Regulations on classification of information systems by security grade in Vietnam

Regulations on classification of information systems by security grade in Vietnam (Internet image)

Regarding this issue, LawNet would like to answer as follows:

1. What is classification of information systems by security grade?

According to Clause 1, Article 21 of the Law on Cyberinformation Security 2015, classification of information systems by security grade means the determination of information security grades of information systems in an ascending order from 1 to 5 for taking appropriate management and technical measures to properly protect information systems of each grade.

2. Regulations on classification of information systems by security grade in Vietnam

According to Clause 2, Article 21 of the Law on Cyberinformation Security 2015, information systems shall be classified by security grade as follows:

- Grade 1 means that when an information system is sabotaged, it will harm lawful rights and interests of organizations or individuals but will not harm public interests, social order and safety or national defense and security;

- Grade 2 means that when an information system is sabotaged, it will seriously harm lawful rights and interests of organizations or individuals or will harm public interests but will not harm social order and safety or national defense and security;

- Grade 3 means that when an information system is sabotaged, it will seriously harm production, public interests and social order and safety or will harm national defense and security;

- Grade 4 means that when an information system is sabotaged, it will cause extremely serious harms to public interests and social order and safety or will seriously harm national defense and security;

- Grade 5 means that when an information system is sabotaged, it will cause exứemely serious harms to national defense and security.

3. Tasks of protecting information systems in Vietnam 

Tasks of information system protection according to Article 22 of the Law on Cyberinformation Security 2015 include:

- To determine security grades of information systems.

- To assess and manage security risks to information systems.

- To urge, supervise and examine the protection of information systems.

- To take measures to protect information systems.

- To comply with the reporting regime.

- To conduct public information for raising awareness about cyberinformation security.

4. Measures to protect information systems in Vietnam

According to Article 23 of the Law on Cyberinformation Security 2015, measures to protect information systems are as follows:

- To promulgate regulations on cyberinformation security assurance in designing, developing, managing, operating, using, updating or abolishing information systems.

- To apply management and technical measures according to standards and technical regulations on cyberinformation security for preventing and combating risks and remedying incidents to cyberinformation security.

- To examine and supervise the observance of regulations and assess the effectiveness of applied management and technical measures.

- To supervise security of information systems.

5. Responsibility to ensure cyberinformation security for national important information systems in Vietnam 

Responsibility to ensure cyberinformation security for national important information systems according to Article 27 of the Law on Cyberinformation Security 2015 are as follows:

- The managing body of a national important information system shall:

+ Comply with the provisions of Clause 2, Article 25 of this Law;

+ Periodically have cyberinformation security risks assessed by a specialized organization designated by a competent state agency;

+ Take standby measures for information systems;

d/ Plan and conduct drills in the protection of national important information systems.

- The Ministry of Information and Communications shall:

+ Assume the prime responsibility for, and coordinate with managing bodies of national important information systems, the Ministry of Public Security and related ministries and sectors in, guiding, urging, inspecting and examining the protection of cyberinformation security for national important information systems, except those specified in Clauses 3 and 4 of this Article;

+ Request telecommunications enterprises, enterprises providing information technology services and enterprises providing cyberinformation security services to provide technical advice and assistance and respond to cyberinformation security incidents for national important information systems.

- The Ministry of Public Security shall guide, urge, inspect and examine the protection of cyberinformation security for national important information systems under its management; and coordinate with the Ministry of Information and Communications, managing bodies of national important information systems and related ministries, sectors and People’s Committees at all levels in protecting other national important information systems at the request of competent state agencies.

- The Ministry of National Defense shall guide, urge, inspect and examine the protection of cyberinformation security for national important information systems under its management.

- The Government Cipher Committee shall organize the use of ciphers for protecting information in national important information systems of state agencies, political organizations and socio-political organizations; and coordinate with managing bodies of national important information systems in supervising cyberinformation security in accordance with law.

>> CLICK HERE TO READ THIS ARTICLE IN VIETNAMESE