2010/12/23 11:51:45

Methods of assessing information security

Excerpt from the book "Information security support of business", ISBN 978-5-9614-1364-9, Center of Researches of Payment Systems and Calculations.

Organizations whose business depends substantially on the information sphere for achieving their business goals should maintain, at the necessary level, a system of providing information security (SOIB). A SOIB is the set of hardware, software, technical and organizational protective measures (PM) operating under the control of the information security management system (SMIB), together with the information security awareness processes that initiate and support the activities of information security management.

The desire to have a SOIB adequate to the organization's information security goals, that is, ensuring the availability, integrity and confidentiality of information assets, leads to the aspiration to improve the SOIB. Improvement of the SOIB is possible only with knowledge of the status of the characteristics and parameters of the protective measures in use, of the management and information security awareness processes, and of the degree to which they comply with the required results. These aspects of the SOIB can be understood only on the basis of an assessment of the organization's information security, obtained using an information security assessment model from assessment evidence and evaluation criteria, and taking the assessment context into account.

Evaluation criteria are everything that allows assessment values to be assigned to the assessment object. Information security requirements, an information security procedure, a combination of requirements and procedures, or the level of investments (costs) in information security can serve as evaluation criteria.

Assessment evidence comprises records, statements of fact or any other information that relates to the information security evaluation criteria and can be verified. Such evidence may be proof of completed and ongoing information security activities in the form of reporting, regulatory and administrative documents, survey results and observations.

The information security assessment context combines the goals and purpose of the assessment, its type (independent assessment or self-assessment), the object and areas of assessment, the restrictions on the assessment and the roles involved.

The information security assessment model defines the assessment scope that reflects the assessment context within the evaluation criteria, the mapping and conversion of the assessment onto the parameters of the assessment object, and the indicators that provide the information security assessment within that scope.

The information security assessment process (figure 53) is presented in general form by its principal components: the context, evidence, criteria and model of assessment needed to carry out the process. Information security assessment consists in forming an evaluative judgment on the suitability (maturity) of the information security processes, the adequacy of the protective measures in use, or the expediency (sufficiency) of the investments (costs) in ensuring the required level of information security, based on the measurement and evaluation of the critical elements (factors) of the assessment object.


Besides the most important purpose of information security assessment, which is creating the information needed to improve information security, other purposes of assessment are possible, such as:

  • determining the degree of compliance of particular information security areas, information security processes and protective measures with the set criteria;
  • identifying the influence of critical elements (factors), and combinations of them, on the organization's information security;
  • comparing the maturity of different information security processes, and comparing the degree of compliance of different protective measures with the set requirements.

The results of an assessment of the organization's information security can also be used by an interested party to compare the information security level of organizations with the same kind of business and comparable scale. Depending on the criterion chosen for the assessment, the methods of assessing the organization's information security (figure 54) can be divided into assessment against a standard, risk-oriented assessment and assessment by economic indicators.


The method of assessing information security against a standard comes down to comparing the organization's information security activities and measures with the requirements fixed in the standard. In essence, a conformity assessment of the organization's SOIB against the chosen standard is carried out. Conformity assessment of the organization's information security against the set criteria is understood as the activity of directly or indirectly determining whether the relevant information security requirements are fulfilled in the organization. Through conformity assessment, the correctness of implementation of the processes of the organization's SOIB is measured and the shortcomings of that implementation are identified.

The result of the assessment should be an assessment of the degree of compliance of the SOIB with the standard, where the standard (as a whole or separately) may be:

  • requirements of the legislation of the Russian Federation in the field of information security;
  • industry requirements for providing information security;
  • requirements of regulatory, methodological and organizational-administrative documents on providing information security;
  • requirements of national and international standards in the field of information security.

The main stages of assessing information security against a standard are: choosing the standard and forming the evaluation criteria on its basis; collecting assessment evidence and measuring the critical elements (factors) of the assessment object; and forming the information security assessment.
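The stages above can be carried through in code. The following is an added example, not from the book or any real standard: a set of requirements derived from a chosen standard serves as the evaluation criteria, only verified records count as assessment evidence, each requirement is measured from that evidence, and the assessment is formed as a degree of compliance per area and overall, with critical elements that are not fully met reported separately. The requirement identifiers, areas, evidence records and the weights given to findings are constructed for the example.

```python
"""Conformity assessment of a SOIB against a standard, written as an added
example following the stages named in the text. All requirement identifiers,
areas and evidence records below are constructed samples, not taken from any
real standard."""
from __future__ import annotations
from dataclasses import dataclass
from enum import Enum


class Finding(Enum):
    """Verdict for one requirement after checking the collected evidence."""
    MET = "met"
    PARTIAL = "partially met"
    NOT_MET = "not met"


@dataclass(frozen=True)
class Requirement:
    """One evaluation criterion derived from the chosen standard."""
    ident: str
    area: str                  # area of providing information security
    text: str
    critical: bool = False     # critical element (factor) of the assessment object


@dataclass(frozen=True)
class Evidence:
    """A record relating to a requirement: document, survey result, observation."""
    requirement: str
    kind: str
    verified: bool             # checked by the assessor, so it counts as evidence
    covers_fully: bool = True  # shows the requirement fully implemented


def assess_requirement(req: Requirement, evidence: list[Evidence]) -> Finding:
    """Measure one criterion from verified evidence only; unverified records
    are not assessment evidence and are ignored."""
    usable = [e for e in evidence if e.requirement == req.ident and e.verified]
    if not usable:
        return Finding.NOT_MET
    if any(e.covers_fully for e in usable):
        return Finding.MET
    return Finding.PARTIAL


# Constructed weights: how much each finding contributes to a degree of compliance.
WEIGHT = {Finding.MET: 1.0, Finding.PARTIAL: 0.5, Finding.NOT_MET: 0.0}


def assess_conformity(reqs: list[Requirement], evidence: list[Evidence]) -> dict:
    """Form the assessment: degree of compliance (0..1) per area and overall,
    plus critical requirements that are not fully met. Critical gaps are
    listed separately because an average alone would hide them."""
    findings = {r.ident: assess_requirement(r, evidence) for r in reqs}
    by_area: dict[str, list[float]] = {}
    for r in reqs:
        by_area.setdefault(r.area, []).append(WEIGHT[findings[r.ident]])
    area_scores = {a: sum(v) / len(v) for a, v in by_area.items()}
    overall = sum(WEIGHT[f] for f in findings.values()) / len(reqs)
    critical_gaps = [r.ident for r in reqs
                     if r.critical and findings[r.ident] is not Finding.MET]
    return {"findings": findings, "areas": area_scores,
            "overall": overall, "critical_gaps": critical_gaps}


# Constructed sample: four criteria in two areas and the evidence collected for them.
SAMPLE_REQUIREMENTS = [
    Requirement("A.1", "access control", "Access rights are reviewed quarterly", critical=True),
    Requirement("A.2", "access control", "Privileged accounts are individually assigned"),
    Requirement("B.1", "incident management", "Incidents are registered and analysed", critical=True),
    Requirement("B.2", "incident management", "Incident response roles are assigned"),
]
SAMPLE_EVIDENCE = [
    Evidence("A.1", "document", verified=True),
    Evidence("A.2", "observation", verified=True, covers_fully=False),
    Evidence("B.1", "document", verified=False),   # a register exists but was never checked
    Evidence("B.2", "survey", verified=True),
]

if __name__ == "__main__":
    result = assess_conformity(SAMPLE_REQUIREMENTS, SAMPLE_EVIDENCE)
    for area, score in result["areas"].items():
        print(f"{area}: {score:.0%}")
    print(f"overall: {result['overall']:.1%}; critical gaps: {result['critical_gaps']}")
```

The per-area scores give the comparison of different information security areas that the text lists among the purposes of assessment; the unverified record for B.1 shows why evidence must be checkable before it can support a finding.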

Risk-oriented assessment of the organization's information security is an assessment method in which the information security risks arising in the organization's information sphere are considered, and the existing risks are compared with the measures taken to treat them. The result should be an assessment of the organization's capability to manage information security risks effectively in order to achieve its goals.

The main stages of risk-oriented assessment are: identifying information security risks; determining the adequate risk management processes and the key risk indicators; forming the evaluation criteria on their basis; collecting assessment evidence and measuring the risk factors; and forming the information security assessment.
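As an added example of the risk-oriented method (not from the book, and not a real risk register), the code below compares each identified risk with the protective measures taken to treat it: the risk factors (likelihood and impact on a constructed 1..5 scale) are reduced only by measures that evidence shows to be implemented, the residual level is the key risk indicator, and the evaluation criterion is a tolerance level above which treatment is judged inadequate. The scales, the tolerance value and the register entries are constructed assumptions.

```python
"""Risk-oriented assessment, written as an added example: the identified
risks are compared with the protective measures taken to treat them, and a
key risk indicator (residual level within tolerance) forms the assessment.
The 1..5 scales, the tolerance and the register entries are constructed."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Treatment:
    """A protective measure applied to a risk and its expected effect on the
    risk factors; reductions are on the same 1..5 scale as the factors."""
    name: str
    likelihood_reduction: int = 0
    impact_reduction: int = 0
    implemented: bool = True   # evidence must show the measure is in place


@dataclass(frozen=True)
class Risk:
    ident: str
    likelihood: int                          # 1 (rare) .. 5 (almost certain)
    impact: int                              # 1 (negligible) .. 5 (severe)
    treatments: tuple[Treatment, ...] = ()


def clamp(value: int) -> int:
    """Keep a risk factor on the 1..5 scale after reductions are applied."""
    return max(1, min(5, value))


def residual_level(risk: Risk) -> int:
    """Risk level (1..25) after the implemented treatments; planned but
    unimplemented measures give no reduction."""
    lr = sum(t.likelihood_reduction for t in risk.treatments if t.implemented)
    ir = sum(t.impact_reduction for t in risk.treatments if t.implemented)
    return clamp(risk.likelihood - lr) * clamp(risk.impact - ir)


def assess_risk_management(risks: list[Risk], tolerance: int) -> dict:
    """Key risk indicators per risk (inherent and residual level), the share
    of risks treated to within the tolerance, and the risks still above it,
    i.e. those whose treatment is inadequate."""
    table = {r.ident: {"inherent": r.likelihood * r.impact,
                       "residual": residual_level(r)} for r in risks}
    above = sorted(i for i, v in table.items() if v["residual"] > tolerance)
    within = 1 - len(above) / len(risks) if risks else 0.0
    return {"risks": table, "share_within_tolerance": within,
            "inadequately_treated": above}


# Constructed sample register: one treated risk, one whose treatment is only
# planned, and one low risk with no treatment.
SAMPLE_RISKS = [
    Risk("R1", likelihood=4, impact=5, treatments=(
        Treatment("multi-factor authentication on remote access", likelihood_reduction=2),
        Treatment("offline backups", impact_reduction=2))),
    Risk("R2", likelihood=3, impact=4, treatments=(
        Treatment("data leakage prevention", likelihood_reduction=2, implemented=False),)),
    Risk("R3", likelihood=2, impact=2),
]
TOLERANCE = 8   # constructed: the residual level the organization accepts

if __name__ == "__main__":
    result = assess_risk_management(SAMPLE_RISKS, TOLERANCE)
    for ident, levels in result["risks"].items():
        print(f"{ident}: inherent {levels['inherent']}, residual {levels['residual']}")
    print(f"within tolerance: {result['share_within_tolerance']:.0%}; "
          f"inadequately treated: {result['inadequately_treated']}")
```

The point the register illustrates is the comparison the text describes: R2 has a treatment on paper but, without evidence that it is implemented, its residual level is unchanged and it stands out as the risk the organization is not yet managing.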

The method of assessing information security on the basis of economic indicators operates with arguments, clear to the business, about the need to provide and improve information security. Total cost of ownership (TCO) indicators, for example [24], are used as criteria of SOIB efficiency.

The TCO indicator is understood as the sum of direct and indirect costs of implementing, operating and supporting the SOIB. Direct costs are all material costs, such as the purchase of equipment and software and the labor costs of the relevant categories of employees. Indirect costs are all housekeeping overheads of the SOIB, as well as losses from incidents that have occurred. Statistics on the structure of direct and indirect costs are collected and analysed, as a rule, over a year. The data obtained are evaluated against a number of criteria using the TCO indicators of similar organizations in the industry.

Assessment on the basis of the TCO indicator allows information security costs to be estimated, the organization's information security to be compared with a standard protection profile, and costs to be managed to achieve the required level of security.

The main stages of assessing SOIB efficiency on the basis of the TCO model are: collecting data on the current TCO level; analysing the information security areas; choosing a comparable TCO model as the evaluation criterion; comparing the indicators with the evaluation criterion; and forming the information security assessment.

However, this assessment method requires creating a shared information database on the SOIB efficiency of organizations in similar business and keeping that database up to date. Such information exchange between organizations, as a rule, does not serve their business purposes. Therefore information security assessment on the basis of the TCO indicator is practically not applied.