Vulnerability management using a formalized description
DOI: https://doi.org/10.30837/rt.2020.4.203.11
Keywords: vulnerabilities, vulnerability management system, ISMS, formalized description of ITS, qualitative assessment of vulnerabilities, NVD, CVSS
Abstract
The article considers the main stages of vulnerability management and the problems that arise in risk assessment and decision making during vulnerability management in an information and telecommunication system (ITS). It is assumed that current techniques are not sufficient for effective vulnerability management, so a risk assessment system is needed to improve decision-making procedures. A formalized description of the ITS is compared with an informal one. The comparison shows that the formalized description has a number of advantages, so the risk assessment system should be built on a formalized description of the ITS. When qualitative vulnerability assessments (such as the Common Vulnerability Scoring System severity ratings) are added, the system becomes unambiguous, clear, flexible and easy to use. An additional advantage of such a system is that assessment and decision-making processes can be automated, which removes human influence and minimizes the subjective factor in managing vulnerabilities in the ITS. The system does not exclude the security administrator from the process; it supports them in decision making and risk assessment, reduces the likelihood of errors, and helps new staff choose appropriate decisions.
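The abstract describes combining a formalized ITS description with CVSS qualitative ratings so that assessment and prioritisation can be automated. The following Python script is an added example (not code from the article or its authors) of what that looks like in practice: the ITS is modelled as assets made of product/version components, vulnerabilities are matched against those components, each match is rated with the qualitative severity scale from the CVSS v3.1 specification, and a constructed remediation policy turns rating plus asset criticality into a deadline. The asset inventory, the `CVE-0000-000x` identifiers, the base scores and the deadline policy are all constructed for the example; the CVSS score-to-rating table is the one in the v3.1 specification.

```python
"""Added example: automated vulnerability assessment over a formalized ITS description.

The asset inventory, vulnerability records and remediation policy below are
constructed for illustration; only the CVSS v3.1 qualitative scale is real.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Qualitative severity rating scale from the CVSS v3.1 specification.
CVSS_QUALITATIVE_SCALE: List[Tuple[float, float, str]] = [
    (0.0, 0.0, "None"),
    (0.1, 3.9, "Low"),
    (4.0, 6.9, "Medium"),
    (7.0, 8.9, "High"),
    (9.0, 10.0, "Critical"),
]
RATING_RANK = {"None": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}

# Constructed remediation policy: days allowed to fix, by qualitative rating.
BASE_DAYS = {"None": 0, "Low": 180, "Medium": 90, "High": 30, "Critical": 7}


def cvss_qualitative_rating(base_score: float) -> str:
    """Map a CVSS v3.1 base score (0.0-10.0) to its qualitative rating."""
    if not 0.0 <= base_score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {base_score}")
    score = round(base_score, 1)  # CVSS scores carry one decimal place
    for low, high, label in CVSS_QUALITATIVE_SCALE:
        if low <= score <= high:
            return label
    raise ValueError(f"no rating for score {score}")


@dataclass(frozen=True)
class Component:
    """One software element of an asset in the formalized ITS description."""
    product: str
    version: str


@dataclass
class Asset:
    name: str
    criticality: int  # 1 (low) .. 3 (high), assigned by the security administrator
    components: List[Component]


@dataclass(frozen=True)
class Vulnerability:
    """A vulnerability record as it would be imported from a feed such as NVD."""
    cve_id: str
    product: str
    version: str
    base_score: float


@dataclass
class Finding:
    asset: str
    cve_id: str
    base_score: float
    rating: str
    criticality: int
    deadline_days: int


def remediation_deadline(rating: str, criticality: int) -> int:
    """Constructed policy: high-criticality assets get half the base deadline."""
    days = BASE_DAYS[rating]
    return max(1, days // 2) if criticality >= 3 else days


def assess(assets: List[Asset], vulns: List[Vulnerability]) -> List[Finding]:
    """Match vulnerabilities to assets (exact product+version here) and rank them."""
    index: Dict[Tuple[str, str], List[Vulnerability]] = {}
    for v in vulns:
        index.setdefault((v.product, v.version), []).append(v)
    findings: List[Finding] = []
    for asset in assets:
        for comp in asset.components:
            for v in index.get((comp.product, comp.version), []):
                rating = cvss_qualitative_rating(v.base_score)
                findings.append(Finding(asset.name, v.cve_id, v.base_score, rating,
                                        asset.criticality,
                                        remediation_deadline(rating, asset.criticality)))
    # Deterministic ordering: severity first, then asset criticality, then raw score.
    findings.sort(key=lambda f: (RATING_RANK[f.rating], f.criticality, f.base_score),
                  reverse=True)
    return findings


# Constructed sample inventory and vulnerability feed.
SAMPLE_ASSETS = [
    Asset("web-frontend", 3, [Component("examplehttpd", "2.4"), Component("libexample", "1.0")]),
    Asset("build-server", 1, [Component("examplehttpd", "2.4")]),
    Asset("wiki", 2, [Component("libexample", "1.1")]),
]
SAMPLE_VULNS = [
    Vulnerability("CVE-0000-0001", "examplehttpd", "2.4", 9.8),
    Vulnerability("CVE-0000-0002", "libexample", "1.0", 5.3),
    Vulnerability("CVE-0000-0003", "libexample", "1.1", 3.1),
    Vulnerability("CVE-0000-0004", "examplehttpd", "2.2", 7.5),  # version not deployed
]

if __name__ == "__main__":
    for f in assess(SAMPLE_ASSETS, SAMPLE_VULNS):
        print(f"{f.asset:13} {f.cve_id} {f.base_score:4} {f.rating:8} "
              f"crit={f.criticality} fix within {f.deadline_days} days")
```

Because both the inventory and the rating scale are explicit data, the same input always yields the same ranked list, which is the property the abstract attributes to a formalized description. Real deployments would replace the exact version match with the affected-version ranges a feed such as NVD publishes, and would keep the administrator's criticality assignments under change control, since they are the one subjective input left in the pipeline.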