Information security management system of a corporate network

Diploma thesis
rity system of the Ukrainian segment of the external communication and data transfer network of the space rocket complex «Cyclone». The list of documents in this section of the offered classification was presented.

The normative-legal documents in this direction comprised laws, normative documents and statements of Ukraine on providing information security.

A conclusion was made about the necessity of harmonising the terminology and statements of the existing normative-legal documents in the area of providing information security, with the purpose of increasing the efficiency of the Ukrainian legislative base.

The conducted analysis of normative documents allowed to improve the efficiency of providing information security in the external communication and data transfer network of the space rocket complex «Cyclone».

The results of the research also formed the recommendations for the structure of the IS standards that will provide a broader encompassing description of the legislative base.

Using the method described above, the Ukrainian branch standards in information security management [3, 4] can be positioned in the framework of the system approach to IS in the following way.

In the system approach to IS by V.V. Domarev described in [2], the considered object is a document, so it falls in the base 001 Bases. As can be observed from the titles of the considered documents, they refer to the direction 050 - Security system management. More precise positioning is determined from the contents of the documents.


1.2.2 The scope of ГСТУ СУІБ 1.0/ISO/IEC 27001:2010

Section 0.1 General statements of the introduction to the document says: "This standard is created to supply the model of development, introduction, functioning, monitoring, revision, maintenance and perfection of the information security management system (ISMS)." Thus the document [3] occupies the cells 451, 651 and 751, which represent the normative base of determination of requirements, introduction and use, and control and management in security system management. The position of the standard [3] in the framework of the system approach to IS is illustrated by fig. 1.3. The descriptions of the cells in Domarev's matrix can be found in [2].


Fig. 1.3. The scope of ГСТУ СУІБ 1.0 in the system approach matrix


1.2.3 The scope of ГСТУ СУІБ 2.0/ISO/IEC 27002:2010

Section 1 Application sphere states that the standard "establishes directives and general principles in relation to establishment, introduction, support and perfection of information security management in an organisation". Thus the document [4] primarily occupies the cells 651 and 751, which represent respectively the normative base of introduction and use, and of control and management in security system management. Section 5 Security policy adds the cell 151 (normative base of determination of information to be protected in security system management) to the document's position. The position of the standard [4] in the framework of the system approach to IS is illustrated by fig. 1.4. The descriptions of the cells in Domarev's matrix can be found in [2].


Fig. 1.4. The scope of ГСТУ СУІБ 2.0 in the system approach matrix


1.3 IS management solutions overview

A branch of software related to information security management, named Governance, Risk and Compliance (GRC), appeared in response to the need of fitting the business security into certain rules. The document [12] provides general information about GRC and the software solutions in this area.

IT governance, risk and compliance management (IT GRCM) is maturing as a technology. The market is growing steadily, but remains relatively small, with a crowded field of vendors. IT GRCM products address requirements to automate risk management.

The IT GRCM market comprises vendors that provide software products to help organisations proactively measure and manage their IT technology and process controls.

The IT GRCM market benefits maturing organisations with existing processes for measuring, managing and reporting IT controls that are ready for automation.

IT GRCM solutions have a repository; basic document management capabilities; good workflow, survey and reporting functions; and dashboarding, with policy content that is specific to IT controls, and support for the automated measurement and reporting of IT controls.

The choice between IT GRCM and enterprise GRC (EGRC) platforms depends on the focus of the effort. IT GRCM is recommended for bottom-up, IT-centric requirements, while EGRC platforms are recommended for top-down enterprise risk management requirements.

IT GRCM technology continued to mature through 2009 and growth is steady, but the market remains relatively small ($117 million in 2009) because most organisations are not ready to implement IT GRCM automation. The market continued to grow during the worldwide economic downturn in 2009, indicating that automating the mapping and measurement of compliance controls remains a priority for organisations.

EGRC platforms serve organisations that take an enterprise approach to compliance and risk management, and that want to have all business units, including the IT organisation, on the same GRCM solution. Most vendors with EGRC platforms offer modest IT governance automation functions. At a minimum, most EGRC vendors offer the capability to document, survey and report IT risks and controls, but lack IT-specific content. Some vendors also provide limited support for an IT asset repository and IT policy management. Organisations with a primary interest in IT-centric GRCM requirements should be aware that most EGRC platforms balance finance, operational and IT requirements at the expense of IT-centric depth.

IT GRCM products support operational risk management through functions that measure, manage and report on IT-centric technology and process controls. Organisations can use IT GRCM products to document and assess their IT-centric technology and process controls. The core IT GRCM functions are the following:

- Controls and policy mapping;
- Policy distribution and training attestation;
- IT control self-assessment and measurement;
- IT GRCM asset repository;
- Automated general computer control collection;
- Remediation and exception management;
- Basic compliance reporting;
- IT compliance dashboards;

- IT risk.

IT GRCM products also help organisations to proactively measure and manage their IT technology and process controls. The typical additional functions of these products are the following:

- Definition of IT policies, processes and controls that are based on best practices;
- Management of policy content;
- Mapping policies to process and technical controls, as appropriate;
- Automating the measurement of process and technical controls;
- Evaluating levels of compliance with various mandates;
- Automating the auditing and regulatory reporting of these elements.

Organisations should define their basic approach as top-down or bottom-up, and use this to guide their requirements.

A top-down approach implies that IT GRCM is only one of the control categories that will be measured and reported, along with financial governance and operational requirements such as environmental, health and safety. Top-down usually requires less-detailed requirements for gathering general computer control data, such as configuration and patch data, but places a premium on higher-level reporting to executives. A top-down approach is more appropriately addressed with EGRC platforms.

A bottom-up approach implies greater detail in IT controls for an IT-centric audience. Many organisations use IT GRCM to organise their vulnerability scan, patch and configuration control data. Traditional IT GRCM tools are more appropriate for IT-specific requirements.

The most significant limiting factor for the IT GRCM and EGRC products is the divergence of requirements between top-down and bottom-up approaches. In many cases, organisations are buying two separate tools, indicating that this difference is more substantial than just vendor marketing and different buying centres.

The divergence is based on the differences in management and reporting requirements for top-down vs. bottom-up. Top-down tends to be led by enterprise risk management teams addressing business executive requirements, as opposed to bottom-up requirements, which are typically led by IT or information security operations teams. The vendors continue to add functions that overlap top-down and bottom-up requirements, but convergence will only happen when organisations stop buying multiple tools to address diverging requirements and agree on one tool as addressing both approaches comprehensively.

For the comparison of GRC products the following evaluation criteria are used.

Market understanding - the capability of the vendor to understand the buyer and the major functional requirements of an IT-focused GRC deployment, as opposed to the requirements of finance- or operational-risk-focused GRC deployments. This criterion has a high weight in the overall estimation.

Customer experience - feedback from customers that have evaluated or deployed IT GRCM solutions is assessed with regard to the fit of function to IT GRCM use cases, the maturity and stability of IT GRCM functions, the code quality, and the quality of support. This criterion has a standard weight in the overall estimation.

Strategy - an evaluation of the vendor's overall strategy for IT GRCM, including the sales strategy, product differentiation, capability to capitalise on an existing customer base, and the use of GRC capabilities to enhance other elements of a technology portfolio. This criterion has a low weight in the overall estimation.

Product/service - an evaluation of IT GRCM feature sets as they map to current and future requirements, with a focus on IT-specific GRC content, IT control assessment automation
