12:54 28.07.2020


Cancellation of Complex System for Information Protection - Breakthrough or Pyrrhic Victory?


Artem Kokhanevich, CEO GigaCloud


As often happens in Ukraine, another important law was quietly carried past the market. On July 1, the president signed a document that, in effect, abolishes mandatory CSIP compliance for government agencies. Or rather, it suggests using the ISMS standards adopted in Europe instead of the "outdated" national data security standard.

We were taught that "international" is usually better than "domestic". But this is not always true.

Ukraine has its own cybersecurity standard: the certificate of compliance with the Complex System for Information Protection. Its main advantage is simply that it exists. Some of its requirements are indeed outdated, but on the whole the need to comply with this standard forces companies to build full-fledged security systems.

In turn, instead of CSIP we are offered (allegedly: there is no explicit indication in the new law!) ISO/IEC 27001, one of the best-known standards in the area of information security management systems. In fact, it is a set of policies and procedures according to which a company protects its data assets from deliberate or accidental misuse, loss or damage.

The ISO approach to standardization is based on the principle that no system can always be in perfect condition. Therefore, where the CSIP has clear working patterns, ISO contains only recommendations. To obtain ISO/IEC 27001 certification, it is not necessary to comply with all the requirements of the standard even at the time of certification itself; it is enough to undertake an obligation to complete everything necessary within a year.

To clarify the difference: CSIP is a set of organizational, engineering and technical measures aimed at protecting data from disclosure, leakage and unauthorized access. ISO/IEC 27001 is a certificate that an enterprise's business processes comply with a specific standard. The first is about systems, the second is about people. They complement each other but cannot replace each other.

Why kill an ugly duckling if it is a potential swan?

In the explanatory note to the document, the authors state directly that its purpose is to give the market the opportunity not to use the CSIP. Either they are not well versed in the issue, or they are fulfilling someone's task to "bury" the CSIP, misleading those who understand even less.

In fact, the "problem" with the CSIP is that the certificate is not easy to obtain. It imposes a number of requirements, including placing physical infrastructure on the territory of Ukraine, which is not always convenient for some players in the IT market. The owners of information systems are interested in canceling this certification because it requires considerable work. And since data security is still done not for your own sake but to tick a box, the easier it is for them, the better. But they forget (or do not yet know) that an ISMS conforming to ISO/IEC 27001 must regularly pass through documented improvement stages, annual statutory audits and periodic recertifications, monitor incidents, and make changes to processes and documents. Therefore, it is unlikely that significant time and money can be "saved": if you approach the task correctly, you will need even more resources to keep the system in working order.

Perhaps, instead of creating workarounds, it would be worthwhile to modify and update the existing standard, train specialists and create a fully functional certification? And to allow only companies able to build a full-fledged security system to work with critical information and infrastructure?

Maybe. But is there anything to discuss if the law, as adopted, was badly drafted from the start? The remarks by the Main Legal Department and the Rada Committees note the lack of clear wording, inconsistency with the text of related laws, and definitions that are absent from Ukrainian legislation...

"... One of such conditions (paragraph two of this part) is the confirmation of compliance of the information security management system based on the results of the procedure for assessing compliance with the national standards of Ukraine regarding the information security management system. At the same time, the concept of 'information security management system' is not defined by law, which will make it impossible to correctly apply, in legal terms, the provisions of the Law regarding information processing in the 'system' without the use of a comprehensive data protection system..." (conclusion of the Main Legal Department of the Verkhovna Rada of Ukraine)

I have already said that Ukraine needs a deep reform of the state IT industry. In the most innovative branch of our economy there are still no unified work standards, and no understanding that you have to run just to stay in place. Ukrainian government agencies resist innovation in every way they can, looking for the simplest possible ways to solve their problems, and the IT sector is no exception.

We do not need to be led by lobbyists and abolish national standards. Yes, the elimination of CSIP and its strict cybersecurity requirements is convenient, for example, for international cloud operators, since they have no infrastructure in Ukraine. However, the supporters of such an approach forget that in the USA, too, there is a huge set of requirements for companies working with the public sector. Even for a player as big as Amazon, only a few sites meet these requirements. And certification for the right to provide cloud services to the US public sector is much stricter than the Ukrainian CSIP.