On the Protection of Information Stored in Information and Telecommunication Systems

June 12, 2005

LAW OF UKRAINE



On the Protection of Information Stored in Information and Telecommunication Systems


(Vidomosti Verkhovnoyi Rady Ukrayiny (VVR) (The Official Gazette of the Verkhovna Rada of Ukraine), 1994, No. 31, p. 286)


{As amended by the Law # 1180-VI (1180-17) adopted on 03/19/2009, VVR, 2009, No. 32-33, p. 485}


This Law shall regulate the protection of information stored in information, telecommunication, and information/telecommunication systems (hereinafter—system(s)).


Article 1. Terms and Definitions

For the purposes of this Law, the terms used herein shall have the following meanings:


blocking of information stored in a system shall be understood as actions preventing access to information stored in a system;

information leakage shall be understood as information becoming disclosed or accessible to unauthorized natural persons and/or legal entities;

information owner shall be understood as a natural person or a legal entity holding ownership to information;

system owner shall be understood as a natural person or a legal entity holding ownership to a system;

access to information stored in a system shall be understood as enabling a user to process information stored in a system;

protection of information stored in a system shall be understood as measures to prevent unauthorized information operations;

destruction of information stored in a system shall be understood as actions resulting in the removal of information from a system;

information (automated) system shall be understood as an administrative/technical system for hardware and software processing of information;

information/telecommunication system shall be understood as a complex of information and telecommunication systems functioning as a unit used to process information;

integrated information protection system shall be understood as an integrated complex of administrative and engineering measures, techniques, and methods to protect information;

user of information stored in a system (hereinafter—user) shall be understood as a natural person or a legal entity authorized, in accordance with the legally established procedure, to access information stored in a system;


cryptographic protection of information shall be understood as a variation of information protection by means of conversion of information using special (key) data to encrypt/decrypt information as well as verify its authenticity, integrity, authorship, etc.;

unauthorized processing of information stored in a system shall be understood as operations in violation of information access procedures established by law;

processing of information stored in a system shall be understood as performing one or more operations such as: collecting, entering, saving, modifying, reading, storing, deleting, registering, receiving, obtaining, and transmitting information stored in a system using hardware and software;

breach of integrity of information stored in a system shall be understood as unauthorized modification of information stored in a system;

procedure for access to information stored in a system shall be understood as conditions for enabling a user to process information stored in a system and rules of processing that information;

telecommunication system shall be understood as a complex of hardware and software used for information distribution by means of transmitting, emitting, or receiving it in the form of signals, symbols, sounds, moving or still images, etc.;

technical protection of information shall be understood as a variation of information protection using engineering measures and/or software and hardware aimed to prevent information leakage, destruction, and blocking, as well as breach of integrity of, and unauthorized access to information.


Article 2. Assets Subject to Protection in a System

Assets subject to protection in a system shall include information processed in that system and the software used to process that information.


Article 3. Parties to the Process of Protection

The parties to the process of protection of information stored in systems shall include the following:

information owners;

system owners;

users;

a specially authorized central executive agency for special communication management and information protection as well as its regional offices. {Article 3.1.5 of the Law # 879-VI (879-17) as amended on 01/15/2009}

An information owner may, either under a contract or as per order, delegate the right to process information to another natural person or legal entity, i.e. information manager.

A system owner may, either under a contract or as per order, delegate the right to manage a system to another natural person or legal entity, i.e. system manager.


Article 4. Access to Information Stored in a System

The procedure for access to information, the list of users and their powers in relation to that information shall be established by an information owner.

The procedure for access to government owned information or restricted information that is subject to protection under law, as well as the list of users and their powers in relation to that information shall be established by law.

In cases stipulated by law, information stored in a system may be accessed without authorization in accordance with the legally established procedure.


Article 5. Relations between an Information Owner and a System Owner

A system owner shall take necessary measures to protect information stored in a system in accordance with the procedures established by, and under the terms of, a contract between a system owner and an information owner unless otherwise provided by law.

A system owner shall, at the request of an information owner, provide information about the security measures implemented to protect information stored in a system.


Article 6. Relations between a System Owner and a User

A system owner shall inform a user about a system’s operating schedule and regulations and provide access to information stored in a system according to the established access procedure.


Article 7. Relations between System Owners

An owner of a system in which information from another system is processed shall take necessary measures to protect such information in accordance with the procedures established by, and under the terms of, a contract between system owners unless otherwise provided by law.

An owner of a system in which information from another system is processed shall report any known facts of unauthorized information operations to an owner of that system.


Article 8. Conditions for Processing of Information Stored in a System

Conditions for processing of information stored in a system shall be established by a system owner under the terms of a contract with an information owner unless otherwise provided by law.

Government owned information or restricted information stored in a system that is subject to protection under law shall be processed within a system using a verified compliant, integrated information protection system. A system’s compliance shall be verified by government experts in accordance with the legally established procedure.

An integrated system for the protection of government owned information or restricted information that is subject to protection under law shall use the means of information protection certified compliant or verified compliant by government technical and/or cryptographic protection experts. Verification of compliance and evaluation by government experts shall follow the legally established procedure.


Article 9. Ensuring Protection of Information Stored in a System

The responsibility for ensuring protection of information stored in a system shall lie with a system owner.

In the case of processing of government owned information or restricted information that is subject to protection under law, a system owner shall establish an information protection service or appoint persons responsible for managing and supervising information protection.

A system owner shall report every unauthorized attempt to access government owned information or restricted information stored in a system that is subject to protection under the law to a specially authorized central executive agency for special communications management and information protection or its regional office.

{Article 9, para. 3 as amended by the Law # 879-VI (879-17) adopted on 01/15/2009}


Article 10. Powers of Government Agencies for the Protection of Information Stored in Systems

The requirements (373-2006-п) to ensure the protection of government owned information or restricted information that is subject to protection under law shall be established by the Cabinet of Ministers of Ukraine.

{Article 10.2 repealed as amended by the Law # 879-VI (879-17) adopted on 01/15/2009}

A specially authorized central executive agency for special communication management shall:

{Article 10.3, para. 1 as amended by the Law # 879-VI (879-17) adopted on 01/15/2009}

develop proposals regarding the government information protection policy and, within its competence, facilitate its implementation;

establish requirements and procedures for setting up an integrated system for the protection of government owned information or restricted information that is subject to protection under law;

arrange the evaluation of integrated information protection systems and compliance verification of the means of technical and cryptographic protection of information by government experts;

supervise the protection of government owned information or restricted information that is subject to protection under law;

take measures to detect any threats to public information resources through unauthorized access to information, telecommunication, and information/telecommunication systems and provide recommendations to prevent those threats. {A paragraph added to Article 10.3 as amended by the Law # 1180-VI (1180-17) adopted on 03/19/2009}

Government agencies shall, within their competences and subject to approval by a respective specially authorized central executive agency for special communications management and information protection or its regional office, establish special procedures for the protection of government owned information or restricted information that is subject to protection under law.

{Article 10.4 as amended by the Law # 879-VI (879-17) adopted on 01/15/2009}

Special procedures for the protection of information stored in banking information systems shall be established by the National Bank of Ukraine.


Article 11. Liability for the Violation of Laws on the Protection of Information Stored in Systems

Persons who have violated the laws on the protection of information stored in systems shall be held liable under law.


Article 12. International Treaty

If an international treaty ratified by the Verkhovna Rada of Ukraine provides for rules other than stipulated by this Law, the provisions of an international treaty shall apply.


Article 13. Final Provisions

1. This Law shall enter into force on 1 January, 2006.

2. Until brought into compliance with this Law, other regulations shall apply to the extent not contrary to this Law.

3. The Cabinet of Ministers of Ukraine and the National Bank of Ukraine shall, within the six months following the effective date of this Law and within the scope of their powers:

bring their regulations in compliance with this Law;

ensure that all ministries and other central executive agencies bring their regulations in compliance with this Law.


President of Ukraine Leonid KUCHMA

Kyiv, 5 July 1994

#80/94-VR