Abstract

The goal of this work is to identify and assess information security risks for a typical distributed information system within three controlled areas. The main emphasis, application of information security in the considered information system is done to minimize damage from security threats, aimed at the integrity and availability of the hardware and software complex of the information system, and not to the confidentiality of information resources processed with their help. The study examined international and national standards in the field of information security, which regulate issues of information security risks management. In particular, the basic requirements for the assessment and processing of information security risks were established, based on the international standard “ISO 27001: 2013 Information technologies. Methods of protection. Information security management systems”, as well as a comparison of this standard with its version from 2005 is made. As a leading method of risk assessment and processing, the most economical the qualitative method was chosen, in the absence of ready data on the number of attacks implemented in the considered information system for a certain period of time. In the process, valuable assets of the organization were considered, and based on the business process of the telecommunication company, major and minor assets were allocated, as well as the corresponding information security threats in accordance with the security threat data bank of the Federal Service for Technical and Export Control. The result of this work was the calculation of information security risks, based on the allocation of valuable assets of the organization, the degree of potential damage in the implementation of threats to such assets and the probability of the implementation of threats to the information system of the telecommunication enterprise. In addition, acceptable risks were identified, the processing of which is not required due to the fact that the actual cost of minimizing them is greater than the losses from the implementation of threats over them. In conclusion, possible measures were proposed to minimize information security risks, including a backup system, a system for protecting against unauthorized access, an anti-virus protection system, firewalling, and organizational measures and physical protection measures. The proposed method makes it possible to reasonably assess information security risks of an organization in conditions of insufficient initial data, as well as the absence of additional hardware and software for assessing information security risks, which allows applying it to model organizations based only on scaling of the considered system, if there is no state information secret in the processed data. The risk management procedure helps not only to identify and eliminate the analysis of vulnerabilities and innovations in the field of risk assessment, but also to increase the literacy level of staff, involved in the assessment and risk management process.

Highlights

  • Целью данной работы является определение и оценка рисков информационной безопасности для типовой распределенной информационной системы телекоммуникационного предприятия, расположенной в пределах трех контролируемых зон

  • The main emphasis, application of information security in the considered information system is done to minimize damage from security threats, aimed at the integrity and availability of the hardware and software complex of the information system, and not to the confidentiality of information resources processed with their help

  • As a leading method of risk assessment and processing, the most economical the qualitative method was chosen, in the absence of ready data on the number of attacks implemented in the considered information system for a certain period of time

Read more

Summary

Определение ценности активов

Описывающих требования к методу обработки и оценки рисков является международный стандарт «ISO 27001: Информационные технологии. Процесс расчета рисков информационной безопасности актуален на всех этапах работы системы защиты информации и является интересным для владельца информации в первую очередь с точки зрения потерь в экономической сфере. – в процессе оценки рисков должны быть установлены критерии приемлемости риска и критерии для оценки рисков ИБ;. – а также, должна производиться идентификация владельца риска, где под владельцем понимается физическое, юридическое лицо или подразделение, отвечающее за управление риском и обладающее необходимыми для этого полномочиями, в данном случае, речь может идти о руководителях, специалистах по информационной защите, отделах по ИБ и пр.; [8]. – в процессе анализа рисков ИБ должна быть произведена оценка потенциальных потерь в случае реализации риска;. – в процессе оценки рисков ИБ должно быть произведено сопоставление рисков с установленными критериями, а также определен вектор приоритетных направлений по их обработке. Менеджмент риска информационной безопасности» ценные активы организации условно можно разделить на основные и вспомогательные. Соответствующим национальным законам о неприактивы косновенности частной жизни

Место функционирования организации
Оценка рисков информационной безопасности
Отчет об оценке рисков ИБ
Возможные контрмеры
Full Text
Published version (Free)

Talk to us

Join us for a 30 min session where you can share your feedback and ask us any queries you have

Schedule a call