
Vestn. Astrakhan State Technical Univ. Ser. Management, Computer Sciences and Informatics, 2015 Number 1, Pages 66–77 (Mi vagtu360)

This article is cited in 2 papers

SOCIAL AND ECONOMIC SYSTEMS MANAGEMENT

Unification of the approaches to control of the level of information security in different organizations

I. M. Azhmukhamedov (a), O. M. Knyazeva (b)

(a) Astrakhan State Technical University
(b) Ltd. "UpGrade"

Abstract: A unified method for controlling the level of information security is developed. It includes two stages: assessment of the current level of information security based on fuzzy production rules, and synthesis of control decisions, based on fuzzy cognitive modeling, that bring information security services to the desired target level. The algorithm for assessing the level of information security is presented as an iterative process involving the following steps: verbal assessment of the level of damage; search for the relevant rules in the knowledge base; assessment of the state of security services at the current level of the hierarchy according to the rules; identification and exclusion from consideration of blocks containing damage whose level does not allow some blocks at the next level to be identified; calculation of the integral evaluation of security services and of the generalized index of information security of the information object as a whole. The proposed assessment method does not by itself solve the problem of generating control decisions that bring information security services to the desired target level, since it contains no information about the cause-and-effect relationships between the observed damage to information assets and the means of information security, threats and vulnerabilities, which made it possible to carry out the attacks that in turn led to the observed damage. To solve the problem of the second stage, a model was developed showing the links between the damage to information assets and the means of information security, threats and vulnerabilities.
Assessing the level of information security based on fuzzy production rules enables the decision maker to make an informed judgment about the need to synthesize control decisions for bringing security services to the specified target level, and the fuzzy cognitive model makes it possible to synthesize these control decisions. The method for managing the level of information security has been tested in several organizations in various fields of activity. The results obtained support the conclusion that the proposed methodology is applicable in organizations in various fields.

Keywords: information security, security services, threat, vulnerability, damage, protection, linguistic variable, fuzzy numbers.

UDC: 004.056

Received: 05.12.2014
Revised: 12.12.2014


