METHODOLOGY FOR DEVELOPMENT INFORMATION SECURITY MANAGEMENT SYSTEMS

Authors

DOI:

https://doi.org/10.18372/2410-7840.23.16766

Keywords:

information security management system, development methodology, information security management system quality, architecture functional suitability, system approach, model-based systems engineering, systems modeling language

Abstract

The construction of information security management systems (ISMS) as a proactive measure for preserving the confidentiality, integrity, and availability of information is investigated. It is shown that a precondition for their implementation in organizations is the definition of the external and internal context. Primarily, this concerns establishing the boundaries within which the ISMS is constructed and its interactions with other systems and/or organizations. In addition, the external and internal stakeholders, together with their needs, expectations, and constraints, are identified. This confirms the relevance and necessity of developing a methodology for the development of ISMS. An analysis of recent studies and publications establishes their characteristic limitations. These limitations are overcome by considering the technical processes of the ISMS lifecycle. Accordingly, the development of an ISMS is reduced to requirements analysis, function analysis, and architecture synthesis. It is proposed to establish the compliance of the synthesized architecture with the needs, expectations, and constraints of stakeholders by synthesizing its behavior. Given this, it is proposed to evaluate the quality of the synthesized architecture by its functional suitability. This choice is primarily due to its consistency with the ISO/IEC 27k series of international standards and, as a result, the ability to assess the degree to which the needs, expectations, and constraints of stakeholders are satisfied when the ISMS functions are implemented on a synthesized variant of the architecture in organizations. The formulated tasks are performed using a developed model-based systems approach.
Therefore, the developed methodology for the development of ISMS is implemented in five stages: requirements analysis, function analysis, architecture synthesis, behavior synthesis, and evaluation of the functional suitability of the synthesized architecture. This ensures that the needs, expectations, and constraints of stakeholders regarding the preservation of the confidentiality, integrity, and availability of information in organizations are fulfilled. In addition, it becomes possible to synthesize alternative architecture variants and to choose the best of them when designing an ISMS.
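The last stage of the methodology, evaluating alternative architecture variants by functional suitability, can be illustrated with a small traceability model. The following Python script is an added example written for this page; it is not code from the paper or its authors. It assumes a simple interpretation of functional suitability as priority-weighted functional completeness (the share of stakeholder requirements covered by at least one ISMS function that is allocated to an architecture element), and all requirements, functions, elements, and priorities in it are constructed sample data.

```python
"""Score alternative ISMS architectures by functional completeness.

Added example, not code from the paper. Traces stakeholder requirements ->
ISMS functions -> architecture elements and ranks architecture variants by
the priority-weighted share of requirements they cover. The metric and the
sample data below are assumptions made for this illustration.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Requirement:
    rid: str
    text: str          # a stakeholder need, expectation or constraint
    priority: int = 1  # weight of this requirement in the completeness score


@dataclass(frozen=True)
class Function:
    fid: str
    satisfies: frozenset  # ids of the requirements this ISMS function covers


@dataclass
class Architecture:
    name: str
    # element name -> ids of the functions allocated to that element
    allocation: dict = field(default_factory=dict)


def allocated_functions(arch):
    """All function ids allocated to any element of the architecture."""
    return set().union(*arch.allocation.values()) if arch.allocation else set()


def covered_requirements(funcs, arch):
    """Requirement ids covered by at least one allocated function."""
    fn_by_id = {f.fid: f for f in funcs}
    covered = set()
    for fid in allocated_functions(arch):
        if fid not in fn_by_id:  # allocation refers to a function that function analysis never defined
            raise ValueError(f"{arch.name}: allocates unknown function {fid!r}")
        covered |= fn_by_id[fid].satisfies
    return covered


def functional_completeness(reqs, funcs, arch):
    """Priority-weighted share of requirements the architecture covers, in [0, 1]."""
    covered = covered_requirements(funcs, arch)
    total = sum(r.priority for r in reqs)
    met = sum(r.priority for r in reqs if r.rid in covered)
    return met / total if total else 0.0


def uncovered_requirements(reqs, funcs, arch):
    """Requirements no allocated function satisfies: gaps to report to stakeholders."""
    return {r.rid for r in reqs} - covered_requirements(funcs, arch)


def unallocated_functions(funcs, arch):
    """Functions from function analysis that the architecture never realizes."""
    return {f.fid for f in funcs} - allocated_functions(arch)


def rank_architectures(reqs, funcs, archs):
    """Best-first ordering of architecture variants by functional completeness."""
    return sorted(archs, key=lambda a: functional_completeness(reqs, funcs, a), reverse=True)


# Constructed sample data (assumed for the example, not taken from the paper).
REQS = [
    Requirement("R1", "customer records stay confidential", 3),
    Requirement("R2", "audit logs cannot be altered undetected", 2),
    Requirement("R3", "customer portal is restorable within 4 h", 2),
    Requirement("R4", "constraint: customer data is stored only in approved locations", 1),
]
FUNCS = [
    Function("F1", frozenset({"R1"})),  # access control
    Function("F2", frozenset({"R2"})),  # log integrity protection
    Function("F3", frozenset({"R3"})),  # backup and restore
    Function("F4", frozenset({"R4"})),  # data residency control
]
ARCH_A = Architecture("on_prem", {"iam": {"F1"}, "siem": {"F2"}, "dr_site": {"F3"}, "storage": {"F4"}})
ARCH_B = Architecture("cloud_minimal", {"iam": {"F1"}, "siem": {"F2"}})


if __name__ == "__main__":
    for arch in rank_architectures(REQS, FUNCS, [ARCH_B, ARCH_A]):
        print(f"{arch.name:14s} completeness={functional_completeness(REQS, FUNCS, arch):.3f} "
              f"uncovered={sorted(uncovered_requirements(REQS, FUNCS, arch))} "
              f"unallocated={sorted(unallocated_functions(FUNCS, arch))}")
```

The two gap reports matter as much as the score: an uncovered requirement is a stakeholder need the variant cannot satisfy, and an unallocated function is work from function analysis that the synthesized architecture silently drops. In a real SysML model the same check is a query over the requirement-satisfy and allocation relationships rather than over Python dictionaries.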

Published

2022-08-01