Technical protection of information

Development and implementation of integrated information protection systems (IPS) in information and telecommunication systems (ITS) of classes "1", "2", and "3".

This area of activity of the SE "INFOTECH" is intended for public and private enterprises that need to process information with restricted access.

The grounds for determining the need to create an IPSS are the norms and requirements of the current legislation (the Law of Ukraine "On Information Protection in Information and Telecommunication Systems"), according to which state information resources or restricted information, the requirement for protection of which is established by law, must be processed in the system using a comprehensive information security system with confirmed compliance.

The process of creating CISS in ITS consists of the following stages:

• formation of general requirements for CISS(Comprehensive information security system) in ITS;
• development of information security policy in ITS
• development and approval by the State Special Communications Service of Ukraine of the Terms of Reference for CISS in ITS;
• development of the CISS project;
• development of operational documentation for the Comprehensive Information Protection System (CISS);
• development of organizational and administrative documentation for the Comprehensive Information Protection System (CISS).
• putting CISS into operation and assessing information security.

As part of the stage "putting CISS into operation and assessing information security", preliminary tests and trial operations are carried out, which allows the customer to train personnel involved in the use of ITS in the future.

Based on the results of the development and implementation of the CISS in the ITS, the customer receives a ready-made package of documentation for the CISS in the ITS, which is transferred to an independent expert organizer (following ND TZI 2.6-001-2011, expert organizers and experts must be independent in their activities and not responsible for the creation), recommendations for further use and transfer of the ITS to commercial operation after the state examination is completed.

During the state examination, INFOTECH, as a developer, cooperates fruitfully with the organizer of the examination.

Development and implementation of the CISS web page.

Placing up-to-date and reliable state information resources on the official website of the organization/institution promotes the development of public document circulation and simplifies the work with citizens' appeals to state institutions.

Following the Law of Ukraine on Access to Public Information, the information generated for publication on a website must be accessible, reliable, and protected from unauthorized modification.

Based on this, within the framework of the information and telecommunication system that ensures the operation of the website, the website owner must ensure the following security policy requirements:

• protection of information in the process of its publication on the website from unauthorized access and modification (access should be limited exclusively to administrators)
• protection of technical data of the website functioning and credentials of the website staff from unauthorized access, modification, and destruction;
• to ensure the resilience of the software and hardware complex of the website to equipment failures, redundancy of critical components of the website, and the possibility of modernization and technological maintenance without interruption of its operation;
• introduce continuous audits of information security events.

To ensure the website security policy is following the requirements of the current legislation of Ukraine and to eliminate or minimize the damage that may be caused by unauthorized access, a comprehensive website information security system should be created. The stages of the creation of the CISS of a web page are similar to the stages of the creation of the CISS of ITS.

The team of the State Enterprise "INFOTECH" combines IT developers and experienced specialists in the field of technical information security, so it provides this service at the most professional level.

Assessment of information security in ITS by conducting a state examination in the field of technical information protection (TIP).

The state examination in the field of technical information protection is carried out with the aim of research, verification, analysis, and assessment of information security in ITS, as well as confirmation of compliance of the created CISS in ITS with the requirements of regulatory documents on technical information protection.

This area of activity is relevant for organizations and institutions that process information, the protection of which is provided for by applicable laws and regulations.

The state examination consists of the following stages:

• preliminary familiarization, examination, and analysis of the documentation on CISS in ITS;
• development and approval by the Administration of the State Special Communications Service of Ukraine of the Program and Methodology for conducting expert tests, which defines the stages and methods of assessing CISS in ITS;
• development of the Protocol of expert tests, which documents the results of the inspection following the clauses of the Program and the methodology of expert tests;
• submission of the Expert Opinion on the system to the Administration of the State Special Communications Service of Ukraine for consideration and approval.
• preparation of an Expert Opinion, which contains conclusions on each point of the methodology, as well as the special opinions of the Experts recorded in the work execution protocol;
• submission of the expertise documents for consideration and registration to the Administration of the State Special Communication Service.

Following the results of the state expertise, the State Enterprise "INFOTECH" transfers to the Customer (owner of the system) a Certificate of Compliance of the Cryptographic Information Protection System in the Information and Communication System with the requirements of normative documents on technical protection of information (with annexes), registered by the Administration of the State Special Communication Service.

Experts of the State Enterprise "INFOTECH" continuously improve their knowledge and skills, monitor the latest changes in legislation, and cooperate productively with software developers, which is the key to quality expertise execution.

Consulting and methodological services

Consulting in the field of information protection is related to the support of the organization's work processes, during which it is necessary to modernize the existing system or introduce modern means and methods of information protection. This includes conducting training sessions with the personnel involved in the operation of information security tools.

The rapid development of INFOTECH in the field of IT and the high standards set by our government customers allow us to qualitatively analyze the current state of the means and methods of protecting information resources of any type of organization and provide practical advice on improving, optimizing and further developing the overall information security system.

Carrying out work on the examination of TIP means

As noted in ND TZI 1.1-002-99, the problem of protection against unauthorized access to information resources processed in ITS is divided into two areas:

• ensuring the security of information in existing or created ITS;
• the creation of technical means of protection of information against unauthorized access or tamper-proof components of a computer system outside a specific operating environment.

The state examination of technical information protection means is carried out to assess the compliance of the functional security services (FSS) implemented in it and the level of guarantees of the correctness of their implementation with the requirements of applicable regulations.

In this case, the state examination includes the following stages of expert work:

1. assessment of FSS(functional security service):

   • preliminary analysis of the evaluated product;
   • development of the FSS test program;
   • development of the FSS test methodology;
   • conducting tests of the means of implementing the FSS;
   • analysis, documentation, and approval of FSS test results.

2. to assess the level of guarantees of the correctness of FSS implementation:

   • familiarization with the assessed product, collection and analysis of materials (documents) characterizing the organization of the process of development, production, and supply of the assessed product;
   • development of a program for verifying compliance with the requirements for the level of guarantees;
   • development of a methodology for verifying compliance with the requirements for the level of guarantees;
   • assessing the level of guarantees following the developed program and methodology;
   • analyzing and documenting the results of the assessment of the level of guarantees;
   • assessing (if necessary) the compliance of the IE with the requirements of current regulatory documents on ensuring the protection of information in ITS of a certain type or other requirements imposed on it;
   • documenting and approving the results of the examination.