Identity and Access Management: High-level Conceptual Framework

Information security is shifting from a traditional perimeter-based approach to an identity-based approach where the organization's boundaries are where their digital identities exist. The organization has multiple stakeholders having access to various organization resources. Systems and applications are part of organization resources that help them achieve their business goals. These systems and applications are internally or externally exposed to allow all stakeholders to have seamless access, thus making identity and access management a big challenge. Identity and Access Management (IAM) is a fundamental part of information security. It plays a critical role in keeping the organization's information security posture resilient to cyber attacks. This paper will identify various components of an IAM solution that are essential and should be considered while implementing and assessing the IAM solution and provides a high-level IAM framework that will allow information security professionals to assess the IAM security posture of an organization.

INFORMATION SECURITY AUDIT OF AN OPTOELECTRONIC DEVICE ENGINEERING ENTERPRISE

Automated systems play a key role in supporting business processes of commercial and state enterprises. The widespread use of automated information systems for storing, processing and transmitting information makes the issues of their protection relevant, especially given the global trend towards an increase in the number of information attacks, leading to significant financial and material losses. The article demonstrates the importance of conducting an audit in the field of information security of optoelectronic instrumentation. The article discusses the stages and rules of conducting an information security audit, as well as the criteria for evaluating its results. Information security audit is one of the most efficient tools for obtaining an independent and objective assessment of the current level of enterprise security from information security threats. In addition, the audit results provide the basis for forming a development strategy for the organization’s information security system.

DEVELOPMENT OF THE AUTOMATED INFORMATION SYSTEM FOR ORGANIZATION’S INFORMATION SECURITY CULTURE LEVEL ASSESSMENT

Relevance of the research. Ensuring the effectiveness of the information security systems requires creation of an appropriate information security culture for the employees of the organization in order to reduce human-related risks. Target setting. The techniques currently available for assessing information security risk are excluded as a source of the potential vulnerability. Considering the role of the personnel in the organization's information security systems, there is a need to create automated systems of human-machine interaction assessment through the level of the personnel information security culture, and to determine the integral indicator of the organization's information security culture. Actual scientific researches and issues analysis. Open access publications on the problems of integrating the information security culture into the corporate culture of the organization as a tool for ensuring the proper information security level of business processes are considered. Uninvestigated parts of general matters defining. The absence of formalized models for assessing the organization's information security culture level, as well as an automated process for its assessing were revealed by source analysis. The research objective. The purpose of the article to build a model that describes the process of obtaining an organization's information security culture level assessment in IDEF0 notation. Then, to create an architecture and database for system of information security culture assessment to support the general organization's information security system. The statement of basic materials. According to functional requirements, a conceptual model of «The organization`s ISC level determination» development process was created. Input information, governing elements, execution elements and mechanism, and output information were defined. To accomplish these tasks, an architecture and database of information system for assessing the information security culture level of the organization were proposed. Conclusions. The functional model of top-level development process was proposed. Formed functional requirements became the basis for development of information system architecture with description of its modules and database structure.

Employer Branding and Internet Security

This chapter promotes the concept of employer branding (EB) as special kind of value management being part of strategic human resources management (SHRM) and including elements of cyber security. Employees' and organization's shared values (EVPs) bring opportunity to create common sense of identity, which prevents potentially aversive behavior towards company's reputation. Chapter's background positions EB and EVP in process of SHRM, introduces the view of EB as architectural frame for core organizational values, and describes popular Internet tools of EB. The background is closed by descriptions of common Internet threats, their implications to overall organization's information security, as well as useful Internet security systems. Chapter concludes with recommendations regarding enhancing EB by better controlling company's information security. As a new research area is proposed sub-discipline of cyber security in management, with special dedication to SHRM.

Comparative analysis and patch optimization using the cyber security analytics framework

Dependable metrics are one of the critical elements of an organization’s information security program and are crucial for its long-term success. Current research in the area of enterprise security metrics provides limited insight on understanding the impact that attacks have on the overall security goals of an enterprise as well as predicting the future security state of the network. In this paper we present a novel security analytics framework that takes into account both the inter-relationship between different vulnerabilities and the temporal features that evolve over time, such as the vulnerability discovery rate and the lifecycle events. We then formally define a non-homogenous stochastic model that incorporates time dependent covariates, namely the vulnerability age and the vulnerability discovery rate, to help visualize the future security state of the network leading to actionable knowledge and insight. We will perform a comparative analysis and also describe the patch optimization methodology by applying this model on a sample network to demonstrate the practicality of our approach.

Employer Branding and Internet Security

This chapter promotes the concept of employer branding (EB) as special kind of value management being part of strategic human resources management (SHRM) and including elements of cyber security. Employees' and organization's shared values (EVPs) bring opportunity to create common sense of identity, which prevents potentially aversive behavior towards company's reputation. Chapter's background positions EB and EVP in process of SHRM, introduces the view of EB as architectural frame for core organizational values, and describes popular Internet tools of EB. The background is closed by descriptions of common Internet threats, their implications to overall organization's information security, as well as useful Internet security systems. Chapter concludes with recommendations regarding enhancing EB by better controlling company's information security. As a new research area is proposed sub-discipline of cyber security in management, with special dedication to SHRM.