Enterprise Information Security Assessment Using Balanced Scorecard

Author(s): R. Fatkieva, A. Krupina

2019, Vol 4 (3), pp. 188-197
Author(s): Dmytro DIACHKOV

Introduction. The purpose of the article was to develop methodological foundations for assessing and diagnosing the information security of agricultural enterprises.

Methods of research. The tasks of the article were solved by means of general and special research methods: analysis and synthesis, systematization and generalization, the grouping method, and the dialectical approach.

Results. The ways and methods of assessing the information security of an enterprise were defined and characterized. Among them are standard-based assessment, risk-oriented assessment and economic indicators. Much of the methodology for assessing the level of information security of an enterprise, an agrarian enterprise in particular, was based on the identification of information risks using the US and British methods CRAMM, FRAP, OCTAVE, NIST, MSAT and COBRA and the Russian GRIF 2006 methodology.

Originality. It was proved that, for developing the methodological bases of estimating and diagnosing the level of enterprise information security, it is expedient to combine the advantages of standard-based assessment, information-system risk assessment, and group and individual indicators of the economic component of information security assessment.

Practical importance. A concept for developing a methodology for the economic assessment and diagnostics of information security of agri-food enterprises was proposed. It takes into account the advantages of the considered methods of diagnosing and assessing the information security level of agricultural enterprises, offers a quantitative and qualitative assessment of its components, determines the impact of integrated indexes on the performance indicators and safety of agricultural business entities and, as a result, offers effective ways to optimize the management of information security in companies of the agri-food sector. The main scientific provisions of the article can be used in the practice of agricultural enterprises.
Keywords: concept, economic indicators of assessment, enterprise of the agro-food sphere, management of information security, methodology, methods of assessment of information security, risk-oriented approach, standard.


Author(s): Masuyoshi YACHIDA, Mototsugu Muroi, Taku Kitahara, Ryohta YAMASHINA

Author(s): Andrei V. Gavrilenko

The article considers the information security of distance education systems. It analyzes the functions and architecture of a typical distance education system. Taking into account information security requirements, it also discusses the university information system used to solve distance learning problems. The author defines the valuable assets and information resources and describes the existing security threats. The subjects of interaction in the distance learning mode are presented. The principal directions of the university's activity in the distance learning system that require constant monitoring of information security are considered. A threat model is worked out and the main security vulnerabilities are highlighted. The causes and consequences of information security violations in the distance learning system are analyzed, and the most vulnerable and critical nodes are identified. The hardware and software requirements for remote-mode work are considered. A recommended list of hardware and software tools that ensure compliance with the security requirements is presented. The major lines of protection for distance learning systems are highlighted. The article proves the necessity of conducting regular security assessments as a means of monitoring the effectiveness of the protection system.


2019, Vol 2 (2), pp. 57-64
Author(s): Arini Arini

Information is one of the most important assets for the survival of an organization or business, for national defense, security and integrity, and for public trust among consumers, so its availability, accuracy and integrity must be maintained; this is commonly abbreviated as CIA (Confidentiality, Integrity & Availability). ISO 27001 is an information security standard published in October 2005 by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). However, until now there has been no tool for companies in Indonesia to perform a pre-assessment of their level of information security. Together with the lack of socialization of the rules and the lack of ISO 27001 experts in Indonesia, these are the reasons why the authors conducted this research. The author begins the research by collecting data through a literature study and expert interviews to identify the problems. The implementation is then directed (knowledge acquisition) and reviewed directly by an ISO 27001 expert from The British Standards Institution of the United Kingdom (BSI) so that the results are more accurate. After that, the writer determines the weighting method (decision making), the scoring method, the system development method, and the simulation method (testing). The result of the study is a pre-assessment tool for evaluating the information security assessment index, displayed according to indicators derived from ISO 27001:2013 using the AHP (Analytical Hierarchy Process) decision-making method; it is web-based, making it easier to review.


2022, Vol 1 (13), pp. 80-92
Author(s): Nguyễn Mạnh Thiên, Phạm Đăng Khoa, Nguyễn Đức Vượng, Nguyễn Việt Hùng

Abstract (translated from Vietnamese)—Currently, the task of assessing the information security of information systems is of great importance in ensuring information security. Vulnerability assessment/exploitation needs to be performed regularly and at many different levels for information systems. However, this task faces many difficulties in wide-scale deployment due to the shortage of quality testing experts at the different levels. Within the framework of this paper, we present research on the development of a Framework capable of automatically reconnoitering information and automatically selecting the code to carry out exploitation of the target, based on reinforcement learning technology. In addition, the Framework is capable of quickly incorporating new vulnerability exploitation methods, providing good support to staff in charge of information systems who are not security experts, so that they can automatically assess their own systems in order to reduce the risk from cyber attacks.

Abstract—Currently, security assessment is one of the most important problems in information security. Vulnerability assessment/exploitation should be performed regularly with different levels of complexity for each information system. However, this task faces many difficulties in large-scale deployment due to the lack of experienced testing experts. In this paper, we propose a Framework that can automatically gather information and automatically select a suitable module to exploit the target based on reinforcement learning technology. Furthermore, our framework has integrated many scanning tools and exploitation tools that help pentesters do their work. It can also be easily updated with new vulnerability exploitation techniques.


2018, Vol 18 (3), pp. 333-338
Author(s): E. A. Vitenburg, A. A. Levtsova

Introduction. The quality of production processes depends largely on the management infrastructure, in particular on the effectiveness of the information system (IS). Company management pays increasingly greater attention to the security of this sphere, and financial, material and other resources are regularly channeled to its support. In the presented paper, some issues in the development of a secure enterprise information system are considered.

Materials and Methods. Protection of the enterprise IS takes into account some specific aspects of the object and the immediate threats to IT security. Within the framework of this study, it is accepted that an IS is a complex of data resources. A special analysis results in the following categories of threats to enterprise information security: hacking, leakage, distortion, loss, blocking and abuse. The connection between these threats, the IS components and the elements of the protection system is identified. The requirements of the normative legal acts of the Russian Federation and of the international standards regulating this sphere are considered. It is shown how the analysis results enable validation of the selection of the elements of the IS protection system.

Research Results. A comparative analysis of the regulatory literature pertinent to this issue highlights the following. Different documents offer different sets of elements (subsystems) for the enterprise IS protection system. To develop an IS protection program, one should be guided by FSTEC Order No. 239 and NIST SP 800-82 Revision 2, Guide to ICS Security.

Discussion and Conclusions. The presented research results are the basis for building a software package of intellectual support for decision-making when designing an enterprise information security system. In particular, it is possible to develop flexible systems that allow the composition of the components (subsystems) to be expanded.

