What are the criteria for technical measures to supervise and protect cybersecurity in Vietnam? - Thanh Danh (Can Tho)
Regarding this issue, LawNet would like to answer as follows:
Criteria for technical measures to supervise and protect cybersecurity according to Article 11 of Decree 53/2022/ND-CP are as follows:
- The operational environment of a major national security information system shall:
+ Be separated from environments of development, testing, and experiment;
+ Apply measures to ensure information safety;
+ Not install tools and means for application development;
+ Eliminate or turn off unused or unnecessary features and feature software on the information system.
- Data of the major national security information system shall have automatic backup plans to external storage that suit the frequency of data change and ensure that newly arising data is backed up within 24 hours. Backup data must be tested every 6 months to ensure that it can be restored.
- A network system shall:
+ Be divided into different network zones according to users and using purposes and must at least have a separate network zone for the server of the information system; have a demilitarized zone (DMZ) to provide services on the Internet; have a separate network zone to provide wireless network services; have a separate network zone for the database server;
+ Have devices and software to control connections and access to major network zones;
+ Have measures to promptly control, detect, and prevent unauthorized connections, access, and intrusion;
+ Have plans to respond to distributed denial-of-service (DDoS) attacks and other forms of attack suitable for the scale and nature of the major national security information system.
- Measures and solutions shall be adopted to find and promptly detect technical weaknesses and vulnerabilities of the network system, illegal connections, and devices and software illegally installed in the network.
- Logs of the information system and users’ activities, arising errors, and information safety incidents must be recorded and stored for at least 3 months in a centralized form and backed up at least once a year.
- Regarding the control of access of users and groups of users using devices and tools:
+ Register, allocate, renew, and revoke access rights of devices and users;
+ Ensure that each account with access to the system is only associated with one user; in case of sharing the account for general access to the major national security information system, there must be approval from competent authorities and identification of the responsibility of each individual at each time of use;
+ Limit and control access to accounts with administrative rights:
(i) Establish mechanisms to control the creation of accounts with administrative rights to ensure that such accounts may only be used with the approval of competent authorities;
(ii) Adopt measures to supervise the use of accounts with administrative rights;
(iii) Ensure that there is only 1 access at a time to an account with administrative rights, and such account shall automatically log out if it is idle for a certain time;
+ Manage and allocate confidential passwords to access the information system;
+ Review, inspect, and re-consider the approval of access rights of users;
+ Impose requirements and criteria for information safety for devices and tools used for access.
Criteria for personnel of system operation, administration, and cybersecurity protection in Vietnam according to Article 9 of Decree 53/2022/ND-CP are as follows:
- Divisions in charge of system operation and administration and cybersecurity protection are required.
- Personnel in charge of system operation and administration and cybersecurity protection shall have professional qualifications in cybersecurity, cyber information security, and information technology, and shall have commitments to protect the confidentiality of information on major national security information systems during the process of working and after leaving the job position.
- Mechanisms of independent professional operations between divisions of operation, administration, and protection of cybersecurity for major national security information systems are required.