Methods for assessing the efficiency of access control subsystems at informatization facilities of internal affairs bodies and aspects of their improvement

Objective. The purpose of the article is to analyse the existing methodology used to assess the efficiency of automated information security systems by studying open literature sources, international and industry standards of the Russian Federation on information security of automated systems, guidelines and orders of the Federal Service for Technical and Expert Control of Russia, as well as departmental orders, instructions and regulations on information security at informatization facilities of internal affairs bodies. The analysis results in identifying the advantages and disadvantages of the specified methodology, as well as the possibilities of its use when conducting a quantitative assessment of the efficiency of access control subsystems of information security systems at the informatization facilities of internal affairs bodies.
Methods. To achieve this goal, the method for system analysis of approaches used to assess the efficiency of information security tools and systems has been applied.
Results. The paper presents results of analysing the main approaches used to assess the efficiency of tools and systems for information security of automated systems. The paper determines the relationship between the efficiency indicator of access control subsystems of information security systems and the main disadvantage of their use in protected automated systems of internal affairs bodies. The paper substantiates main directions of improving the existing methodology, proposes methods and indicators for quantifying the efficiency of access control subsystems (including those modified on the basis of using new information and communication technologies) of information security systems in protected automated systems of internal affairs bodies.
Conclusion. The results obtained can be used to quantify the security level of existing automated systems and those being developed at informatization facilities of internal affairs bodies.

1. GOST R ISO/MEK 15408-2-2013. Informatsionnaya tekhnologiya. Metody i sredstva obespecheniya bezopasnosti. Kriterii otsenki bezopasnosti informatsionnykh tekhnologiy. Chast' 2: Funktsional'nyye komponenty bezopasnosti [GOST R ISO / IEC 15408-2-2013. Information technology. Methods and means of ensuring safety. Criteria for assessing the security of information technology. Part 2: Functional components of security [Electronic resource]. URL: https://files.stroyinf.ru/Data2/1/4293774/4293774728.pdf (date accessed: 02/28/2020). (In Russ)]

2. FSTEK Rossii. Rukovodyashchiy dokument. Kontseptsiya zashchity sredstv vychislitel'noy tekhniki i avtomatizirovannykh sistem ot nesanktsionirovannogo dostupa k informatsii [Elektronnyy resurs]. [FSTEC of Russia. Guidance document. The concept of protection of computer technology and automated systems from unauthorized access to information [Electronic resource]. URL: http://fstec.ru/component/attachments/download/299 (date accessed: February 28, 2020). (In Russ)]

3. Ob utverzhdenii Kontseptsii obespecheniya informatsionnoy bezopasnosti organov vnutrennikh del Rossiyskoy Federatsii do 2020 goda: prikaz MVD Rossii ot 14.03.2012 № 169 [Elektronnyy resurs]. [On the approval of the Concept for ensuring information security of the internal affairs bodies of the Russian Federation until 2020: order of the Ministry of Internal Affairs of Russia dated March 14, 2012 No. 169 [Electronic resource]. URL: http://policemagazine.ru/forum/showthread.php?t=3663 (date accessed: 03/02/2020). (In Russ)]

4. Metodiki otsenki nadezhnosti sistem zashchity informatsii ot nesanktsionirovannogo dostupa avtomatizirovannykh sistem / Bokova O.I. [i dr.] [Methods for assessing the reliability of information protection systems against unauthorized access of automated systems / Bokova OI. [and others] // Proceedings of the SPII RAS. Vol. 18 No. 6 (2019). S.-Pb .: SPIIRAS, 2019.2019.T. 18.No. 6.pp. 1300-1331. SSN 2078-918. DOI 10.15622/sp.2019.18.6. (In Russ)]

5. Drovnikova I.G. Chislennyye metody rascheta pokazatelya effektivnosti vspomogatel'noy podsistemy v sisteme elektronnogo dokumentooborota [Drovnikova I.G. Numerical methods for calculating the efficiency indicator of the auxiliary subsystem in the electronic document management system / I.G. Drovnikova, P.V. Zinoviev, E.A. Rogozin // Bulletin Voronezh. Institute of the Ministry of Internal Affairs of Russia. 2016. No. 4. S. 114-121. (In Russ)]

6. GOST 28806-89. Kachestvo programmnykh sredstv. Terminy i opredeleniya [Elektronnyy resurs]. [GOST 28806- 89. The quality of the software. Terms and definitions [Electronic resource]. URL: http://www.kimmeria.nw.ru/standart/glosys/gost_28806_90.pdf (date accessed: 03.03.2020). (In Russ)]

7. GOST 28195-89. Assessment of the quality of software. General provisions [Electronic resource]. URL: [GOST 28195-89. Otsenka kachestva programmnykh sredstv. Obshchiye polozheniya [Elektronnyy resurs]. URL:http://docs.cntd.ru/document/1200009135 (data obrashcheniya: 05.03.2020). http://docs.cntd.ru/document/1200009135 (date accessed: 03/05/2020). (In Russ)]

8. GOST R ISO/MEK 9126-93. Informatsionnaya tekhnologiya. Otsenka programmnoy produktsii. Kharakteristiki kachestva i rukovodstva po ikh primeneniyu [GOST R ISO / IEC 9126-93. Information technology. Evaluation of software products. Quality characteristics and guidelines for their application [Electronic resource]. URL: http://docs.cntd.ru/document/gost-r-iso-mek-9126-93 (date of treatment 03/05/2020). (In Russ)]

9. Rad'ko N.M. Proniknoveniya v operatsionnuyu sredu komp'yutera: modeli zloumyshlennogo udalennogo dostupa: ucheb. posobiye / N.M. Rad'ko, YU.K. YAzov, N.N. Korneyeva. Voronezh: FGBOU VPO «Voronezhskiy gosudarstvennyy tekhnicheskiy universitet», 2013. 265 s. [Radko N.M. Penetration into the operating environment of a computer: models of malicious remote access: textbook. allowance / N.M. Radko, Yu.K. Yazov, N.N. Korneeva. Voronezh: Voronezh State Technical University, 2013.265 p. (In Russ)]

10. Rad'ko N.M. Risk-modeli informatsionno-telekommunikatsionnykh sistem pri realizatsii ugroz udalennogo i neposredstvennogo dostupa / N.M. Rad'ko, I.O. Skobelev. M: RadioSoft, 2010. 232 s. [Radko N.M. Risk-models of information and telecommunication systems in the implementation of threats of remote and direct access / N.M. Radko, I.O. Skobelev. M: RadioSoft, 2010.232 p. (In Russ)]

11. Popov A.D. Modeli i algoritmy otsenki effektivnosti sistem zashchity informatsii ot nesanktsionirovannogo dostupa s uchetom ikh vremennykh kharakteristik v avtomatizirovannykh sistemakh organov vnutrennikh del: dis. ... kand. tekhn. nauk: 05.13.19 / Popov Anton Dmitriyevich. Voronezh, 2018. 163 s. [Popov A.D. Models and algorithms for evaluating the effectiveness of information protection systems against unauthorized access, taking into account their time characteristics in automated systems of internal affairs bodies: dis. Cand. tech. Sciences: 05.13.19 / Popov Anton Dmitrievich. Voronezh, 2018.163 p. (In Russ)]

12. Xin Z. Research on effectiveness evaluation of the mission-critical system/Z. Xin, M. Shaojie, Z. Fang// Proceedings of 2013 2nd International Conference on Measurement, Information and Control. 2013. 869-873.

13. Maximizing Uptime of Critical Systems in Commercial and Industrial Applications VAVR-8K4TVA_R1_EN.pdf [Electronic resource]. URL: https://download.schneider-eletric.com/files?p_Doc_Ref=SPD_VAVR-8K4TVA_EN (date accessed: 03/06/2020).

14. Effectiveness Evaluation on Cyberspace Security Defense System / L. Yun [et ol.] // International Conference on Network and Information Systems for Computers (IEEE Conference Publications). 2015. рр.576-579.

15. FSTEK Rossii. Rukovodyashchiy dokument. Sredstva vychislitel'noy tekhniki. Zashchita ot nesanktsionirovannogo dostupa k informatsii. Pokazateli zashchishchennosti ot nesanktsionirovannogo dostupa k informatsii [Elektronnyy resurs]. [FSTEC of Russia. Guidance document. Computer facilities. Protection against unauthorized access to information. Indicators of security against unauthorized access to information [Electronic resource]. URL: http://fstec.ru/tekhnicheskaya-zashchita-informatsii/dokumenty/114-spetsialnyenormativnye-dokumenty/383-rukovodyashchij-dokument-reshenie-predsedatelya-gostekhkomissii-rossii-otlya-25-iyu date of access: 03/06/2020). (In Russ)]

16. FSTEK Rossii. Rukovodyashchiy dokument. Avtomatizirovannyye sistemy. Zashchita ot nesanktsionirovannogo dostupa k informatsii. Klassifikatsiya avtomatizirovannykh sistem i trebovaniya po zashchite informatsii [Elektronnyy resurs]. [FSTEC of Russia. Guidance document. Automated systems. Protection against unauthorized access to information. Classification of automated systems and requirements for information protection [Electronic resource]. URL: https://fstec.ru/tekhnicheskaya-zashchita-informatsii/dokumenty/114-spetsialnyenormativnye-dokumenty/384-rukovodyashchij-dokument-reshenie-predseda-gostekhkomissii-rossii-199-302-gart ( date of access: 03/10/2020). (In Russ)]

17. ISO / IEC 17000: 2004. Conformity assessment. Dictionary and General principles [Electronic resource]. - URL: https://pqm-online.com/assets/files/lib/std/iso_17000-2004.pdf (date accessed: 03/10/2020).

18. ISO / IEC 27002: 2005-2013. Information technology. Security method. Practical rules of information security management [Electronic resource]. URL: http://docs.cntd.ru/document/gost-r-iso-mek-17799-2005 (date of access 03/10/2020).

19. Razrabotka modeley i algoritmov otsenki effektivnosti podsistemy zashchity konfidentsial'nykh svedeniy pri yeye proyektirovanii v sistemakh elektronnogo dokumentooborota OVD: monografiya [Elektronnyy resurs] / Drovnikova I.G. [i dr.]. Voronezh: Voronezh. in-t MVD Rossii, 2019. [Development of models and algorithms for assessing the effectiveness of the subsystem for the protection of confidential information during its design in the systems of electronic document management of the Department of Internal Affairs: monograph [Electronic resource] / Drovnikova I.G. [and etc.]. Voronezh: Voronezh. Institute of the Ministry of Internal Affairs of Russia, 2019. (In Russ)]

20. Zastrozhnov I.I. Modelirovaniye i issledovaniye dinamiki funktsionirovaniya programmnykh sistem zashchity informatsii dlya otsenki i analiza kachestva ikh funktsionirovaniya pri proyektirovanii i upravlenii: dis. ... kand. tekhn. nauk: 05.13.18 / Zastrozhnov Igor' Ivanovich. Voronezh, 2005. 181 s. [Zastrozhnov I.I. Modeling and research of the dynamics of the functioning of information security software systems for assessing and analyzing the quality of their functioning in design and management: dis. ... Cand. tech. Sciences: 05.13.18 / Zastrozhnov Igor Ivanovich. Voronezh, 2005.181 p. (In Russ)]

21. Korniyenko B.Y. Design and research of mathematical model for information security system in computer network / B.Y. Korniyenko, L.P. Galata // Science-Based Technologies. 2017. Vol. 34. Issue 2. pp. 114-118.

22. Nazareth D. System dynamics model for information security management / D. Nazareth, J. Choi // Information & Management. 2015. Vol. 52. Issue 1. pp. 123-134.

23. Kresimir S. The information systems' security level assessment model based on an ontology and evidential reasoning approach / S. Kresimir, O Effectiveness Evaluation on Cyberspace Security Defense System. Hrvoje, G. Marin // Computers & Security. 2015. рр.100-112.

24. White S.C. Comparison of Security Models: Attack Graphs Versus Petri Nets / S.C. White, S.S. Sarvestani // Advances in Computers. 2014. Vol. 94. рр.1-24.

25. Nikishin K. Implementation of time-triggered ethernet using colored Petri NET / K. Nikishin, N. Konnov, D. Pashchenko // International Conference on Industrial Engineering, Applications and Manufacturing (ICIEAM). 2017. рр.1-5.

26. Charaf N. A colored Petri-net model for control execution of distributed systems / H. Charaf, S. Azzouzi // 4th International Conference on Control, Decision and Information Technologies (CoDIT). 2017. 277-282.

27. Network security analyzing and modeling based on Petri net and Attack tree for SDN / Y. Linyuan [and others] // 2016 International Conference on Computing, Networking and Communications (ICNC). 2016. рр.133-187.