doi: 10.17586/2226-1494-2023-23-3-519-529
Review of national and international standards for categorizing of critical information infrastructure objects
Article in Russian
For citation:
Livshitz I.I. Review of national and international standards for categorizing of critical information infrastructure objects. Scientific and Technical Journal of Information Technologies, Mechanics and Optics, 2023, vol. 23, no. 3, pp. 519–529 (in Russian). doi: 10.17586/2226-1494-2023-23-3-519-529
Abstract
Ensuring the security of critical information infrastructure (CII) facilities is a relevant and developing area of information security at both the national and global level. Categorization of CII objects is an integral part of a common, holistic security process. With a dynamically changing threat level, the process of determining an object's category is still not optimal. Under the existing requirements of both Russian and international standards, the assessment of CII facilities cannot always be carried out promptly and correctly; in addition, numerical estimates are not formed, and the objectivity of the assessment and of its subsequent reassessment by independent experts is not ensured. This article presents an analysis of the current requirements for categorizing CII objects used in the Russian Federation. A comparative analysis of the national regulatory legal acts of the Russian Federation and the system of international standards in the field of IT security is presented. Regulation of the categorization processes for CII objects is considered. The necessity of forming numerical values of significance criteria for the correct determination and subsequent independent evaluation (reassessment) of the category of CII objects is substantiated. Recommendations for improving the process of categorizing CII objects and for forming numerical estimates are presented. Implementing these recommendations will improve the accuracy, objectivity and reliability of the process of creating modern information security systems.
Keywords: critical information infrastructure, categorization of critical information infrastructure objects, significance criteria, information security, information security management system, risks, residual risks