Methodology for Assessing the Risks of Information Enterprise Security Using Case Technologies
https://doi.org/10.21686/1818-4243-2021-5-41-49
Abstract
Purpose of the study. Creating an effective information security system for an enterprise is impossible without an adequate assessment of the risks to which its assets are exposed. The results of such an assessment should become the basis for decisions in the field of enterprise information security. Identifying information assets, assessing their value, and determining the level of threats to their security make it possible to plan the measures that build an enterprise information security system.
This paper discusses a methodology for assessing the information security risks of an enterprise, whose distinctive feature and novelty is the use of modern tools and methods for constructing and analyzing business processes in order to identify the information assets of the enterprise that need protection.
Materials and methods. It is proposed to identify information assets based on the model of business processes of the enterprise, performed using the IDEF0 methodology. Modeling of business processes was carried out in the Business Studio environment of the “Modern Management Technologies” company.
The activities of a typical IT-industry company served as the example for the risk analysis.
Results. The methodology for assessing the information security risks of an enterprise described in the article has been successfully tested in the educational process. Its use in laboratory classes for the course “Designing the information security system of enterprises and organizations”, taken by master’s students in the “Information Security” programme, has, in the authors’ assessment, improved the development of students’ professional competencies.
Conclusion. The paper proposes a methodology for assessing information security risks for the objects of an enterprise’s information infrastructure, which makes it possible to identify priority areas of information security at the enterprise. Applying the technique produces a loss matrix that shows the problem areas in the organization of information protection, and these areas should receive priority attention when planning information security measures. On the basis of the data obtained, an economically justified strategy and tactics for developing the enterprise information security system can be formed.
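The following is an added illustration of the steps the abstract describes, not code from the paper: information assets are read off the arrows of an IDEF0-style activity model, and a loss matrix over asset–threat pairs is built from them. The activity model, the asset value scale, the threat probabilities and the loss formula (value times the probability that a threat is realised at any of the points where the asset is handled) are assumptions of this example; the paper does not publish its own scales.

```python
"""Added illustration, not code from the paper: derive the asset register from
an IDEF0-style activity model and build a loss matrix over it. The value scale,
threat probabilities and the loss formula are assumptions of this example."""
from dataclasses import dataclass, field

@dataclass
class Activity:
    """One IDEF0 box. Input, control and output arrows carry information flows,
    which are the candidate assets; mechanisms (staff, tools) are left out."""
    name: str
    inputs: list = field(default_factory=list)
    controls: list = field(default_factory=list)
    outputs: list = field(default_factory=list)

def identify_assets(model):
    """Every distinct information flow named on any arrow of the model."""
    return sorted({flow for a in model for flow in a.inputs + a.controls + a.outputs})

def exposure_points(model, asset):
    """How many activities handle the asset, i.e. how many places it is exposed."""
    return sum(asset in a.inputs + a.controls + a.outputs for a in model)

def loss_matrix(model, values, threats):
    """Expected loss per (asset, threat). Assumed model: a threat's base
    probability applies independently at each exposure point, so
    p = 1 - (1 - base) ** n, and loss = asset value * p."""
    matrix = {}
    for asset in identify_assets(model):
        n = exposure_points(model, asset)
        matrix[asset] = {t: round(values[asset] * (1 - (1 - p) ** n), 2)
                         for t, p in threats.items()}
    return matrix

def priority_areas(matrix, top=3):
    """Cells with the largest expected loss: the problem areas to address first."""
    cells = [(a, t, v) for a, row in matrix.items() for t, v in row.items()]
    return sorted(cells, key=lambda c: c[2], reverse=True)[:top]

# Constructed fragment of an IDEF0 model of a software company (hypothetical).
MODEL = [
    Activity("Collect requirements", ["client request"], ["contract"], ["requirements spec"]),
    Activity("Develop software", ["requirements spec"], ["contract"], ["source code", "build"]),
    Activity("Deliver to client", ["build"], [], ["release"]),
]
# Constructed asset values (relative scale) and base threat probabilities.
VALUES = {"client request": 2, "contract": 5, "requirements spec": 4,
          "source code": 9, "build": 3, "release": 3}
THREATS = {"leak": 0.3, "loss": 0.2, "tampering": 0.1}

if __name__ == "__main__":
    for asset, threat, loss in priority_areas(loss_matrix(MODEL, VALUES, THREATS)):
        print(f"{asset:18} {threat:10} {loss}")
```

Assets that cross several activities (here the contract, the requirements specification and the build) get a higher probability than their base rate, which is what makes the matrix prioritise differently from a plain value ranking.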
About the Authors
A. V. Gavrilov
Russian Federation
Aleksandr V. Gavrilov, Cand. Sci. (Engineering), Associate Professor, Associate Professor at the Department of Applied Informatics and Information Security
Moscow
V. A. Sizov
Russian Federation
Valeriy A. Sizov, Dr. Sci. (Engineering), Professor, Professor at the Department of Applied Informatics and Information Security
Moscow
E. V. Yaroshenko
Russian Federation
Elena V. Yaroshenko, Cand. Sci. (Economics), Associate Professor at the Academic Department of Applied Information Technology and Information Security
Moscow
For citations:
Gavrilov A.V., Sizov V.A., Yaroshenko E.V. Methodology for Assessing the Risks of Information Enterprise Security Using Case Technologies. Open Education. 2021;25(5):41-49. (In Russ.) https://doi.org/10.21686/1818-4243-2021-5-41-49