Law on Cyberinformation Security of Vietnam: Protection of information systems classified by security grades

In principle, ensuring the security of information systems classified by security grades is regularly and continuously carried out from the planning, design, formulation, operation, to the disposal and termination stages; adhering to standards and technical regulations.

Users connecting and accessing information systems legally are responsible for complying with regulations on information security for systems issued by authorized agencies or organizations. Information systems directly connected to each other must belong to the same grade or consecutive grades. The requirement for ensuring information system security at each grade is a minimum requirement corresponding to that grade.

The plan for ensuring information security at each grade must comply with standards and technical regulations, including the following contents: Ensuring information security in the design and formulation stage; Ensuring information security during operation; Information security testing and evaluation; Information security risk management; Information security monitoring; Disaster preparedness, incident response, and post-disaster recovery; Termination of operation, exploitation, disposal, and cancellation.

The Law's provisions on the protection of information systems include the following main contents:

Classification of security grades of information systems

Classification of information systems by security grade means the determination of information security grades of information systems in an ascending order from 1 to 5 for taking appropriate management and technical measures to properly protect information systems of each grade.

Information systems shall be classified by security grade as follows:

- Grade 1 means that when an information system is sabotaged, it will harm lawful rights and interests of organizations or individuals but will not harm public interests, social order and safety or national defense and security;

- Grade 2 means that when an information system is sabotaged, it will seriously harm lawful rights and interests of organizations or individuals or will harm public interests but will not harm social order and safety or national defense and security;

- Grade 3 means that when an information system is sabotaged, it will seriously harm production, public interests and social order and safety or will harm national defense and security;

- Grade 4 means that when an information system is sabotaged, it will cause extremely serious harms to public interests and social order and safety or will seriously harm national defense and security;

- Grade 5 means that when an information system is sabotaged, it will cause extremely serious harms to national defense and security.

Tasks of protecting information systems

Tasks of protecting information systems include the following:

- To determine security grades of information systems.

- To assess and manage security risks to information systems.

- To urge, supervise and examine the protection of information systems.

- To take measures to protect information systems.

- To comply with the reporting regime.

- To conduct public communication to raise awareness about cyberinformation security.

Measures to protect information systems

Measures to protect information systems include the following:

- To promulgate regulations on cyberinformation security assurance in designing, developing, managing, operating, using, updating or abolishing information systems.

- To apply management and technical measures according to standards and technical regulations on cyberinformation security for preventing and combating risks and remedying incidents to cyberinformation security.

- To examine and supervise the observance of regulations and assess the effectiveness of applied management and technical measures.

- To supervise security of information systems.

Security supervision of information systems

Security supervision of an information system means activities of choosing a to-be-supervised object and collecting and analyzing information on the status of this object with a view to identifying factors that affect the security of such information system; reporting on and warning of acts of infringing upon cyberinformation security or acts threatening to cause cyberinformation security incidents to such information system; analyzing key factors that affect the status of cyberinformation security; and proposing changes to technical measures.

Subject to security supervision of an information system are firewalls, access controls, major information routes, important servers, important equipment and important terminal equipment.

Telecommunications enterprises, enterprises providing information technology services and enterprises providing cyberinformation security services shall coordinate with managing bodies of information systems in supervising the security of information systems at the request of competent state agencies.

Responsibilities of managing bodies of information systems

Managing bodies of information systems shall protect information systems in accordance with Articles 22, 23 and 24 of the Law on Cyberinformation Security of Vietnam.

State-funded managing bodies of information systems shall perform the responsibilities defined above and shall: make plans to ensure cyberinformation security appraised by competent state agencies when establishing, expanding or upgrading their information systems; appoint individuals or units to take charge of cyberinformation security.

National important information systems

When establishing, expanding or upgrading a national important information system, information security shall be inspected before putting this system into operation and exploitation.

The Ministry of Information and Communications shall assume the prime responsibility for, and coordinate with the Ministry of National Defense, the Ministry of Public Security and related ministries and sectors in, making a list of national important information systems for submission to the Prime Minister for promulgation.

Responsibility to ensure cyberinformation security for national important information systems

- The managing body of a national important information system shall: comply with the provisions of Clause 2, Article 25 of this Law; periodically have cyberinformation security risks assessed by a specialized organization designated by a competent state agency; take standby measures for information systems; plan and conduct drills in the protection of national important information systems.

- The Ministry of Information and Communications shall:

+ Assume the prime responsibility for, and coordinate with managing bodies of national important information systems, the Ministry of Public Security and related ministries and sectors in, guiding, urging, inspecting and examining the protection of cyberinformation security for national important information systems, except those specified in Clauses 3 and 4 Article 27 of this Law;

+ Request telecommunications enterprises, enterprises providing information technology services and enterprises providing cyberinformation security services to provide technical advice and assistance and respond to cyberinformation security incidents for national important information systems.

- The Ministry of Public Security shall guide, urge, inspect and examine the protection of cyberinformation security for national important information systems under its management; and coordinate with the Ministry of Information and Communications, managing bodies of national important information systems and related ministries, sectors and People’s Committees at all levels in protecting other national important information systems at the request of competent state agencies.

- The Ministry of National Defense shall guide, urge, inspect and examine the protection of cyberinformation security for national important information systems under its management.

- The Government Cipher Committee shall organize the use of ciphers for protecting information in national important information systems of state agencies, political organizations and socio-political organizations; and coordinate with managing bodies of national important information systems in supervising cyberinformation security in accordance with law.

These contents will be specified by the Government in the Decree on protection of information systems classified by security grade, which includes detailed provisions on criteria, authorities, procedures for determining the grade of information system security, and responsibilities for ensuring information system security at each grade.

Some terms in the Law on Cyberinformation Security

- Information system means a combination of hardware, software and databases established to serve the creation, provision, transmission, collection, processing, storage and exchange of information in cyberspace.

- National important information system means an information system which, when being sabotaged, will cause extremely serious harms to national defense and security.

- Managing body of an information system means an agency, organization or individual competent to directly manage an information system.

- Infringement upon cyberinformation security means an act of illegally accessing, utilizing, disclosing, interrupting, altering or sabotaging information or information systems.

- Cyberinformation security incident means an incident that harms information or an information system, affecting the integrity, confidentiality or usability of information.

- Cyberinformation security risk means a subjective factor or an objective factor that is likely to affect the status of cyberinformation security.

- Cyberinformation security risk assessment means the detection, analysis and estimation of levels of harm and threats to information or information systems.

- Cyberinformation security risk management means the introduction of measures to minimize cyberinformation security risks.

Source: antoanthongtin.vn
