The purpose of the work is to systematize the available knowledge about the information security models presented in standards and scientific research, in order to reduce the labor intensity of two tasks: analyzing and selecting an information security model relevant to the information infrastructure of the enterprise, and assessing the current level of information security of the enterprise.
To identify and analyze the information security models in use, this work considers standards, regulatory legal acts and scientific research in the field of information security. Knowledge about information security models was systematized by analyzing standards, scientific research and normative legal acts on information security; identifying the common properties of information security models; grouping criteria and the evidence confirming the implementation of information security measures by their common features; and identifying ways to automate the assessment of the current level of information security.
In the course of the work: the main criteria of an information security model were identified; a list of certificates that allow monitoring the implementation of information security measures was formed; common features of criteria and certificates sufficient for grouping were revealed; the types of certificates were identified; an algorithm for assessing the current level of information security of an enterprise was formed; and methods of automating the collection of information about the information security models used by an enterprise, and of the evidence of the implementation of information security measures, were identified.
This work systematizes knowledge about the existing models and makes it possible to analyze information security criteria without the need to study all the standards and scientific papers considered here, which reduces the labor intensity of analyzing and selecting an information security model relevant to the information infrastructure of an enterprise. The results of this work will be applied to determine whether the assessment of the current level of information security of an enterprise can be automated.
Klishin D.V., Chechulin A.A. Analiz standartov obespecheniya informatsionnoi bezopasnosti [Analysis of information security standards]. Sistemy analiza i obrabotki dannykh = Analysis and Data Processing Systems, 2023, no. 1 (89), pp. 37–54. DOI: 10.17212/2782-2001-2023-1-37-54.