The optimization method of the integrated management systems audit program v2+
UDC 004.056
The optimization method of the Integrated Management System audit program
I.I. Livshitz, D.V. Yurkin, A.A. Minyaev
JSC “Gasinformservice”
Kronshtadskaya 10 A, St. Petersburg, 198096, Russia
Abstract. Integrated management systems (IMS) now attract the attention of top management in organizations as diverse as refineries, instrument makers, aviation entities and defense. An important problem remains, however: running IMS audits, and in particular carrying out comprehensive checks against several ISO standards at full scale, while the available resources shrink substantially.
Key words: IT-Security, Integrated Management Systems, standard, audit, IT-security management system.
1. Introduction
Integrated management systems (IMS) are attracting more and more attention from top management. An important problem today is running IMS audits, and in particular carrying out comprehensive checks against several ISO standards at full scale while the available resources shrink substantially. The problem is most pronounced for the IT-Security audit program, since negative consequences there can lead to substantial damage. IT-Security management systems are being implemented more widely in practice, and the move to risk-based analysis increases interest in the rational use of modern risk-oriented ISO standards. Studying the problem of conducting IMS audits therefore also makes it worthwhile to search for ways of optimizing the IMS audit program that are based on continuous adaptation to the data arriving during one micro-cycle of an audit. It is expected that the new method of audit program optimization will allow more rational acceptance of IT-Security control decisions.
2. Problem description
To provide stable development of modern organizations in the context of risks of different origin, it appears reasonable to apply risk-oriented standards and implement an IMS [1, 7, 9]. From the point of view of controlling IMS audits, the proposed method must solve the following important practical tasks [4]:
1. Allocating resources for the audit program;
2. Accounting for the factors that influence the depth of the audit program (leaks, incidents, criminal actions, nonconformities revealed earlier) and thereby defining the volume of the audit program;
3. Collecting verifiable information;
4. Providing the auditors with special knowledge and skills, or inviting engineers.
We should also be aware of the recommendations of PAS 99 for an IMS [9], which allow the specific requirements of conducting combined audits to be taken into account: accounting for risks and flexible control of the IMS audit program volume with regard to the latest results and the importance of the processes [4, 5].
3. Principles of organization of flexible audits
The proposed method of optimizing the IMS audit program is based on the following basic principles:
1. We introduce the concept of an integral evaluation (IE) of IT-Security, which includes a specific group index R_ISMS evaluating all processes submitted for the IT-Security audit. This group index is defined through specific process indexes R_PR, each multiplied by a weight coefficient that depends on the importance of the process for the IT-Security of the concrete object of evaluation (OE).
2. After the basic IT-Security audit is run, the condition of each process is assessed for conformance with the audit criteria, and also for its influence on the IT-Security integral evaluation of the concrete object of evaluation.
3. Subsequent IT-Security audits are conducted by the given method using a flexible approach: the processes with the highest priority for the IT-Security of the concrete object of evaluation, and those where the last audit revealed substantial nonconformities, are subjected to a more detailed check.
4. The frequency and detail of checks, which must differ between checked processes, are likewise aligned with IT-Security. For example, groups of processes that have priority in the integral evaluation (depending, for instance, on the model of actual IT-Security threats) are audited in more detail and more often. The processes with the lowest priority in the integral evaluation for the concrete object of evaluation are checked seldom and in less detail.
5. The depth of the check and the frequency of audits, each time for the k-th audit in a PDCA micro-cycle, are defined by how far the integral evaluation of the concrete object of evaluation is from a stated target index R_target for the complex security evaluation of that object.
In addition we should note the importance of implementing the new standard ISO 55000 [6-8], since many assets are not managed in a proper manner. Accordingly, applying the requirements of one implemented standard (for example, modern ISO 27001) substantially eases the solution of standard security problems that are solved simultaneously; therefore they must be checked simultaneously within combined audits of all MS in the organization (for example, ISO 9001, ISO 50001, ISO 27001) [1-4, 5-8].
4. Statement of the problem
To evaluate the degree to which the IT-Security system conforms to the stated IT-Security requirements during IMS audits, we use private (process-level) and group IT-Security indexes.
For the purpose of conducting IMS audits in the aspect of providing IT-Security, we propose to use the effectiveness index of the IT-Security MS, $R_{ISMS}$, which is calculated in each cycle of the k-th audit by an additive formula with $\alpha$-weight coefficients and the effectiveness index $R_{Pr\,i}$ of each concrete IT-Security process:

$$R_{ISMS} = \sum_{i=1}^{n} \alpha_i \cdot R_{Pr\,i} \qquad (1)$$

where

$$\sum_{i=1}^{n} \alpha_i = 1$$

In turn, the effectiveness index $R_{Pr\,i}$ of each concrete i-th IT-Security process is calculated by an additive formula with $\beta$-weight coefficients and the IT-Security metric indexes $K_{KPI\,j}$ of that i-th process:

$$R_{Pr\,i} = \sum_{j=1}^{m} \beta_j \cdot K_{KPI\,j} \qquad (2)$$

where

$$\sum_{j=1}^{m} \beta_j = 1$$

The relevancy coefficients of the private IT-Security indexes used in calculating the group IT-Security indexes must sum to 1, which normalizes all indexes in the additive formulas (1) and (2) above. Accordingly, the final effectiveness index of the IT-Security MS, $R_{ISMS}$, must be maximized towards 1:

$$R_{ISMS} = \sum_{i=1}^{n} \alpha_i \cdot R_{Pr\,i} \to 1 \qquad (3)$$

During IMS audits, the current nonconformance for the k-th audit is measured constantly as the discrepancy of $R_{ISMS}$ from its objective (maximal) value:

$$\Delta R_{ISMS} = 1 - R_{ISMS} = \sum_{i=1}^{n} \alpha_i \cdot (1 - R_{Pr\,i}) \qquad (4)$$
Based on the results of all audits, carried out in strict accordance with the IMS audit program, we fill in a matrix indexed by IT-Security processes (PR), IT-Security audits (k-audits) and IT-Security metrics (KPI).
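As an added illustration (not the authors' code) of formulas (1)-(4) and of the flexible audit principles of section 3: the process names, weights, KPI values, the target R_target and the greedy rule that picks processes for a detailed check in the next audit are constructed assumptions.

```python
"""Worked example of the additive IT-Security effectiveness index (formulas 1-4)
and the flexible audit planning it drives (section 3).  Added illustration,
not the authors' code; process names, weights, KPI values and R_target are
constructed sample data."""
from __future__ import annotations
from dataclasses import dataclass

EPS = 1e-9  # tolerance for the "weights sum to 1" constraint (assumption)


def is_normalized(weights: list[float]) -> bool:
    """True when all weights are non-negative and sum to 1 within EPS."""
    return all(w >= 0 for w in weights) and abs(sum(weights) - 1.0) <= EPS


@dataclass
class Process:
    """One IT-Security process PR_i submitted to the k-th audit."""
    name: str
    alpha: float         # weight of the process in the integral evaluation
    beta: list[float]    # weights of its KPI metrics, must sum to 1
    kpi: list[float]     # measured K_KPI_j values, each in [0, 1]

    def r_pr(self) -> float:
        """Formula (2): R_Pr_i = sum_j beta_j * K_KPI_j."""
        if len(self.beta) != len(self.kpi):
            raise ValueError(f"{self.name}: one beta per KPI required")
        if not is_normalized(self.beta):
            raise ValueError(f"{self.name}: beta weights must sum to 1")
        if any(not 0.0 <= k <= 1.0 for k in self.kpi):
            raise ValueError(f"{self.name}: KPI values must lie in [0, 1]")
        return sum(b * k for b, k in zip(self.beta, self.kpi))


def r_isms(processes: list[Process]) -> float:
    """Formula (1)/(3): R_ISMS = sum_i alpha_i * R_Pr_i, to be driven towards 1."""
    if not is_normalized([p.alpha for p in processes]):
        raise ValueError("alpha weights must sum to 1")
    return sum(p.alpha * p.r_pr() for p in processes)


def delta_r(processes: list[Process]) -> float:
    """Formula (4): nonconformance dR_ISMS = 1 - R_ISMS = sum_i alpha_i * (1 - R_Pr_i)."""
    if not is_normalized([p.alpha for p in processes]):
        raise ValueError("alpha weights must sum to 1")
    return sum(p.alpha * (1.0 - p.r_pr()) for p in processes)


def plan_next_audit(processes: list[Process], r_target: float) -> tuple[list[str], list[str]]:
    """Flexible planning of audit k+1 (section 3, principles 3-5): rank processes by
    their contribution alpha_i * (1 - R_Pr_i) to the gap and mark them for a detailed
    check, largest first, until the gap left to routine checks is within 1 - R_target.
    The greedy rule is an assumption; the paper only states that high-priority,
    poorly scoring processes get deeper and more frequent checks."""
    contributions = sorted(((p.alpha * (1.0 - p.r_pr()), p.name) for p in processes), reverse=True)
    remaining = delta_r(processes)
    detailed: list[str] = []
    for contribution, name in contributions:
        if remaining <= 1.0 - r_target + EPS:
            break
        detailed.append(name)
        remaining -= contribution
    routine = [name for _, name in contributions if name not in detailed]
    return detailed, routine


# Constructed sample: three processes of one object of evaluation after the k-th audit.
SAMPLE_PROCESSES = [
    Process("access control", alpha=0.5, beta=[0.5, 0.5], kpi=[0.8, 0.6]),      # R_Pr = 0.70
    Process("incident management", alpha=0.3, beta=[1.0], kpi=[0.9]),           # R_Pr = 0.90
    Process("asset management", alpha=0.2, beta=[0.25, 0.75], kpi=[0.4, 0.6]),  # R_Pr = 0.55
]
R_TARGET = 0.9  # target integral evaluation set by top management (constructed)


if __name__ == "__main__":
    print(f"R_ISMS = {r_isms(SAMPLE_PROCESSES):.2f}, dR_ISMS = {delta_r(SAMPLE_PROCESSES):.2f}")
    detailed, routine = plan_next_audit(SAMPLE_PROCESSES, R_TARGET)
    print("detailed check in audit k+1:", detailed)
    print("routine check in audit k+1:", routine)
```

With the sample data the integral evaluation is R_ISMS = 0.73, so the gap of 0.27 to the maximum exceeds the 0.10 allowed by R_target and the two largest contributors are scheduled for a detailed check.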
5. Basic optimization cycle of IMS audit program
In terms of known audit standards (in particular [4,5]), we offer a method of multistage
optimization of IMS audit processes for the complex industrial objects (CIO), which let us to
provide the system of coordination, distribution of recourses and system of effective
reduction of results of IMS audits till the person who takes decision. This method consists of
scientifically grounded and object-oriented immediate functioning of IT-Security subsystem
within IMS and it differs from existing methods with cyclic continuous evaluation of
effectiveness on the basis of optimal system of IT-Security numeral indexes (metrics). The
offered method consists of two connected cycles of optimization of IMS audits program that
differs with the existence of:
1. A basic optimization cycle, which characterizes the effective conduct of IMS audits in terms of the efficiency evaluation of each IT-Security process PR_i and each IT-Security metric KPI_j, and also defines the cycles of resource optimization in the audit program: depth ("scope"), size of the auditor's sample, number of auditors (engineers) involved, etc.
2. A quick block for evaluating the efficiency of corrections and corrective actions in the current k-audit, covering the changes to each subsequent IT-Security process and to the next (k+1) audit program. It also provides a fast transition to the evaluation of the IMS efficiency index R_ISMS in the k-audit and the k+1 audit, for constant and effective optimization of the whole IMS audit program.
Let us consider the basic optimization cycle of the IMS audit program, which was built on the formal requirements of the ISO audit standards and the ISAGO standards, supplemented with new components (see Fig. 1):
- formation of the efficiency evaluation of each k-audit;
- formation of a fast efficiency evaluation of corrections (corrective actions);
- formation of a quick feedback link in the current audit cycle;
- formation of the system reaction, complication or easing, depending on the current integral evaluation in the current audit cycle;
- formation of the integral evaluation of IMS security.
The preconditions (data inputs) for starting the basic optimization cycle of the audit program are:
- T0, the basis period of IT-Security audits;
- S0, the basic (planned) price of IT-Security audits;
- V0, the basic volume of IT-Security audits (number of units);
- F0, the basic list of functional questions of IT-Security audits;
- O0, the basic list of attended IT-Security audit objects.
[Fig. 1 flowchart; recovered node labels: (1) Formation of the audit program; (2) Formation of the k-audit plan; (3) Formation of the monitoring by j-metrics K_KPI for Pr_i processes in the k-audit; (4) Formation of the evaluation of Pr_i processes and of the integral evaluation R_ISMS in the k-audit; (5) Realization of the audit program cycle, planning the k+1 audit; (6) Formation of mismatches of the k-audit; (7) Formation of the plan of corrective actions for the k-audit; (8) Completion of the audit program. Inputs: α_i, β_j, K_KPI pr j and the basic planning conditions T0, S0, V0, F0, O0. Decision nodes R_ISMS <> 1 and R_ISMS(corr) <> 1 lead either to "complication" or to "easing" of the planning conditions T_k+1, S_k+1, V_k+1, F_k+1, O_k+1; intermediate outputs are R_PR_i, R_ISMS, ΔR_PR_i, ΔK_KPI pr j and R_ISMS(corr).]
Fig.1 – Basic optimization cycle of IMS audit program
The description of the basic optimization cycle of the IMS audit program is given in Table 1.
Table 1 - The description of the basic optimization cycle of the IMS audit program
(columns: №, Action, Result)

1. Action: Formation of the audit program.
   Result: R_ISMS ≥ R_ISMS tar, by formulas (1), (2). Specified:
   - α, weight coefficient of an IT-Security process (for a group metric);
   - β, weight coefficient of an IT-Security metric of a process (for a private metric);
   - k, number of IT-Security audits in the audit program;
   - R_ISMS, current integral evaluation of IT-Security MS efficiency;
   - R_ISMS tar, target integral evaluation of IT-Security MS efficiency;
   - Δ, possible deviation (formula 4);
   - K_PRi, target index of i-process efficiency;
   - K_KPIj, target index of j-metric efficiency for the i-process.
2. Action: Formation of the k-audit plan.
   Result: Confirmation of the k-audit plan.
3. Action: Carrying out the k-audit.
   Result: Report on the results of the k-audit.
4. Action: Formation of the monitoring of the k-audit results, i.e. of K_PRi and K_KPIj.
   Result: Filling the audit database with the K_PRi and K_KPIj indexes.
5. Action: Formation of the R_ISMS evaluation, the integral evaluation of the k-audit.
   Result: Filling the audit database with R_ISMS for the k-audit.
6. Action: Evaluation of the degree of progress of R_ISMS by the k-audit results against the target index R_ISMS tar.
   Result: Filling the audit database with R_ISMS for the k-audit.
7. Action: If R_ISMS ≥ R_ISMS tar, i.e. the fixed efficiency index is reached, the audit program manager is informed about a possible "softening" of the k+1 audit planning conditions. Then go to step 13, the realization (continuation) of the audit program and carrying out the k+1 audit.
   Result: Report on the results of the k-audit.
8. Action: If R_ISMS < R_ISMS tar, i.e. the fixed efficiency index cannot be reached, the list of mismatches of the k-audit is formed. Carrying out the k+1 audit can be stopped by the audit program manager's decision with the aim of reducing expenses.
   Result: Report on the results of the k-audit.
9. Action: From the list of mismatches formed in the previous step, the correction plan and the corrective actions for the determined mismatches of the k-audit are formed.
   Result: Filling the audit database with the K_PRi and K_KPIj indexes for the k-audit, which characterize the degree of deviation from the target index of the PRi IT-Security process as a whole and of the private K_KPIj indexes.
10. Action: Evaluation of the efficiency of the correction and corrective actions for the mismatches determined by the results of the k-audit.
    Result: Filling the audit database with R_ISMS(corr) for the k-audit.
11. Action: If R_ISMS ≥ R_ISMS tar, i.e. the fixed index of efficiency of corrective measures for all mismatches determined by the k-audit results is reached, the audit program manager is informed and, in the absence of other mismatches during the period of realization of the corrective measures, the audit program ends.
    Result: Report on the results of the k-audit.
12. Action: If R_ISMS(corr) < R_ISMS tar, i.e. the fixed index of efficiency of corrective measures for all mismatches determined by the k-audit results cannot be reached, the audit program manager is informed about a possible complication of the audit planning conditions. Then go to step 13, the realization (continuation) of the audit program and carrying out the k+1 audit.
    Result: Report on the results of the k-audit.
13. Action: If the efficiency of the corrective measures for all defined mismatches is confirmed at the k+1 audit, the program moves to the following realization (continuation) of the audit program and carrying out the k+1 audit.
    Result: The realization of the audit program.
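As an added illustration, not part of the paper, the following Python computes formulas (2), (3) and (4) for one k-audit, enforces the normalization of the α and β weights required in point 3 above, and applies the decision of steps 7 and 8 of Table 1; the process names, weights and metric values are constructed, and per-process target indexes K_PRi are not modeled.

```python
from typing import Dict, List, Tuple

TOL = 1e-9  # tolerance for the "weights sum to 1" check

def weighted_index(weights: List[float], indexes: List[float]) -> float:
    """Additive convolution shared by formulas (1)-(3): sum of w_j * x_j. Weights must
    be non-negative and sum to 1 (point 3 above), which keeps the result inside [0, 1]."""
    if len(weights) != len(indexes):
        raise ValueError("weights and indexes differ in length")
    if any(w < 0 for w in weights) or abs(sum(weights) - 1.0) > TOL:
        raise ValueError("weights must be non-negative and sum to 1")
    if any(not 0.0 <= x <= 1.0 for x in indexes):
        raise ValueError("indexes must lie in [0, 1]")
    return sum(w * x for w, x in zip(weights, indexes))

def process_index(beta: List[float], k_kpi: List[float]) -> float:
    """Formula (2): R_Pr_i = sum_j beta_j * K_KPI_j for one IT-Security process."""
    return weighted_index(beta, k_kpi)

def isms_index(alpha: List[float], r_pr: List[float]) -> float:
    """Formula (3): R_ISMS = sum_i alpha_i * R_Pr_i, which should tend to 1."""
    return weighted_index(alpha, r_pr)

def deviation_terms(alpha: List[float], r_pr: List[float]) -> List[float]:
    """Formula (4) term by term: alpha_i * (1 - R_Pr_i); their sum is Delta R_ISMS."""
    return [a * (1.0 - r) for a, r in zip(alpha, r_pr)]

# Constructed k-audit data: process name -> (beta_j weights, K_KPI_j values).
SAMPLE_AUDIT: Dict[str, Tuple[List[float], List[float]]] = {
    "A": ([0.5, 0.3, 0.2], [1.0, 0.8, 0.9]),
    "B": ([0.6, 0.4], [0.7, 1.0]),
    "C": ([1.0], [1.0]),
}
ALPHA = [0.5, 0.3, 0.2]  # constructed alpha_i for A, B, C (sum to 1)

def evaluate_k_audit(audit, alpha, r_target):
    """Steps 4-8 of Table 1: process indexes, integral index, deviation and the
    decision for the k+1 audit (soften conditions, or form the mismatch list)."""
    names = list(audit)
    r_pr = [process_index(*audit[n]) for n in names]
    r_isms = isms_index(alpha, r_pr)
    terms = deviation_terms(alpha, r_pr)
    # Processes ranked by weighted contribution to Delta R_ISMS: this orders the
    # mismatch list of step 8 by how much each process holds R_ISMS back.
    ranked = sorted(zip(names, terms), key=lambda t: t[1], reverse=True)
    decision = "soften k+1 conditions" if r_isms >= r_target else "form mismatch list"
    return {"R_Pr": dict(zip(names, r_pr)), "R_ISMS": r_isms, "delta": sum(terms),
            "deviation_by_process": ranked, "decision": decision}
```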
6. The quick block of efficiency evaluation of the IMS audit program
The quick block for evaluating the efficiency of corrections and corrective actions in the current k-audit, which covers the changes to the next process and to the following k+1 audit program, together with the quick transition to the evaluation of the IT-Security MS efficiency index R_ISMS, is shown in Fig. 2.
The description of the quick block of efficiency evaluation of the IMS audit program is given in Table 2.
[Fig. 2 flowchart; recovered node labels: (1) Formation of the mismatches list on the k-audit; (2) Formation of the mismatches list for Pr_i processes in the k-audit, recount of α_i; (3) Formation of the mismatches list on j-metrics K_KPI for the Pr_i process in the k-audit, recount of β_j; (4) Formation of the corrective actions plan of the k-audit, recount of K_KPI pr j; (5) Carrying out the k+1 audit with changed characteristics (R_ISMS(corr) = 1); (6) Efficiency evaluation of the audit program; (7) Realization of the audit program cycle. Inputs: α_i, β_j, K_KPI pr j and the basic planning conditions T0, S0, V0, F0, O0. Decision nodes: R_ISMS(corr)k <> 1, and the analysis of the integral evaluations R_ISMS(corr)k and R_ISMS(corr)k+1 of the k and k+1 audits, branching on R_ISMS(corr)k+1 > R_ISMS(corr)k versus R_ISMS(corr)k+1 <= R_ISMS(corr)k; the branches change (complicate) the conditions Ti+1, Si+1, Vi+1, Fi+1, Oi+1 for programming the audits or for improving the Pr_i process, after which R_ISMS is recounted.]
Fig.2 - The quick block of efficiency evaluation of IMS audit program
Table 2 - The description of the quick block of efficiency evaluation of the IMS audit program
(columns: №, Action, Result)

1. Action: Formation of the audit program.
   Result: Specified:
   - α, weight coefficient of an IT-Security process (for a group metric);
   - β, weight coefficient of an IT-Security metric of a process (for a private metric);
   - k, number of IT-Security audits in the audit program;
   - R_ISMS, current integral evaluation of IT-Security MS efficiency;
   - R_ISMS tar, target integral evaluation of IT-Security MS efficiency;
   - γ, number of audits in the audit program;
   - Δ, possible deviation (formula 4);
   - K_PRi, target index of i-process efficiency;
   - K_KPIj, target index of j-metric efficiency for the i-process.
2. Action: If mismatches against the basic audit criteria are defined, the list of k-audit mismatches is formed.
   Result: The list of k-audit mismatches.
3. Action: Each defined mismatch is subsequently matched to a certain IT-Security PR i-process. The (group) weight coefficient of the IT-Security PR i-process is recounted.
   Result: Filling the audit database with the new α index.
4. Action: Each defined mismatch is subsequently matched to a j-metric and to the K_PRi index of a certain IT-Security PR i-process. The β (private) weight coefficient for the metrics of the IT-Security PR i-processes is recounted.
   Result: Filling the audit database with the new β index.
5. Action: The plan of corrective actions for the k-audit is formed. The PR i-objective index of i-process efficiency is recounted.
   Result: Filling the audit database with the new K_PRi index.
6. Action: Evaluation of the efficiency of the correction and corrective actions for the k-audit.
   Result: Filling the audit database with the R_ISMS(corr) index for the k-audit and the new values T1, S1, V1, F1, O1.
7. Action: If R_ISMS(corr) < R_ISMS tar, i.e. the fixed index of efficiency of corrective measures for all mismatches determined by the k-audit results cannot be reached, the audit program manager is informed about a possible complication of the audit planning conditions. Then go to step 5, the formation of the corrective actions plan for the k-audit and the recount of the group (α) and private (β) coefficients for each mismatch.
   Result: Report on the results of the k-audit.
8. Action: If R_ISMS ≥ R_ISMS tar, i.e. the fixed index of efficiency of corrective measures for all mismatches determined by the k-audit results is reached, the next audit, the k+1 audit, is realized taking into account the new parameters changed by the results of the successful realization of corrective actions in the last audit.
   Result: Report on the results of the k-audit.
9. Action: Analysis of the integral evaluations for the k and k+1 audits: R_ISMS(corr)k and R_ISMS(corr)k+1.
   Result: Filling the audit database with the R_ISMS(corr)k index for the k-audit and R_ISMS(corr)k+1 for the k+1 audit.
10. Action: If R_ISMS(corr)k+1 ≤ R_ISMS(corr)k, the audit program manager is informed about a possible complication of the audit planning conditions. Evidently, this will increase the expenses of carrying out the subsequent audits. Then go to step 5, the formation of the corrective actions plan for the k-audit and the recount of the group (α) and private (β) coefficients for each mismatch.
    Result: Report on the results of the k-audit.
11. Action: If R_ISMS(corr)k+1 > R_ISMS(corr)k, the audit program manager is informed about a possible return to the basic audit planning conditions. Then go to step 5, the formation of the corrective actions plan for the k+1 audit and the recount of the group (α) and private (β) coefficients for each mismatch.
    Result: Report on the results of the k-audit.
12. Action: In the case of an increasing degree of program efficiency, R_ISMS(corr)k+1 > R_ISMS(corr)k, the audit program is evaluated, including the economic aspect (minimization of the S parameter).
    Result: Report on the results of the k-audit.
7. Conclusions
The given method of ISMS audit program optimization is based on modern risk-oriented standards and provides constant optimization of the conduct of IT-Security audits on the basis of combined flexible adaptive algorithms.
References
1. ISO/IEC 27001:2013. Information technology. Security techniques. Information security management systems. Requirements. International Organization for Standardization, 2013. 23 p.
2. ISO/IEC 27000:2014. Information technology. Security techniques. Information security management systems. Overview and vocabulary. International Organization for Standardization, 2014. 31 p.
3. ISO/IEC 27004:2009. Information technology. Security techniques. Information security management systems. Measurement. International Organization for Standardization, 2009. 55 p.
4. ISO 19011:2011. Guidelines for auditing management systems. International Organization for Standardization, 2011.
5. ISO 17021:2011. Conformity assessment. Requirements for bodies providing audit and certification of management systems. International Organization for Standardization, 2011.
6. ISO 55000:2014. Asset management. Overview, principles and terminology. International Organization for Standardization, 2014. 19 p.
7. ISO 55001:2014. Asset management. Management systems. Requirements. International Organization for Standardization, 2014. 14 p.
8. ISO 55002:2014. Asset management. Management systems. Guidelines for the application of ISO 55001. International Organization for Standardization, 2014. 32 p.
9. PAS 99:2012. Specification of common management system requirements as a framework for integration.