What are the details regarding the Directive on strengthening information system security at different levels in Vietnam? - Huynh Long (Binh Duong)
On February 23, 2024, the Prime Minister issued Directive 09/CT-TTg on compliance with regulations and strengthening the security of information systems at different levels.
Specifically, to enhance compliance with regulations and strengthen the security of information systems at different levels, the Prime Minister requires:
(1) Ministers, heads of ministerial-level agencies and government bodies; Chairpersons of People's Committees of provinces and centrally-run cities; Chairpersons of Boards of Directors, Councils of Members, and Directors General of state-owned corporations, companies, state commercial banks, the Vietnam Development Bank, the Social Policy Bank, the Vietnam Cooperative Bank, and other state credit and financial organizations nationwide, to focus on directing the implementation of the following measures:
- Directly supervising and being responsible for ensuring information security in the activities of their own agencies and localities; being accountable to the Prime Minister and the law if the units under their management fail to comply with legal provisions on ensuring information system security at different levels or if there are incidents of information security breaches, data leaks, and breaches of state secrets.
- Organizing the dissemination of, and strict compliance with, legal provisions on ensuring network information security within the units under their management. Directing the units operating information systems under their management to fundamentally change their awareness, determine the proposed level to implement security measures as prescribed, and use this as an important basis for determining and allocating resources for implementation as well as evaluating the level of compliance with legal provisions on network information security.
- Ensuring that information systems under design, construction, upgrading, and expansion are approved for the level of information system security and fully implement the proposed information security measures before being put into operation and exploitation.
- Conducting reviews, statistics, and updates of the list of information systems under their management; ensuring that information systems from level 1 to level 5 (if any) currently in operation are approved for the level of information system security no later than September 2024; and fully implementing the proposed information security measures approved no later than December 2024.
- Prioritizing the deployment of information systems on digital infrastructure (such as data centers, cloud computing services) that have fully implemented information security measures to inherit existing information security measures.
- Regularly and effectively using the information security support platforms provided by the Ministry of Information and Communications to gradually digitize state management activities and enforce laws on network information security within their management scope.
- Organizing the effective, substantial, regular, and continuous implementation of information security measures following the 4-tier model, especially by enhancing the capabilities of the monitoring and professional protection layer and maintaining continuous and stable connectivity and information sharing with the National Cybersecurity Monitoring Center under the Authority of Information Security, Ministry of Information and Communications; prioritizing the use of information security products, solutions, and services produced or owned by Vietnamese businesses.
- Periodically organizing inspections, checks, and evaluations of compliance with regulations, and monitoring the implementation of information security measures at different levels within their management scope, at least once a year. Reporting the results of implementation to the Ministry of Information and Communications before December 25 each year for synthesis and reporting to the Prime Minister.
- Prioritizing the allocation of resources in accordance with legal provisions to effectively implement information system security at different levels, information security measures following the 4-tier model, especially for data centers and shared important information systems.
(2) The Ministry of Information and Communications is responsible for:
- Developing, disseminating, training on the use of, and maintaining the operation of information security support platforms, such as the platform for managing information system security at different levels, the platform for coordinating the handling of national network information security incidents, the platform for supporting digital investigation, etc., to support agencies, organizations, and enterprises in implementing information security activities conveniently, effectively, and synchronously from central to local levels. Organizing the evaluation and ranking of information system security at different levels of ministries, sectors, and localities through the platform for managing information system security at different levels.
- Organizing propaganda, training, capacity building, guidance, urging, inspection, evaluation, and other activities to promote the synchronous and comprehensive implementation of network information security, focusing on ensuring information system security at different levels and ensuring information security in the 4-tier model.
- Developing and issuing a Handbook on Compliance with Legal Provisions and Enhancing Information System Security at Different Levels; providing guidance on the information security model for reference and convenience in implementing activities for ministries, sectors, and localities. To be completed no later than June 2024.
- Strengthening inspection and checking of compliance with legal provisions on information security at state agencies and organizations; enterprises implementing the digital platform serving digital transformation, developing e-government, digital government, digital economy, and digital society; enterprises providing digital infrastructure services, telecommunications services, Internet, and other related enterprises in Vietnam. Strictly handling agencies, organizations, and enterprises that violate the law on network information security.
- Taking the lead in organizing the deployment, guidance, monitoring, urging, inspection, and evaluation of the implementation of this Directive.
(3) Cybersecurity enterprises:
- Researching and improving the network information security products and services provided by enterprises, aiming to integrate multiple solutions and services to ensure network information security that meets technical requirements and complies with legal provisions on ensuring information system security at different levels, technical standards, regulations, and guidelines of the Ministry of Information and Communications.
(4) Telecommunications and Internet service providers:
- Recognizing that deploying basic measures to ensure network information security to protect users of telecommunications and Internet services is the responsibility of telecommunications and Internet service providers.
- Researching and implementing solutions on Internet access devices provided by enterprises to users to protect users from accessing illegal information sources and prevent the risk of information security breaches; connecting and sharing information and data according to the guidance of the Ministry of Information and Communications.
Ho Quoc Tuan