
Herald of Dagestan State Technical University. Technical Sciences


VERBAL MODEL OF MANAGEMENT OF A VULNERABLE PROCESS OF DEDICATING THE ACCESS OF USERS TO THE SOFTWARE OF THE ELECTRONIC DOCUMENT SYSTEM

https://doi.org/10.21822/2073-6185-2019-46-2-37-49

Abstract

Objectives. Traditional methods of protecting the information resource of electronic document management systems rely on the basic protective functions (identification, authentication and verification of users, etc.) of available information security tools and subsystems. They have a significant drawback: they are ineffective once an attacker has obtained the password of a regular user. To eliminate this drawback, new methods are needed for managing the weakly vulnerable process of delimiting user access not only to confidential information but also to the software of the electronic document management system.

Method. One way to solve this problem is the modified “soft administration” method, which automatically generates the lists of allowed source files in the authorization matrix by reducing the lists and comparing file integrity functions with a reference list for the existing software package. This automates the development of access control rules and provides management of the weakly vulnerable process of access control to the software tools of the electronic document management system.

Result. A verbal model is developed for automated control of the weakly vulnerable process of differentiating access to the software tools of an electronic document management system, and a system of performance indicators is proposed for the functioning of a promising subsystem for protecting confidential information, characterizing it as a control object.

Conclusion. The presented verbal model allows for distributed control, in which the security administrator directly controls the specified process using a remote software tool. Forming (changing) the authority establishment matrix for managing the weakly vulnerable process of access control with a promising subsystem for protecting confidential information, and developing a system of indicators to comprehensively evaluate the effectiveness of its functioning, is one of the most important tasks of protecting information from unauthorized access, guaranteeing the implementation of the security policy throughout the entire operation period of the secure electronic document management system.
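The list generation described under Method can be sketched as follows. This is an added example, not the authors' implementation: it assumes SHA-256 as the file integrity function, and the paths, user names and file contents are constructed for illustration.

```python
import hashlib

def digest(data: bytes) -> str:
    # Assumption: SHA-256 stands in for the "file integrity function".
    return hashlib.sha256(data).hexdigest()

def build_authorization_matrix(observed, files, reference):
    """Reduce each user's observed file list and keep only files whose
    current hash matches the reference list for the software package."""
    matrix, rejected = {}, []
    for user, paths in observed.items():
        allowed = set()
        for path in sorted(set(paths)):          # reduction: drop duplicates
            expected = reference.get(path)
            if expected is None:
                rejected.append((user, path, "not in reference list"))
            elif path not in files or digest(files[path]) != expected:
                rejected.append((user, path, "integrity mismatch"))
            else:
                allowed.add(path)
        matrix[user] = allowed
    return matrix, rejected

def is_allowed(matrix, user, path, content, reference):
    """Default-deny launch check that re-verifies integrity at use time."""
    return path in matrix.get(user, ()) and digest(content) == reference.get(path)

# Constructed sample data (hypothetical package layout and users).
REFERENCE = {
    "/opt/edms/viewer": digest(b"viewer-v1"),
    "/opt/edms/editor": digest(b"editor-v1"),
    "/opt/edms/admin": digest(b"admin-v1"),
}
FILES = {
    "/opt/edms/viewer": b"viewer-v1",
    "/opt/edms/editor": b"editor-v1 tampered",   # modified on disk
    "/opt/edms/admin": b"admin-v1",
    "/tmp/tool": b"unknown",                     # not part of the package
}
OBSERVED = {
    "clerk": ["/opt/edms/viewer", "/opt/edms/viewer",
              "/opt/edms/editor", "/tmp/tool"],
    "secadmin": ["/opt/edms/admin", "/opt/edms/viewer"],
}

MATRIX, REJECTED = build_authorization_matrix(OBSERVED, FILES, REFERENCE)

if __name__ == "__main__":
    for user in sorted(MATRIX):
        print(user, sorted(MATRIX[user]))
    for entry in REJECTED:
        print("rejected:", entry)
```

With such a matrix in force, a session opened with the clerk's password can still launch only the software listed for the clerk, which is the case the Objectives paragraph is concerned with.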

About the Authors

V. P. Alferov
Voronezh State Technical University
Russian Federation

Applicant, Department of Design and Production of Radio-Electronic Equipment,

14 Moskovsky Ave., Voronezh 139402



I. G. Drovnikova
Voronezh Institute of the Ministry of the Interior of the Russian Federation
Russian Federation

Dr. Sci. (Technical), Prof., Department of Automated Information Systems of Internal Affairs,

53 Patriotov Str., Voronezh 394065



L. A. Obukhova
Voronezh Institute of the Ministry of the Interior of the Russian Federation
Russian Federation

Cand. Sci. (Technical), Assoc. Prof., Department of Automated Information Systems of the Internal Affairs,

53 Patriotov Str., Voronezh 394065



E. A. Rogozin
Voronezh Institute of the Ministry of the Interior of the Russian Federation
Russian Federation

Dr. Sci. (Technical), Prof., Department of Automated Information Systems of Internal Affairs,

53 Patriotov Str., Voronezh 394065






For citations:


Alferov V.P., Drovnikova I.G., Obukhova L.A., Rogozin E.A. VERBAL MODEL OF MANAGEMENT OF A VULNERABLE PROCESS OF DEDICATING THE ACCESS OF USERS TO THE SOFTWARE OF THE ELECTRONIC DOCUMENT SYSTEM. Herald of Dagestan State Technical University. Technical Sciences. 2019;46(2):37-49. (In Russ.) https://doi.org/10.21822/2073-6185-2019-46-2-37-49



This work is licensed under a Creative Commons Attribution 4.0 License.


ISSN 2073-6185 (Print)
ISSN 2542-095X (Online)