The ProZorro public procurement system is built on the principles of open data, but we take the requirements of confidentiality, integrity and availability of data very seriously. While public tender information is available on the web portal free of charge and without registration, the integrity and security of the system are built into its data architecture. A number of measures and processes are in place to guarantee information security: to protect sensitive data from unauthorized access, to secure the integrity of the central database, and to maintain open and unrestricted access to open data. The central database is hosted in the secure De Novo cloud service, which was created to meet the strict information security requirements of the Data Protection Service of Ukraine for government data systems.
Together with the participants of the public procurement system, SOE Prozorro is currently undergoing formal certification of its information security management practice against a code of practice that meets both the highest international standards and the legal information security requirements of Ukraine.
The authorization procedure for electronic online marketplaces consists of the following five steps:
- Development of the technical specification for the information security management practice
- Coordination of the technical specification for the information security management practice with SOE Prozorro (the administrator)
- Approval of the technical specification by the State Service of Special Communications and Information Protection of Ukraine
- Preparation of the technical plan and the supporting documentation for the certification (testing) procedure
- Application for the certification (testing) procedure and its completion
The Administrator of the electronic public procurement system is responsible for overseeing the technical aspects of the comprehensive information security management practice of each participating electronic marketplace. Currently, the participating marketplaces are at the following stages of the 5-step information security confirmation process:
- Pro Purchasing, "Е-tender", NEWTEND, PrivatMarket, Ukrainian Universal Market, TENDERMASTER, Accept, OPEN TENDER, "UPETEM", "Brizol.net", "e.Trade", "25/8.AUCTION", "GOV.AUCTION", "Your Tender", "Aladdin Government", APS Market
- Public Bid, zakupki.prom.ua, "TENDER-online"
- PublicPurchasing.Online, "Zakupki UA"
Information System Data Security
As the administrator of the electronic public procurement system in Ukraine, SOE Prozorro is mandated to ensure compliance with information security management requirements among all participants of the electronic procurement system.
"A sufficient information security management process within the cloud-based electronic system of public purchasing shall be considered to be one that is certified according to the international code of practice for information security management based on ISO/IEC 27001 or the State Standard of Ukraine ISO/IEC 27001, or in accordance with the applicable standards that replace them, and certified by an accredited organization based in Ukraine or by an accredited international organization that is a registered party to the multilateral International Accreditation Forum and/or an applicable accredited European organization, based on ISO/IEC 27001 or the State Standard of Ukraine ISO/IEC 27001, or in accordance with the applicable standards that replace them" (translated extract from the Law of Ukraine on Public Procurement)
Information Security Management System
"The electronic system of public purchasing must create and maintain a comprehensive information security management practice in accordance with the applicable legal requirements pertaining to information security. The specific requirements are to be defined by the administrator of the public purchasing system in accordance with the applicable legal requirements pertaining to information security. Electronic marketplaces, prior to joining the electronic system of public purchasing, must be certified by the administrator as meeting the documented requirements of having a comprehensive information security management system in place." (translated extract from the Act of the Cabinet of Ministers of Ukraine on the Accession and Authorization procedure for commercial online marketplaces joining the electronic system of public purchasing)
In accordance with the law, the information security requirements for commercial online marketplaces joining the electronic system of public purchasing have been implemented and are updated on a regular basis.
Interaction of the administrator and the online electronic marketplace platform operators
Updated rules for interaction between the system administrator and the operators on information security matters have been approved as part of the model agreement between the administrator and the operators (Act of the Ministry of the Economy and Economic Development dated 28.03.2018, No. 435).
The information security requirements that form part of the contract with the marketplace operators are as follows:
“During the execution of this agreement, the Parties undertake to comply with the legislation of Ukraine in the field of technical and cryptographic protection of information, the Procedure, and requirements established in the documentation of the integrated system of information security of the ESC.
The operator is required to configure the site security services (identification and authentication, access control, logging, encryption, etc.) in accordance with the requirements and recommendations of the manufacturer of the equipment or software.
The Parties are obliged to provide full assistance to the state authorities, to the other Party and to its representatives in the event of information security investigations.
Means of cryptographic protection of information, including means of electronic digital signature, used in the operation of the site must have valid expert conclusions or certificates of conformity based on the results of state expertise in the field of cryptographic protection of information.
The operator is required to conduct internal audits of information security in order to assess the compliance of processes and procedures, security measures and the state of the information systems with the requirements of the Operator's information security policies and rules, legislative and contractual requirements, as well as recommendations of international standards. The results of the audit should be presented in the form of a report, which should contain information on the status of compliance with the above requirements, recommendations and plans for eliminating identified non-conformities and take into account the results of previous audits.
The Operator must carry out the specified audit within six months from the date of signing this agreement and subsequently at least once a year; the resulting report, certified by the signatures of the site's authorized persons, shall be submitted to the Administrator by official letter within five calendar days.
In the event of an information security incident on the site, the Operator must, within three hours from the moment the incident is detected, send a report to the Administrator's e-mail address. The report must include: the name of the authorized electronic platform; the date and time of occurrence of the incident; a description of the incident (the possibility of deployment); the violated property of the information (integrity, confidentiality, availability); whether the intervention was external or internal; possible causes; criticality; the place (system module) of occurrence; the actions taken; and any other important information. After submitting this preliminary report, the Operator must conduct a detailed investigation of the incident, prepare a detailed report and provide it to the Administrator.
The site Operator is required to conduct a scan (external and internal) of its site for vulnerabilities once a quarter and to report to the Administrator within five calendar days following the last day of the reporting period. The reporting period is a quarter. The report should include the scope and goals of the scan, generalized summary information, a list of the actions required to address the vulnerabilities, and detailed information for technical experts. Based on the scan results, the Operator must draw up a plan to eliminate the identified vulnerabilities and provide it to the Administrator.
The administrator has the right to conduct an external site scan for vulnerabilities and to check the reliability of the reports provided by the sites.
In the event of an information security incident, the Administrator shall, within one working day, submit the corresponding report to the commission for consideration. The commission reviews the report within five working days and takes one of the following decisions:
- elimination by the Operator of the authorized electronic platform of the detected violations within the period specified by the commission. In this case, the commission requires the Operator to carry out an audit of its internal control and information security system by appropriately certified specialists in order to confirm the violation; the results are considered at a meeting of the commission, which takes the appropriate follow-up decisions;
- withdrawal of authorization to operate within the electronic public procurement system."