The President of Vietnam officially announced the Law on Cyberinformation Security, which serves as an important legal framework for implementing cybersecurity activities in Vietnam. This Law takes effect on July 01, 2016.
The Law on Cyberinformation Security was initiated by the Ministry of Information and Communications in 2011 and took nearly four years to complete. It was officially passed with the votes of 424 of the 425 delegates present at the plenary session of the 10th session of the 13th National Assembly of Vietnam on November 19, 2015.
The Law on Cyberinformation Security consists of 8 chapters, 54 articles. This Law prescribes cyberinformation security activities, and rights and responsibilities of agencies, organizations and individuals in ensuring cyberinformation security; civil cryptography; standards and technical regulations on cyberinformation security; trading in the field of cyberinformation security; development of human resources for cyberinformation security; and state management of cyberinformation security.
The Law on Cyberinformation Security aims to address the requirements of national cybersecurity, thereby contributing to improving the legal framework for cybersecurity by applying synchronized and feasible regulations in practice and leveraging the country's resources to ensure cybersecurity, develop the cybersecurity sector to meet the requirements of socio-economic development, and ensure national defense and security.
The Law on Cyberinformation Security also aims to protect the legitimate rights and interests of organizations and individuals participating in cybersecurity activities; strengthen supervision, prevention, and control of cybersecurity risks, ensuring the effectiveness of state management in the field of cybersecurity; expand international cooperation on cybersecurity based on respect for independence, sovereignty, equality, mutual benefit, in compliance with Vietnamese law and treaties to which the Socialist Republic of Vietnam is a contracting party.
Immediately after the Law was approved, the Government planned to develop and issue guiding documents under the Law in 2016.
According to the plan, the Ministry of Information and Communications will take the lead in drafting and submitting to the Government and the Prime Minister three documents, including: a decree detailing the criteria, authority, procedures, and process for determining the level of information system security and the responsibilities for ensuring the security of information systems at each level; a decree detailing the conditions for granting licenses for cybersecurity products and services; a decision by the Prime Minister on the list of cybersecurity products and services.
In addition, within its jurisdiction, the Ministry of Information and Communications will also develop Government decrees and circulars detailing certain provisions of the Law on Cyberinformation Security, and propose the issuance of, or itself issue, a system of standards and regulations on cybersecurity. It will also organize activities to disseminate and promote the Law.
The Ministry of National Defense will take the lead in drafting and submitting to the Government a decree detailing activities to prevent information conflicts on the network. The Government Cipher Committee will assist the Minister of National Defense in drafting and submitting to the Government a decree detailing civil encryption. The Ministry of Public Security will take the lead in drafting and submitting to the Government a decree regulating the prevention of network usage for terrorist activities.
Below are some important contents of Chapter II on Assurance of cyberinformation security, which include provisions on Cyberinformation protection (Section 1) and Protection of information systems (Section 3).
Cyberinformation protection
This section consists of 7 articles (Article 9 to Article 15) and regulates the following contents:
Classification of information: Information is classified based on its secrecy in order to take appropriate protection measures. Information regarded as a state secret shall be classified and protected in accordance with the law on protection of state secrets.
Agencies and organizations that use classified and unclassified information in activities within their fields shall develop regulations and procedures for processing information; determine contents and methods of recording authorized accesses to classified information.
Management of sending of information: The sending of information in cyberspace must meet the following requirements: Not forging the information sender source; and complying with this Law and other relevant laws.
Commercial information may not be sent to the electronic addresses of recipients who have not consented to, or have refused, receiving it, unless the recipients are obliged to receive such information under law.
Telecommunications enterprises, enterprises providing telecommunications application services and enterprises providing information technology services that send information shall: comply with the law on storage of information and protection of the personal and private information of organizations and individuals; take blocking and handling measures upon receiving notices from organizations or individuals that the sending of information is illegal; offer recipients the option to refuse to receive information; and provide the necessary technical and professional conditions, upon request, for competent state agencies to manage and ensure cyberinformation security.
Prevention, detection, stoppage and handling of malware: Responsibilities of each entity are specified as follows:
- Agencies, organizations and individuals shall prevent and stop malware as guided or requested by competent state agencies.
- The managing body of a national important information system shall put into operation technical and professional systems for preventing, detecting, stopping and promptly handling malware.
- Enterprises providing email services or transmitting and storing information must operate malware filtering systems in the course of sending, receiving and storing information via their systems, and shall send reports to competent state agencies in accordance with law. Internet service-providing enterprises shall take measures to manage, prevent, detect and stop the spread of malware, and handle it at the request of competent state agencies.
- The Ministry of Information and Communications shall assume the prime responsibility for, and coordinate with the Ministry of National Defense, the Ministry of Public Security and related ministries and sectors in, preventing, detecting, stopping and handling malware that affects national defense and security.
Security assurance for telecommunications resources
- Users of telecommunications resources shall apply managerial and technical measures to prevent cyberinformation insecurity arising from their frequencies, number stores, domain names and internet addresses; and coordinate with, and provide information relating to telecommunications resource security for, competent state agencies upon request.
- Enterprises providing services on the internet shall manage, and coordinate in preventing cyberinformation insecurity arising from, internet resources and their clients; provide adequate information at the request of competent state agencies; coordinate in connection and routing to ensure secure and stable operation of Vietnam’s system of national domain name servers.
- The Ministry of Information and Communications shall ensure cyberinformation security for Vietnam’s system of national domain name servers.
Response to cyberinformation security incidents: This means activities aiming to handle and remedy an incident that causes cyberinformation insecurity.
- Response to cyberinformation security incidents must adhere to the following principles: being prompt, rapid, accurate, synchronous and effective; complying with the law on coordination of response to cyberinformation security incidents; and ensuring coordination among domestic and foreign agencies, organizations and enterprises.
- Ministries, ministerial-level agencies, government-attached agencies, provincial-level People’s Committees, telecommunications enterprises and managing bodies of national important information systems shall establish or appoint a specialized division to respond to cyberinformation security incidents. The Ministry of Information and Communications shall coordinate response to cyberinformation security incidents nationwide, and prescribe in detail the coordination of response to cyberinformation security incidents.
Emergency response to ensure national cyberinformation security: This means incident response activities in catastrophic circumstances or at the request of competent state agencies with a view to ensuring national cyberinformation security.
Emergency response to ensure national cyberinformation security must adhere to the following principles: organizing response according to decentralized competence; conducting response on the spot, rapidly, strictly and with close coordination; applying effective and feasible technical measures.
Emergency response plans to ensure national cyberinformation security include: Emergency response plan to ensure national cyberinformation security; Emergency response plan to ensure cyberinformation security for state agencies, political organizations and socio-political organizations; Emergency response plan to ensure cyberinformation security for localities; Emergency response plan to ensure cyberinformation security for telecommunications enterprises.
Responsibilities to ensure national cyberinformation security are prescribed as follows:
- The Prime Minister shall decide on emergency response plans to ensure national cyberinformation security;
- The Ministry of Information and Communications shall coordinate emergency response to ensure national cyberinformation security;
- Ministries, sectors, People’s Committees at all levels, and related agencies and organizations shall, within the ambit of their tasks and powers, coordinate and direct emergency response to ensure national cyberinformation security;
- Telecommunications enterprises shall take emergency response measures and coordinate with the Ministry of Information and Communications and related ministries, sectors and People’s Committees at all levels in ensuring national cyberinformation security.
Responsibilities of agencies, organizations and individuals in ensuring cyberinformation security: Agencies, organizations and individuals engaged in cyberinformation security activities shall coordinate with competent state agencies and other organizations and individuals in ensuring cyberinformation security. Agencies, organizations and individuals using services in cyberspace shall promptly notify service-providing enterprises or specialized incident response units of cyberinformation security sabotaging acts or incidents.
Protection of information systems
This section consists of 7 articles (Article 21 to Article 27) and regulates the following contents:
Classification of information systems by security grade means determining the security grade of each information system, in ascending order from 1 to 5, so that appropriate management and technical measures can be taken to properly protect information systems of each grade.
Information systems shall be classified by security grade as follows:
- Grade 1 means that when an information system is sabotaged, it will harm lawful rights and interests of organizations or individuals but will not harm public interests, social order and safety or national defense and security;
- Grade 2 means that when an information system is sabotaged, it will seriously harm lawful rights and interests of organizations or individuals or will harm public interests but will not harm social order and safety or national defense and security;
- Grade 3 means that when an information system is sabotaged, it will seriously harm production, public interests and social order and safety or will harm national defense and security;
- Grade 4 means that when an information system is sabotaged, it will cause extremely serious harms to public interests and social order and safety or will seriously harm national defense and security;
- Grade 5 means that when an information system is sabotaged, it will cause extremely serious harms to national defense and security.
The Government shall prescribe in detail criteria, competence, order and procedures for determining security grades of information systems and responsibility for ensuring security for information systems of each grade.
Tasks of protecting information systems include: determining the security grades of information systems; assessing and managing security risks to information systems; urging, supervising and examining the protection of information systems; taking measures to protect information systems; complying with the reporting regime; and conducting public communication to raise awareness about cyberinformation security.
Measures to protect information systems include: promulgating regulations on cyberinformation security assurance in designing, developing, managing, operating, using, updating or abolishing information systems; applying management and technical measures according to standards and technical regulations on cyberinformation security for preventing and combating risks and remedying cyberinformation security incidents; examining and supervising the observance of regulations and assessing the effectiveness of the applied management and technical measures; and supervising the security of information systems.
Security supervision of information systems: This means the activities of choosing an object to be supervised, collecting information on that object and analyzing its status, with a view to identifying factors that affect the security of the information system; reporting on and warning of acts infringing upon cyberinformation security or threatening to cause cyberinformation security incidents to the information system; analyzing the key factors that affect the status of cyberinformation security; and proposing changes to technical measures.
The objects subject to security supervision in an information system are firewalls, access control, major information routes, important servers, important equipment and important terminal equipment.
Telecommunications enterprises, enterprises providing information technology services and enterprises providing cyberinformation security services shall coordinate with managing bodies of information systems in supervising the security of information systems at the request of competent state agencies.
Responsibilities of managing bodies of information systems: Managing bodies of information systems shall protect information systems in accordance with Articles 22, 23 and 24 of the Law on Cyberinformation Security.
State-funded managing bodies of information systems shall perform the responsibilities defined in Clause 1 of this Article and shall: make plans to ensure cyberinformation security appraised by competent state agencies when establishing, expanding or upgrading their information systems; and appoint individuals or units to take charge of cyberinformation security.
National important information systems: When a national important information system is established, expanded or upgraded, its information security shall be inspected before the system is put into operation and use.
The Ministry of Information and Communications shall assume the prime responsibility for, and coordinate with the Ministry of National Defense, the Ministry of Public Security and related ministries and sectors in, making a list of national important information systems for submission to the Prime Minister for promulgation.
Responsibility to ensure cyberinformation security for national important information systems:
- The managing body of a national important information system shall: comply with the provisions of Clause 2, Article 25 of this Law; periodically have cyberinformation security risks assessed by a specialized organization designated by a competent state agency; take standby measures for information systems; plan and conduct drills in the protection of national important information systems.
- The Ministry of Information and Communications shall: assume the prime responsibility for, and coordinate with managing bodies of national important information systems, the Ministry of Public Security and related ministries and sectors in, guiding, urging, inspecting and examining the protection of cyberinformation security for national important information systems, except those specified in Clauses 3 and 4, Article 27 of this Law; and request telecommunications enterprises, enterprises providing information technology services and enterprises providing cyberinformation security services to provide technical advice and assistance and respond to cyberinformation security incidents for national important information systems.
- The Ministry of Public Security shall guide, urge, inspect and examine the protection of cyberinformation security for national important information systems under its management; and coordinate with the Ministry of Information and Communications, managing bodies of national important information systems and related ministries, sectors and People’s Committees at all levels in protecting other national important information systems at the request of competent state agencies.
- The Ministry of National Defense shall guide, urge, inspect and examine the protection of cyberinformation security for national important information systems under its management.
- The Government Cipher Committee shall organize the use of ciphers for protecting information in national important information systems of state agencies, political organizations and socio-political organizations; and coordinate with managing bodies of national important information systems in supervising cyberinformation security in accordance with law.
Source: Cyberinformation Security Magazine