information and within is the question of an owner of that system. If it is a bank or a
private company, that is its own decision as to what methods and what requirements are
needed for integrity, accessibility and confidentiality. This should be achieved in that
system protection. It is not technical, just a hard question. You gather the experts,
arrange a fee and ask them to create a technical project on how should they protect your
information and your requirements. This is just the approach and the government issues
the requirements, the rules of what that complex system should consist of and what the
criteria should be. It is close to the common criteria approach. Our Turkish colleagues
came close to this, but our approach is that each owner of the information system should
know that he has to protect, otherwise we do not care about his information but as a
government organization, we have to remind him to think about it. That is our approach.
It is not exactly like an art. I totally agree with General Vellone that there is no totally
equal protection system in the world, because there are different owners. A State or a
private company has its own requirements and its own vision of the type of equipment.
Say I have no money and I would like to build my own protection system without
any technical means. For example, I would just put one armed guard near the computer
and no-one would have unauthorized access to this computer. That is very simple, but
perhaps a bank could spend a lot of money just to get from another company the non-
authorized access protection system with, for instance, smart cards. We have just the
uniform approach. The uniform system is a hierarchical structure for the protection of
State information resources and we would love if some universities in Ukraine or some
private companies would take care of the CERTs, the commercial CERTs, for example.
And we should have a known hierarchical basis for our structure. We are trying to work
with our colleagues in the Presidential Administration and in private companies to
negotiate how we can make a popular basis. We are trying to work together to
summarise our efforts in one direction.
Valente: I have a follow-up question which is this: the framework, the institutions that
you have created and all the methodology and all the policies that you have created, are
they designed to guard against external attacks? Is Ukraine using the same infrastructure,
the same organizations and the same methodology to prevent non-internal but illegal
activities coming from the Ukraine towards other infrastructures?
Kolobov: Exactly, it is very important for us as far as we have our statistics showing
40% to 80% of illegal activity in our networks inside Ukraine from our students. They
are all smart and clever guys, just trying to see what will happen if they use some
downloaded programme from the Internet or to sneak to the traffic and catch some
passwords, etc. We are trying to gather them together and explain what we would like
them to do first. We are really worried about internal attacks from local nets in
organizations because our employees do not receive high salaries and if, for example,
somebody from outside can get one of these employees a little money, maybe he will
try to gather information from the local network. And our experience tells us that we
have to create a complex system of protection that would be efficient not just against
external attacks, but internal also and that is why one of the most important things for us
is that we have to note every event which our system deals with inside and that is why we
are trying to neutralize not only external, but also internal attacks.