ng statistical analyses from various perspectives. The ISMS operation is based on input knowledge about the target organisation and other documented knowledge on IS, ISS and IS management. The input elements of the product are the following:

- Information about the target organisation;
- Standard post descriptions;
- Operational tasks statements.

The information about the target organisation is presented by sets of elements arranged according to the system approach to IS. The content of the element sets represents the known structure and peculiarities of the business processes in the organisation.

IS standards that are implemented (or intended to be implemented) in the target organisation are stored in the knowledge section of the ISMS.

Normative documents are the legal papers concerning IS in the target organisation, such as the national law on confidentiality or an enterprise regulation.

Other available knowledge about IS may include the results of the latest research in the field or best practices.

Standard post descriptions are generally accepted rules for a position in a generic company. It sometimes happens that such descriptions do not completely fit a certain organisation. Nevertheless, they are a perfect reference for producing customised post descriptions.

Operational tasks statements are the current tasks set by the management. They can be concrete or describe the main functions of the officials.

Based on the input information classified according to the system approach to IS, the outputs of the developed ISMS include the following:

- Information security policy;
- Operational reports.

The high-level IS policy is formed by the developed ISMS from all the available knowledge. It is the set of general laws, rules, recommendations and practical experience that determine the administrative and project decisions affecting the organisation at the top-management level. The formed IS policy describes the general goals of IS in the target organisation.

Statistical analyses present the various distributions of tasks and knowledge that can be used in internal audit procedures. The pivot charts display general overviews of the IS state at the target enterprise from different perspectives.

Operational reports on tasks can be used as analytical documents or as post instructions coordinating different departments in achieving a common goal.

To add certain functions, program modules were written (see Appendixes E, F).
In Section 1 of the work, the issues of information security management in corporate networks were explored. The results of the latest investigations in the field, including those performed by the author, were reviewed. The general task of information security management system development was formulated.

Information about the normative documents guiding information security management in the world and in Ukraine was presented.

The results of the analysis of existing information security management solutions were provided. The most integrated solution on the Ukrainian market was considered.

The mathematical model of the information security system state was described as a continuous process with random parameters.

In Section 2 of the work, the requirements for the information security management system (ISMS) were reviewed, and the features needed in an effective information security management product were formulated.

The information security management system was developed according to the formulated task and the defined features of an effective ISMS.

The database structure was developed to contain the knowledge on information security and the operational tasks. Each of these records is placed in the framework of the system approach to information security by the classifying elements.

Program modules were developed in the Microsoft Visual Basic for Applications language (MS VBA) to support the custom functions of the forms and reports in the ISMS.

In Section 3 of the work, a detailed description of the product structure, interfaces and operation was presented. A fragment of the generated high-level information security policy was presented as an example of the ISMS outcome.

The solutions to the twelve major problems of analogous information security management products and the improvements made by the developed ISMS application were presented.
The financial advantages of the developed ISMS application were estimated.
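The data flow described above (knowledge records and operational task statements classified by the elements of the system approach, producing a policy outline, statistical distributions and per-post operational reports) and the database structure summarised in the conclusions can be illustrated with a small model. The following is an added Python example, not the thesis's VBA modules or its database; the two classifying axes (aspect and level), the record fields and the sample records are assumptions constructed for illustration. It also adds a coverage-gap check (knowledge records that no task implements), which is the kind of distribution an internal audit would examine.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass

# Classifying elements of the "system approach": two hypothetical axes.
# The thesis defines its own element sets; these names are assumptions.
ASPECTS = ("confidentiality", "integrity", "availability")
LEVELS = ("organisational", "technical")


@dataclass(frozen=True)
class Classification:
    """Position of a record in the system-approach framework."""
    aspect: str
    level: str

    def __post_init__(self):
        # Reject records that fall outside the defined element sets.
        if self.aspect not in ASPECTS or self.level not in LEVELS:
            raise ValueError(f"unknown classifying element: {self}")


@dataclass(frozen=True)
class KnowledgeRecord:
    """A standard requirement, normative rule or best practice (knowledge section)."""
    ref: str
    source: str      # "standard", "normative document" or "best practice"
    text: str
    cls: Classification


@dataclass(frozen=True)
class Task:
    """An operational task statement assigned to a post (position)."""
    post: str
    text: str
    cls: Classification
    implements: tuple = ()   # refs of the knowledge records the task fulfils


# Constructed sample knowledge base and task list (not data from the thesis).
KNOWLEDGE = [
    KnowledgeRecord("STD-1", "standard", "Classify information assets",
                    Classification("confidentiality", "organisational")),
    KnowledgeRecord("STD-2", "standard", "Control access to systems",
                    Classification("confidentiality", "technical")),
    KnowledgeRecord("LAW-1", "normative document", "Keep audit logs of changes",
                    Classification("integrity", "technical")),
    KnowledgeRecord("BP-1", "best practice", "Test backup restoration",
                    Classification("availability", "technical")),
]

TASKS = [
    Task("IS manager", "Maintain the asset inventory",
         Classification("confidentiality", "organisational"), ("STD-1",)),
    Task("System administrator", "Review user accounts monthly",
         Classification("confidentiality", "technical"), ("STD-2",)),
    Task("System administrator", "Restore one backup each quarter",
         Classification("availability", "technical"), ("BP-1",)),
]


def distribution(items, axis):
    """Pivot-chart style count of records along one classifying axis."""
    return Counter(getattr(it.cls, axis) for it in items)


def coverage_gaps(knowledge, tasks):
    """Knowledge records that no operational task implements: input for internal audit."""
    implemented = {ref for t in tasks for ref in t.implements}
    return sorted(k.ref for k in knowledge if k.ref not in implemented)


def operational_report(tasks, post):
    """Post instruction: the tasks assigned to one position."""
    return [t.text for t in tasks if t.post == post]


def policy_outline(knowledge):
    """High-level policy skeleton: the knowledge base grouped by aspect."""
    outline = defaultdict(list)
    for k in knowledge:
        outline[k.cls.aspect].append(f"[{k.source}] {k.text}")
    return {a: outline[a] for a in ASPECTS if outline[a]}


if __name__ == "__main__":
    print("tasks by aspect:", dict(distribution(TASKS, "aspect")))
    print("knowledge by level:", dict(distribution(KNOWLEDGE, "level")))
    print("uncovered knowledge:", coverage_gaps(KNOWLEDGE, TASKS))
    print("sysadmin tasks:", operational_report(TASKS, "System administrator"))
    for aspect, lines in policy_outline(KNOWLEDGE).items():
        print(aspect, lines)
```

Run directly, the block reports that LAW-1 (the logging requirement) is not implemented by any task, which is exactly the kind of gap a statistical overview of the knowledge base should surface before an audit rather than during it.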
Due to the scarcity of resources devoted to the development of the ISMS Matrix, its wide coverage of IS management processes is offset by an inability to operate at lower technical levels (for example, collecting or analysing log files). To overcome these challenges and accelerate the development of the product, it is necessary to invest money to support the developers or to dedicate a professional development team.
The ISMS Matrix is capable of generating economic profit for its developers. The product is distributed as freeware, but income is obtained from providing consulting, support and customisation of the product.
The author (and developer) of the ISMS Matrix continuously collects feedback from its users to ensure performance stability and to determine the necessary development trends. According to the latest demands, the following development perspectives are defined as necessary.
1. Development of out-of-the-box content for the most demanded Ukrainian and international standards, as well as for widespread types of enterprises;
2. Improvement of the method of internal IS audit execution to give the organisation's IS managers a clearer view of the IS state;
3. Creation of an expert system to provide more decision-making support;
4. Creation of an informative help and reference system;
5. Improvement of the educational functions to increase the level of trained IS specialists;
6. Improvement of the personnel management functions, such as tracking of tasks with several consecutive responsible persons;
7. Easy and comfortable adjustment of any reports, charts and diagrams;
8. Creation of wizards that will guide users through the initial stages of operation.