Improving the efficiency of the formation of professional competencies Masters in “Information Security” based on the use of CASE-technologies
https://doi.org/10.21686/1818-4243-2019-3-25-32
Abstract
Purpose of the study. In modern conditions, building an effective enterprise information security system requires specialists with the appropriate professional competencies and the systems-approach skills to analyze the combination of factors that influence the state of the enterprise's information security. Preparing such specialists requires qualitative changes in the content of educational disciplines, based on the use of system analysis methods and tools in the process of building an information security system.
The current approaches to assessing the risk of an enterprise are based on the formation of a register of its information resources necessary for the further processing of risks. Adequate assessment of the value of a resource is impossible without a correct understanding of the semantics of this resource and its role in the implemented business processes. Modern approaches to the formation of the register of enterprise information resources, according to the authors, do not offer an effective method of identifying resources and estimating their value.
This paper considers an approach based on the use of structural and functional analysis methods and CASE-technologies in the formation of a register of information resources of the enterprise in the training of masters in the direction of “Information Security”.
Materials and methods. For the formation of the register of enterprise information resources, it is proposed to build a structural-functional enterprise model using the IDEF0 notation. Business process modeling was performed in the Business Studio environment of “Modern Control Technologies”.
As an example for risk analysis, the activities of a typical IT-industry company engaged in the development and implementation of enterprise management information systems were considered.
Results. The technique was successfully tested in the educational process. According to the authors of the article, the use of this technique in conducting laboratory classes for masters enrolled in the “Information Security” direction has made it possible to increase the efficiency of the formation of professional competencies in students and, consequently, in general, the quality of education.
The results obtained can be used not only as a training method for specialists in the field of information security. Applying the methodology considered in the article for forming the register of enterprise information resources in practical information security work will increase the validity of decisions on protecting the enterprise's information.
Conclusion. The paper proposes a method to justify the choice of the main directions for the protection of enterprise information based on the analysis of its business processes. A distinctive feature of the technique is the use of modern CASE-technologies for decision-making in the field of enterprise information security.
The implementation of the methodology allows you to create a register of information resources of the enterprise, including an assessment of the likely damage for each resource. The register shows the bottlenecks in the organization of protection, which should be given priority when planning measures to protect information. On the basis of the data obtained, it is possible to form a strategy and tactics for developing an enterprise information protection system that is reasonable from an economic point of view.
About the Authors
A. V. Gavrilov
Russian Federation
Aleksandr V. Gavrilov – Cand. Sci. (Engineering) Associate Professor, Associate Professor at the Department of Applied Informatics and Information Security
Moscow
V. A. Sizov
Russian Federation
Valeriy A. Sizov – Dr. Sci. (Engineering), Professor, Professor at the Department of Applied Informatics and Information Security
Moscow
For citations:
Gavrilov A.V., Sizov V.A. Improving the efficiency of the formation of professional competencies Masters in “Information Security” based on the use of CASE-technologies. Open Education. 2019;23(3):25-32. (In Russ.) https://doi.org/10.21686/1818-4243-2019-3-25-32