一类自动化系统的信息安全风险评估方法

I. Litvinchuk, Ruslan Korchomnyi, Nataliia Korshun, Maksym Vorokhob
{"title":"一类自动化系统的信息安全风险评估方法","authors":"I. Litvinchuk, Ruslan Korchomnyi, Nataliia Korshun, Maksym Vorokhob","doi":"10.28925/2663-4023.2020.10.98112","DOIUrl":null,"url":null,"abstract":"The article is devoted to the assessment of information security risks in automated systems of class \"1\". An adapted approach to the assessment of information security risks in such automated systems using the Methodology and requirements of the standards of GSTU SUIB 1.0 / ISO / IEC 27001: 2010 and GSTU SUIB 2.0 / ISO / IEC 27002: 2010 is proposed. The efficiency and methods of implementation of the approach are proved on the example of consideration of real threats and vulnerabilities of class 1 automated systems. The main requirement for the creation of information security management system in the organization is risk assessment and identification of threats to information resources that are processed in information and telecommunications systems and speakers. The basic standards on information security in Ukraine are considered, which give general recommendations for the construction and assessment of information security risks within the ISMS. The most common methods and methodologies for assessing information security risks of international standard are analyzed, their advantages and disadvantages are identified. The order of carrying out of works on an estimation of risks of information security of the AS of a class \"1\" is defined. The vulnerabilities considered by the expert according to the standard ISO/IEC 27002:2005 and the Methodology are given. A conditional scale for determining the impact on the implementation of threats to integrity, accessibility, observation is given. Measures and means of counteracting the emergence of threats are proposed. This approach can be used both for direct information risk assessment and for educational purposes. It allows to get the final result regardless of the experience and qualifications of the specialist who conducts risk assessment, with the subsequent implementation and improvement of the existing risk management system in the organization.","PeriodicalId":198390,"journal":{"name":"Cybersecurity: Education, Science, Technique","volume":null,"pages":null},"PeriodicalIF":0.0000,"publicationDate":"1900-01-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"2","resultStr":"{\"title\":\"APPROACH TO INFORMATION SECURITY RISK ASSESSMENT FOR A CLASS «1» AUTOMATED SYSTEM\",\"authors\":\"I. Litvinchuk, Ruslan Korchomnyi, Nataliia Korshun, Maksym Vorokhob\",\"doi\":\"10.28925/2663-4023.2020.10.98112\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"The article is devoted to the assessment of information security risks in automated systems of class \\\"1\\\". An adapted approach to the assessment of information security risks in such automated systems using the Methodology and requirements of the standards of GSTU SUIB 1.0 / ISO / IEC 27001: 2010 and GSTU SUIB 2.0 / ISO / IEC 27002: 2010 is proposed. The efficiency and methods of implementation of the approach are proved on the example of consideration of real threats and vulnerabilities of class 1 automated systems. The main requirement for the creation of information security management system in the organization is risk assessment and identification of threats to information resources that are processed in information and telecommunications systems and speakers. The basic standards on information security in Ukraine are considered, which give general recommendations for the construction and assessment of information security risks within the ISMS. The most common methods and methodologies for assessing information security risks of international standard are analyzed, their advantages and disadvantages are identified. The order of carrying out of works on an estimation of risks of information security of the AS of a class \\\"1\\\" is defined. The vulnerabilities considered by the expert according to the standard ISO/IEC 27002:2005 and the Methodology are given. A conditional scale for determining the impact on the implementation of threats to integrity, accessibility, observation is given. Measures and means of counteracting the emergence of threats are proposed. This approach can be used both for direct information risk assessment and for educational purposes. It allows to get the final result regardless of the experience and qualifications of the specialist who conducts risk assessment, with the subsequent implementation and improvement of the existing risk management system in the organization.\",\"PeriodicalId\":198390,\"journal\":{\"name\":\"Cybersecurity: Education, Science, Technique\",\"volume\":null,\"pages\":null},\"PeriodicalIF\":0.0000,\"publicationDate\":\"1900-01-01\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"2\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"Cybersecurity: Education, Science, Technique\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.28925/2663-4023.2020.10.98112\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"Cybersecurity: Education, Science, Technique","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.28925/2663-4023.2020.10.98112","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
引用次数: 2

摘要

本文对“1”类自动化系统的信息安全风险进行了评估。提出了一种采用GSTU sub 1.0 / ISO / IEC 27001: 2010和GSTU sub 2.0 / ISO / IEC 27002: 2010标准的方法和要求来评估此类自动化系统中的信息安全风险的适应方法。通过考虑一类自动化系统的真实威胁和漏洞的实例,证明了该方法的有效性和实现方法。组织建立信息安全管理体系的主要要求是对在信息和电信系统中处理的信息资源的威胁进行风险评估和识别。考虑了乌克兰信息安全的基本标准,为ISMS内信息安全风险的构建和评估提供了一般建议。分析了国际标准中评估信息安全风险最常用的方法和方法,指出了它们的优缺点。定义了“1”级AS的信息安全风险评估工作的执行顺序。给出了专家根据ISO/IEC 27002:2005标准所考虑的漏洞和方法。给出了一个有条件的尺度,用于确定对完整性、可及性、可观察性的威胁的实施影响。提出了应对威胁出现的措施和手段。这种方法既可用于直接信息风险评估,也可用于教育目的。它允许无论进行风险评估的专家的经验和资格如何,都能得到最终结果,并随后在组织内实施和改进现有的风险管理体系。
本文章由计算机程序翻译,如有差异,请以英文原文为准。
APPROACH TO INFORMATION SECURITY RISK ASSESSMENT FOR A CLASS «1» AUTOMATED SYSTEM
The article is devoted to the assessment of information security risks in automated systems of class "1". An adapted approach to the assessment of information security risks in such automated systems using the Methodology and requirements of the standards of GSTU SUIB 1.0 / ISO / IEC 27001: 2010 and GSTU SUIB 2.0 / ISO / IEC 27002: 2010 is proposed. The efficiency and methods of implementation of the approach are proved on the example of consideration of real threats and vulnerabilities of class 1 automated systems. The main requirement for the creation of information security management system in the organization is risk assessment and identification of threats to information resources that are processed in information and telecommunications systems and speakers. The basic standards on information security in Ukraine are considered, which give general recommendations for the construction and assessment of information security risks within the ISMS. The most common methods and methodologies for assessing information security risks of international standard are analyzed, their advantages and disadvantages are identified. The order of carrying out of works on an estimation of risks of information security of the AS of a class "1" is defined. The vulnerabilities considered by the expert according to the standard ISO/IEC 27002:2005 and the Methodology are given. A conditional scale for determining the impact on the implementation of threats to integrity, accessibility, observation is given. Measures and means of counteracting the emergence of threats are proposed. This approach can be used both for direct information risk assessment and for educational purposes. It allows to get the final result regardless of the experience and qualifications of the specialist who conducts risk assessment, with the subsequent implementation and improvement of the existing risk management system in the organization.
求助全文
通过发布文献求助,成功后即可免费获取论文全文。 去求助
来源期刊
自引率
0.00%
发文量
0
×
引用
GB/T 7714-2015
复制
MLA
复制
APA
复制
导出至
BibTeX EndNote RefMan NoteFirst NoteExpress
×
提示
您的信息不完整,为了账户安全,请先补充。
现在去补充
×
提示
您因"违规操作"
具体请查看互助需知
我知道了
×
提示
确定
请完成安全验证×
copy
已复制链接
快去分享给好友吧!
我知道了
右上角分享
点击右上角分享
0
联系我们:info@booksci.cn Book学术提供免费学术资源搜索服务,方便国内外学者检索中英文文献。致力于提供最便捷和优质的服务体验。 Copyright © 2023 布克学术 All rights reserved.
京ICP备2023020795号-1
ghs 京公网安备 11010802042870号
Book学术文献互助
Book学术文献互助群
群 号:481959085
Book学术官方微信