METHOD FOR INTEGRATING INFORMATION SECURITY POLICIES, STANDARDS AND PROTOCOLS INTO THE DEVELOPMENT OF A COMPREHENSIVE INFORMATION SECURITY SYSTEM IN AN ORGANIZATION
DOI: https://doi.org/10.28925/2663-4023.2025.31.1021
Keywords: comprehensive information security system, CISS, information security policy, information security management, CISS modelling, information security standards, ND TZI, ISO/IEC 27001, NIST SP 800-53, secure network protocols, TLS 1.3, SSHv2, DNSSEC, IPSec, compliance assessment
Abstract
The article addresses the problem of the discrepancy between declared information security policies, the requirements of standards and protocols, and the actual functioning of organizational information infrastructures. In practice, components of comprehensive information security systems (CISS) are often developed formally, without considering real risks, characteristics of network protocols, or compliance with international and national security standards. As a result, information security policies are not aligned with technical configuration parameters, leading to fragmentation of protection mechanisms and a decrease in overall system effectiveness. Another critical issue is the continued use of outdated or insecure protocols that remain operational due to the absence of systematic compliance control mechanisms. This study proposes a method for integrating information security policies, standard requirements (ISO/IEC 27001:2022, NIST SP 800-53, Ukrainian ND TZI), and secure network protocols (TLS 1.3, SSHv2, DNSSEC, IPSec) into the process of developing a comprehensive information security system. The method consists of four stages: asset and protocol analysis, development and formalization of security policies, compliance mapping with standards, and construction of an integrated CISS architecture based on the obtained results. To quantitatively assess the consistency of CISS components, a compliance scoring algorithm is introduced, enabling objective evaluation of the information infrastructure’s conformity with regulatory requirements and internal policies. Experimental validation of the method in a test environment demonstrated an increase in compliance with standards from 52% to 92%, the elimination of outdated or insecure protocols (FTP, SMB1, HTTP), and improved accuracy of CISS parameterization due to automated mapping of policies to technical security mechanisms. 
The obtained results confirm the feasibility and effectiveness of the proposed method for designing and modernizing CISS in organizations of various types. The purpose of this study is to develop a method for integrating information security policies, standards, and protocols into the formation of a comprehensive information security system within an organization.
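As an added illustration of the compliance scoring and policy-to-mechanism mapping the abstract describes (example code written for this page, not the authors' algorithm; the rule ids, the mapping to ISO/IEC 27001 and NIST SP 800-53 controls, and the asset inventory are constructed assumptions):

```python
from dataclasses import dataclass

# Protocols the abstract reports the method eliminating; used only for the flag.
LEGACY = {"FTP", "SMB1", "HTTP"}
# Policy rules and the standard controls they evidence; the rule ids and the
# control mapping are illustrative assumptions, not the paper's own table.
# Fields: rule id, governed service type, accepted protocols, controls.
RULES = [
    ("P-01", "web", ("TLS 1.3",), ("ISO 27001 A.8.24", "NIST SC-8")),
    ("P-02", "admin", ("SSHv2",), ("ISO 27001 A.8.20", "NIST SC-8")),
    ("P-03", "dns", ("DNSSEC",), ("ISO 27001 A.8.21", "NIST SC-20")),
    ("P-04", "vpn", ("IPSec",), ("ISO 27001 A.8.24", "NIST SC-13")),
    ("P-05", "files", ("SSHv2", "TLS 1.3"), ("ISO 27001 A.8.24", "NIST SC-8")),
]
@dataclass
class Finding:
    asset: str
    service: str
    rule: str
    protocol: str
    legacy: bool     # True when the protocol is on the removal list
    controls: tuple  # standard controls left without technical evidence
def assess(inventory):
    """Check each (asset, service, protocol) record against the rule for its
    service type. Returns (compliance percentage, list of failed checks)."""
    checks, passed, findings = 0, 0, []
    for asset, service, proto in inventory:
        for rule_id, svc, accepted, controls in RULES:
            if svc != service:
                continue
            checks += 1
            if proto in accepted:
                passed += 1
            else:
                findings.append(Finding(asset, service, rule_id, proto,
                                        proto in LEGACY, controls))
    return (round(100 * passed / checks, 1) if checks else 0.0), findings

def remediate(inventory, findings):
    """Policy-to-mechanism mapping: move every failed service to the first
    protocol its rule accepts and return the corrected inventory."""
    failed = {(f.asset, f.service) for f in findings}
    target = {svc: accepted[0] for _, svc, accepted, _ in RULES}
    return [(a, s, target[s] if (a, s) in failed else p) for a, s, p in inventory]

# Constructed inventory for a before/after run; not data from the paper.
BEFORE = [("www-portal", "web", "HTTP"), ("api-gw", "web", "TLS 1.2"), ("bastion", "admin", "SSHv2"),
          ("jump-2", "admin", "SSHv2"), ("ns1", "dns", "DNSSEC"), ("branch-gw", "vpn", "IPSec"),
          ("fileshare", "files", "SMB1"), ("ftp-legacy", "files", "FTP")]
```

Running `assess(BEFORE)` scores the constructed inventory at 50% with four findings (three of them legacy protocols), and `assess(remediate(BEFORE, findings))` reaches 100% once each failed service is moved to a protocol its policy rule accepts.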
References
ISO. (2022). ISO/IEC 27001:2022. Information security, cybersecurity and privacy protection – Information security management systems – Requirements. Geneva: ISO.
National Institute of Standards and Technology. (2020). NIST Special Publication 800-53 Revision 5. Security and Privacy Controls for Information Systems and Organizations. Gaithersburg, MD: NIST.
Balatska, V. S., Tkachuk, R. L., & Maslova, N. V. (2025). Evolution of integrated information security systems and blockchain technologies in cybersecurity of state information systems of Ukraine. Cybersecurity: Education, Science, Technique, 2(30), 316–332. https://doi.org/10.28925/2663-4023.2025.30.975
Stallings, W. (2023). Network Security Essentials: Applications and Standards (7th ed.). Pearson.
State Service for Special Communications and Information Protection of Ukraine. (2008). ND TZI 2.5-004-2008. Procedure for developing a comprehensive information protection system (KSZI). Kyiv.
Balatska, V., Poberezhnyk, V., Petriv, P., & Opirskyy, I. (2024). Blockchain application concept in SSO technology context. CEUR Workshop Proceedings, 3654, 38–49. https://ceur-ws.org/Vol-3654/
Kent, S., & Seo, K. (2005). Security Architecture for the Internet Protocol (IPSec) (RFC 4301). IETF. https://www.rfc-editor.org/rfc/rfc4301
Balatska, V. S., & Opirskyy, I. R. (2023). Ensuring personal data confidentiality and cybersecurity through blockchain. Cybersecurity: Education, Science, Technique, 4(20), 6–19. https://doi.org/10.28925/2663-4023.2023.20.619
Anderson, R. (2020). Security Engineering: A Guide to Building Dependable Distributed Systems (3rd ed.). Wiley.
State Service for Special Communications and Information Protection of Ukraine. (2009). ND TZI 2.7-010-09. Classification of threats and model of the violator. Kyiv.
Balatska, V., Slobodian, N., & Opirskyy, I. (2024). Blockchain for enhancing transparency and trust in government registries. CEUR Workshop Proceedings, 3826, 50–59. https://ceur-ws.org/Vol-3826/
Rescorla, E. (2018). The Transport Layer Security (TLS) Protocol Version 1.3 (RFC 8446). IETF. https://www.rfc-editor.org/rfc/rfc8446
Balatska, V., Poberezhnyk, V., & Opirskyy, I. (2024). Using Non-Fungible Tokens and blockchain for access control in state registries. Cybersecurity: Education, Science, Technique, 4(24), 99–114. https://doi.org/10.28925/2663-4023.2024.24.99114
ENISA. (2022). Cybersecurity Policy Implementation Guide. European Union Agency for Cybersecurity. https://www.enisa.europa.eu
Poberezhnyk, V., Balatska, V., & Opirskyy, I. (2023). Development of the learning management system concept based on blockchain technology. CEUR Workshop Proceedings, 3550, 138–146. https://ceur-ws.org/Vol-3550/
Gartner Group. (2023). Market Guide for Zero Trust Network Access. Gartner.
Balatska, V., & Poberezhnyk, V. (2024). Concept of applying blockchain technologies to enhance the protection of personal data in the Diia platform: compliance with GDPR and Ukrainian legislation. Cybersecurity: Education, Science, Technique, 2(26), 268–290.
Arends, R., Austein, R., Larson, M., Massey, D., & Rose, S. (2005). DNS Security Introduction and Requirements (RFC 4033). IETF. https://www.rfc-editor.org/rfc/rfc4033
Balatska, V., Poberezhnyk, V., & Opirskyy, I. (2024). Utilizing blockchain technologies for ensuring the confidentiality and security of personal data in compliance with GDPR. CEUR Workshop Proceedings, 3800, 70–80. https://ceur-ws.org/Vol-3800/
State Service for Special Communications and Information Protection of Ukraine. (2005). ND TZI 3.7-003-2005. Procedure for conformity assessment of technical information protection means. Kyiv.
Shirey, R. (2007). Internet Security Glossary (RFC 4949). IETF. https://www.rfc-editor.org/rfc/rfc4949
Ivanusa, A., Tkachuk, R., Brych, T., Balatska, V., & Tkachenko, A. (2024). Methods and models for designing a system for automated search of vulnerabilities in web applications. Visnyk Lviv State University of Life Safety, 30, 110–122. https://doi.org/10.32447/20784643.30.2024.11
Balatska, V., & Dmytriv, N. (2025). Inter-organizational exchange of confidential personal data based on permissioned blockchain. Cybersecurity: Education, Science, Technique, 2(29), 178–193. https://doi.org/10.28925/2663-4023.2025.29.875
License
Copyright (c) 2025 Валерія Балацька, Андрій Івануса, Уляна Пановик

This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.