Methods of acceptable options formation of organizational structure and the structure of the automated information security management system

To ensure comprehensive information protection, it is necessary to use various means of information protection, distributed by levels and segments of the information system. This creates a contradiction, which consists in the presence of a large number of different means of information protection and the inability to ensure their joint coordinated application in ensuring the protection of information due to the lack of an automated control system. One of the tasks that contribute to the solution of this problem is the task of generating a feasible organizational structure and the structure of such an automated control system, whose results would provide these options and choose the one that is optimal under given initial parameters and limitations.Тhe problem is solved by reducing the General problem to a particular problem of splitting into subgraphs of the original graph of the automated cyber defense control system. In this case, the subgraphs will correspond to the subsystems of the automated cyber defense management system at different levels and will provide a visual representation of the process of acceptable variants formation of the organizational composition and structure of such an automated control system. As a result of the operation of splitting into subtasks of the graph, a set of acceptable variants of the organizational composition and structures of the automated cyber defense management system are supposed to be obtained, based on which the optimal choice is made under the given initial parameters and restrictions. As a result, the technique of formation of admissible variants of organizational structure and structure by the automated control system of cyber defense is received.

1. Federal law No. 187 of 26.07.2017 On security of critical information infrastructure of the Russian Federation. [Electronic resource.] Mode of access: http://www.kremlin.ru/acts/bank/42128 free (date accessed: 15.05.2018).

2. Selifanov V.V. Methods of forming the structure of information protection management functions of significant objects of critical information infrastructure of the Russian Federation. Mathematical structures and modeling. Omsk. 2019;1(49):97-106.

3. Methods for Testing & Specification; Risk-Based Security Assessment and Testing Methodologies, European Telecommunications Standards Institute, ETSI EG 201 015, 2015. [Online].https://www.etsi.org/deliver/etsi_eg/201000_201099/201015/02.01.01_60/eg_20 1015v020101p.pdf.

4. Cloud Flare. Zero-trust security: What’s a zero-trust network? 2019. [Online]. https://www.cloudflare.com/learning/security/glossary/what-is-zero-trust/.

5. Bellovin S. Layered Insecurity. IEEE Security & Privacy. 2019; 17(03): 96-95. DOI: 10.1109/MSEC.2019.2906807.

6. Order of FSTEC of Russia dated 25.12.2017 No. 239 / On approval of security Requirements for significant objects of critical information infrastructure of the Russian Federation. [Electronic resource.] Mode of access: https://minjust.consultant.ru/documents/38914 free (date accessed: 15.05.2019). 018:86.

7. Goldobina A.S., Isayeva J.A. The Choice of a simulation model of information protection management processes to assess the effectiveness of state and municipal systems. Innovative development of science and education. Collection of articles of the International scientific-practical conference. In 2 parts. Penza. 2018:86.

8. Yener B., Gal T. Cybersecurity in the Era of Data Science: Examining New Adversarial Models. IEEE Security & Privacy. 2019;01:1-1,5555. DOI: 10.1109/MSEC.2019.2907097.

9. Peisert S. Control Systems Security from the Front Lines. IEEE Security & Privacy. 2014; 12(06):55-58. DOI: 10.1109/MSP.2014.105.

10. Choo K., Kermani M., Azarderakhsh R. and Govindarasu M. Emerging Embedded and Cyber Physical System Security Challenges and Innovations. IEEE Transactions on Dependable and Secure Computing. 2017; 14(03): 235-236. DOI: 10.1109/TDSC.2017.2664183.

11. Mailloux L., McEvilley M., Khou S. andPecarina J. Putting the «Systems» in Security Engineering: An Examination of NIST Special Publication 800-160.IEEE Security & Privacy. 2016; 14(04): 76-80. DOI: 10.1109 / MSP.2016.77.

12. Selifanov V.V., Goldobina A.S., Isaeva J.A. Construction of Adapted Three-Level Model of Control Processes of Information Security System of Critical Information Infrastructure Objects. Collection of the conference "Actual problems of electronic instrumentation APEP-2018. Proceedings of the XIV International scientific technical conference. In 8 Volumes. 2018". Novosibirsk. 2018: 148-153.

13. Security management problems of complex systems: proceedings of XXVI international. confer., 19 Dec. 2018, Moscow; Under the General editorship of A. O. Kalashnikov, V. V. Kul'by. M.: IPU Russian Academy of Sciences. 2018: 411.

14. Burkov V., Goubko M., Korgin N., Novikov D. Introduction to Theory of Control in Organizations. New York: CRC Press. 2015:352.

15. Novikov D., Chkhartishvili A. Reflexion and Control: Mathematical Models. London: CRC Press. 2014:298.

16. Novikov D. Theory of Control in Organizations. New York: Nova Science Publishers. 2013:341.

17. Selifanov V.V., Goldobina A.S., Isaeva J.A., Klimova A. M., Zenkin P.S. Construction of adaptive three-level model of management processes of information protection system of objects of critical information infrastructure. Reports of Tomsk state University of control systems and Radioelectronics. Tomsk. 2018; 21(4): 51-58.

18. Confidant. Centralized and operational management of protected computers in infrastructures of any size and purpose. 2019. [Online]. https: //www.dallaslock.ru/products/tsentralizovannoe-upravlenie/

19. Confidant. Virtual infrastructure information security system Dallas Lock // 2019. [Online]. https://www.dallaslock.ru/products/szvi-dallas-lock/