Topical issues of IT risk management at critical information infrastructure facilities

DOI: 10.31673/2412-4338.2022.012935

Authors

  • С. Б. Гордієнко (Hordiyenko S. B.), Educational and Scientific Institute of Information Security and Strategic Communications, National Academy of the Security Service of Ukraine

Abstract

Today, an urgent task for the security industry is to assess the state of information security at critical infrastructure objects and to apply appropriate measures that keep it in proper condition.
This article stresses the particular relevance of these issues, focusing on the most significant aspects of ensuring information security at critical infrastructure facilities through risk management and strategies for responding to risks. The essence of the risk response options and of risk treatment is set out.
Preliminary planning of the risk management process for the information infrastructure is a key stage of security risk management. A well-planned process matches the significance of each business process for the critical infrastructure object against the costs needed to manage the risks that affect it. Every business process whose potential loss exceeds a predetermined value is declared critical.
Risk management planning is carried out most effectively by a dedicated working group made up of the top manager, the heads of the other departments and the IT manager. The working group forms strategies for responding to the identified, assessed and ranked risks. It should be emphasized that risk analysis must cover not only the operation of systems in regular mode but also their behaviour under peak load.
Decisions on responding to particular risks must take costs into account, together with a full assessment of the level of risk characteristic of the operation of critical infrastructure objects.
When business unit managers define risk-reduction tasks for their units, they most often accept any risk without understanding its consequences, because their real goals are tied to the performance of their main official duties, which determine the final result of the unit's activity. Risk treatment options should therefore be evaluated by the degree of risk reduction they achieve and by any additional benefits or opportunities they create.
Special attention is paid to the risk acceptance strategy, which demands considerable professional and intellectual ability from decision-makers. Given the peculiarities of this response option, an approach adapted to the specific object of information activity must be developed, one that settles the question of the economic feasibility of applying security measures against possible information security incidents.
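To make the planning logic above concrete, the following is an added worked example (not code from the article or its authors): a small risk register computes expected annual loss for each risk, weighting regular-mode and peak-load impact, declares a business process critical when its loss exceeds a predetermined threshold, and scores treatment options by loss avoided plus side benefits minus cost, falling back to risk acceptance when no option pays for itself. All risks, processes, monetary values and the threshold are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    business_process: str
    likelihood: float      # expected events per year (assumed)
    loss_regular: float    # loss per event in regular operating mode
    loss_peak: float       # loss per event when the system is under peak load
    peak_fraction: float   # share of the year the system runs at peak load

    def annual_loss(self) -> float:
        """Expected annual loss; peak-load operation is weighted in, not ignored."""
        per_event = ((1 - self.peak_fraction) * self.loss_regular
                     + self.peak_fraction * self.loss_peak)
        return self.likelihood * per_event


@dataclass
class Treatment:
    name: str
    cost: float
    risk_reduction: float  # fraction of annual loss removed (0..1)
    side_benefit: float    # monetary value of extra opportunities created


def critical_processes(risks, threshold):
    """Business processes whose summed expected loss exceeds the threshold."""
    totals = {}
    for r in risks:
        totals[r.business_process] = totals.get(r.business_process, 0.0) + r.annual_loss()
    return sorted(p for p, loss in totals.items() if loss > threshold)


def best_treatment(risk, options, accept_label="accept"):
    """Option with the highest net value; acceptance wins when nothing pays for itself."""
    base = risk.annual_loss()
    best_name, best_net = accept_label, 0.0
    for t in options:
        net = base * t.risk_reduction + t.side_benefit - t.cost
        if net > best_net:
            best_name, best_net = t.name, net
    return best_name, round(best_net, 2)


# Constructed sample register (hypothetical operator, hypothetical figures)
RISKS = [
    Risk("SCADA historian outage", "grid dispatch", 0.5, 200_000, 1_200_000, 0.1),
    Risk("billing portal defacement", "customer billing", 2.0, 5_000, 8_000, 0.2),
]
TREATMENTS_DISPATCH = [Treatment("redundant historian", 90_000, 0.7, 10_000),
                       Treatment("network segmentation", 60_000, 0.5, 0.0)]
TREATMENTS_BILLING = [Treatment("WAF subscription", 20_000, 0.8, 0.0)]
```

With a threshold of 100 000, only "grid dispatch" is critical; the billing risk is cheaper to accept than to treat, which is the acceptance case the abstract singles out.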

Keywords: critical infrastructure facilities, response strategy, risk acceptance, information security.


Published

2023-02-01

Section

Articles