TECHNIQUE OF OPTIMAL AUDIT PLANNING FOR INFORMATION SECURITY MANAGEMENT SYSTEM

F. N. Shago, I. A. Zikratov


Article in Russian


Abstract

The growing complexity of information security management systems (ISMS) calls for a better scientific and methodological apparatus for auditing them. Planning is an important and determining part of ISMS auditing. Audit efficiency is defined by the ratio of the quality indicators achieved to the resources spent. Hence there is an important and urgent task: developing methods and techniques for optimizing audit planning so as to increase its effectiveness. The proposed technique makes it possible to distribute the planned time and material resources optimally over the audit stages on the basis of a dynamics model of ISMS quality. A special feature of the approach is that it uses both a priori and a posteriori data for the initial audit planning, and adjusts the plan after each audit event. This makes it possible to optimize the use of audit resources according to the selected criteria. Application examples of the technique are given for planning the audit of an organization's ISMS. A computational experiment based on the proposed technique showed that audit time (cost) can be reduced by 10-15% and, consequently, that the quality assessments obtained for a given allocation of audit resources can be improved relative to well-known audit planning methods.


Keywords: information security, information security management systems (ISMS), ISMS audit, audit planning
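The abstract describes a loop of initial planning from a priori data, an audit event, a posteriori update, and re-planning of the remaining resources. The following is an added illustration of that loop written for this page; it is not the authors' dynamics model and does not reproduce their criteria. It assumes a Beta-Bernoulli model of control conformity per audit stage, a one-step "expected variance reduction per audit hour" greedy rule for spreading the budget over stages, and constructed stage names, priors, costs and a 12-hour budget.

```python
"""Added example: plan -> audit event -> posterior update -> re-plan.

Not the model from the paper. Assumptions (all constructed for this page):
  * each audit stage has an unknown conformity rate with a Beta prior,
    sampled checks are Bernoulli trials against that rate;
  * the planning criterion is expected reduction of posterior variance
    per audit hour, allocated greedily until the budget is exhausted.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Stage:
    name: str
    hours_per_check: float     # cost of one sampled check in this stage
    alpha: float = 1.0         # pseudo-count of conforming checks (a priori data)
    beta: float = 1.0          # pseudo-count of non-conforming checks

    @property
    def mean(self) -> float:
        return self.alpha / (self.alpha + self.beta)

    @property
    def variance(self) -> float:
        n = self.alpha + self.beta
        return self.alpha * self.beta / (n * n * (n + 1.0))

    def expected_gain_per_hour(self) -> float:
        # One-step lookahead under Beta-Bernoulli: the expected posterior
        # variance after one more check is alpha*beta/((a+b)(a+b+1)^2), so the
        # expected reduction is variance/(alpha+beta+1). Divide by cost.
        n = self.alpha + self.beta
        return (self.variance / (n + 1.0)) / self.hours_per_check

    def record(self, conforming: int, nonconforming: int) -> None:
        """A posteriori update after an audit event (conjugate Beta update)."""
        self.alpha += conforming
        self.beta += nonconforming


def plan(stages: List[Stage], hours: float) -> Dict[str, int]:
    """Greedy allocation of the remaining audit hours to stages.

    Works on copies so the real posteriors are untouched. Each planned check
    moves the copy's pseudo-counts forward by its expected outcome, so further
    checks of the same stage are valued less and the budget spreads out.
    """
    shadow = [Stage(s.name, s.hours_per_check, s.alpha, s.beta) for s in stages]
    allocation = {s.name: 0 for s in stages}
    left = hours
    while True:
        affordable = [s for s in shadow if s.hours_per_check <= left]
        if not affordable:
            return allocation
        best = max(affordable, key=lambda s: s.expected_gain_per_hour())
        allocation[best.name] += 1
        left -= best.hours_per_check
        p = best.mean
        best.alpha += p
        best.beta += 1.0 - p


def run_audit(stages: List[Stage], hours: float,
              events: List[Tuple[str, int, int]]):
    """Initial plan, then after every (stage, conforming, nonconforming) event
    update that stage's posterior, deduct the hours spent and re-plan the rest.
    Returns the list of plans and the final posterior conformity means."""
    by_name = {s.name: s for s in stages}
    history = [plan(stages, hours)]
    remaining = hours
    for name, ok, bad in events:
        st = by_name[name]
        st.record(ok, bad)
        remaining -= (ok + bad) * st.hours_per_check
        history.append(plan(stages, remaining))
    return history, {s.name: round(s.mean, 3) for s in stages}


def example_scenario(events: List[Tuple[str, int, int]]):
    # Constructed stages: names, costs and priors are illustrative only.
    stages = [
        Stage("access-control", hours_per_check=2.0, alpha=3.0, beta=1.0),
        Stage("incident-response", hours_per_check=1.0, alpha=1.0, beta=1.0),
        Stage("supplier-security", hours_per_check=3.0, alpha=2.0, beta=2.0),
    ]
    return run_audit(stages, 12.0, events)


if __name__ == "__main__":
    plans, means = example_scenario([("incident-response", 2, 3)])
    print("initial plan:", plans[0])
    print("re-plan after event:", plans[1])
    print("posterior means:", means)
```

With the constructed priors the initial plan puts most checks on the stage with no prior information. If the first audit event in that stage finds three non-conformities in five checks, the re-plan keeps sending checks there; if all five conform, the re-plan drops the stage and spends the remaining hours elsewhere. That is the effect the abstract attributes to combining a priori and a posteriori data, shown here under a deliberately simple model.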

Copyright 2001-2017 ©
Scientific and Technical Journal
of Information Technologies, Mechanics and Optics.
All rights reserved.
