Vietnam: What is the information security proposal of the classified information systems? How to ensure the information security of the classified information systems?

How to ensure the information security of the classified information systems? What are the requirements to ensure the information security of the classified information systems in Vietnam? – asked Quoc Thanh (from Binh Duong).

How to ensure the information security of the classified information systems in Vietnam?

Article 10 of Circular 12/2022/TT-BTTTT stipulates as follows:

Plans to ensure information security for each class
1. The class 1 information system security plan must satisfy the requirements detailed in Appendix I issued together with this Circular.
2. The class 2 information system security plan must satisfy the requirements detailed in Appendix II issued with this Circular.
3. The class 3 information system security plan must satisfy the requirements detailed in Appendix III issued together with this Circular.
4. The class 4 information system security plan must satisfy the requirements detailed in Appendix IV issued together with this Circular.
5. The class 5 information system security plan must satisfy the requirements detailed in Appendix V issued together with this Circular.

Accordingly, there will be a total of 5 plans to ensure information security corresponding to 5 classes according to the above regulations.


What are the requirements to ensure the information security of the classified information systems in Vietnam?

Article 9 of Circular 12/2022/TT-BTTTT stipulates as follows:

General requirements
1. The requirements to ensure the information security of the classified information systems shall comply with the basic requirements specified in this Circular and the National Standard TCVN 11930-2017 on Information technology - safety techniques - basic requirements for security of the classified information systems.
2. Basic requirements for each class specified in this Circular are the minimum requirements to ensure information system security, including basic requirements on management and basic technical requirements, and do not include physical security requirements.
3. Basic requirements for management, including:
a) Establish an information security policy;
b) Information security assurance organization;
c) Ensure human resources;
d) Manage system design and construction;
đ) Manage system operation;
e) Information security risk management plan;
g) Plan for termination of operation, exploitation, liquidation and destruction of the information system.
4. Basic technical requirements, including:
a) Ensure network safety;
b) Ensure server security;
c) Ensure application security;
d) Ensure data security.
5. The formulation of an information security plan that meets the basic requirements for each class shall comply with the principles specified in Clause 2, Article 4 of Decree No. 85/2016/ND-CP, specifically as follows:
a) For class 1, 2, and 3 information systems: The information security assurance plan must consider the possibility of common use between information systems for solutions to protect and share resources, in order to optimize performance and avoid redundant, duplicate and wasteful investment;
b) For class 4, 5 information systems: The information security assurance plan should be designed to ensure availability and segregation, and to limit the impact on the entire system when one component in the system, or related to the system, suffers a loss of information security.
6. When the information system is newly built, expanded or upgraded, it must fully implement the information security assurance plan approved in the class proposal and meet the security requirements in Articles 9 and 10 of this Circular before being put into operation and exploitation.
7. Regulations on ensuring information security for the system must be developed, must meet the safety requirements on management according to the respective information system security class, and must be approved and issued by competent authorities before the class proposal is approved.
8. Information security requirements for internal software when building new, expanding or upgrading:
a) Newly built, expanded or upgraded internal software must comply with the Safe Software Development Framework;
b) Meet the basic security requirements for the Internal Software.
9. In case a class 3 information system is deployed in the form of hiring information technology services at a data center or cloud computing, the system design must meet the following requirements:
a) Must be designed separately, logically independent from other systems and have measures to control access between systems;
b) Network areas in the system must be designed separately, logically independent of each other and have measures to manage access between network areas;
c) Have logically independent segregated storage partitions.
10. In case a class 4 or class 5 information system is deployed in the form of hiring information technology services at a Data Center or Cloud Computing, the system design must meet the following requirements:
a) Must be designed separately, physically independent from other systems and have measures to control access between systems;
b) Network areas in the system must be designed separately, logically independent of each other and have measures to manage access between network areas;
c) Have physically separated storage partitions;
d) Primary network devices must be physically isolated.

Accordingly, the assurance of information system security by class is carried out according to the above general requirements.

What are the basic requirements to ensure information system security from class 1 to class 5?

- Basic requirements to ensure information system security at class 1 are specified in Appendix I issued together with Circular 12/2022/TT-BTTTT as follows:

- Basic requirements to ensure information system security at class 2 are specified in Appendix II issued together with Circular 12/2022/TT-BTTTT as follows:

- Basic requirements to ensure information system security at class 3 are specified in Appendix III issued together with Circular 12/2022/TT-BTTTT as follows:

- Basic requirements to ensure information system security at class 4 are specified in Appendix IV issued together with Circular 12/2022/TT-BTTTT as follows:

- Basic requirements to ensure information system security at class 5 are specified in Appendix V issued together with Circular 12/2022/TT-BTTTT as follows:

See all basic requirements for information system security from level 1 to level 5: here.

Circular 12/2022/TT-BTTTT will take effect from October 1, 2022.


LawNet
