The basis of Russia's economic security is the effectiveness of financial management of oil refining enterprises in the context of global digitalization and the transition of enterprises to a new technological order. Moreover, the current high level of automation of business processes at oil refining enterprises leads them to adopt development strategies that take into account the risks arising from information security compliance. Discussions of how oil refineries apply in practice the Federal Law dated July 27, 2006 No. 149 Federal Law "On information, information technology, and information protection", issued to replace the Federal Law of February 20, 1995 No. 24 Federal Law "On Information, Informatization, and Information Protection", are held with the support and participation of the Federal Security Service of the Russian Federation, the Ministry of Internal Affairs of the Russian Federation, the Ministry of Defense of Russia, the Federal Service for Technical and Export Control of Russia, the Federal Security Service of Russia, the Ministry for Civil Defense, Emergencies and Elimination of Consequences of Natural Disasters of the Russian Federation (Emergency Situations), the Ministry of Digital Development of the Russian Federation, Roskomnadzor (Federal Service for Supervision in the Area of Communications), the Ministry of Economic Development of the Russian Federation, the Ministry of Energy of the Russian Federation, the Ministry of Transport of the Russian Federation, the Ministry of Finance of the Russian Federation, the Central Bank of the Russian Federation, and many of the remaining federal ministries and departments of the Russian Federation. Such discussion is posed as a particularly important task of the "digital" economy of Russia in terms of the importance of identifying, accounting for, and reducing threats from information security risks.
The main purpose of this article is to develop a methodology for assessing the information security risks of enterprises in the oil refining industry, taking into account the delineation of areas of responsibility of the enterprise's security and information technology services in the event of threats to information security. The calculation of information security risks, taking into account the transition of oil refineries to the conditions of the "digital" economy, is justified using the example of the standards of the general process "Risk Management" and the following regulatory documents: ISO 20000 series; ISO 27000 series; ISO 22000 series; Interstate Standard R 53647 series; ISO 31000 series. The proposed methodology for assessing information security risks of oil refining enterprises was implemented using the example of ISO 31000; the choice of indicators of direct and indirect types of threats in assessing the risk category was determined according to the Interstate Standard R ISO/IEC 13335-3-2007 on security methods and means. A set of methods was applied to the internal process of oil refineries, to risk assessment and, as a result, to damage prevention; a mathematical apparatus was used for statistical data processing. A redistributed map of business processes of a refinery was obtained, which makes it possible to assess possible threats, identify channels of information leakage, and take prompt measures to counter information security risks at enterprises of the oil refining industry as a way to improve the efficiency of an enterprise in a digital economy in the area of economic security of PJSC "GAZPROM".