Personal data security threat model for processing in the personal data information system

1. General Provisions

This private model of threats to the security of personal data during their processing in the information system of personal data "SKUD" in ___________ (hereinafter referred to as ISPD) was developed on the basis of:

1) "Basic model of personal data security threats during their processing in personal data information systems", approved on February 15, 2008 by the Deputy Director of the FSTEC of Russia;

2) "Methods for determining actual threats to the security of personal data during their processing in personal data information systems", approved on February 14, 2008 by the Deputy Director of the FSTEC of Russia;

3) GOST R 51275-2006 "Information security. Factors affecting information. General provisions".

The model determines the threats to the security of personal data processed in the personal data information system "SKUD".

2. List of threats that pose a potential danger to personal data processed in ISPD

The potential dangers for personal data (hereinafter referred to as PD) during their processing in ISPD are:

  • threats of information leakage through technical channels;
  • physical threats;
  • threats of unauthorized access;
  • personnel threats.

3. Identification of actual security threats to personal data during processing in ISPD

3.1. Determination of the initial security level of ISPD

The level of initial security of ISPD is determined by an expert method in accordance with the "Methodology for determining actual threats to the security of personal data during their processing in personal data information systems" (hereinafter referred to as the Methodology), approved on February 14, 2008 by the Deputy Director of the FSTEC of Russia. The results of the initial security analysis are shown in Table 1.

Table 1. Initial security level

Technical and operational characteristics of ISPD | Value for this ISPD | Security level (high / medium / low)
--------------------------------------------------|---------------------|-------------------------------------
1. By territorial placement | Local ISPD deployed within one building | high
2. By the presence of a connection to public networks | ISPD physically separated from public networks | high
3. By built-in (legal) operations with records of PD databases | Read, write, delete | medium
4. By delimitation of access to PD | ISPD to which a defined list of employees of the organization owning the ISPD, or the PD subject, has access | medium
5. By the presence of connections with PD databases of other ISPDs | ISPD using one PD database, owned by the organization that owns this ISPD | high
6. By the level of generalization (depersonalization) of PD | ISPD in which the data provided to the user is not anonymized (i.e. contains information that allows the PD subject to be identified) | low
7. By the volume of PD provided to third-party ISPD users without pre-processing | ISPD providing part of the PD | medium
Characteristics of ISPD (totals) | 3 of 7 characteristics at "high", 6 of 7 at "medium" or higher |

Thus, the ISPD has a medium level of initial security (Y1 = 5), since more than 70% of its characteristics correspond to a security level of at least "medium", but fewer than 70% of its characteristics correspond to the "high" level.
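The Methodology's procedure that this section relies on, worked through as an added example (not part of the original document): the 70% rules that assign the initial security level and its coefficient Y1, applied to the Table 1 characteristics, and, going beyond the text, the later steps of the same Methodology (the expert probability Y2, the realizability coefficient Y = (Y1 + Y2)/20 and the actuality matrix). Those later steps are this example's reading of the Methodology and should be checked against its official text; the Table 1 data is re-entered as constructed input.

```python
"""Initial security level Y1 of an ISPD and threat actuality, following the
FSTEC of Russia "Methodology for determining actual threats to the security
of personal data" (2008) that the text applies.

Added example, not part of the original document. The 70 % rules for Y1 are
the ones the text states; the Y2 scale, Y = (Y1 + Y2) / 20, the realizability
bands and the actuality matrix are this example's reading of the same
Methodology. Table 1 of the text is re-entered below as constructed data.
"""
from __future__ import annotations

LEVEL_RANK = {"high": 2, "medium": 1, "low": 0}
Y1_BY_LEVEL = {"high": 0, "medium": 5, "low": 10}       # initial security coefficient
Y2_BY_PROBABILITY = {"unlikely": 0, "low": 2, "medium": 5, "high": 10}  # expert estimate

# Table 1 for the "SKUD" ISPD: (characteristic, level for the chosen option).
SKUD_TABLE_1 = [
    ("territorial placement: local ISPD within one building", "high"),
    ("public networks: physically separated", "high"),
    ("built-in operations: read, write, delete", "medium"),
    ("access: defined list of employees or the PD subject", "medium"),
    ("links to other PD databases: one own database", "high"),
    ("depersonalization: data not anonymized", "low"),
    ("volume given to third parties: part of the PD", "medium"),
]


def initial_security_level(levels: list[str]) -> str:
    """70 % rules: 'high' if at least 70 % of the characteristics are high and
    the rest medium; 'medium' if at least 70 % are medium or better; else 'low'."""
    if not levels:
        raise ValueError("at least one characteristic is required")
    n = len(levels)
    share_high = sum(lvl == "high" for lvl in levels) / n
    share_medium_or_better = sum(LEVEL_RANK[lvl] >= 1 for lvl in levels) / n
    if share_high >= 0.7 and "low" not in levels:
        return "high"
    if share_medium_or_better >= 0.7:
        return "medium"
    return "low"


def y1_coefficient(levels: list[str]) -> int:
    """Numeric coefficient of the initial security level."""
    return Y1_BY_LEVEL[initial_security_level(levels)]


def realizability(y1: int, y2: int) -> tuple[float, str]:
    """Threat realizability coefficient Y and its verbal interpretation."""
    y = (y1 + y2) / 20
    if y <= 0.3:
        word = "low"
    elif y <= 0.6:
        word = "medium"
    elif y <= 0.8:
        word = "high"
    else:
        word = "very high"
    return y, word


# Actuality matrix: row = realizability, column = danger of the threat.
ACTUALITY = {
    "low":       {"low": False, "medium": False, "high": True},
    "medium":    {"low": False, "medium": True,  "high": True},
    "high":      {"low": True,  "medium": True,  "high": True},
    "very high": {"low": True,  "medium": True,  "high": True},
}


def is_actual(realizability_word: str, danger: str) -> bool:
    """Whether a threat with the given realizability and danger is actual."""
    return ACTUALITY[realizability_word][danger]


def assess_threat(levels: list[str], probability: str, danger: str) -> dict:
    """Full chain for one threat: Y1 from Table 1, Y2 from the expert estimate,
    Y and its interpretation, and the final actuality decision."""
    y1 = y1_coefficient(levels)
    y2 = Y2_BY_PROBABILITY[probability]
    y, word = realizability(y1, y2)
    return {"Y1": y1, "Y2": y2, "Y": y, "realizability": word,
            "actual": is_actual(word, danger)}


if __name__ == "__main__":
    levels = [lvl for _, lvl in SKUD_TABLE_1]
    print("initial security level:", initial_security_level(levels),
          "Y1 =", y1_coefficient(levels))
    # Constructed threat: expert says "medium" probability and "medium" danger.
    print(assess_threat(levels, "medium", "medium"))
```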

UDC 004.056

I. V. Bondar

METHODOLOGY FOR BUILDING A MODEL OF INFORMATION SECURITY THREATS FOR AUTOMATED SYSTEMS*

A technique for constructing a model of information security threats is considered. The purpose of modeling is to control the security level of an information system by risk analysis methods and to develop an effective information security system that ensures the neutralization of the alleged threats by appropriate protective measures.

Keywords: threat model, information system, information security system model.

At present, of particular relevance is the development of a methodology that allows, within a unified approach, solving the problems of designing automated systems in a secure configuration in compliance with the requirements of regulatory and methodological documents, automatically generating a list of protective measures, and searching for the optimal set of information security tools (ISP) corresponding to that list.

One of the main tasks of ensuring information security is defining the list of threats and assessing the risk from the impact of actual threats, which makes it possible to justify a rational composition of the information security system. Although tasks of this kind are already being solved (see, for example, ), including within a unified methodology, all of them have limitations and are aimed at creating a threat model suitable for a particular problem. I would especially like to note the rarity of attempts to visualize threat models.

This article presents a technique for modeling information security threats to automated systems based on a geometric model. The technique is interesting, first of all, for the universality with which it accounts for negative impacts, previously encountered only in the work where the model was built on the basis of perturbation theory, and for the possibility of visualizing the result. The usual way of visualization, Kohonen maps with their inherent limitations and disadvantages, is not used by the author, which increases the universality of the solution.

Geometric model of the information security system (SZI). Let $P = (p_1, p_2, \dots, p_r)$ be the set of means of defense, and $A = (a_1, a_2, \dots, a_n)$ the set of attacks. Attacks that cannot be expressed as combinations of other attacks will be called independent; their set $A' \subseteq A$ is the basis of attacks. For the geometric model of the SZI we choose the space $\mathbb{R}^n$, whose dimension coincides with the cardinality of the set $A$.

Any attack $a_i \in A$ is associated with certain means of defense $(p'_1, p'_2, \dots, p'_k) \subseteq P$. Denote this set $(p'_1, p'_2, \dots, p'_k) = P_{a_i}$.

If a means of defense does not belong to the set $P_{a_i}$, then the attack $a_i$ is not dangerous for it.

The coordinate axes of the space $\mathbb{R}^n$ represent classes of threats. The unit of measurement on each axis is an independent attack that is associated with a means of protection. For each attack, the coordinate values of the corresponding vector indicate the means of protection that are part of the system under study.

As an example, consider the attack "unauthorized access (NSD) to information stored on a workstation by an external intruder" in a Cartesian space where the x axis holds the threats related to physical security, y the threats related to software and hardware protection, and z the threats related to organizational and legal protection (Fig. 1). The attack can be implemented if three protection measures are not fulfilled: "an outsider in the controlled zone", "an unlocked OS session" and "a security policy (PB) violation".

Fig. 1. Model of the attack "unauthorized access to information stored on a workstation by an external intruder"

This attack can also be implemented in other ways, such as "connecting to the technical means and systems of the informatization object (OI)", "use of eavesdropping devices", "masquerading as a registered user", "software defects and vulnerabilities", "implants (bookmarks)", "use of viruses and other malicious program code", "theft of a medium carrying protected information", and "disruption of the functioning of the information processing system" (Fig. 2).

*The work was carried out as part of the implementation of the Federal Target Program "Research and development in priority areas of development of the scientific and technological complex of Russia for 2007-2013" (GK No. 07.514.11.4047 dated 06.10.2011).

Initially, each vector $p_j$ lies in the first coordinate octant. Let us construct the surface of a convex polyhedron $\Sigma$ in $\mathbb{R}^n$ so that each of its vertices coincides with the end of one of the vectors $p_1, p_2, \dots, p_r$.

Fig. 2. Model of the attack "unauthorized access to information stored on a workstation by an external intruder" (other ways of implementation)

It is natural to formalize the result of the impact of an attack $a_i$ as the reflection of a vector across the axis corresponding to the unfulfilled protection measure. With this modeling method, the vectors of the means for which this attack is not dangerous keep their position (Fig. 3).

Thus, after the impact of the attack $a_i$, only the $i$-th coordinate of the vectors $p_1, p_2, \dots, p_r$ included in the geometric model changes, and all other coordinates remain unchanged.

Based on the results of attack modeling, one can judge the sensitivity or insensitivity of the information system (IS) to disturbing influences. If the coordinates of the polyhedron belong to the first coordinate octant, the IS is concluded to be insensitive to the disturbing effect; otherwise the protective measures are concluded to be insufficient. The stability measure reduces to the number of iterations over which the IS remains unperturbed by the effects of combinations of attacks.
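The geometric model above, carried through as an added example (not the article's code): protection means as vectors in R^3 with the axes of Fig. 1, attacks that reflect the coordinate along their axis for the means in P_{a_i}, the first-octant check, and the stability measure as the smallest combination of basis attacks that perturbs the system. The rule that a vector is reflected only when its measure is unfulfilled is this example's reading of the text, and all measure and attack data are constructed.

```python
"""Geometric model of an information security system (SZI) from the article:
each protection means p_j is a vector in R^n with one axis per threat class,
an independent attack a_i reflects, across axis i, the vectors of the means in
P_{a_i} whose measure is not fulfilled, and the IS counts as perturbed once a
vertex of the polyhedron leaves the first octant.

Added illustration of the construction, not the author's code. The axes
(x physical, y software/hardware, z organisational) follow Fig. 1; reflecting
only unfulfilled measures is this example's reading of the text; all measure
and attack data below are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from itertools import combinations
from typing import Optional

PHYSICAL, SOFTWARE_HW, ORGANISATIONAL = 0, 1, 2   # axis index per threat class
AXES = ("physical", "software/hardware", "organisational")


@dataclass
class Measure:
    """A protection means p_j: its vector in R^3 and whether it is in place."""
    name: str
    vector: list
    fulfilled: bool = True


@dataclass(frozen=True)
class Attack:
    """An independent attack a_i: the axis it acts along and the set P_{a_i}."""
    name: str
    axis: int
    targets: frozenset


def apply_attack(measures: dict, attack: Attack) -> dict:
    """Return a new state: the attack's axis coordinate is negated for every
    targeted measure that is not fulfilled; every other vector keeps its place."""
    state = {}
    for name, m in measures.items():
        vec = list(m.vector)
        if name in attack.targets and not m.fulfilled:
            vec[attack.axis] = -vec[attack.axis]
        state[name] = Measure(name, vec, m.fulfilled)
    return state


def perturbed_vertices(measures: dict) -> list:
    """Names of the vectors whose end has left the first coordinate octant."""
    return sorted(n for n, m in measures.items() if any(c < 0 for c in m.vector))


def in_first_octant(measures: dict) -> bool:
    """All vertices of the polyhedron have non-negative coordinates."""
    return not perturbed_vertices(measures)


def stability_measure(measures: dict, attacks: dict) -> Optional[int]:
    """Smallest number of basis attacks, applied together, that perturbs the IS;
    None when no combination pushes a vertex out of the first octant."""
    names = sorted(attacks)
    for k in range(1, len(names) + 1):
        for combo in combinations(names, k):
            state = measures
            for n in combo:
                state = apply_attack(state, attacks[n])
            if not in_first_octant(state):
                return k
    return None


def fulfil_all(measures: dict) -> dict:
    """Copy of the state with every protection measure marked as fulfilled."""
    return {n: Measure(n, list(m.vector), True) for n, m in measures.items()}


# Constructed data for the Fig. 1 attack ("unauthorized access to information
# on a workstation by an external intruder"): three measures, one per axis;
# OS session locking is the one measure not in place.
MEASURES = {
    "controlled zone": Measure("controlled zone", [1.0, 0.2, 0.4]),
    "OS session locking": Measure("OS session locking", [0.1, 1.0, 0.3], fulfilled=False),
    "security policy": Measure("security policy", [0.3, 0.2, 1.0]),
}
ATTACKS = {
    "outsider in the controlled zone":
        Attack("outsider in the controlled zone", PHYSICAL, frozenset({"controlled zone"})),
    "unblocked OS session":
        Attack("unblocked OS session", SOFTWARE_HW, frozenset({"OS session locking"})),
    "security policy violation":
        Attack("security policy violation", ORGANISATIONAL, frozenset({"security policy"})),
}

if __name__ == "__main__":
    after = apply_attack(MEASURES, ATTACKS["unblocked OS session"])
    print("perturbed vertices:", perturbed_vertices(after))
    print("stability, one measure unfulfilled:", stability_measure(MEASURES, ATTACKS))
    print("stability, all measures fulfilled:", stability_measure(fulfil_all(MEASURES), ATTACKS))
```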

Threat model. The primary list of threats is formed by combinations of the various factors affecting the protected information, the categories of protection tools, and the levels of impact of violators (Fig. 4).

Identification and consideration of factors that affect or may affect protected information in specific conditions form the basis for planning and implementing effective measures to ensure the protection of information at the informatization object. The completeness and reliability of identifying factors is achieved by considering the full set of factors that affect all elements of the informatization object at all stages of information processing. The list of main subclasses (groups, subgroups, etc.) of factors in accordance with their classification is presented in section 6 of GOST 51275-2006 “Information security. Informatization object. Factors affecting information. General Provisions".

Threats of information leakage through technical channels are unambiguously described by the characteristics of the information source, the medium (path) of propagation and the receiver of the informative signal, i.e., they are determined by the characteristics of the technical channel of information leakage.

The secondary list of threats is formed by supplementing the primary one on the basis of statistics on incidents that have occurred and the conditional degree of their destructive impact.

The degree of disturbing influence can be determined by:

  • the likelihood of the threat;
  • the loss from the implementation of the threat;
  • the system recovery time.

Fig. 3. Simulation results

Fig. 4. ER model of the threat model database in Chen's notation (entities include the level of impact of violators)

Disturbance can lead to:

Violation of the confidentiality of information (copying or unauthorized distribution), when the implementation of threats does not directly affect the content of information;

Unauthorized, including accidental, influence on the content of information, as a result of which the information is changed or destroyed;

Unauthorized, including accidental, impact on the software or hardware elements of the IS, as a result of which information is blocked;

Loss of accountability of system users or entities acting on behalf of the user, which is especially dangerous for distributed systems;

Loss of data authenticity;

Loss of system reliability.

The measure of risk, which allows one to compare threats and prioritize them, can be determined by the total damage from each type of problem.

The result of the risk assessment for each threat should be:

Integrated use of appropriate information security tools;

Reasonable and targeted risk taking, ensuring full satisfaction of the requirements of the organization's policies and its risk acceptance criteria;

The maximum possible rejection of risks, the transfer of related business risks to other parties, such as insurers, suppliers, etc.

The considered method of constructing a threat model makes it possible to develop private models of information security threats for specific systems, taking into account their purpose, operating conditions and features. The purpose of such modeling is to control the level of IS security by risk analysis methods and to develop an effective information protection system that ensures the neutralization of the alleged threats.

In the future, this technique can serve as the basis for developing universal algorithmic, and then mathematical, security models that effectively combine the requirements of regulatory and methodological documents, the methodology for building threat models, intruder models, etc. Such methodological support will make it possible to move to a qualitatively higher level of design, development and security assessment of information security systems.

1. Kobozeva A. A., Khoroshko V. A. Analysis of information security: monograph. Kyiv: Publishing House of the State University of Information and Communication Technologies, 2009.

2. Vasiliev V. I., Mashkina I. V., Stepanova E. S. Development of a threat model based on the construction of a fuzzy cognitive map for numerical assessment of the risk of information security violations. Izvestiya of the Southern Federal University. Technical Sciences. 2010. Vol. 112, No. 11. pp. 31-40.

3. Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) Framework: Techn. Rep. CMU/SEI-SS-TR-017 / C. J. Alberts, S. G. Behrens, R. D. Pethia, W. R. Wilson; Carnegie Mellon Univ. Pittsburgh, PA, 2005.

4. Burns S. F. Threat Modeling: a Process to Ensure Application Security // GIAC Security Essentials Certification Practical Assignments. Version 1.4c / SANS Inst. Bethesda, MD, 2005.

5. Popov A. M., Zolotarev V. V., Bondar I. V. Methodology for assessing the security of an information system according to the requirements of information security standards. Informatics and Control Systems / Pacific National University. Khabarovsk, 2010. No. 4 (26). pp. 3-12.

6. Analysis of reliability and risk of special systems: monograph / M. N. Zhukova, V. V. Zolotarev, I. A. Panfilov et al.; Siberian State Aerospace University. Krasnoyarsk, 2011.

7. Zhukov V. G., Zhukova M. N., Stefarov A. P. Model of an access violator in an automated system // Software Products and Systems / Research Institute Centerprogramsystems. Tver, 2012. Issue 2.

8. Bondar I. V., Zolotarev V. V., Gumennikova A. V., Popov A. M. Decision support system for information security "OASIS" // Software Products and Systems / Research Institute Centerprogramsystems. Tver, 2011. Issue 3. pp. 186-189.

CONSTRUCTION METHOD FOR INFORMATION SECURITY THREAT MODELS

OF AUTOMATED SYSTEMS

The authors consider a technique for constructing threat models. The purpose of modeling is to control the information system security level with risk analysis methods and to describe the development of an effective information security system that ensures the neutralization of the supposed threats with appropriate security measures.

Keywords: threat model, information system, information security system model.

© Bondar I. V., 2012

V. V. Buryachenko

VIDEO STABILIZATION FOR A STATIC SCENE BASED ON A MODIFIED BLOCK MATCHING METHOD

The main approaches to the stabilization of video materials are considered, in particular, finding the global motion of the frame caused by external influences. An algorithm for stabilizing video materials based on a modified block matching method for successive frames is constructed.

Keywords: video stabilization, block matching method, Gaussian distribution.

A digital image stabilization system first assesses unwanted motion and then corrects image sequences to compensate for external factors such as shooting instability, weather conditions, etc. It is likely that motion capture hardware systems will include image stabilization, so this study focuses on modeling and implementing algorithms that can run efficiently on hardware platforms.

There are two main approaches to solving the problem of stabilizing video materials: a mechanical approach (optical stabilization) and digital image processing. The mechanical approach is used in optical systems to adjust motion sensors during camera shake and means the use of a stable camera installation or the presence of gyroscopic stabilizers. Although this approach may work well in practice, it is almost never used due to the high cost of stabilizers and the availability of

At the moment I am reviewing a private policy on information security risks and updating the information security threat model.

In the course of this work I encountered some difficulties. How I solved them and developed a private threat model is discussed below.

Previously, many banks used the industry model of PD security threats taken from the Bank of Russia standardization recommendation RS BR IBBS-2.4-2010 "Ensuring information security of organizations of the banking system of the Russian Federation. Industry-specific model of threats to the security of personal data during their processing in personal data information systems of organizations of the banking system of the Russian Federation" (RS BR IBBS-2.4-2010). But with the publication of the Bank of Russia information dated May 30, 2014, that document became invalid. Now it has to be developed independently.

Few people know that with the release of the Bank of Russia standardization recommendation "Ensuring information security of organizations of the banking system of the Russian Federation. Prevention of information leaks" RS BR IBBS-2.9-2016 (RS BR IBBS-2.9-2016) there was a substitution of concepts. Now, when defining the list of categories of information and the list of types of information assets, it is recommended to rely on the content of clauses 6.3 and 7.2 of RS BR IBBS-2.9-2016. Previously it was clause 4.4 of the Bank of Russia standardization recommendation "Ensuring information security of organizations of the banking system of the Russian Federation. Methodology for assessing the risks of information security violations" RS BR IBBS-2.2-2009 (RS BR IBBS-2.2-2009). I even turned to the Central Bank for clarification:

The main sources of threats are listed in clause 6.6 of the Bank of Russia standard "Ensuring information security of organizations of the banking system of the Russian Federation. General provisions" STO BR IBBS-1.0-2014 (STO BR IBBS-1.0-2014). The intruder's potential can be taken from there as well.

In general, when determining current IS threats it is necessary to take into account the information security incidents that occurred in the organization, information from the analytical reports of regulators and companies providing information security services, and the expert opinion of the company's specialists.

IS threats are also determined in accordance with Bank of Russia Ordinance No. 3889-U dated 10.12.2015 "On determining the personal data security threats that are relevant when processing personal data in personal data information systems" (3889-U), Appendix 1 of RS BR IBBS-2.2-2009, Table 1 of RS BR IBBS-2.9-2016 (I made it a separate appendix), and the Data Bank of Information Security Threats of the FSTEC of Russia (BDU).

By the way, I noticed that some threats from 3889-U duplicate threats from the BDU:

  • threat of impact of malicious code external to the personal data information system - UBI.167, UBI.172, UBI.186, UBI.188, UBI.191;
  • threat of the use of social engineering methods against persons with authority in the personal data information system - UBI.175;
  • threat of unauthorized access to personal data by persons without authority in the personal data information system, using vulnerabilities in the software of the personal data information system - UBI.192.

Because of this, I excluded the duplicate threats from 3889-U in favor of the UBI entries, since their descriptions contain additional information that makes it easier to fill in the threat model and information security risk assessment tables.

Actual threats from the threat source "Adverse natural, man-made and social events" can be determined from the statistics of the Ministry of Emergency Situations of the Russian Federation on emergency situations and fires.

Actual Threats source of threats "Terrorists and criminal elements" can be determined based on the statistics of the Ministry of Internal Affairs of the Russian Federation on the state of crime and the newsletter "Crime in the banking sector".

At this stage we have identified the sources of IS threats and the current IS threats. Now let's move on to creating the information security threat model table.

As a basis, I took the table "Industry model of PD security threats" from RS BR IBBS-2.4-2010. The columns "Threat source" and "Threat realization level" are filled in according to the requirements of clauses 6.7 and 6.9 of STO BR IBBS-1.0-2014. Two columns remain empty: "Types of environment objects" and "Security threat". I renamed the latter to "Consequences of the threat implementation", as in the BDU (in my opinion, this is more correct). To fill them in, we need the descriptions of our threats from the BDU.

As an example, consider "UBI.192: Threat of using vulnerable software versions":

  • Threat description: the threat consists in the possibility of a destructive impact on the system by an intruder exploiting software vulnerabilities. This threat is due to weaknesses in the mechanisms for analyzing software for vulnerabilities. Its implementation is possible in the absence of a check of the software for vulnerabilities before its use.
  • Threat sources: internal intruder with low potential; external intruder with low potential.
  • Objects of influence: application software, network software, system software.
  • Consequences of the threat implementation: violation of confidentiality, violation of integrity, violation of availability.

For convenience, I distributed the types of environment objects (objects of influence) by threat realization levels (levels of the bank's information infrastructure).

I compiled the list of environment objects from clause 7.3 of RS BR IBBS-2.9-2016, clause 4.5 of RS BR IBBS-2.2-2009 and the UBI descriptions. The threat realization levels are given in clause 6.2 of STO BR IBBS-1.0-2014.

Thus, this threat affects the following levels: the level of network applications and services, and the level of banking technological processes and applications.

I did the same with other IS threats.

The result is a table like this.

Classification of unauthorized influences

A threat is understood as a potentially existing possibility of accidental or deliberate action (inaction), as a result of which the basic properties of information and its processing systems can be violated: availability, integrity and confidentiality.

Knowledge of the range of potential threats to protected information, and the ability to competently and objectively assess the possibility of their implementation and the degree of danger of each of them, is a milestone in the complex process of organizing and providing protection. Determining the full set of IS threats is practically impossible, but a relatively complete description of them, in relation to the object under consideration, can be achieved by detailed compilation of a threat model.

Remote attacks are classified by the nature and purpose of the impact, by the condition for the start of the impact and the presence of feedback from the attacked object, by the location of the attacking subject relative to the attacked object, and by the level of the open systems interconnection reference model (OSI; EMVOS in the Russian sources) at which the impact is carried out.

Classification features of protected objects and security threats in automated systems (AS), and possible methods of unauthorized access (NSD) to information in protected AS:

  • 1) by the principle of unauthorized access:
    - physical: implemented by direct or visual contact with the protected object;
    - logical: involves overcoming the protection system with software tools by logical penetration into the AS structure;
  • 2) by the path of unauthorized access:
    - using a direct standard access path: weaknesses in the established security policy and in the network management process are exploited; the result may be masquerading as an authorized user;
    - using a hidden, non-standard access path: undocumented features (weaknesses) of the protection system are used (deficiencies in the algorithms and components of the protection system, errors in the implementation of its design);
    - a special group by degree of danger consists of IS threats carried out through the intruder's actions that allow not only an unauthorized impact (NSV) on the system's information resources, using special software and software/hardware means of impact, but also unauthorized access to information;
  • 3) by degree of automation:
    - performed with constant human participation: public (standard) software may be used; the attack takes the form of a dialogue between the intruder and the protected system;
    - performed by special programs without direct human intervention: special software is used, most often developed with virus technology; as a rule, this way of unauthorized access is preferable for implementing an attack;
  • 4) by the nature of the impact of the subject of unauthorized access on the object of protection:
    - passive: has no direct impact on the AS but can violate the confidentiality of information; an example is monitoring of communication channels;
    - active: any unauthorized impact whose ultimate goal is making changes in the attacked AS;
  • 5) by the condition for the start of the impact:
    - attack on request from the attacked object: the subject of the attack is initially conditionally passive and waits for a request of a certain type from the attacked AS, whose weaknesses are used to carry out the attack;
    - attack on the occurrence of an expected event at the attacked object: the OS of the attacked object is monitored, and the attack starts when the AS is in a vulnerable state;
    - unconditional attack: the subject of the attack actively influences the object of the attack regardless of the latter's state;
  • 6) by the purpose of the impact: security is considered as a combination of confidentiality, integrity, availability of resources and operability (stability) of the AS, the violation of which is reflected in the conflict model;
  • 7) by the presence of feedback from the attacked object:
    - with feedback: bidirectional interaction between the subject and the object of the attack in order to obtain from the object any data that affects the further course of the unauthorized access;
    - without feedback: a unidirectional attack; the subject of the attack does not need a dialogue with the attacked AS; an example is a directed "storm" of requests, whose goal is to disrupt the operability (stability) of the AS;
  • 8) by the type of protection weakness used:
    - shortcomings of the established security policy: the security policy developed for the AS is inadequate to the security criteria, and this is used to perform unauthorized access;
    - administrative errors;
    - undocumented features of the security system, including software-related ones: errors, failed OS updates, vulnerable services, unprotected default configurations;
    - shortcomings of protection algorithms: the security algorithms used by the developer to build the information security system do not reflect the real aspects of information processing and contain conceptual errors;
    - errors in the implementation of the protection system design: the implementation of the information security system does not comply with the principles laid down by its designers.

Logical features of protected objects:

  • 1) security policy: a set of documented conceptual decisions aimed at protecting information and resources, including goals, requirements for protected information, a set of IS measures, and the duties of persons responsible for IS;
  • 2) the administrative management process: includes network configuration and performance management, access to network resources, measures to improve network reliability and restore the operability of the system and data, and control of the correct functioning of protection tools in accordance with the security policy;
  • 3) components of the protection system:
    - the cryptographic information protection system;
    - key information;
    - passwords;
    - information about users (identifiers, privileges, powers);
    - settings of the protection system;
  • 4) protocols: as a set of functional and operational requirements for network hardware and software components, they must be correct, complete and consistent;
  • 5) functional elements of computer networks: must, in the general case, be protected from overloading and from destruction of "critical" data.

Possible ways and methods of implementing unauthorized access (types of attacks):

  • 1) analysis of network traffic, study of LANs and protection means to find their weaknesses, and study of the AS operating algorithms. In systems with a physically dedicated communication channel, messages are transmitted directly between source and receiver, bypassing the other objects of the system; in such a system, without access to the objects through which a message passes, there is no software-based possibility of analyzing network traffic;
  • 2) introduction of unauthorized devices into the network;
  • 3) interception of transmitted data for the purpose of theft, modification or redirection;
  • 4) substitution of a trusted object in the AS;
  • 5) introduction of an unauthorized route (object) into the network by imposing a false route and redirecting the message flow through it;
  • 6) introduction of a false route (object) into the network by exploiting the shortcomings of remote search algorithms;
  • 7) exploitation of vulnerabilities in system and application software;
  • 8) cryptanalysis;
  • 9) exploitation of shortcomings in the implementation of cryptographic algorithms and programs;
  • 10) interception, selection, substitution and prediction of generated keys and passwords;
  • 11) assignment of additional powers and changes to the settings of the protection system;
  • 12) introduction of software implants (program bookmarks);
  • 13) disruption of the operability (stability) of the AS by creating an overload, destroying "critical" data, or performing incorrect operations;
  • 14) access to a network computer that receives messages or performs routing functions.

Classification of intruders

The possibilities for implementing harmful influences depend to a large extent on the attacker's status in relation to the computer system (CS). An attacker can be:

  • 1) CS developer;
  • 2) an employee from among the service personnel;
  • 3) user;
  • 4) an outsider.

The developer has the most complete information about the software and hardware of the CS. The user has a general idea of the structure of the CS and of the operation of the information protection mechanisms; he can collect data about the information security system using traditional espionage methods and attempt unauthorized access to information. An outsider with no relation to the CS is in the least advantageous position compared with the other attackers. If we assume that he has no access to the CS facility, he has at his disposal remote methods of traditional espionage and the possibility of sabotage; he can carry out harmful effects through electromagnetic radiation and interference, as well as through communication channels if the CS is distributed.

Great opportunities for wrecking the information of the CS have specialists serving these systems. Moreover, specialists from different departments have different potential for malicious actions. The greatest harm can be done by information security workers. Next come system programmers, application programmers, and engineering staff.

In practice, the danger of an attacker also depends on the financial, logistical capabilities and qualifications of the attacker.

A modern information security system should be built on the basis of a combination of various protection measures and rely on modern methods forecasting, analysis and modeling of possible threats to information security and the consequences of their implementation.

The simulation results are intended to select adequate optimal methods for parrying threats.

How to make a private model of information system security threats

At the modeling stage, the existing situation is studied and analyzed and the actual threats to the security of PD within the ISPD are identified. A separate threat model is compiled for each identified ISPD.

The information system security threat model is built in accordance with the requirements of the Federal Law of July 27, 2006 No. 152-FZ “On Personal Data”. In addition, methodological documents of the FSTEC of Russia can be used: "Basic model of security threats to personal data when they are processed in ISPD", "Methodology for determining actual security threats to personal data when they are processed in ISPD".

The initial data for evaluation and analysis are usually the materials of the "Inspection Act", the results of a survey of employees of various departments and services, methodological documents of the FSTEC, etc.

A private threat model for information system security must be approved by the head of the organization or by the commission, based on the report on the results of the internal audit.

The threat model may be developed by the organization's data protection staff or by external experts. The developers must have complete information about the personal data information system and know the regulatory framework for information protection.

Content of the information system security threat model

The ISPD security threat model reflects:

  • The threats to the security of personal data themselves. When processing personal data in ISPD, the following threats can be distinguished: those created by an intruder (a person), by a hardware backdoor, by malware, threats of special effects on the ISPD, threats of electromagnetic effects on the ISPD, threats of information leakage through technical channels, etc.
  • Sources of threats to the ISPD. Possible sources of threats to the ISPD are: an external intruder, an internal intruder, a hardware or software backdoor, or a malicious program.
  • General characteristics of ISPD vulnerabilities. This section contains information about the main groups of ISPD vulnerabilities and their characteristics, as well as the causes of the vulnerabilities.
  • Information protection measures in use. For each ISPD, the measures needed to reduce the risk of the actual threats should be determined.


Information security threat model of the ISPD

As well as methodological documents of the FSTEC of Russia:

- "Basic model of security threats to personal data when they are processed in ISPD"

- "Methodology for determining actual threats to the security of personal data when they are processed in ISPD"

Initial data

The initial data for evaluation and analysis are:

- materials of the "Inspection Act";
- the results of a survey of employees of various departments and services;
- methodological documents of the FSTEC;
- the requirements of the government decree.

Description of the approach to modeling personal data security threats

2.1. The security threat model was developed on the basis of the FSTEC methodological documents. On the basis of the "Basic model of security threats to personal data during their processing in ISPD", security threats were classified and a list of security threats was compiled. Then, using the "Methodology for determining actual PD security threats when they are processed in ISPD", a model of PD security threats within the ISPD "SKUD" was built from that list and the actual threats were identified.

2.2. Actual threats to the security of personal data are understood as a set of conditions and factors that create an actual danger of unauthorized, including accidental, access to personal data during their processing in an information system, which may result in the destruction, modification, blocking, copying, provision or distribution of personal data and other unlawful actions.

2.3. Threats of the 1st type are relevant for an information system if, among others, threats associated with the presence of undocumented (undeclared) capabilities in the system software used in the information system are relevant for it.

2.4. Threats of the 2nd type are relevant for an information system if, among others, threats associated with the presence of undocumented (undeclared) capabilities in the application software used in the information system are relevant for it.

2.5. Threats of the 3rd type are relevant for an information system if the threats relevant for it are not associated with the presence of undocumented (undeclared) capabilities in the system or application software used in the information system.

Threat Model

3.1. Classification of personal data security threats

When processing personal data in ISPD, the following threats can be distinguished. The threat table has the following columns:

Name of the threat | Description of the threat | Probability of occurrence | Possibility of realization of the threat
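The Methodology referenced in 2.1 derives the "Possibility of realization" column from two expert ratings, the initial security level of the ISPD and the probability of occurrence of the threat, and then combines it with an expert rating of the threat's danger to decide whether the threat is actual. The Python below is an added example written for this page, not part of the template or of FSTEC's documents; the coefficient values and thresholds are those of the 2008 Methodology, which the page cites but does not reproduce, and the function names and the three sample threats with their ratings are constructed for illustration.

```python
# Added example: "possibility of realization" (feasibility) and actuality of a
# PD security threat, computed as the FSTEC 2008 Methodology prescribes.
# The numeric coefficients and thresholds are taken from that Methodology
# (assumed here, since the page cites it without reproducing it); the sample
# threats are constructed for illustration only.

# Y1: level of initial security of the ISPD (expert assessment, cf. Table 1)
INITIAL_SECURITY = {"high": 0, "medium": 5, "low": 10}
# Y2: probability of the threat being realized (expert verbal assessment)
PROBABILITY = {"unlikely": 0, "low": 2, "medium": 5, "high": 10}

# Actuality decision table: feasibility level -> danger of the threat -> actual?
ACTUALITY = {
    "low":       {"low": False, "medium": False, "high": True},
    "medium":    {"low": False, "medium": True,  "high": True},
    "high":      {"low": True,  "medium": True,  "high": True},
    "very high": {"low": True,  "medium": True,  "high": True},
}


def feasibility_coefficient(initial_security: str, probability: str) -> float:
    """Y = (Y1 + Y2) / 20, which always lies in [0, 1]."""
    return (INITIAL_SECURITY[initial_security] + PROBABILITY[probability]) / 20


def feasibility_level(y: float) -> str:
    """Map the coefficient Y to the verbal 'possibility of realization'."""
    if y <= 0.3:
        return "low"
    if y <= 0.6:
        return "medium"
    if y <= 0.8:
        return "high"
    return "very high"


def assess_threat(name: str, initial_security: str, probability: str, danger: str) -> dict:
    """One row of the threat table: ratings in, feasibility and actuality out."""
    y = feasibility_coefficient(initial_security, probability)
    level = feasibility_level(y)
    return {
        "threat": name,
        "probability": probability,
        "feasibility_coefficient": y,
        "feasibility": level,
        "danger": danger,
        "actual": ACTUALITY[level][danger],
    }


# Constructed sample rows: (threat name, probability of occurrence, danger).
SAMPLE_THREATS = [
    ("Exploitation of vulnerabilities in system and application software", "medium", "medium"),
    ("Cryptanalysis of the protected PD", "unlikely", "high"),
    ("Introduction of a false route into the network", "low", "low"),
]


def assess_all(initial_security: str = "medium", threats=SAMPLE_THREATS) -> list:
    """Assess every sample threat for an ISPD with the given initial security level."""
    return [assess_threat(n, initial_security, p, d) for n, p, d in threats]


if __name__ == "__main__":
    for row in assess_all():
        print(f"{row['threat'][:48]:<48} Y={row['feasibility_coefficient']:.2f} "
              f"{row['feasibility']:<9} danger={row['danger']:<6} actual={row['actual']}")
```

Note that a threat rated "unlikely" is still actual when its danger is rated high (the cryptanalysis row above), and that a "low"-danger threat is not actual until its feasibility reaches "high"; the initial security level of the ISPD shifts every row, which is why Table 1 is filled in before the threat table.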

3.2. Sources of threats to the ISPD

Sources of threats in the ISPD can be the following. The source table has the following columns:

Name of threat source | General characteristics of the source of threats

