A formalized model of an organization information security audit for compliance with the requirements of standards
| Autor: | Sergei A. Reznichenko, Alexei A. Sirotskiy |
|---|---|
| Rok vydání: | 2021 |
| Předmět: |
Information theory
Computer science ComputingMilieux_LEGALASPECTSOFCOMPUTING Information technology General Medicine Information security Audit T58.5-58.64 Object (computer science) Task (project management) Set (abstract data type) GOST (hash function) audit information security standard model control indicators methodology formalization Information security audit Risk analysis (engineering) Information security standards Q350-390 |
| Zdroj: | Bezopasnostʹ Informacionnyh Tehnologij, Vol 28, Iss 3, Pp 103-117 (2021) |
| ISSN: | 2074-7136 2074-7128 |
| Popis: | In general the overall task of an information security audit is to verify that the security system of an object meets the set of criteria that determine the requirements for the security level. In this regard, it is necessary to define and to establish a set of criteria reflecting the security level of the facility and to identify indicators for which objective verification procedures can be carried out. Information security audits can be conducted to ensure compliance with all information security standards. Due to the lack of instructional methodologies for auditing activities to assess the compliance of organization information security with the requirements of systemically important generally applicable documents and standards, studies were carried out on the content and formalizability of requirements using the example of the GOST R ISO/IEC 17799-2005 standard in terms of the building an instructional methodology for auditing IS possibility for compliance with this standard. The purpose of the study is to form a formalized audit methodology when conducting an audit of information security for compliance with standards and regulatory requirements for information security in the absence of developed and generally accepted methods. In the following a formalized model for auditing the organization's information security for compliance with the requirements of standards is developed. The model is based on the principles of maximum independence and objectivity of audit activities. The authors of the paper suggest an approach, which is based on a system of objective indicators comparable to protection functions, and consists in the formation of check lists with appropriate criteria for the correlation of indicators and methods of proving the facts revealed as a result of an audit. On the basis of the proposed model and methodology, it is possible to develop the check lists for any descriptive standard for which an audit is required. |
| Databáze: | OpenAIRE |
| Externí odkaz: |
|