What are regulations on data-level information security assurance in Vietnam?

What are regulations on data-level information security assurance in Vietnam? What is determination of levels and plans to ensure information system security in Vietnam? What are regulations on information security assurance when receiving, developing, operating and maintaining information systems in Vietnam? 

Please advise. Thank you.

What are regulations on data-level information security assurance in Vietnam?

Clause 6, Article 7 of the Regulation on ensuring network information safety and network security, promulgated together with Decision 1760/QD-BKHCN in 2022, provides for data-level information security assurance as follows:

6. Data-level information security assurance:

a) The unit must protect information and data related to official activities and important, sensitive or non-public information by measures such as: ensuring the confidentiality, integrity and availability of information and data; encrypting information and data when stored on mobile data storage systems/devices; using digital signatures to authenticate and secure information and data;

b) The unit needs to deploy a storage system/media that is independent of the storage system on service servers for backup; classify and manage stored information and data according to different types/groups of labeled information; back up the following basic information and data: system configuration file, server operating system image, database; data, business information;

c) The unit needs to arrange its own computer that is not connected to the network, set a password, encrypt data and apply other security measures to ensure information safety, to compose and store important data, information and documents at secret, top secret, top secret levels;

d) The units under the Ministry must regularly inspect and supervise activities of sharing, sending and receiving information and data in their internal operations; recommend that sharing, sending and receiving information on the network environment requires the use of a password to protect information;

dd) For the exchange of information and data with outside parties, the units and individuals that exchange information and data outside commit to and take measures to keep the exchanged information and data confidential. Online transactions must be transmitted in full, to the correct address, to avoid unauthorized modification, disclosure or duplication; using strong authentication mechanisms, digital signatures when participating in transactions, using secure communication protocols.

What is determination of levels and plans to ensure information system security in Vietnam?

Article 8 of the Regulation on ensuring network information safety and network security, promulgated together with Decision 1760/QD-BKHCN in 2022, stipulates the determination of levels and plans to ensure information system security as follows:

1. The determination of information system levels and the formulation of plans to protect information systems according to levels serve the purposes of information security assessment and information security assurance for information systems. The principle of ensuring information security by level and the principle of determining the level are based on the principles specified in Articles 4 and 5 of Decree 85/2016/ND-CP.

2. Information system owner:

a) The owner of the information system as prescribed in Article 5 of Circular No. 03/2017/TT-BTTTT;

b) An information system owner may authorize an organization on his/her behalf to exercise the right to directly manage the information system and the responsibility to ensure information system security as prescribed in Article 20 of Decree 85/2016/ND-CP. The authorization letter is as prescribed in Clause 3, Article 5 of Circular No. 03/2017/TT-BTTTT.

3. Information system operator:

a) The Information Technology Center is the operator of the information systems, shared databases of the Ministry and other assigned information systems;

b) The units under the Ministry that are the owners of the information system are responsible for assigning the units to operate the information system;

c) Before being put into operation and use, information systems must be assigned to management and operation units. The unit operates the information system as prescribed in Article 6 of Circular No. 03/2017/TT-BTTTT.

4. Unit in charge of information security:

a) The Information Technology Center is a unit in charge of information security of the Ministry of Science and Technology;

b) The unit in charge of information technology at the units under the Ministry is concurrently the unit in charge of information security.

5. Authority to determine information system security level:

a) Unit that prepares level proposals: For information systems belonging to tasks and projects that are in the project formulation stage, the project formulation unit shall prepare level proposals; For outsourced information systems, the unit in charge of hiring the service shall compile a dossier of level proposal; For information systems that are in the implementation stage, the unit in charge of the implementation shall compile a dossier of level proposals; For information systems in operation, the operating unit prepares a level proposal;

b) For information systems proposed at level 3 or higher, the specialized information security unit of the units under the Ministry needs to ask for professional opinions of the Information Technology Center before submitting to competent authorities for appraisal and approval of the level;

c) Competence to appraise and approve levels as prescribed in Article 12 of Decree No. 85/2016/ND-CP.

6. Order and procedures for determining information system level:

a) The identification and classification of information systems according to the provisions of Article 4 of Circular No. 03/2017/TT-BTTTT;

b) Contents of the application for information system level as prescribed in Article 15 of Decree 85/2016/ND-CP;

c) Contents and time for appraisal of dossiers of proposals at the information system level are specified in Article 16 of Decree 85/2016/ND-CP;

d) The order and procedures for determining the level of an information system are specified in Articles 13 and 14 of Decree 85/2016/ND-CP and Articles 14, 15 and 16 of Circular No. 03/2017/TT-BTTTT.

7. Plan to ensure information system safety:

a) The plan to ensure information system security must be suitable to the level of the information system and meet the requirements specified in Circular No. 03/2017/TT-BTTTT, in accordance with the standard TCVN 11930:2017, other standards, technical regulations and cyberinformation security policies of the Ministry of Science and Technology, cyberinformation security policies of units under the Ministry (if any);

b) The owner of the information system or the unit authorized to directly manage the information system shall organize the implementation of the plan to ensure information system security after the dossier of proposal for level or plan of security assurance is completed and approved system-wide;

c) The unit/department in charge of information security of the unit is responsible for supervising the implementation of the approved plans to ensure information security.

What are regulations on information security assurance when receiving, developing, operating and maintaining information systems in Vietnam? 

Article 9 of the Regulation on ensuring network information safety and network security, promulgated together with Decision 1760/QD-BKHCN in 2022, stipulates information security assurance when receiving, developing, operating and maintaining information systems as follows:

1. When upgrading, expanding or replacing a part of the information system, it is necessary to review the security level and plan of the information system and adjust, supplement or replace level suggestions in case of need.

2. When receiving, developing, upgrading and maintaining the information system, the unit must conduct analysis, identify possible risks, assess the scope of impact and must prepare measures to limit and eliminate these risks and require suppliers, contractors and related individuals to perform them.

3. During the operation of the information system, the information system-managing unit needs to evaluate and classify the information system by level; deploying an information system safety assurance plan that meets the basic requirements in standards and technical regulations on assurance of information system safety by level; regularly check and monitor information system safety; comply with established operating procedures and troubleshooting procedures; fully record and store system log information for information management and control.

4. Units under the Ministry related to application software development are responsible for requesting partners (if any) to carry out the work of ensuring information security, avoiding disclosure and leakage of source code and data, documents, design documents and system administration that partners are handling outside.

Best Regards!
