What are the criteria for personnel of system operation, administration, and cybersecurity protection of major national security information systems in Vietnam?
What are the criteria for personnel of system operation, administration, and cybersecurity protection of major national security information systems in Vietnam? What are the criteria for assurance of cybersecurity for devices, hardware, and software that are components of major national security information systems in Vietnam? What are the criteria for technical measures to supervise and protect cybersecurity of major national security information systems in Vietnam?
Thank you!
What are the criteria for personnel of system operation, administration, and cybersecurity protection of major national security information systems in Vietnam?
Pursuant to Article 9 of Decree 53/2022/NĐ-CP, the criteria for personnel of system operation, administration, and cybersecurity protection of major national security information systems in Vietnam are as follows:
1. Divisions in charge of system operation and administration and cybersecurity protection are required.
2. Personnel in charge of system operation and administration and cybersecurity protection shall have professional qualifications in cybersecurity, cyber information security, and information technology, and shall commit to protecting the confidentiality of information on major national security information systems both while working and after leaving the job position.
3. Mechanisms of independent professional operations between divisions of operation, administration, and protection of cybersecurity for major national security information systems are required.
What are the criteria for assurance of cybersecurity for devices, hardware, and software that are components of major national security information systems in Vietnam?
Pursuant to Article 10 of Decree 53/2022/NĐ-CP, the criteria for assurance of cybersecurity for devices, hardware, and software that are components of major national security information systems in Vietnam are as follows:
1. Hardware devices that are components of the system shall be checked for cybersecurity to detect weaknesses, security vulnerabilities, malicious code, covert transceivers, and malicious hardware, and to ensure compatibility with the other components of the major national security information system. Administrative devices must run clean operating systems and applications and be protected by firewall layers. Information systems that process state secrets shall not be connected to the Internet.
2. Products that cybersecurity protection forces have warned or notified to pose cybersecurity risks shall not be put into use unless measures have been taken to handle and remedy their weaknesses, security vulnerabilities, malicious code, and malicious hardware before use.
3. Digital data and information processed and stored on information systems containing state secrets shall be encrypted or otherwise protected during creation, exchange, and storage on the Internet, according to the law on protection of state secrets.
4. Information technology devices, communication means, data storage media, and devices serving the operation of information systems shall be managed, destroyed, or repaired according to the law on protection of state secrets and the working regulations of the governing bodies of such information systems.
5. System software, feature software, middleware, database, application programs, source codes, and development tools shall be periodically reviewed and updated with patches.
6. Mobile devices and devices with information storage features when connecting to the internal network of a major national security information system shall be tested and controlled for safety assurance and may only be used in such information systems.
7. Devices and media that store information, when connected, transported, and stored, shall:
a) Be checked for security before being connected to major national security information systems;
b) Have their connection to and disconnection from major national security information systems controlled;
c) Be subject to measures that ensure safety during transport and storage and that protect the state secrets stored on them.
What are the criteria for technical measures to supervise and protect cybersecurity of major national security information systems in Vietnam?
Pursuant to Article 11 of Decree 53/2022/NĐ-CP, the criteria for technical measures to supervise and protect cybersecurity of major national security information systems in Vietnam are as follows:
1. The operational environment of a major national security information system shall:
a) Be separated from environments of development, testing, and experiment;
b) Apply measures to ensure information safety;
c) Not install tools and means for application development;
d) Remove or disable unused or unnecessary features and utility software on the information system.
2. Data of the major national security information system shall have an automatic backup plan to external storage suited to the frequency of data changes, ensuring that newly arising data is backed up within 24 hours. Backup data must be tested for restorability every 6 months.
3. A network system shall:
a) Be divided into different network zones according to users and using purposes and must at least have a separate network zone for the server of the information system; have a demilitarized zone (DMZ) to provide services on the Internet; have a separate network zone to provide wireless network services; have a separate network zone for the database server;
b) Have devices and software to control connections and access to major network zones;
c) Have measures to promptly control, detect, and prevent unauthorized connections, access, and intrusion;
d) Have plans to respond to distributed denial-of-service (DDoS) attacks and other forms of attack suited to the scale and nature of the major national security information system.
4. Adopt measures and solutions to find and promptly detect technical weaknesses and vulnerabilities of the network system, illegal connections, and devices and software illegally installed in the network.
5. Logs of the information system and of users' activities, arising errors, and information safety incidents must be recorded and stored centrally for at least 3 months and backed up at least once a year.
6. Regarding the control of access of users and groups of users using devices and tools:
a) Register, allocate, renew, and revoke access rights of devices and users;
b) Ensure that each account with access to the system is only associated with one user; in case of sharing the account for general access to the major national security information system, there must be approval from competent authorities and identification of the responsibility of each individual at each time of use;
c) Limit and control access to accounts with administrative rights: (i) establish mechanisms to control the creation of accounts with administrative rights so that such accounts may only be used with the approval of competent authorities; (ii) adopt measures to supervise the use of accounts with administrative rights; (iii) ensure that there is only 1 access session at a time to an account with administrative rights, and that such an account is automatically logged out if it is idle for a certain time;
d) Manage and allocate passwords for access to the information system;
dd) Review, inspect, and re-evaluate the approval of users' access rights;
e) Impose requirements and criteria for information safety for devices and tools used for access.
Best regards!
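One way to implement the administrative-account control in item 6(c) of Article 11 above (one access session at a time, automatic logout when idle, supervised use), as an added example that is not part of the Decree or of the answer; the 15-minute idle limit and the account and user names are assumptions:

```python
# Added example, not text of Decree 53/2022/NĐ-CP and not any vendor's code:
# a minimal session registry enforcing a single active session per
# administrative account, automatic logout after an idle period, and an audit
# trail recording which individual used the account at each time.
from dataclasses import dataclass, field

IDLE_LIMIT_SECONDS = 900  # assumption: the Decree only says "a certain time"

@dataclass
class AdminSession:
    user: str             # individual responsible for this use of the account
    last_activity: float  # timestamp (seconds) of the last request

@dataclass
class AdminSessionRegistry:
    idle_limit: float = IDLE_LIMIT_SECONDS
    sessions: dict = field(default_factory=dict)   # account -> AdminSession
    audit_log: list = field(default_factory=list)  # (time, account, user, event)

    def _expire_idle(self, now: float) -> None:
        # Automatic logout: drop any session idle for longer than the limit.
        for account, sess in list(self.sessions.items()):
            if now - sess.last_activity > self.idle_limit:
                del self.sessions[account]
                self.audit_log.append((now, account, sess.user, "idle-logout"))

    def login(self, account: str, user: str, now: float) -> bool:
        self._expire_idle(now)
        if account in self.sessions:
            # Only one access at a time to an administrative account.
            self.audit_log.append((now, account, user, "denied-concurrent"))
            return False
        self.sessions[account] = AdminSession(user, now)
        self.audit_log.append((now, account, user, "login"))
        return True

    def touch(self, account: str, now: float) -> bool:
        """Record activity on a session; False if it has already timed out."""
        self._expire_idle(now)
        sess = self.sessions.get(account)
        if sess is None:
            return False
        sess.last_activity = now
        return True
```

The audit log gives the per-individual accountability that item 6(b) requires for shared accounts, and the "denied-concurrent" and "idle-logout" events are the ones worth alerting on.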