Method of synthesizing the structure of an information security management system

DOI:

https://doi.org/10.18372/2225-5036.26.14966

Keywords:

block, property, relationship, structural element, structure, information security management system, structure diagram, SysML.

Abstract

The requirements, expectations and related constraints of interested parties are treated as the input data for specifying the requirements for an information security management system (ISMS). They are complemented by establishing the internal and external factors that influence, or may influence, the organization's activities. From the requirements specification, a set of interrelated functions with internal and external interfaces is defined. Each function is decomposed, in line with the structural elements of the ISMS, into the functions of subsystems, complexes and components. This shows that defining the structural elements and the functions inherent in them is not sufficient on its own: the essence of the ISMS must also be clarified with regard to the needs, goals, processes and structure of the organization. The ISMS is therefore considered as a set of subsystems, complexes and components together with the relationships between them; taken together, these form the structure of the ISMS. To represent it, diagrams in the SysML graphical notation are used, in which the structural elements are shown as blocks, i.e. modular units, so that the ISMS is represented by a tree of modular units. Their characteristics are defined by properties, among which two special classes stand out: ports and constraints. Using them focuses attention on the restrictions on, and the features of, the interaction of blocks with one another, while the features of that interaction are captured by the types of relationships. Synthesizing the structure of the ISMS thus determines its structural elements (subsystems, complexes, components) and the relationships between them.
On this basis, the properties of the system can be set for specific development options, demonstrating possible ways of achieving its goal: in particular, ensuring the confidentiality, integrity and availability of information in the organization by means of risk assessment. This ensures that the ISMS achieves its planned outcomes, first of all by giving interested parties confidence that risks are properly managed at an acceptable level.
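As an added illustration (not code from the paper or its authors), the following Python sketch encodes the structure described in the abstract as a SysML-style tree of blocks with ports, a constraint on composition levels, and connectors as relationships, and then runs the consistency checks a reviewer would want on a synthesized ISMS structure: the composition really is a tree, every connector joins compatible ports, and every function from the requirements specification is allocated to a component. All block, port and function names in the sample model are constructed for illustration and are not taken from the paper.

```python
"""Added example: an ISMS structure as a SysML-style block tree, with
consistency checks on the synthesized structure. All names are constructed."""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Port:
    """SysML port: the property through which a block interacts with others."""
    name: str
    direction: str  # "in" or "out"
    flow_type: str  # what crosses the interface, e.g. "RiskRegister"


@dataclass
class Block:
    """SysML block: a modular unit (system, subsystem, complex or component)."""
    name: str
    kind: str  # "system", "subsystem", "complex" or "component"
    functions: tuple[str, ...] = ()  # functions allocated to this block
    ports: tuple[Port, ...] = ()
    parts: list[Block] = field(default_factory=list)  # composition: whole -> part


@dataclass(frozen=True)
class Connector:
    """Relationship joining an out-port of one block to an in-port of another."""
    src_block: str
    src_port: str
    dst_block: str
    dst_port: str


# Constraint on composition: a part must sit strictly below its whole.
LEVEL = {"system": 0, "subsystem": 1, "complex": 2, "component": 3}


def check_structure(root: Block, connectors: list[Connector],
                    required: set[str]) -> list[str]:
    """Return a list of findings; an empty list means the structure is consistent."""
    findings: list[str] = []
    blocks: dict[str, Block] = {}
    owner: dict[str, str] = {}

    # 1. Composition must be a tree: one owner per block, no cycles, levels descend.
    def visit(block: Block, parent: str) -> None:
        if block.name in blocks:
            findings.append(f"'{block.name}' is owned by both '{owner[block.name]}' and '{parent}'")
            return  # also stops the recursion on a cycle
        blocks[block.name], owner[block.name] = block, parent
        for part in block.parts:
            if LEVEL[part.kind] <= LEVEL[block.kind]:
                findings.append(f"{part.kind} '{part.name}' cannot be a part of {block.kind} '{block.name}'")
            visit(part, block.name)

    visit(root, "<root>")

    # 2. Every connector must join an existing out-port to an existing in-port
    #    that carries the same flow type.
    for c in connectors:
        src, dst = blocks.get(c.src_block), blocks.get(c.dst_block)
        sp = next((p for p in src.ports if p.name == c.src_port), None) if src else None
        dp = next((p for p in dst.ports if p.name == c.dst_port), None) if dst else None
        if sp is None or dp is None:
            findings.append(f"connector {c} references an unknown block or port")
        elif sp.direction != "out" or dp.direction != "in":
            findings.append(f"connector {c} must run from an out-port to an in-port")
        elif sp.flow_type != dp.flow_type:
            findings.append(f"flow type mismatch on {c.src_block}.{c.src_port} -> "
                            f"{c.dst_block}.{c.dst_port}: {sp.flow_type} vs {dp.flow_type}")

    # 3. Every function from the requirements specification must be allocated to a
    #    component, and no component may carry a function that nobody required.
    allocated = {f for b in blocks.values() if b.kind == "component" for f in b.functions}
    for f in sorted(required - allocated):
        findings.append(f"required function '{f}' is not allocated to any component")
    for f in sorted(allocated - required):
        findings.append(f"component function '{f}' traces to no requirement")
    return findings


def build_example() -> tuple[Block, list[Connector], set[str]]:
    """Constructed ISMS fragment (hypothetical names): risk management and evaluation."""
    assess = Block("Risk assessment", "complex",
                   ports=(Port("risk_out", "out", "RiskRegister"),),
                   parts=[Block("Asset identification", "component", ("identify assets",)),
                          Block("Risk analysis", "component", ("analyse risks", "evaluate risks"))])
    treat = Block("Risk treatment", "complex",
                  ports=(Port("risk_in", "in", "RiskRegister"),),
                  parts=[Block("Treatment planning", "component", ("select controls", "plan treatment"))])
    risk_mgmt = Block("Risk management", "subsystem", parts=[assess, treat])
    evaluation = Block("Performance evaluation", "subsystem",
                       parts=[Block("Internal audit", "component", ("audit ISMS",))])
    root = Block("ISMS", "system", parts=[risk_mgmt, evaluation])
    connectors = [Connector("Risk assessment", "risk_out", "Risk treatment", "risk_in")]
    required = {"identify assets", "analyse risks", "evaluate risks",
                "select controls", "plan treatment", "audit ISMS"}
    return root, connectors, required


def build_broken_example() -> tuple[Block, list[Connector], set[str]]:
    """Same model with two deliberate defects: a mismatched interface and an unallocated function."""
    root, connectors, required = build_example()
    evaluation = root.parts[1]
    evaluation.ports = (Port("audit_in", "in", "AuditReport"),)
    connectors.append(Connector("Risk assessment", "risk_out", "Performance evaluation", "audit_in"))
    return root, connectors, required | {"management review"}


if __name__ == "__main__":
    for builder in (build_example, build_broken_example):
        print(builder.__name__, check_structure(*builder()) or "consistent")
```

Running the module prints an empty finding list for the consistent model and two findings for the defective one (the `RiskRegister` vs `AuditReport` flow-type mismatch and the unallocated `management review` function). The checks are the ones this example adds; the paper itself describes the modelling elements, not these particular rules.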

References

ISO/IEC 27001:2013, Information technology. Security techniques. Information security management systems. Requirements. [Electronic resource]. URL: https://www.iso.org/standard/54534.html.

ISO/IEC/IEEE 24748-4:2016, Systems and software engineering. Life cycle management. Part 4: Systems engineering planning. [Electronic resource]. URL: https://www.iso.org/standard/56887.html.

V. Mokhor, V. Tsurkan, "Structural elements of an information security management system", Problems of Cybersecurity of Information and Telecommunication Systems: Proceedings of the International Scientific and Practical Conference, Kyiv, 12 June 2020, pp. 332–334, 2020 (in Ukrainian).

I. Prangishvili, Systems Approach and System-Wide Regularities. Series "Systems and Control Problems", Moscow: SINTEG, 2000, 528 p. (in Russian).

A. Antonov, Systems Analysis, Moscow: Vysshaya Shkola, 2004, 454 p. (in Russian).

K. Beckers, M. Heisel, B. Solhaug, K. Stolen, "ISMS-CORAS: A Structured Method for Establishing an ISO 27001 Compliant Information Security Management System", Engineering Secure Future Internet Services and Systems: Lecture Notes in Computer Science, vol. 8431, Springer, Cham, pp. 315–344, 2014. DOI: 10.1007/978-3-319-07452-8_13.

A. Suhaimi, D. Bao, H. Chen, J. Cheng, "Usefulness of ISMEE for Supporting Organizations with ISMSs", Computer Science and its Applications: Lecture Notes in Electrical Engineering, vol. 330, Springer, Berlin, Heidelberg, pp. 1331–1336, 2015. DOI: 10.1007/978-3-662-45402-2_185.

A. Aginsa, I. Edward Matheus, W. Shalannanda, "Enhanced information security management system framework design using ISO 27001 and Zachman framework – A study case of XYZ company", Wireless and Telematics (ICWT): 2nd International Conference, Yogyakarta, 1–2 Aug. 2016, pp. 62–66, 2016. DOI: 10.1109/ICWT.2016.7870853.

V. Sirotyuk, "Models, methods and tools for developing and implementing an effective information security management system for a patent office", Naukovedenie, vol. 9, no. 6, pp. 1–19, 2017 (in Russian).

D. Proença, J. Borbinha, "Information Security Management Systems – A Maturity Model Based on ISO/IEC 27001", Business Information Systems. BIS 2018: Lecture Notes in Business Information Processing, vol. 320, Springer, Cham, pp. 102–114, 2018. DOI: 10.1007/978-3-319-93931-5_8.

S. Mortazavi, F. Safi-Esfahani, "A checklist based evaluation framework to measure risk of information security management systems", International Journal of Information Technology, vol. 11, iss. 3, pp. 517–534, 2019. DOI: 10.1007/s41870-019-00302-0.

V. Selifanov, R. Meshcheryakov, "Methodology for forming admissible variants of the organizational composition and structure of an automated information security management system", Modeling, Optimization and Information Technology, vol. 8, iss. 1, pp. 1–13, 2020. DOI: 10.26102/2310-6018/2020.28.1.001 (in Russian).

ISO/IEC 27005:2018, Information technology. Security techniques. Information security risk management. [Electronic resource]. URL: https://www.iso.org/ru/standard/75281.html.

V. Tsurkan, "Method of functional analysis of information security management systems", Cybersecurity: Education, Science, Technique, vol. 4, no. 8, pp. 192–201, 2020. DOI: 10.28925/2663-4023.2020.8.192201 (in Ukrainian).

OMG Systems Modeling Language (OMG SysML™), version 1.6. [Electronic resource]. URL: https://sysml.org/res/docs/specs/OMGSysML-v1.6-19-11-01.pdf.

A. Moore, R. Steiner, A Practical Guide to SysML. The Systems Modeling Language, Waltham: Elsevier, 2015, 640 p.

Model based systems engineering with Sparx Systems Enterprise Architect. [Electronic resource]. URL: https://sparxsystems.com/resources/user-guides/.

A. Leonenkov, UML 2 Self-Study Guide, St. Petersburg: BHV-Peterburg, 2007, 576 p. (in Russian).

Unified Modeling Language® (OMG UML®), version 2.5.1. [Electronic resource]. URL: https://www.omg.org/spec/UML/2.5.1/PDF.

ISO Guide 73:2009, Risk management. Vocabulary. [Electronic resource]. URL: https://www.iso.org/standard/44651.html.

Published

2023-02-24

Section

Information Security Management