FORMALIZATION OF THE ACCESS CONTROL AUDIT PROCEDURE IN THE INFORMATION SYSTEM

The article discusses current problems and tools for ensuring information security in information systems. The author analyzes the current trends in information security breaches in 2018-2019, concludes about the relevance of countering threats related to unauthorized access. The basic tools for protecting an information system from unauthorized access are many rights and rules for access control between objects and subjects. Therefore, to ensure the necessary level of security, the adequacy and consistency of the distribution of access rights is important. The methodology and conceptual scheme for conducting an audit of the access control subsystem based on ACL lists, consisting of procedures for initiating audits, collecting and analyzing audit data has been developed. The mathematically model of audit procedure is automation in the form of an audit software tool for the access control subsystem using the Windows operating system as an example. The main advantage of the proposed audit procedure is that it does not require complex testing procedures, calculation of probabilities, involvement and selection of experts. The main purpose of the program is to assess the compliance of the existing settings of the access control policy in the system with the security policy of the system under investigation.

1. Analytical report of Positive Technologies “Actual cyber threats - 2018. Trends and forecasts”. - https://www.ptsecurity.com/ruru/research/analytics/cybersecurity-threatscape-2018/ (appeal date 03/15/2019).

2. Vitenburg E.A., Nikishova A.V. The structure of the information system of the enterprise as a basis for the formation of the information security system // Information technologies in science, education and production (ITNOP-2018) VII International Scientific and Technical Conference. Collection of conference proceedings. 2018. pp. 162-167.

3. Bulgakov OM, Udalov VP, Chetkin OV Mathematical model of the impact of the offender on the components of the integrated security system // Bulletin of the Voronezh Institute of the Ministry of Internal Affairs of Russia, 2015.№2. Pp. 165 - 175. - http://cyberleninka.ru/article/n/matematicheskaya-modelvozdeystviya-narushitelya-na-komponenty-integrirovannoy-sistemybezopasnosti (appeal date 02/28/2019).

4. Oladko V.S. Risks of control and access control systems // Young Scientist. 2016. №28 (132). P. 133 – 136.

5. Tokarev V.L., Sychugov A.A. Method of Auditing the protection of automated systems // Modeling, optimization and information technology. Scientific journal, 2019. Volume 7. №1. - http://moit.vivt.ru (circulation date 02/02/2019).

6. Semenova N.A. Semantic model of access control // Applied Discrete Mathematics. 2012.№2 (16). S. 50-64. (In Russia)

7. Kolegov D.N., Tkachenko N.O. Lightweight implementation of attribute access control mechanism for DBMS at the level of a protective screen // Applied diskette mathematics. Application. 2016. S.93 - 95. (In Russia)

8. Mironova V.G., Shelupanov A.A. Analysis of differentiation and distribution of access rights based on the discretionary model of differentiation of access rights Take-Grant // Bulletin of the Southern Federal University. Technical science. 2013. No. 12 (149) .C. 111 - 117. (In Russia)

9. Kurakin A.S., Kostyreva A.A. Model of limitation of rights of access for special purpose information system. H&ES Research. 2019. Vol. 11. No. 2. Pр. 82–89. doi: 10.24411/2409-5419-2018-10262 (In Russia)

10. Chirkova M.L., Shubin E.V. The use of the HRU model to ensure the security of information systems // All-Russian annual scientific-practical conference: collection of materials, Kirov April 15-26, 2013. P. 513-515.