REQUIREMENTS ANALYSIS METHOD OF INFORMATION SECURITY MANAGEMENT SYSTEMS
DOI:
https://doi.org/10.28925/2663-4023.2020.9.149158Keywords:
information security management system, requirement, characteristics of requirement, requirements analysis, requirement diagram, SysMLAbstract
The process of analyzing the requirements for information security management systems is considered. The obligation to comply with the requirements of the international standard ISO/IEC 27001 is shown. This provides confidence to stakeholders in the proper management of information security risks with an acceptable level. This is due to the internal and external circumstances of influencing the goal and achieving the expected results of organizations. In addition, the identification of stakeholders, their needs and expectations from the development of information security management systems are also considered. It is established that now the main focus is on taking into account the requirements for the process of developing these systems or to ensure information security in organizations. The transformation of the needs, expectations and related constraints of stakeholders into an appropriate systemic solution has been overlooked. These limitations have been overcome through the method of analyzing the requirements for information security management systems. Its use allows, based on the needs, expectations and related constraints of stakeholders, to identify relevant statements in established syntactic forms. There is need to check each of them for correctness of formulation and compliance with the characteristics of both the individual requirement and the set of requirements. For their systematization, establishment of relations the graphic notation SysML is applied. In view of this, the requirement is considered as a stereotype of a class with properties and constraints. Relationships are used to establish relationships between requirements. Their combination is represented by a diagram in the graphical notation SysML and, as a result, allows you to specify the requirements for information security management systems. In the prospects of further research, it is planned to develop its logical structure on the basis of the proposed method.
Downloads
References
International Organization for Standardization. (2013, Sept. 25). ISO/IEC 27001:2013, Information technology. Security techniques. Information security management systems. Requirements. [Online]. Available: https://www.iso.org/ standard/54534.html. Accessed on: May 14, 2020.
DP “UkrNDNTs”. (2015, Dec. 18). DSTU ISO/IEC 27001:2015, Information technology. Security techniques. Information security management systems. Requirements. Kyiv, 2016, 22 p.
International Organization for Standardization. (2013, Sept. 25). ISO/IEC 27002:2013, Information technology. Security techniques. Code of practice for information security controls. [Online]. Available: https://www.iso.org/standard/54534.html. Accessed on: May 14, 2020.
International Organization for Standardization. (2019, Mar. 08). ISO/IEC/IEEE 15026-1:2019, Systems and software engineering. Systems and software assurance. Part1: Concepts and vocabulary. [Online]. Available: https://www.iso.org/standard/73567.html. Accessed on: May 14, 2020.
International Organization for Standardization. (2017, Apr. 12). ISO/IEC 27003:2017, Information technology. Security techniques. Information security management systems. Guidance. [Online]. Available: https://www.iso.org/ru/standard/63417.html. Accessed on: May 14, 2020.
Verkhovna Rada Ukrainy. VIІІ convocation, 7th session. (2017, Oсt. 05). Law № 2163-VIII, On the Basic Principles of Cyber Security of Ukraine. [Online]. Available: https://zakon.rada.gov.ua/laws/show/2163-19#n89. Accessed on: May. 14, 2020.
Cabinet of Ministers of Ukraine. (2019, June 19). Resolution № 518, On approval of the General requirements for cyber protection of critical infrastructure. [Online]. Available: https://zakon.rada.gov.ua/laws/show/518-2019-%D0% BF#Text. Accessed on: May. 14, 2020.
National energy and utilities regulatory commission of Ukraine. (2019, Oсt. 07). Resolution № 2094, On the adoption of the previous decision on the certification of the transmission system operator of electricity. [Online]. Available: https://www.nerc.gov.ua/ index.php?id=44925. Accessed on: May. 14, 2020.
Verkhovna Rada Ukrainy. IІ convocation, 1st session. (1994, July 05; with changes). Law № 80/94-ВР, On information protection in information and telecommunication systems. [Online]. Available: https://zakon.rada.gov.ua/laws/show/80/94-%D0%B2% D1%80#Text. Accessed on: May. 14, 2020.
Cabinet of Ministers of Ukraine. (2018, Nov. 07). Resolution № 992, On approval requirements in the field of electronic trust services and confirm the compliance of trust in electronic services. [Online]. Available: https://zakon.rada.gov.ua/laws/show/992-2018-%D0%BF#Text. Accessed on: May. 14, 2020.
National Bank of Ukraine. (2017, Sept. 28). Resolution № 95, On approval of the Regulations on the organization of measures to ensure information security in the banking system of Ukraine. [Online]. Available: https://zakon.rada.gov.ua/ laws/show/v0095500-17#Text. Accessed on: May. 14, 2020.
V. V. Tsurkan, “Specification of requirements for information security management systems”, in Proc. Ukrainian scientific-practical conference Actual problems of information security management of the state, Kyiv, 2020, p. 221.
K. Wiegers, and J. Beatty, Software Requirements (Developer Best Practices). Redmond, Washington, USA: Microsoft Press, 2013.
S. B. Gordienko, V. V. Aleinikov, A.V. Litvinov, and O.V. Rzayev, “Current issues of construction and certification of the company's information security management system”. Modern Information Security, no. 1, pp. 10-15, 2014.
A. I. H. Suhaimi, D. Bao, Y. Goto, and J. Cheng, “Development of ISMEE: An Information Security Management Engineering Environment”, in Computer Science and its Applications. Lecture Notes in Electrical Engineering, vol. 330, J. Park, I. Stojmenovic, H. Jeong, and G. Yi, Eds. Berlin, Germany: Springer, 2015, pp. 1325-1330, doi: 10.1007/ 978-3-662-45402-2_184.
Y. You, I. Cho, and K. Lee, “An advanced approach to security measurement system”. The Journal of Supercomputing, vol. 72, iss. 9, pp. 3443-3454, 2016, doi: 10.1007/s11227-015-1585-7.
V. O. Sirotyuk, “Models, methods and tools for developing and implementing an effective information security management system of the patent office”, Naukovedenie, vol. 9, no. 6, 2017. [Online]. Available: https://naukovedenie.ru/PDF/ 06TVN617.pdf. Accessed on: May. 14, 2020.
D. Proença, and J. Borbinha, “Information Security Management Systems - A Maturity Model Based on ISO/IEC 27001”, in: Business Information Systems. BIS 2018. Lecture Notes in Business Information Processing, vol 320, W. Abramowicz, and A. Paschke, Eds. Berlin, Germany: Springer, Cham, 2018, pp. 102-114, doi: 10.1007/978-3-319-93931-5_8.
V. Diamantopoulou, A. Tsohou, and M. Karyda, “General Data Protection Regulation and ISO/IEC 27001:2013: Synergies of Activities Towards Organisations’ Compliance”, in Trust, Privacy and Security in Digital Business. Lecture Notes in Computer Science,
vol. 11711, S. Gritzalis, E. Weippl, S. Katsikas, G. Anderst-Kotsis, A. Tjoa, and I. Khalil, Eds. Berlin, Germany: Springer, Cham, 2019, pp. 94-109, doi: 10.1007/978-3-030-27813-7_7.
V. V. Selifanov, and R. V. Meshcheryako, “Methods of acceptable options formation of organizational structure and the structure of the automated information security management system”, Modeling, optimization and information technology, vol. 8, iss. 1, pp. 1-13, 2020, doi: 10.26102/2310-6018/2020.28.1.001.
International Organization for Standardization. (2018, Dec. 12). ISO/IEC/IEEE 24748-2:2018, Systems and software engineering. Life cycle management. Part 2: Guidelines for the application of ISO/IEC/IEEE 15288 (System life cycle processes). [Online]. Available: https://www.iso.org/standard/70816.html. Accessed on: May 14, 2020.
International Organization for Standardization. (2018, Nov. 28). ISO/IEC/IEEE 29148:2018, Systems and software engineering. Life cycle processes. Requirements engineering. [Online]. Available: https://www.iso.org/standard/70816.html. Accessed on: May 14, 2020.
SysML Open Source Project. [Online]. Available: https://sysml.org/. Accessed on: May 14, 2020.
Model based systems engineering with Sparx Systems Enterprise Architect. [Online]. Available: https://sparxsystems.com/resources/user-guides/. Accessed on: May 14, 2020.