logo-image
Deregulative changes in information security in Ukraine
Автор: Юрій Котляров, Сергій Циба
Джерело: Lexology, 12 червня 2020 р.

Repeated cyber intrusions into Ukrainian information and industrial systems demonstrate the need for changes in its information security legal and regulatory framework.

On 4 June 2020 Ukrainian Parliament adopted the amendments to the Law “On the Protection of Information in Information and Telecommunication Systems”.

Though amendments are only two pages long, they can be viewed as a big step forward.  

What is all about?

The current law mandates that all “state information resources” and “information access to which is restricted by law” to be processed in a system, where, a so-called, “comprehensive system of information protection” (CSIP) is implemented.   

CSIP is defined as a set of organizational and technical information security measures, the completeness of which is to be attested by the state regulator. In other words, CSIP is information security management system, which must be validated through state examination. If examination is successful, the CSIP will receive an attestation document. This document authorizes the information system to process, store and transmit certain classes of information.    

In general, CSIP is a useful information security management system. It addresses a range of risk and measures that are applicable across many environments. Due to its rigorous verification and validation process many Ukrainian security experts, primarily in public sector, view CSIP as all but exclusive mean of assuring that IT system is adequately safe.

However, there are another part of security community in Ukraine, mainly from the private sector, who sees CSIP and its legal and regulatory framework as outdated, rigid and cost-ineffective. Their arguments are as follows.

First, the current CSIP legal and regulatory framework has inherited the legacy of the Soviet era, when almost all information was categorized as state information, and much of it was classified as state secret. In particular, it provides broad, arbitrary and legally uncertain definition of categories of information that must be protected by CSIP. It is both inadequate to achieve real purpose and far-fetched in its scope. Thus, CSIP regulation is no longer able to maintain a fit between its outdated goal and function and ever evolving goal and function of modern security.  

Second, CSIP is governed by rigid regulatory framework, and its lifecycle is tightly controlled by the state. Thus, many security experts view CSIP as giving false sense of security. In addition, many experts view the CSIP as a static security posture fixed at the moment of state attestation without its genuine evolution over time reacting to ever changing threat landscape. This is at odds with genuine risk management. Combined with the sense of unfitness to the purpose and current weak enforcement mechanism, CSIP regulation encourages, at best, “box ticking” compliance culture or, at worst, non-compliance at all.          

Third, because of its rigid and formalized regulatory framework CSIP is not cost-effective. Information security should justify its costs. The less justification, the less security and compliance. The genuine risk-based management is based on the trade-offs between the costs of applying information system controls and benefits of using secured system. As the current CSIP regulatory framework does not embody the genuine risk-based management approach, the CSIP is viewed as not cost justifiable. Thus, again, CSIP regulation is no longer viewed as fit to achieve its purpose.

The amendments to Law “On the Protection of Information in Information and Telecommunication Systems” provides a sort of compromise to those extreme views. The main changes relate to the descoping of certain classes of sensitive information from the CSIP regulation.

In particular, CSIP is now mandatory only for information systems that process, store or transmit:

  1. state secret;
  2. official information and
  3. information of state registers or unified registers creation of which prescribed by law.  

All other “state information resources” and “information access to which is restricted by law” can be processed, stored and transmitted in IT systems without CSIP. However, such IT systems must meet the following conditions:

  1. information security management system (ISMS) must be created;
  2. the conformity of such ISMS to the Ukrainian standards in information security must be certified by an assessment body either accredited by the National Accreditation Agency of Ukraine or by a national accreditation agency of other country, if the National Accreditation Agency of Ukraine and such national accreditation agency of foreign country are members of international or regional organization and/or concluded with such organization agreement on mutual recognition of conformity assessment outcomes;
  3. cryptographic means used as controls in such ISMS must have a positive expert opinion in the result of state expertise;
  4. none of the elements of ISMS must be located on the territory of Ukraine that is not under control of Ukrainian government or on the territory of countries declared by Ukrainian Parliament as aggressors or which are under sanctions pursuant to Ukrainian law, or countries which are members of custom unions with the foregoing countries;
  5. specific requirements with respect to the above information set out by the government of Ukraine must be met.         

However the above law amendments may look like, they definitely improve the current CSIP legal and regulatory framework. In particular, they recognize that “state information resources” have different values and therefore may need different level of protection. Instead of rigid and highly controlled CSIP, the law amendments introduce ISMS which may be more flexible, fit for purpose and cost effective. Overall, the law amendments can be viewed as act of deregulation.

What are their possible implications for Ukrainian and foreign companies?            

First, if such companies provide IT-related services for public sector they may not need further to comply with CSIP requirements because their IT systems, as a rule, do not process, store or transmit state secret or official information or operate state registers. Instead, such companies may create more appropriate and cost-effective ISMS.

Second, if all of the above qualifying conditions are met, cloud services providers with data centers located outside Ukraine, e.g., Microsoft, Google and Amazon, may use their current information security certificates as confirmation for compliance with Ukrainian law.  

In summary, the law amendments is a big step towards the improvement and harmonization of the Ukrainian information security legislation and regulation with the worldwide best practices.

There are many other similar legislative initiatives in Ukraine and we expect the radical change of information security legal landscape soon.