REGULATORY FRAMEWORK FOR THE DEVELOPMENT OF AN ORGANISATION'S INFORMATION SECURITY MANAGEMENT POLICY
DOI: https://doi.org/10.28925/2663-4023.2024.26.693

Keywords: cybersecurity; management policy; information security management of organisations; compliance management of enterprise information security

Abstract
The article deals with the imperfection of regulatory documents as regards the revision of the main regulatory legal acts and their updating in line with changes and trends in the protection of information resources. The authors emphasise the need to improve organisations' compliance, given the active digitisation of services in Ukraine, integration into the global digitalised space, the active use of information and communication technologies, and the expansion of the range of services in the field of electronic communications, all of which give rise to new attacks on enterprises. The authors emphasise that these trends necessitate strengthening the protection of organisations' information flows (against unauthorised access, leakage of confidential data, loss of information assets, dissemination of intellectual property, and dissemination of information constituting a trade secret) on the basis of a reliable regulatory framework. The article defines the concepts “information security policy”, “information security policy” and “bank information security policy”, and presents the resources that are the objects to which an organisation's information security policy applies. The authors have thoroughly monitored regulatory and legal documents and identified the main regulatory documents on ensuring the information security of organisations, namely laws, regulations, resolutions, international standards and presidential decrees regulating the cybersecurity and information protection of organisations operating in the financial sector.
The results of the monitoring of documents and their summary are considered as the basis for the formation of compliance enhancements and the possibility of their implementation in the practical activities of banks in the development of information security management policies by cybersecurity specialists (chief compliance officer (CCO) and chief information security officer (CISO)).
License
Copyright (c) 2024 Тетяна Капелюшна, Світлана Легомінова, Тетяна Мужанова, Віталій Тищенко
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.