Information Security Management Process Research Articles

PROTECTION OF INFORMATION RESOURCES OF SMALL ENTERPRISES, INCLUDING THE SUBSYSTEM FOR MANAGEMENT OF NON-TECHNICAL ASPECTS OF INFORMATION SECURITY

Information is one of the key resources of a modern economic organization. Companies with access to up-to-date, unique, useful and reliable information can compete effectively with other economic entities in today’s turbulent economic environment. Information management takes place in the space of the information system. An increasing part of this system now constitutes the information system which has largely become the primary storage and processing environment for information resources.Information, regardless of the size of the enterprise, is exposed to similar threats and risks of loss or destruction. However, the size of an enterprise, through its material resources, its capabilities in hiring qualified staff, very often determines the range of possibilities to counter potential threats and minimize the potential risk of loss of intangible resources. In this paper, the author attempts to classify, identify the risk areas for small entities which generally have the least potential to implement effective, modern information security management processes. The empirical part presents the original design of a subsystem of the Information Security Management System supporting the processes of mitigating the risk of threats to intangible resources of small enterprises.

О ВОЗМОЖНОСТИ ЧИСЛЕННЫХ МЕТРИК В УПРАВЛЕНИИ ИНФОРМАЦИОННОЙ БЕЗОПАСНОСТЬЮ

Introduction. The existing information security management in information systems is a set of informal verbal models. They make it possible to determine a variety of measures but cannot conduct numerical assessments – to compare alternative strategies according to the introduced criterion, to numerically record changes in the level of information security, to perform mathematically justified optimization of control actions. Purpose: The purpose of the study is to substantiate the possibility of using numerical estimates in information security management. Methods: The search for alternative methods of modeling information security management processes begins with the modeling object classification. The modeling object (the information security management process) is considered as a complex system having irremediable uncertainty. A method using fuzzy algorithms can be classified as one of the possible methods in modeling such objects. Fuzzy algorithms are most widely used when modeling technical control systems, but this method potential allows us to hope for positive results when modeling more complex processes. The article offers an example of using fuzzy modeling algorithms based on Mamdani rules of inference algorithms for creating an information security management system model of an information system. Results: The sensitivity, continuity and qualitative adequacy of the described model are substantiated, the possibility of operational tracking of the influence of destabilizing influences on the level of information security in the information system using a numerical metric is shown. Practical relevance: The use of the proposed methods opens up the possibility of building an automatic information security management system of an information system.

Development of cyber-physical system security management process model

Cyber-physical systems (CPS) combine general-purpose information and telecommunication systems and industrial networks and devices (controllers), forming a heterogeneous hierarchical distributed information technology computing environment designed for control and monitoring of technological processes. FSCs are being actively implemented in the industrial, urban and household spheres, allowing for more efficient use of resources, as well as transferring management and feedback processes to a new level. CPS are formed as a result of the aggregation of several heterogeneous information and telecommunication systems, which makes them susceptible to the destructive factors of the digital environment – cyber attacks. The peculiarities of the construction and functioning of the CPS require a new approach to defining attack surfaces and modelling threats. This is due to the fact that the "traditional" goals of attackers - the availability, integrity and confidentiality of information processed in the system - are not the only ones. In addition, the value of the information itself can be extremely low. At the same time, control and feedback processes play a decisive role in a cyber-physical system. Their stability directly affects the ability of the FSC to perform target functions, as well as the physical safety of technological facilities, personnel and consumers. Depending on the degree of criticality of the technological processes of the real world, which are controlled by the cyber-physical system, the violation of these flows inside it can lead to serious consequences, such as large material damage or a threat to the life and health of people. The severity of the identified threats is confirmed by the constantly growing number of attacks on CPS and the consequences, including potential ones, to which these attacks lead. In addition, it should be noted that in the context of the rapid development and improvement of programmable control devices (Programmable Logic Controller (PLC)), making them more accessible in the mass market segment, as well as the proliferation of high-speed wireless data transmission networks, the concept of a smart home is gaining wider application. This approach implies the integration of PLCs that interact with each other and the control centre via multi-service broadband wireless networks into the domestic environment. Thus, the concept of a smart home is based on the implementation of FSCs in places of permanent residence of people with the transfer of automatic control functions of climatic equipment, lighting, household appliances, physical elements of protection against intrusions to them. At the same time, it is extremely important to ensure the information security of the CFS. To ensure the required level of their security, it is necessary to effectively solve the problems of managing the process of ensuring their information security. The article proposes an approach to the development of a model for the information security management process of a CFS operating in a smart home.

Науково-методичні засади оцінки ефективності процесу управління інформаційною безпекою підприємств малого та середнього бізнесу: кібербезпека та інтелектуальна власність

The aim of the article is to study the scientific and methodological foundations of assessing the efficiency of the information security management process of small and medium-sized businesses and develop recommendations for improving its efficiency in the face of growing challenges and threats to cybersecurity and intellectual property. The main research methods were: analysis, synthesis, generalization, tabular, graphical, and integrated approach. The importance and necessity of timely assessment of the efficiency of the information security management process of small and medium-sized businesses due to the growing cyberthreats to their intellectual property as a basis for innovative development in a pandemic, war, digitalization was highlighted. The process of information security management for the protection of intellectual property (IPR) was substantiated as a reliable basis for innovative development of small and medium-sized businesses. Emphasis is placed on the growing importance, role and importance of cybersecurity for the functioning and development of small and medium-sized businesses in the face of new challenges and threats. A scientific and methodological approach to assessing the efficiency of the information security management process in the context of IPR protection of small and medium-sized enterprises in the conditions of a growing number of challenges and threats has been developed and proposed for use. Emphasis was placed on the expediency of a detailed study of directions for improving the regulatory framework for information security to protect the IPR of small and medium-sized businesses in the face of countering the cyber threats. Prospective directions of research on this issue were highlighted: development of information security strategy for IPR protection in the context of prevention of new challenges and threats; improving the organizational aspects of information security management for the protection of IPR; development of digital culture of small and medium-sized businesses as a factor in improving the efficiency of the information security management process in the face of digitalization challenges.

Автоматизация обработки данных в процессе аудита информационной безопасности

According to the Russian standards in the field of information security management (IS), which are authentic international standards, such as [1, 2], the organization must regularly conduct an internal audit of the information security management system. An audit is an independent review and evaluation of an organization's activities by analyzing and evaluating processes, projects, reports, and products. Audit, as an activity, is not static, unchanging, it evolves. From the point of view of leading international audit companies, in particular [3, 4], the current stage of audit evolution is the transition from reactivity (identifying shortcomings after the fact) to proactivity (predicting the results of actions or events before their completion). The validity of the statement for the Russian Internal Audit is confirmed by the results of the IX National Scientific and Practical Conference [5]. The movement towards proactivity in the audit determines the relevance of the following tasks: 1) processing up to 100 % of the information generated by the activity that is the focus of the audit; 2) processing information in a close-to-online mode; 3) the availability of powerful tools for data analysis and modeling on their basis the further development of the investigated events, as well as the appropriate skills of working with it from the auditors. When conducting audits, the auditors have a dilemma – on the one hand, they are obliged to provide the owners/shareholders/management of the organization with data as close as possible to the reliable state of the information security management processes, information about the identified shortcomings and recommendations for their elimination, on the other hand: the audit time is strictly limited; unloading the initial data from the organization's information systems takes considerable time; the data obtained from various information systems and other sources have different, not always standard formats; the tools used have disadvantages, since the most frequently used spreadsheets (MSExcel, LOCalc), due to internal limitations, are no longer able to provide the required functionality. The above-mentioned factors, as well as other factors, such as unwillingness to cooperate, hidden opposition of the personnel of the audited organization, evaluation of the work of auditors only by quantitative indicators (the number of observations or the time spent on one observation), lead to the fact that the checks are carried out superficially. At the same time, shortcomings in the information security management processes can be detected, but it becomes difficult to explain their nature and give effective recommendations to the business auditor. As a result, the goal of independent audits defined in GOST ISO/IEC 27002-2012 – “ensuring confidence in the continued efficiency, adequacy and effectiveness of the organization's approach to information security management” [2] – cannot be achieved. One of the options for eliminating some of the above-mentioned shortcomings is the use of programs developed by the auditors themselves and designed for operational data processing, the so-called “small automation”, during audits. This approach, although it is a low-level link in the chain of automation of audit procedures and, nevertheless, is within the framework of the audit development paradigm in the direction of robotization of procedures and the use of artificial intelligence, which is discussed, for example, in the works [3, 6, 7], and also confirmed by the results of conferences of the Institute of Internal Auditors [8].

INFORMATION SECURITY MANAGEMENT FRAMEWORK SUITABILITY ESTIMATION FOR SMALL AND MEDIUM ENTERPRISE

Information security is one of the key concerns of an enterprise or organization. To assure suitable management of information security a list of information security management frameworks has been developed by a number of institutions and authors. A condensed information in information security management framework is very important to a small and medium enterprise as this type of enterprise usually lacks resources for information security expertise and deep analysis. Despite the fact, the information security management process and its frameworks, on the other hand, are very complex and require a big number of different elements. At the moment the comparison it is very shallow, as all properties of the comparison are treated equally important. In real life, the importance of different criteria of information security management framework and their suitability for small and medium enterprise vary. Therefore we use the Analytic Hierarchy Process to construct a hierarchy of information security management frameworks quality and applicability in small and medium enterprise and define the weights for each of the criteria. Weighted criteria express the importance of the criteria and executed the final comparison of alternatives (five information security management frameworks) is more realistic (similar to experts opinion) comparing to existing comparisons.

МОДЕЛЬ ЖИЗНЕННОГО ЦИКЛА СИСТЕМЫ ЗАЩИТЫ ИНФОРМАЦИИ

When building an information security system, one of the key problems is the creation of regulatory documents. Regulators in the field of information security determine the list of necessary documentation mainly in relation to protection mechanisms (authentication, anti-virus protection, etc.) and practically do not take into account the stages of the life cycle of information security tools and personnel of the organization. The article proposes an approach to formalization of the list of information security management processes that need regulation. This approach allows the formation of information security policy to take into account the processes of personnel management and the complex of software and hardware information security, which is necessary to ensure a high level of security of critical information infrastructure.

Business Model for the Security of a Large-Scale PACS, Compliance with ISO/27002:2013 Standard.

Data security is a critical issue in an organization; a proper information security management (ISM) is an ongoing process that seeks to build and maintain programs, policies, and controls for protecting information. A hospital is one of the most complex organizations, where patient information has not only legal and economic implications but, more importantly, an impact on the patient's health. Imaging studies include medical images, patient identification data, and proprietary information of the study; these data are contained in the storage device of a PACS. This system must preserve the confidentiality, integrity, and availability of patient information. There are techniques such as firewalls, encryption, and data encapsulation that contribute to the protection of information. In addition, the Digital Imaging and Communications in Medicine (DICOM) standard and the requirements of the Health Insurance Portability and Accountability Act (HIPAA) regulations are also used to protect the patient clinical data. However, these techniques are not systematically applied to the picture and archiving and communication system (PACS) in most cases and are not sufficient to ensure the integrity of the images and associated data during transmission. The ISO/IEC 27001:2013 standard has been developed to improve the ISM. Currently, health institutions lack effective ISM processes that enable reliable interorganizational activities. In this paper, we present a business model that accomplishes the controls of ISO/IEC 27002:2013 standard and criteria of security and privacy from DICOM and HIPAA to improve the ISM of a large-scale PACS. The methodology associated with the model can monitor the flow of data in a PACS, facilitating the detection of unauthorized access to images and other abnormal activities.

A Study on the Improvements of Information Security Management System for Environment Education Institutes

Recent information and communication technology (ICT, Information Communication Technology) environment for the rapid changes in the information security threats and vulnerabilities in assets than ever recognized as very important. For proper information security management process improvement activities as part of the Information Security Management System certification and operate subject to gradual institutionalization and growing. Information Security Management System (ISMS) is a systematic organization to protect the information assets of an organization from the threat of cyber breaches respond to organically mean a comprehensive management system. This paper presents a variety of serious security incidents occur and appropriate educational environment to develop information security management system model. Applying the learning environment to enhance the level of data protection and information security management and direction of efforts to find ways to improve the model for improvement to propose

Proposal for a Security Management in Cloud Computing for Health Care

Cloud computing is actually one of the most popular themes of information systems research. Considering the nature of the processed information especially health care organizations need to assess and treat specific risks according to cloud computing in their information security management system. Therefore, in this paper we propose a framework that includes the most important security processes regarding cloud computing in the health care sector. Starting with a framework of general information security management processes derived from standards of the ISO 27000 family the most important information security processes for health care organizations using cloud computing will be identified considering the main risks regarding cloud computing and the type of information processed. The identified processes will help a health care organization using cloud computing to focus on the most important ISMS processes and establish and operate them at an appropriate level of maturity considering limited resources.

정보보안관리에 영향을 미치는 기업환경요소와 규제자 영향의 조절효과

According to the higher dependence of contemporary firms on data digitalization and the information technology, the role and importance of Information Security Management (ISM) is getting higher. Thus, there is a need to arrange proper procedure and a series of device within the organization in order to reduce diverse security risks, which take place from the inside and the outside of firm. In other words, prior examination for reinforcing recognition of ISM, and of a systematic performance method in the refined form is important. This study investigate the key variables influencing the ISM. Thus, this study suggests firm environmental factors that include four exogenous variables, market volatility, task interdependence, perceived benefits, and coordination mechanism affecting awareness of ISM. In addition, it proposes a concept of the ISM process with awareness, development, and performance, and examines the moderating effects of regulatory influence. The research model was tested by using Structural Equation Modeling, via SmartPLS 2.0 analysis on a sample collected from 186 employees in various industries. The research results provide the evidence that supports the tested hypotheses except significance of coordination mechanism. The implications of the findings suggest a new theoretical framework of the ISM and offers important solutions for the practical application guidelines.

Information Security Management: An Approach to Combine Process Certification And Product Evaluation

Information Security (IS) is the key to the effective management of any organisation in today’s commercial and industrial sectors. Line managers’ performance, for instance, is rated according to the extent to which their operations conform to the IS policies of their respective organizations. In the same way, senior management’s performance is judged by how well the organization performs in terms of internationally accepted codes of IS practice. IS management, however, is not always a quantifiable entity and its evaluation is complicated by the fact that it can be viewed either from an electronic perspective, in which case the focus will fall solely on product and/or systems evaluation, or from a procedural and management perspective, in which case the focus will, instead, fall on the certification of the IS management process. This article will, therefore, be devoted to providing a consolidated approach to the evaluation of IS management, in terms of which full cognisance will be taken of both these perspectives.