THE ORGANIZATIONAL PRINCIPLES OF INFORMATION PROTECTION MANAGEMENT SYSTEM REALIZATION

In the modern world, information protection is a driving force at the state level. Therefore, it is necessary to effectively form the system of control of information protection following international standards. The objective of the paper is an explanation of the importance of aligning of the existing regulatory framework with the requirements of the international ISO/IEC standards for the development of information security policy and risk assessment in information protection. In the paper, there are discussed protection (information technology and management of the use of information security management system), and security (for information technology, security techniques, requirements for audit and certification bodies, information protection). The management of information flows between users, processes, and objects' needs to be carried out only by specially authorized users (administrators). The article clarifies that the existing regulatory framework should be substantially changed because it does not specify requirements for the development of information security policies and information protection (IP) risk assessment. Four basic security criteria are presented: accessibility, integrity, confidentiality, and observation. In conclusions, there is proposed adoption of ISO/IES standards series 27000 to get an opportunity to legally participate in the state or private certification of technical systems for information protection (TZI) or develop their own qualitatively new security standards and policies.