Abstract

An urgent issue for the security industry today is the state of information security at critical infrastructure objects and the effective application of appropriate measures to maintain it in proper condition. This article stresses the particular relevance of these issues, focusing on the most significant aspects of ensuring information security at critical infrastructure facilities through risk management and risk response strategies. It sets out the essence of the ways of responding to risks and treating them. Preliminary planning of the risk management process for the information infrastructure is a key aspect of security risk management. A well-planned process matches the significance of a business process for the critical infrastructure object with the costs necessary to manage the risks affecting that business process. All business processes for which the value of the loss is greater than some predetermined value are declared critical. Risk management planning is most effectively carried out by a special working group consisting of the top manager, the heads of other departments and the IT manager. The working group forms strategies for responding to identified, assessed and ranked risks. Risk analysis must take into account not only the operation of systems in regular mode, but also the peak load on them. Decisions about responding to relevant risks must take costs into account, together with the full assessment of the level of risk characteristic of the operation of critical infrastructure objects. When managers of business units set tasks to combat risks in their units, they most often accept any risk without understanding the consequences, because their real goals are tied to performing the main official tasks that affect the final result of the activity.
Risk treatment options should be evaluated based on the degree of risk reduction and the degree of any additional benefits or opportunities created. Special attention is paid to the risk-taking strategy, which demands significant professional and intellectual ability from decision-makers. Given the particular features of this method of response, an approach must be developed that is adapted to the specific object of information activity and that determines whether applying security measures is economically feasible in relation to the possible information security incidents.
