A TECHNIQUE FOR EVALUATION OF INFORMATION PROTECTION LEVEL (Continue3)
Author: Administrator
29.06.2014
Image 
Image 
Image 
Image 
       It should be noted that the given algorithm is applicable under those conditions of system functioning in which threats are realized on system elements in time. For threats to the confidentiality and integrity of information, this means at the moment when the information is being processed in the given elements. For threats of denial of access to the information, it means before the information is processed in the elements or at the moment of processing.

3.3.2 Formation of threat models taking into account the rational distribution of threat implementation means over system elements

       To estimate information security in an IT system it is necessary to consider its various modes of operation, usage scenarios and variants of system construction. For different variants of system construction the threat models will also differ. Clearly, in such cases the characteristics of the system elements can change, and so can the purposes of the system, its topology, the connections between elements and even the system architecture. The rational assignment over the system elements of the threat implementation means available to the threat agent will therefore vary. In the previous item 3.3.1 we considered the rational distribution of means for a given mode of system operation. For that case, such a rational distribution is itself the threat model. However, a threat model can be formed for various combinations of modes of operation, usage scenarios and variants of system construction. Because we form threat models by a rational algorithm, we can speak about the degree of importance of one threat or another for the given application of the system. Thus, in a structure of protection for the given system we are able to take into account the threats that are significant for the system and to justify them. We are also able to justify the sufficiency of the threat agent's expenses for inflicting the maximal damage on the system. In turn, this allows us, in structures of protection for systems, to speak about a maximum level of threats and, in general, about levels of threats for some classes of systems. Using the estimated levels presented in subsection 5.3 “The risk assessment” and having calculated the value of function (3.3.1.1) after the rational distribution of means, it is possible to determine whether information with the given level of importance A(td) can be processed in the system.
If we have determined that, at the given level of threats, information with the given level of importance cannot be processed, then by imposing on the system additional restrictions, assumptions and requirements, including the requirement to implement various formal models of information protection in the system, we can make it possible to process information with the given level of importance A(td) in the system. To trace the level at which the given information can be processed in the system, each time a set of additional requirements is introduced we should evaluate whether the given level is achieved, using the algorithm presented in general form in this item. This algorithm is presented in more detail in the following subsection 3.4.

       For the threat models to be formed correctly, we also need to take into account the time dynamics of the distribution of threat implementation means over the system elements. In other words, we should consider the problem of the rational distribution of means in time for the system. Let us construct algorithm (3.3.1.1.1) so that it takes the time factor into account in three respects: the importance of the information in the system, the time the information takes to pass through the given element of the system, and the possibility of realizing the given threat at the given time. Thus, we can construct a model of IT system functioning under conditions as close as possible to real ones.
 

3.3.2.1 Algorithm of rational distribution of threat implementation means over system elements in the dynamics of its functioning

Algorithm (3.3.2.1.1): 
 
 
 
 
 
Last updated (15.07.2014)
 
A TECHNIQUE FOR EVALUATION OF INFORMATION PROTECTION LEVEL (Continue2)
Author: Administrator
28.06.2014
Image
Image 
Image
Image 
Image
Image
Last updated (15.07.2014)
 
A TECHNIQUE FOR EVALUATION OF INFORMATION PROTECTION LEVEL (Continue)
Author: Administrator
27.06.2014

3.1.4 Integrated information importance

       There is a set of IT systems in which the confidentiality of information does not need to be protected, but the integrity and availability of information play a significant role. An example of such a system is an automated airport dispatching system. However, we shall consider the general case, in which the availability, integrity and confidentiality of information must all be protected in the system.
       The most expedient common criterion is obviously the probability that the information loses its value at the system exit, which happens when at least one of the following events occurs in the system: a breach of information confidentiality, a breach of information integrity, or denial of access to the information.
       In this case, by the rule of addition of probabilities, we obtain the probability that determines the integrated importance:
Image 
 

3.2 Risk assessment

       One of the main questions in evaluating the security of an IT system is the analysis of the possible losses of the organization's material and non-material assets when the organization uses the given IT system under the influence of real threats.
 
       To state the risk assessment task formally, we shall assume that the IT system being evaluated consists of some objects and the communications between them. Let us call the objects and communications the system elements. Section 2 of this work gives the general statement of the problem, in which the system is represented as the graph G(D, B). The graph elements are also defined there as the set E = {D, B} = {ei}L. Subsection 3.1 defines the importance of the information in the system, A(td). So that the established risk level is not exceeded in the system being developed, we should take the following into consideration:
  • the rational distribution of threat implementation means by a threat agent over the system elements;
  • if we know which specific threats will act on the system elements, we can calculate the probability pE(td) that, while the system functions under the influence of threats, the information security in the system is not broken during the given time td.
 Image
 
       To develop a system for processing information with a given level of confidentiality, the following must be taken into consideration in addition. To increase the probability of information availability and integrity in the system, it is expedient to create some redundancy of its elements and of the communications between them, whereas to increase the probability of preserving information confidentiality it is expedient to reduce the number of intermediary elements and of paths over which the information is sent. In both cases, however, the reliability and survivability of the elements must be raised.
Image 
 
       It is possible to develop a set of systems with the risk level we need. The next task of risk assessment is therefore to select, from this set, the system with the minimal cost.
       In developing the model of system functioning, we consider functioning as the process of transferring information from the entrance to the exit of the system when one object accesses another. If the model represents the system as a bipolar graph G(D, B), it makes no sense for the threat agent to attack all elements of the system. It is enough to determine all possible simple sections of the graph (minimal sets of system elements) that separate the poles of the graph, and then the threat agent should determine those sections that require the minimal expenses. Knowing the cost values Cv(ei) of implementing the v-th threat in the i-th element of the system, and knowing how threats can be rationally distributed over the system elements, we can determine the minimal expenses of the threat agent for the rational distribution of threats in the system.
       Thus, we have described the risk assessment algorithm for our statement of the task. It allows us to develop an IT system with the necessary risk level of information value loss in the system, to evaluate the expenses for creating such a system, and to estimate the expenses of the threat agent for breaching information security in the system.
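The search for simple sections and for the cheapest one, described in the paragraphs above, shown as an added example that is not part of the original article. The sample graph, the element names and the cost values are constructed, and pricing each element by its cheapest threat is an assumption made for the example.

```python
from itertools import combinations

# Constructed sample system between the poles "in" and "out":
# objects D = {d1, d2, d3}, communications B = {b1..b6}.
LINKS = {"b1": ("in", "d1"), "b2": ("in", "d2"), "b3": ("d1", "d3"),
         "b4": ("d2", "d3"), "b5": ("d3", "out"), "b6": ("d2", "out")}
# Constructed costs C_v(e_i) of implementing threat v in element e_i.
COSTS = {"d1": {"v1": 7, "v2": 9}, "d2": {"v1": 8, "v2": 6},
         "d3": {"v1": 5, "v2": 12}, "b1": {"v1": 5}, "b2": {"v1": 3},
         "b3": {"v1": 6}, "b4": {"v1": 2}, "b5": {"v1": 4}, "b6": {"v1": 3}}

def connected(removed, src="in", dst="out"):
    """True if information can still pass from src to dst without `removed`."""
    seen, stack = {src}, [src]
    while stack:
        node = stack.pop()
        if node == dst:
            return True
        for name, (a, b) in LINKS.items():
            if name in removed or node not in (a, b):
                continue
            nxt = b if node == a else a
            if nxt not in removed and nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return False

def simple_sections():
    """All minimal sets of elements whose removal separates the poles."""
    found, elements = [], sorted(COSTS)
    for size in range(1, len(elements) + 1):      # smallest sets first
        for combo in combinations(elements, size):
            s = frozenset(combo)
            if any(f <= s for f in found):        # contains a smaller section
                continue
            if not connected(s):
                found.append(s)
    return found

def section_cost(section):
    """Assumption: the agent uses the cheapest threat on each element."""
    return sum(min(COSTS[e].values()) for e in section)

def cheapest_section():
    best = min(simple_sections(), key=lambda s: (section_cost(s), sorted(s)))
    return sorted(best), section_cost(best)

if __name__ == "__main__":
    print(len(simple_sections()), cheapest_section())
```

For the system designer, the elements of the cheapest section are where added reliability or redundancy raises the threat agent's minimal expenses the most.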
 

3.3 Threats models

3.3.1 Rational distribution of threats on elements of systems

       We know that the set E = {D, B} = {ei}L is the set of elements of the graph G that describes our system in the mathematical model. Every i-th element of the system is characterized by A(td), the integrated importance of the information processed in the system. The task is to distribute the N known threat implementation means over the L elements {ei}L of the graph in a rational way. The threat implementation means can be diverse.
Image 
Image 
Image 
 
 
 
 
 
 
 
 
 
Last updated (15.07.2014)
 