Information security audit as a necessary component of management in public institutions

Keywords: cybersecurity, cyber audit, cyber attack, government agencies, government

Abstract

Today, information systems (IS) play a key role in ensuring the efficiency of government agencies, enterprises and organizations.

Government agencies use a variety of IS to store, process and transmit information. This raises the issue of protecting the information that accumulates in them, especially given the global trend of a growing number of information attacks that lead to significant public financial and material losses. Analysis of information resources shows that attack models and the behavior patterns of cyber-violators are changing, as priorities shift in the objects of attack and in the channels of information leakage.

Cybercriminals are developing new software and hardware systems that allow them to carry out more complex and powerful attacks, the organization of which no longer requires high skills or a high level of intellectual training. The main purpose of an information security audit can be to assess the security level of the institution's IS for management as a whole, taking into account the prospects for its development. An information systems audit is the main tool for checking the information systems used by the institution, its security systems, its communication systems with the external environment and its corporate network for compliance with the business and operational processes carried out in the institution.

Today almost all the information of an institution, enterprise or organization is concentrated in a network of electronic accounting systems whose resources increase the efficiency of its functional activities. At the same time, the use of information technology carries a high risk of internal and external interference in the information architecture (unregulated internal access, lack of logging of user actions in the system, external intervention, virus infection, etc.), and resource costs increase because the IT component of the institution must be kept continuously aligned with its strategic goals and the external environment.

As stated in the Cyber Security Strategy of Ukraine, approved by the Decree of the President of Ukraine of March 15, 2016 № 96/2016, cybersecurity threats are actualized by factors that include, in particular:

  • inconsistency of the state's electronic communications infrastructure, and of the level of its development and protection, with modern requirements;
  • an insufficient level of protection of critical infrastructure, state electronic information resources and information whose protection is required by law from cyber threats, and unsystematic cyber protection measures for critical infrastructure;
  • insufficient development of the organizational and technical infrastructure for cybersecurity and for the cyber protection of critical infrastructure and state electronic information resources;
  • insufficient effectiveness of the security and defense sector of Ukraine in counteracting cyber threats of a military, criminal, terrorist and other nature, and an insufficient level of coordination, interaction and information exchange between cybersecurity actors.

That is why the development of information systems auditing worldwide is constantly being updated: standards are improved, certification is introduced, and the various methods and techniques of world information systems audit practice, as well as software for information security audits, are applied to enterprises, institutions and organizations of all forms of ownership and subordination operating in the various sectors of the economy and public administration.


Author Biographies

Hennadij Plis

PhD, Head of the State Audit Office of Ukraine, Kyiv

Yevhen Kotukh, Sumy State University, Sumy

PhD, Associate Professor of Computer Science, Sumy State University, Sumy

Dmytro Nekhoroshykh

Auditor of Legal Strategy Advisors, Kyiv

Hennadij Khalimov, Kharkiv National University of Radio Electronics, Kharkiv

Doctor of Technical Sciences, Professor, Head of the Department of Information Technology Security, Kharkiv National University of Radio Electronics, Kharkiv

Olga Kuchma

Head of the Department of Regulatory and Methodological Support of the State Financial Control Process of the State Audit Service of Ukraine, Kyiv


Published: 2021-06-03

Section: Regional and Industrial Management