3.6 Operation of the ISMS
.6.1 Filling recommendations
To ensure the most effective operation of the ISMS Matrix in partial uncertainty, the author recommends starting the exploitation of the system by filling the lists of classifying elements with all known items independently of tasks or documents, i.e. enter the initially known description of the target organisation.lists of classifying elements can be edited in Elements lists (Списки елементів) form called form the main menu of the ISMS by the item Edit the elements lists (Редагувати списки елементів). It is possible to start with any classifying element except Risks (Ризики), because that list is built of elements from Assets (Активи) and Threats (Загрози). The logic of this dependence is described below in the subsection 3.6.3 Risk assessment.recommendations concerning definition of entries and presence of recommended values for each of the classifying elements are presented above in the subsection 3.4.2 Classifying elements.
In the process of further exploitation the lists of classifying elements are subject to changes, which is a normal part of the ISMS integration process. The mentioned changes may be caused primarily by the extension of knowledge about the target organisation, or by the changes in business processes or in the structure of the target organisation.task statuses list has to be filled just before the beginning of the tasks input. The list initially has some values that are system-critical, but the practical implementation experience suggests that it will be needed to add statuses for current, important and planned tasks.the lists of elements are ready, it is possible to start the input of tasks and knowledge. These two main branches can usually be filled independently and in parallel, but when the ISMS is used to implement a certain standard, it is better to start with filling the Knowledge - documents (Знання - документи) section.entering the documents with the Knowledge - documents input (Знання - Введення документів) form it is better to split the big document into small sections, which can be entirely classified by a certain item in each classifying element. If the document is initially divided into sections and subsections, it is recommended to enter each smallest subsection as a separate knowledge record. This will increase the efficiency of formation of security policy, post instructions or other documents. The section Knowledge - documents is also intended to store any kind of reference information on information security (classified as knowledge).operational tasks are entered and edited through the form Detailed tasks information (Детальна інформація щодо задач). It is a usual case, when third party is involved in the operational task execution process, or when there are more than one executor. For such case, the involved officials can be listed in Executors, contacts (Виконавці, контакти) field. If the task is aimed at compliance with a certain document, the field Task description and measures (Опис задачі та заходи) can duplicate the title of the corresponding document or its relevant section. The short reports on the task execution progress should be appended in the field Directives and execution state (Настанови та стан виконання). The problems that have to be addressed to the management should be listed in the field Problems (Проблеми).it is hard to classify the knowledge or task record with present classifying elements, it is possible to add new values to the lists. Nevertheless, it is wise to analyse the absolute necessity of such addition and forecast whether the new value of a classifying element can be used by other records. Flooding the classifying elements lists will strongly decrease the system approach classification efficiency and may cause incomplete selections.
The Matrix can produce analytical reports as documents (both for printing and export to MS Word). The report formation is performed the following way:
1.The selection parameters are chosen on the form Selection criteria (Умови відбору) from combo list boxes.
2.The type of report is specified. On the form Formation of documents and reports (Формування документів / звітів) a report is selected from drop-down list in case it is needed to form the list of tasks, or corresponding flags are ticked and Form the documents list (Скомпонувати список документів) button is pressed in case is needed to form a document.
.Report is formed for viewing and printing or exported into an *.rtf file, depending on the state of Create *.rtf file (Створити файл *.rtf) flag on the form Formation of documents and reports (Формування документів / звітів).documented reports can be used as post instructions. And in such case these instructions will cooperate different departments in achieving the global goal, such as international standard implementation.reports of the ISMS Matrix demanded the development of several custom functions. The listing of the program module for the report All tasks (Всі задачі) is presented in appendix F as an example.
3.6.3 Risk assessment
The risk assessment function is realised by approximate estimation mechanism.
1.First, the assets to be protected are defined and entered into the ISMS in the form of assets list. Each asset is assigned a loss value (збиток) i.e. approximate loss estimation in case of asset failure.
2.Next, the whole scope of threats typical to organisation in question is entered into the ISMS in the form of threats list. Each threat is assigned a frequency value (частота) i.e. approximate scaled estimation of appearance frequency.
.Finally, the risk list is formed by assigning threats to assets. This step is put instead of cross-joining assets with threats because many minor or even impossible risks may be formed (like physical damage to intellectual capital). The risk values are obtained automatically from multiplication of asset loss value by threat frequency value.are assigned automatically to tasks and document records when corresponding pair of asset and threat are stated in classification fields.pivot risk chart Оцінка ризиків (Risk assessment) provides the overview of the risks faced by organisation and asset-threat distributions with overall estimations by each asset and each threat.
3.6.4 Information security policy formation
The work  presents the definition of the IS policy as: the set of laws, rules, recommendations and practical experience that determine the administrative and project decisions in the information security sphere. The IS policy determines the organisation of management, protection and distribution of critical information in the system. It must encompass all the features of information processing procedures, determining the behaviour of the protected information system in different situations.work  also states that the information security policy can cover one of the three following levels:
1.Higher level - statements affecting organisation on the whole, having general character and, as a rule, coming from the management of the organisation;
2.Middle level - issues that cover the separate aspects of information security, but are important for the different systems applied in the organisation;
.Lower level - covers concrete services, including the two aspects - purposes and ways of their achievement, thus being the most detailed.common practice of creating the IS policies in commercial organisations limits to having two policies: a high-level and a low-level ones. The former describes the general goals of the IS in the target organisation, and the latter contains the detailed descriptions of the concrete technical means and measures.ISMS Matrix, as one of its main functions, can produce the high-level IS policy, classifying all the present knowledge. The knowledge elements in the document are grouped in the following order:
1.By directions of the target organisations IS;
2.By threats corresponding to each of the directions;
.By measures aimed at counteraction to these threats., classical threat-counteraction model is preserved while complying with the system approach to IS. Plus, the formed IS policy complies with all the IS documents considered in the target organisation (i.e. registered in the ISMS).
The contents of the policy document is composed of the information contained in the fields Description (Опис) of the knowledge section of the ISMS, so it is important to fill these fields when entering the document sections or knowledge elements. The recommendations concerning the contents of the field are presented in subsection 3.4.3 Main data storages.information security policy in the ISMS Matrix is formed by pressing the button Form the information security policy (Сформувати політику інформаційної безпеки) on the form Formation of documents or reports (Формування документів / звітів). The sample page of the formed IS policy is presented in appendix D. The sample IS policy is formed of several bank IS documents, including  and . It is possible to add official introduction to the IS policy template.
Conclusions to section
developed product is an information security management system (ISMS) capable of producing documents like information security policy or operational reports and performi