Methods for assessing the level of security of software of automated systems of internal affairs bodies and directions for their improvement
https://doi.org/10.21822/2073-6185-2023-50-4-85-92
Abstract
Objective. The purpose of the article is to analyze the existing methods and procedures used to assess the level of software security in automated systems, based on a study of the scientific literature, international standards and industry standards of the Russian Federation on the information security of automated systems, guidelines and methodological documents of the Federal Service for Technical and Export Control (FSTEC) of Russia, and departmental orders on protecting information from unauthorized access at informatization facilities of internal affairs bodies. Method. To achieve this goal, a system analysis was performed of the approaches used to assess the level of software security in automated systems. Result. The results of an analysis of the main approaches to assessing the level of software security in automated systems are presented. The expediency of combining the considered approaches in order to carry out a real-time quantitative assessment of the level of software security at informatization facilities of internal affairs bodies, taking into account vulnerabilities in the software in use, is substantiated. Conclusion. The results obtained can be used to construct indicators of the level of software security in automated systems of internal affairs bodies and to develop methods for calculating them that take the time factor into account.
About the Authors
I. G. Drovnikova
Russian Federation
Irina G. Drovnikova - Dr. Sci. (Eng.), Assoc. Prof., Prof., Department of Automated Information Systems of Internal Affairs Bodies.
53 Patriotov Ave., Voronezh 394065
A. D. Popova
Russian Federation
Arina D. Popova - Adjunct, Department of Automated Information Systems of Internal Affairs Bodies.
53 Patriotov Ave., Voronezh 394065
For citation:
Drovnikova I.G., Popova A.D. Methods for assessing the level of security of software of automated systems of internal affairs bodies and directions for their improvement. Herald of Dagestan State Technical University. Technical Sciences. 2023;50(4):85-92. (In Russ.) https://doi.org/10.21822/2073-6185-2023-50-4-85-92