This annex provides security requirements for information systems at five different levels from low to high (1-5). Each level has specific technical and management requirements, including network infrastructure security, server security, application security, data security, general policies, human resource organization, system design and construction, operation management, and risk assessment. The higher the level, the greater the degree of security required.
Đối tượng áp dụng
Agencies and organizations with information systems must comply with the regulations of the Ministry of Information and Communications to ensure information security.
Các điểm cốt lõi
- Technical requirements include network infrastructure security, server security, application security, and data security.
- Management requirements include general policies, human resource organization, system design and construction, operation management, and risk assessment.
- additionaltopics
- 1. Backup and data recovery plan. 2. Multi-Factor Authentication (MFA) policy. 3. Cybersecurity risk management. 4. Employee training on security awareness enhancement.
- commoninformation
- Issued together with Circular No. 03/2017/TT-BTTTT dated April 24, 2017 by the Minister of Information and Communications. - Applies to information systems from Level 1 to Level 5.
🌐 Tác động xã hội từ văn bản này
- Enhance the security of information systems, reduce the risk of data loss and cybersecurity risks.
- Facilitate compliance with legal regulations on information security for organizations and businesses.
❓ Câu hỏi thường gặp
What are the differences in security requirements for Level 5 information systems compared to lower levels?
At Level 5, security requirements become stricter and more complex. For example, log retention for a minimum of 12 months, using private channels when transmitting data over networks, maintaining at least two connections from the primary backup system to the secondary backup system.
How is the periodic security assessment conducted?
For Levels 1-3, this is conducted annually or as needed. For Levels 4 and 5, it is conducted semi-annually or as specifically required.
What are the backup plans for information systems?
Backup plans may include maintaining internet connections from at least two different ISPs, storing data in different geographic locations, and using hot standby equipment.
Toàn văn
|
MINISTRY INFORMATION AND Number: 03/2017/TT-BTTTT |
SOCIALIST REPUBLIC OF VIET NAM Hanoi, on 24 April 2017 |
CIRCULAR
DETAILING AND GUIDING CERTAIN PROVISIONS OF DECREE NO. 85/2016/NĐ-CP OF JULY 1, 2016 OF THE GOVERNMENT ON ENSURING INFORMATION SYSTEM SECURITY BY LEVEL
Pursuant to the Law on Cybersecurity dated November 19, 2015;
Pursuant to Decree No. 85/2016/NĐ-CP dated July 1, 2016 of the Government on ensuring information system security by level;
Pursuant to Decree No. 17/2017/NĐ-CP dated February 17, 2017, issued by the Government, on the functions, tasks, powers, and organizational structure of the Ministry of Information and Communications;
At the request of the Director of the Cybersecurity Agency,
The Minister of Information and Communications issues this Circular detailing and guiding certain provisions of Decree No. 85/2016/NĐ-CP dated July 1, 2016 on ensuring information system security by level.
PART I
GENERAL PROVISIONS
Article 1. Scope of Regulation
1. This Circular details and guides ensuring information system security by level, including: Guidance on identifying information systems and their security levels; Requirements for ensuring information system security by level; Inspection and evaluation of information security; Receiving and reviewing proposals for security levels; Reporting and sharing information.
2. Information systems serving national defense and security activities managed by the Ministry of National Defense and the Ministry of Public Security are not within the scope of regulation of this Circular.
Article 2. Applicability
The subjects applying this Circular shall implement according to the provisions of Article 2 of Decree No. 85/2016/NĐ-CP dated July 1, 2016 of the Government on ensuring information system security by level (hereinafter referred to as Decree No. 85/2016/NĐ-CP).
Article 3. Explanation of Terms
In this Circular, the following terms are understood as follows:
1. Multi-factor authenticationNo. is a method of authentication that does not rely solely on one factor but combines several factors related to the user, including: information that the user knows (passwords, access codes, etc.), information that the user possesses (digital certificates, smart cards, etc.) or biometric information about the user (fingerprint, iris, etc.).
2. Hot standby is the ability to replace the function of a device when a failure occurs without interrupting the operation of the system.
3. Necessary password complexity ensures that the password has more than 8 characters, including both uppercase and lowercase letters, special characters, and numbers.
4. Critical network equipment refers to devices whose partial or complete cessation of operation without prior planning will disrupt the normal operation of the information system.
Chapter II
GUIDANCE ON IDENTIFYING INFORMATION SYSTEMS AND THEIR SECURITY LEVELS
Article 4. Guidance on identifying specific information systems
1. The identification of information systems for determining the level is based on the principle stipulated in Clause 1, Article 5 of Decree No. 85/2016/NĐ-CP.
2. Information systems are established and formed through one or more of the following methods: investment and construction, new establishment; upgrading, expansion, integration with existing systems; leasing or transferring systems.
3. Internal-use information systems are those serving internal management and operation activities of agencies and organizations, including:
a) Email systems;
b) Document management and administrative systems;
c) Teleconferencing systems;
d) Specific information management systems (human resources, finance, assets or other specialized business areas) or comprehensive information management systems (integrating multiple functions and business areas);
e) Internal information processing systems.
4. Citizen and business service information systems are those directly or indirectly providing online services, including online public services and other online services in telecommunications, information technology, commerce, finance, banking, healthcare, education, and other specialized fields, including:
a) Email systems;
b) Document management and administrative systems;
c) One-stop electronic portals;
d) Electronic websites and portals;
e) Systems for providing or supporting the provision of online services;
f) Customer care systems.
5. Information infrastructure systems are collections of equipment and transmission lines serving the common operations of multiple agencies and organizations, including:
a) Internal networks, wide area networks, dedicated data transmission networks;
b) Database systems, data centers, cloud computing systems;
c) Electronic authentication and certification systems, digital signature systems;
d) Interconnection and integration systems of various information systems.
6. Industrial control information systems are those with functions to monitor, collect data, manage, and control important components serving the normal operation of construction projects, including:
a) Programmable logic controller (PLC) systems;
b) Distributed control systems (DCS);
c) Supervisory control and data acquisition (SCADA) systems.
7. Other information systems are those not falling under the above categories, used to directly serve or support specific business, production, and commercial activities of agencies and organizations in specialized fields.
Article 5. Manager of the Information System
1. For state agencies and organizations, the manager of the information system shall be one of the following cases:
a) Ministries, ministerial-level agencies, government agencies;
b) People's Committees of provinces and centrally governed cities;
c) The competent authority deciding to invest in projects for building, establishing, upgrading, and expanding the information system.
2. For enterprises and other organizations, the manager of the information system is the competent authority deciding to invest in projects for building, establishing, upgrading, and expanding the information system.
3. The manager of the information system may delegate to an organization to represent them in directly managing the information system and ensuring its security according to Clause 2, Article 20 of Decree No. 85/2016/NĐ-CP.
The delegation must be carried out in writing, clearly stating the scope and duration of the delegation. The delegated organization must directly perform the rights and obligations of the information system manager without re-delegating to a third party.
Article 6. Unit Operating the Information System
1. The unit operating the information system is the agency or organization assigned by the information system manager to operate the information system.
2. In cases where the information system includes multiple component systems or is distributed, with more than one unit operating the information system, the information system manager must have the responsibility to designate one unit as the lead to perform the rights and obligations of the unit operating the information system according to the provisions of the law.
3. In cases where the information system manager outsources IT services, the unit operating the information system is the service provider.
Article 7. Guidelines for Determining and Describing the Level of Information System Security
The determination and description of the level of information system security shall be carried out as follows:
1. Identifying and classifying the information system; identifying the manager of the information system and the unit operating the information system based on the provisions of Articles 5 and 6 of Decree No. 85/2016/NĐ-CP and Articles 4, 5, and 6 of this Circular.
2. Identifying the type of information processed through the information system based on the provisions of Clause 1, Article 6 of Decree No. 85/2016/NĐ-CP.
3. Determining the level based on the provisions of Articles 7 to 11 of Decree No. 85/2016/NĐ-CP. For information systems proposed at level 4 or level 5, the proposal for the level must clearly explain the following contents:
a) Identifying other related or connected information systems or those that significantly impact the normal operation of the proposed information system; specifying the extent of impact on the proposed information system when these systems suffer from information security breaches.
b) List of proposed critical components and network devices, types of critical information processed in the system (if applicable);
c) Explanation of the importance of critical components and network devices, types of information, and data processed or stored in the system (if applicable);
d) Explanation of cyber attack risks and information security breaches against the system, system components, and critical network devices; the impact of these cyber attack risks and information security breaches on the criteria for determining the level according to Articles 10 and 11 of Decree No. 85/2016/NĐ-CP;
đ) Evaluation of the scope and degree of impact on public interest, social order and safety, or national defense and security when遭受攻击导致信息安全或系统运行中断。对于提议的每个系统,都需要进行评估。
For information systems at level 4, the explanation requires continuous operation 24/7 and does not accept shutdowns without prior planning.
e) Other explanations (if any) based on the actual operation of the information system.
Chapter III
REQUIREMENTS FOR ENSURING INFORMATION SYSTEM SECURITY BY LEVEL
Article 8. General Requirements
1. The security assurance of information systems at each level shall be implemented according to the basic requirements stipulated in this Circular; technical standards and industry standards related to information security.
2. The basic requirements for each level specified in this Circular are the minimum requirements to ensure the security of information systems and do not include physical security requirements.
3. Basic requirements include:
a) Technical requirements: Network infrastructure security; server security; application security and data security;
b) Management requirements: General policy; organization and personnel; design and construction management; operation management; testing, evaluation, and risk management.
4. The development of security assurance plans meeting the basic requirements at each level shall be carried out in accordance with the principles set forth in Clause 2, Article 4 of Decree No. 85/2016/NĐ-CP, specifically as follows:
a) For information systems at levels 1, 2, and 3: Security assurance plans must consider the possibility of shared use among information systems for protective solutions, resource sharing to optimize performance, avoid excessive investment, duplication, and waste. In cases of new investment, there must be an explanation that existing solutions do not meet the basic requirements;
b) For information systems at levels 4 and 5: Security assurance plans need to be designed to ensure availability, separation, and minimize impact on the entire system when a component within the system or related to the system loses information security.
Article 9. Basic Requirements for Each Level
1. The plan to ensure the security of information systems at level 1 must comply with the detailed requirements prescribed in Appendix 1 attached to this Circular.
2. The plan to ensure the security of information systems at level 2 must comply with the requirements for level 1 and supplement the detailed requirements prescribed in Appendix 2 attached to this Circular.
3. The plan to ensure the security of information systems at level 3 must comply with the requirements for level 2 and supplement the detailed requirements prescribed in Appendix 3 attached to this Circular.
4. The plan to ensure the security of information systems at level 4 must comply with the requirements for level 3 and supplement the detailed requirements prescribed in Appendix 4 attached to this Circular.
5. The plan to ensure the security of information systems at level 5 must comply with the requirements for level 4 and supplement the detailed requirements prescribed in Appendix 5 attached to this Circular.
Chapter IV
INSPECTION AND EVALUATION OF INFORMATION SECURITY
Article 10. Content and Form of Inspection and Evaluation
1. Content of inspection and evaluation:
a) Inspection of compliance with legal regulations on ensuring the security of information systems at each level;
b) Evaluation of the effectiveness of measures to ensure the security of information systems;
c) Detection of malicious code, vulnerabilities, weaknesses, and system penetration testing;
d) Other inspections and evaluations as specified by the information system manager.
2. Forms of inspection and evaluation:
a) Regular inspection and evaluation according to the plan of the information system manager;
b) Unscheduled inspection and evaluation upon request of the competent authority.
a) Minister of Information and Communications;
b) Manager of the information system for information systems under their jurisdiction;
c) Specialized units for information security of the information system manager for information systems approved by this unit for the proposal level.
4. The entity responsible for conducting inspection and evaluation is the entity assigned the task by the competent authority or selected to perform the inspection and evaluation task.
5. The subjects of inspection and evaluation are the managers of information systems or operating units of information systems and related information systems.
5. The objects of inspection and evaluation are the managers of the information system or units operating the information system and related information systems.
Article 11. Inspection of compliance with laws on ensuring information system security according to levels
1. Inspection of compliance with laws on ensuring information system security according to levels includes:
a) Inspection of compliance with laws on determining the level of information system security;
b) Inspection of compliance with laws on implementing measures to ensure information system security according to levels.
2. The leading inspection unit shall be one of the following units:
a) The Cybersecurity Agency;
b) A specialized unit for cybersecurity.
3. The regular inspection plan shall include the following contents:
a) List of units and information systems (if any) to be inspected;
b) Scope and content of inspection;
c) Time to conduct inspection;
d) Units to coordinate in inspection (if any).
4. The inspection decision is established after the regular inspection plan has been approved by the competent authority or when there is an urgent inspection by the competent authority.
5. For regular inspections:
a) The leading inspection unit establishes the regular inspection plan for the next year to submit to the competent authority for approval as the basis for implementation;
b) In case of changes from the approved regular inspection plan, the leading inspection unit establishes the adjusted regular inspection plan to submit to the competent authority for approval of adjustment;
c) The regular inspection plan must be sent to the inspected entity and its superior agency within a maximum of 10 days from the date of approval but at least 10 days before the inspection date.
6. For urgent inspections:
Based on the urgent inspection requirements and the inspection decision, the Head of the Inspection Team specifies the inspection contents accordingly.
7. After completing direct inspection at the site, the Inspection Team is responsible for informing the inspected entity and handing over materials and equipment used during the inspection (if any).
The Inspection Team is responsible for drafting the Inspection Report, sending it to the inspected entity for comments. Within five days from receiving the draft Inspection Report, the inspected entity is responsible for providing comments on the draft contents.
8. Based on the draft Inspection Report and the feedback from the inspected entity, the Inspection Team completes the Inspection Report and the draft inspection conclusion within thirty days from the end of the on-site inspection and submits them to the competent authority requesting inspection for review and approval.
The inspection conclusion must be sent to the inspected entity and its superior management agency (if any) and related units (if necessary).
Article 12. Evaluation of the effectiveness of information security measures
1. Evaluating the effectiveness of information security measures involves a comprehensive review and verification of the degree of effectiveness of information security plans according to specific criteria and basic requirements.
Evaluating the effectiveness of applied information security measures serves as the basis for adjusting information security plans to meet practical needs.
2. The leading evaluation unit shall be one of the following organizations:
a) The Cybersecurity Agency;
b) A specialized unit for cybersecurity;
c) A state-owned organization with appropriate functions and tasks;
d) A business that has been licensed to provide information security testing and evaluation services.
3. The information system operating unit establishes the annual evaluation plan to submit to the competent authority for approval as the basis for implementation. The evaluation plan includes:
a) List of units and information systems to be evaluated;
b) Time to conduct evaluation;
c) Implementation unit: Self-evaluation or evaluation by a specialized cybersecurity unit or outsourcing in accordance with the law.
4. In case of changes from the approved evaluation plan, the information system operating unit establishes the adjusted evaluation plan to submit to the competent authority for approval of adjustment.
5. After completing direct evaluation at the site, the leading evaluation unit is responsible for informing the information system operating unit and handing over materials and equipment used during the evaluation (if any).
The leading evaluation unit is responsible for drafting the Evaluation Report, sending it to the information system operating unit for comments. Within five days from receiving the draft Evaluation Report, the information system operating unit is responsible for providing comments on the draft contents.
6. Based on the draft Evaluation Report and the comments from the information system operating unit, the leading evaluation unit completes the Evaluation Report and sends it to the information system operating and managing units.
Article 13. Evaluation of Malware Detection, Vulnerabilities, Weaknesses, and System Intrusion Testing
1. The evaluation of malware detection, vulnerabilities, weaknesses, and system intrusion testing involves conducting scans to identify system vulnerabilities and weaknesses, testing system intrusion attacks, and assessing potential risks and damages that information systems may suffer from such attacks.
2. The leading evaluation unit shall be one of the following organizations:
a) The Cybersecurity Agency;
b) A specialized unit for cybersecurity;
c) A state-owned organization with appropriate functions and tasks;
d) A business entity that has been granted permission to provide cybersecurity inspection and evaluation services or another organization permitted by the information system manager to conduct malware detection, vulnerability, weakness evaluations, and system intrusion testing.
3. The entity responsible for organizing the evaluation of malware detection, vulnerabilities, weaknesses, and system intrusion testing shall have the following responsibilities:
a) Informing the information system manager about identified cybersecurity weaknesses to address and prevent cybersecurity incidents.
b) Ensuring data security related to the evaluated system, not disclosing such data without the consent of the information system manager.
c) Conducting the evaluation of malware detection, vulnerabilities, weaknesses, and system intrusion testing must ensure it does not affect the normal operation of the system.
Cfragrance V
ACCEPTANCE AND REVIEW OF APPLICATION FILES FOR RATING
Article 14. Submission and Acceptance of Application Files for Rating Review
1. For information systems proposed for Levels 1, 2, and 3:
The operating unit of the information system shall submit one original copy and two valid copies of the application file for rating to the specialized unit on cybersecurity for review.
2. For information systems proposed for Levels 4 and 5:
a) The information system manager shall submit one original copy and four valid copies of the application file for rating to the Ministry of Information and Communications (Cybersecurity Agency) for review.
b) The organization receiving the application files and the address for receiving application files for information systems proposed for Levels 4 and 5:
Ministry of Information and Communications (Cybersecurity Agency), Floor 8, Building 115 Tran Duy Hung Street, Cau Giay District, Hanoi City.
In case of changes to the address for receiving application files, the Cybersecurity Agency will publicly announce the change according to regulations.
Within five working days from the date of receipt, the organization receiving the application file for rating shall check the validity of the file. If the file is invalid, the organization receiving the application file for rating shall notify the submitting organization in writing to supplement and complete the file.
Article 15. Organization of Review of Application Files for Rating
1. For information systems proposed for Levels 1, 2, and 3:
The specialized unit on cybersecurity shall conduct the review of application files for rating in accordance with Article 16 of Decree 85/2016/NĐ-CP.
During the review process, if necessary, the specialized unit on cybersecurity shall seek written opinions from relevant units.
2. For information systems proposed for Levels 4 and 5:
The Ministry of Information and Communications shall conduct the review of application files for rating in accordance with Article 16 of Decree 85/2016/NĐ-CP. The organization of the review of application files for rating shall be carried out according to the following procedures:
a) The Cybersecurity Agency shall seek written opinions from the Legal Affairs Department and other relevant units within the Ministry of Information and Communications when necessary based on their functions and tasks.
b) The Ministry of Information and Communications shall seek written opinions from the Ministry of National Defense and the Ministry of Public Security as prescribed.
c) Based on the written opinions of the Ministry of National Defense, the Ministry of Public Security, and other relevant units, if necessary, the Ministry of Information and Communications shall establish a Review Board to exchange views, discuss, and provide specific opinions. The Chairman of the Review Board shall be assigned by the Minister of Information and Communications, including representatives from the Leadership of the Cybersecurity Agency, the Legal Affairs Department, the VNCERT Center - Ministry of Information and Communications, representatives from the Leadership of functional units of the Ministry of Public Security, the Ministry of National Defense, and some independent experts (if necessary).
Article 16. Coordination Mechanism for Review
1. The system information operation unit shall be responsible for coordinating with the level proposal review unit in determining the suitability of the level proposal file to the operational requirements of the corresponding information system.
2. In necessary cases, the level proposal review unit shall conduct on-site inspections and evaluations of the security assurance plans for the information systems according to the proposed levels. Such inspections and evaluations must not affect the normal operations of the information systems and must notify the system managers and operation units upon identifying any weaknesses that need to be addressed.
…………………………..
protect the origin and content of information in accordance with the agreement among the parties involved in sharing information.
4. Information sharing shall be conducted at least once every quarter and in accordance with the actual operational needs of the corresponding information systems.
5. Shared information includes:
a) Unanalyzed or analyzed information regarding potential loss of information security; information about cyber attacks that have occurred:
- Types of cyber attacks recorded within the system;
- Number of cyber attack events recorded within the system;
- Sample data of cyber attacks collected;
- Other data agreed upon by the parties involved in sharing information.
b) Activities ensuring information system security such as awareness campaigns, training, drills, and other relevant information.
Chapter VII
IMPLEMENTATION
Article 19. Effective Date
1. This Circular takes effect from July 1, 2017;
2. During the implementation of this Circular, if there are any issues, agencies and units should contact the Ministry of Information and Communications (Information Security Department) for coordination in resolving them.
|
Place of Receipt: |
THE MINISTER |
ANNEX 1
BASIC REQUIREMENTS FOR SECURING INFORMATION SYSTEMS FOR LEVEL 1 INFORMATION SYSTEMS
(Annexed to Circular No. 03/2017/TT-BTTTT dated 24 the 4 NAME OF ORGANIZATION/UNIT/
1. Technical Requirements:
a) Server Security:
- Password authentication and system logging for server access and management activities;
- No unencrypted connections for remote server management;
b) Application Security:
- Password authentication and logging for application access and administrative login functions;
c) Data Security:
- Regular backup of data on the system based on requirements and usage purposes.
2. Management Requirements:
a) General Policy: Information security policy for system administrators and operators;
b) Organization and Personnel: Point of contact for reporting, exchanging, and handling emerging issues or security incidents.
ANNEX 2
BASIC REQUIREMENTS FOR SECURING INFORMATION SYSTEMS FOR
LEVEL 2 INFORMATION SYSTEMS
(Annexed to Circular No. 03/2017/TT-BTTTT dated April 24, 2017 issued by the Minister of Information and Communications)
1. Technical Requirements:
a) Network Infrastructure Security:
- Segmentation of network infrastructure into different zones based on requirements and usage purposes;
- Use of firewall devices to prevent unauthorized access between zones and the Internet;
- Authentication and encryption mechanisms when using wireless networks (if applicable);
- Account authentication solutions for critical network devices;
- Remote device management solutions (if applicable) through protocols supporting encryption;
b) Server Security:
- Use of anti-malware software on servers with automatic updates or new malware signature detection mechanisms;
- Password authentication mechanism with required complexity, periodic password changes as stipulated by the organization, and protection against password guessing attacks; authentication information must be stored in the system in encrypted form;
- Disablement of default or inactive accounts on the system; deactivation of unused services and software on the server;
- System logging for server access and management activities;
- Establishment of a patch update mechanism for operating system and service vulnerabilities on the server;
c) Application Security:
- Password strength requirements on applications to limit password guessing attacks; authentication information must be stored in encrypted form;
- Logging of access and error events;
- No unencrypted connections for remote application management.
d) Data Security: Use of independent storage systems or media to back up important data on servers regularly as prescribed by the organization.
2. Management Requirements:
a) General Policy:
- Information security policy for users including access and usage policies for networks and resources on the Internet, and application access;
- Information security policy for system administrators and operators including but not limited to network infrastructure security, server security, application security, and data security policies;
b) Organization and Personnel:
Procedures for issuing, revoking user accounts and access rights for new employees joining the system, employees changing roles, or employees ceasing to use the system;
c) Design and Construction Management:
- Design documentation describing security assurance plans for the information system;
- Inspection and verification procedures to ensure compliance with design documents and security requirements before acceptance and handover;
- Level assessment files approved by the specialized information security unit of the system manager;
d) Operation Management:
- System management and operation procedures meeting basic technical requirements; management of system changes, relocation, decommissioning, and termination;
- Emergency response plans for security incidents;
e) Inspection, Evaluation, and Risk Management:
- Periodic inspection and evaluation of information security and risk management every two years or as needed in accordance with legal provisions.
- The inspection and evaluation of information security and risk assessment must be carried out by the specialized unit responsible for information security of the system's management body or outsourced in accordance with the provisions of the law.
ANNEX 3
BASIC REQUIREMENTS FOR ENSURING THE SECURITY OF INFORMATION SYSTEMS FOR LEVEL 3 INFORMATION SYSTEMS
(Annexed to Circular No. 03/2017/TT-BTTTT dated April 24, 2017 issued by the Minister of Information and Communications)
1. Technical Requirements:
a) Network Infrastructure Security:
- There must be a dedicated network zone design including a private network zone for internal servers, a private network zone for servers providing necessary system services (such as DNS, DHCP, NTP services and others), a private network zone for database servers, and other private network zones as required by the organization;
- There must be a design to divide the internal network into separate functional networks according to business requirements; isolate the wireless network into its own private network zones separate from the functional network zones; isolate the private network zones for servers providing external internet services;
- There must be a load balancing plan and measures to mitigate denial-of-service attacks;
- There must be a centralized storage management system design and information security monitoring system;
- There must be a plan to use firewall devices between important network zones;
- There must be a plan to detect, prevent intrusions, and filter malicious software between the internet and internal networks;
- There must be logging of network device logs and centralized management within the administrative network zone for network devices that support this feature or critical network devices;
- Logs of network devices must be stored for at least three months and ensure synchronization of log times with the real-time time server according to Vietnam time zone;
- There must be a backup plan for key network devices in the system to ensure normal operation of the system when a network device fails;
- There must be a plan to update software, address information security vulnerabilities, and optimize network device configurations before deployment on the network;
- There must be a plan to authenticate administrator accounts on all network devices ensuring necessary password complexity requirements and preventing password brute-force attacks;
- There must be a plan to limit access sources and manage network device administration;
- There must be a plan to only allow network device administration through the internet using virtual private networks or equivalent methods;
- There must be logging of activities on internal network devices and ensure synchronization of log times with the time server;
- Information authentication stored on network devices must be encrypted;
b) Server Security:
- There must be a plan for centralized authentication management; prevent automatic login and automatically terminate sessions after a suitable waiting period according to organizational policy;
- Access, administration, and resource usage rights for each account on the system must be set up appropriately based on different job tasks and business requirements;
- There must be a plan for centralized management of software patching and upgrades;
- There must be a plan for centralized storage and management of server logs. Logs must be stored for at least three months;
- There must be a plan to synchronize server logs with the information security monitoring system;
- There must be a plan to limit allowed access and administration sources for servers; server administration through the internet must use virtual private networks or equivalent methods;
- There must be a plan to use firewalls on individual servers to allow only legitimate connections according to the services provided by the server;
- There must be a plan to back up the operating system and configuration of servers in accordance with organizational requirements;
- There must be logging of access, administration, and error generation activities;
c) Application Security:
- There must be a requirement to change passwords periodically for application administrator accounts; limit the waiting time to close a session when the application does not receive requests from users;
- There must be a separation of the application administration from the application providing services to users and ensure that applications operate with minimum privileges on the system;
- There must be a plan to limit allowed access and administration sources for applications; application administration through the internet must use virtual private networks or equivalent methods;
- There must be a plan to check and filter input data from users to ensure these data do not affect the security of the application;
d) Data Security:
- There must be a plan to encrypt stored data (excluding public information/data) on storage systems/media;
- There must be an automatic backup plan for information/data appropriate to the frequency of data changes;
2. Management Requirements:
a) General Policy: Regularly review and update the general information security policy every two years or as needed;
b) Organization and Personnel:
- There must be a plan and regular training, enhancement, dissemination, and promotion of knowledge and skills related to information security for relevant management and technical staff;
- There must be a policy requiring relevant staff to commit to confidentiality regarding data on the system, organizational private information, or sensitive information when leaving their positions;
c) System Design and Construction:
There must be a proposal file for the level reviewed by the specialized unit responsible for information security of the system's management body;
d) Operation Management:
- There must be a plan to monitor information security for the system during operation in accordance with the provisions of the law;
- There must be a plan and regularly organize drills to ensure information security for the system; send staff to participate in national or international drills convened by competent authorities;
- There must be a plan to restore normal system operations in case of incidents or disasters;
e) Inspection, Evaluation, and Risk Management:
- Annually conduct inspections, evaluations of information security, and risk management in accordance with the provisions of the law;
- The inspection, evaluation of information security, and risk assessment must be carried out by a specialized organization licensed by the competent authority or a state-run organization with appropriate functions and tasks designated by the system's management body in accordance with the provisions of the law.
ANNEX 4
BASIC REQUIREMENTS FOR ENSURING THE SECURITY OF INFORMATION SYSTEMS FOR LEVEL 4 INFORMATION SYSTEMS
(Annexed to Circular No. 03/2017/TT-BTTTT dated April 24, 2017 issued by the Minister of Information and Communications)
1. Technical Requirements:
a) Network Infrastructure Security:
- There must be a plan to detect and prevent intrusions between important network zones;
- There must be a plan for centralized management of wireless networks (if applicable);
- Have a centralized malware prevention management system. The basic functions of the system include: data updates, sending alerts, receiving control information from the centralized management system to software installed on servers/workstations within the network;
- Have a hot standby plan for key network devices to ensure continuous operation of the system; the capacity of the backup device must meet the scale of the system's operations;
- Have a plan to use multi-factor authentication methods for important network devices;
- Have a plan to independently store logs that are appropriate to the activities of network devices. Log data must be stored for at least six months;
- Have a real-time alerting plan directly to the system administrator through the monitoring system when incidents are detected on network devices;
- Have a plan to maintain at least two internet connections from ISPs using different domestic infrastructure connections (if the system is required to have an internet connection);
- Have a plan to prevent data loss within the system;
b) Server Security:
- Have a plan to use multi-factor authentication mechanisms when accessing servers within the system;
- Have a plan to independently store logs that are appropriate to the activities of servers. Log data must be stored for at least six months;
- Have a plan to check the integrity of system files and the integrity of permissions granted on system accounts;
c) Application Security:
- Have a plan to use multi-factor authentication mechanisms when accessing application administrative accounts; have a mechanism requiring users to change authentication information periodically;
- Have a plan to independently store logs that are appropriate to the activities of applications. Log data must be stored for at least six months;
- Have a mechanism to encrypt user authentication information before sending it to the application over a network environment;
- Have a mechanism to verify information and source when exchanging non-public information during application management over a network environment;
d) Data Security:
- Have a plan to check the integrity of data and detect, alert when data changes;
- Have a plan to classify and manage stored data according to types/groups by assigning different labels;
- Have a backup system with fault tolerance capabilities to ensure data can be restored when incidents occur;
2. Management Requirements:
a) General policy: Periodically review and update the general security policy every one year or as needed;
b) Organization and Personnel:
- Have a policy to audit and verify the background of management and technical operation staff responsible for system security, ensuring their suitability in terms of professional expertise, ethical standards, and specific job requirements;
- Have a plan and conduct annual training, enhancement, dissemination, and promotion of knowledge and skills related to information security for relevant management and technical staff;
- Have a policy to build a dedicated team for information security and assign leadership to directly oversee information security;
c) System Design and Construction:
- Have a level certification file reviewed by the Ministry of Information and Communications;
- Have a plan to test compatibility and impact of security patches and updates on system operations;
- Have a plan to configure optimally and ensure information security for network devices and servers before they are put into operation in the system;
- Have a plan to conduct comprehensive security assessments of the system before it is put into operation and exploitation;
d) Operation Management:
- Have a plan to monitor information security specifically for the system in accordance with the law; organize 24/7 direct monitoring;
- Have a plan and conduct annual exercises to ensure information security for the system;
- Have an emergency response plan to ensure network information security in accordance with the law;
e) Inspection, Evaluation, and Risk Management:
- Conduct periodic annual reviews and evaluations of information security and risk management;
- The review and evaluation of information security and risk management must be carried out by a specialized organization licensed by the competent authority or a state-owned institution with appropriate functions and tasks designated by the system's management;
ANNEX 5
BASIC REQUIREMENTS FOR ENSURING INFORMATION SYSTEM SECURITY FOR LEVEL 5 INFORMATION SYSTEMS
(Annexed to Circular No. 03/2017/TT-BTTTT dated April 24, 2017 issued by the Minister of Information and Communications)
1. Technical Requirements:
a) Network Infrastructure Security:
- Have a firewall system and an intrusion detection and prevention system between network zones of the system;
- Have a plan to store network device logs for at least twelve months;
- Have a backup plan for all network devices to ensure uninterrupted system operation;
b) Server Security:
- Have a plan to use workstation-level intrusion prevention solutions for servers;
- Have a plan to independently store server logs that are appropriate to the activities of servers. System logs must be stored for at least twelve months;
c) Application Security:
- Have a plan to apply two-way authentication mechanisms when exchanging important data over a network environment;
- Have a plan to use dedicated storage devices to store authentication information;
- Have a plan to store application logs for at least twelve months;
d) Data Security:
- Have a plan to use private channels when transmitting and exchanging data over a network environment;
- Have a plan to store backups of system data at different geographic locations;
- Have a plan to maintain at least two connections from the primary backup system to the secondary backup system;
2. Management Requirements:
a) General Policy:
Periodically review and update the general security policy every six months or as needed;
b) Organizational and personnel policies:
- Different positions must be assigned different dedicated staff members, no兼任职务;
- Critical operational positions must be staffed by at least two personnel working together;
c) System Design and Construction:
Products and equipment invested in the system must be tested for information security before being put into operation and exploitation;
d) Operation Management:
Have a plan and conduct biannual exercises to ensure information security for the system;
e) Inspection, Evaluation, and Risk Management:
- Conduct periodic reviews and evaluations of information security and risk management every six months or as required by actual needs or warnings from competent authorities.
The information security inspection, evaluation, and information security risk assessment must be conducted by a specialized organization licensed by the competent authority or a state-run institution with appropriate functions and tasks designated by the system's management entity in accordance with the provisions of the law.
Văn bản gốc (PDF)
Bản đồ quan hệ
Bấm vào một văn bản để mở. Viền đỏ = quan hệ làm thay đổi hiệu lực.
Bản dịch
Văn bản này có sẵn ở các ngôn ngữ sau: