The goal of this work is to identify and assess information security risks for a typical distributed information system within three controlled areas. The main emphasis, application of information security in the considered information system is done to minimize damage from security threats, aimed at the integrity and availability of the hardware and software complex of the information system, and not to the confidentiality of information resources processed with their help. The study examined international and national standards in the field of information security, which regulate issues of information security risks management. In particular, the basic requirements for the assessment and processing of information security risks were established, based on the international standard “ISO 27001: 2013 Information technologies. Methods of protection. Information security management systems”, as well as a comparison of this standard with its version from 2005 is made. As a leading method of risk assessment and processing, the most economical the qualitative method was chosen, in the absence of ready data on the number of attacks implemented in the considered information system for a certain period of time. In the process, valuable assets of the organization were considered, and based on the business process of the telecommunication company, major and minor assets were allocated, as well as the corresponding information security threats in accordance with the security threat data bank of the Federal Service for Technical and Export Control. The result of this work was the calculation of information security risks, based on the allocation of valuable assets of the organization, the degree of potential damage in the implementation of threats to such assets and the probability of the implementation of threats to the information system of the telecommunication enterprise. In addition, acceptable risks were identified, the processing of which is not required due to the fact that the actual cost of minimizing them is greater than the losses from the implementation of threats over them. In conclusion, possible measures were proposed to minimize information security risks, including a backup system, a system for protecting against unauthorized access, an anti-virus protection system, firewalling, and organizational measures and physical protection measures. The proposed method makes it possible to reasonably assess information security risks of an organization in conditions of insufficient initial data, as well as the absence of additional hardware and software for assessing information security risks, which allows applying it to model organizations based only on scaling of the considered system, if there is no state information secret in the processed data. The risk management procedure helps not only to identify and eliminate the analysis of vulnerabilities and innovations in the field of risk assessment, but also to increase the literacy level of staff, involved in the assessment and risk management process.
Read full abstract