Open Education

Calculation of risks of information security of telecommunication enterprise

https://doi.org/10.21686/1818-4243-2018-2-61-70

Abstract

The goal of this work is to identify and assess information security risks for a typical distributed information system within three controlled areas. The main emphasis in applying information security to the considered information system is on minimizing damage from security threats aimed at the integrity and availability of the system's hardware and software complex, rather than at the confidentiality of the information resources processed with it. The study examined international and national standards in the field of information security that regulate information security risk management. In particular, the basic requirements for the assessment and processing of information security risks were established on the basis of the international standard “ISO 27001: 2013 Information technologies. Methods of protection. Information security management systems”, and this standard was compared with its 2005 version. As the leading method of risk assessment and processing, the most economical one, the qualitative method, was chosen, because no ready data were available on the number of attacks carried out against the considered information system over a given period of time. In the process, the valuable assets of the organization were considered; based on the business process of the telecommunication company, major and minor assets were allocated, together with the corresponding information security threats according to the security threat data bank of the Federal Service for Technical and Export Control. The result of this work was the calculation of information security risks, based on the allocation of the organization's valuable assets, the degree of potential damage from the implementation of threats against those assets, and the probability of the implementation of threats against the information system of the telecommunication enterprise.
In addition, acceptable risks were identified, whose processing is not required because the actual cost of minimizing them exceeds the losses from the implementation of the corresponding threats. In conclusion, possible measures were proposed to minimize information security risks, including a backup system, a system for protection against unauthorized access, an anti-virus protection system, firewalling, and organizational and physical protection measures. The proposed method makes it possible to reasonably assess the information security risks of an organization under conditions of insufficient initial data and without additional hardware and software for risk assessment, which allows it to be applied to model organizations based only on scaling of the considered system, provided the processed data contain no state secret. The risk management procedure not only helps to identify and eliminate vulnerabilities and to keep track of innovations in the field of risk assessment, but also raises the literacy level of the staff involved in the risk assessment and management process.
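The qualitative calculation the abstract describes (risk from the degree of potential damage and the probability of threat implementation, with a risk accepted when minimizing it costs more than the loss it prevents) can be illustrated with the following added example. It is not the paper's own code or data: the ordinal scales, the assets, the threats and the cost figures are constructed for this illustration.

```python
# Added illustration of qualitative information security risk calculation.
# Scales, assets, threats and cost figures are constructed for this example;
# they are not taken from the paper.
from dataclasses import dataclass

# Assumed ordinal scales (1 = lowest, 3 = highest).
DAMAGE = {"low": 1, "medium": 2, "high": 3}
PROBABILITY = {"low": 1, "medium": 2, "high": 3}


@dataclass
class ThreatRisk:
    asset: str              # valuable asset of the organization
    threat: str             # threat against that asset (descriptive name here)
    damage: str             # degree of potential damage if the threat is realised
    probability: str        # probability that the threat is realised
    loss: float             # estimated loss from realisation (conventional units)
    mitigation_cost: float  # cost of the measure that would minimise the risk


def risk_level(tr: ThreatRisk) -> int:
    """Qualitative risk as damage x probability on the assumed scales (1..9)."""
    return DAMAGE[tr.damage] * PROBABILITY[tr.probability]


def is_acceptable(tr: ThreatRisk) -> bool:
    """A risk is acceptable when minimizing it costs more than the loss it prevents."""
    return tr.mitigation_cost > tr.loss


def assess(threats, threshold: int = 4):
    """Return (asset, threat, level, decision) tuples, highest risk first."""
    rows = []
    for tr in threats:
        level = risk_level(tr)
        if is_acceptable(tr):
            decision = "accept"           # processing not required
        elif level >= threshold:
            decision = "treat"            # propose a protective measure
        else:
            decision = "monitor"
        rows.append((tr.asset, tr.threat, level, decision))
    return sorted(rows, key=lambda r: r[2], reverse=True)


# Constructed sample register for a small telecommunication operator.
SAMPLE = [
    ThreatRisk("billing server", "malware infection", "high", "medium", 500.0, 50.0),
    ThreatRisk("core switch", "power failure", "high", "low", 300.0, 40.0),
    ThreatRisk("office workstation", "physical theft", "low", "low", 20.0, 150.0),
    ThreatRisk("backup storage", "unauthorized access", "medium", "high", 400.0, 80.0),
]
```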

About the Authors

L. M. Il’chenko
Saint-Petersburg National Research University of Information Technologies, Mechanics and Optics
Russian Federation
Lidiya M. Il’chenko – Master student
Saint-Petersburg

E. K. Bragina
Saint-Petersburg National Research University of Information Technologies, Mechanics and Optics
Russian Federation
Elizaveta K. Bragina – Master student
Saint-Petersburg

I. E. Egorov
Saint-Petersburg National Research University of Information Technologies, Mechanics and Optics
Russian Federation
Il’ya E. Egorov – Master student
Saint-Petersburg

S. I. Zaysev
Admiral Makarov State University of Maritime and Inland Shipping
Russian Federation
Svyatoslav I. Zaytsev – Master student
Saint-Petersburg

For citations:

Il’chenko L.M., Bragina E.K., Egorov I.E., Zaysev S.I. Calculation of risks of information security of telecommunication enterprise. Open Education. 2018;22(2):61-70. (In Russ.) https://doi.org/10.21686/1818-4243-2018-2-61-70

This work is licensed under a Creative Commons Attribution 4.0 License.


ISSN 1818-4243 (Print)
ISSN 2079-5939 (Online)