Steps for data protection are taken at the governance level: on December 20, 2006, the president of Ukraine, Victor Yushchenko, signed a law entitled "On Ratification of Agreement between Ukraine and the European Union on the Security Procedures for the Exchange of classified information". The law entered into force in February 2007 (Law No. N499-V, source: "The Governmental Courier", No. 3, January 10, 2007). This document defines the responsibilities of the parties regarding safety when exchanging information. Each party is obliged to protect classified information (information with limited access) that was provided by the other party or received through any kind of exchange, and each party must not disclose classified information to any other party without the prior agreement of the party that provided it.
Also, according to the law, classified information can be disclosed or passed to another party according to the principle of control by the information owner.
Joint oversight of the execution of the agreement is performed by the Minister of the Interior of Ukraine and the Secretaries-General of the European Union and the European Commission. Responsibility for enhancements to the agreement regarding data security and protection lies, on the side of Ukraine, with the Security Service of Ukraine and, on the side of the European Union, with the Security Management Department of the Secretary General of the Council of European Union and the Safety Department of the Commission of the European Communities.
To protect data, it is vital not only to use security systems (firewalls, UTMs and many more), but also to avoid "bugs in a human hardware", that is, to take action against social engineering. Ainstainer Group Co Ltd has the following corporate rules to protect intellectual property (these rules were created based on other companies' experience and on the book by Kevin Mitnick, "The Art of Deception: Controlling the Human Element of Security"):
1. First, all information is classified based on the confidentiality level.
2. Each employee is informed of the possibility of intrusion and is aware that they may be manipulated by someone intending to obtain particular information. Employees know what data is being protected and exactly how to protect it.
3. Co-workers know the reason for, and the necessity of, each particular data protection action.
4. Every person who has access to important information constantly watches for possible ways of attack and educates subordinates to be aware of these possibilities.
5. There are obligatory rules for password creation: passwords must be strong enough; different passwords should be used; passwords should not be given out to any party under any circumstances.
6. When approached with a request to provide any information, every staff member is obliged to check the authority of the person making the request and make sure that this person is authorized to receive such information (this can also be proven by the ability of that person to answer particular questions concerning the details of the request).
7. Employees must immediately report every suspicious situation to senior management, especially regarding the following points:
System crash or system failure;
Being offered all kinds of free software;
Attempts to receive passwords or any other confidential information;
Approaches from persons who pose as a partner's subsidiary employees or senior managers.
Staff members are aware of the signs of social engineers:
Refusal to name the internal code;
Threats of negative consequences;
Avoidance of precise answers;
Efforts to set up a personal contact.
Ukraine is taking steps to guarantee data security. While multinational clients benefit from the skills and experience of Ukrainian IT experts, they may rest assured that the shared data will be protected, not only by the newest information security systems, but also by techniques that prevent social engineering.
Ainstainer Group Co Ltd.