URAN's network infrastructure meets the requirements of the state in terms of security - confirmed by certificates

Published: 15 May 2024

Text – Tetiana Preobrazhenska, URAN

Illustrative image from Pexels (by Brett Sayles)

URAN Association has passed the certification of compliance of its integrated information security systems (IISS) with the requirements of regulatory documents on information security. Both the data centre and the secure Internet access node received the certificate. Both URAN’s IISSs meet the security level required by the State Service of Special Communications and Information Protection of Ukraine.

What is an IISS and why is it needed

Ukrainian legislation obliges to protect information belonging to the state, as well as certain restricted information, including citizens’ personal data. To process such information, it is necessary to use IISS with confirmed compliance. Compliance is confirmed by a state examination.

IISS – integrated information security system – is a set of engineering, technical and organisational measures aimed at protecting information from disclosure, leakage and unauthorised access.

Not every digital service provider has such a protection system, as the process of building and state examination of an IISS is complex and time-consuming.

Why it is important for URAN users

Having IISS certificates means that, with the state’s approval, URAN can provide Internet access and build virtual infrastructure for government organisations (including universities and research institutions) and for projects with special information security requirements.

URAN users can be sure that their critical information, whether confidential, secret or proprietary, is securely protected. It will not fall into the hands of intruders, it will not be altered or used outside the rules of the security policy, and information will not be lost due to equipment malfunctions.

In addition, URAN’s IISS certificates guarantee user institutions that the level of protection of their IT infrastructure does not violate state requirements. This is important for those who are responsible for the institution’s compliance with legal requirements: for example, rectors and IT centre managers.

“According to the decision of the Ministry of Education and Science of Ukraine, URAN Association has the status of a national research and education network” Yevhenii Preobrazhenskyi, executive director of the URAN Association, explains. “We provide virtual infrastructure and Internet access to state universities and research institutions, so we must ensure proper protection of their information.”

We decided to build IISS to, on the one hand, meet the requirements of the state, and, on the other hand, provide users with a guarantee of security and reliability of our services.

How URAN Association created the IISS

To obtain IISS certificates, the URAN Association passed several complex checks and took measures to ensure data protection at various levels.

URAN was building IISS for two sites simultaneously: the data centre and the secure Internet access node (SIAN). The data centre hosts servers with a virtual user environment: it stores the universities’ distance learning systems, their websites and other data. Through the SIAN, URAN network users connect to the Internet.

The construction and certification of the IISS took about 9 months.

This is a multi-stage process. After analysing the current state of information security, experts develop a technical task that is agreed with the State Service of Special Communications and Information Protection of Ukraine. Next, they determine a detailed list of the necessary equipment, software, and scope of work, describe the technical solution in a working draft, purchase equipment and software, and start implementing the IISS. After the system is built, it is tested for a certain time, and only then does it undergo a state examination and (if successful) receive a certificate of compliance.

“This is a complex procedure that affects all areas of the company’s work,” Yevhenii Preobrazhenskyi says. “It involves access to premises, software configuration, interaction between technical service specialists, and the introduction of additional documentation on security incidents.”

The result is worth it, as it guarantees our users reliable information protection.