Based on the provided information, these are the technical and management requirements for high-level security information systems (complexity level from 1 to 7). Below is a summary of the main technical requirements:
适用范围
Information systems need to be designed with separate network zones based on function. - High-security information systems, especially those processing state secrets.
要点
- Requirements for system design:
- Design network zones within the system based on function (for example: internal network zone, border zone, DMZ...). - Ensure safety when managing remote access and between network zones. - Load balancing and backup for network devices. - Protect database servers with dedicated firewalls if necessary. - Filter malicious software in the network environment. - Prevent Denial of Service (DoS) attacks. - Protect web applications. - Manage email system security. - Centralized monitoring and security event analysis.
- Requirements for setting up and configuring the system:
- Control external and internal network access. - System logging. - Intrusion prevention. - Malware protection. - Server handling during transfer. - Application and source code security assurance.
- Management requirements:
- Information system security design. - Development of outsourced software. - Testing and acceptance of the system. - System operation management (including network, server, data, endpoint device management...). - Information security risk management.
- Risk management plan:
- Information security risk management. - System operation termination, exploitation, liquidation, and cancellation.
🌐 本文件的社会影响
- Compliance with these requirements helps protect information systems from cyber security threats and ensures data integrity.
- Risk management plans and system operation termination strategies also play a crucial role in minimizing negative impacts in case of incidents.
❓ 常见问题
Why is it necessary to design separate network zones?
This design helps to divide the system into smaller parts, making management and security easier.
What is geographic redundancy?
This is a strategy of placing systems in different geographic locations to ensure operational readiness in case of an incident at a specific location.
全文
|
MINISTRY OF INFORMATION AND COMMUNICATION |
SOCIALIST REPUBLIC OF VIETNAM Independence - Freedom - Happiness |
| Number: 12/2022/TT-BTTTT | Hanoi, August 12, 2022 |
Detailed regulations and guidance on certain provisions of
Decree No. 85/2016/NĐ-CP dated July 1, 2016 of the Government
on ensuring information system security according to levels
||| Pursuant to the Cybersecurity Law dated November 19, 2015;
Pursuant to Decree No. 85/2016/NĐ-CP dated July 1, 2016 of the Government on ensuring the security of information systems according to levels;
Pursuant to Decree No. 48/2022/NĐ-CP dated July 26, 2022 of the Government stipulating the functions, tasks, powers, and organizational structure of the Ministry of Information and Communications;
At the proposal of the Director of the Information Security Agency;
The Minister of Information and Communications promulgates this Circular providing detailed regulations and guidance on certain provisions of Decree No. 85/2016/NĐ-CP dated July 1, 2016 on ensuring information system security according to levels.
PART I
GENERAL PROVISIONS
Article 1. Scope of Regulation
This Circular provides detailed regulations and guidance on ensuring information system security according to levels, including: Identification of information systems and explanation of information system security levels; requirements for ensuring information system security according to levels; inspection and evaluation of information security; reporting procedures.
Article 2. Applicability
The subjects to which this Circular applies shall implement in accordance with the provisions of Article 2 of Decree No. 85/2016/NĐ-CP dated July 1, 2016 of the Government on ensuring information system security according to levels (hereinafter referred to as Decree No. 85/2016/NĐ-CP).
Article 3. Explanation of Terms
In this Circular, the following terms are understood as follows:
1. Hot standby is the ability to replace the function of equipment when a failure occurs without interrupting the operation of the system.
2. Main network equipment or critical equipment refers to equipment within the system whose failure without prior planning will disrupt the entire information system's operation. The main network equipment components are determined based on the level of the information system, including at least: Central switching equipment or equivalent, central firewall, web application firewall, centralized storage system, database firewall.
Article 4. Information System Administrator
1. For Ministries, agencies at the ministerial level, government agencies, People's Committees of provinces and centrally-administered cities, the information system administrator is one of the following cases:
a) Ministries, agencies at the ministerial level, government agencies;
b) People's Committees of provinces and centrally-administered cities;
c) The authority having the right to decide on investment projects for building, establishing, upgrading, and expanding information systems. Ministries, agencies at the ministerial level, government agencies, People's Committees of provinces and centrally-administered cities decide on the information system administrator in accordance with the provisions of this clause, ensuring that the agency or organization entrusted with the role of information system administrator has sufficient capacity to fully implement the provisions of Article 20 of Decree No. 85/2016/NĐ-CP.
2. For enterprises and other organizations (excluding Ministries, agencies at the ministerial level, government agencies, People's Committees of provinces and centrally-administered cities), the information system administrator is the authority having the right to decide on investment projects for building, establishing, upgrading, and expanding information systems.
3. In necessary cases, the information system administrator may delegate responsibilities to a subordinate organization with sufficient capacity to act on behalf of the information system administrator as stipulated in Clause 2 of Article 20 of Decree No. 85/2016/NĐ-CP.
Delegation of responsibility for the information system administrator must be carried out in writing, clearly stating the scope of the system, the responsibilities of the delegated organization, and the duration of the delegation.
Article 5. Information System Operation Unit
1. The information system operation unit is an agency or organization assigned by the information system administrator to operate the information system.
2. In cases where the information system consists of multiple component systems or is distributed, and there are more than one information system operation units, the information system administrator is responsible for designating a leading unit to perform the rights and obligations of the information system operation unit as prescribed by law.
3. In cases of outsourcing IT services, the information system operation unit is determined as follows:
a) In cases where the service provider has not been identified in accordance with the law, the leading unit outsourcing the service acts as the operation unit;
b) In cases where the service provider has been identified in accordance with the law, the operation unit is the service provider;
c) In cases where the service provision period has expired, if the information system established through outsourcing continues to operate, the operation unit is determined as the leading unit outsourcing the service.
Article 6. Review of the Application for Determining the Level in Cases Where the Specialized Unit on Information Security Is Also Assigned to Manage and Operate the Information System
In cases where the specialized unit on information security is also assigned by the system's management authority to manage and operate the information system, the organization of the review of the Application for Determining the Level shall be carried out according to one of the following options:
1. The specialized unit on information security shall submit to the system's management authority a subordinate unit with sufficient capacity to take the lead and organize the review.
2. The specialized unit on information security shall propose to the system's management authority to establish an independent Review Board to perform the task of reviewing the Application for Determining the Level.
Chapter II
DETERMINATION OF INFORMATION SYSTEMS AND EXPLANATION OF THE LEVEL OF INFORMATION SECURITY
INFORMATION SYSTEM SECURITY LEVEL
Article 7. Determination of Information Systems
1. The determination of information systems for the purpose of determining the level is based on the principles stipulated in Clause 1, Article 5 of Decree No. 85/2016/NĐ-CP.
2. Internal-use information systems are those serving internal administrative and operational activities of agencies and organizations.
3. Information systems serving citizens and businesses are those directly or indirectly providing online services, including online public services and other online services in telecommunications, information technology, commerce, finance, banking, healthcare, education, and other specialized fields.
4. Information infrastructure systems are collections of equipment, transmission lines serving common operations of multiple agencies and organizations such as wide area networks, databases, data centers, cloud computing; electronic authentication, digital certification, digital signatures; interconnection of information systems.
5. Industrial Control Information Systems are systems with functions to monitor, collect data, manage, and control important components to serve the normal operation of construction projects.
6. Other information systems are those not falling under the types mentioned in Clauses 2, 3, 4, and 5 of this Article, used to directly serve or support specific business, production, and commercial activities of agencies and organizations within their specialized fields.
7. Quarterly (on the first day of each quarter), the Cybersecurity Agency under the Ministry of Information and Communications shall be responsible for updating and supplementing the list of information systems as prescribed in Clauses 2, 3, 4, 5, and 6 of this Article and publish it on the Ministry of Information and Communications' official website.
Article 8. Explanation of the Level of Information System Security
1. For new or expanded information systems, depending on the investment form and technical solutions in the Economic and Technical Report (in the case of a project applying a single-step design scheme), in the Basic Design included in the Feasibility Study Report (in the case of a project applying a two-step design scheme), in the Plan for Hiring IT Services (in the case of hiring IT services), or in the Outline and Detailed Budget (in the case of IT application investment without a project), they must meet the requirements of the information security assurance plan at the proposed level, explained in the Application for Determining the Level.
2. The explanation of the Application for Determining the Level includes the following components:
a) General description of the information system;
b) Explanation of the proposed level;
c) Explanation of the information security assurance plan.
3. The general description of the information system includes the following contents:
a) Information about the system's management authority, including: Name of the system's management authority; functional duties and powers; representative person and position; address; contact information (including phone number, email);
b) Information about the system's operating unit, including: Name of the operating unit; functional duties and powers; representative person and position; address; contact information (including phone number, email);
c) Description of the scope and scale of the information system, clarifying the scope of the system, its scale, and the target audience served by the system;
d) Description of the current system architecture (for systems currently in operation) or description of the system architecture (for newly constructed or upgraded systems), including detailed descriptions of the logical model, physical model of the system, list of main equipment and network devices in the system (including device name/type, deployment location, purpose of use), list of applications/services provided by the system (including service name, server deployment location/system, purpose of use), planning of network areas and IP addresses in the system (including network areas, internal IP addresses (IP Private), public IP addresses (IP Public)).
4. Explanation of the proposed level includes the following contents:
a) List of information systems and corresponding levels, including: Name of the information system, proposed level, basis for proposing the level for each information system;
b) Detailed explanation of the information systems, clarifying the type of information processed, type of information system, basis for proposing the level for each information system.
5. For information systems proposed at Level 4 or Level 5, in addition to the contents specified in Clause 3 of this Article, the following additional contents need to be clarified:
a) Identification of related or connected information systems that have significant impact on the normal operation of the proposed-level information system;
b) Explanation of cyber attack risks and their impact on the proposed-level information system;
c) Assessment of the scope and degree of impact on public interest, social order, or national defense and security when the proposed-level information system suffers from cyber attacks causing loss of information security or disruption of operations.
d) Explain the requirement to operate 24/7 without accepting unplanned downtime for information systems as specified in Clause 2 and Clause 3 of Article 10 of Decree 85/2016/NĐ-CP.
6. Explain the measures to ensure information security, including the following contents:
a) Explain the measures to meet the management requirements corresponding to the proposed level;
b) Explain the measures to meet the technical requirements corresponding to the proposed level.
Chapter III
REQUIREMENTS FOR INFORMATION SYSTEM SECURITY BY LEVEL
SYSTEM OF INFORMATION BY LEVEL
Article 9. General Requirements
1. Ensuring the security of information systems according to levels shall be carried out in accordance with the basic requirements stipulated in this Circular and the National Standard TCVN 11930:2017 on Information Technology - Security Techniques - Basic Requirements for Information System Security by Level.
2. The basic requirements for each level stipulated in this Circular are the minimum requirements to ensure the security of information systems, including basic management requirements, basic technical requirements, and excluding physical security requirements.
3. Basic management requirements include:
a) Establishing information security policies;
b) Organizing information security assurance;
c) Ensuring human resources;
d) Managing system design and construction;
đ) Managing system operation;
e) Risk management plan for information security;
g) Plan for ending operation, exploitation, liquidation, and cancellation of information systems.
4. Basic technical requirements include:
a) Network security assurance;
b) Server security assurance;
c) Application security assurance;
d) Data security assurance.
5. Developing plans to ensure information security that meet the basic requirements at each level shall be carried out in accordance with the principles stipulated in Clause 2 of Article 4 of Decree 85/2016/NĐ-CP, specifically as follows:
a) For information systems at Levels 1, 2, and 3: The information security assurance plan must consider the possibility of shared use among information systems for protective solutions and resource sharing to optimize performance, avoid excessive investment, duplication, and waste;
b) For information systems at Levels 4 and 5: The information security assurance plan needs to be designed to ensure availability, separation, and minimize impact on the entire system when a component within the system or related to the system loses information security.
6. When new information systems are invested in and constructed or expanded and upgraded, they must fully implement the approved information security assurance plan in the Level Proposal Document and comply with the security requirements set forth in Articles 9 and 10 of this Circular before being put into operation and exploitation.
7. The regulation for ensuring the security of information systems must be established to meet the security management requirements at the corresponding information system security level and be approved and issued by the competent authority before the Level Proposal Document is approved.
8. Information security requirements for internal software when newly built or expanded and upgraded:
a) Internal software newly built or expanded and upgraded must comply with the Secure Software Development Framework;
b) Meet the basic security requirements for internal software.
9. In the case where an information system at Level 3 is implemented in the form of leasing IT services at a Data Center or Cloud Computing, the system design must meet the following requirements:
a) It must be designed separately and independently from other systems in terms of logic and have access control measures between systems;
b) Network areas within the system must be designed separately and independently from each other in terms of logic and have access control measures between network areas;
c) Logical independent storage partitioning must be implemented.
10. In the case where an information system at Level 4 or Level 5 is implemented in the form of leasing IT services at a Data Center or Cloud Computing, the system design must meet the following requirements:
a) It must be designed separately and independently from other systems in terms of physical aspects and have access control measures between systems;
b) Network areas within the system must be designed separately and independently from each other in terms of logic and have access control measures between network areas;
c) Physical independent storage partitioning must be implemented;
d) Main network devices must be physically separated.
Article 10. Information security assurance plan for each level
1. The information system security assurance plan at Level 1 must comply with the detailed requirements set forth in Appendix I issued together with this Circular.
2. The information system security assurance plan at Level 2 must comply with the detailed requirements set forth in Appendix II issued together with this Circular.
3. The information system security assurance plan at Level 3 must comply with the detailed requirements set forth in Appendix III issued together with this Circular.
4. The information system security assurance plan at Level 4 must comply with the detailed requirements set forth in Appendix IV issued together with this Circular.
5. The information system security assurance plan at Level 5 must comply with the detailed requirements set forth in Appendix V issued together with this Circular.
Chapter IV
INFORMATION SECURITY CHECK AND EVALUATION
Article 11. General provisions on inspection and evaluation activities
1. Inspection and evaluation contents:
a) Inspection and evaluation of compliance with legal regulations on ensuring information system security according to levels;
b) Inspection and evaluation of the effectiveness of information security measures according to the approved information security assurance plan;
c) Inspection and evaluation to detect malicious code, vulnerabilities, weaknesses, and penetration testing of information systems.
2. Frequency of inspection and evaluation:
a) Periodic inspection and evaluation as prescribed in point c, Clause 2, Article 20 of Decree 85/2016/NĐ-CP;
b) Ad hoc inspection and evaluation upon request of the competent authority.
3. Forms of inspection and evaluation to detect malicious code, vulnerabilities, weaknesses, and penetration testing of information systems, including the following three forms:
a) Black box inspection and evaluation;
b) Gray box inspection and evaluation;
c) White box inspection and evaluation.
Article 12. Contents of inspection and evaluation on information security
1. Contents of inspection and evaluation of compliance with legal regulations on ensuring information system security according to levels, including:
a) Inspection and evaluation of compliance with the management body of the information system as prescribed in Article 20 of Decree 85/2016/NĐ-CP, including: Implementation of establishing/designating a specialized unit/department for information security of the management body of the information system as prescribed in Clause 1, Article 20 of Decree 85/2016/NĐ-CP; Implementation of preparing, organizing assessment, and approving the level proposal file for information systems within the scope of management; Implementation of deploying the information security assurance plan according to the plan in the approved level proposal file for information systems within the scope of management; Organizing implementation of inspecting, evaluating information security and managing information security risks within their own agencies and organizations as prescribed in point c, Clause 2, Article 20 of Decree 85/2016/NĐ-CP; Organizing implementation of short-term training, propaganda, dissemination, raising awareness, and drills on information security as prescribed in point d, Clause 2, Article 20 of Decree 85/2016/NĐ-CP;
b) Inspection and evaluation of compliance with the specialized unit for information security of the management body of the information system as prescribed in Article 21 of Decree 85/2016/NĐ-CP, including the following contents: Advisory work, organization of enforcement, urging, inspecting, supervising information security assurance work; Work of assessing, approving or giving professional opinions on the level proposal file according to the prescribed authority;
c) Inspection and evaluation of compliance with the operation unit as prescribed in Article 22 of Decree 85/2016/NĐ-CP;
d) Inspection and evaluation of the organization's implementation of information security measures according to the approved information security assurance plan.
2. Contents of inspection and evaluation of the effectiveness of information security measures according to the approved information security assurance plan, including:
a) Inspection of the completeness and appropriateness of the Information Security Regulation according to the approved information security assurance plan on management;
b) Evaluation of compliance with regulations and procedures in the Information Security Regulation during operation, exploitation, termination, or cancellation of the information system;
c) Evaluation of system design according to the approved information security assurance plan;
d) Evaluation of system setup and configuration according to the approved information security assurance plan;
đ) Inspection of configuration and strengthening security for system equipment, operating systems, applications, databases, and other related components in the system according to the guidelines of the Ministry of Information and Communications.
3. Contents of inspection and evaluation to detect malicious code, vulnerabilities, weaknesses, and penetration testing of information systems, including:
a) Scanning and detecting malicious code, vulnerabilities, weaknesses of the system, and attacking penetration tests against system equipment, operating systems, applications, databases, and other related components in the system;
b) Source code security evaluation for internal software;
c) Proposing solutions and plans to handle vulnerabilities, weaknesses, and configurations and strengthen security for the contents of inspections evaluated as not meeting standards.
Chapter V
REPORTING SYSTEM
Article 13. General provisions on reporting regime
1. Methods for sending and receiving reports:
a) Through the document management and operation system;
b) Through the report software system deployed by the Ministry of Information and Communications;
c) Through electronic mail systems;
d) Other methods as prescribed by law.
2. Frequency of reporting:
a) Annually;
b) Ad hoc upon request from competent authorities.
3. Time period for finalizing data for annual reports:
From December 15 of the year preceding the reporting period to December 14 of the reporting period.
4. Deadline for submitting annual reports:
a) Specialized units responsible for information security and system operators shall submit their reports to the system managers before December 20 each year;
b) System managers shall submit their reports to the Ministry of Information and Communications before December 25 each year.
Article 14. Content of reports
1. General information about the system manager, specialized unit for information security, and operator for each managed information system, including: Name of the system manager, specialized information security unit, and operator; functions, tasks, and powers; representative person and position; address; contact information (including phone number, email).
2. List of information systems under management, including: System name, operator, proposed level.
3. List of information systems approved for level proposal files according to regulations.
4. List of information systems fully implemented, partially implemented, or not yet implemented with protective measures meeting safety requirements according to the approved safety assurance plan at the level.
5. List of information systems having Safety Assurance Regulations according to regulations.
6. List of information systems complying with regulations and procedures in Safety Assurance Regulations during operation, exploitation, termination, or cancellation of information systems.
7. List of information systems inspected and evaluated according to regulations.
8. Evaluation of the implementation of safety assurance measures according to the approved safety assurance plan in the level proposal file based on criteria and requirements.
9. Information on decisions approving level proposal files and safety assurance plans according to criteria and requirements (fully met/not fully met; completion plans or timelines for unmet criteria and requirements).
10. Information on the issuance and Safety Assurance Regulations.
11. Other information as required by competent authorities.
Chapter VI
IMPLEMENTATION
Article 15. Approval time for level proposal files when building new or expanding, upgrading information systems
Level proposal files for information security are encouraged to be approved before the competent authority approves the economic-technical report or the basic design within the feasibility study report or the IT service procurement plan or the detailed outline and budget.
Article 16. Transitional Provisions
1. For operating and exploiting information systems that have been approved for levels prior to the effectiveness of this Circular: The system manager shall review the level proposal files and the approved safety assurance plans. Any review, adjustment, and re-approval of level proposal files and safety assurance plans (if necessary) must be completed by June 2023.
2. For operating and exploiting information systems that have not yet had level proposal files approved: Construction, examination, and approval of level proposal files and implementation of safety assurance plans according to the approved plan in the level proposal file to meet the requirements set out in Circular No. 03/2017/TT-BTTTT dated April 24, 2017 of the Ministry of Information and Communications detailing and guiding certain provisions of Decree No. 85/2016/NĐ-CP dated July 1, 2016 of the Government on ensuring safety of information systems according to levels and in accordance with the provisions of this Circular, ensuring that when this Circular takes effect, there will be no need to repeat the process of constructing, examining, and approving level proposal files.
Article 17. Effectiveness and Responsibility for Implementation
1. This Circular takes effect from October 1, 2022 and replaces Circular No. 03/2017/TT-BTTTT dated April 24, 2017 of the Ministry of Information and Communications detailing and guiding certain provisions of Decree No. 85/2016/NĐ-CP dated July 1, 2016 of the Government on ensuring safety of information systems according to levels.
2. During the implementation of this Circular, if there are any difficulties, agencies and units should contact the Ministry of Information and Communications (Information Security Department) for coordination in resolving them./.
|
Place of Receipt: - Prime Minister and Deputy Prime Ministers (for comments); - Central Party Office and Party Committees; - General Secretary's Office; - National Assembly's Office; - President's Office; - Ministries, agencies equivalent to ministries, and government agencies; - Supreme People's Court; - Supreme People's Procuracy; - State Audit Agency; - CENTRAL ORGANIZATIONS OF ASSOCIATIONS; - Provincial and municipal People's Committees directly under the central government; - Legal Documents Supervision Bureau (Ministry of Justice); - Provincial Departments of Information and Communications; - Official Gazette, Government Portal; - Ministry of Information and Communications: Ministers and Deputy Ministers; agencies and units under the Ministry; Electronic Information Portal; - To be filed: VT, CATTT (230). |
THE MINISTER (Signed) Nguyen Manh Hung
|
Appendix I
BASIC REQUIREMENTS FOR SAFETY OF INFORMATION SYSTEMS
FOR LEVEL 1 INFORMATION SYSTEMS
(Annexed to Circular No. /2022/TT-BTTTT
dated month year 2022 of the Minister of Information and Communications)
I. MANAGEMENT REQUIREMENTS
|
Serial number |
Requirements |
TCVN 11930:2017 |
|
1.1 |
Establishing information security policies |
Section 5.1.1 |
|
1.1.1 |
Information Security Policy |
Section 5.1.1.1 |
|
1.1.2 |
Development and Publication |
Section 5.1.1.2 |
|
1.1.3 |
Review and Amendment |
Section 5.1.1.3 |
|
1.2 |
Organization to Ensure Information Security |
Section 5.1.2 |
|
1.2.1 |
Dedicated Unit for Information Security |
Section 5.1.2.1 |
|
1.2.2 |
Coordination with Competent Authorities |
Section 5.1.2.2 |
|
1.3 |
Ensuring Human Resources |
Section 5.1.3 |
|
1.3.1 |
Recruitment |
Section 5.1.3.1 |
|
1.3.2 |
During the Working Process |
Section 5.1.3.2 |
|
1.3.3 |
Termination or Change of Work |
Section 5.1.3.3 |
|
1.4 |
Management of Design and Construction of Systems |
Section 5.1.4 |
|
1.4.1 |
Information System Security Design |
Section 5.1.4.1 |
|
1.4.2 |
Testing and Acceptance of Systems |
Section 5.1.4.2 |
|
1.5 |
System Operation Management |
Section 5.1.5 |
|
1.5.1 |
Network Security Management |
Section 5.1.5.1 |
|
1.5.2 |
Management of Server and Application Security |
Section 5.1.5.2 |
|
1.5.3 |
Data Security Management |
Section 5.1.5.3 |
|
1.6 |
Information Security Risk Management Plan |
|
|
1.7 |
Plan for System Shutdown, Exploitation, Liquidation, and Abolition |
|
II. TECHNICAL REQUIREMENTS
1. Requirements for System Design
a) Design network zones within the system based on function, the minimum network zones shall include:
i. Internal network zone;
ii. Perimeter network zone;
iii. DMZ zone;
b) Have design solutions to ensure the following requirements:
i. Have a solution to manage secure remote access to the system using a virtual private network or equivalent solution;
ii. Have a solution to manage access between network zones and prevent intrusion, using a firewall product with integrated intrusion prevention functions or equivalent solution;
iii. Have a solution to protect against malware for servers and workstations using anti-malware products or equivalent solution.
2. Requirements for Setting Up and Configuring the System
|
Serial number |
Requirements |
TCVN 11930:2017 |
|
1.1 |
Network Security Assurance |
Section 5.2.1 |
|
1.1.1 |
External Network Access Control |
Section 5.2.1.2 |
|
1.1.2 |
System Logs |
Section 5.2.1.3 |
|
1.1.3 |
Intrusion Prevention |
Section 5.2.1.4 |
|
1.1.4 |
Protection of System Equipment |
Section 5.2.1.5 |
|
1.2 |
Server Security Assurance |
Section 5.2.2 |
|
1.2.1 |
Authentication |
Section 5.2.2.1 |
|
1.2.2 |
Access Control |
Section 5.2.2.2 |
|
1.2.3 |
System Logs |
Section 5.2.2.3 |
|
1.2.4 |
Intrusion Prevention |
Section 5.2.2.4 |
|
1.2.5 |
Malware Prevention |
Section 5.2.2.5 |
|
1.3 |
Application Security Assurance |
Section 5.2.3 |
|
1.3.1 |
Authentication |
Section 5.2.3.1 |
|
1.3.2 |
Access Control |
Section 5.2.3.2 |
|
1.3.3 |
System Logs |
Section 5.2.3.3 |
|
1.4 |
Data Security Assurance |
Section 5.2.4 |
|
1.4.1 |
Backup and Recovery |
Section 5.2.4.1 |
Seal Registration Certificate
BASIC REQUIREMENTS FOR SAFETY OF INFORMATION SYSTEMS
FOR INFORMATION SYSTEMS AT LEVEL 2
(Annexed to Circular No. /2022/TT-BTTTT
dated month year 2022 of the Minister of Information and Communications)
I. MANAGEMENT REQUIREMENTS
|
Serial number |
Requirements |
TCVN 11930:2017 |
|
1.1 |
Establishing information security policies |
Section 6.1.1 |
|
1.1.1 |
Information Security Policy |
Section 6.1.1.1 |
|
1.1.2 |
Development and Publication |
Section 6.1.1.2 |
|
1.1.3 |
Review and Amendment |
Section 6.1.1.3 |
|
1.2 |
Organization to Ensure Information Security |
Section 6.1.2 |
|
1.2.1 |
Dedicated Unit for Information Security |
Section 6.1.2.1 |
|
1.2.2 |
Coordination with Competent Authorities |
Section 6.1.2.2 |
|
1.3 |
Ensuring Human Resources |
Section 6.1.3 |
|
1.3.1 |
Recruitment |
Section 6.1.3.1 |
|
1.3.2 |
During the Working Process |
Section 6.1.3.2 |
|
1.3.3 |
Termination or Change of Work |
Section 6.1.3.3 |
|
1.4 |
Management of Design and Construction of Systems |
Section 6.1.4 |
|
1.4.1 |
Information System Security Design |
Section 6.1.4.1 |
|
1.4.2 |
Outsourced Software Development |
Section 6.1.4.2 |
|
1.4.3 |
Testing and Acceptance of Systems |
Section 6.1.4.3 |
|
1.5 |
System Operation Management |
Section 6.1.5 |
|
1.5.1 |
Network Security Management |
Section 6.1.5.1 |
|
1.5.2 |
Management of Server and Application Security |
Section 6.1.5.2 |
|
1.5.3 |
Data Security Management |
Section 6.1.5.3 |
|
1.5.4 |
Information Security Incident Management |
Section 6.1.5.4 |
|
1.5.5 |
End-User Security Management |
Section 6.1.5.5 |
|
1.6 |
Information Security Risk Management Plan |
|
|
1.7 |
Plan for System Shutdown, Exploitation, Liquidation, and Abolition |
|
II. TECHNICAL REQUIREMENTS
1. Requirements for System Design
a) Design network zones within the system based on function, the minimum network zones shall include:
i. Internal network zone;
ii. Perimeter network zone;
iii. DMZ zone;
iv. Internal server zone;
v. Wireless network zone (if applicable), separated and independent from other network zones.
b) Have design solutions to ensure the following requirements:
i. Have a solution to manage secure remote access to the system using a virtual private network or equivalent solution;
ii. Have a solution to manage access between network zones and prevent intrusion, using a firewall product with integrated intrusion prevention functions or equivalent solution;
iii. Have a solution to protect against malware for servers and workstations using anti-malware products or equivalent solution;
iv. Have a solution to protect against web application attacks; use web application firewall products for information systems as prescribed in Clause 2, Article 8 of Decree No. 85/2016/NĐ-CP;
v. Have a solution to ensure information security for email systems for email systems;
vi. Have a solution for backup of critical network devices, including central switches or equivalent, central firewalls.
2. Requirements for Setting Up and Configuring the System
|
Serial number |
Requirements |
TCVN 11930:2017 |
|
1.1 |
Network Security Assurance |
Section 6.2.1 |
|
1.1.1 |
External Network Access Control |
Section 6.2.1.2 |
|
1.1.2 |
Internal Network Access Control |
Section 6.2.1.3 |
|
1.1.3 |
System Logs |
Section 6.2.1.4 |
|
1.1.4 |
Intrusion Prevention |
Section 6.2.1.5 |
|
1.1.5 |
Protection of System Equipment |
Section 6.2.1.6 |
|
1.2 |
Server Security Assurance |
Section 6.2.2 |
|
1.2.1 |
Authentication |
Section 6.2.2.1 |
|
1.2.2 |
Access Control |
Section 6.2.2.2 |
|
1.2.3 |
System Logs |
Section 6.2.2.3 |
|
1.2.4 |
Intrusion Prevention |
Section 6.2.2.4 |
|
1.2.5 |
Malware Prevention |
Section 6.2.2.5 |
|
1.2.6 |
Server Handling During Transfer |
Section 6.2.2.6 |
|
1.3 |
Application Security Assurance |
Section 6.2.3 |
|
1.3.1 |
Authentication |
Section 6.2.3.1 |
|
1.3.2 |
Access Control |
Section 6.2.3.2 |
|
1.3.3 |
System Logs |
Section 6.2.3.3 |
|
1.3.4 |
Application Security and Source Code |
Section 6.2.3.4 |
|
1.4 |
Data Security Assurance |
Section 6.2.4 |
|
1.4.1 |
Data Security |
Section 6.2.4.1 |
|
1.4.2 |
Backup and Recovery |
Section 6.2.4.2 |
ANNEX III
BASIC REQUIREMENTS FOR SAFETY OF INFORMATION SYSTEMS
FOR INFORMATION SYSTEMS AT LEVEL 3
(Annexed to Circular No. /2022/TT-BTTTT
dated month year 2022 of the Minister of Information and Communications)
I. MANAGEMENT REQUIREMENTS
|
Serial number |
Requirements |
TCVN 11930:2017 |
|
1.1 |
Establishing information security policies |
Section 7.1.1 |
|
1.1.1 |
Information Security Policy |
Section 7.1.1.1 |
|
1.1.2 |
Development and Publication |
Section 7.1.1.2 |
|
1.1.3 |
Review and Amendment |
Section 7.1.1.3 |
|
1.2 |
Organization to Ensure Information Security |
Section 7.1.2 |
|
1.2.1 |
Dedicated Unit for Information Security |
Section 7.1.2.1 |
|
1.2.2 |
Coordination with Competent Authorities |
Section 7.1.2.2 |
|
1.3 |
Ensuring Human Resources |
Section 7.1.3 |
|
1.3.1 |
Recruitment |
Section 7.1.3.1 |
|
1.3.2 |
During the Working Process |
Section 7.1.3.2 |
|
1.3.3 |
Termination or Change of Work |
Section 7.1.3.3 |
|
1.4 |
Management of Design and Construction of Systems |
Section 7.1.4 |
|
1.4.1 |
Information System Security Design |
Section 7.1.4.1 |
|
1.4.2 |
Outsourced Software Development |
Section 7.1.4.2 |
|
1.4.3 |
Testing and Acceptance of Systems |
Section 7.1.4.3 |
|
1.5 |
System Operation Management |
Section 7.1.5 |
|
1.5.1 |
Network Security Management |
Section 7.1.5.1 |
|
1.5.2 |
Management of Server and Application Security |
Section 7.1.5.2 |
|
1.5.3 |
Data Security Management |
Section 7.1.5.3 |
|
1.5.4 |
Terminal Device Security Management |
Section 7.1.5.4 |
|
1.5.5 |
Malware Prevention Management |
Section 7.1.5.5 |
|
1.5.6 |
Information System Security Monitoring Management |
Section 7.1.5.6 |
|
1.5.7 |
Vulnerability Management |
Section 7.1.5.7 |
|
1.5.8 |
Information Security Incident Management |
Section 7.1.5.8 |
|
1.5.9 |
End-User Security Management |
Section 7.1.5.9 |
|
1.6 |
Information Security Risk Management Plan |
|
|
1.7 |
Plan for System Shutdown, Exploitation, Liquidation, and Abolition |
|
II. TECHNICAL REQUIREMENTS
1. Requirements for System Design
a) Design network zones within the system based on function, the minimum network zones shall include:
i. Internal network zone;
ii. Perimeter network zone;
iii. DMZ zone;
iv. Internal server zone;
v. Wireless network zone (if applicable), separate and independent from other network zones;
vi. Database server network zone;
vii. Administration zone.
b) Have design solutions to ensure the following requirements:
i. Have a remote system management and administration access control plan using virtual private networks or equivalent solutions; use virtual private network products for information systems processing state secrets or systems specified in point c, Clause 2, Article 9 of Decree 85/2016/NĐ-CP;
ii. Have a network zone access control and intrusion prevention plan using firewall products with integrated intrusion prevention functions or network layer intrusion prevention products;
iii. Have a load balancing and hot standby plan for key network devices, at least including central switches or equivalents, central firewalls, web application firewalls, centralized storage systems, database firewalls (if applicable);
iv. Have a security plan for database servers; use database firewall products for centralized database systems, meeting the criteria set out in Clause 3, Article 9 of Decree 85/2016/NĐ-CP;
v. Have a malware filtering plan on the network environment using firewall products with integrated network environment malware protection functions or equivalent solutions;
vi. Have a distributed denial-of-service attack prevention plan; use distributed denial-of-service attack prevention services or products for data center systems, cloud computing systems, electronic identity and authentication systems, electronic certification systems, digital signature systems, and integrated and shared data connection systems, meeting the criteria set out in Clause 3, Article 9 of Decree 85/2016/NĐ-CP;
vii. Have a web application attack prevention plan; use web application firewall products for information systems specified in Clause 2, Article 9 of Decree 85/2016/NĐ-CP;
viii. Have a plan to ensure email system information security; use email system information security products for email systems, meeting the criteria set out in Clause 2, Article 9 of Decree 85/2016/NĐ-CP;
ix. Have a network layer access management plan; use network layer access management products for internal network systems, network security monitoring and operation centers, meeting the criteria set out in Clause 3, Article 9 of Decree 85/2016/NĐ-CP;
x. Have a centralized information system monitoring plan;
xi. Have a centralized information system security monitoring plan using information security event management and analysis products or equivalent products;
xii. Have a centralized backup management plan using centralized storage systems and centralized storage management products;
xiii. Have a plan to manage anti-malware software on servers/user computers, using anti-malware products and/or endpoint security incident detection and response products with centralized management functions;
xiv. Have a data leakage prevention plan; use data leakage prevention products for information systems processing state secrets or systems specified in point c, Clause 2, Article 9 of Decree 85/2016/NĐ-CP;
xv. Have a backup internet connection plan for service servers;
xvi. Have a plan to ensure wireless network security (if applicable).
2. Requirements for Setting Up and Configuring the System
|
Serial number |
Requirements |
TCVN 11930:2017 |
|
1.1 |
Network Security Assurance |
Section 7.2.1 |
|
1.1.1 |
External Network Access Control |
Section 7.2.1.2 |
|
1.1.2 |
Internal Network Access Control |
Section 7.2.1.3 |
|
1.1.3 |
System Logs |
Section 7.2.1.4 |
|
1.1.4 |
Intrusion Prevention |
Section 7.2.1.5 |
|
1.1.5 |
Protection against malicious software in the network environment |
Section 7.2.1.6 |
|
1.1.6 |
Protection of System Equipment |
Section 7.2.1.7 |
|
1.2 |
Server Security Assurance |
Section 7.2.2 |
|
1.2.1 |
Authentication |
Section 7.2.2.1 |
|
1.2.2 |
Access Control |
Section 7.2.2.2 |
|
1.2.3 |
System Logs |
Section 7.2.2.3 |
|
1.2.4 |
Intrusion Prevention |
Section 7.2.2.4 |
|
1.2.5 |
Malware Prevention |
Section 7.2.2.5 |
|
1.2.6 |
Server Handling During Transfer |
Section 7.2.2.6 |
|
1.3 |
Application Security Assurance |
Section 7.2.3 |
|
1.3.1 |
Authentication |
Section 7.2.3.1 |
|
1.3.2 |
Access Control |
Section 7.2.3.2 |
|
1.3.3 |
System Logs |
Section 7.2.3.3 |
|
1.3.4 |
Information security for communication |
Section 7.2.3.4 |
|
1.3.5 |
Denial prevention |
Section 7.2.3.5 |
|
1.3.6 |
Application Security and Source Code |
Section 7.2.3.6 |
|
1.4 |
Data Security Assurance |
Section 7.2.4 |
|
1.4.1 |
Data integrity |
Section 7.2.4.1 |
|
1.4.2 |
Data Security |
Section 7.2.4.2 |
|
1.4.3 |
Backup and Recovery |
Section 7.2.4.3 |
REGULATIONS ON THE CERTIFICATE DESIGN FOR OUTSTANDING RURAL INDUSTRIAL PRODUCTS
BASIC REQUIREMENTS FOR SAFETY OF INFORMATION SYSTEMS
FOR INFORMATION SYSTEMS AT LEVEL 4
(Annexed to Circular No. /2022/TT-BTTTT
dated month year 2022 of the Minister of Information and Communications)
I. MANAGEMENT REQUIREMENTS
|
Serial number |
Requirements |
TCVN 11930:2017 |
|
1.1 |
Establishing information security policies |
Section 8.1.1 |
|
1.1.1 |
Information Security Policy |
Section 8.1.1.1 |
|
1.1.2 |
Development and Publication |
Section 8.1.1.2 |
|
1.1.3 |
Review and Amendment |
Section 8.1.1.3 |
|
1.2 |
Organization to Ensure Information Security |
Section 8.1.2 |
|
1.2.1 |
Dedicated Unit for Information Security |
Section 8.1.2.1 |
|
1.2.2 |
Coordination with Competent Authorities |
Section 8.1.2.2 |
|
1.3 |
Ensuring Human Resources |
Section 8.1.3 |
|
1.3.1 |
Recruitment |
Section 8.1.3.1 |
|
1.3.2 |
During the Working Process |
Section 8.1.3.2 |
|
1.3.3 |
Termination or Change of Work |
Section 8.1.3.3 |
|
1.4 |
Management of Design and Construction of Systems |
Section 8.1.4 |
|
1.4.1 |
Information System Security Design |
Section 8.1.4.1 |
|
1.4.2 |
Outsourced Software Development |
Section 8.1.4.2 |
|
1.4.3 |
Testing and Acceptance of Systems |
Section 8.1.4.3 |
|
1.5 |
System Operation Management |
Section 8.1.5 |
|
1.5.1 |
Network Security Management |
Section 8.1.5.1 |
|
1.5.2 |
Management of Server and Application Security |
Section 8.1.5.2 |
|
1.5.3 |
Data Security Management |
Section 8.1.5.3 |
|
1.5.4 |
Terminal Device Security Management |
Section 8.1.5.4 |
|
1.5.5 |
Malware Prevention Management |
Section 8.1.5.5 |
|
1.5.6 |
Information System Security Monitoring Management |
Section 8.1.5.6 |
|
1.5.7 |
Vulnerability Management |
Section 8.1.5.7 |
|
1.5.8 |
Information Security Incident Management |
Section 8.1.5.8 |
|
1.5.9 |
End-User Security Management |
Section 8.1.5.9 |
|
1.6 |
Information Security Risk Management Plan |
|
|
1.7 |
Plan for System Shutdown, Exploitation, Liquidation, and Abolition |
|
II. TECHNICAL REQUIREMENTS
1. Requirements for System Design
a) Design network zones within the system based on function, the minimum network zones shall include:
i. Internal network zone;
ii. Perimeter network zone;
iii. DMZ zone;
iv. Internal server zone;
v. Wireless network zone (if applicable), separate and independent from other network zones;
vi. Database server network zone;
vii. Management zone;
viii. Device management zone;
b) Have design solutions to ensure the following requirements:
i. Have a secure remote system management and administration plan using a virtual private network or equivalent solution; use virtual private network products for information systems processing state secrets;
ii. Have a network zone access control and intrusion prevention plan using firewall products with integrated intrusion prevention functions or network layer intrusion prevention products;
iii. Have a load balancing and hot standby plan for key network devices, at least including central switches or equivalents, central firewalls, web application firewalls, centralized storage systems, database firewalls (if applicable);
iv. Have a plan to ensure database server security; use database firewall products for shared databases meeting the criteria specified in Clause 3 of Article 10 of Decree 85/2016/NĐ-CP;
v. Have a plan to block and filter malicious software in the network environment using integrated network firewall products with malware protection functions or equivalent solutions;
vi. Have a plan to prevent denial-of-service attacks; use denial-of-service attack protection services or products for information systems specified in Clause 2 of Article 10 of Decree 85/2016/NĐ-CP or data centers, cloud computing, electronic identity, authentication, certification, digital signatures, integrated connection, data sharing systems meeting the criteria specified in Clause 3 of Article 10 of Decree 85/2016/NĐ-CP;
vii. Have a plan to protect web applications from cyber attacks; use web application firewall products for information systems specified in Clause 2 of Article 10 of Decree 85/2016/NĐ-CP or data centers, cloud computing, electronic identity, authentication, certification, digital signatures, integrated connection, data sharing systems meeting the criteria specified in Clause 3 of Article 10 of Decree 85/2016/NĐ-CP;
viii. Have a plan to ensure email system information security; use email system security products;
ix. Have a network access control plan; use network access control products for internal networks, network security monitoring and operation centers meeting the criteria specified in Clause 3 of Article 10 of Decree 85/2016/NĐ-CP;
x. Have a centralized information system monitoring plan using centralized information system monitoring products;
xi. Have a centralized information system security monitoring plan using information security event management and analysis products or equivalent products;
xii. Have a centralized backup management plan using centralized storage systems and centralized storage management products;
xiii. Have a plan to manage anti-malware software on servers/user computers, using anti-malware products and/or endpoint security incident detection and response products with centralized management functions;
xiv. Have a plan to prevent data leakage; use data leakage prevention products for information systems processing state secrets or shared databases meeting the criteria specified in Clause 3 of Article 10 of Decree 85/2016/NĐ-CP;
xv. Have a backup internet connection plan for service servers;
xvi. Have a plan to ensure wireless network security (if applicable);
xvii. Have a plan to manage privileged accounts; use privileged account management products.
2. Requirements for Setting Up and Configuring the System
|
Serial number |
Requirements |
TCVN 11930:2017 |
|
1.1 |
Network Security Assurance |
Section 8.2.1 |
|
1.1.1 |
External Network Access Control |
Section 8.2.1.2 |
|
1.1.2 |
Internal Network Access Control |
Section 8.2.1.3 |
|
1.1.3 |
System Logs |
Section 8.2.1.4 |
|
1.1.4 |
Intrusion Prevention |
Section 8.2.1.5 |
|
1.1.5 |
Protection against malicious software in the network environment |
Section 8.2.1.6 |
|
1.1.6 |
Protection of System Equipment |
Section 8.2.1.7 |
|
1.2 |
Server Security Assurance |
Section 8.2.2 |
|
1.2.1 |
Authentication |
Section 8.2.2.1 |
|
1.2.2 |
Access Control |
Section 8.2.2.2 |
|
1.2.3 |
System Logs |
Section 8.2.2.3 |
|
1.2.4 |
Intrusion Prevention |
Section 8.2.2.4 |
|
1.2.5 |
Malware Prevention |
Section 8.2.2.5 |
|
1.2.6 |
Server Handling During Transfer |
Section 8.2.2.6 |
|
1.3 |
Application Security Assurance |
Section 8.2.3 |
|
1.3.1 |
Authentication |
Section 8.2.3.1 |
|
1.3.2 |
Access Control |
Section 8.2.3.2 |
|
1.3.3 |
System Logs |
Section 8.2.3.3 |
|
1.3.4 |
Information security for communication |
Section 8.2.3.4 |
|
1.3.5 |
Denial prevention |
Section 8.2.3.5 |
|
1.3.6 |
Application Security and Source Code |
Section 8.2.3.6 |
|
1.4 |
Data Security Assurance |
Section 8.2.4 |
|
1.4.1 |
Data integrity |
Section 8.2.4.1 |
|
1.4.2 |
Data Security |
Section 8.2.4.2 |
|
1.4.3 |
Backup and Recovery |
Section 8.2.4.3 |
Appendix V
BASIC REQUIREMENTS FOR SAFETY OF INFORMATION SYSTEMS
FOR THE INFORMATION SYSTEM OF LEVEL 5
(Annexed to Circular No. /2022/TT-BTTTT
dated month year 2022 of the Minister of Information and Communications)
I. MANAGEMENT REQUIREMENTS
|
Serial number |
Requirements |
TCVN 11930:2017 |
|
1.1 |
Establishing information security policies |
Section 9.1.1 |
|
1.1.1 |
Information Security Policy |
Section 9.1.1.1 |
|
1.1.2 |
Development and Publication |
Section 9.1.1.2 |
|
1.1.3 |
Review and Amendment |
Section 9.1.1.3 |
|
1.2 |
Organization to Ensure Information Security |
Section 9.1.2 |
|
1.2.1 |
Dedicated Unit for Information Security |
Section 9.1.2.1 |
|
1.2.2 |
Coordination with Competent Authorities |
Section 9.1.2.2 |
|
1.3 |
Ensuring Human Resources |
Section 9.1.3 |
|
1.3.1 |
Recruitment |
Section 9.1.3.1 |
|
1.3.2 |
During the Working Process |
Section 9.1.3.2 |
|
1.3.3 |
Termination or Change of Work |
Section 9.1.3.3 |
|
1.4 |
Management of Design and Construction of Systems |
Section 9.1.4 |
|
1.4.1 |
Information System Security Design |
Section 9.1.4.1 |
|
1.4.2 |
Outsourced Software Development |
Section 9.1.4.2 |
|
1.4.3 |
Testing and Acceptance of Systems |
Section 9.1.4.3 |
|
1.5 |
System Operation Management |
Section 9.1.5 |
|
1.5.1 |
Network Security Management |
Section 9.1.5.1 |
|
1.5.2 |
Management of Server and Application Security |
Section 9.1.5.2 |
|
1.5.3 |
Data Security Management |
Section 9.1.5.3 |
|
1.5.4 |
Terminal Device Security Management |
Section 9.1.5.4 |
|
1.5.5 |
Malware Prevention Management |
Section 9.1.5.5 |
|
1.5.6 |
Information System Security Monitoring Management |
Section 9.1.5.6 |
|
1.5.7 |
Vulnerability Management |
Section 9.1.5.7 |
|
1.5.8 |
Information Security Incident Management |
Section 9.1.5.8 |
|
1.5.9 |
End-User Security Management |
Section 9.1.5.9 |
|
1.6 |
Information Security Risk Management Plan |
|
|
1.7 |
Plan for System Shutdown, Exploitation, Liquidation, and Abolition |
|
II. TECHNICAL REQUIREMENTS
1. Requirements for System Design
a) Design network zones within the system based on function, the minimum network zones shall include:
i. Internal network zone;
ii. Perimeter network zone;
iii. DMZ zone;
iv. Internal server zone;
v. Wireless network zone (if applicable), separate and independent from other network zones;
vi. Database server network zone;
vii. Management zone;
viii. Device management zone;
b) Have design solutions to ensure the following requirements:
i. There is a plan for secure remote system access management using Virtual Private Network products;
ii. There is a plan for network zone access management and intrusion prevention using Intrusion Prevention System products;
iii. There is a plan for hot standby load balancing for network devices;
iv. There is a plan to ensure database server security; using Database Firewall products for information systems as specified in Clause 2, Article 11 of Decree 85/2016/NĐ-CP;
v. There is a plan to filter and block malicious software on the network using Integrated Malware Protection Firewall products or equivalent solutions;
vi. There is a plan to prevent Distributed Denial of Service attacks; using services from enterprises or Distributed Denial of Service Attack Prevention products for information systems as specified in Clause 2 and Clause 3, Article 11 of Decree 85/2016/NĐ-CP;
vii. There is a plan to prevent web application attacks; using Web Application Firewall products for information systems as specified in Clause 2, Article 11 of Decree 85/2016/NĐ-CP;
viii. There is a plan to ensure email system security; using Email Security products;
ix. There is a plan for network layer access management using Network Access Control products;
x. Have a centralized information system monitoring plan using centralized information system monitoring products;
xi. Have a centralized information system security monitoring plan using information security event management and analysis products or equivalent products;
xii. Have a centralized backup management plan using centralized storage systems and centralized storage management products;
xiii. Have a plan to manage anti-malware software on servers/user computers, using anti-malware products and/or endpoint security incident detection and response products with centralized management functions;
xiv. There is a plan to prevent data leakage; using Data Loss Prevention products for information systems processing state secrets or as specified in Clause 2, Article 11 of Decree 85/2016/NĐ-CP;
xv. Have a backup internet connection plan for service servers;
xvi. Have a plan to ensure wireless network security (if applicable);
xvii. There is a plan for privileged account management using Privileged Account Management products;
xviii. There is a plan for geographic location-based system backup, with locations at least 30 kilometers apart;
xix. There is a plan for network connection backup between primary and backup systems;
2. Requirements for Setting Up and Configuring the System
|
Serial number |
Requirements |
TCVN 11930:2017 |
|
1.1 |
Network Security Assurance |
Section 9.2.1 |
|
1.1.1 |
External Network Access Control |
Section 9.2.1.2 |
|
1.1.2 |
Internal Network Access Control |
Section 9.2.1.3 |
|
1.1.3 |
System Logs |
Section 9.2.1.4 |
|
1.1.4 |
Intrusion Prevention |
Section 9.2.1.5 |
|
1.1.5 |
Protection against malicious software in the network environment |
Section 9.2.1.6 |
|
1.1.6 |
Protection of System Equipment |
Section 9.2.1.7 |
|
1.2 |
Server Security Assurance |
Section 9.2.2 |
|
1.2.1 |
Authentication |
Section 9.2.2.1 |
|
1.2.2 |
Access Control |
Section 9.2.2.2 |
|
1.2.3 |
System Logs |
Section 9.2.2.3 |
|
1.2.4 |
Intrusion Prevention |
Section 9.2.2.4 |
|
1.2.5 |
Malware Prevention |
Section 9.2.2.5 |
|
1.2.6 |
Server Handling During Transfer |
Section 9.2.2.6 |
|
1.3 |
Application Security Assurance |
Section 9.2.3 |
|
1.3.1 |
Authentication |
Section 9.2.3.1 |
|
1.3.2 |
Access Control |
Section 9.2.3.2 |
|
1.3.3 |
System Logs |
Section 9.2.3.3 |
|
1.3.4 |
Information security for communication |
Section 9.2.3.4 |
|
1.3.5 |
Denial prevention |
Section 9.2.3.5 |
|
1.3.6 |
Application Security and Source Code |
Section 9.2.3.6 |
|
1.4 |
Data Security Assurance |
Section 9.2.4 |
|
1.4.1 |
Data integrity |
Section 9.2.4.1 |
|
1.4.2 |
Data Security |
Section 9.2.4.2 |
|
1.4.3 |
Backup and Recovery |
Section 9.2.4.3 |
原始文件(PDF)
关系图
点击文件即可打开。红色边框=改变效力的关系。
译本
本文件提供以下语言版本: