Document from CIS Legislation database © 2003-2021 SojuzPravoInform LLC

RESOLUTION OF THE CABINET OF MINISTERS OF UKRAINE

of November 7, 2018 No. 992

On approval of the requirements in the field of electronic confidential services and of the Procedure for verifying compliance with the requirements of the legislation in the field of electronic confidential services

(as amended by the Resolution of the Cabinet of Ministers of Ukraine of 11.12.2019 No. 1068)

According to Articles 13, 18 - 21, 23, 26 - 28, 33 of the Law of Ukraine "About electronic confidential services", the Cabinet of Ministers of Ukraine decides:

1. Approve the following, which are attached:

requirements in the field of electronic confidential services;

Procedure for verifying compliance with the requirements of the legislation in the field of electronic confidential services.

2. Determine that, for the provision of qualified electronic confidential services, well-tried means of electronic digital signature which received positive expert opinions following state examination in the field of cryptographic information protection, issued before the entry into force of the Law of Ukraine "About electronic confidential services", may be used until the effective period of the expert opinions ends.

3. Recognize as invalid the resolutions of the Cabinet of Ministers of Ukraine according to the attached list.

4. This resolution becomes effective from the date of its publication, except Items 68 - 72 of the list of standards applied by qualified suppliers of electronic confidential services during provision of qualified electronic confidential services, which is attached to the requirements in the field of electronic confidential services approved by this resolution. The specified Items become effective on January 1, 2019.

Prime Minister of Ukraine

V. Groysman

Approved by the Resolution of the Cabinet of Ministers of Ukraine of November 7, 2018 No. 992

Requirements in the field of electronic confidential services

General provisions

1. These requirements determine the organizational and methodological, technical and technological conditions to which the qualified supplier of electronic confidential services (further - the supplier) and its separate registration points shall adhere when providing qualified electronic confidential services to their users.

2. The central certifying body provides qualified electronic confidential services according to these requirements, taking into account the features provided by the Law of Ukraine "About electronic confidential services".

3. These requirements do not apply to the provision of qualified electronic confidential services in the banking system of Ukraine or during money transfers.

4. In these requirements, terms are used in the following meaning:

the owner of the website - the user of the qualified electronic confidential service of forming, verifying and confirming the validity of the qualified certificate of website authentication;

hash value - electronic data of fixed size created by converting electronic data with the use of a cryptographic algorithm;

hashing - conversion of electronic data of any size to electronic data of fixed size by applying a cryptographic algorithm;

the applicant - a natural person or a representative of a legal entity who applied to the supplier to receive qualified electronic confidential services;

information and telecommunication system - the set of information and telecommunication systems of the supplier or the central certifying body which operate as a single whole in processing information and which combine the software and hardware complex used during provision of qualified electronic confidential services (further - software and hardware complex), the physical environment, the information processed in the specified systems, and also the hired employees of the supplier or the central certifying body who are directly involved in providing qualified electronic confidential services or in servicing the software and hardware complex (further - hired employees);

qualified electronic confidential service - an electronic confidential service which is provided by the supplier or the central certifying body, including by means of the qualified digital signature or seal, and which is based on the qualified certificate of public key;

the user - the person who, on the basis of an agreement or other document, receives a qualified electronic confidential service from the supplier;

the object identifier - the unique alphanumeric or numerical identifier registered in the corresponding standard of the International Organization for Standardization for specific objects or for a certain class of objects;

online transaction - any action whose technological scheme requires a continuous telecommunication connection in real time while it is carried out;

certificate policy - the list of all rules applied by the contractor in the course of providing qualified electronic confidential services for servicing qualified certificates of public keys, including the provisions of these requirements;

certification practice provisions - the list of all practical actions and procedures applied to implement the certificate policy of the supplier;

the publication of the qualified certificate of public key - provision of the qualified certificate of public key to the user and, with the user's consent, to other persons by placing it on the official website of the supplier;

regulations of work - the document of the supplier or the central certifying body which determines the organizational and methodological, technical and technological conditions of the activities of the supplier or the central certifying body during provision of qualified electronic confidential services, including the certificate policy and the certification practice provisions;

distribution of information on the status of the qualified certificate of public key - provision of open access to information on the status of the qualified certificate of public key;

the certificate revocation list - the list, created and published by the supplier, of qualified certificates of public keys whose status has been changed to blocked, recovered or cancelled;

the status of the qualified certificate of public key - the condition of the qualified certificate of public key (valid, blocked, cancelled) at a certain point in time;

management of the status of the certificate - change of the status of the qualified certificate of public key by the supplier.

5. Other terms are used in the meaning given in the Laws of Ukraine "About electronic confidential services", "About electronic documents and electronic document management", "About telecommunications", "About information protection in information and telecommunication systems", "About the basic principles of ensuring cyber security of Ukraine".

Requirements to suppliers

6. Hired employees of the supplier whose job responsibilities are directly connected with provision of qualified electronic confidential services are:

1) administrator of registration;

2) administrator of certification;

3) security and audit administrator;

4) system administrator.

Combining the job responsibilities of the security and audit administrator with other job responsibilities directly connected with the provision of qualified electronic confidential services is forbidden.

7. Hired employees of the supplier shall have the knowledge, experience and qualification necessary for provision of qualified electronic confidential services.

A person who has higher education in a specialty in the field of information technologies, information protection or cyber security, and at least three years of work experience in the specialty in these fields, may be the administrator of certification, the security and audit administrator, or the system administrator.

8. The organizational and legal status of the head and hired employees of the supplier, their tasks and functions, rights and obligations, responsibility, and also professional knowledge, experience and qualification are determined in job descriptions.

Job descriptions shall contain information security requirements and the methods of ensuring it.

9. The head and hired employees of the supplier shall be acquainted with the provisions of their job descriptions and act according to their official tasks and functions.

10. The administrator of registration is responsible for verifying the documents submitted by applicants and their statements concerning forming, blocking, updating and cancelling of qualified certificates of public keys.

11. Fundamental obligations of the administrator of registration are:

1) identification and authentication of applicants;

2) verification of statements concerning forming, blocking, updating and cancelling of qualified certificates of public keys;

3) establishing that the public key and the personal key corresponding to it belong to the applicant;

4) accounting of users.

12. The administrator of certification is responsible for forming qualified certificates of public keys, maintaining the electronic register of valid, blocked and cancelled certificates of public keys, storing and using the personal keys of the supplier, and creating their backup copies.

13. Fundamental obligations of the administrator of certification are:

1) participation in generation of key pairs of the supplier and creation of backup copies of personal keys of the supplier;

2) storage of personal keys of the supplier and their backup copies;

3) ensuring use of personal keys of the supplier when forming and servicing qualified certificates of public keys of the supplier and users;

4) verification of statements for forming of qualified certificates of public keys of the supplier for compliance with the requirements of the regulations of work of the supplier;

5) participation in destruction of personal keys of the supplier;

6) ensuring the maintenance, archiving and recovery of databases of qualified certificates of public keys of users;

7) ensuring the publication of qualified certificates of public keys of users and certificate revocation lists on the official website of the supplier;

8) creation of backup copies of qualified certificates of public keys of users;

9) storing qualified certificates of public keys of users, their backup copies, certificate revocation lists and other important resources of the information and telecommunication system of the supplier.

14. The security and audit administrator is responsible for the proper functioning of the comprehensive information protection system or the information security management system.

15. Fundamental obligations of the security and audit administrator are:

1) participation in generation of key pairs of the supplier and creation of backup copies of personal keys of the supplier;

2) control of forming, servicing and creation of backup copies of qualified certificates of public keys of the supplier, users and certificate revocation lists;

3) control of storage of personal keys of the supplier and their backup copies, personal keys of administrators;

4) participation in destruction of personal keys of the supplier, control of the correct and timely destruction by administrators of their personal keys;

5) organizing the delimitation of access to resources of the information and telecommunication system of the supplier;

6) ensuring monitoring of the functioning of the comprehensive information protection system or the information security management system (registration of events in the information and telecommunication system of the supplier, monitoring of events and so forth);

7) ensuring the organization and carrying out of measures for upgrading, testing and prompt recovery of the functioning of the comprehensive information protection system or the information security management system after faults, failures and accidents of the information and telecommunication system of the supplier;

8) ensuring the access regime for the premises of the supplier where the information and telecommunication system of the supplier is located;
