What are the details of the instructions for reviewing and assessing the network information security situation in Vietnam? - Minh Trong (Hanoi)
On April 12, 2024, the Ministry of Information and Communications issued Official Dispatch 1337/BTTTT-CATTT, providing guidance on reviewing and assessing the network information security situation for information systems under management.
Specifically, in accordance with the direction of the Prime Minister, the Ministry of Information and Communications respectfully requests the Ministries, agencies under the Ministries, agencies under the Government, and People's Committees of provinces and centrally-run cities to direct and organize the review and assessment of the network information security situation for the information systems of state agencies, organizations, and state-owned enterprises within the scope of management as follows:
(1) Objectives
- Review and assess the network information security situation of the information systems within the scope of management to promptly address existing vulnerabilities, weaknesses, and gaps in order to prevent network attacks;
- Ensure the full implementation of legal regulations on network information security, with a focus on ensuring the security of information systems according to their levels;
- Strengthen discipline and implementation, ensuring the progress of tasks in the Prime Minister's directives on network information security.
(2) Content of the review and assessment of approval of level proposals and corresponding information security assurance measures
* Review and assess the approval of level proposals and the implementation of corresponding information security assurance measures
- Collect statistics, review the information systems within the scope of management, and evaluate the current status of level proposals and corresponding information security assurance measures;
- Develop a specific plan and timeline for the information systems that have not implemented the approved level proposals and complete the deployment of the corresponding information security assurance measures. Ensure compliance with the Prime Minister's directions in Directive 09/CT-TTg dated February 23, 2024, on compliance with legal regulations and enhancement of security of information systems according to levels;
- Utilize the Level Management Support Platform provided by the Ministry of Information and Communications to build and manage the information systems within the scope of management at the following link: https://capdo.ais.gov.vn (the information on the platform serves as a basis for reference and evaluation by the Ministry of Information and Communications).
* Review and assess the implementation of information security checks, assessments, and risk management within the scope of management
- Collect statistics and review the organization's implementation of information security checks, assessments, and risk management for the information systems within the scope of management, as specified in Clause 2, Article 20 of Decree 85/2016/ND-CP, and Article 12 of Circular 12/2022/TT-BTTTT;
- Develop a plan and allocate resources to organize information security checks, assessments, and risk management for the information systems that have not undergone regular checks and assessments (at least once every 2 years for level 1 and level 2 systems; once a year for level 3 and level 4 systems; once every 6 months for level 5 systems). Promptly address existing vulnerabilities, weaknesses, and gaps to prevent network attacks, especially for systems that provide online services to citizens and businesses.
* Review and assess the construction of plans for responding to network security incidents and organizing network security exercises
- Collect statistics and evaluate the construction of plans for responding to incidents for the information systems within the scope of management. Promptly update the corresponding incident response plans based on the type of incident/network attack, especially response plans for risks such as ransomware attacks, unauthorized control, interface changes, etc.;
- Assess the implementation and organization of practical network security exercises for the information systems within the scope of management, in accordance with the directives in Directive 18/CT-TTg dated August 13, 2022, on enhancing the implementation of activities for responding to network security incidents in Vietnam;
- Develop and update plans to ensure the implementation of exercises and response to potential incidents for the information systems within the scope of management, especially for critical information systems and systems that provide online services to citizens and businesses.
* Assess the allocation of items related to information security when developing and implementing annual and 5-year information technology application plans and information technology projects.
(3) Reporting deadline for reviewing results
The report on the results of reviewing and assessing the network information security situation for the information systems under management should be submitted to the Ministry of Information and Communications (through the Information Security Department) as follows:
- Initial report:
Before April 22, 2024, so that the results can be summarized and reported to the Prime Minister before April 30, 2024, as directed in Official Dispatch 33/CD-TTg dated April 7, 2024.
- Subsequent reports (Quarterly):
Before the 20th of the last month of the quarter (March, June, September, December in the reporting year).
Ho Quoc Tuan.