Cybersecurity criteria for major national security information systems in Vietnam

Nguyễn Thị Diễm My

What are the cybersecurity criteria for major national security information systems in Vietnam? – Kieu Anh (Thai Binh)


1. What is cybersecurity?

Cybersecurity means the assurance that activities in cyberspace do not harm national security, public order, or the lawful rights and interests of any organization or individual.

(Clause 1, Article 2 of the Law on Cybersecurity 2018)

2. Cybersecurity criteria for major national security information systems in Vietnam

(1) Criteria for regulations, procedures, and methods of ensuring cybersecurity for major national security information systems in Vietnam

- Governing bodies of major national security information systems shall, on the basis of the regulations on cybersecurity, state secret protection, cipher work, the technical standards and regulations on cyber information security, and other relevant professional and technical standards, develop regulations, procedures and plans for protecting the cybersecurity of the major national security information systems under their management.

- The regulations, procedures and plans for cybersecurity protection shall specify:

+ The major information system and the major information prioritized for protection;

+ The management, technical and professional procedures for using the database and technical infrastructure and for protecting their cybersecurity;

+ The criteria for personnel in network administration, system operation and cyber information security and safety, and for the drafting, storage and transmission of state secrets via the information system;

+ The responsibilities of each division and individual in managing, operating and using the system;

+ Sanctions for violations.

(Article 8 of Decree 53/2022/ND-CP)

(2) Criteria for personnel of system operation, administration, and cybersecurity protection in Vietnam

- Dedicated divisions in charge of system operation and administration and of cybersecurity protection are required.

- Personnel in charge of system operation and administration and of cybersecurity protection shall have professional qualifications in cybersecurity, cyber information security and information technology, and shall commit to protecting the confidentiality of information on major national security information systems both while in the position and after leaving it.

- Mechanisms ensuring the professional independence of the operation, administration and cybersecurity protection divisions (separation of duties) are required for major national security information systems.

(Article 9 of Decree 53/2022/ND-CP)

(3) Criteria for assurance of cybersecurity for devices, hardware, and software that are components of the system in Vietnam

- Hardware devices that are components of the system shall be tested for cybersecurity in order to detect weaknesses and security vulnerabilities, malicious code, covert transmitters and malicious hardware, and to ensure compatibility with the other components of the major national security information system. Administration devices must run clean operating systems and applications and be protected by firewall layers. Information systems that handle state secrets shall not be connected to the Internet.

- Products that the cybersecurity protection forces have warned about or notified as posing a cybersecurity risk shall not be put into use, or shall have their weaknesses, security vulnerabilities, malicious code and malicious hardware handled and remedied before being put into use.

- Digital data and information handled and stored on information systems that process state secrets shall be encrypted, or otherwise protected, during creation, exchange and storage on the Internet in accordance with the law on state secret protection.

- Information technology devices, communication means, data storage media, and devices serving the operation of the information system shall be managed, disposed of, or repaired in accordance with the law on state secret protection and the working regulations of the governing body of the information system.

- System software, functional software, middleware, databases, application programs, source code and development tools shall be periodically reviewed and kept up to date with patches.

- Mobile devices and devices with information storage capability shall, when connected to the internal network of a major national security information system, be checked and controlled for safety, and may only be used within that information system.

- Devices and media that store information shall, when connected, transported or stored:

+ Be security-checked before being connected to the major national security information system;

+ Have their connection to and disconnection from devices of the major national security information system controlled;

+ Be protected during transport and storage, with additional protection measures for stored information that constitutes a state secret.

(Article 10 of Decree 53/2022/ND-CP)

(4) Criteria for technical measures to supervise and protect cybersecurity in Vietnam

- The operational environment of a major national security information system shall:

+ Be separated from the development, testing and experimentation environments;

+ Apply information safety measures;

+ Not have application development tools installed;

+ Have unused or unnecessary features and functional software removed or disabled.

- Data of the major national security information system shall be covered by automatic backup plans to external storage, with a backup frequency appropriate to the rate of data change, such that newly arising data is backed up within 24 hours. Backup data must be restore-tested at least every 6 months.

- A network system shall:

+ Be divided into separate network zones by user group and purpose, with at least: a separate zone for the system's servers; a demilitarized zone (DMZ) for services exposed to the Internet; a separate zone for wireless network services; and a separate zone for database servers;

+ Have devices and software that control connections and access to the main network zones;

+ Have measures to promptly control, detect and prevent unauthorized connections, access and intrusion;

+ Have response plans for distributed denial-of-service (DDoS) attacks and other forms of attack appropriate to the scale and nature of the major national security information system.

- Measures and solutions shall be adopted to search for and promptly detect technical weaknesses and vulnerabilities in the network, unauthorized connections, and devices or software installed in the network without authorization.

- Logs of the information system, user activity, errors, and information safety incidents must be recorded and stored centrally for at least 3 months and backed up at least once a year.

- Regarding the control of access of users and groups of users using devices and tools:

+ Register, allocate, renew, and revoke access rights of devices and users;

+ Ensure that each account with access to the system is associated with exactly one user; where an account must be shared for general access to the major national security information system, approval from a competent authority is required and the individual responsible for each use must be identifiable;

+ Limit and control access to accounts with administrative rights:

(i) establish mechanisms controlling the creation of administrative accounts so that such accounts may only be used with the approval of a competent authority;

(ii) adopt measures to supervise the use of administrative accounts;

(iii) allow only one session at a time per administrative account, with automatic logout after a set idle period;

+ Manage and issue passwords for access to the information system;

+ Periodically review, inspect and re-approve users' access rights;

+ Impose information safety requirements and criteria on the devices and tools used for access.

(Article 11 of Decree 53/2022/ND-CP)
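The backup, restore-test and log-retention criteria in Article 11 are stated as numbers (new data backed up within 24 hours, restore tests every 6 months, logs kept centrally for at least 3 months and backed up at least once a year), so they can be checked mechanically against an inventory. The script below is an added illustration of such a check; it is not part of the decree or of this article. The record format, the field names (`SystemRecord`, `audit`, `audit_all`) and the sample records are assumptions constructed here; a real audit would pull these values from the backup system and the central log platform rather than from hard-coded data.

```python
"""Check backup freshness, restore-test cadence and log retention against
the numeric thresholds of Article 11, Decree 53/2022/ND-CP.

Added example, not code from the decree or the article. The record format,
helper names and sample inventory are assumptions constructed for it.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Thresholds as stated in Article 11.
BACKUP_MAX_AGE = timedelta(hours=24)         # new data backed up within 24 h
RESTORE_TEST_INTERVAL = timedelta(days=183)  # restore test "every 6 months"
LOG_MIN_RETENTION_DAYS = 90                  # logs kept "at least 3 months"
LOG_BACKUP_INTERVAL = timedelta(days=365)    # logs backed up "at least once a year"


@dataclass
class SystemRecord:
    """Inventory record for one system (assumed format)."""
    name: str
    last_data_change: datetime
    backups: List[datetime]                # completion times of backups to external storage
    last_restore_test: Optional[datetime]
    log_retention_days: int                # configured retention in the central log store
    log_centralized: bool
    last_log_backup: Optional[datetime]


def audit(rec: SystemRecord, now: datetime) -> List[str]:
    """Return the Article 11 findings for one record; an empty list means compliant."""
    findings: List[str] = []

    # Backups: data that arises must be backed up within 24 hours. A backup that
    # completed after the last change covers it; an uncovered change only becomes
    # a finding once the 24-hour window has actually elapsed.
    latest_backup = max(rec.backups) if rec.backups else None
    if latest_backup is None:
        findings.append("no backup to external storage on record")
    elif latest_backup < rec.last_data_change and now - rec.last_data_change > BACKUP_MAX_AGE:
        findings.append(
            f"data changed at {rec.last_data_change:%Y-%m-%d %H:%M} not backed up within 24 hours"
        )

    # Restore tests: backups must be proven restorable at least every 6 months.
    if rec.last_restore_test is None or now - rec.last_restore_test > RESTORE_TEST_INTERVAL:
        findings.append("restore test older than 6 months (or never performed)")

    # Logs: collected centrally, kept at least 3 months, backed up at least yearly.
    if not rec.log_centralized:
        findings.append("logs are not collected centrally")
    if rec.log_retention_days < LOG_MIN_RETENTION_DAYS:
        findings.append(f"log retention of {rec.log_retention_days} days is below 90 days")
    if rec.last_log_backup is None or now - rec.last_log_backup > LOG_BACKUP_INTERVAL:
        findings.append("log archive not backed up within the last year")

    return findings


def audit_all(records: List[SystemRecord], now: datetime) -> Dict[str, List[str]]:
    """Audit every record and map system name to its findings."""
    return {r.name: audit(r, now) for r in records}


# Constructed sample inventory, evaluated at a fixed reference time so the
# result is reproducible.
NOW = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)

SAMPLE_RECORDS = [
    # Fully compliant: backup completed after the last change, tests and log backups in date.
    SystemRecord("db-primary", NOW - timedelta(hours=5),
                 [NOW - timedelta(hours=30), NOW - timedelta(hours=3)],
                 NOW - timedelta(days=120), 180, True, NOW - timedelta(days=200)),
    # Change 40 h ago with no backup since, no restore test, local 30-day logs, no log backup.
    SystemRecord("app-portal", NOW - timedelta(hours=40),
                 [NOW - timedelta(hours=50)], None, 30, False, None),
    # Edge case: change 2 h ago not yet backed up, but still inside the 24-hour window.
    SystemRecord("file-share", NOW - timedelta(hours=2),
                 [NOW - timedelta(hours=10)], NOW - timedelta(days=1), 90, True,
                 NOW - timedelta(days=1)),
]

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_RECORDS, NOW).items():
        print(f"{name}: {'OK' if not findings else 'NON-COMPLIANT'}")
        for f in findings:
            print(f"  - {f}")
```

The 24-hour check deliberately distinguishes "not yet backed up" from "overdue": a change made two hours ago with no backup since is not a violation until the window elapses, which is what the `file-share` record exercises. Treat the 6-month and yearly intervals as upper bounds; the decree says "every 6 months" and "at least once a year", so a stricter internal schedule is compliant.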

(5) Criteria for physical security in Vietnam

- Major national security information systems shall be placed and installed at safe, protected locations so as to reduce the risk of environmental threats and hazards and of intrusion.

- Major national security information systems shall have assured power supply and support systems for when the main power source is disrupted; have measures against overload, voltage drop and lightning surges; have grounding systems; and have backup generators and uninterruptible power supplies (UPS) to keep devices operating continuously.

- Major national security information systems shall have plans and measures to protect against, and counter, intrusion by unmanned aerial vehicles for the purpose of information collection.

- Access to the data centers of major national security information systems shall be controlled 24/7.

(Article 12 of Decree 53/2022/ND-CP)
