Bulletin of Cherkasy State Technological University (Вісник Черкаського державного технологічного університету), Mar 2018
ANALYSIS OF METHODS AND MEANS TO IMPLEMENT A RISK-ORIENTED APPROACH IN THE CONTEXT OF PROVIDING ENTERPRISE INFORMATION SECURITY
Abstract
The article addresses a current problem: developing information security on the basis of a risk-oriented approach in order to solve the information security management problems of an enterprise. Modern business development trends make risk management a necessity. The authors study methods and tools that make it possible to implement a risk-oriented approach in the context of providing enterprise information security, and to analyze and evaluate the information risks of an information security system. The paper considers a series of representative tools most commonly used in this area and analyzes several risk assessment methodologies, in particular CRAMM (UK), a methodology for risk analysis and management, and OCTAVE, for assessing assets and the vulnerability of information security, among others, as well as a series of regulatory documents, including NIST SP800-30 (risk management for information technology systems), ISO/IEC 27005:2011 (information security risk management methods), ENISA (information security risk assessment) and many others. An analysis of the advantages and disadvantages of software for identifying and assessing information security risks (CRAMM, CORAS, Risk Watch, OCTAVE, Oracle Crystal Ball) is presented, and a set of recommendations on the feasibility of using the considered software and management documentation is formulated, taking into account the relevant requirements and criteria of enterprises and organizations.
Keywords