Description: The article considers the peculiarities of evaluating information security assurance (guarantees) for an integrated information security system in accordance with state and international standards. It proposes applying a formalized model of the process of assessing the information security assurance requirements for the subjects of expertise, built using axiomatic constructions. The following aspects were taken into account when developing the model for assessing information security assurance: functional, informational, organizational and causal characteristics. The functional characteristic of the model precisely determines what is carried out by the elements of the process. The informational characteristic reflects the information that is formed, produced or used by the process. The organizational characteristic describes who performs the specific actions, work and operations of the process, and when, including the physical mechanisms for transmitting and storing the object. The causal characteristic refers to the coordination of, and dependencies between, the actions and the subjects of these actions. Such a model makes it possible to study the process of assessing information security assurance and to determine the requirements for the results of the examination with regard to impartiality, objectivity, repeatability, reproducibility and comparability. The article also defines the requirements for the results of the examination and proposes conditions for the identity of the objects of assessment, the assessment programs and methods, the experts, the evidence and the evaluation results. These conditions are unambiguous and rely on strict definitions of the equality of the corresponding sets or graphs, which makes it possible in practice to objectively confirm that the requirements for the results of the examination are fulfilled.
Keywords: integrated information security system, information and telecommunication system, information security, subject of expertise, object of expertise, formalized model, expert