EFFECTIVENESS ASSESSMENT METHODOLOGY OF INFORMATION SECURITY MANAGEMENT SYSTEM THROUGH THE SYSTEM RESPONSE TIME TO INFORMATION SECURITY INCIDENTS

F. N. Shago


Read the full article 

Abstract

Quality assessment of information security management system is an important step for obtaining baseline data for analysis of the security system control effectiveness, and evaluating implementation of the specified information security requirements of the organization. Proceeding from current analysis practice of information security management systems effectiveness assessment, it can be concluded that, in most cases, independent measurement of security control is carried out without regard to their interaction. The uncertainty of the stochastic nature of the measured security controls is not taken into account. There is a list of related measures for control and management; however, structural elements for measuring of these interactions are absent. Thus, there is an important and urgent task of improving the effectiveness assessing methodology for information security management system that can be solved by introducing a new integral effectiveness indicator of the system, which would give the possibility to take into account the above-mentioned shortcomings.

The author proposes the usage of a new integral efficiency indicator - system response time to information security incidents. This efficiency indicator will make it possible to pass from the binary effectiveness assessment of the system "approve or disapprove" to a quantitative one. New performance indicator gives the possibility to take into account the uncertainty of the stochastic nature of the attributes and measures of management and control, provides a quantitative assessment of the information security state and has a clear physical interpretation for the organization management and information security officers. Dynamics of the indicator change from test to test will assess the information security management system state in general and effectiveness of taken control and management measures. The method for calculating of the new information security management system performance indicator is based on the experimental design theory. Its advantages are: information security service staff has an opportunity to control the attributes measurement, the same accuracy of estimates for attribute parameters during the measurement is provided, interaction degree between attributes and their importance in the computation of the effectiveness of information security management is revealed by means of the regression coefficients, and also an analytical model of performance indicator can be obtained.


Keywords: information security, effectiveness of information security management system, ISMS quality index, ISMS efficiency assessment

References
1.     ISO/IEC 19011:2011. Guidelines for auditing management systems. 11.11.2011. Geneva, International Organization for Standardization. 44 p.
2.     Аксенов В.В. Аудит системы менеджмента информационной безопасности. Руководство [Электронный ресурс]. Режим доступа: itsec.by/wp-content/uploads/2012/10/Auditors-Guide-ISO-27001-on-Russian.pdf, свободный. Яз. рус. (дата обращения 20.04.2014).
3.     ISO/IEC 27000:2013. Information security management systems – Overview and vocabulary. 14.01.2013. Geneva, International Organization for Standardization. 25 p.
4.     ISO/IEC 27001:2013, Information security management systems – Requirements. 25.09.2013. Geneva, International Organization for Standardization. 23 p.
5.     Приказ ФСТЭК России №17. Об утверждении требований о защите информации, не составляющей государственную тайну, содержащейся в государственных информационных системах. Введ. 11.02.2013. М.: ФСТЭК РФ. 37 с.
6.     Зикратов И.А., Одегов С.В., Смирных А.В. Оценка рисков информационной безопасности в облачных сервисах на основе линейного программирования // Научно-технический вестник информационных технологий, механики и оптики. 2013. № 1 (83). С. 141–144.
7.     ГОСТ Р ИСО/МЭК 27004-2011. Информационная технология. Методы и средства обеспечения безопасности. Менеджмент информационной безопасности. Измерения. Введ. 01.01.2012. М.: Стандартинформ, 2012. 62 с.
8.     Шаго Ф.Н., Зикратов И.А. Методика оптимизации планирования аудита системы менеджмента информационной безопасности // Научно-технический вестник информационных технологий, механики и оптики. 2014. № 2 (90). С. 111–117.
9.     Critical Security Controls for Effective Cyber Defense [Электронныйресурс]. Режим доступа: http://www.sans.org/critical-security-controls/, свободный. Яз. англ. (дата обращения 20.04.2014).
10.  Зикратов И.А., Одегов С.В. Оценка информационной безопасности в облачных вычислениях на основе байесовского подхода // Научно-технический вестник информационных технологий, механики и оптики. 2012. № 4 (80). С. 121–126.
11.  Catteddu D., Hogben G. Cloud computing: benefits, risks and recommendations for information security. Heraklion: ENISA, 2009. 125 p.
12.  Macaulay T. Upstream intelligence: anatomy, architecture, case studies and use-cases // Information Assurance Newsletter. 2011. V. 14. P. 18–22.
13.  Мартыщенко Л.А., Ивченко В.П., Монастырский М.Л. Теоретические основы информационно-статистического анализа сложных систем. СПб: Лань, 1997. 320 с.
14.  Айвазян С.А., Енюков И.С., Мешалкин Л.Д. Прикладная статистика. Исследование зависимостей. М.: Финансы и статистика, 1985. 487 с.
15.  Лебедев А.Н., Куприянов М.С., Недосекин Д.Д., Чернявский Е.А. Вероятностные методы в инженерных задачах: Справочник. СПб: Энергоатомиздат, 2000. 333 с.
16.  Зедгенидзе И.Г. Планирование эксперимента для исследования многокомпонентных систем. М.: Наука, 1976. 390 с.
17.  Бендат Дж., Пирсол А. Прикладной анализ случайных данных: Пер. с англ. М.: Мир, 1989. 540 с.
18.  Спиридонов А.А. Планирование эксперимента при исследовании технологических процессов. М.: Машиностроение, 1981. 184 с.
Copyright 2001-2017 ©
Scientific and Technical Journal
of Information Technologies, Mechanics and Optics.
All rights reserved.

Яндекс.Метрика