DOI: 10.24143/2072-9502-2017-4-45-53 UDC [002:004.056]:681.51/.54
G. A. Popov, A. G. Popov, N. D. Shishkin, M. F. Rudenko
THE CONCEPTUAL SCHEME OF INFORMATION SECURITY IN THE OBJECT PROTECTION MODEL
Abstract. This paper proposes a conceptual scheme of information security (IS) that covers most existing IS systems. Seven components describing the IS process in the object protection model are identified: requirements for IS support; the protected data; threats to the protected data; countermeasures against the threats; the information system in which the protected data is processed; conditions facilitating or impeding the IS process; and the object of protection. A diagram showing the interrelations of these components is given. The content of the entities "requirements", "information system", "conditions" and "object of protection" is clarified, and the mechanisms by which the entities "information system", "conditions" and "object of protection" influence the IS process are revealed. For the entity "requirements", seven classes of requirements for ensuring information security are distinguished, and the main legislative and normative documents defining the content of the requirements in each class are given. Approaches to the measurability of requirements and to assessing the degree of their fulfilment are described. Since the number of elementary requirements is very large, instead of a list of elementary requirements several generalized indicators (probabilistic indicators, time indicators, cost indicators) are usually formed. IS systems oriented to these indicators allow a more flexible IS technique, in which IS violations that do not cause substantial damage may even be neglected, while the IS system focuses mainly on preventing the most dangerous attempts to breach IS.
Key words: providing information security; conceptual scheme; entities of the IS process; IS requirements; attendant requirements.
Introduction
The problem of ensuring information security has a two-thousand-year history, but in terms of the formation of concepts and common technologies of information security it began to be examined systematically only in the 1970s. For many years afterwards the need to solve conceptual problems of information security was not seen as significant. Only in the second half of the 1990s, after a series of national and international standards on information security (IS) appeared in the developed countries, primarily the United States, were the topicality and importance of a conceptual approach to forming IS systems (ISS) and analysing the related problems recognized.
However, despite the rapid growth of research and publications on the subject that followed, and despite solutions to a range of related questions (in particular, the analysis of threats and vulnerabilities, the classification of objects of protection, and the means of meeting IS requirements), one problem remains without an adequate solution: constructing a general model of security that would encompass most existing security systems, even though educational and monographic publications on the fundamentals of forming an ISS are now quite numerous [1-5]. Below, a possible approach to constructing a general IS model for typical protected objects is suggested. The model is presented as a diagram that lists all the main entities defining the process of ensuring information security, together with the relationships between them.
1. The structure of the general model
Information security is understood as the protection of an object (the state, a legal entity, a natural person) in the information field, where the information field is the set comprising the information infrastructure (i.e. the information and its processing), the subjects that collect, form, distribute and use the information, and the system regulating the social relations that arise.
The IS process is a complex process consisting in the interaction of the following entities (components) participating in ensuring IS:
1. Requirements for ensuring information security.
2. Protected information.
3. The threats that can degrade the characteristics of the protected information to an unacceptable level.
4. The means and mechanisms to counter the threats.
5. Information system, in which protected information is processed.
6. Conditions (primarily external) that promote or inhibit the process of ensuring IS.
7. The objects served by the information system and associated with protected information (sources and/or consumers of the protected information).
The entities are listed in the order in which they are analysed when building or improving a security system. The main ones are the first four entities (components); the last three are associated components, not directly involved in protecting the information.
An overview of the relationships among these components in the process of ensuring IS is presented in Fig. 1.
The operation of a system in accordance with the diagram can be described in simplified form as follows. The organization, starting from the purpose of the informatization object, its capabilities and the existing conditions of operation, formulates the requirements for information security. Next, all of the organization's information resources are analysed in terms of their importance and the need to limit access to them, which at the following stage makes it possible to analyse all possible threats to the resources identified. Based on the analysis of all potential threats, the security requirements put forward, and the organization's existing capacity, mechanisms and means of countering the threats are established.
[Fig. 1 (image not preserved): overlapping blocks labelled "Firm (Organization)", "4. Requirements to information security", "5. Information system", "3. The means to counter threats", "1. Protected information", "2. Threats to information" and "7. Object of informatization".]
Fig. 1. The scheme of interrelation of the IS components
As the components of information security (conditions of functioning, composition and intensity of threats, characteristics of the informatization object and of the information processing system, etc.) and the organization's capabilities change, the requirements for ensuring information security and the composition of countermeasures may change as well.
Note that the overlap of the blocks in Fig. 1 shows certain relationships between them. Thus, block 4 "Counter means" lies partly outside the boundary of the block "Organization", because some classes of countermeasures are not controlled by the organization, for example legislative tools in the field of information security. The intersections of this block with the blocks "Organization", "Information system" and "Protected information" correspond, in particular, to organizational and technical means of ensuring information security, access controls and cryptographic assets, respectively. Block 2 "Threats to information" intersects almost all the main blocks of the diagram, since sources of threats can lie in any of the blocks it intersects.
Next, the content of the seven components of the process of ensuring information security mentioned above needs to be revealed. Since the literature [1-5; https://tech.wikireading.ru/12973; http://asher.ru/security/book/its/05; http://bdu.fstec.ru] already contains a sufficiently thorough analysis of threats, classification of protected data and means of countering threats, and owing to the limited scope of this work, only the remaining components of the information security model are considered below.
2. Requirements for protected information
By requirements for information security we understand the list of restrictions on the set of indicators characterizing those properties of information and its processing that are essential from the point of view of information security.
We classify the possible requirements for ensuring information security. As the main classification criterion we take the category of the data-processing subject that is the source of the requirements, namely: state bodies, commercial organizations, private individuals and legal entities, international organizations, industries and sectors of national activity, and the individual requirements of legal entities and economic entities. This division into categories of data-processing subjects is reflected in the laws and regulations in which requirements for ensuring information security are formulated for each of the listed categories of entities and which each corresponding entity (government, business entity, legal or natural person) must fulfil. The following seven main sources of requirements are distinguished.
1. Requirements for the protection of state secrets. These requirements relate to the protection of state and commercial organizations that process data constituting a state secret. They are formulated in Federal Law (FL) No. 5485-1 of 21.07.1993 "On state secrets" (http://base.garant.ru/10102673/).
Refinement, detailing, implementation and monitoring of the implementation of these requirements are given in the accompanying instructions and orders of the RF President and RF Government and in the normative documents of the regulators in this field. The requirements of this group are mandatory for all entities that process data constituting a state secret.
2. Requirements at the state level not related to state secrets. These requirements relate to the protection of the state information resource. They are given in Federal Law No. 149 of 27.07.2006 "On information, information technologies and protection of information" (http://www.consultant.ru/document/cons_doc_LAW_61798), as well as in the regulatory documents of the Federal Service for Technical and Export Control (FSTEC). They are binding for all departments and organizations where the state information resource is held or processed, as well as for those legal and natural persons that have economic or other technological contacts (e.g. connected with the fulfilment of contractual obligations) with organizations processing information belonging to the state information resource.
3. Requirements for business entities. These are formulated in FL No. 98 of 29.07.2004 "On trade secrets" (http://www.consultant.ru/document/cons_doc_LAW_48699). Compliance, in contrast to the requirements on state secrets, is optional, but if a conflict arises between business entities, the degree to which the requirements of this FL have been fulfilled may be one of the decisive factors in judicial decisions. Therefore, entities with serious intentions in the market try to fulfil all the requirements of this FL.
4. Requirements for legal entities and individuals, regardless of any special privileges. This class primarily includes Federal Law No. 152 "On personal data" (http://docs.cntd.ru/document/901990046), as well as the state standards of the Russian Federation, in particular the following:
- GOST R 50922-2006 - Protection of information. Basic terms and definitions;
- P 50.1.053-2005 - Information technology. Basic terms and definitions in the field of technical protection of information;
- GOST R 51188-98 - Protection of information. Test software for the presence of computer viruses. Model guidance;
- GOST R 51275-2006 - Protection of information. The object of informatization. Factors affecting information. General provisions;
- GOST R ISO/IEC 15408-1-2008 - Information technology. Methods and means of security. Evaluation criteria for information technology security. Part 1. Introduction and general model;
- GOST R ISO/IEC 15408-2-2008 - Information technology. Methods and means of security. Evaluation criteria for information technology security. Part 2. Functional security requirements;
- GOST R ISO/IEC 15408-3-2008 - Information technology. Methods and means of security. Evaluation criteria for information technology security. Part 3. Security assurance requirements;
- GOST R ISO/IEC 15408 - Common criteria of information technology security;
- GOST R ISO/IEC 17799 - Information technology. Practical rules of information security management. Direct application of international standard with the addition of ISO/IEC 17799:2005;
- GOST R ISO/IEC 27001 - Information technology. Security methods. Management system for information security. Requirements. Direct application of international standard ISO/IEC 27001:2005;
- GOST R 51898-2002 - Security aspects. Rules for inclusion in the standards.
Violation of or non-compliance with these documents is grounds for applying various forms of disciplinary, civil, administrative or even criminal liability.
5. Industry requirements. Typically these requirements are formulated in industry standards. Examples are the standards of the Central Bank of the RF:
- Standard Bank of Russia - Ensuring information security of organizations of Bank system of the Russian Federation. The collection and analysis of technical data in responding to information security incidents in the implementation of money transfers (STO BR IBBS-1.3-2016);
- Standard Bank of Russia - Ensuring information security of organizations of Bank system of the Russian Federation. General provisions (STO BR IBBS-1.0-2014);
- Standard Bank of Russia - Ensuring information security of organizations of Bank system of the Russian Federation. Methodology for conformity assessment of information security of organizations of Bank system of the Russian Federation to the requirements of STO BR IBBS-1.0-2014 (STO BR IBBS-1.2-2014);
- Standard Bank of Russia - Ensuring information security of organizations of Bank system of the Russian Federation. Information security audit of STO BR IBBS-1.1-2007 (STO BR IBBS-1.1-2007).
Compliance with these documents is often significantly more important than compliance with the requirements of all other documents on information security, since fulfilling these requirements is linked to obtaining the appropriate licences. Therefore, for legal entities of this category, this class of requirements is the main one.
6. International requirements. These requirements are formulated in the international security standards, in particular:
- ISO/IEC 27000 - Vocabulary and definitions;
- ISO/IEC 17799:2005 - Information technology - Security techniques - Practical rules for information security management;
- ISO/IEC 27001 - Information technology - Security techniques - Information security management systems - Requirements. An international standard based on BS 7799-2:2005;
- ISO/IEC 27002 - Now: ISO/IEC 17799:2005. Information technology - Security techniques - Practical rules for information security management. Release date - 2007;
- ISO/IEC 27005 - Now: BS 7799-3:2006 - Guidelines for information security risk management.
This category of requirements is particularly important for companies and organizations whose activities are closely connected with international contacts or take place on the territory of other countries. Banking is one example.
7. Individual requirements. These requirements are formulated directly by legal or natural persons and take into account the individual needs and peculiarities of the activity of these entities.
Thus, theoretically, a situation could arise in which an organization has to ensure the simultaneous fulfilment of requirements from all the above classes. In this regard, the question of the consistency and coherence of these groups of requirements is of particular interest. This issue requires a separate analysis.
Another important aspect of the formation and implementation of requirements for information security is the measurability of each requirement and the assessment of whether a specific requirement is fulfilled in the organization's activity at the current moment. In theory, a full description of the requirements for information security should include the whole set of elementary requirements for each element of the information system and each component of the protected information, in all its possible states, under all possible modes of information processing and all states of the information system. In practice this is impossible, because the number of elements in this set of elementary requirements is very large. So, instead of a list of elementary requirements, a small set of indicators is usually formed that reflect the general trends in ensuring information security in the system. These indicators are called generalized. Since generalized indicators characterize the state of information security on average, a breach of information security remains possible even at a high value of a generalized indicator. Generalized indicators can be computed from elementary or intermediate indicators, or estimated by statistical, expert or other informal methods. Among the generalized indicators, the following three groups stand out:
1. Probabilistic indicators; first of all, the probability of ensuring security, $P_S$ (or of a security breach, $P_V$), of the information, that is, the probability that in a given fixed time interval no security violation will be implemented in the system (respectively, that at least one attempt to violate information security is successfully implemented).
2. Cost indicators; first of all, the average damage $\Pi_D$ and the maximum expected loss $\Pi_D^{\max}$ from violations of information security.
3. Time indicators; in particular, the average time $T_V$ to the next successfully implemented attempt to violate security (if possible, for the different levels of penetration and violation of information security).
Requirements for information security based on these indicators can be formalized as inequalities, for example
$$P_S > P_S^{*}, \quad P_V < P_V^{*}, \quad \Pi_D < \Pi_D^{*}, \quad \Pi_D^{\max} < \Pi_D^{\max *}, \quad T_V > T_V^{*},$$
where the starred quantities $P_S^{*}, P_V^{*}, \Pi_D^{*}, \Pi_D^{\max *}, T_V^{*}$ are the required (given) levels of these parameters. The indicators that most fully evaluate the effectiveness of information security are $\Pi_D$ and $\Pi_D^{\max}$. In particular, $\Pi_D$ and $\Pi_D^{\max}$ allow the consequences of penetration and breaches of information security to be taken into account more fully, which creates opportunities for a policy more adequate to the actual security situation. In addition, a security system focused on these indicators allows a more flexible information security technology, in which, in particular, violations of information security that did not cause significant damage can even be ignored, while the ISS concentrates on preventing the most dangerous attempts to breach information security, which can lead to large damage. For example, compare the following two successful attempts to penetrate a system. In the first case, a hacker who has broken through all the protection boundaries reaches the protected information only for self-affirmation and hooliganism. In the second case, the agent of a competing company manages to break through only part of the protection boundaries and does not reach the protected information. The real damage in the first case is minor, while in the second it is infinitely higher, because the agent's next attempt, drawing on the penetration experience already gained, may succeed. From the point of view of the probabilistic and time indicators, which only record the fact of a security breach, the hacker's penetration is the more significant. The cost indicators, which take the consequences of penetration into account, capture the characteristics of the violation described above.
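The three groups of generalized indicators and the inequality form of the requirements can be made concrete on a small incident record. The following Python block is an added illustration and is not code from the paper: the incident log, the division of the observation period into six fixed intervals, the rule that a "successful violation" is an incident that reached protected information, and the per-incident assessed loss are all constructed assumptions. It computes $P_S$, $P_V$, $\Pi_D$, $\Pi_D^{\max}$ and $T_V$, evaluates them against given levels, and reproduces the paper's hacker-versus-agent comparison: the probabilistic and time indicators count only the hooligan's penetration, whereas the cost indicators rank the agent's partial penetration as the more dangerous one.

```python
"""Generalized IS indicators computed from a constructed incident log.

Added illustration; assumptions not taken from the paper: the observation
period is divided into equal fixed intervals, a 'successful violation' is an
incident that reached protected information, and every incident (including
those that never reached the data) carries an assessed loss estimate.
"""
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Incident:
    interval: int          # index of the fixed time interval the incident fell in
    t_hours: float         # hours from the start of that interval
    reached_data: bool     # True = security violation in the paper's sense
    assessed_loss: float   # damage estimate in constructed money units


# Constructed sample covering six intervals. Interval 1 holds the hooligan
# hacker who reached the data but caused no real loss; interval 4 holds the
# competitor's agent who crossed part of the boundaries, never reached the
# data, but left a large expected loss behind.
SAMPLE = [
    Incident(interval=1, t_hours=30.0, reached_data=True, assessed_loss=0.0),
    Incident(interval=4, t_hours=12.0, reached_data=False, assessed_loss=50_000.0),
    Incident(interval=4, t_hours=60.0, reached_data=False, assessed_loss=20_000.0),
]
N_INTERVALS = 6


def indicators(incidents, n_intervals):
    """Return P_S, P_V, Pi_D, Pi_D_max and T_V as a dict."""
    violations = [i for i in incidents if i.reached_data]
    # P_V: share of intervals in which at least one violation succeeded
    p_v = len({i.interval for i in violations}) / n_intervals
    # cost indicators use the assessed loss of every incident, not only violations
    losses = [i.assessed_loss for i in incidents] or [0.0]
    # T_V: mean time to the first successful violation over intervals that had one
    first_hit = {}
    for v in violations:
        first_hit[v.interval] = min(first_hit.get(v.interval, v.t_hours), v.t_hours)
    t_v = mean(first_hit.values()) if first_hit else float("inf")
    return {"P_S": 1.0 - p_v, "P_V": p_v, "Pi_D": mean(losses),
            "Pi_D_max": max(losses), "T_V": t_v}


def check_requirements(ind, required):
    """Evaluate the inequalities: P_S and T_V must not fall below the given
    level, the other indicators must not exceed it. Returns name -> bool."""
    lower_bounded = {"P_S", "T_V"}
    return {name: (ind[name] >= level if name in lower_bounded else ind[name] <= level)
            for name, level in required.items()}


def most_dangerous(incidents):
    """Rank by assessed loss: this is where the cost view and the probabilistic
    view disagree about the two constructed incidents."""
    return max(incidents, key=lambda i: i.assessed_loss)


if __name__ == "__main__":
    ind = indicators(SAMPLE, N_INTERVALS)
    print(ind)
    print(check_requirements(ind, {"P_S": 0.9, "Pi_D_max": 10_000.0, "T_V": 24.0}))
    print(most_dangerous(SAMPLE))
```

On the constructed sample only one of six intervals contains a successful violation, so $P_V = 1/6$ and $T_V = 30$ hours, both driven by the hooligan; the cost indicators ($\Pi_D \approx 23\,333$, $\Pi_D^{\max} = 50\,000$) are driven entirely by the agent, who never reached the data. The required levels passed to `check_requirements` are chosen so that the cost and probability requirements fail while the time requirement holds, which is the kind of mixed picture a generalized-indicator view produces.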
We distinguish the two most common goals that formalize the requirements for ensuring information security. First statement: using a minimal amount of resources, ensure a security level not below a specified one. Second statement: for a given composition and volume of allocated resources, provide the highest achievable level of information security. The first statement is more typical of state systems, where security must be provided for critical systems and objects regardless of the costs involved. The second statement is more typical of businesses, which can allocate only limited resources and means to ensuring security.
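The two goal statements are dual optimization problems over the set of countermeasures, and a small exhaustive search shows how they can give the same or different answers. The following Python block is an added illustration, not code or a model from the paper: the candidate countermeasures, their costs and effectiveness values, the baseline breach probability, and the assumption that each countermeasure removes an independent fraction of the remaining breach probability are all constructed. The first function solves the first statement (minimal cost subject to $P_S$ not below the given level); the second solves the second statement (maximal $P_S$ within a given budget).

```python
"""Countermeasure selection under the paper's two goal statements.

Added illustration; the candidate list, costs and effectiveness values are
constructed, and the breach model (each countermeasure removes an independent
fraction of the remaining breach probability) is an assumption, not the
paper's model.
"""
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Countermeasure:
    name: str
    cost: float            # constructed money units
    effectiveness: float   # fraction of the remaining breach probability removed


CANDIDATES = [
    Countermeasure("access control", 40.0, 0.50),
    Countermeasure("encryption at rest", 30.0, 0.40),
    Countermeasure("staff training", 10.0, 0.20),
    Countermeasure("monitoring", 25.0, 0.30),
]
P_V0 = 0.60   # constructed baseline probability of a breach with no countermeasures


def security_level(chosen, p_v0=P_V0):
    """P_S for a set of countermeasures, assuming independent reductions of P_V."""
    p_v = p_v0
    for c in chosen:
        p_v *= 1.0 - c.effectiveness
    return 1.0 - p_v


def total_cost(chosen):
    return sum(c.cost for c in chosen)


def _subsets(candidates):
    # exhaustive enumeration; fine for a handful of candidates
    for r in range(len(candidates) + 1):
        yield from combinations(candidates, r)


def min_cost_for_level(candidates, p_s_required):
    """First statement: cheapest set whose P_S is not below the required level.
    Returns (cost, sorted names) or None if no subset reaches the level."""
    feasible = [s for s in _subsets(candidates) if security_level(s) >= p_s_required]
    if not feasible:
        return None
    best = min(feasible, key=total_cost)
    return total_cost(best), tuple(sorted(c.name for c in best))


def max_level_for_budget(candidates, budget):
    """Second statement: highest P_S reachable without exceeding the budget.
    Returns (P_S, sorted names); the empty set is always affordable."""
    affordable = [s for s in _subsets(candidates) if total_cost(s) <= budget]
    best = max(affordable, key=security_level)
    return security_level(best), tuple(sorted(c.name for c in best))


if __name__ == "__main__":
    print(min_cost_for_level(CANDIDATES, 0.75))
    print(max_level_for_budget(CANDIDATES, 60.0))
```

With the constructed values, requiring $P_S \ge 0.75$ is met most cheaply by access control plus staff training (cost 50, $P_S = 0.76$), and a budget of 60 buys exactly the same pair; raising the required level to 0.95 is infeasible with any subset, which is the situation in which the first statement forces the organization to revisit its resource ceiling rather than its security target.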
3. Associated components of the security model
As mentioned above, the associated components of the model are the conditions of operation of the information system, the information system itself and the informatization object. Let us briefly consider how these components influence the process of information security.
The conditions of operation of the information system. By the conditions of operation of the information system we understand the set of those factors of the external environment that satisfy the following two properties:
1) these factors are not threats to information security, i.e. not targeted actions on the information system or targeted interventions in the process of its creation or functioning;
2) these factors have, or may have, a certain impact on the information system, but the information system does not directly affect them. The information system can only record the characteristics of these factors and adapt to them.
The general classification of the conditions of operation of the information system is in many ways similar to the general classification of threats as direct external influences, because in both cases we are dealing with the contact and interaction of the information system with the external environment. From this point of view, it is first necessary to identify the media through which the interaction of the information system with the external environment is realized; they are:
1. The legal environment: the set of legal, regulatory and other documents that are not directly associated with the process of providing information security but which, nevertheless, must be taken into account.
2. The territorial and geographical environment, defined primarily by the geographical and territorial location of the object of protection and the information system: in particular, the convenience of the location (within a populated area, outside it, in a remote location), the availability of suitable infrastructure (roads, electricity, communications, utilities), and the nature of the premises housing the information system (floors, degree of compactness and isolation).
3. The social environment, defined primarily by the communities and the local and regional leadership with which the informatization object and information system interact.
4. The climatic environment, primarily temperature and humidity and their variation over the year.
Based on the selected environments, a more detailed classification of the conditions of operation of the information system can be carried out.
The information system. This component can significantly affect the organization and process of information security. For example, completely different IS technologies must be used for distributed, networked data processing than for centralized processing, where all processing of restricted-access information is concentrated in a small number of isolated premises. Further, the composition of the information technologies and technical means of data processing is a significant factor determining the process of ensuring information security.
A systematic study of this component within the ISS involves first of all describing the information system as an object. It is necessary to describe the structure of the information system, which includes the following types of interrelated structures.
1. A logical structure.
2. Organizational structure.
3. A topological structure.
4. Technological structure.
Analysis of these structures reveals the features that are important for the process of information security.
The informatization object. The main functions of the ISS are directly linked with the processes of functioning of the corresponding data processing system. Therefore, the ISS is usually considered as an add-on to the information system, and in this respect the ISS is not directly connected to the informatization object. All influence of the ISS on the informatization object and, conversely, of the informatization object on the ISS occurs through the mediation of the information system.
However, there are information security problems in whose solution the ISS interacts directly with the informatization object, bypassing the information system as an intermediary. We specify the following three important classes of problems of this type.
1. In many information systems, especially real-time ones, the problem of protecting the source data supplied to the input of the information system is topical. This problem should be resolved by the ISS before the source data reaches the input of the information system and becomes an integral part of it. That is, the task of the security system is solved outside the framework of the information system.
2. In dangerous and emergency situations, many of the processes in the information system, including the processes of interaction with the informatization object, may be blocked or interrupted. The decision to freeze and/or abort processes in the information system is taken by the ISS in cooperation directly with the informatization object; in particular, this is the case when the information system fails. The ISS is still required to ensure compliance with the requirements for information security, so in this case the information security system must interact directly with the informatization object.
3. Many of the activities and methods of safety of the informatization object are common to all aspects of safety, including information security; for example, methods of physical security. Therefore, these activities should be implemented in direct contact with the security service of the informatization object.
Conclusion
The paper presents a general scheme of the information security model of a protected object, identifies seven core entities involved in ensuring information security, and describes the relationships between them. For one of the main entities, the requirements for ensuring information security, seven groups of possible requirements are distinguished depending on the sources that formulate them. The relationships of three associated components (the conditions of operation of the information system, the information system itself and the informatization object) with the ISS are briefly described.
REFERENCES
1. Nesterov S. Osnovy informatsionnoi bezopasnosti [Fundamentals of information security]. Saint-Petersburg, Lan' Publ., 2016. 324 p.
2. Baranova E. K., Babash A. V. Informatsionnaia bezopasnost' i zashchita informatsii [Information security and information protection]. Moscow, ITs RIOR, NITs INFRA-M, 2016. 322 p.
3. Gatchin Iu. A., Klimova E. V. Osnovy informatsionnoi bezopasnosti [Fundamentals of information security]. Saint-Petersburg, SPbGU ITMO, 2009. 84 p.
4. Sychev Iu. N. Osnovy informatsionnoi bezopasnosti [Fundamentals of information security]. Moscow, EAOI, 2007. 300 p.
5. Makarenko S. I. Informatsionnaia bezopasnost' [Information security]. Stavropol, SF MGGU imeni M. A. Sholokhova, 2009. 372 p.
The article submitted to the editors 11.09.2017
INFORMATION ABOUT THE AUTHORS
Popov Georgiy Aleksandrovich - Russia, 414056, Astrakhan; Astrakhan State Technical University; Doctor of Technical Sciences, Professor; Head of the Department of Information Security; [email protected].
Popov Alexander Georgevich - Russia, 414056, Astrakhan; Astrakhan State Technical University; Postgraduate Student of the Department of Information Security; [email protected].
Shishkin Nikolay Dmitrievich - Russia, 414056, Astrakhan; Astrakhan State Technical University; Doctor of Technical Sciences, Professor; Professor of the Department of Technological Machines and Equipment; [email protected].
Rudenko Mikhail Fedorovich - Russia, 414056, Astrakhan; Astrakhan State Technical University; Doctor of Technical Sciences, Professor; Professor of the Department of Life Security and Engineering Ecology; [email protected].
G. A. Popov, A. G. Popov, N. D. Shishkin, M. F. Rudenko
A CONCEPTUAL SCHEME OF ENSURING INFORMATION SECURITY IN A TYPICAL OBJECT OF PROTECTION
A conceptual scheme of the process of ensuring information security (IS) is proposed that covers most existing IS systems. Seven entities (components) determining the IS process in a typical object of protection are distinguished: requirements for ensuring information security; the protected information; threats to the protected information; means and mechanisms for countering the threats; the information system in which the protected information is processed; conditions facilitating or impeding the IS process; the object of protection. A diagram showing the interrelations of these entities is given. The content of the entities "requirements...", "information system...", "conditions..." and "object of protection" is revealed. For the entities "information system...", "conditions..." and "object of protection" the mechanisms of their influence on the IS process are revealed. For the entity "requirements..." seven classes of IS requirements are distinguished and the main legislative and normative documents defining their content are given. Possible approaches to measuring and assessing the degree of fulfilment of the requirements are described. It is noted that the number of elements in the set of elementary requirements is very large, so instead of a list of elementary requirements a small set of indicators, called generalized, is usually formed, which reflect the overall trends in IS in the system. Three groups of the most significant generalized indicators are distinguished (probabilistic indicators, time indicators, cost indicators). IS systems oriented to these indicators allow a more flexible IS technology, in which, in particular, cases of information security violation that did not cause substantial damage may even be ignored, while the main attention of the IS system is concentrated on preventing the most dangerous attempts to violate information security, which may lead to large damage.
Key words: ensuring information security, conceptual scheme, main entities of the protection process, requirements for information security, associated components.