Information security management system of a corporate network

.Be approved by management;security policy or policies specifies particular information security control objectives or requirements in one or more documents.

Information security management system of a corporate network

Дипломная работа

Компьютеры, программирование

Другие дипломы по предмету

Компьютеры, программирование

Сдать работу со 100% гаранией
e base (including internal audit results), thus allowing to present the enterprise IS state from different perspectives, using same internal audit results for different external checks.

4.Production of personalised post instructions directly from initial normative documents is available.

To comply with any standard, an organisation must have a coordinated documentation, that is security policies must conform to corporate regulation and post instructions must be oriented at enforcing the policies. The proposed product uses the single systematised knowledge base to generate the documents, so all the outcomes will be firstly concerted, secondly - compliant to the target standard, and thirdly - oriented at its implementation.

Practical significance of the results

The application of the proposed ISMS on state and commercial enterprises or educational institutions allows to:

1.manage enterprise information security;

2.teach and learn the system approach to IS;

.develop high-level technical task for information security system creation, considering the system approach and enterprise peculiarities;

.produce post instructions for international standards (ISO 27001(2), PCI DSS) implementation.lower price of the proposed ISMS (in comparison to analogous products present at the Ukrainian market) allows the small and medium enterprises to save up to 10 times on purchase of an ISMS. Thus, the total certification cost decreases.of the proposed ISMS provides a possibility to reduce financial expenses on bringing in external auditors and consultants.

Approbation of the results

The author presented the practical value of the proposed product at the xi international conference of young researchers and students Polit. Challenges of science today on April 6-7, was awarded the second place in the section Mathematics and computer technologies. The thesis of the report can be found in [6].


The author has made publications [7] and [8] concerning the topic of the presented work before the beginning of the presented research.scientific value of the results of the performed research and product development is presented in the publication [9].these publications will be mentioned further in the work in more detail.

Structure and volume of the thesis

The presented masters degree thesis contains introduction, three sections, conclusions that include the main results of the work, reference list of 16 items, six appendixes. The full volume of the thesis is 114 pages, including 23 figures and one table.



1.1 IS management standards development


.1.1 The ISO/IEC 27000-series

As the recently accepted information security standards are strongly based on international ISO/IEC 27000 standards series, the author considers it necessary to present the information about these documents.information security standards recently accepted by the National bank of Ukraine were developed on the basis of ISO/IEC 27000-series standards family (the so-called ISMS family, or ISO27k in short).ISO/IEC 27000-series comprises information security standards published jointly by the International Organisation for Standardization (ISO) and the International Electrotechnical Commission (IEC). The standards are the product of ISO/IEC JTC1 (Joint Technical Committee 1) SC27 (Sub Committee 27), an international body that meets in person twice a year.series provides best practice recommendations on information security management, risks and controls within the context of an overall Information Security Management System (ISMS), similar in design to management systems for quality assurance (the ISO 9000 series) and environmental protection (the ISO 14000 series).series is deliberately broad in scope, covering more than just privacy, confidentiality and IT or technical security issues. It is applicable to organisations of all shapes and sizes. All organisations are encouraged to assess their information security risks, then implement appropriate information security controls according to their needs, using the guidance and suggestions where relevant. Given the dynamic nature of information security, the ISMS concept incorporates continuous feedback and improvement activities, summarized by Deming's "plan-do-check-act" approach, that seek to address changes in the threats, vulnerabilities or impacts of information security incidents.first standard of the family, named ISO/IEC 27000 [1] defines the scope and vocabulary of the whole series. International Standards for management systems provide a model to follow in setting up and operating a management system. This model incorporates the features on which experts in the field have reached a consensus as being the international state of the art. ISO/IEC JTC 1 SC 27 maintains an expert committee dedicated to the development of international management systems standards for information security, otherwise known as the Information Security Management System (ISMS) family of standards.the use of the ISMS family of standards, organisations can develop and implement a framework for managing the security of their information assets and prepare for an independent assessment of their ISMS applied to the protection of information, such as financial information, intellectual property, and employee details, or information entrusted to them by customers or third parties.ISMS family of standards is intended to assist organisations of all types and sizes to implement and operate an ISMS. The ISMS family of standards consists of the following International Standards, under the general title Information technology - Security techniques.


1.1.2 The ISO/IEC 27001

ISO/IEC 27001 is the formal set of specifications against which organisations may seek independent certification of their Information Security Management System (ISMS). The standard specifies requirements for the establishment, implementation, monitoring and review, maintenance and improvement of a management system - an overall management and control framework - for managing an organisations information security risks. It does not mandate specific information security controls but stops at the level of the management system.standard covers all types of organisations (e.g. commercial enterprises, government agencies and non-profit organisations) and all sizes from micro-businesses to huge multinationals. This is clearly a very wide brief.information security under management control is a prerequisite for sustainable, directed and continuous improvement. An ISO/IEC 27001 ISMS therefore incorporates several Plan-Do-Check-Act (PDCA) cycles: for example, information security controls are not merely specified and implemented as a one-off activity but are continually reviewed and adjusted to take account of changes in the security threats, vulnerabilities and impacts of information security failures, using review and improvement activities specified within the management JTC1/SC27, the ISO/IEC committee responsible for ISO27k and related standards, ISO/IEC 27001 is intended to be suitable for several different types of use, including the following.

1.Use within organisations to formulate security requirements and objectives;

2.Use within organisations as a way to ensure that security risks are cost-effectively managed;

.Use within organisations to ensure compliance with laws and regulations;

.Use within an organisation as a process framework for the implementation and management of controls to ensure that the specific security objectives of an organisation are met;

.The definition of new information security management processes;

.Identification and clarification of existing information security management processes;

.Use by the management of organisations to determine the status of information security management activities;

.Use by the internal and external auditors of organisations to demonstrate the information security policies, directives and standards adopted by an organisation and determine the degree of compliance with those policies, directives and standards;

.Use by organisations to provide relevant information about information security policies, directives, standards and procedures to trading partners and other organisations that they interact with for operational or commercial reasons;

.Implementation of a business enabling information security;

.Use by organisations to provide relevant information about information security to customers.document [10] provides the history of the ISO/IEC 27001 development.standard works in the following way. Most organisations have a number of information security controls. Without an ISMS however, the controls tend to be somewhat disorganized and disjointed, having been implemented often as point solutions to specific situations or simply as a matter of convention. Maturity models typically refer to this stage as "ad hoc". The security controls in operation typically address certain aspects of IT or data security, specifically, leaving non-IT information assets (such as paperwork and proprietary knowledge) less well protected on the whole. Business continuity planning and physical security, for examples, may be managed quite independently of IT or information security while Human Resources practices may make little reference to the need to define and assign information security roles and responsibilities throughout the organisation./IEC 27001 imposes the following requirements on the management.

1.Systematically examine the organisation's information security risks, taking account of the threats, vulnerabilities and impacts;


Похожие работы

<< < 1 2 3 4 5 6 7 > >>