some existing and effectively working mechanisms and tools are unlikely to be
legitimized in the near future [36].
To sum up the main results of our investigation stated above, we define the
system of legal provision of information security as a dynamic multifunctional
structure with feedback links, all components of which are structured by levels and
interrelated, producing a synergetic effect and aimed at the legal provision of
information security.
Model of information security implementation at the micro level. The aim of
each object of information security is the maintenance of its own System of Information
Security Provision (SISP). The use and content of organizational policies that
specify how users of information and technology resources should behave in order to
prevent, detect, and respond to security incidents has become a challenging area of
research aimed at understanding the current state of knowledge on the formation,
implementation, and effectiveness of security policies in organizations [6]. Since making
strategic security improvements and adhering to common best practices can reduce
exposure to emerging risks, slow attackers' progress, and provide more visibility into
the threat landscape, there is a list of provisions recommended for inclusion in an
Information Security Policy [1]. Therefore, architecting and effectively using the
SISP includes the following steps:
- identify the information protection requirements that are specific to the given
object;
- be aware of the relevant national and international legislation;
- use existing practices (standards, methods, etc.) for architecting similar SISPs;
- designate the structural units responsible for implementing and supporting the
SISP;
- distribute duties and spheres of responsibility for meeting the SISP requirements
among the structural units;
- formulate the general rules and the technical and organizational requirements
(based on information security risk management) which will constitute the Information
Security Policy of the safeguarded entity;
- implement the requirements of the Information Security Policy by introducing the
relevant information protection software and hardware;
- implement the System of Information Security Management (SISM);
- regularly monitor the efficiency of the SISP using the SISM and, where necessary,
review and upgrade the SISP and SISM documents.
As follows from the last stage of the algorithm for architecting and effectively using
the SISP, this is a perpetual cyclic process in which the last stage, revision and
upgrading, merges with the initial stage, identifying the requirements for information