What are the regulations on the basic List of criteria for cyberinformation security for surveillance cameras in Vietnam?
What are the regulations on the basic List of criteria for cyberinformation security for surveillance cameras in Vietnam? – Mr. Hung (Ca Mau)
On May 7, 2024, the Minister of Information and Communications issued Decision 724/QD-BTTTT of 2024 on the basic list of criteria for cyberinformation security for surveillance cameras.
According to the Decision, the regulations on the basic List of criteria for cyberinformation security for surveillance cameras in Vietnam are as follows:
(1) Documentation Requirements
A user manual with product usage instructions shall be provided.
(2) Authentication Management
- Prevention of brute force attacks
+ The system shall provide a system administration function for changing the lockout time, the number of failed login attempts, and the time window for consecutive failed logins. By default, the system shall lock out login attempts for 5 minutes after 5 consecutive failed login attempts within 30 seconds.
+ The system shall only provide information to users about successful or failed login attempts without disclosing any other information that could be exploited for brute force attacks.
- Secure password management
+ The system shall request the users to change the default password or the generated password when using the device for the first time.
+ The system shall have a function to control secure passwords. Generated passwords should meet complexity requirements (minimum length of 8 characters, including uppercase letters, lowercase letters, numbers, and special characters).
+ Passwords shall be hashed with SHA-256 or a stronger hash function.
- Secure default password initialization
The default passwords for camera devices and related services (if any) must meet the following requirements:
+ The password shall include a minimum length of 8 characters, including uppercase letters, lowercase letters, numbers, and special characters.
+ The password initialization mechanism shall use a method that generates random values.
+ The password initialization mechanism shall not rely on publicly available information (e.g., MAC address, Wi-Fi SSID string, product name, product type, etc.).
+ Each camera device shall have a different default password.
- Authentication Management
+ The system shall have authentication functions that allow authentication of different types of entities, such as users or devices, with different authentication values.
+ Passwords stored on the camera shall be encrypted.
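The lockout policy and default-password rules above, implemented as an added example (not code from the Decision or from any camera vendor). It assumes an injectable clock so the policy can be exercised without waiting, and uses the Decision's defaults of 5 failures within 30 seconds and a 5-minute lockout; the password generator draws only from the OS CSPRNG, never from device data such as the MAC address or SSID.

```python
import secrets
import string
import time
from collections import deque

# Defaults from the Decision: lock for 5 minutes after 5 consecutive failures
# within 30 seconds; all three values are administrator-configurable.
DEFAULT_LOCKOUT_SECONDS, DEFAULT_MAX_FAILURES, DEFAULT_FAILURE_WINDOW_SECONDS = 300, 5, 30
# Character classes a default or generated password must draw from.
PASSWORD_CLASSES = (string.ascii_uppercase, string.ascii_lowercase, string.digits, string.punctuation)

class LoginGuard:
    """Per-account brute-force lockout; `clock` is injectable so the policy can be tested."""
    def __init__(self, lockout=DEFAULT_LOCKOUT_SECONDS, max_failures=DEFAULT_MAX_FAILURES,
                 window=DEFAULT_FAILURE_WINDOW_SECONDS, clock=time.monotonic):
        self.lockout, self.max_failures, self.window, self.clock = lockout, max_failures, window, clock
        self._failures = {}      # account -> deque of recent failure timestamps
        self._locked_until = {}  # account -> time at which the lockout expires

    def attempt(self, account, check_credentials):
        """Return only True/False: a locked account is indistinguishable from a wrong password."""
        now = self.clock()
        if self._locked_until.get(account, 0) > now:
            return False
        if check_credentials():
            self._failures.pop(account, None)   # a success ends the consecutive-failure run
            return True
        recent = self._failures.setdefault(account, deque())
        recent.append(now)
        while recent and now - recent[0] > self.window:   # drop failures outside the window
            recent.popleft()
        if len(recent) >= self.max_failures:
            self._locked_until[account] = now + self.lockout
            recent.clear()
        return False

def generate_default_password(length=12):
    """Random per-device default password; nothing device-derived (no MAC, SSID or model name)."""
    if length < 8:
        raise ValueError("minimum length is 8 characters")
    chars = [secrets.choice(cls) for cls in PASSWORD_CLASSES]          # one from each class
    chars += [secrets.choice("".join(PASSWORD_CLASSES)) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)                              # hide the class positions
    return "".join(chars)

def meets_complexity(password):
    """Complexity rule from the Decision: at least 8 characters with one of each class."""
    return len(password) >= 8 and all(any(c in cls for c in password) for cls in PASSWORD_CLASSES)
```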
(3) Vulnerability Management
- Requirements for device vulnerability management systems
Manufacturers must have an online system to receive and disclose information about device vulnerabilities to users.
- Requirements for security vulnerability disclosure information
+ Descriptions of vulnerabilities, classifications, and severity grades shall be provided.
+ Descriptions of affected versions shall be provided.
+ Guidelines for updating and addressing vulnerabilities shall be included.
(4) Management and Implementation of Updates
- Requirements for update management systems
Manufacturers must have an online system to:
+ Disclose information about update versions.
+ Manage and implement updates for camera devices with internet connectivity.
- Requirements for update version information
Update version information should include at least the following details:
+ System software version.
+ Integrity check code (checksum) for the system software.
+ Descriptions of updated system software information.
- Requirements for internet-based version update functionality
+ Updates shall be performed over a secure network connection using secure encryption methods that meet the requirements of Section 6.1 of the Decision (the secure communication connection requirements under (6) below).
+ Authentication shall be required before performing updates.
+ Users shall be notified of new update versions when they log in to administer the device.
+ The system shall have a function to enable automatic installation of patches from the manufacturer.
+ The system shall have a function to verify the integrity of updates by checking the manufacturer's digital signature on them.
(5) Secure Session Management
- Login Session Management
The camera device and the user interface application shall have a timeout feature that automatically logs the user out after a set period of time.
- Secure Session Key Generation
Secure session keys are generated for users upon successful login in accordance with the following requirements:
+ The session key is resistant to brute force attacks.
+ The session key is not deterministically generated and includes a random component.
+ The session key is not recoverable.
+ There is a function to invalidate the current login session or previous login sessions when the user logs in again.
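The session-key requirements above (random and brute-force resistant, not recoverable from storage, timed out, and earlier sessions invalidated on re-login), as an added example that is not part of the Decision or of any vendor's firmware. The 600-second idle timeout is an assumed value; the Decision requires a timeout but does not fix one.

```python
import hashlib
import secrets
import time

SESSION_IDLE_TIMEOUT_SECONDS = 600   # assumed idle timeout; the Decision requires one but sets no value

class SessionStore:
    """Session keys that are random, unrecoverable from storage, expiring, and one-per-user."""
    def __init__(self, ttl=SESSION_IDLE_TIMEOUT_SECONDS, clock=time.monotonic):
        self.ttl, self.clock = ttl, clock
        self._sessions = {}   # sha256(key) -> (user, last_activity); the key itself is never stored

    @staticmethod
    def _digest(key):
        return hashlib.sha256(key.encode()).hexdigest()

    def login(self, user):
        """Issue a fresh key and invalidate every earlier session of the same user."""
        stale = [d for d, (u, _) in self._sessions.items() if u == user]
        for d in stale:
            del self._sessions[d]
        key = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG: not guessable, not deterministic
        self._sessions[self._digest(key)] = (user, self.clock())
        return key

    def validate(self, key):
        """Return the user for a live key, refreshing its activity time; None if unknown or timed out."""
        now = self.clock()
        d = self._digest(key)
        entry = self._sessions.get(d)
        if entry is None:
            return None
        user, last_activity = entry
        if now - last_activity > self.ttl:   # automatic logout after inactivity
            del self._sessions[d]
            return None
        self._sessions[d] = (user, now)
        return user

    def logout(self, key):
        """Explicit logout; unknown keys are ignored so the call reveals nothing."""
        self._sessions.pop(self._digest(key), None)
```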
(6) Communication Channel Management
- Secure Communication Connection Requirements
+ Encryption methods based on current Vietnamese standards or equivalent international standards are used.
+ The encryption method uses versions that have no publicly disclosed vulnerabilities or weaknesses in network information security announced by domestic or foreign organizations or agencies.
- Secure Access to Device Configuration
+ A secure channel shall be used for accessing the device configuration.
+ Access to device configuration shall be controlled:
i. Grant minimal access privileges (only for configuration and device administration) to authenticated entities.
ii. Deny access to entities that failed authentication.
iii. Deny access to entities that have not been authenticated.
+ When the camera is in its initial operational state, deny access to the following entities (users and machines):
i. Authenticated entities without sufficient access rights.
ii. Entities that failed authentication.
iii. Unauthenticated entities.
Exception: All the above requirements do not apply to system services that support camera device operations such as ARP, DHCP, DNS, ICMP, NTP, etc.
(7) Interface Management
- Authentication Information Security
In the initial operational state, when the user has not been authenticated, the network interface of the device only provides publicly available information related to device operation and usage.
- Logical and Network Interface Management
+ Logical and network interfaces that are active when the device is in the initial operational state must have a purpose description explaining why the interface is active.
+ There is a function to enable or disable interfaces based on the description.
- Debug Interface Management
The debug interface must be disabled by default.
- Physical Interface Management
+ There is a function to disable physical connection ports when not in use.
+ All unused physical interfaces must be disabled in the default root installation mode.
(8) User Data Information Security
- Personal Data Protection
The camera device and associated services must have features that allow the location for processing, storing, and exploiting data to be configured and set within Vietnam (e.g., on memory cards or peripheral devices, or on cloud computing services located in Vietnam) to ensure compliance with Vietnamese laws on personal data protection.
- Data Collection Sensors
The user manual (or equivalent publicly available documentation) must list the inventory of sensors used by the camera device, and describe the functions and operating principles of each sensor used by the camera device.
- Personal Data Protection Notifications
During device initialization, setup, and configuration, there must be an interface that notifies users of the storage and processing location (country) of the data collected by the camera device and associated services.
- Erasing Data on the Camera Device
+ There is a function that allows users to delete collected and stored data on the camera device.
+ There is a function to notify users of the successful/failed deletion of data on the device when performing the deletion function.
+ There is a function to obtain user consent before deleting data.
- Erasing Data on Associated Services
+ There is a function that allows users to delete stored data on associated services.
+ There is a function to notify users of the successful/failed deletion of data on associated services when performing the deletion function.
+ There is a function that allows users to set an automatic data deletion time on associated services. The deletion time can be set by the user on the camera or follow the manufacturer's default time.
+ There is a function to obtain user consent before deleting data.
(9) Application Security
The camera device must have the following features:
+ Validate input data entered by users or through the programming interface.
+ Prevent the processing of input data that violates predefined filter conditions set by the manufacturer.
+ Validate data to prevent attacks on the device interface. Such attacks include, but are not limited to: SQL Injection, OS Command Injection, XPath Injection, Remote File Inclusion (RFI), Local File Inclusion (LFI), Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF).
(10) Ability to Recover System to Normal State after Incidents
In the event of a non-hardware error that requires a device reboot, the device shall resume normal operation on the next boot.
What is cyberinformation security according to the law in Vietnam?
According to Clause 1, Article 3 of Law on Cyberinformation Security 2015, the definition of cyberinformation security is as follows:
Cyberinformation security means the protection of information and information systems in cyberspace from being illegally accessed, utilized, disclosed, interrupted, altered or sabotaged in order to ensure the integrity, confidentiality and usability of information.
What are grades of network information system security in Vietnam?
According to Article 21 of the Law on Cyberinformation Security 2015, the classification of grades of network information system security is as follows:
- Grade 1: The Grade at which damage would harm the lawful rights and interests of organizations or individuals but will not harm public interests, social order and safety or national defense and security.
- Grade 2: The Grade at which damage would seriously harm lawful rights and interests of organizations or individuals or will harm public interests but will not harm social order and safety or national defense and security.
- Grade 3: The Grade at which damage would seriously harm production, public interests and social order and safety or will harm national defense and security.
- Grade 4: The Grade at which damage would cause extremely serious harm to public interests and social order and safety or will seriously harm national defense and security.
- Grade 5: The Grade at which damage would cause extremely serious harm to national defense and security.
- The classification of grades of network information system security is intended to apply management and technical measures to protect the information system according to its appropriate grade.