Calculation of risks of information security of telecommunication enterprise
The goal of this work is to identify and assess information security risks for a typical distributed information system within three controlled areas. The main emphasis, application of information security in the considered information system is done to minimize damage from security threats, aimed a...
| Main Authors: | , , , |
|---|---|
| Format: | Article |
| Language: | English |
| Published: |
Plekhanov Russian University of Economics
2018-01-01
|
| Series: | Otkrytoe Obrazovanie (Moskva) |
| Subjects: | |
| Online Access: | http://openedu.rea.ru/jour/article/view/486 |
| id |
doaj-art-513f623e092546c19144b687b61a7993 |
|---|---|
| recordtype |
oai_dc |
| spelling |
doaj-art-513f623e092546c19144b687b61a79932018-08-28T08:41:12ZengPlekhanov Russian University of EconomicsOtkrytoe Obrazovanie (Moskva)1818-42432079-59392018-01-01222617010.21686/1818-4243-2018-2-61-70400Calculation of risks of information security of telecommunication enterpriseL. M. Il’chenko0E. K. Bragina1I. E. Egorov2S. I. Zaysev3Saint-Petersburg National Research University of Information Technologies, Mechanics and OpticsSaint-Petersburg National Research University of Information Technologies, Mechanics and OpticsSaint-Petersburg National Research University of Information Technologies, Mechanics and OpticsAdmiral Makarov State University of Maritime and Inland ShippingThe goal of this work is to identify and assess information security risks for a typical distributed information system within three controlled areas. The main emphasis, application of information security in the considered information system is done to minimize damage from security threats, aimed at the integrity and availability of the hardware and software complex of the information system, and not to the confidentiality of information resources processed with their help. The study examined international and national standards in the field of information security, which regulate issues of information security risks management. In particular, the basic requirements for the assessment and processing of information security risks were established, based on the international standard “ISO 27001: 2013 Information technologies. Methods of protection. Information security management systems”, as well as a comparison of this standard with its version from 2005 is made. As a leading method of risk assessment and processing, the most economical the qualitative method was chosen, in the absence of ready data on the number of attacks implemented in the considered information system for a certain period of time. In the process, valuable assets of the organization were considered, and based on the business process of the telecommunication company, major and minor assets were allocated, as well as the corresponding information security threats in accordance with the security threat data bank of the Federal Service for Technical and Export Control. The result of this work was the calculation of information security risks, based on the allocation of valuable assets of the organization, the degree of potential damage in the implementation of threats to such assets and the probability of the implementation of threats to the information system of the telecommunication enterprise. In addition, acceptable risks were identified, the processing of which is not required due to the fact that the actual cost of minimizing them is greater than the losses from the implementation of threats over them. In conclusion, possible measures were proposed to minimize information security risks, including a backup system, a system for protecting against unauthorized access, an anti-virus protection system, firewalling, and organizational measures and physical protection measures. The proposed method makes it possible to reasonably assess information security risks of an organization in conditions of insufficient initial data, as well as the absence of additional hardware and software for assessing information security risks, which allows applying it to model organizations based only on scaling of the considered system, if there is no state information secret in the processed data. The risk management procedure helps not only to identify and eliminate the analysis of vulnerabilities and innovations in the field of risk assessment, but also to increase the literacy level of staff, involved in the assessment and risk management process.http://openedu.rea.ru/jour/article/view/486information securityinformation security risks’ managementtelecommunication enterprise |
| institution |
Open Data Bank |
| collection |
Open Access Journals |
| building |
Directory of Open Access Journals |
| language |
English |
| format |
Article |
| author |
L. M. Il’chenko E. K. Bragina I. E. Egorov S. I. Zaysev |
| spellingShingle |
L. M. Il’chenko E. K. Bragina I. E. Egorov S. I. Zaysev Calculation of risks of information security of telecommunication enterprise Otkrytoe Obrazovanie (Moskva) information security information security risks’ management telecommunication enterprise |
| author_facet |
L. M. Il’chenko E. K. Bragina I. E. Egorov S. I. Zaysev |
| author_sort |
L. M. Il’chenko |
| title |
Calculation of risks of information security of telecommunication enterprise |
| title_short |
Calculation of risks of information security of telecommunication enterprise |
| title_full |
Calculation of risks of information security of telecommunication enterprise |
| title_fullStr |
Calculation of risks of information security of telecommunication enterprise |
| title_full_unstemmed |
Calculation of risks of information security of telecommunication enterprise |
| title_sort |
calculation of risks of information security of telecommunication enterprise |
| publisher |
Plekhanov Russian University of Economics |
| series |
Otkrytoe Obrazovanie (Moskva) |
| issn |
1818-4243 2079-5939 |
| publishDate |
2018-01-01 |
| description |
The goal of this work is to identify and assess information security risks for a typical distributed information system within three controlled areas. The main emphasis, application of information security in the considered information system is done to minimize damage from security threats, aimed at the integrity and availability of the hardware and software complex of the information system, and not to the confidentiality of information resources processed with their help. The study examined international and national standards in the field of information security, which regulate issues of information security risks management. In particular, the basic requirements for the assessment and processing of information security risks were established, based on the international standard “ISO 27001: 2013 Information technologies. Methods of protection. Information security management systems”, as well as a comparison of this standard with its version from 2005 is made. As a leading method of risk assessment and processing, the most economical the qualitative method was chosen, in the absence of ready data on the number of attacks implemented in the considered information system for a certain period of time. In the process, valuable assets of the organization were considered, and based on the business process of the telecommunication company, major and minor assets were allocated, as well as the corresponding information security threats in accordance with the security threat data bank of the Federal Service for Technical and Export Control. The result of this work was the calculation of information security risks, based on the allocation of valuable assets of the organization, the degree of potential damage in the implementation of threats to such assets and the probability of the implementation of threats to the information system of the telecommunication enterprise. In addition, acceptable risks were identified, the processing of which is not required due to the fact that the actual cost of minimizing them is greater than the losses from the implementation of threats over them. In conclusion, possible measures were proposed to minimize information security risks, including a backup system, a system for protecting against unauthorized access, an anti-virus protection system, firewalling, and organizational measures and physical protection measures. The proposed method makes it possible to reasonably assess information security risks of an organization in conditions of insufficient initial data, as well as the absence of additional hardware and software for assessing information security risks, which allows applying it to model organizations based only on scaling of the considered system, if there is no state information secret in the processed data. The risk management procedure helps not only to identify and eliminate the analysis of vulnerabilities and innovations in the field of risk assessment, but also to increase the literacy level of staff, involved in the assessment and risk management process. |
| topic |
information security information security risks’ management telecommunication enterprise |
| url |
http://openedu.rea.ru/jour/article/view/486 |
| _version_ |
1612668257519534080 |