Abstract—The application of Integrated Management Systems (IMS) is now attracting the attention of the top management of a variety of organizations: refineries, machinery, instrument-making, aviation, defense, etc. However, the major problem remains the performance of IMS audits, that is, the full implementation of the complex set of checks from different ISO standards under a substantial limitation or reduction of available resources. At the same time, the continuous improvement of management principles, and in particular the transition to risk-based thinking, creates greater interest in the rational use of ISO standards. This paper presents a technique for optimizing the IMS audit program, based on the principle of continuous adaptation as data are entered within a single audit micro-cycle. An additional advantage of the proposed technique is its use of numerical IT-security audit metrics, which contribute to the continuous improvement of the IT-security level of organizations.

Keywords—Information security; Information Security Management System; audit; risk management; threats; vulnerabilities; Standards.

I. INTRODUCTION

Recently, the application of integrated management systems (IMS) has attracted the attention of the senior management (decision makers) of various organizations. Cases in which a modern organization from a diverse industry sector (oil, instrument-making, aircraft and defense) implements only one management system (SM) have become almost isolated; by contrast, IMS projects are now typically implemented. Consider some of the largest Russian organizations, in which the authors had the opportunity to perform audits over the long period 2010-2015.

However, an important issue remains: ensuring the implementation of the audit programme for information security management systems (ISMS), that is, the implementation of the full set of checks from various ISO standards with a significant reduction in available resources. To a large extent this problem consists in ensuring the IMS audit program for information security (IT-Security) audits, as the negative effects of incidents can result in significant damage to the organization, up to the termination of its activities. At the same time, the principles of continuous improvement of management and, in particular, the transition to risk-based thinking, create increased interest in the rational use of modern risk-oriented standards [1 - 5].

Accordingly, of particular interest is the study of problems in the execution of IMS audits, as well as finding ways to optimize the IMS audit program based on the principle of continuous adaptation of the data within one micro-cycle of PDCA (Plan-Do-Check-Act), the basic audit cycle. On the basis of IMS audit practice, a new method of optimizing the audit program is proposed, which will enable more rational decision making for decision makers in today's complex economic environment [6 – 8].

II. AUDIT TASK DEFINITION

As previously noted, to ensure the stable development of modern organizations in the presence of risks of different origin, it seems reasonable to use risk-based standards and to introduce an IMS [9 - 11]. From the point of view of managing the IMS audit within the proposed technique, we note the need to address the following important practical problems (the paragraphs of the management-system audit standard ISO 19011 [18] are indicated in parentheses):

A. The problem of resource allocation for the audit program:
The development of an audit programme (5.1),
Identification and risk assessment of audit programs (5.3.4),
Identification of resources for the audit program (5.3.6).

B. The task of taking into account the factors that affect the depth of the audit program – leakage incidents, the manifestation of criminal actions, previously identified inconsistencies – and, therefore, of determining the scope of the audit programme (5.3.3).

C. The task of collecting verifiable information (6.4.6).

D. The task of providing the special knowledge and skills of auditors (7.2.3.3), or the involvement of technical experts, in:
Types of activity,
Requirements of stakeholders,
Knowledge of the security process,
Knowledge of the technical means and measures to ensure information security.
... deterministic constraints, and constrained optimization (the beginning

where:
$F(y) \in \mathbb{R}^m$,
$f(y) \in \mathbb{R}^{k+1}$,
$f(y)$ is the objective function of the $m$-dimensional vector argument $y$, such that
$y = (y_1, y_2, \dots, y_m)$,
where $y \in D \subset \mathbb{R}^m$.
The range of permissible values:
$g_i(y) \le 0, \quad i = 1, \dots, N$,
$T$ – the period of information security audits;
$S$ – the planned cost of information security audits;

[Figure: block diagram of the audit-program micro-cycle (blocks 1–6): realization of the cycle of audit program planning; formation of the k-audit plan; formation of monitoring by j-metrics K_KPI for Pr_i processing in the k-audit; formation of the evaluation of Pr_i processing and of the integral evaluation R_ISMS in the k-audit (R_Pr_i, R_ISMS); check R_ISMS <> 1; changing (easing) or changing ("complicating") the conditions for planning audits: T_{k+1}, S_{k+1}, V_{k+1}, F_{k+1}, O_{k+1}; formation of mismatches of the k-audit.]
REFERENCES

[1] ISO/IEC 27001:2013. Information technology. Security techniques. Information security management systems. Requirements. International Organization for Standardization, 2013. 23 p.
[2] ISO 55000:2014. Asset management. Overview, principles and terminology. International Organization for Standardization, 2014. 19 p.
[3] ISO 55001:2014. Asset management. Management systems. Requirements. International Organization for Standardization, 2014. 14 p.
[4] ISO 55002:2014. Asset management. Management systems. Guidelines for the application of ISO 55001. International Organization for Standardization, 2014. 32 p.
[5] PAS 99:2012. Specification of common management system requirements as a framework for integration.
[6] Shishkin V., Yusupov R.M. Doktrina informacionnoi bezopasnosti Rossi'skoy Federacii – opit kolichestvennogo modelirovaniy. Tr. SPIIRAN. 2002. Vyp. 1. Tom 1.
[7] Yusupov R.M., Shishkin V. O nekotorih protivorechiyah v reshenii problem informacionnoi besopasnosti. Tr. SPIIRAN. 2008. Vyp. 6. pp. 39–59.
[8] Kotenko I.V., Saenko I.B., Yusupov R.M. Analiticheskiy obzor dokladov Mezhdunarodnogo seminara "Nauchniy analis i podderzhka politik bezopasnosti v kiberprostranstve" (SA&PS4CS 2010). Tr. SPIIRAN. 2010. Vyp. 2. pp. 226–248.
[9] Livshits I., Poleshuk A. Prakticheskay ocenka resultativnosti ISMS v sootvetstvii s trebovaniyami razlichnih system standartizacii: ISO 27001 i STO Gazprom. Tr. SPIIRAN. 2015. Vyp. 3. pp. 33–44.
[10] Livshitz I. [Practical purpose methods for ISMS evaluation]. Menedzhment kachestva – Quality Management. 2013. Vol. 1. pp. 22–34. (In Russ.)
[11] Livshitz I. [Approaches to the application of the integrated management system model for carrying out audits for complex industrial facilities – airport complexes]. Trudy SPIIRAN – SPIIRAS Proceedings. 2014. Vol. 6. pp. 72–94. (In Russ.)
[12] Arzamazov M.A., Serov G.P. Konsolidatsiya obshich trebovani' k otdel'nym sistemam menegmenta i innovatcii pri razrabotke integrirovannih sistem menegmenta. Nauka i technologii truboprovodnogo transporta nefti i nefteproduktov. 2012. Vyp. 1. pp. 52–55.
[13] Malysheva E.Y., Bobrovski' S.M. Architektura informacionno' sistemy ocenki integrirovannih sistem menegmenta. Vektor nauki Tol'atti Universitet. 2012. Vyp. 1. pp. 64–67.
[14] Ajam M., Alshawi M., Mezher T. Augmented process model for e-tendering: toward integrating object models with document management systems. Automation in Construction. 2010. Vol. 19. No. 6. pp. 762–778.
[15] Sheverda V.V. Podhody k razrabotke integrirovannih sistem menegmenta na predpriyatiyah elektronno' promyshlennosti. Voprosy sovremennoy nauki i praktiki. Universitet im. V.I. Vernadskogo. 2012. Vyp. 3. pp. 250–254.
[16] Mengersen K., Whittle P.J.L., et al. Beyond compliance: Project on an integrated system approach for pest risk management in South East Asia. EPPO Bulletin. 2012. Vol. 42. No. 1. pp. 109–116.
[17] Portyanko T.M. Tendencii sozdaniy integrirovannih sistem menegmenta na predpriyatiyah promyshlennogo kompleksa. Vostochno-Evrope'ski' zhurnal peredovyh technologi'. 2010. Vol. 2. Vyp. 8 (44). pp. 40–43.
[18] ISO 19011:2011. Guidelines for auditing management systems.
[19] Griffith A. Management systems for sustainable construction: Integrating environmental, quality and safety management systems. International Journal of Environmental Technology & Management. 2002. Vol. 2. No. 1-3. p. 114.
[20] RAROC and risk management: Quantifying the risks of business. Bankers Trust New York Corporation, 1995.
[21] Smith, Gordon E. (Massey University, Palmerston North, New Zealand). Auditing statistical methods for ISO 9001. ASQC Annual Quality Congress, Nashville, TN. Vol. 46. No. 0. QICID: 9905. May 1992. pp. 849–854.
[22] ISO/IEC 27000:2014. Information technology. Security techniques. Information security management systems. Overview and vocabulary. International Organization for Standardization, 2014. 31 p.
[23] ISO/IEC 27004:2009. Information technology. Security techniques. Information security management systems. Measurement. International Organization for Standardization, 2009. 55 p.
[24] ISO 17021:2011. Conformity assessment. Requirements for bodies providing audit and certification of management systems.