Assignment of roles in ensuring network information safety and network security in Vietnam of Ministry of Finance

Assignment of roles in ensuring network information safety and network security in Vietnam of Ministry of Finance (Internet image)

On May 19, 2023, the Ministry of Finance of Vietnam issued Decision 1013/QD-BTC promulgating the Regulation on network information safety and cyber security of the Ministry of Finance.

1. What is cyberinformation security and cybersecurity?

- Cyberinformation security is the protection of information and information systems on the network from unauthorized access, use, disclosure, interruption, modification, or destruction to ensure the integrity, confidentiality, and availability of information.

Cybersecurity is the assurance that operations in cyberspace do not cause harm to national security, social order and safety, or the legitimate rights and interests of agencies, organizations, and individuals.

(Clause 2, 3, Article 2 of Regulation issued together with Decision 1013/QD-BTC)

2. Assignment of roles in ensuring network information safety and network security in Vietnam of Ministry of Finance 

Specifically, in Article 4, Article 2 of the Regulation promulgated together with Decision 1013/QD-BTC stipulating the assignment of the role of ensuring network information safety and cyber security to the Ministry of Finance as follows:

(1) The owner of the information system:

(i) The Ministry of Finance is the owner of the information system built, established, upgraded, or expanded from the project or plan to hire services under the approving competence of the Minister of Finance; the owner of the information system is built, established, upgraded, and expanded from the project, service hire plan, outline, and detailed estimate under the approving competence of units under ministerial agencies and non-business units under ministries.

The Ministry of Finance authorizes the General Department to perform the responsibilities of the information system owner for the information system in which the General Department is the project investor, to assume the prime responsibility for implementing the service outsourcing plan.

The unit authorized to manage the information system fully fulfills the responsibilities of the information system owner in accordance with the law on network safety and security and this Regulation.

The authorization shall end at the time when the information system approved by the Ministry of Finance terminates its use or is transferred by the Ministry of Finance to another unit in accordance with current regulations.

The scope of the authorized information system is specified in the project investment approval decision; plans to hire information technology services; detailed outlines, and estimates.

(ii) The General Department is the owner of the information system that is built, established, upgraded, and expanded from the project; the service plan, detailed outline, and cost estimates fall under the approval authority of the General Department and units under the General Department.

(iii) In case the information system related to the entity is subject to the application of this Regulation but not within the scope specified in (i), (ii), the Director of the Department of Financial Informatics and Statistics shall report to the Minister of Finance to decide on the unit in charge of the information system or authorize the performance of responsibilities of the information system owner in accordance with law.

(2) Information system operator:

- Units under ministerial agencies (including the Department of Informatics and Financial Statistics), non-business units under the Ministry shall assume the prime responsibility for building, establishing, upgrading, expanding, maintaining the operation of the application layer or the database of the information system, and performing the role of the information system operator.

The Department of Informatics and Financial Statistics is the unit operating the internal network system and the network safety and security system of the Ministry; the backbone network of the Unified Communications Infrastructure of the Finance Sector, and other information systems under the decision of the Minister of Finance.

- For the information system managed by the General Department, the General Department shall appoint an information system operator.

- In the event that the information system is in the process of hiring information technology services, the service provider shall perform the role of the information system operator.

(3) Unit in charge of network safety and security:

- The Department of Financial Informatics and Statistics assumes the role of a specialized unit in charge of cybersecurity for the Ministry of Finance.

- The specialized information technology unit under the General Department assumes the role of the Department in charge of network safety and security.

- The owner of the information system shall establish or designate a specialized division of network security and safety of the unit in charge of network safety and security of the owner of the information system.

(4) The Steering Committee for Digital Transformation of the Ministry of Finance concurrently assumes the role of the Steering Committee for Response to Cybersecurity Incidents of the Ministry of Finance.

(5) Unit in charge of responding to cybersecurity incidents (referred to as the Incident Response Unit):

- The Department of Financial Informatics and Statistics assumes the role of a specialized incident response unit of the Ministry of Finance, responsible for implementing incident response work on information systems managed by the Ministry of Finance (excluding information systems that the Ministry has authorized to perform the responsibility of information system owners).

- The Department in charge of network safety and security of the General Department assumes the role of the agency in charge of incident response of the General Department.

- The unit in charge of incident response shall submit to the information system owner a proposal to establish an incident response team and organize incident response activities in the field, area, and scope of his/her management.

(6) Cybersecurity protection force of the Ministry of Finance, including the department in charge of network safety and security under the Department of Informatics and Financial Statistics; the specialized network safety and security division of the specialized information technology unit under the General Department; and incident response teams under the Ministry of Finance.

Note: Units and departments assigned to take on the role of ensuring network safety and security at (1) to (6) perform their responsibilities in accordance with the law applicable to their respective roles and in accordance with these Regulations.

More details can be found in Decision 1013/QD-BTC, effective from the date of signing and promulgation.

>> CLICK HERE TO READ THIS ARTICLE IN VIETNAMESE