communications and Information Protection of Ukraine of the “Methodological recommendations for increasing the level of cyber protection of critical information infrastructure”. The recommendations were developed on the basis of one of the world's best approaches, the NIST Cybersecurity Framework. At present, the Recommendations developed by the State Special Communications Service have partially lost their relevance and require adjustment following the release of NIST Special Publication 800-53A Revision 5 “Assessing Security and Privacy Controls in Information Systems and Organizations” Governance Oversight” (publication date: January 2022). These documents complete the cycle of integrating cybersecurity risk management (CSRM) with enterprise risk management (ERM). They describe methods for combining risk information across all system assets and the organization's (enterprise's) network, including illustrative examples of aggregating and normalizing the results of cybersecurity risk registers (CSRR) with regard to risk parameters, criteria and impact on the continuous functioning of communication systems. As a result, the integration and normalization of risk information enables decision-making and risk monitoring at all levels of the system, which makes it possible to form a comprehensive picture of overall cyber risk. These documents describe the creation of an Organizational Risk Profile (ERP) that supports comparing and managing cyber risks alongside other risk types. Of particular interest are the authors' views on the control of confidentiality associated with systems, their distribution environment and their operation.
It is substantiated that a qualitative system assessment helps to identify the existing controls in the organization, in accordance with the security and confidentiality plan, which are subsequently applied in organizational systems and the operating environment. In this environment, control assessment indicates the implementation of specific steps of the risk management framework and contributes continuously to an effective approach to sustainable risk management processes by identifying weaknesses or deficiencies in systems, which allows the organization to determine how to respond to particular cyber threats. Therefore, in order to address the problems of adopting and implementing the norms and rules of international organizations in the field of cybersecurity and cyber defence, it is proposed to analyze the above documents and put forward appropriate proposals for correcting and supplementing the previously approved “Methodological recommendations ...” of the State Special Communications Service. In turn, this will make it possible not only to protect the state's critical information infrastructure from cyber attacks, but also to conduct preventive offensive operations in cyberspace, including disabling critical enemy infrastructure facilities by destroying the communication systems that control such facilities.