Journal: Highly Available Systems, No. 4, 2016
Article in issue:
Information security of electronic trading platforms. Part 3. The Security Policy
Authors:
G.P. Akimova - Ph. D. (Eng.), Leading Research Scientist, Institute for Systems Analysis of FRC CSC RAS (Moscow). E-mail: akimova@isa.ru
A.Yu. Danilenko - Ph. D. (Phys.-Math.), Head of Laboratory, Institute for Systems Analysis of FRC CSC RAS (Moscow). E-mail: danilenko@isa.ru
E.V. Pashkina - Research Scientist, Institute for Systems Analysis of FRC CSC RAS (Moscow). E-mail: pashkina@isa.ru
A.A. Podrabinovich - Research Scientist, Institute for Systems Analysis of FRC CSC RAS (Moscow). E-mail: podrabinovich@isa.ru
D.V. Solovev - Research Scientist, Institute for Systems Analysis of FRC CSC RAS (Moscow). E-mail: soloviev.dmitrii@mail.ru
Abstract:
This paper continues the series of articles entitled «Information security of electronic trading platforms», in which the authors describe various aspects of the secure operation of electronic trading platforms (hereinafter ETP). The general logic of an e-trading platform's work consists in publishing information about planned procurements (notices of procedures) on public resources, collecting bids from potential suppliers, selecting a supplier and concluding a contract for the supply of the required products. The paper considers the characteristic features of ETP operation that in one way or another affect the security of information resources, including personal data. The objects of protection include the accreditation data of organizations accredited on the ETP, the personal data of managers of accredited organizations, the data of registered users, procurement data, suppliers' bids and other information. As for the information security regime, in the case of an ETP data availability is achieved by hardware and organizational measures that ensure the continuous functioning of the hardware and software, while integrity and confidentiality are ensured by the said hardware and by the protection tools that form part of the ETP software. The ETP access control subsystem is based on a role model with elements of a discretionary approach; mandatory access control is not applied. A specific feature of electronic platforms is that the relevant external offenders fall into the categories of competitors, unscrupulous partners and outside actors. The objective of the first two categories of violators may be to compromise the ETP or to distort the results of trading in order to obtain favorable orders. As for outside actors, their goal is most likely plain hooliganism. Regarding insiders, the authors note that the destructive activity of administrators at all levels, as well as of other ETP staff, must be eliminated with the help of organizational and staffing measures.
As for representatives of accredited organizations, they work with the ETP software through public communication networks outside the controlled area, which significantly limits their ability to disrupt the information security regime. In fact, they can only try to elevate their privileges by guessing the system name and password of ETP administrators or employees, or to introduce a virus or trojan. The authors propose to dwell on measures to ensure information security in the case of an ETP, in terms of determining the necessary set of such measures and the peculiarities of their implementation, in the final article of the series «Information security of electronic trading platforms».
Pages: 20-26