284
INFORMATION SECURITY AUDIT MODEL CREDIT FINANCIAL
ORGANIZATIONS
Sh.R.Gulomov (associate professor, TUIT named afterMukahmmad al-Khwarazmi)
L.T. Shirinov (assistant, TUIT named after Mukahmmad al-Khwarazmi)
A.F. Bekjonov (master student ,TUIT named after Mukahmmad al-Khwarazmi)
Features of information system are such that the
negative consequences of
failures individual organizations can lead to rapid development of the system the
crisis of the payment system, to harm the interests of owners and clients'. In cases
of incidents, the information security increases significantly the
resulting risk and
the possibility of damage to organizations. Therefore, for organizations is threats
pose a significant danger.
Fig.1. Process model of audit
The purpose of the work is to develop a process
model for the audit of
information security of a credit institution, with details in the form of a risk
assessment model, based on which it would be possible to solve management tasks
in credit and financial organizations.
To achieve this goal, the following were set and solved tasks:
1. To analyze existing sources of information
security threats security, to
clarify the classification of the sources of threats information security.
2. To analyze modern approaches to information management security risk
assessment information security, assessment of the level
of information security
relative to existing standard.
3. Develop an is audit model based on a process approach, The object of the
study is the information management system security of the credit and financial
institution.
Advisable enter another class of sources of threats associated with illegal
actions against customers of banks using banking products (fig. 1).
In the course of this work were considered the main regulations in information
security related to credit institutions. These regulations are many, and each of them
285
establishes its own requirements for conformity assessment in one form or another:
self-assessment in the form of completing questionnaires (PCI DSS) before passing
mandatory audit once every two years (382-P) or once a year (ISO 27001).
The process of is audit includes the following aspects:
defining inputs to the audit, such as purpose, audit, limitations and features, etc.;
the definition of key roles and resources to conduct the audit;
provision: programs of audit;
guidelines for planning,
data collection, validation of data and reporting of
results audit's;
guide for evaluating the attributes of the processes and extent of implementation
requirements of information security;
events to audit information security;
recording the output of the audit.
Such a scheme does not really guarantee the achievement of the goals audit's.
In order to get the output of the required level, the audit algorithm you must
add a feedback block that, in the event of a mismatch, this would reduce the level
of is risks and at the same time increase the compliance level as shown in figure 2.
Fig.2. Process model of audit
Information security audit is today one of the most effective tools for
independent and objective assessment the current level
of protection of the Bank
from various information threats. The audit results allow forming a systematic
approach to implementation information security system development strategies
credit and financial institution. Improving the audit process will allow the output to
get a higher level of information security in the credit
and financial institution,
which, in turn, will lead to an increase in competitiveness of the Bank.
A typical audit algorithm looks like this (figure 3):
286
Fig. 3. Scheme audit
References
1.
Курило
А.П. Аудит информационной безопасности /А.П. Курило. - М.: Издательская группа «БДЦ-пресс », 2006.- 305 с.
2.
Родина Ю.В. Дистанционное банковское обслуживание.Источники угроз текст./Родина
Ю.В//Научно-практический межотраслевой журнал «Интеграл»,№ 1(60) 2012г, с.40
3.
Обеспечение информационной безопасности организаций банковской системы
Российской Федерации. Аудит информационной безопасности. Стандарт Банка России
СТО БР ИББС-1.1-2007. Принят и введен в действие распоряжением Банка России от
28.04.2007 г. № Р-345
Do'stlaringiz bilan baham: