Hybrid method for IT security assessment - Илья Лившиц
At present, IT components without security functions (hereafter SF) are the exception rather than the rule. IT components without SF do not pose a major problem, since they can be replaced with analogues that have SF by design, supplemented with the necessary "overlay" SF, or "import" the necessary SF from adjacent IT components, which is possible owing to the synergy and emergence inherent in any information processing system (hereafter IPS). In what follows, when referring to IT we assume that modern IT components offered on the competitive market for fuel and energy complex (FEC) facilities already possess a certain set of SF.
‘Big models’: the success and pitfalls of Transformer models in natural langu... - Leiden University
Abstract: Large Language Models receive a lot of attention in the media these days. We have all experienced that generative language models of the GPT family are very fluent and can convincingly answer complex questions. But they also have their limitations and pitfalls. In this presentation I will introduce Transformer-based language models, explain the relation between BERT, GPT, and the 130 thousand other models available on https://huggingface.co. I will discuss their use and applications and why they are so powerful. Then I will point out challenges and pitfalls of Large Language Models and the consequences for our daily work and education.
Certainty based on the net effect:
Video: from https://youtu.be/34sJ8h29hcg
Explanation of how to assess the overall certainty of evidence from the certainty of evidence for each outcome in a systematic review for clinical practice guideline development, which I would like you to read and understand many times: "also useful for EBM practice" edition
EBM intermediate edition: learn the various ways of thinking about precision and understand imprecision by revisiting confidence intervals. https://youtu.be/l7E5s4NQKsg is also a must-see.
Step 4: on the slide classifying the precision of the net effect estimate in the scenario, the figure (top right) in Dr. 相原's blog shows -3.5, but this appears to be an error for 3.5.
Evidence-based medical information for internists http://aihara.la.coocan.jp/
Main paper: Alper BS, Oettgen P, Kunnamo I, et al. Defining certainty of net benefit: a GRADE concept paper. BMJ Open 2019;9:e027445.
https://bmjopen.bmj.com/content/9/6/e027445
Reference: Monica Hultcrantz, David Rind, Elie A. Akl, et al. The GRADE Working Group clarifies the construct of certainty of evidence. J Clin Epidemiol. 2017 Jul;87:4-13.
https://www.ncbi.nlm.nih.gov/pmc/articles/PMC6542664/
相原守夫. GRADE System for Clinical Practice Guidelines, 3rd ed. Evidence-based medical information for internists
Natural Language Processing for biomedical text mining - Thierry Hamon - Grammarly
Speaker: Thierry Hamon, Associate Professor in Computer Science at Université Paris, Member of the LIMSI-CNRS research lab.
Summary: Among the large amounts of unstructured data generated across the world and available nowadays, textual data represent an important source of information. This is particularly true in the biomedical domain, where a constantly increasing demand to access textual content is observed: the situation is relevant for accessing and processing Electronic Health Records, online discussion forums, and scientific literature. Indeed, dealing with biomedical texts requires us to take into account a great variety of texts, languages and users.
For several years now, a lot of NLP research has focused on mining and retrieving information (i.e., medical entities and domain-specific relations), which are relevant for biologists, physicians, terminologists, epidemiologists, and patients. We will propose an overview of the NLP methods used for tackling several such research problems through text mining applications. First, we will present the resources and rule-based approaches we designed for extracting drug-related information from clinical texts, and for acquiring domain-specific semantic relations from digital libraries. Then we will present the cross-lingual approach we are developing for building multilingual terminologies from a patient-centered Ukrainian corpus.
INFORMATION SECURITY MATURITY MODEL FOR NIST CYBER SECURITY FRAMEWORK - Sultan, csandit
The National Institute of Standards and Technology (NIST) has issued a framework to provide guidance for organizations within critical infrastructure sectors to reduce the risk associated with cyber security. The framework is called the NIST Cyber Security Framework for Critical Infrastructure (CSF). Many organizations are currently implementing or aligned to different information security frameworks. The implementation of the NIST CSF needs to be aligned with and complement the existing frameworks. NIST states that the NIST CSF is not a maturity framework. Therefore, there is a need to adopt an existing maturity model or create one to have a common way to measure CSF implementation progress. This paper explores the applicability of a number of maturity models to be used as a measure of the security posture of organizations implementing the NIST CSF. This paper reviews the NIST CSF and compares it to other information security related frameworks such as COBIT, ISO/IEC 27001 and the ISF Standard of Good Practice (SoGP) for Information Security. We propose a new information security maturity model (ISMM) that fills the gap in the NIST CSF.
Knowledge Acquisition Based on Repertory Grid Analysis System - ijtsrd
This paper introduces an approach based on repertory grids, a well-known knowledge acquisition and representation technique based on personal construct theory. Repertory grid analysis (RGA) is the most widely applied method of semi-automated interviews used in AI. Several software packages that use RGA improve the knowledge acquisition process. The repertory grid has the cognitive-psychological basis and generality needed to provide excellent elicitation and acquisition facilities. Repertory grids are used as knowledge acquisition tools in the development of expert systems. The goal of knowledge acquisition is gaining insight into the expert's mental model of the problem. This system provides knowledge using knowledge acquisition methods developed on the basis of repertory grid analysis, and helps the user by recommending which products are most similar. Be Nue | Sabai Win "Knowledge Acquisition Based on Repertory Grid Analysis System" Published in International Journal of Trend in Scientific Research and Development (ijtsrd), ISSN: 2456-6470, Volume-3 | Issue-6, October 2019, URL: https://www.ijtsrd.com/papers/ijtsrd29128.pdf Paper URL: https://www.ijtsrd.com/computer-science/artificial-intelligence/29128/knowledge-acquisition-based-on-repertory-grid-analysis-system/be-nue
This paper deals with the risk assessment of different types of electronic and mobile payment systems, as well as the countermeasures to mitigate the identified risks in various electronic and mobile payment systems.
Visualization of Computer Forensics Analysis on Digital Evidence - Muhd Mu'izuddin
- This is my first article; it is for my Final Year Project for the Bachelor of Computer Science (Systems and Networking)
- It will also be uploaded to the CyberSecurity Malaysia E-Bulletin for 2017
FUNCTIONAL AND INFORMATIONAL MODEL OF EXPERT SPECIALIZATION USING IDEF STANDARD - Mandar Trivedi
Suitable CASE tools have been developed for the process of modelling. In building this process, the IDEF0 standard for functional modelling is used, realized through the BPWin tool. The family of integrated IDEF methods is a basic tool of some modern strategies and methodologies of business process improvement, for example BPR, CPI, IPD, TQM, etc. The paper gives a functional and informational model of the ″Process of expert specialization of employees in education″ using the graphical language IDEF0, that is, the CASE tool BPwin.
Dynamic Validity Period Calculation of Digital Certificates Based on Aggregat... - ijcisjournal
The paper proposes a method based on different security-related factors to dynamically calculate the validity period of digital certificates. Currently, validity periods are most often defined statically, without scientific justification. This approach is not sufficient to objectively consider the actual need for security. Therefore, the approach proposed in this paper considers relevant security criteria in order to calculate a meaningful validity period for digital certificates. This kind of security assessment can be executed periodically in order to respond dynamically to changing conditions. Especially in the context of complex systems and infrastructures that have an increased need for security, privacy and availability, this issue is highly relevant.
Availability Assessment of Software Systems Architecture Using Formal Models - Editor IJCATR
There has been a significant effort to analyze, design and implement the information systems to process the information and data, and solve various problems. On the one hand, complexity of the contemporary systems, and eye-catching increase in the variety and volume of information has led to great number of the components and elements, and more complex structure and organization of the information systems. On the other hand, it is necessary to develop the systems which meet all of the stakeholders' functional and non-functional requirements. Considering the fact that evaluation and assessment of the aforementioned requirements - prior to the design and implementation phases - will consume less time and reduce costs, the best time to measure the evaluable behavior of the system is when its software architecture is provided. One of the ways to evaluate the architecture of software is creation of an executable model of architecture.
The present research used availability assessment and took repair, maintenance and accident time parameters into consideration. Failures of software and hardware components have been considered in the architecture of software systems. To describe the architecture easily, the authors used Unified Modeling Language (UML). However, due to the informality of UML, they utilized Colored Petri Nets (CPN) for assessment too. Eventually, the researchers evaluated a CPN-based executable model of architecture through CPN-Tools.
International Journal of Engineering Research and Applications (IJERA) aims to cover the latest outstanding developments in the field of all Engineering Technologies & science.
International Journal of Engineering Research and Applications (IJERA) is a team of researchers, not a publication service or private publisher running journals for monetary benefit; we are an association of scientists and academics who focus only on supporting authors who want to publish their work. The articles published in our journal can be accessed online, and all articles are archived for real-time access.
Our journal system primarily aims to bring out the research talent and the work done by scientists, academics, engineers, practitioners, scholars and postgraduate students of engineering and science. The journal aims to cover scientific research in a broad sense rather than a niche area, enabling researchers from various verticals to publish their papers. It also aims to provide a platform for researchers to publish in a shorter time, enabling them to continue further. All published articles are freely available to scientific researchers in government agencies, educators and the general public. We are making serious efforts to promote our journal across the globe in various ways, and we are confident that it will serve as a scientific platform for all researchers to publish their work online.
Discussion 1 - Recommend three countermeasures that could enhance.docx - elinoraudley582231
Discussion 1
Recommend three countermeasures that could enhance the information security measures of an enterprise. Justify your recommendations.
1. Upon extensive review of the existing IT EBK and what new measures needed to be taken, Homeland Security came to the conclusion that a comprehensive approach to information security including the steps of manage, design, implement, and evaluate would best serve to safeguard against future threats. Manage: calls for the oversight of security programs to come from the highest levels of the chain of command with constant focus on “ensuring its currency with changing risk and threat” (2007, p. 9). Design: calls for analyzing a program to assess what types of “procedures and processes” will best direct its successful execution. Implement: refers to how programs and policies are instituted within the company. Evaluate: this final step calls for a final critique of the new program or policy’s successful ability to [achieve] its purpose (2007, p. 9).
2. Homeland Security also recommended a “Competency and Functional Framework for IT Workplace Development” that placed strong emphasis on a clear chain of command and communication with clear job titles and IT employee roles being placed into a group of Executive, Functional or Corollary employees (2007, p. 17).
3. The report stressed the primary role of “the IT Security Compliance Professional is . . . overseeing, evaluating, and supporting compliance issues pertinent to the organization” (Homeland Security, 2007, p.16). Thus, the report logically concluded that IT professionals must know and be able to properly define terms such as evaluation, compliance and assessment in order to properly perform their duties (p. 14).
Propose three cybersecurity benefits that could be derived from the development of a strategic governance process. Select the benefit you find most important and explain why.
The National Computing Centre points out that there are numerous benefits to having a rigorous strategic governance process in place. Among them, increased transparency and accountability which leads to an “improved transparency of IT costs, IT process, [and] IT portfolio (2005, p. 6). This increased transparency and accountability also leads to an “improved understanding of overall IT costs and their input to ROI cases” which in turn often brings about “an increased return on investment/stakeholder value” (p. 6). Finally, the authors point to the fact that with increased transparency comes increased accountability and companies avoid “unnecessary expenditures” (p. 7).
Discussion 2
Categorize the roles described by the Information Technology Security Essential Body of Knowledge (EBK), in terms of executive, functional, and corollary competencies. Select two of these roles that you believe enhance the security countermeasures of an organization the most and justify your response.
As mentioned previously, Homeland Security’s 2007 report emphasized the importance of properly .
AN EXTENDED SECURITY MEASUREMENT FRAMEWORK FOR OPEN-SOURCE ENTERPRISE RESOURC... - IJNSA Journal
Modern organizations are adopting new ways of measuring their level of security for compliance and justification of security investments. The highly interconnected environment has seen organizations generate lots of personal information and sensitive organizational data. The ease of automation provided by open-source enterprise resource planning (ERP) software has accelerated its acceptance. The study aimed at developing a security measurement framework for open-source ERP software. The motivation was twofold: the paradigm shift towards open-source ERP software and the need for justified investment in information security. A product quality evaluation method based on the ISO 25010 framework guided the selection of attributes and factors. A security measurement framework with security posture at the highest level, followed by attributes and factors, was developed, presenting a mechanism for assessing an organization’s level of security. Security posture promotes customers’ confidence and gives management a means to leverage resources for information security investment. Future work includes the definition of metrics based on the framework.
Similar to 2 fruct hybrid_livshitz_v7_17-03-2018 (20)
The paper considers several examples of non-existent (or imaginary) assets, for which the term "toxic asset" is introduced. It is noted that Russia needs to create a national full-scale, balanced and self-sufficient IT industry which, from its base to the very top layer of the superstructure, must be "permeated" with security functions. A justification is given that the skill of recognizing toxic assets in IT and clearing them out will help specialists substantially improve the required level of information security.
Countering "zero-day" threats by means of instant information security audits - Илья Лившиц
The paper considers the formation of a concept of instant information security audits as one approach to countering modern threats, including "zero-day" threats (APT), in order to increase the effectiveness of the ISMS.
Method for performing integrated audits of industrial facilities to ensure... - Илья Лившиц
The attention specialists pay to modern ISO standards is driven by a reasonable desire to apply "best practices" in everyday work, i.e. to ensure effective and cost-efficient management of the enterprise. Obviously, specialized standards such as ISO 50001 (EnMS) do not "automatically" give a detailed and precise answer on how best to implement them, where to start, or which documents to develop. One approach that has proven itself in practice is the application of an integrated audit method to ensure effective and cost-efficient implementation of an EnMS.
The proposed method provides a "soft" immersion of personnel into the complex engineering and economic specifics of ISO 50001, ensures unification of IMS documentation, accounts for the reduction of overall project costs (labour intensity) owing to unified management principles and a single audit team, and achieves the planned results within unified management of the IMS. The method is proposed for application at various complex industrial facilities, where a halt of operations is unacceptable and at the same time a high engineering capacity of the project team is required.
Implementation of energy management systems in accordance with the requirements of ISO 50001:20... - Илья Лившиц
The energy management standard ISO 50001:2011 (EnMS) is considered new and attracts a certain attention of specialists seeking to optimize management. This publication draws attention to the possibility of integration when solving the "narrow" tasks of an EnMS and a broader range of problems (for example, cost management and integrated security) at various industrial facilities. It is also possible to propose, in practice, for solving the problem of integrated security of industrial facilities, the application of a system of audits, management review and continual improvement of effectiveness within a single integrated management system of the organization.
Determining the budget for implementing an information security management system project... - Илья Лившиц
This publication briefly considers the problem of forming economic estimates of information security processes. The problem is important because a variety of approaches are currently used to justify the budget for the normal operation of an ISMS. The main focus is on the difficulty of estimating the costs of providing the level of information security required by the business, in the absence of acceptable (recognized) industry information security metrics and with problems in reliably assessing ISMS effectiveness. With this problem in mind, formulas are proposed for calculating the budget of an ISMS project based on an assessment of the consequences of information security incidents and the effectiveness of the various measures (controls) applied; in addition, a practical case is considered that explains the calculation for a specific modelled situation.
The proposed numerical estimate of information security costs is based on information security metrics (assessments of the effectiveness of measures and controls), uses assessments of the consequences of information security incidents (confirmed by objective audit data), and makes it possible to form an overall budget estimate for implementing an ISMS project so as to achieve the level of information security set by top management. These results can be applied in forming, reviewing, optimizing and documenting the justification of ISMS budgets formed to achieve the required level of information security in various organizations.
Application of risk-oriented standards for ensuring integrated security... - Илья Лившиц
This paper proposes some approaches to solving the problem of continual improvement of the effectiveness of management systems (MS/IMS) of industrial enterprises as complex industrial facilities on the basis of modern risk-oriented standards (the 9001, 20000, 22301 and 27001 series). Given the relative novelty of these standards in practical application to the problem studied, the proposed approaches may be useful in planning a risk management system (based on the 31000 standard) and assessing possible losses within the business processes of the MS (IMS), and in particular for solving practical tasks of ensuring integrated security.
ON THE ISSUE OF ASSESSING EFFECTIVENESS IN IMPLEMENTING INFORMATION SECURITY MANAGEMENT SYSTEMS... - Илья Лившиц
The relevance of this publication stems from continued attention to the analysis and interpretation of the results of implementing information security management systems (ISMS). When analyzing such projects, as a rule, only the minimum requirements are taken into account, based on the known methodological base, the international ISO 27000 series standards. However, using only the "certification" standard ISO 27001 to analyze ISMS effectiveness is objectively insufficient; the special standard ISO 27004, which contains rules for working with information security metrics, is additionally required. This study, first, reviews the current regulatory base of the ISO 27001 series and, second, shows the practical application of information security metrics, which substantially extend the possibilities of assessing ISMS effectiveness, and gives recommendations on forming
Study of the dependence of certification under international ISO standards on the type... - Илья Лившиц
The process of designing, creating and implementing modern management systems is, at the current stage of society's development, objectively not a matter of a technical (technological) nature. Obviously, implementing a project without serious elaboration, precise risk calculation and assessment of the necessary resources (budget, personnel, licences, etc.) is impossible for a modern organization operating under tough competitive conditions. For government organizations all of the above is reinforced by the requirements of national security, which is confirmed both by legislative requirements and by the practice of executing IT projects. This paper proposes some approaches to implementing a decision-support process for selecting a development model for a modern organization at the design phase and assessing the acceptability of the choice: by the composition of management systems, by applicable standards, and by the need for certification as a function of ensuring stable growth, security of business processes, and protection of valuable assets (including intangible ones), based on ISO certification statistics.
Approaches to applying an integrated management system model for conducting... - Илья Лившиц
For complex industrial facilities, ensuring integrated security is an extremely important problem, and it is especially relevant for modern airport complexes (AC). AC are characterized by a significant set of requirements that must be taken into account: aviation security (AS), personnel safety, the safety of aircraft, and the engineering infrastructure. To ensure the safe operation of an AC, integrated control systems are used that include management systems (MS) conforming to various standards, including international ones (ISAGO, ISO, ISO/IEC, etc.). Assessing the effectiveness of such MS is a known problem. It seems appropriate to consider this task on the basis of an IMS model supplemented with a block for conducting integrated audits that accounts for the specifics of AS. The publication presents the results of calculations using the presented IMS model with an extended set of criteria for AC. In the agreed opinion of experts, the requirements of the "basic" ISO standards are significantly lower in priority than the ISAGO (IATA) requirements that are "core" for AC.
A METHOD FOR THE NUMERICAL ASSESSMENT OF INFORMATION SECURITY VULNERABILITIES AND THREATS FOR... Ilya Livshits
The topicality of analysing vulnerabilities and threats to critical systems applies fully to the national payment system (NPS) of the Russian Federation. This study examined the current regulatory base of the Bank of Russia's set of standards on ensuring the information security of organizations of the banking system (STO BR IBBS) (2014 version), demonstrated the practical application of current ISO 27000 series standards, and gave recommendations for mitigating (countering) threats to the NPS in the future.
RISK-ORIENTED STANDARDS FOR MANAGEMENT SYSTEMS OF INDUSTRIAL ENTERPRISES Ilya Livshits
Variants of approaches are proposed for ensuring the continual improvement of management systems (MS), including integrated ones (IMS), of industrial enterprises as complex objects on the basis of modern risk-oriented standards of the ISO 9001, ISO 27001 and ISO 22301 series. The proposed approaches may be useful in planning risk-management systems, in assessing possible losses within the business processes of an MS (IMS) and in solving practical tasks.
fruct hybrid_livshitz_v7_17-03-2018
The New “Hybrid” Approach for IT-Security Assessment
Ilya Livshitz, Andrey Neklyudov
ITMO University
St. Petersburg, Russia
livshitz.il@yandex.ru, nav7ad@mail.ru
Pavel Lontsikh, Natalya Lontsikh, Elena Golovina
Irkutsk National Research Technical University
Irkutsk, Russia
palon@list.ru
Abstract—It is relevant to evolve the processes of IT security evaluation nowadays. Creating and applying common evaluation approaches for an IT component, as practised by governmental and civil organizations, still does not solve the problem. It is suggested to create a more precise and comprehensive assessment tool for IT security: the “hybrid” method of IT security evaluation for a particular object, which is based on a range of adequate assessment tools.
I. INTRODUCTION
The processes of IT-security evaluation are relevant nowadays. Creating and applying common approaches to IT component evaluation remains an unsolved problem. The main criterion for the suitability of an IT component was whether it had passed a procedure of independent, adequate security conformity assessment.
This is a fascinating procedure, because it fosters a fuller comprehension of the circumstances of IT evolution today and in the long run. This research proposes synthesizing, for a specific object, a “hybrid” approach to IT security evaluation based on a range of adequate and available assessment tools.
II. THE PRECISION AS A TARGET
In order not to introduce a new entity without necessity, the authors propose increasing the precision of IT-security evaluation by synthesizing the final set of adequate assessment tools on the basis of a “hybrid” method adapted to a concrete IT object. The precision of an IT evaluation is determined by the assessment tools and measuring techniques used.
But the most important thing that experience shows is that there should not be too many adequate assessment tools and that, taken together, they should form a basis whose assessment lines are independent of one another (this can be compared with the linear independence of vectors).
III. THE EXPERTISE
In almost any domain, all problems can be solved on the basis of these three quite independent types of expertise:
Experience (E) – the expertise borne by the individual himself.
Requirements (R) – expertise that is fixed on a data carrier in the form of slightly formalized requirements.
Calculation (C) – expertise that is based on measurement and calculation.
Each type of expertise has its own merits and demerits. In some cases a problem can be solved with one type of expertise alone or with an arbitrary combination of them. Moreover, historically everything starts with the E type of expertise. Ideally, however, it is better to use all three types together, in harmonious interaction with each other.
Graphically this can be imagined as a triangle whose vertices represent the “poles” of the expertise types, and whose “body”, beyond the vertices, represents some combination of them; the contribution of each to the proportion is determined by the closeness to the corresponding vertex (see Fig. 1).
Fig.1. Expertise contribution in graphical form
Point A1 represents the expertise contribution before the publication of TCSEC. Point A2 shows the combination of expertise in the “rainbow series” era, when security specifications were first structured, slightly formalized and made accessible to society. Point A3 corresponds to the combination of expertise in the Common Criteria (CC) period, when security and assurance specifications were harmonized with the level of IT evolution, precisely structured and brought to a semi-formal style. It was exactly in the time of CC that the C type of expertise appeared in the expertise proportion, at least because risk was included in the list of security concepts and the correlation between them was investigated.
The aim of the “hybrid” method, as the authors see it, is to increase the contribution of the C type of expertise to a level that will bring point A1 into an optimal zone. This approach requires that IT-security evaluations be done by calculation, just as the estimation of a reliability index or of the resistance index of a cryptographic primitive is carried out.
IV. THE “HYBRID” METHOD OF EVALUATION
As assessment tools for the “hybrid” method, the ISO/IEC 27001 series [1], CC (which may be substituted by the ISO 15408 series [2, 3, 4]) and Data Flow Diagrams (DFD) are used. The last is chosen because, notwithstanding the shift of emphasis from the structural to the object-oriented approach in the analysis and design of information systems, structural notations are widely and effectively used both in business and in system analysis. If desired, DFD may be replaced by another modelling tool, e.g. the Unified Modeling Language (UML).
For the evaluation of industrial automation, tools such as IEC 61508 [5] or IEC 61511 [6] can be useful when information security and functional safety questions need to be tied together. All these assessment tools are maintained in a relevant condition, adequate to the up-to-date level of IT evolution and to consumer demands. Moreover, and this is of no small account, these standards are widely used in practice for valuation, just as DFD is used for system modelling. In the modern IT belief system, which states that “everything is an object”, the “hybrid” method defines the following types of object:
IT – a production method; in the context of our issue, the way information is processed.
IT component – a part of the information processing method, which in turn can be divided into components. When it is necessary to show that an IT component is undivided, it is called an IT element. IT and its components can be established both on a hardware base and without it.
Information Processing System (IPS) – a set of hardware with specified relations, which is used as a base for establishing IT or an IT component.
IPS component – a part of an IPS that, in turn, can also be divided into parts. When it is necessary to show that an IPS component is undivided, it is called an IPS element.
V. THE MAIN IDEA OF THE “HYBRID” METHOD
The primary intent of the suggested “hybrid” method of IT-security evaluation is the ability to make a security assessment with a preset level of refinement of an arbitrary object of evaluation (OE), which can be any IT or its separate component. The “exclusivity” of this method is achieved through a simple but effective solution: building a model of the system in operation and concentrating attention on security questions in the places where that can bring an effective solution, i.e. at a limited number of trusted boundary (TB) points [7, 8].
It is exactly within the TB that control is realized by the security functions or by the functional environment, specified in CC notation. IT-security management measures in ISO/IEC 27001 notation are provided exactly for the TB. Thus the quality of an IT-security evaluation will to a great extent be determined by the validity of the OE model. On the one hand, the need to create an adequate IT model for the OE can cause some difficulties for persons who lack sufficient skills; on the other hand, it must be noted that IT cannot be examined satisfactorily without models of it as a whole or of its components.
The “hybrid” method does not provide for developing a unified list of requirements for the Security Target (ST), or for a range of STs, as would have to be done if the CC doctrine were followed dogmatically. At the same time, however, some structure and forming procedures are adopted partially from the ST. On the one hand this is done so as not to introduce new entities over existing ones; on the other, to provide users of the “hybrid” method with sets of materials compatible with the parts of an ST, which may be useful to them if they decide to develop an ST and certify the OE under CC.
The sequence of operations provided by the “hybrid” method is:
IT structuring.
Device space structuring.
IPS modelling.
Security issue defining.
Security target identification.
Short specification of the valuation object.
A. Step 1. IT structuring
All IT that provides business-process automation is divided into a few realms. The number of realms and their content are determined so as to be convenient and effective to work with. The number and content of the realms are also affected by the concentration, within the borders of one area, of IT that automates business processes similar by some criterion, and by the attainability of the evaluation targets. A realm can be both a composite and a tiered hierarchical structure containing nested realms.
B. Step 2. Device space structuring
The device space occupied by an organization is structured into a few locations (L). Their number depends on the actual position of the organization's assets in the device space, on the convenience and efficiency of work, and on the attainability of the evaluation targets. A location can also be both a composite and a tiered hierarchical structure containing nested locations.
C. Step 3. IPS modelling
The IPS model, which is the base for the IT, is built in terms of DFD. The number of models built is determined so as to be convenient to work with, to give a comprehensive picture at the chosen level of detail and to ensure the accomplishment of the evaluation targets. If needed, more than one model can be developed per system, and a single model can be designed for several similar systems [7, 8]. The IPS model for a real object (from the authors' practical experience) is shown in Fig. 2.
[Fig. 2 is a DFD diagram: location L1 containing realms R2.1, R2.3 and R1.4, processes P1–P4 and P, external entities EE1–EE3, and trusted boundaries TB1–TB6, TB9 and TB10 on the data flows between them.]
Fig.2. IPS model for a real evaluation object
D. Step 4. Security issue defining
Defining the security issue consists of logically determining the IT-security threats, the organization's security policy and the assumptions about the operating environment. Keeping in mind Albert Einstein's maxim that “everything should be made as simple as possible, but not simpler”, we try to avoid an over-detailed elaboration of the security threat information. In the authors' opinion it is necessary and sufficient to determine the security threat information on the IPS model; to obtain the optimal level of detail one proceeds from the DFD objects to the tools that realize them, in practice the IPS components, considering each IPS component as a finite automaton.
The definition of security problems for complex industrial facilities (CIF) is the sequential definition of IT-security threats, the organization's IT-security policies and assumptions about the IT-security environment. We need to emphasize that threats to a CIF are determined using risks, as is customary in international practice ([9], [10], [11], [12], [13], [14], [15]). In accordance with Annex C of ISO/IEC 27005, a list of typical threats is taken into account (see Table I). From this list, on the basis of preliminary surveys of the real CIF, the applicable threats are selected and then ranked according to the degree of their impact on IT-security risks according to ISO/IEC 27001.
TABLE I. THE LIST OF IT-SECURITY THREATS
Type of Threats            | Name of Threat                          | Applicable
Physical                   | Fire                                    | Yes
                           | The water damage                        |
                           | Pollution                               |
                           | Major accident                          | Yes
                           | Destruction of equipment or media       |
Compromise of information  | Disclosure                              |
                           | Data from untrusted sources             |
                           | Criminal use of hardware                | Yes
                           | Criminal use of the software            | Yes
Technical fault            | Saturation of the information system    |
                           | Equipment failure                       | Yes
                           | Malfunction of the software             |
                           | Breach of information system support    | Yes
Compromise of functions    | Falsification of the rights             |
                           | The abuse of rights                     | Yes
                           | The denial of action                    | Yes
                           | Violation from personnel                | Yes
The threats that the object of evaluation must confront are determined by the risk register (for example, in order of severity). An example of defining a risk measure and ranking the applicable threats in ascending order of severity is given in Table II. In accordance with Annex C of ISO/IEC 27005, for the example CIF the applicable threats were ranked by defining measures of risk. The probability and the size of impact are determined on a rank scale in ascending order from 1 (minimal) to 5 (maximum).
TABLE II. DEFINITION OF A MEASURE OF RISK AND RANKING OF APPLICABLE IT-SECURITY THREATS
Name of Threat                        | Size of impact | Probability | Risk size | Treatment risk
Fire                                  | 5              | 1           | 5         | Yes
Major accident                        | 5              | 1           | 5         | Yes
Disclosure                            | 2              | 1           | 2         |
Criminal use of hardware              | 2              | 1           | 2         |
Criminal use of the software          | 2              | 1           | 2         |
Equipment failure                     | 1              | 1           | 1         |
Breach of information system support  | 2              | 1           | 2         |
The abuse of rights                   | 1              | 1           | 1         |
The denial of action                  | 1              | 2           | 2         |
Violation of health personnel         | 2              | 1           | 2         |
The above IT-security threats, without specification of the type of threat source (which may be staff, natural phenomena or technological catastrophes), are carriers of the two main types of threats of the ISO/IEC 15408 series. The results of the risk assessment for the concrete CIF identified the following threats:
T.LA2DF – an external entity, by means of logical access, may affect the availability, confidentiality and integrity of transmitted messages.
T.LA2CoIT – an external entity, through logical access to the target component of the IPS, can disrupt the availability and integrity of the configuration and of the target component of the IPS, as well as the availability, confidentiality and integrity of the information processed by the target component of the IPS.
The risk register for the CIF is formed on the basis of the IPS model, or an existing one is used. In the practice of completed projects [6], as a rule, a good starting point is the analysis of audit results, for example of compliance with the ISO/IEC 27001 series. Table III shows an example of the compliance evaluation of an IPS against real CIF requirements (several items selected from each section of the requirements).
TABLE III. COMPLIANCE WITH ISO/IEC 27001
Point     | Requirement                                                                 | Compliance | Non-conformance
A.6.1.3   | Responsibilities for IT-Security provisioning                               |            | Not fully defined in the job descriptions
A.7.1.1   | Inventory of organization assets                                            | Yes        |
A.10.2.2  | Monitoring and analysis of services provided by third parties and/or organizations |     | Not fully defined (in respect of foreign affiliates)
A.11.3.2  | Equipment user without sufficient supervision                               | Yes        |
A.12.4.1  | Control of the software                                                     | Yes        |
A.15.1.3  | Protection of the organization account                                      | Yes        |
The necessity arises because one of the assessment tools used in a CC evaluation keeps security specifications that in practice appear in a semi-formal style, whereas for a high level of confidence formal ones are really needed. One must note that the really high EAL levels, from 5 upward, mean that all possible controls by mathematical methods are carried out. For example, the Integrity-178B RTOS, an EAL6+ system, is a military operating system (which was used for combat vehicle automation control and for the NASA space shuttle). To make the use of CC as an assessment tool more efficient, it is reasonable to apply it to fairly formalized items, and the IPS model is undoubtedly a formal one.
E. Step 5. Security target identification
Security targets are a brief and abstract statement of the intended solution of the issue already defined. They have three roles:
To present a high-level description of the solution to the issue.
To divide this solution into two parts (one for the evaluation object and the other for the functional environment), reflecting that each entity solves its own part of the issue.
To show that all these parts together amount to a complete solution of the problem.
Defining the security targets proceeds as recommended in CC. On the basis of the security targets and their substantiation, the conclusion is drawn that if all security targets are reached, the security issue defined earlier is solved. That in turn means that all threats are adequately countered and the security assumptions are satisfied.
F. Step 6. Short specification of the valuation object
In this short description the user of the OE can find information on how the given object meets all security function, assurance and IT management specifications. The correspondence between the IPS model and the respective real system is described in natural language. Each DFD notation in the model corresponds to a certain IPS component, data channel or means of TB implementation. In addition, the following points are considered for each TB:
means of TB implementation;
security function and assurance specifications in CC notation;
IT management specifications in ISO/IEC 27001 notation.
In fact, at this stage the security issue is considered for each TB, and that is exactly what provides the high precision of the security assessment of such a complicated OE as IT.
VI. IT-SECURITY RISK ASSESSMENT
To interface the risk assessment procedure with the “hybrid” method of IT-security evaluation, one can take the IPS model, whose validity is confirmed by the IT-security evaluation, as the base for risk assessment and estimate the probability of a threat impact. In this process, the probability of a successful impact of a definite threat on a concrete object in the IPS model is calculated as the product of the probability that a data flow (DF) occurs between the threat source and the target object and the probabilities of the DF overcoming each TB along its way.
It needs to be mentioned that all threat impact probabilities calculated by the method given below are a priori probabilities, so the assessment of the expected damage from a threat impact is also a priori. For that reason the risks, which are calculated as the product of the a priori probability and the a priori assessment of damage, remain a priori themselves. However, as practice is the criterion of truth, the authors believe it useful to repeat the evaluation of posterior risks at some intervals, using the posterior (actual) damage assessment that corresponds to the incidents. For calculating the posterior probability of a security incident the authors recommend using the formula for the failure probability of a recoverable object, as applied in reliability calculations.
VII. EXAMPLE OF THE HYBRID METHOD IMPLEMENTATION
The authors have experience in comparing real IT-security assessments obtained in 2016–2017 by different methods for a single CIF [7, 8]. To ensure identity of scale, the IT-security assessment was expressed as a risk measure. We have used the following formula for the calculation by the new “hybrid” methodology:
$$R_{apr}[R_i] = \frac{V_i^{(k)} \cdot S_i^{(n)}}{V_{max} \cdot S_{max}} \cdot Q_i \qquad (1)$$
Where:
$R_{apr}$ – assessment of a priori risk for realm $R_i$ in the CIF
$R_i$ – the realm $R_i$ of the CIF under study
$V_i^{(k)}$ – a priori probability of realization of threats
$S_i^{(n)}$ – a priori value of damage
$V_{max}$ – the maximum a priori probability of realization of threats
$S_{max}$ – the maximum amount of damage if the threat is credible
$Q$ – maximum value of the risk assessment scale
$k$ – maximum value of the probability (taken as 1)
$n$ – maximum value of the damage (taken as 3)
The limitations of the calculation for the new “hybrid” method by formula (1) are shown below:
$$0 \le R_{apr} \le 10, \quad Q \le 10, \quad V_i^{(k)} \le k, \quad S_i^{(n)} \le n, \quad V_{max} \le 1, \quad S_{max} \le 3$$
To bring the results to a ten-point scale, the risk figures are multiplied by a normalizing factor (risk measures range from 1 to 10; the absence of risk is 0). Table 1 shows the result of comparing a priori risks based on different methods.
The results of the calculation by formula (1) of the new “hybrid” method are presented in Table IV (for the whole set of realms Ri of the real CIF objects).
TABLE IV. THE CALCULATION OF A PRIORI RISK BY THE “HYBRID” TECHNIQUE FOR A CIF OBJECT
IT Realm                               | V_i^(k) (0, 1) | S_i^(n) (0, 1, 2, 3) | R_apr (0, 10)
Realm R1.*                             |                |                      |
Realm R1.1                             | 0,25           | 3,00                 | 2,50
Realm R1.2                             | 0,25           | 3,00                 | 2,50
Realm R1.3                             | 0,25           | 3,00                 | 2,50
Realm R1.4                             | 0,25           | 3,00                 | 2,50
Realm R2.*                             |                |                      |
Realm R2.1 – Confidential Storage      | 0,25           | 2,00                 | 1,67
Realm R2.2 – ERP System                | 0,25           | 2,00                 | 1,67
Realm R2.3 – Internet access           | 0,25           | 1,00                 | 0,83
Realm R3.*                             |                |                      |
Realm R3.1.1                           | 0,25           | 3,00                 | 2,50
Realm R3.1.2                           | 0,25           | 3,00                 | 2,50
Realm R3.1.3                           | 0,25           | 3,00                 | 2,50
Realm R3.1.4                           | 0,25           | 3,00                 | 2,50
Realm R3.2 – control system for R3.1   | 0,25           | 3,00                 | 2,50
Realm R3.3 – control system for R1.*   | 0,25           | 3,00                 | 2,50
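The following Python example is added here and is not the authors' code. It implements the two calculations described above: the Section VI path probability (probability that the data flow occurs, multiplied by the probability of overcoming each TB on its way) feeding V_i, and formula (1) with the scale limits stated under it. The data-flow paths and their probabilities are constructed for illustration; only the limits and the V_i / S_i values come from Table IV.

```python
from dataclasses import dataclass
from math import prod

# Scale limits stated under formula (1)
K = 1.0        # maximum probability value (taken 1)
N = 3.0        # maximum damage value (taken 3)
V_MAX = 1.0    # maximum a priori probability of threat realization
S_MAX = 3.0    # maximum damage if the threat is credible
Q = 10.0       # maximum value of the risk assessment scale


@dataclass(frozen=True)
class DataFlowPath:
    """A data flow (DF) from a threat source to a target object in the IPS model."""
    realm: str
    p_flow: float        # a priori probability that the DF occurs at all
    p_overcome: tuple    # probability of overcoming each TB along the way, in order


def threat_impact_probability(path: DataFlowPath) -> float:
    """Section VI: P(successful impact) = P(DF occurs) * prod P(DF overcomes TB_j)."""
    for p in (path.p_flow, *path.p_overcome):
        if not 0.0 <= p <= 1.0:
            raise ValueError(f"probability out of range: {p}")
    return path.p_flow * prod(path.p_overcome)   # prod(()) == 1: no TB on the way


def a_priori_risk(v_i: float, s_i: float) -> float:
    """Formula (1): R_apr[R_i] = V_i^(k) * S_i^(n) / (V_max * S_max) * Q, with its limits."""
    if not 0.0 <= v_i <= K:
        raise ValueError(f"V_i must lie in [0, {K}]")
    if not 0.0 <= s_i <= N:
        raise ValueError(f"S_i must lie in [0, {N}]")
    r = (v_i * s_i) / (V_MAX * S_MAX) * Q
    assert 0.0 <= r <= 10.0      # the paper's limit 0 <= R_apr <= 10
    return r


def realm_risk_table(paths, damage):
    """Rebuild a Table IV style listing: realm -> (V_i, S_i, R_apr)."""
    rows = {}
    for path in paths:
        v_i = threat_impact_probability(path)
        s_i = damage[path.realm]
        rows[path.realm] = (v_i, s_i, a_priori_risk(v_i, s_i))
    return rows


# Constructed paths (hypothetical): with P(DF) = 0.5 and one TB overcome with
# probability 0.5 the path probability is 0.25, the V_i the paper reports for
# every realm in Table IV. The S_i damage values are the ones from Table IV.
EXAMPLE_PATHS = (
    DataFlowPath("R1.1", 0.5, (0.5,)),
    DataFlowPath("R2.1", 0.5, (0.5,)),        # Confidential Storage
    DataFlowPath("R2.3", 1.0, (0.5, 0.5)),    # Internet access: DF certain, two TBs
)
EXAMPLE_DAMAGE = {"R1.1": 3.0, "R2.1": 2.0, "R2.3": 1.0}

if __name__ == "__main__":
    for realm, (v, s, r) in realm_risk_table(EXAMPLE_PATHS, EXAMPLE_DAMAGE).items():
        print(f"{realm}: V_i={v:.2f} S_i={s:.2f} R_apr={r:.2f}")   # 2.50, 1.67, 0.83
```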
Note that not all IT realms of a real CIF can be covered, for example, by a specific regulatory document such as FSTEC Russia Order N 31 (in contrast to the proposed method) or NIST SP 800-53 (USA national regulation). In particular, region R2.3 – Internet access from workstations – cannot be estimated from the standpoint of, for example, FSTEC Russia Order N 31 or NIST SP 800-53 (USA), since these relate to IT-security control systems. For this reason, Table V reflects only the portion that applies to those IT areas that fall under the requirements of the particular FSTEC Russia order or of NIST SP 800 (USA).
TABLE V. THE CALCULATION OF A PRIORI RISK BY THE “HYBRID” TECHNIQUE FOR A CIF OBJECT IN ACCORDANCE WITH FSTEC ORDER N 31
IT Realm                               | V_i^(k) (0, 1) | S_i^(n) (0, 1, 2, 3) | R_apr (0, 10)
Realm R3.*                             |                |                      |
Realm R3.1.1                           | 1,00           | 3,00                 | 10,00
Realm R3.1.2                           | 1,00           | 3,00                 | 10,00
Realm R3.1.3                           | 1,00           | 3,00                 | 10,00
Realm R3.1.4                           | 1,00           | 3,00                 | 10,00
Realm R3.2 – control system for R3.1   | 1,00           | 3,00                 | 10,00
Realm R3.3 – control system for R1.*   | 1,00           | 3,00                 | 10,00
Based on formula (1), calculations can be performed for other standards and recommendations of a particular industry (for example, based on STO Gazprom for oil and gas industry regulation). All calculation results for all IT realms are summarized in Table VI.
TABLE VI. THE RESULTS OF THE COMPARISON OF A PRIORI RISK ON DIFFERENT METHODOLOGICAL BASES

IT Realm | Hybrid method | Other bases (Order FSTEC 31, Order FSTEC 21, STO Gazprom 4.2.2-01, STO Gazprom 4.2.2-02, STO Gazprom 4.2.2-03; values given only for the bases that cover the realm)
R1.*
R1.1 | 2,50
R1.2 | 2,50
R1.3 | 2,50
R1.4 | 2,50
R2.*
R2.1 | 1,67 | 3,33 6,67 6,67
R2.2 | 1,67 | 3,33 6,67 6,67
R2.3 | 0,83
R3.*
R3.1.1 | 2,50 | 10,00 10,00 10,00
R3.1.2 | 2,50 | 10,00 10,00 10,00
R3.1.3 | 2,50 | 10,00 10,00 10,00
R3.1.4 | 2,50 | 10,00 10,00 10,00
R3.2 | 2,50 | 10,00 10,00 10,00
R3.3 | 2,50 | 10,00 10,00 10,00
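The comparison in Tables IV to VI can be reproduced as a small model: each methodological basis covers a subset of the IT Realms and assigns its own V(k)_i, and the a priori risk is normalized onto the (0, Q) scale. This is an added example, not the paper's code; the normalization Rapr = Q · V · S / S_max is inferred from the values in Tables IV and V (formula (1) itself is not reproduced in this section), and only the two bases those tables fully describe (hybrid, Order FSTEC 31) are modelled.

```python
# Added example (not the paper's code): a priori risk per IT Realm on the (0, Q) scale.
# Normalization R_apr = Q*V*S/S_max is inferred from Tables IV-V, not quoted from formula (1).
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

Q = 10.0    # upper bound of the normalized risk scale (Q = 10)
S_MAX = 3   # S(n)_i is graded 0..3

@dataclass(frozen=True)
class Realm:
    name: str
    severity: int  # S(n)_i in {0, 1, 2, 3}

@dataclass(frozen=True)
class Basis:
    name: str
    v: float                          # V(k)_i in (0, 1) assigned to covered realms
    covers: Callable[[Realm], bool]   # which realms the basis actually regulates

# Severities S(n)_i as listed in Table IV (constructed list, labels shortened).
REALMS: List[Realm] = (
    [Realm(f"R1.{i}", 3) for i in range(1, 5)]
    + [Realm("R2.1", 2), Realm("R2.2", 2), Realm("R2.3", 1)]
    + [Realm(f"R3.1.{i}", 3) for i in range(1, 5)]
    + [Realm("R3.2", 3), Realm("R3.3", 3)])

# Hybrid method: every realm, V = 0.25 (Table IV). Order FSTEC 31: only R3.*,
# V = 1.00 (Table V). Other bases from Table VI can be modelled the same way.
HYBRID = Basis("Hybrid", 0.25, lambda r: True)
FSTEC_31 = Basis("Order FSTEC 31", 1.00, lambda r: r.name.startswith("R3."))

def a_priori_risk(v: float, s: int) -> float:
    """Normalize V(k)_i * S(n)_i onto (0, Q); reject inputs outside the admitted ranges."""
    if not 0.0 <= v <= 1.0 or s not in range(S_MAX + 1):
        raise ValueError(f"V={v}, S={s} outside the admitted ranges")
    return round(Q * v * s / S_MAX, 2)

def assess(basis: Basis) -> Dict[str, Optional[float]]:
    """Per-realm a priori risk under one basis; None where the basis does not apply."""
    return {r.name: a_priori_risk(basis.v, r.severity) if basis.covers(r) else None
            for r in REALMS}

def compare(bases: List[Basis]) -> Dict[str, Dict[str, Optional[float]]]:
    """Realm -> {basis name -> risk}: the layout of Table VI."""
    rows = {b.name: assess(b) for b in bases}
    return {r.name: {b.name: rows[b.name][r.name] for b in bases} for r in REALMS}

if __name__ == "__main__":
    for realm, row in compare([HYBRID, FSTEC_31]).items():
        print(realm.ljust(8), "  ".join(f"{k}: {'-' if v is None else v}" for k, v in row.items()))
```

Realms a basis does not regulate come out as None rather than 0, which keeps the "not covered" case of Table V distinct from a genuinely zero risk.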
The results of the comparison of a priori risk on the (Q = 10) scale for the different methods are shown in Fig. 3 in 3D. It should be noted that the “hybrid” technique gives an estimated a priori risk significantly closer to the actual values of the a posteriori risk than the other existing assessment methods.
Fig. 3. The results of the comparison of a priori risk on different methodological bases in 3D
VIII. CONCLUSION
Nowadays, IT components with security features that meet the demands of civil society are available. All these components have been evaluated for their competence and are suitable for building security capacity.
A new method was suggested to create a more precise IT-security evaluation tool for a particular object: the “hybrid” method of IT-security assessment on the basis of a set of adequate assessment tools.
The new “hybrid” method differs in that the appropriate level of accuracy can be applied to the evaluation of an IT object of any scale, including Complex Industrial Facilities. The evaluation process is strictly based on the applicable field of standards and suitable recommendations corresponding to the current level of IT development in the world.
The comparison of the results of the IT-security risk assessment showed that using the “hybrid” method as the methodological basis for estimating a priori risks gives the result closest to reality (the a posteriori risk). The accuracy of risk assessment with the “hybrid” method increases with the level of detail. Judging the statistical accuracy will possibly require a sufficiently large number of cases.
The IT-security assessment report for a CIF is objective evidence generated from measured values and based on a system of public standards: NIST, ISO/IEC, NECR, etc. This allows the “hybrid” method to be used as the basis for assessing the safety of various CIF within both national and foreign jurisdictions.