Methodology for Assessing the Risks of Information Enterprise Security Using Case Technologies

Author:

Gavrilov A. V.1, Sizov V. A.1, Yaroshenko E. V.1

Affiliation:

1. Plekhanov Russian University of Economics

Abstract

Purpose of the study. Creating an effective information security system for an enterprise is impossible without an adequate assessment of the risks to which its assets are exposed. The results of such an assessment should become the basis for decision-making in the field of enterprise information security. Identifying information assets, assessing their value, and determining the level of threats to the security of those assets make it possible to plan measures for creating an enterprise information security system. This paper discusses a methodology for assessing the information security risks of an enterprise; its distinctive feature and novelty is the use of modern tools and methods for constructing and analyzing business processes in order to identify the enterprise information assets to be protected.

Materials and methods. It is proposed to identify information assets on the basis of the enterprise’s business process model, built using the IDEF0 methodology. Business process modeling was carried out in the Business Studio environment of the “Modern Management Technologies” company. The activity of a typical IT-industry company was considered as an example for the risk analysis.

Results. The methodology for assessing enterprise information security risks described in the article has been successfully tested in the educational process. Its use in laboratory classes for the discipline “Designing the information security system of enterprises and organizations” for master’s students in the field of “Information security” allowed, in the authors’ opinion, an increase in the effectiveness of forming students’ professional competencies.

Conclusion. The paper proposes a methodology for assessing information security risks for objects of an enterprise’s information infrastructure, which makes it possible to identify priority areas of information security at the enterprise. As a result of applying the technique, a loss matrix is formed that shows the problem areas in the organization of information protection, which should receive priority attention when planning information security measures. Based on the data obtained, it is possible to form an economically justified strategy and tactics for developing the enterprise information security system.

Publisher

Plekhanov Russian University of Economics (PRUE)

Subject

General Earth and Planetary Sciences, General Environmental Science

