The number of transactions, users, and connected devices is growing, and so is – the number of vulnerabilities. Information security, data protection, and privacy have become extremely hot topics, especially in the light of GDPR and the upcoming ePrivacy Regulation. GDPR fines can amount up to 20 million euros, and it is only logical businesses are reluctant to incur such losses. Gartner predicts that worldwide enterprise security spending will increase by 8 percent in 2018 reaching $96.3 billion. Whereas the global IT security spending is projected to amount to $57.72 billion worldwide.
Source: Statista
Companies that consider software development offshoring and look for an outsourcing vendor must be 100% sure all their information assets and the users’ confidential data are safe and sound. A lot of businesses choose to cooperate with Ukrainian developers due to the large pool of qualified talent in the country. However, they often have many questions concerning Ukraine’s safety as a software development outsourcing destination.
That’s why we’ve decided to take a closer look at the Ukrainian security legislation and talk with N-iX information security team to establish how safe Ukraine is for software development offshoring. Part One of our guide considers how data protection and information security are enforced in the country. Also, it explores how Ukrainian IT outsourcing vendors handle various aspects of security.
In Part Two, we dwell on the business climate in Ukraine, reforms, and investments in the Ukrainian economy to determine whether it safe to do business in the country. Primarily, the second part focuses on the IT industry and its development.
Legislation of Ukraine is being harmonized with the EU law
Ukraine is going through a wide spectrum of reforms right now, and the state is working in many directions to effectuate EU membership. Despite the post-soviet legacy, Ukraine has taken many steps to fight corruption and red tape. All these efforts have resulted in the stabilization of the economy, the inflow of investments, and improved legislation. The state is hitting its target for 3.5% GDP growth in 2018 and experiences a persistent decline in inflation. Ukraine’s IT exports grew by 20% year-on-year in 2017 to reach a new record of USD 3.6 billion. Thus Ukraine has proven itself as a reliable IT outsourcing destination.
Ukraine’s legislation on data protection and info security focuses mostly on cybersecurity in the state sector. Regarding data protection in the private sector, In June 2010, Ukrainian Parliament passed the Law “On Protection of Personal Data” which сame into effect in January 2011. In July 2013, Parliament passed amendments to the Data Protection Law and made it more up to date.
On 25 October 2017, Ukraine entered the EU–Ukraine Association Agreement and published a plan of measures for its effective implementation. The plan pays special attention to the harmonization of Ukrainian legislation with the EU law. According to Paragraph 11 of this plan, the Ukrainian Parliament Commissioner for Human Rights was required to revise legislation on the protection of personal data and bring it into compliance with GDPR.
Additionally, Ukraine’s President Petro Poroshenko has signed the bill on the key principles of ensuring cyber security in Ukraine. The law takes into consideration a number of proposals from NATO and the EU experts.
How Ukrainian IT companies ensure data protection and information security
Ukrainian laws are still undergoing changes to be in full accord with the EU legislation. As a result, established Ukrainian IT companies, their information security, and legal teams take lead on complying with international regulations, following best security practices, and meeting clients’ demands. For instance, here are some of the basic security procedures N-iX uses:
Office security
First of all, we ensure the physical security of our facilities, use CCTV cameras and advanced access key card systems to prevent unauthorized visitors from the office. N-iX infosec team carries out background verification checks on all candidates for employment and obliges employees to sign security commitments.
Security awareness training for employees
All employees of the organization receive appropriate awareness education and regular updates in organizational policies and procedures. The company ensures the security of teleworking and protects information that is accessed, processed or stored at teleworking sites.
Data protection
Our team protects data from loss, destruction, falsification, and unauthorized access according to legislative, regulatory, contractual and business requirements. N-iX ensures secure log-on procedures, password management, cryptographic keys management, network security, and information asset management. The employees’ access rights to information are removed when the cooperation is over.
Protection of intellectual property
We ensure the protection of intellectual property rights according to the legislative and contractual agreements. Our information security teams revise the security policies at planned intervals to guarantee they are suitable, adequate and effective. Also, we maintain appropriate contacts with relevant authorities, security forums, and interest groups to provide business continuity in case of an emergency or a disaster.
It is also worth mentioning that Ukrainian programmers are ranked first in the world in terms of security.
How to establish secure cooperation with an IT vendor
When a client has formulated their accurate requirements concerning info security and data protection, the company should verify if an outsourcing vendor follows the corresponding procedures and policies to meet the specific demands.
First, ask if the IT company undertakes recurrent internal audits of its compliance with the security controls and policies. Furthermore, the compliance must be verified by an accredited third party (e.g., once a year).
Second, an IT outsourcing vendor must provide an accurate information asset inventory and indicate what devices and networks they will use to store, access, and transfer the data. The company must also specify what administrative and technical controls they will apply to ensure the integrity, availability, and confidentiality of the information assets.
Third, there must be a contract clause that states what happens to the data when the agreement is terminated. A vendor should give a written confirmation that the data has been deleted or transferred back to its owner.
To ensure data protection and compliance with GDPR, the vendor can provide pseudonymization of the data. Pseudonymization is a de-identification procedure by which personal data is replaced by one or more artificial identifiers, or pseudonyms, and thus the IT vendor has no access to actual users’ personal data.
Also, the customer can require the IT vendor to work remotely with its data without porting it to servers in Ukraine.
Another important evidence that the IT outsourcing company follows all the security policies and procedures is obtaining the corresponding certificates and compliance with the international laws and regulations. For instance, if a company is granted with ISO 27001 it means it implements a wide range of administrative and physical controls to ensure confidentiality, integrity, and availability of information assets. Another standard, PCI DSS is required to process credit card data. Whereas, compliance with HIPAA law is required when working with medical data.
Also, it is crucial for an IT outsourcing vendor to have legal representatives in the EU or US offices.
Wrap-up
So is it safe to outsource to Ukraine, and do Ukrainian IT companies pay enough attention to data protection and privacy? Many companies that consider software development offshoring and cooperation with Ukrainian vendors, ask these questions. We can clearly see a lot of positive changes in Ukraine’s legislation as it is in the process of harmonization with the EU laws. What’s more, many reputable Ukrainian IT companies take lead in compliance with the international regulations, contractual agreements, and best security practices. They prevent unauthorized access and ensure the confidentiality, integrity, and availability of the client’s data. To establish secure cooperation with an IT vendor, a client can request information regarding internal and external audits, info asset inventory, security policies, and procedures the company applies, certificates it holds, etc.
In Part Two, you will learn more about business climate, reforms, investments, and IT industry in Ukraine to make sure it is a safe destination for software development offshoring.