WEB APPLICATION OF ESTIMATING PROTECTION SYSTEM EFFECTIVENESS OF THE ENTERPRISE


Cite item

Full Text

Abstract

This article describes the WEB-application algorithm that allows to automate the audit of the company and to generate recommendations for the protection of the company in accordance with the requirements of the legislation. Moreover, it deals with the principle of the database formation. The authors describe the database according to the thematic issues of the information security for all the selected groups, private indicators and reference base, which is the master system of the protection. It is also represented the system of the group assessment, performance information security and the current reporting security of the enterprise. In the result, the authors give an algorithm of the visualization of the audit results. Using this application will reduce the resource and time which can be spent on the audit.

Full Text

Introduction The initial step in the constructing of the comprehensive information protection system in the enterprise is the audit of the information security, which comprises the determination of the baseline level of the information system security. Nowadays, the information security audit represents one of the most actual and dynamically developing directions of the strategic and operational management in the field of the company’s information security. The relevance of the performing the audit is caused by the necessity to ensure an information security in the organizations of various forms of ownership. From the perspective of the audit work, there are three principle steps: - collecting of the information and data, interviewing of the workers and the study of organizational, administrative and technical documentation; - the analysis of the data; - the recommendations development to harmonize the safety requirements and reporting documents (report or conclusion on the results of the audit). To automate the audit, to reduce resource and time expenses for it’s conducting and visualization of the results together with Information System Technology (IST) a software in PHP language has been developed. The database was created on the basis of MYSQL. JavaScript and a technology for displaying Canvas material were used for visualization of results. The purpose of the project Сreate a WEB-application, which allows to automate the company’s audit and to form the recommendations for the system protection of the company in accordance with the requirements of the legislation. The diagram of the WEB-application operation is shown in Picture 1. The basic tasks of the application 1. To get the information about the company, its functioning and security which is realized in the course of specially organized interviews with senior officials of the company, by examining technical, organizational and administrative documentation, as well as the study of the system information with the help of special software; 2. To create a database application. The first database represents the description of the group and private information security indicators which are formulated in the form of thematic issues on the information security, and the answers to them will allow describe the system of the information protection in the enterprise in details. The group indicators are formulated in the basic directions assessment of the state security company. 16 group performances (evaluation areas) are defined. The further stage of the development is to expand the number of group and private indicators depending on the specific of the undertaking, the volume and the area of the survey. The second database is a reference system protection. The reference system is formed according to the requirements of the Russian Federation legislation in the field of the information security. The audit is conducted on the bases of the requirements for public information systems that process a personal data. These requirements are regulated in order with the Federal service of the Technical and Export Control (February 11, 2013, № 17) «The approval of the data protection requirements which don’t constitute a state secret of the state information systems». The answers to all thematic issues must be evaluated by the unit, which has the full conformity with the requirements. The organizational and technical requirements for the information security are formed according to the class of security information system. The program includes all possible classes of the security, ranging from 1 (highest) to the 4 (lowest). After the report generating we compare the obtained results with the standard audit protection system, and form recommendations to eliminate vulnerabilities. Picture 1. Schematic diagram of the algorithm of the WEB-application 3. The system of the group performance assessment. The evaluation of the group indicator is computed from the estimates which contain private indicators in it. It’s necessary to consider the significance of the coefficients , which define the importance of the private indicators for evaluating of the group indicators. When counting the coefficients of the significance it should be performed the normalization condition: , where n - the number of private indicators in the i-th group indicators. In this work, the coefficients inside each group indicators equal and their sum is one. The plans of this work development is to build a detailed algorithm for calculating the significant coefficients which define the importance of the private indicators. 4. The formation of the audit reports. The obtained test answers (calculation of the group and private indicators, pie chart) are reflected in the conclusion (report) about the results of the audit. The report which is obtained after the audit will allow organize the work about the construction of the enterprise protection system. It is a key document describing: the parameters and properties of an information system, its organizational and technical description, the interaction with other systems, the organization of information security (physical security arrangements, software, firmware and hardware protection), the tasks and business processes, which enterprise information system carries out. It’s also important to determine the most probable threats for the security concerning the resources and information system security that makes possible the realization of these threats. Thus, the construction of the current status of the company security and the recommendations to harmonize the protection system are formed. 5. The visualization of the results. In addition to the reports and recommendations of the audit, the results are presented by the yet chart, as it is illustrated in Picture 2. All the calculated parameters are displayed in the group chart information of the security sectors. Picture 2. The Diagram of the indicators security enterprise Where IAF - Identification and authentication; UPD - Management software access; OPS - Limits software environment; ZNI - Protection machine data carriers; RSB - Registration of events security; ABZ - Anti-virus protection; SOB - Intrusion Detection; ANZ - Analysis of data protection; OCL - Ensuring the integrity of the information system; ODT - Providing access to information; ZSV - Protection virtualization environment; ZTC - Protection technical means; ZIS - Protect information system and her means of transmission; INC - Detection incidents and respond to them. UKF - Configuration management information system. In the sector, one of three zones is colored in different colors, depending on the value of the indicator. In the final evaluation of the indicator group red (critical) level is displayed from 0 to 50 percent, yellow (average) level of protection is displayed from 50 to 75, and green (high) level - from 75 or higher. To place the text next to the levels, it’s necessary to convert the polar coordinates to Cartesian. The definition zones of the filling one security indicator. This code fragment draws the arc and reduces to the center of the circle line: var start=(Math.PI/180)*270+(Math.PI/180)*num*i; context.arc(beginX,beginY,radius3,start,start+(Math.PI/180)*num,false); BeginX - Initial coordinates - X BeginY - Initial coordinates - And Radius3 - The radius of the circle Start - Start coordinates Num - Number of categories For example, to display the name of the measures security next to the indicator in the chart, it is necessary to translate the coordinates from polar to Cartesian. The code snippet of the conversion from polar to Cartesian coordinates to print the text in the chart: x=(beginX-42)*Math.cos (start+(Math.PI/180) *num/2) + (beginX-30); y=(beginY-50)*Math.sin(start+(Math.PI/180) *num/2)+(beginY+10); context.beginPath(); context.fillText(""+arrayKategory[i]+"", x, y); BeginX - Initial coordinates - X BeginY - Initial coordinates - And Start - Start coordinates Num - Number of categories Picture 3. The scheme of the algorithm for constructing a pie chart indicators enterprise security In Picture 3, it is a schematic diagram of the algorithm for constructing the indicators enterprise security. 6. The transferring of all the results in PDF-document. Conclusion The software is situated at the implementation stage in the IST Company and is used to audit the security state of the information system in the enterprise.
×

About the authors

Nadezhda Fiodorovna Bakhareva

Povolzhskiy State University of Telecommunications and Informatics

Email: bahareva-nf@psuti.ru

Stepan Vasilevich Fedorov

Povolzhskiy State University of Telecommunications and Informatics

Email: fstepan2010@gmail.com

References

  1. СТО БР ИББС-1.2-2014. Методика оценки соответствия информационной безопасности организаций банковской системы Российской Федерации требованиям. - Введ. 2014-06-01: Изд-во стандартов, 2014. - 101 с.
  2. Wikipedia. Аудит информационной безопасности, 2015 // ru.wikipedia.org (д.о. 22. 12. 2016).
  3. Rowell E. HTML5 Canvas Cookbook / Packt Publishing, 2011. - 332 р.
  4. Williams L.J. Learning HTML5 Game Programming. A Hands-on Guide to Building Online Games Using Canvas, SVG, and WebGL / Addison-Wesley Professional 2011. - 256 р.
  5. Hawkes R. Foundation HTML5 Canvas. For Games and Entertainment / friendsofED 2011. - 316 р.
  6. Fulton S. Fulton J. HTML5 Canvas / O’Reilly Media, 2011. - 650 р.
  7. Flanagan D. Canvas Pocket Reference. Scripted Graphics for HTML5 / O'Reilly Media, 2010. - 110 р.
  8. Сleverstudents Перевод градусов в радианы и обратно, 2015. // cleverstudents.ru (д.о. 23.12.2016).
  9. Hbc. Оценка эффективности систем защиты информации, 2015. //, hbc.ru (д.о. 21.12.2016).
  10. Niisokb. Аудит информационной безопасности, 2015. // niisokb.ru (д.о. 10.12.2016).

Supplementary files

Supplementary Files
Action
1. JATS XML
Download

Copyright (c) 2017 Bakhareva N.F., Fedorov S.V.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.

This website uses cookies

You consent to our cookies if you continue to use our website.

About Cookies