Conceptual basis of description for the information security management system architecture

DOI: https://doi.org/10.20535/2411-1031.2019.7.2.190569

Keywords:

Information security management system, system architecture, system architecture description, architectural representation, architecture model, model kind.

Abstract

The problems of developing an information security management system in an organization are considered, and the conceptual basis for describing its architecture is presented. The basic concepts of the information security management system architecture are disclosed through its context. The context of the architecture description is represented by its main elements: the parties involved, the purpose, the information security management system itself, the environment, the architecture, and the architecture description. The parties involved have an interest in the system, driven by the need to maintain the confidentiality, integrity and availability of the organization's information assets. Accordingly, the purpose is to develop a designated system focused on providing information security at an acceptable level of risk. The organization is interpreted as the environment in which the information security management system operates; the environment determines the influences on the system over its life cycle, taking into account the interaction of the system with its environment. The architecture reflects what is essential about the information security management system, and the architecture description is the means of expressing the architecture of the designated system. The architecture is expressed by architectural views, each presenting the architecture from a particular viewpoint. A view is characterized by two aspects: a structured representation of the interests of the parties involved, and a structured representation of the features of the architecture. An architectural view of the information security management system is made up of architecture models; each model describes features of the designated system's architecture with regard to the interests of the parties involved, and each model is governed by a model kind that determines how those features are represented. Relationships between the elements of the architecture description are expressed as links (correspondences), whose use makes it possible to represent how the architecture relates to each interest within its description. Thus, this conceptual basis for describing the information security management system architecture makes it possible both to develop the system and to justify its development, taking into account the interests of the organization and of the parties involved.
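As an added illustration, not part of the paper, the context elements named in the abstract (parties involved and their interests, viewpoints, views, models and model kinds) can be encoded and checked for consistency. The ISMS data, the interest names and the viewpoint names below are constructed assumptions; the checks apply the ISO/IEC 42010 rules that every interest is framed by at least one viewpoint, every view is governed by a declared viewpoint, and a view's models use only the model kinds of that viewpoint.

```python
from collections import namedtuple

# Context elements of the architecture description (names follow the abstract / ISO/IEC 42010).
Stakeholder = namedtuple("Stakeholder", "name concerns")        # party involved and its interests
Viewpoint = namedtuple("Viewpoint", "name frames model_kinds")   # frames interests, fixes allowed model kinds
Model = namedtuple("Model", "name kind")                         # architecture model governed by one model kind
View = namedtuple("View", "name viewpoint models")               # architectural view governed by one viewpoint
ArchitectureDescription = namedtuple("ArchitectureDescription", "stakeholders viewpoints views")


def check_description(ad: ArchitectureDescription) -> list:
    """Return the consistency problems found in the description (empty list = consistent)."""
    problems, vps = [], {vp.name: vp for vp in ad.viewpoints}
    framed = set().union(*(vp.frames for vp in ad.viewpoints))
    for s in ad.stakeholders:                        # every interest must be framed by some viewpoint
        for c in sorted(set(s.concerns) - framed):
            problems.append(f"concern '{c}' of {s.name} is framed by no viewpoint")
    for v in ad.views:                               # every view is governed by a declared viewpoint
        vp = vps.get(v.viewpoint)
        if vp is None:
            problems.append(f"view '{v.name}' has unknown viewpoint '{v.viewpoint}'")
            continue
        for m in v.models:                           # each model must use a model kind of that viewpoint
            if m.kind not in vp.model_kinds:
                problems.append(f"model '{m.name}' uses kind '{m.kind}' not allowed by '{vp.name}'")
    for vp in ad.viewpoints:                         # a viewpoint with no view expresses nothing
        if not any(v.viewpoint == vp.name for v in ad.views):
            problems.append(f"viewpoint '{vp.name}' has no view")
    return problems


def example_isms_ad(frame_availability: bool = True) -> ArchitectureDescription:
    """Constructed ISMS description (assumed data). With frame_availability=False the
    availability interest is left unframed, so check_description() reports the gap."""
    frames = {"confidentiality", "integrity"} | ({"availability"} if frame_availability else set())
    ciso = Stakeholder("CISO", {"confidentiality", "integrity", "availability", "acceptable risk"})
    viewpoints = [Viewpoint("asset protection", frames, {"asset-control matrix"}),
                  Viewpoint("risk", {"acceptable risk"}, {"risk register", "treatment plan"})]
    views = [View("asset protection view", "asset protection",
                  [Model("controls per asset", "asset-control matrix")]),
             View("risk view", "risk", [Model("ISMS risk register", "risk register")])]
    return ArchitectureDescription([ciso], viewpoints, views)


if __name__ == "__main__":
    for problem in check_description(example_isms_ad(frame_availability=False)):
        print(problem)
```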

Author Biographies

Volodymyr Mokhor, Pukhov Institute for Modeling in Energy Engineering of the National Academy of Sciences of Ukraine, Kyiv,

corresponding member of the National Academy of Sciences of Ukraine, doctor of technical sciences, professor, director

Vasyl Tsurkan, Institute of Special Communication and Information Protection of the National Technical University of Ukraine “Igor Sikorsky Kyiv Polytechnic Institute”, Kyiv,

candidate of technical sciences, associate professor, associate professor at the Cybersecurity and Application of Information Systems and Technologies academic department

How to Cite

Mokhor, V., & Tsurkan, V. (2019). Conceptual basis of description for the information security management system architecture. Information Technology and Security, 7(2), 197–207. https://doi.org/10.20535/2411-1031.2019.7.2.190569

Section

INFORMATION SECURITY RISK MANAGEMENT