Journal: Highly Available Systems, No. 4, 2016
Article in issue:
Information security of electronic trading platforms. Part 3. The Security Policy
Keywords:
electronic trading platforms
information security
automated information systems
threat model
offender model
Authors:
G.P. Akimova - Ph. D. (Eng.), Leading Research Scientist, Institute for Systems Analysis of FRC CSC RAS (Moscow)
E-mail: akimova@isa.ru
A.Yu. Danilenko - Ph. D. (Phys.-Math.), Head of Laboratory, Institute for Systems Analysis of FRC CSC RAS (Moscow)
E-mail: danilenko@isa.ru
E.V. Pashkina - Research Scientist, Institute for Systems Analysis of FRC CSC RAS (Moscow)
E-mail: pashkina@isa.ru
A.A. Podrabinovich - Research Scientist, Institute for Systems Analysis of FRC CSC RAS (Moscow)
E-mail: podrabinovich@isa.ru
D.V. Solovev - Research Scientist, Institute for Systems Analysis of FRC CSC RAS (Moscow)
E-mail: soloviev.dmitrii@mail.ru
Abstract:
This paper continues the series of articles under the general title «Information security of electronic trading platforms», in which the authors describe various aspects of the secure operation of electronic trading platforms (hereinafter ETP). The general logic of an ETP's operation is to publish information about planned procurements (notices of procedures) on public resources, collect bids from potential suppliers, select a supplier, and conclude a contract for the supply of the required products. An ETP is therefore characterized by operations that in one way or another affect the security of information resources, including personal data. The objects of protection include information about organizations accredited on the ETP, personal data of the managers of accredited organizations, data of registered users, procurement data, supplier bids, and other information.
As for the information security regime, in the case of an ETP the availability of data is achieved through hardware and organizational measures that ensure the continuous functioning of the hardware and software, while integrity and confidentiality are ensured by the said hardware and by the security facilities that form part of the ETP software. The ETP access control subsystem is based on a role model with elements of the discretionary approach; mandatory access control is not applied.
A specific feature of electronic platforms is that the relevant external offenders fall into the categories of competitors, unscrupulous partners, and outside actors. The goal of the first two categories of offenders may be to compromise the ETP or to distort the results of trading in order to obtain favorable orders. As for outside actors, their goal is most likely plain hooliganism.
Regarding insiders, it is noted that destructive activity by administrators at all levels, as well as by other ETP staff, must be ruled out by organizational and personnel measures. Representatives of accredited organizations work with the ETP software over public communication networks outside the controlled area, which significantly limits their ability to disrupt the information security regime. In practice, they can only attempt to escalate their privileges by obtaining the system login and password of ETP administrators or employees, or to introduce a virus or trojan.
The authors propose to dwell on measures to ensure information security in the case of the ETP, in terms of determining the necessary set of such measures and the specifics of their implementation, in the final article of the series «Information security of electronic trading platforms».
Pages: 20-26