the different security levels.
1.5.4 Application of semi-Markov processes in ISS development
Planning, organisation and application of an ISS relate to unknown future events and therefore always contain elements of vagueness. Other sources of ambiguity are also present, such as incomplete information for making administrative decisions or social-psychological factors. It is therefore natural that considerable vagueness accompanies the ISS planning stage. The level of ambiguity can be lowered by applying the most adequate models.

Semi-Markov processes can be applied in ISS development as a universal tool for modelling the functioning of information systems at the stages of identifying possible threats and information loss channels, and of estimating vulnerability and risks. The application domain of semi-Markov processes corresponds to elements 204 and 304 (fig. 1.9). A zero in the second digit means coverage of all the directions. Thus, semi-Markov processes are included in the means that perform the following tasks:
1. Provide efficiency and quality in the definition of the set of possible threats and information loss channels on objects of the information system, in the processes and applications of the information system, during information transfer along communication channels, through side electromagnetic radiation, and also in the process of security system management;
2. Determine how the estimation of vulnerability and risks of information is conducted on objects of the information system, in the processes and applications of the information system, during information transfer along communication channels, through side electromagnetic radiation, and also in the process of security system management.
Fig. 1.9. The scope of semi-Markov processes application in the Matrix of knowledge
1.5.5 Application of semi-Markov processes in ISS state description
According to the modern theory of systems efficiency estimation, ISS quality shows up only in the process of its use for its intended purpose (special-purpose functioning); therefore an evaluation of the efficiency of application is the most objective one. As the basis of the complex of indexes and criteria for ISS efficiency estimation, the probability of the objective being fulfilled by the system (providing the required security level) must be used. The concepts of suitability and optimality then serve as criteria of estimation. Suitability means implementation of all the requirements set for the ISS; optimality is the achievement by one of the characteristics of its extreme value while the limitations and conditions applied to the other properties of the system are observed.

To describe the ISS state, it is enough to construct the Matrix of estimations (an example is presented in fig. 1.10), containing in its cells the efficiency estimations of the corresponding system elements. When any information system parameter changes, one or more elements of the Matrix of estimations may change because of the logical connections between them. That influences the generalised indexes, and consequently the general ISS state changes. The logical deduction hierarchy of ISS security level estimation is presented in Appendix A.
Fig. 1.10. Matrix of estimations
Taking into account the character of these changes, it is possible to suppose that the functioning of an ISS is also a semi-Markov process. This conclusion allows the changes of the ISS state to be described by a relatively simple mathematical model. Mathematical models of information system functioning based on semi-Markov processes can be used in the simulation of attacks on the information system, which will make the development of threat counteraction measures more efficient.

The conclusion can be made that semi-Markov processes can be applied both in the design and in the state description of an ISS. Models of information system activity based on semi-Markov processes can be used to increase the accuracy of the ISS efficiency estimation, as well as in ISS development.
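As an added illustration of modelling ISS functioning as a semi-Markov process (this is not code from the thesis), the Python script below defines an assumed four-state ISS (Secure, UnderAttack, Compromised, Recovering), an assumed embedded transition matrix P and assumed holding-time distributions, and computes the long-run fraction of time the system spends in each state in two ways: analytically, from the stationary distribution of the embedded chain weighted by the mean holding times, and by Monte Carlo generation of the process. All state names, probabilities and dwell times are constructed for the example, not values from the page.

```python
"""Semi-Markov model of ISS functioning (added example, not from the thesis).

The four states, the embedded transition probabilities and the holding-time
distributions are constructed assumptions chosen for illustration.
"""
import random

# Assumed ISS states (constructed for this example).
STATES = ["Secure", "UnderAttack", "Compromised", "Recovering"]

# Embedded Markov chain: P[i][j] = probability that the next state is j
# when the process leaves state i.  Assumed values.
P = [
    [0.0, 1.0, 0.0, 0.0],   # Secure      -> an attack attempt always comes eventually
    [0.7, 0.0, 0.3, 0.0],   # UnderAttack -> 70% repelled, 30% compromise
    [0.0, 0.0, 0.0, 1.0],   # Compromised -> detected and moved to recovery
    [1.0, 0.0, 0.0, 0.0],   # Recovering  -> restored to Secure
]

# Holding-time samplers (hours).  What makes this semi-Markov rather than
# Markov is that the dwell times need not be exponential: here the time in
# UnderAttack, Compromised and Recovering is bounded, as real response SLAs are.
HOLDING = [
    lambda rng: rng.expovariate(1.0 / 200.0),    # Secure: mean 200 h between attack attempts
    lambda rng: rng.uniform(1.0, 5.0),           # UnderAttack: 1..5 h, mean 3 h
    lambda rng: rng.uniform(12.0, 36.0),         # Compromised: 12..36 h undetected, mean 24 h
    lambda rng: rng.triangular(4.0, 24.0, 8.0),  # Recovering: 4..24 h, mode 8 h, mean 12 h
]
MEAN_HOLD = [200.0, 3.0, 24.0, 12.0]  # means of the distributions above


def stationary_distribution(P):
    """Stationary distribution pi of the embedded chain: pi * P = pi, sum(pi) = 1.

    Solved by Gauss-Jordan elimination; the example chain is periodic, so plain
    power iteration would oscillate instead of converging."""
    n = len(P)
    rows = []
    for j in range(n - 1):  # n-1 balance equations
        rows.append([P[i][j] - (1.0 if i == j else 0.0) for i in range(n)] + [0.0])
    rows.append([1.0] * n + [1.0])  # normalisation replaces the redundant equation
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(rows[r][col]))
        rows[col], rows[pivot] = rows[pivot], rows[col]
        for r in range(n):
            if r != col:
                f = rows[r][col] / rows[col][col]
                rows[r] = [a - f * b for a, b in zip(rows[r], rows[col])]
    return [rows[i][n] / rows[i][i] for i in range(n)]


def long_run_occupancy(P, mean_hold):
    """Long-run fraction of time in each state of the semi-Markov process:
    p_i = pi_i * m_i / sum_j(pi_j * m_j), with m_i the mean holding time."""
    pi = stationary_distribution(P)
    weighted = [p * m for p, m in zip(pi, mean_hold)]
    total = sum(weighted)
    return [w / total for w in weighted]


def simulate_occupancy(P, holding, steps=40000, seed=7):
    """Monte Carlo estimate of the same fractions by generating the process."""
    rng = random.Random(seed)
    n = len(P)
    time_in = [0.0] * n
    state = 0  # start in Secure
    for _ in range(steps):
        time_in[state] += holding[state](rng)            # dwell in the current state
        state = rng.choices(range(n), weights=P[state])[0]  # then jump via the embedded chain
    total = sum(time_in)
    return [t / total for t in time_in]


if __name__ == "__main__":
    analytic = long_run_occupancy(P, MEAN_HOLD)
    sampled = simulate_occupancy(P, HOLDING)
    for name, a, s in zip(STATES, analytic, sampled):
        print(f"{name:12s} analytic={a:.4f} simulated={s:.4f}")
    # A counteraction measure that halves the undetected-compromise window:
    faster = long_run_occupancy(P, [200.0, 3.0, 12.0, 12.0])
    print(f"P(Compromised) with 12 h mean detection: {faster[2]:.4f}")
```

The fraction of time in Compromised is the model's estimate of the probability that the system is in a breached state at a random instant, which is the kind of generalised index the Matrix of estimations aggregates; re-running `long_run_occupancy` with a shorter mean detection time shows how the model quantifies the effect of a counteraction measure before it is deployed. Because only the mean holding times enter the analytic formula, the shape of each dwell distribution matters for transient behaviour (seen in simulation) but not for the long-run occupancy.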
Conclusions to section
1. The development of the IS management standards was presented.
2. The main modern international IS management standards were described.
3. The national peculiarities of the IS management standards were highlighted.
4. The IS management standards were positioned according to the system approach to information security. The places of the national IS management standards in the system approach framework were illustrated.
5. The existing IS management solutions were overviewed and the most integrated existing IS management solution was highlighted. The major strengths and problems of the existing IS management solutions were stated.
6. Semi-Markov processes were suggested as a mathematical model of IS.
7. Considering the current state, problems and demands of the information security management branch, the author concludes that an ISMS with analytical potential is needed to satisfy the requirements of the branch, as well as to raise the sufficiency of IS management in organisations. The analytical functions of the product should facilitate IS audit and management in the target organisation.
8. IS maintenance can be considered as a stochastic system with partial observability and controllability. These properties must be accounted for in the development of an ISMS.

The features needed in an effective ISMS are defined in section 2.
SECTION 2. DEFINITION OF THE EFFECTIVE ISMS FEATURES
2.1 The mandatory ISMS documents
The branch standards of Ukraine ГСТУ СУІБ 1.0/ISO/IEC 27001:2010 and ГСТУ СУІБ 2.0/ISO/IEC 27002:2010 imply certain requirements for an ISMS. The document describes the main of these requirements.

To begin with, the ISMS must operate on the basis of certain policies. Otherwise, such policies may be produced in the process of its development or functioning. The work proposes the following mandatory ISMS documents.

Records of key management decisions regarding the ISMS, for example minutes of management meetings, investment decisions, mandating of policies, reports etc.; these are not individually specified in the standard apart from the following specific items.

The information security policy set matches the characteristics of the business, the organisation, its location, information assets and technology, and includes an ISMS policy and an information security policy.

The ISMS policy defines the objective-setting management framework for the ISMS, giving it an overall sense of direction and purpose and defining key principles. The ISMS policy must possess the following properties:
1. Take account of information security compliance obligations defined in laws, regulations and contracts;
2. Align with the organisation's strategic approach to risk management in general;
3. Establish information security risk evaluation criteria;
4. Be approved by management.

The information security policy or policies specify particular information security control objectives or requirements in one or more documents. This document should also be approved by management to have full effect.

The ISMS scope defines the boundaries of the ISMS in relation to the characteristics of the business, the organisation, its location, information assets and technology. Any exclusions from the ISMS scope must be explicitly justified.

Information security procedures are written descriptions of information security processes and activities, for example procedures for user ID provisioning and password changes, security testing of application systems, information security incident management response etc.

Other documentation, for example technical security standards, security architectures/designs etc., referencing ISO/IEC 27002 (details vary between ISMSs).

Risk assessment methods are policies, procedures and/or standards describing how information security risks are assessed.

Risk assessment reports document the results, outcomes and recommendations of information security risk assessments using the methods noted above. For identified risks to information assets, the possible treatments are applying appropriate controls, knowingly and objectively accepting the risks (if they fall within the information security risk evaluation criteria), avoiding them, or transferring them to third parties. The information security control objectives and controls should be identified in these reports.

The risk treatment plan is a project plan describing how the identified information security control objectives are to be satisfied, with notes on funding, roles and responsibilities.

ISMS operating procedures are written descriptions of the management processes and activities necessary to plan, operate and control the ISMS, for example the policy review and approvals process and the continuous ISMS improvement process.

Information security metrics describe how the effectiveness of the ISMS as a whole, plus key information security controls where relevant, is measured, analysed, presented to management and ultimately used to drive ISMS improvements.

The Statement of Applicability states the information security control objectives and controls that are relevant and applicable to the ISMS; it is generally a consolidated summary of the results of the risk assessments, cross-referenced to the control objectives from ISO/IEC 27002 that are in scope.

The document control procedure explains how ISMS documents are approved for use, reviewed, updated, re-approved as necessary, version managed, disseminated as necessary, marked etc.

The records control procedure explains how records proving conformity to ISMS requirements and the effective operation of the ISMS (as described elsewhere in the standard) are protected against unauthorised changes or destruction. Again, this procedure may be copied from the QMS or other management systems.

Security awareness, training and education records document the involvement of all personnel having ISMS responsibilities in appropriate activities (for example security awareness programmes and security training courses such as new employee security induction/orientation classes). While not dire