What is a modern information security management system. Modern standards in the field of information security using the concept of risk management. Goals and objectives of the study

Current edition as of 27.12.2006

Document name: "INFORMATION TECHNOLOGY. METHODS AND MEANS OF ENSURING SECURITY. MANAGEMENT SYSTEMS OF INFORMATION SECURITY. REQUIREMENTS. GOST R ISO/IEC 27001-2006" (approved by Order of Rostekhregulirovanie dated 27.12.2006 N 375-st)
Document type: order, standard, GOST, ISO
Issuing body: Rostekhregulirovanie
Document number: ISO/IEC 27001-2006
Date of revision: 27.12.2006
Status: in force
Publication: at the time of inclusion in the database, the document had not been published

"INFORMATION TECHNOLOGY. METHODS AND MEANS OF ENSURING SECURITY. MANAGEMENT SYSTEMS OF INFORMATION SECURITY. REQUIREMENTS. GOST R ISO / IEC 27001-2006" (approved by Order of Rostekhregulirovanie dated 27.12.2006 N 375-st)

8. Improvement of the information security management system

8.1. Continuous improvement

The organization shall continually improve the effectiveness of the ISMS through the use of the information security policy, information security objectives, audit results, analysis of monitored events, corrective and preventive actions, and management review (see Clause 7).

8.2. Corrective action

The organization shall take action to eliminate the causes of nonconformities with the ISMS requirements in order to prevent their recurrence. The documented procedure for corrective action shall define requirements for:

a) identifying nonconformities;

b) determining the causes of nonconformities;

c) evaluating the need for action to ensure that nonconformities do not recur;

d) determining and implementing the corrective action needed;

e) recording the results of the action taken (see 4.3.3);

f) reviewing the corrective action taken.

8.3. Preventive action

The organization shall determine the action necessary to eliminate the causes of potential nonconformities with the ISMS requirements in order to prevent their occurrence. Preventive actions taken shall be appropriate to the impact of the potential problems. The documented procedure for preventive action shall define requirements for:

a) identifying potential nonconformities and their causes;

b) evaluating the need for action to prevent the occurrence of nonconformities;

c) determining and implementing the preventive action needed;

d) recording the results of the action taken (see 4.3.3);

e) reviewing the preventive action taken.

The organization shall identify changed risks and identify preventive action requirements, focusing attention on significantly changed risks.

The priority of preventive actions shall be determined based on the results of the risk assessment.

NOTE Action to prevent nonconformities is often more cost-effective than corrective action.


Posted on http://www.allbest.ru/

"Information Security Management System"

Keywords: management, international standard

Introduction

An information security management system is a set of processes that work in a company to ensure the confidentiality, integrity and availability of information assets. The first part of the essay examines the process of implementing a management system in an organization, and also provides the main aspects of the benefits of implementing an information security management system.

Fig. 1. Control cycle

The list of processes, and recommendations on how best to organize their operation, are given in the international standard ISO 27001:2005, which is based on the Plan-Do-Check-Act management cycle. According to it, the life cycle of an ISMS consists of four kinds of activity: establishing the ISMS, implementing and operating it, monitoring and reviewing it, and maintaining and improving it (Fig. 1). The standard is discussed in more detail in the second part.

Information security management system

The information security management system (ISMS) is that part of the overall management system which, based on a business risk approach, establishes, implements, operates, monitors, reviews, maintains and improves information security. ISMS processes are designed in accordance with the requirements of ISO/IEC 27001:2005, which is built on the Plan-Do-Check-Act cycle.

The work of the system is based on the approaches of the modern theory of management risks, which ensures its integration into the overall risk management system of the organization.

Implementing an information security management system means developing and putting into operation a procedure for the systematic identification, analysis and mitigation of information security risks, that is, risks whose realization causes information assets (information in any form and of any nature) to lose confidentiality, integrity or availability.

To mitigate information security risks systematically, based on the results of the risk assessment, the following processes are implemented in the organization:

· Management of the internal organization of information security.

· Ensuring information security when interacting with third parties.

· Management of the register of information assets and the rules for their classification.

· Equipment security management.

· Ensuring physical security.

· Ensuring personnel security.

· Planning and acceptance of information systems.

· Backup.

· Network security.

Information security management system processes affect all aspects of the organization's IT infrastructure management, since information security is the result of the sustainable functioning of information technology-related processes.

When building an ISMS in a company, specialists carry out the following work:

· Organize project management and form a project team with members from both the customer and the contractor;

· Define the scope of the ISMS;

· Survey the organization within the ISMS scope:

o in terms of its business processes, including an analysis of the negative consequences of information security incidents;

o in terms of its management processes, including the existing quality management and information security management processes;

o in terms of its IT infrastructure;

o in terms of its information security infrastructure.

· Develop and agree an analytical report containing a list of the main business processes with an assessment of the consequences of information security threats being realized against them, a list of management processes, IT systems and information security subsystems (ISS), an assessment of the degree to which the organization meets all ISO 27001 requirements, and an assessment of the maturity of the organization's processes;

· Select the initial and target ISMS maturity levels, develop and approve an ISMS maturity improvement programme, and develop the high-level information security documentation:

o the information security concept,

o the IS and ISMS policies;

· Select and adapt the risk assessment methodology applicable in the organization;

· Select, supply and deploy software used to automate ISMS processes, and organize training for company specialists;

· Assess and treat risks; in the course of this, controls from Annex A of ISO 27001 are selected to reduce the risks, requirements for their implementation in the organization are formulated, and technical information security tools are pre-selected;

· Develop draft designs for the information security subsystems and assess the cost of risk treatment;

· Arrange for approval of the risk assessment by the organization's top management and develop the Statement of Applicability; develop organizational measures to ensure information security;

· Develop and implement technical projects for the information security subsystems that support the selected controls, including supply of equipment, commissioning, development of operational documentation and user training;

· Provide consultations during operation of the constructed ISMS;

· Train internal auditors and conduct internal ISMS audits.

The result of these works is a functioning ISMS. Benefits from the implementation of an ISMS in a company are achieved through:

· Effective management of compliance with legal requirements and business requirements in the field of information security;

· Prevention of IS incidents and damage reduction in case of their occurrence;

· Increasing the culture of information security in the organization;

· Increasing maturity in the field of information security management;

· Optimization of spending on information security.

ISO/IEC 27001: the international standard on information security

This standard was developed jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). It contains the requirements for establishing, developing and maintaining an ISMS. ISO 27001 specifies requirements that an ISMS must meet to demonstrate the organization's ability to protect its information assets. The standard interprets "information security" as the preservation of the confidentiality, integrity and availability of information. Its basis is the information risk management system. The standard can also be used to assess conformity by interested internal and external parties.

To establish, implement, operate, monitor, review, maintain and improve the ISMS, the standard adopts a process approach: the application of a system of processes within the organization, together with the identification of these processes and their interactions, and their management.

The international standard adopts the Plan-Do-Check-Act (PDCA) model, which is also called the Shewhart-Deming cycle. This cycle is used to structure all ISMS processes. Figure 2 shows how the ISMS takes information security requirements and stakeholder expectations as inputs and through the necessary actions and processes produces information security outcomes that meet those requirements and expectations.

Plan is the phase of establishing the ISMS: compiling the asset inventory, assessing risks and selecting controls.

Figure 2. PDCA model applied to ISMS processes

Do is the phase of implementing and operating the selected controls.

Check is the phase of evaluating the effectiveness and performance of the ISMS, usually carried out by internal auditors.

Act is the phase of taking corrective and preventive actions.

Conclusions

ISO 27001 describes a general model for implementing and operating an ISMS and for the actions that monitor and improve it. ISO intends to harmonize its various management system standards, such as ISO 9001:2000 for quality management and ISO 14001:2004 for environmental management systems. The goal is consistency and integration of the ISMS with the other management systems in the company. The similarity of the standards allows similar tools and functions to be used for implementation, management, review, verification and certification. The implication is that a company which has already implemented other management standards can use a unified audit and management system applicable to quality management, environmental management, information security management and so on. By implementing an ISMS, senior management gains the means to monitor and manage security, which reduces residual business risk. After implementing an ISMS, the company can formally assure the security of its information and continue to comply with the requirements of customers, legislation, regulators and shareholders.

It should be noted that Russian Federation legislation includes the document GOST R ISO/IEC 27001-2006, which is a translated version of the international standard ISO 27001.



Introduction

Both fast-growing companies and the giants of their segment are interested in making a profit and protecting themselves from intruders. Where theft of material assets was once the main danger, today theft is aimed mainly at valuable information. The transfer of a significant share of information into electronic form, and the use of local and global networks, create qualitatively new threats to confidential information.

Banks, management companies and insurance companies are especially sensitive to information leakage. Information protection in an enterprise is a set of measures that ensure the safety of customer and employee data, important electronic documents, and all kinds of information and secrets. Every enterprise is equipped with computers and access to the Internet. Attackers can reach almost every component of this system and use a large arsenal (viruses, malware, password guessing and so on) to steal valuable information. An information security system must be implemented in every organization. Managers need to collect, analyze and categorize all types of information that need protection and apply an appropriate security system. But this alone is not enough: besides the technology there is the human factor, which can just as successfully leak information to competitors. It is important to organize the protection of the enterprise properly at all levels. An information security management system serves this purpose; with it, the manager establishes a continuous process of monitoring the business and ensures a high level of security for its data.

1. Relevance of the topic

For every modern enterprise, company or organization, one of the most important tasks is to ensure information security. When an enterprise reliably protects its information system, it creates a secure environment for its operations. Damage, leakage, loss and theft of information always mean losses for a company. Creating an information security management system in enterprises is therefore a pressing issue today.

2. Goals and objectives of the study

To analyze ways of creating an information security management system in an enterprise, taking into account the specifics of the Donetsk region:

  • analyze the current state of information security management systems in enterprises;
  • identify the reasons for creating and implementing an information security management system in enterprises;
  • develop and implement an information security management system using the example of the enterprise PJSC Donetsk Mine Rescue Equipment Plant;
  • evaluate the effectiveness, efficiency and economic feasibility of introducing an information security management system in the enterprise.

3. Information security management system

Information security is understood as the state of protection of information and supporting infrastructure from accidental or deliberate influences of a natural or artificial nature (information threats, threats to information security) that can cause unacceptable damage to the subjects of information relations.

Availability of information is the property of a system to provide timely and unimpeded access of authorized subjects to the information they need, or to carry out timely information exchange between them.

Integrity of information is a property of information that characterizes its resistance to accidental or deliberate destruction or unauthorized change. Integrity can be divided into static (understood as the immutability of information objects) and dynamic (related to the correct execution of complex actions (transactions)).

Confidentiality of information is the property of information to be known and accessible only to authorized subjects of the system (users, programs, processes). Confidentiality is the most developed aspect of information security in our country.

Information security management system (hereinafter ISMS) is a part of the general management system based on approaches to business risk, intended for the establishment, implementation, management, monitoring, maintenance and improvement of information security.

The main factors affecting the protection of information and data in the enterprise are:

  • Enhancement of the company's cooperation with partners;
  • Business process automation;
  • The tendency to an increase in the volume of information of the enterprise, which is transmitted through available communication channels;
  • The upward trend in computer crimes.

The tasks of the company's information security systems are multifaceted. For example, this is the provision of reliable data storage on various media; protection of information transmitted through communication channels; restricting access to some data; creating backups and more.

A full-fledged information security of a company is real only with the right approach to data protection. In the information security system, it is necessary to take into account all the current threats and vulnerabilities.

One of the most effective instruments of information security management and protection is an information security management system built on the model of ISO/IEC 27001:2005. The standard is based on a process approach to the development, implementation, operation, monitoring, review, maintenance and improvement of the company's ISMS. It consists in creating and applying a system of management processes linked in a continuous cycle of planning, implementation, verification and improvement of the ISMS.

This International Standard has been prepared to provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an ISMS.

The main drivers for implementing an ISMS:

  • legislative: the requirements of current national legislation on information security, and international requirements;
  • competitive: keeping up with the market, prestige, protection of intangible assets, competitive advantage;
  • anti-crime: protection from corporate raiders and white-collar crime, prevention of malicious acts and covert surveillance, collection of evidence for legal proceedings.

The structure of information security documentation is shown in Figure 1.

Figure 1 - The structure of the documentation in the field of information security

4. Building an ISMS

ISO uses the PDCA model for creating an ISMS. ISO applies this model to many of its management system standards, and ISO 27001 is no exception. Following the PDCA model when organizing the management process also allows the same techniques to be reused later for quality management, environmental management, safety management and other areas of management, which reduces costs. PDCA is therefore a sound choice that fully meets the tasks of creating and maintaining an ISMS. In other words, the PDCA stages define how to establish the policies, objectives, processes and procedures appropriate to the risks being managed (Plan), implement and operate them (Do), assess and, where possible, measure process performance against the policy and objectives (Check), and take corrective and preventive actions (Act). Additional concepts, not part of the ISO standards, that can be useful in creating an ISMS are: the target state (to-be), the current state (as-is), and the transition plan.

The basis of ISO 27001 is an information risk management system.

Stages of creating an ISMS

As part of the work on creating an ISMS, the following main stages can be distinguished (Figure 2):

Figure 2 - PDCA model for information security management (animation: 6 frames, 6 repetitions, 246 kilobytes)

5. Information Risk Management

Risk management is considered at the administrative level of information security, since only the management of the organization is able to allocate the necessary resources, initiate and control the implementation of the relevant programs.

The use of information systems is associated with a certain set of risks. When the potential damage is unacceptably large, it is necessary to take economically justifiable measures of protection. Periodic (re) risk assessment is necessary to monitor the effectiveness of security activities and to take account of changes in the environment.

The essence of risk management activities is to assess their size, develop effective and cost-effective measures to mitigate risks, and then ensure that risks are contained within acceptable limits (and remain so).

The risk management process can be divided into the following stages:

  1. The choice of the analyzed objects and the level of detail of their consideration.
  2. Choice of risk assessment methodology.
  3. Identification of assets.
  4. Analysis of threats and their consequences, identification of vulnerabilities in protection.
  5. Risk assessment.
  6. Selection of protective measures.
  7. Implementation and verification of the selected measures.
  8. Residual risk assessment.

Risk management, like any other activity in the field of information security, needs to be integrated into the IS life cycle. Then the effect is greatest, and the costs are minimal.

It is very important to choose a sound risk assessment methodology. The purpose of the assessment is to answer two questions: are the existing risks acceptable, and if not, which protective measures should be used. This means that the assessment should be quantitative, allowing comparison with pre-selected limits of acceptability and with the cost of implementing new security controls. Risk management is a typical optimization problem, and there are quite a few software products that can help solve it (sometimes such products are simply bundled with books on information security). The fundamental difficulty, however, is the inaccuracy of the initial data. One can, of course, try to express every analyzed value in money and calculate everything to the nearest penny, but there is little sense in this. It is more practical to use conventional units. In the simplest, and perfectly acceptable, case a three-point scale can be used.

The main stages of risk management.

The first step in analyzing threats is identifying them. The types of threats under consideration should be selected based on considerations of common sense (excluding, for example, earthquakes, but not forgetting about the possibility of seizure of the organization by terrorists), but within the selected types, carry out the most detailed analysis.

It is advisable to identify not only the threats themselves, but also the sources of their occurrence - this will help in choosing additional means of protection.

After identifying the threat, it is necessary to assess the likelihood of its implementation. It is permissible to use a three-point scale (low (1), medium (2) and high (3) probability).

If any risks turned out to be unacceptably high, it is necessary to neutralize them by implementing additional protection measures. Typically, to eliminate or neutralize a vulnerability that made a threat real, there are several security mechanisms, differing in efficiency and cost.

As with any activity, the implementation and testing of new security controls should be planned in advance. The plan must take into account the availability of financial resources and the time needed for staff training. If the protection mechanism is software or hardware, a test plan (stand-alone and integrated) must be drawn up.

When the intended measures are taken, it is necessary to check their effectiveness, that is, to make sure that the residual risks have become acceptable. If this is actually the case, then you can safely schedule the date of the next revaluation. Otherwise, you will have to analyze the mistakes made and re-run the risk management session immediately.
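The risk assessment procedure described above (identify threats and their sources, rate likelihood and impact on a three-point scale, compare the resulting score with a pre-selected acceptability limit, choose among several candidate controls of differing cost and effectiveness, and verify that residual risk is acceptable before scheduling the next review) carried through in Python as an added example; it is not part of the original text. Scoring risk as the product of likelihood and impact, the acceptance limit of 4, and all asset, threat and control names and cost figures are assumptions constructed for the illustration, not data from the page.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

# Three-point scale from the text: low=1, medium=2, high=3.
LEVEL = {"low": 1, "medium": 2, "high": 3}

# Acceptance limit in conventional units (assumed for this example: a risk
# scoring above 4 on the 1..9 product scale must be treated).
ACCEPTABLE_RISK = 4


@dataclass(frozen=True)
class Threat:
    name: str
    source: str        # recorded because the source guides the choice of countermeasure
    likelihood: str    # "low" | "medium" | "high"
    impact: str        # "low" | "medium" | "high"


@dataclass(frozen=True)
class Asset:
    name: str
    threats: tuple[Threat, ...]


@dataclass(frozen=True)
class Control:
    name: str
    cost: int                  # conventional units, not currency
    likelihood_reduction: int  # levels by which the control lowers likelihood
    impact_reduction: int = 0  # levels by which the control lowers impact


def score(likelihood: str, impact: str) -> int:
    """Risk = likelihood x impact on the 1..3 scale, giving values from 1 to 9."""
    return LEVEL[likelihood] * LEVEL[impact]


def residual(threat: Threat, control: Optional[Control]) -> int:
    """Risk remaining after a control is applied; a level never drops below 1."""
    if control is None:
        return score(threat.likelihood, threat.impact)
    lik = max(1, LEVEL[threat.likelihood] - control.likelihood_reduction)
    imp = max(1, LEVEL[threat.impact] - control.impact_reduction)
    return lik * imp


def select_control(threat: Threat, candidates, threshold: int) -> Optional[Control]:
    """Cheapest candidate whose residual risk is within the threshold, or None
    when no candidate is sufficient (the risk then goes back to management)."""
    adequate = [c for c in candidates if residual(threat, c) <= threshold]
    return min(adequate, key=lambda c: c.cost) if adequate else None


def treat_risks(assets, catalogue, threshold: int = ACCEPTABLE_RISK):
    """One row per (asset, threat): inherent score, chosen control name,
    residual score, and whether the residual risk is acceptable."""
    rows = []
    for asset in assets:
        for t in asset.threats:
            inherent = score(t.likelihood, t.impact)
            if inherent <= threshold:
                rows.append((asset.name, t.name, inherent, None, inherent, True))
                continue
            chosen = select_control(t, catalogue.get(t.name, ()), threshold)
            after = residual(t, chosen)
            rows.append((asset.name, t.name, inherent,
                         chosen.name if chosen else None, after, after <= threshold))
    return rows


def open_risks(rows):
    """(asset, threat) pairs whose residual risk is still unacceptable; these
    must be re-analyzed rather than scheduled for the next routine review."""
    return [(a, t) for a, t, _, _, _, ok in rows if not ok]


# Constructed sample register (not real data).
SAMPLE_ASSETS = (
    Asset("customer database", (
        Threat("SQL injection via web portal", "external attacker", "high", "high"),
        Threat("disk failure", "hardware fault", "medium", "medium"),
    )),
    Asset("payroll file share", (
        Threat("insider copies data to USB", "employee", "medium", "high"),
    )),
    Asset("file server", (
        Threat("ransomware", "external attacker", "high", "high"),
    )),
)

# Candidate controls per threat; reductions and costs are constructed.
SAMPLE_CATALOGUE = {
    "SQL injection via web portal": (
        Control("web application firewall", cost=3, likelihood_reduction=1),
        Control("parameterised queries and code review", cost=5, likelihood_reduction=2),
    ),
    "insider copies data to USB": (
        Control("USB port blocking", cost=2, likelihood_reduction=1),
        Control("DLP with content inspection", cost=6, likelihood_reduction=2),
    ),
    "ransomware": (
        Control("endpoint antivirus", cost=2, likelihood_reduction=1),
    ),
}


if __name__ == "__main__":
    rows = treat_risks(SAMPLE_ASSETS, SAMPLE_CATALOGUE)
    for asset, threat, inherent, control, after, ok in rows:
        print(f"{asset:20} {threat:30} {inherent} -> {after} via {control or '-':38} "
              f"{'accept' if ok else 'UNACCEPTABLE'}")
    print("re-run risk analysis for:", open_risks(rows))
```

Running the block prints the register with the control chosen for each threat. The web application firewall is skipped for the SQL injection threat because it leaves the residual at 6, above the limit, while the cheaper USB blocking control is preferred over DLP for the insider threat because both satisfy the limit. The ransomware row shows the case the text calls an unacceptable residual risk: no catalogued control brings it within the limit, so it is flagged for renewed analysis instead of being scheduled for the next reassessment.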

Conclusions

Each head of the enterprise cares about his business and therefore must understand that the decision to implement an information security management system (ISMS) is an important step that will minimize the risks of loss of assets of the enterprise / organization and reduce financial losses, and in some cases avoid bankruptcy.

Information security is important for businesses, both private and public sectors. It should be seen as a tool for assessing, analyzing and minimizing the associated risks.

Security that can be achieved by technical means has its limitations and should be supported by appropriate management practices and procedures.

Determining controls requires careful planning and attention.

To effectively protect information, the most appropriate security measures should be developed, which can be achieved by identifying the main risks of information in the system and implementing appropriate measures.

The BS ISO/IEC 27001:2005 standard describes an information security management system (ISMS) model and offers a set of requirements for organizing information security in an enterprise, without prescribing the implementation methods, which are chosen by the organization's implementers.


The decision to create (and subsequently certify) an ISMS is taken by the organization's top management. This demonstrates management support and reaffirms the value of the ISMS to the business. The organization's management initiates the creation of an ISMS planning team.

The team responsible for planning the ISMS should include:

· Representatives of the organization's top management;

· Representatives of the business units covered by the ISMS;

· Specialists from the information security departments;

· Third-party consultants (if necessary).

The IS Committee supports the operation of the ISMS and its continuous improvement.

The working group should be guided by the regulatory and methodological framework, both that relating to the creation of an ISMS and that relating to the organization's field of activity, and, of course, by the general system of state laws.

Regulatory framework for creating an ISMS:

· ISO/IEC 27000:2009 Vocabulary and definitions.

· ISO/IEC 27001:2005 General requirements for the ISMS.

· ISO/IEC 27002:2005 Code of practice for information security management.

· ISO/IEC 27003:2010 Implementation guidance for an ISMS.

· ISO/IEC 27004:2009 Information security measurements (metrics).

· ISO/IEC 27005:2011 Guidelines for information security risk management.

· ISO/IEC Guide 73:2002, Risk management - Vocabulary - Guidelines for use in standards.

· ISO/IEC 13335-1:2004, Information technology - Security techniques - Management of information and communications technology security - Part 1: Concepts and models for information and communications technology security management.

· ISO/IEC TR 18044 Information technology - Security techniques - Information security incident management.

· ISO 19011:2002 Guidelines for quality and/or environmental management systems auditing.

· British Standards Institution ISMS Methodology Series (formerly the PD 3000 series documents).

    The process of creating an ISMS consists of 4 stages:

    Stage 1. Planning an ISMS.

    Establishing policies, objectives, processes and procedures related to risk management and information protection in accordance with the overall policy and objectives of the organization.

    a) Determining the scope and boundaries of the ISMS:

    · Description of the type of activity and business goals of the organization;

    · An indication of the boundaries of the systems covered by the ISMS;

    · Description of the organization's assets (types of information resources, software and hardware, personnel and organizational structure);

    · Description of business processes using the protected information.

    A description of the system boundaries includes:

    · Description of the existing structure of the organization (with the possible changes that may arise from the development of the information system).

    · Information system resources to be protected (computers, information, system and application software). To assess them, a system of criteria and a methodology for obtaining assessments against these criteria (categorization) should be selected.

    · Information processing technology and the tasks to be solved. For the tasks to be solved, information processing models should be built in terms of resources.

    · Diagram of the organization's information system and supporting infrastructure.

    As a rule, at this stage a document is drawn up in which the boundaries of the information system are fixed, the company's information resources to be protected are listed, and a system of criteria and methods for assessing the value of the company's information assets is provided.

    b) Definition of the organization's ISMS policy (an expanded version of the ISS).

    · Objectives, directions and principles of activity in relation to information protection;

    · Description of the strategy (approaches) of risk management in the organization, structuring of countermeasures to protect information by type (legal, organizational, hardware and software, engineering and technical);

    · Description of the criteria for the significance of the risk;

    · The position of the management, determination of the frequency of meetings on the topic of information security at the management level, including periodic revision of the provisions of the information security policy, as well as the procedure for training all categories of users of the information system on information security.

    c) Determining the approach to risk assessment in the organization.

    The risk assessment methodology is selected depending on the ISMS, the established business requirements for information security, and legal and regulatory requirements.

    The choice of the risk assessment methodology depends on the level of requirements for the information security regime in the organization, the nature of the threats taken into account (the spectrum of threat impact) and the effectiveness of potential countermeasures to protect information. In particular, a distinction is made between basic and increased (or complete) requirements for the information security regime.

    The minimum requirements for the IS regime correspond to the basic IS level. Such requirements apply, as a rule, to typical design solutions. There are a number of standards and specifications that consider the minimum (typical) set of the most likely threats, such as viruses, equipment failures, unauthorized access, etc. To neutralize these threats, countermeasures must be taken regardless of the likelihood of their realization and the vulnerability of resources. Thus, at the basic level it is not necessary to consider the characteristics of threats. Foreign standards in this area include ISO 27002, BSI, NIST, etc.

    In cases where violations of the IS regime lead to serious consequences, additional requirements are imposed.

    To formulate additional increased requirements, you must:

    · Determine the value of resources;

    · Add to the standard set a list of threats that are relevant to the information system under study;

    · Assess the likelihood of threats;

    · Determine resource vulnerabilities;

    · Assess the potential damage from the actions of intruders.

    It is necessary to find a risk assessment methodology that can be used on an ongoing basis with minimal changes. There are two ways: to use existing risk assessment methods and tools available on the market, or to create your own methodology adapted to the specifics of the company and the area of activity covered by the ISMS.

    The latter option is preferable, since so far most of the products on the market that implement one or another risk analysis methodology do not meet the requirements of the Standard. Typical disadvantages of such techniques are:

    · A standard set of threats and vulnerabilities that is often impossible to change;

    · Acceptance of only software, hardware and information resources as assets, without considering human resources, services and other important resources;

    · The overall complexity of the methodology in terms of its sustainable and repeatable use.

    · Criteria for accepting risks and acceptable levels of risk (should be based on the achievement of the strategic, organizational and management objectives of the organization).

    d) Risk identification.

    · Identification of assets and their owners: informational input data; informational output data; information records; resources (people, infrastructure, equipment, software, tools, services).

    · Identification of threats (standards for risk assessment often suggest classes of threats that can be supplemented and expanded).

    · Identification of vulnerabilities (there are also lists of the most common vulnerabilities that you can rely on when analyzing your organization).

    · Determination of the value of assets (possible consequences from loss of confidentiality, integrity and availability of assets). Information about the value of an asset can be obtained from its owner or from a person to whom the owner has delegated all the authority over this asset, including ensuring its security.

    e) Risk assessment.

    · Assessment of the damage that can be caused to the business from the loss of confidentiality, integrity and availability of assets.

    · Assessment of the likelihood of the implementation of threats through existing vulnerabilities, taking into account the available IS management tools and assessing the possible damage caused;

    · Determination of the level of risk.

    · Application of risk acceptance criteria (acceptable / requiring treatment).

    f) Risk treatment (in accordance with the selected risk management strategy).

    Possible actions:

    Passive actions:

    · Risk acceptance (a decision that the resulting level of risk is acceptable);

    · Risk avoidance (a decision to change the activity that gives rise to the given level of risk, for example moving the web server outside the boundary of the local network);

    Active actions:

    · Risk reduction (using organizational and technical countermeasures);

    · Risk transfer (for example, insurance against fire, theft or software bugs).

    The choice of possible actions depends on the accepted risk criteria: an acceptable level of risk is set; the levels of risk that can be reduced by means of information security management; the levels of risk at which it is recommended to abandon or transform the activity that causes them; and the risks that it is desirable to transfer to other parties.
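Steps d) to f) above, as an added worked example that is not part of the original text or of any standard: a small risk register that values each asset by the consequences of losing confidentiality, integrity and availability, scores each threat/vulnerability pair as likelihood times impact, applies management's acceptance criteria and maps every risk onto the accept / avoid / reduce / transfer options described above, then recomputes the residual level after a countermeasure. The assets, threats, vulnerabilities, the 1 to 5 scales and the acceptance thresholds are all constructed assumptions; ISO/IEC 27001 and 27005 leave the choice of scales and criteria to the organization.

```python
"""Toy ISMS risk register: identification, assessment and treatment selection.
All data, scales and thresholds below are constructed for illustration."""
from dataclasses import dataclass


@dataclass
class Asset:
    """An information asset with the consequence of losing each security property."""
    name: str
    owner: str   # the owner (or delegate) supplies the value estimates
    c: int       # consequence of loss of confidentiality, constructed 1..5 scale
    i: int       # consequence of loss of integrity
    a: int       # consequence of loss of availability

    def value(self) -> int:
        """Asset value is set by its worst-case consequence, not the sum."""
        return max(self.c, self.i, self.a)


@dataclass
class Risk:
    """One threat exploiting one vulnerability of one asset."""
    asset: Asset
    threat: str
    vulnerability: str
    affects: str                       # property the threat acts on: "C", "I" or "A"
    likelihood: int                    # 1..5, judged with existing controls in place
    activity_can_change: bool = False  # can the activity causing the risk be changed (avoidance)?
    insurable: bool = False            # can the consequence be passed to a third party (transfer)?

    def impact(self) -> int:
        return {"C": self.asset.c, "I": self.asset.i, "A": self.asset.a}[self.affects]

    def level(self) -> int:
        """Risk level = likelihood x impact; a 5x5 matrix gives values 1..25."""
        return self.likelihood * self.impact()


@dataclass
class AcceptanceCriteria:
    """Risk acceptance criteria approved by management (constructed thresholds)."""
    acceptable_max: int  # levels up to here are accepted as they are
    reducible_max: int   # levels up to here are reduced by countermeasures;
                         # anything higher is avoided or transferred where possible


def choose_treatment(risk: Risk, criteria: AcceptanceCriteria) -> str:
    """Map a risk level onto the four treatment options named in the text."""
    lvl = risk.level()
    if lvl <= criteria.acceptable_max:
        return "accept"           # passive: level is acceptable as it stands
    if lvl <= criteria.reducible_max:
        return "reduce"           # active: organizational and technical countermeasures
    if risk.activity_can_change:
        return "avoid"            # passive: change the activity that causes the risk
    if risk.insurable:
        return "transfer"         # active: insurance or contractual transfer
    return "reduce"               # no other option: reduce as far as feasible and re-assess


def treatment_plan(risks, criteria):
    """Risk register with the chosen treatment, highest level first (priority order)."""
    rows = [{"asset": r.asset.name, "owner": r.asset.owner, "threat": r.threat,
             "vulnerability": r.vulnerability, "impact": r.impact(),
             "likelihood": r.likelihood, "level": r.level(),
             "treatment": choose_treatment(r, criteria)} for r in risks]
    return sorted(rows, key=lambda row: row["level"], reverse=True)


def residual_level(risk, likelihood_after):
    """Residual risk after a countermeasure lowers the likelihood; the impact
    stays with the asset unless the asset or the activity itself changes."""
    return likelihood_after * risk.impact()


# --- constructed sample data, not taken from any real assessment -------------
CUSTOMER_DB = Asset("customer database", "head of sales", c=5, i=4, a=3)
WEB_SERVER = Asset("public web server", "IT manager", c=1, i=3, a=4)
WORKSTATIONS = Asset("employee workstations", "IT manager", c=3, i=2, a=2)

SAMPLE_RISKS = [
    Risk(CUSTOMER_DB, "unauthorized access", "weak password policy", "C", likelihood=2),
    Risk(WEB_SERVER, "denial of service", "single instance inside the office LAN",
         "A", likelihood=4, activity_can_change=True),
    Risk(WORKSTATIONS, "malware infection", "outdated antivirus signatures", "I", likelihood=3),
    Risk(WEB_SERVER, "prolonged power outage", "no second site", "A",
         likelihood=4, insurable=True),
]
CRITERIA = AcceptanceCriteria(acceptable_max=6, reducible_max=12)

if __name__ == "__main__":
    for row in treatment_plan(SAMPLE_RISKS, CRITERIA):
        print(f"{row['level']:>2}  {row['treatment']:<8} {row['asset']}: {row['threat']}")
    # after a password policy is enforced the analyst re-judges the likelihood as 1
    print("residual level for unauthorized access:", residual_level(SAMPLE_RISKS[0], 1))
```

The register is deliberately sorted by level so that the treatment plan lists priority measures first, as the text requires later in step g); the residual level feeds the management approval in step h), and a residual value that still exceeds the acceptance threshold is the signal to add a further countermeasure or revisit the criteria.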

    g) Selecting objectives and controls for risk treatment.

    Goals and controls should implement the risk management strategy, take into account the criteria for accepting risks and legal, regulatory and other requirements.

    ISO 27001-2005 provides a list of objectives and controls as a basis for building a risk treatment plan (ISMS requirements).

    The risk treatment plan contains a list of priority measures to reduce risk levels, indicating:

    · Persons responsible for the implementation of these measures and funds;

    · Terms of implementation of activities and priorities for their implementation;

    · Resources for the implementation of such activities;

    · Levels of residual risks after the implementation of measures and controls.

    The top management of the organization is responsible for the adoption and oversight of the risk treatment plan. The fulfillment of the key activities of the plan is a criterion for making a decision on putting the ISMS into operation.

    At this stage, the choice of IS countermeasures is justified and structured by the regulatory, organizational, managerial, technological, and hardware and software levels of information security. (The set of countermeasures is then implemented in accordance with the selected information risk management strategy.) In the full version of the risk analysis, the effectiveness of the countermeasures is additionally assessed for each risk.

    h) Management approval of the proposed residual risk.

    i) Obtain management approval for the implementation and commissioning of the ISMS.

    j) Statement of Applicability (in accordance with ISO 27001-2005).

    The date the ISMS is put into operation is the date when the company's top management approves the Statement of Applicability of Controls, which describes the objectives and means chosen by the organization to manage risks:

    · The means of management and control selected during the risk treatment stage;

    · Already existing in the organization means of management and control;

    · Means to ensure compliance with legal requirements and requirements of regulatory organizations;

    · Means to ensure the fulfillment of customer requirements;

    · Means ensuring the fulfillment of general corporate requirements;

    · Any other appropriate means of management and control.
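A check an auditor performs on the Statement of Applicability, as an added example that is not part of the original text or of the standard: every control the risk treatment plan relies on must be marked applicable in the SoA and justified by risk treatment, every control in the catalogue must carry either a reason for inclusion (from the categories listed above) or a written justification for exclusion, and the SoA must not cite identifiers outside the catalogue. The control catalogue, its identifiers, the plan and both SoA variants are constructed placeholders, not Annex A numbering.

```python
"""Consistency check between a risk treatment plan and a Statement of Applicability.
All identifiers and entries are constructed for illustration."""

# Constructed control catalogue standing in for the standard's list of controls.
CATALOGUE = {
    "C-01": "access control policy",
    "C-02": "protection against malware",
    "C-03": "information backup",
    "C-04": "network segregation",
    "C-05": "supplier service delivery management",
    "C-06": "physical entry controls",
}

# Grounds for listing a control in the SoA, as enumerated in the text.
INCLUSION_REASONS = {"risk treatment", "already implemented", "legal",
                     "customer", "corporate", "other"}


def check_soa(plan, soa, catalogue):
    """Return a list of findings; an empty list means the SoA is consistent
    with the risk treatment plan and decides on every catalogue control."""
    findings = []

    # 1. Every control the treatment plan relies on must be applicable in the
    #    SoA and its inclusion must be justified by risk treatment.
    for measure in plan:
        for cid in measure["controls"]:
            entry = soa.get(cid)
            if entry is None or not entry.get("applicable", False):
                findings.append(f"{cid}: selected in the treatment plan for "
                                f"'{measure['risk']}' but not applicable in the SoA")
            elif "risk treatment" not in entry.get("reasons", []):
                findings.append(f"{cid}: applicable, but its inclusion is not "
                                f"justified by risk treatment")

    # 2. Every catalogue control needs a decision: applicable with at least one
    #    known reason, or excluded with a written justification.
    for cid in catalogue:
        entry = soa.get(cid)
        if entry is None:
            findings.append(f"{cid}: missing from the SoA")
        elif entry.get("applicable", False):
            reasons = set(entry.get("reasons", []))
            if not reasons:
                findings.append(f"{cid}: applicable but no reason for inclusion recorded")
            unknown = reasons - INCLUSION_REASONS
            if unknown:
                findings.append(f"{cid}: unknown reason(s) {sorted(unknown)}")
        elif not entry.get("justification"):
            findings.append(f"{cid}: excluded without justification")

    # 3. The SoA must not cite identifiers outside the catalogue (typos, stale ids).
    findings.extend(f"{cid}: not in the control catalogue"
                    for cid in soa if cid not in catalogue)
    return findings


# --- constructed sample plan and two SoA variants ----------------------------
PLAN = [
    {"risk": "unauthorized access to customer database", "controls": ["C-01"]},
    {"risk": "malware infection of workstations", "controls": ["C-02"]},
    {"risk": "loss of data on storage failure", "controls": ["C-03"]},
]

GOOD_SOA = {
    "C-01": {"applicable": True, "reasons": ["risk treatment"]},
    "C-02": {"applicable": True, "reasons": ["risk treatment", "already implemented"]},
    "C-03": {"applicable": True, "reasons": ["risk treatment", "legal"]},
    "C-04": {"applicable": True, "reasons": ["customer"]},
    "C-05": {"applicable": False,
             "justification": "no outsourced services inside the ISMS scope"},
    "C-06": {"applicable": True, "reasons": ["already implemented", "corporate"]},
}

BAD_SOA = {
    "C-01": {"applicable": False},                                   # dropped, no justification
    "C-02": {"applicable": True, "reasons": ["already implemented"]},  # risk link not recorded
    "C-03": {"applicable": True, "reasons": ["risk treatment"]},
    "C-04": {"applicable": True, "reasons": ["customer"]},
    "C-05": {"applicable": False},                                   # excluded, no justification
    "C-99": {"applicable": True, "reasons": ["other"]},              # identifier not in catalogue
}   # C-06 is missing entirely

if __name__ == "__main__":
    print("consistent SoA findings:", check_soa(PLAN, GOOD_SOA, CATALOGUE))
    for finding in check_soa(PLAN, BAD_SOA, CATALOGUE):
        print("-", finding)
```

The first loop is the link the text stresses: the date the ISMS enters operation is the approval of this document, so a control chosen in step g) but absent from the SoA means the approved scope does not match the plan management thinks it approved.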

    Stage 2. Implementation and operation of the ISMS.

    To implement and operate the information security policy, controls, processes and procedures in the field of information security, the following actions are performed:

    a) Development of a risk treatment plan: a description of the planned controls, the resources (software, hardware, personnel) required for their implementation, support and control, and management responsibilities for information security risk management (development of documents at the planning stage, support of information security objectives, determination of roles and responsibilities, provision of the resources necessary to establish an ISMS, auditing and review).

    b) Allocation of funding, roles and responsibilities for the implementation of the risk treatment plan.

    c) Implementation of planned controls.

    d) Establishment of performance benchmarks (metrics) of controls, methods of their measurement, which will provide comparable and reproducible results.

    e) Improvement of qualifications, awareness of personnel in the field of information security in accordance with their job responsibilities.

    f) Managing the operation of the ISMS, managing resources to maintain, monitor and improve the ISMS.

    g) Implementation of procedures and other controls for rapid detection and response to information security incidents.

    Stage 3. Continuous monitoring and analysis of the functioning of the ISMS.

    This stage involves assessing or measuring the key performance indicators of processes, analyzing the results and reporting to management for review, and includes:

    a) Conducting continuous monitoring and analysis (this makes it possible to quickly detect errors in the functioning of the ISMS, to quickly identify and respond to security incidents, to delineate the roles of personnel and automated systems in the ISMS, to prevent security incidents by analyzing unusual behavior, and to determine the effectiveness of security incident handling).

    b) Conducting regular analysis of the effectiveness of the ISMS (reviewing compliance with the ISMS policy and objectives, audits, key effectiveness indicators, suggestions and responses from stakeholders).

    c) Measuring the effectiveness of controls to verify that security requirements are being met.

    d) Periodic reassessment of risks, analysis of residual risks and determination of acceptable levels of risk for any changes in the organization (business objectives and processes, identified threats, newly identified vulnerabilities, etc.).

    e) Periodic internal audits of the ISMS.

    An ISMS audit checks the compliance of the selected countermeasures with the business goals and objectives declared by the organization for IS; based on its results, residual risks are assessed and, where necessary, optimized.

    f) Regular management review of the scope and development trends of the ISMS.

    g) Updating risk management plans to capture monitoring and review results.

    h) Maintaining a log of events that have a negative impact on the effectiveness or quality of the ISMS.
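The metrics called for in Stage 2 d) and measured in Stage 3 a) to c), as an added example that is not part of the original text: two incident-handling indicators (time to detect, time to resolve) computed the same way every period from the incident records, together with the share of incidents found by the organization's own monitoring rather than reported by users, and the entries for the log of events that degrade ISMS effectiveness (item h). The incident records, the field names and the targets are constructed assumptions.

```python
"""Reproducible incident-handling metrics for the ISMS management review.
Incident records and targets are constructed for illustration."""
from datetime import datetime
from statistics import mean

# Constructed incident records (ISO 8601 timestamps): when the incident began
# (as established during investigation), when and by whom it was detected,
# and when it was resolved.
INCIDENTS = [
    {"id": "INC-1", "started": "2012-05-01T08:00", "detected": "2012-05-01T08:20",
     "detected_by": "monitoring", "resolved": "2012-05-01T11:00"},
    {"id": "INC-2", "started": "2012-05-03T22:00", "detected": "2012-05-04T09:00",
     "detected_by": "user report", "resolved": "2012-05-04T15:00"},
    {"id": "INC-3", "started": "2012-05-10T10:00", "detected": "2012-05-10T10:05",
     "detected_by": "monitoring", "resolved": "2012-05-12T10:05"},
    {"id": "INC-4", "started": "2012-05-15T14:00", "detected": "2012-05-15T14:30",
     "detected_by": "user report", "resolved": "2012-05-15T16:00"},
]

# Constructed targets that a management review might set for the incident process.
TARGETS = {"detect_hours": 4.0, "resolve_hours": 24.0}


def _hours(later: str, earlier: str) -> float:
    """Elapsed hours between two ISO 8601 timestamps."""
    return (datetime.fromisoformat(later) - datetime.fromisoformat(earlier)).total_seconds() / 3600


def time_to_detect(inc) -> float:
    return _hours(inc["detected"], inc["started"])


def time_to_resolve(inc) -> float:
    return _hours(inc["resolved"], inc["detected"])


def measure(incidents, targets):
    """Metrics defined once and computed identically each period, so that
    successive management reviews compare like with like."""
    n = len(incidents)
    ttd = [time_to_detect(i) for i in incidents]
    ttr = [time_to_resolve(i) for i in incidents]

    def pct(count):
        return round(100.0 * count / n, 1)

    return {
        "incidents": n,
        "mean_time_to_detect_h": round(mean(ttd), 2),
        "mean_time_to_resolve_h": round(mean(ttr), 2),
        "detected_within_target_pct": pct(sum(t <= targets["detect_hours"] for t in ttd)),
        "resolved_within_target_pct": pct(sum(t <= targets["resolve_hours"] for t in ttr)),
        # share found by the organization's own monitoring rather than by users
        "detected_by_monitoring_pct": pct(sum(i["detected_by"] == "monitoring" for i in incidents)),
    }


def negative_events(incidents, targets):
    """Entries for the log of events that degrade ISMS effectiveness (Stage 3, h):
    each incident that missed a target, with the metric and value that missed."""
    events = []
    for inc in incidents:
        if time_to_detect(inc) > targets["detect_hours"]:
            events.append({"id": inc["id"], "missed": "detect",
                           "hours": round(time_to_detect(inc), 2)})
        if time_to_resolve(inc) > targets["resolve_hours"]:
            events.append({"id": inc["id"], "missed": "resolve",
                           "hours": round(time_to_resolve(inc), 2)})
    return events


if __name__ == "__main__":
    for name, value in measure(INCIDENTS, TARGETS).items():
        print(f"{name:<28} {value}")
    for event in negative_events(INCIDENTS, TARGETS):
        print("negative event:", event)
```

The point of fixing the definitions in code is the "comparable and reproducible results" the text asks for: a metric whose formula drifts between quarters cannot show whether a control has improved, and the negative-event entries give the Stage 4 corrective actions a concrete starting point.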

    Stage 4. Maintaining and improving the ISMS.

    Based on the results of the internal ISMS audit and management analysis, corrective and preventive actions are developed and implemented to continuously improve the ISMS:

    a) Improvement of information security policy, information security objectives, audit, analysis of observed events.

    b) Development and implementation of corrective and preventive actions to eliminate non-compliance with the ISMS requirements.

    c) Monitoring improvements to the ISMS.

    Conclusion

    ISO 27001 describes a general model for implementing and operating an ISMS and for monitoring and improving it. ISO intends to harmonize its various management system standards, such as ISO/IEC 9001:2000, which deals with quality management, and ISO/IEC 14001:2004, which deals with environmental management systems. The goal of ISO is to ensure the consistency and integration of the ISMS with the other management systems in the company. The similarity of the standards allows similar tools and functionality to be used for implementation, management, revision, verification and certification. The implication is that if a company has implemented other management standards, it can use a unified audit and management system applicable to quality management, environmental management, safety management, etc. By implementing an ISMS, senior management gains the means to monitor and manage security, which reduces residual business risks. After implementing an ISMS, the company can formally ensure the security of its information and continue to comply with the requirements of customers, legislation, regulators and shareholders.

    It should be noted that the legislation of the Russian Federation includes the document GOST R ISO/IEC 27001-2006, which is a translated version of the international standard ISO 27001.


    An information security management system is a part of an overall management system based on the use of business risk assessment methods for the development, implementation, operation, monitoring, analysis, support and improvement of information security.

    The management system includes the organizational structure, policies, planning activities, allocation of responsibilities, practical activities, procedures, processes and resources. [GOST R ISO/IEC 27001-2006]

    The ISO 27001 standard defines the requirements for an information security management system (ISMS). The requirements of the standard are to a certain extent abstract and not tied to the specifics of any area of the company's activity.

    The development of information systems in the early 1990s led to the need to create a security management standard. At the request of the UK government and industry, the UK Department of Trade and Industry developed a set of ISMS practices.

    The original standard, BS 7799, has come a long way through a series of tests and adjustments. The most important stage in its "career" came in 2005, when the standard for evaluating an ISMS was recognized as international (that is, the consistency of its requirements with a modern ISMS was confirmed). From that moment on, leading enterprises around the world began to actively implement the ISO 27001 standard and prepare for certification.

    ISMS structure

    A modern ISMS is a process-oriented management system that includes organizational, documentary, and software and hardware components. The following "views" on the ISMS can be distinguished: process, documentary and maturity.

    ISMS processes are created in accordance with the requirements of the ISO/IEC 27001:2005 standard, which is based on the Plan-Do-Check-Act management cycle. In accordance with it, the life cycle of an ISMS consists of four types of activities: Creation - Implementation and operation - Monitoring and analysis - Maintenance and improvement. The documented ISMS processes ensure that all the requirements of standard 27001 are met.

    The ISMS documentation consists of policies, documented procedures, standards and records and is divided into two parts: the ISMS management documentation and the ISMS operational documentation.

    The ISMS maturity model determines the detail of the developed documentation and the degree of automation of the ISMS management and operation processes. The CobiT maturity model is used in assessment and planning. The ISMS Maturity Improvement Program provides the composition and timing of measures to improve the IS management processes and management of the operation of IS facilities.

    The standard proposes applying the PDCA (Plan-Do-Check-Act) model to the ISMS life cycle, which includes design, implementation, operation, control, analysis, support and improvement (Figure 1).

    Plan - the phase of creating the ISMS: compiling the list of assets, assessing risks and selecting measures;

    Do - the phase of introducing and implementing the relevant measures;

    Check - the phase of evaluating the effectiveness and efficiency of the ISMS, usually performed by internal auditors;

    Act - the phase of taking preventive and corrective actions.

    The process of creating an ISMS consists of 4 stages:

    A planning process that aims to identify, analyze and design ways to handle information security risks. When creating this process, a methodology should be developed for categorizing information assets and a formal risk assessment based on data on threats and vulnerabilities that are relevant to the information infrastructure under consideration. With regard to the PCI DSS audit area, two types of valuable information assets with different levels of criticality can be distinguished - cardholder data and critical authentication data.

    The process of implementing planned risk treatment methods, describing the procedure for starting a new information security process, or modernizing an existing one. Particular attention should be paid to describing roles and responsibilities, and planning for implementation.

    The process of monitoring the functioning of the ISMS processes (it is worth noting that both the ISMS processes and the ISMS itself are subject to effectiveness monitoring; after all, the four management processes are not granite sculptures, and self-improvement applies to them too).

    The process of improving the ISMS processes in accordance with the monitoring results, which makes it possible to implement corrective and preventive actions.