Circular No. 20/2017/TT-BTTTT dated September 12, 2017 of the Ministry of Information and Communications on prescribing the coordination in response to cyber security incidents nationwide

CIRCULAR

Prescribing the coordination in response to cyber security incidents nationwide[1]

Pursuant to the November 19, 2015 Law on Cyberinformation Security;

Pursuant to the Government’s Decree No. 85/2016/ND-CP of July 1, 2016, on assurance of information system safety at all levels;

Pursuant to the Government’s Decree No. 17/2017/ND-CP of February 17, 2017, defining the functions, tasks, powers and organizational structure of the Ministry of Information and Communications;

Pursuant to the Prime Minister’s Decision No. 05/2017/QD-TTg of March 16, 2017, prescribing the national system of plans on emergency response to ensure cyber security;

At the proposal of the Director of the Vietnam Computer Emergency Response Center;

The Minister of Information and Communications promulgates the Circular prescribing the coordination in response to cyber security incidents nationwide.

Chapter I

GENERAL PROVISIONS

Article 1.Scope and subjects of application

1. This Circular prescribes activities of coordination in response to cyber security incidents nationwide (excluding activities of coordination in response to serious cyber security incidents prescribed in the Prime Minister’s Decision No. 05/2017/QD-TTg of March 16, 2017, prescribing the national system of emergency response plans to ensure cyber security (below referred to as Decision No. 05/2017/QD-TTg)).

Incidents in the information systems managed by the Ministry of National Defense and Ministry of Public Security are not subject to this Circular.

2. This Circular applies to agencies, organizations and individuals involved in activities of coordination in response to cyber security incidents.

Article 2.Interpretation of terms

1.Cyber security incidentmeans an attack against or a harm caused to information or an information system, thus affecting its integrity, confidentiality or usability (below referred to as incident).

2.Response to cyber security incidentmeans activities aimed to deal with and remedy an incident causing cyber insecurity, including monitoring, collecting and analyzing signs of, detecting, making warnings about, investigating, verifying and stopping the incident, recovering data and restoring normal operation of the information system.

3.Incident response focal pointmeans a section or an individual designated by a member of the national network of response to cyber security incidents to represent such member in contacting and exchanging information with the national coordinating agency for responding to incidents or with other members in incident response coordination activities.

Article 3.Assignment of powers to organize response to cyber security incidents nationwide

Powers to organize response to cyber security incidents nationwide are assigned to the agencies, organizations and units responsible for responding to cyber security incidents nationwide defined in Decision No. 05/2017/QD-TTg. Agencies and organizations taking part in the incident response coordination nationwide include:

1. The Ministry of Information and Communications, which shall act as the Standing Agency for Cyber Security Emergency Response nationwide (below referred to as the Standing Agency) and the National Coordinating Committee for Cyber Security Emergency Response (below referred to as the National Response Coordinating Committee); and the Vietnam Computer Emergency Response Center (VNCERT), which shall act as the National Incident Response Coordinating Agency (below referred to as the National Coordinating Agency).

2. The steering committees for emergency response to cyber security incidents of the ministries, ministerial-level agencies, government-attached agencies and provincial-level People’s Committees (below referred to as ministerial- or provincial-level incident response steering committees).

3. Specialized units in charge of response to cyber security incidents (below referred to as specialized incident response units); incident response units or incident response sections of the ministries, ministerial-level agencies, government-attached agencies and provincial-level People’s Committees (below referred to as incident response teams).

4. The National Cyber Security Incident Response Network (below referred to as the Incident Response Network) and its executive board.

5. Information system owners; units operating information systems; specialized agencies, organizations and units designated or summoned by the Standing Agency, National Coordinating Agency or ministerial- or provincial-level incident response steering committees to take part in incident response.

Article 4.Principles of incident response coordination

1. Compliance with the regulations on coordination in response to cyber security incidents.

2. Proactiveness, promptness, swiftness, accuracy, synchronism and effectiveness.

3. Close, correct, synchronous and effective coordination among agencies, organizations and enterprises at home and abroad.

4. Incident response must be primarily based on on-site forces and be the main responsibility of information system managers.

5. Satisfaction of the conditions and priorities for maintenance of the operation of information systems already approved by competent authorities in incident response plans.

6. Information exchanged in the incident response network shall be checked and verified before performance of subsequent steps.

7. Information acquired from the involvement in incident response activities at the request of the National Coordinating Agency or agencies, organizations or individuals encountering incidents shall be kept confidential.

Chapter II

THE INCIDENT RESPONSE NETWORK

Article 5.The incident response network

1. The incident response network operates nationwide and is composed of members being specialized incident response units and related agencies, organizations and enterprises defined in Article 7 of Decision No. 05/2017/QD-TTg.

2. The incident response network operates according to its operation regulation and under relevant guidelines of the National Coordinating Agency (the Vietnam Computer Emergency Response Center). The network’s executive board shall be established by the Ministry of Information and Communications under Article 7 of Decision No. 05/2017/QD-TTg.

3. The network members shall make declaration dossiers according to Form No. 01 provided in the Appendix to this Circular, update them on an annual basis, and send them to the National Coordinating Agency. Organizations, enterprises and individuals that are willing to become network members shall make applications for participation according to Form No. 02 and send them to the National Coordinating Agency.

Article 6.Responsibilities and powers of network members

1. Network members have the following responsibilities and powers:

a/ To fulfill the responsibilities and exercise the powers provided in Decision No. 05/2017/QD-TTg;

b/ To designate their incident response focal points that are capable and professionally qualified and have professional skills to coordinate in the incident response in an uninterrupted manner around the clock; to post on their websites or portals addresses for receiving information about incidents; to provide and update information about their incident response focal points and technical staffs in charge of cyber security and incident response under their management to the National Coordinating Agency; to update information about any changes in their incident response focal points within 24 hours;

c/ To sum up data and make biannual reports (before June 20) and annual reports (before December 15) according to Form No. 05, and send them to the National Coordinating Agency; to make irregular reports at the request of the National Coordinating Agency;

d/ To report to the National Coordinating Agency information they have received about incidents detected in the information systems under their management;

dd/ To make and implement incident response plans, guide incident response activities, organize and direct incident response teams under their management;

e/ To request other network members to provide guidance and assistance in incident response when necessary; to participate in workshops, meetings, training courses, drills and other activities within the network;

g/ To share their information and experiences and give warnings about incidents and the situation of cyber security at home and abroad;

h/ Network members being related agencies and units of the Ministry of Public Security and Ministry of National Defense are not required to comply with Points c and d of this Clause.

2. Responsibilities and powers of the National Coordinating Agency:

a/ To fulfill the responsibilities and exercise the powers provided in Decision No. 05/2017/QD-TTg;

b/ To post on its website its telephone and fax numbers, email addresses, hotlines and ensure resources for operating hotlines around the clock to receive information about and promptly respond to incidents; to keep contact details (addresses, telephone and fax numbers and email addresses) and information of incident response focal points and technical staffs in charge of cyber security and incident response and incident response teams of network members;

c/ To build and operate the network’s portal and technical system to support the communication and exchange of information within the network and technical systems to serve incident response coordination, handling and remediation;

d/ To guide activities of notification and answering inquiries about cyber security incidents nationwide; to administer the network; to study and propose measures to increase resources for its effective operation;

dd/ To collect, receive and process information and warnings and issues warnings about cyber security risks and incidents to competent persons and related agencies, organizations and units and propose measures to prevent, stop and handle such risks and incidents;

e/ To organize workshops and meetings to disseminate and share information about and training courses and drills in cyber security and incident response; and organize common activities of the network.

Article 7.Main activities of the incident response network

The executive board of the network shall organize the performance of tasks of the network, including the following main activities:

1. Studying, collecting, receiving, analyzing and verifying information, making assessments and warnings about cyber security incidents and risks and malwares.

2. Coordinating the response to, handling, stopping and remedying incidents; to inspecting and pressing for the formulation and implementation of cyber security incident response plans and the performance of responsibilities and obligation of its members.

3. Building capacity for its members and incident response teams, including:

a/ Training and drilling to improve their professional qualifications and skills; organizing working trips at home and abroad to survey, study and exchange experiences and promote cooperation;

b/ Holding regular briefings, organizing workshops, conferences and talks to exchange and share information about and experiences in coordination in incident response and cyber security assurance;

c/ Supporting the development and application of information system management and operation processes up to national standards, national technical regulations and international standards on cyber security and incident response;

d/ Conducting professional researches, preparing reports, documents, instructions and statistics on cyber security and relevant issues for sharing within the network.

4. Participating in information and communication activities to raise awareness about incident prevention and response and cyber security assurance.

5. Organizing, and maintaining the operation of, the network executive board; and carrying out other activities related to the coordination in incident response and cyber security assurance.

Chapter III

COORDINATION IN INCIDENT RESPONSE

Article 8.Coordination in incident response

1. Coordination in incident response means activities of the National Coordinating Agency and other competent agencies to mobilize, administer and uniformly coordinate resources, including human resources, material resources (equipment and facilities), financial resources (finance and budgets) to prevent, monitor, collect information about, detect and warn about incidents; to receive, analyze and verify information about and classify incidents; administer, coordinate and organize incident response, stay ready for, respond to and remedy incidents in order to minimize risks and damage caused by incidents.

2. The National Coordinating Agency shall perform the function of warning about incidents and coordinating the response to incidents nationwide; may mobilize and command the incident response network members and related organizations and individuals in preventing, dealing with and remedying incidents nationwide; shall make commands/requests for coordination according to Form No. 06 provided in the Appendix to this Circular and take responsibility for such commands/requests.

3. Tasks to be performed in incident response coordination activities:

a/ Monitoring, analyzing, detecting and warning about cyber risks, threats, vulnerabilities, incidents and attacks, and measures to prevent incidents;

b/ Making or proposing incident response plans;

c/ Organizing training and drills in incident response and cyber security assurance;

d/ Mobilizing and arranging resources for incident response according to competence; providing technical assistance and implementing measures to respond to and prevent and combat cyber attacks;

dd/ Investigating, analyzing and identifying sources and methods of attacks in order to respond to and stop them, and at the same time warning about incidents and providing guidance on preventing them from spreading; collecting data and preparing reports on incidents;

e/ Sharing, exchanging and providing information among related agencies and organizations on incident response, incident response coordination and the process of dealing with incidents;

g/ Other activities related to incident response under decisions of the Ministry of Information and Communications.

4. Information about incident response coordination shall be exchanged in one or several of the following forms: official letter, email, telephone, facsimile, text message or advanced communications system, and, for confidential information, in accordance with relevant regulations on confidentiality.

Article 9.Cyber security incident notification and reporting

1. Forms of incident notification and reporting

a/ Forms of incident notification: official letter, facsimile, email, text message or via a technical system for reporting on cyber security incidents under the guidance of the National Coordinating Agency;

b/ Forms of incident reporting: written or electronic report (bearing the signature and seal of or digital signature of the competent person).

2. Reports on cyber security incidents

a/ Within 5 days after detecting an incident in the system, a unit or an individual that operates an information system shall report on such incident under Point a, Clause 3 of this Article (incident reporting) and concurrently to the following agencies and units: the agency managing the information system, the National Coordinating Agency, the specialized unit in charge of incident response and the concerned incident response network member (if any). If the incident has not yet been completely dealt with by the time of reporting, right after completely dealing with the incident, such unit or individual shall update information about the incident to the agencies and units that have previously received the incident’s reports;

b/ In case the information system operating unit or individual thinks that the incident may go beyond its/his/her handling capacity, it/he/she shall prepare a preliminary report on the incident and send it to the information system manager, the specialized unit in charge of incident response (if any) and the National Coordinating Agency. Within 5 days after the response to the incident is completed, it/he/she shall make a report on completion of the incident response and send it to the information system manager and the National Coordinating Agency. The National Coordinating Agency shall only record the completion of the incident response when receiving such report;

c/ Upon detecting a sign of a cyber security attack or incident, organizations and individuals other than the information system operating unit or individual shall promptly notify such incident (incident notification) to one or all of the following agencies and units: the information system operating unit or individual, the information system manager, the National Coordinating Agency, the specialized unit in charge of incident response or the concerned incident response network member.

3. Types of incident notification and reporting:

a/ An incident notice must contain: Name and address of the notifier; name or domain name and IP address of the information system where the incident occurs; names and addresses of the unit or individual and the agency managing the information system (if known); description of the incident and time of detection; results of handling the incident, proposals and recommendations, and other relevant information (if any);

b/ A preliminary report on an incident must have the contents specified in Form No. 03 in Appendix I to this Circular;

c/ Situation development report;

d/ Report on specific response plan;

dd/ Report requesting assistance and coordination;

e/ Report on completion of incident response, made according to Form No. 04 in Appendix I to this Circular.

4. In the course of incident response, units or individuals operating information systems shall assume the prime responsibility for, and coordinate with related agencies and units in, preparing incident response reports under regulations and at the request of competent agencies.

Article 10.Detection, receipt, verification, preliminary handling and classification of cyber security incidents

1. A unit or an individual operating an information system shall:

a/ Upon detecting an incident, monitor, record and collect information about the incident and notify or report on the incident under Article 9 of this Circular;

b/ Upon receiving an incident notice, immediately confirm the receipt of the notice to its sender;

c/ Verify and preliminary handle the incident: Assume the prime responsibility for, and coordinate with the unit in charge of assuring cyber security (if any), unit in charge of incident response and telecommunications and Internet service providers (ISP) in, analyzing and verifying the incident; immediately carry out preliminary incident response activities and implement the process of incident response under the approved cyber security incident response plan or the process prescribed in Article 11 of this Circular. If determining that the incident may be a serious one, the information system operating unit or individual shall immediately report it to the information system manager and related specialized unit in charge of incident response, proposing the latter to treat the incident as a serious one, and at the same time report it to the National Coordinating Agency.

2. A specialized unit in charge of incident response or an incident response network member shall:

a/ Upon detecting an incident, immediately notify the incident to the unit or individual operating the information system, the information system manager and the National Coordinating Agency;

b/ Upon receiving an incident notice or report, record or receive it under regulations and confirm the receipt of the notice to its sender;

c/ Verify and handle the incident: Coordinate with the unit or individual operating the information system in checking, verifying and handling the incident within its/his/her capacity and responsibility. If determining that the incident may be a serious one or fall beyond its/his/her handling capacity, the information system operating unit or individual shall immediately report it to the information system manager and National Coordinating Agency;

d/ Supervise the process of incident response and report or make recommendations to or ask for instructions from the information system manager and ministerial- or provincial-level incident response steering committee in case the incident falls beyond its/his/her competence, responsibility or handling capacity;

dd/ Report to the National Coordinating Agency on incident developments when so requested.

3. The National Coordinating Agency shall:

a/ Record and receive cyber security incident notices and reports according to the prescribed procedures;

b/ Reply to confirm the receipt of notices and reports to their senders;

c/ Check, verify and classify incidents for giving warnings, direct involved parties in choosing incident response plans, organize the response and report to and propose the Standing Agency to consider and decide on the level of seriousness of incidents and appropriate emergency response plans. For serious incidents, the National Coordinating Agency shall assume the prime responsibility for, and coordinate with related agencies in, implementing the steps in the process of responding to these incidents as prescribed in Decision No. 05/2017/QD-TTg;

d/ Coordinate with international cyber security incident response organizations in receiving early warnings and information about cyber security incidents and risks and join in the response to cross-border incidents and attacks;

dd/ Perform other responsibilities; and report to the Standing Agency on matters falling beyond its competence.

Article 11.Process of cyber security incident response

The process of cyber security incident response is described in the diagram in Appendix II to this Circular, covering:

1. Receiving and analyzing information about, preliminarily responding to, and notifying the incident

a/ Receiving and verifying information about the incident

Responsible unit: The unit or individual operating the information system.

Coordinating units: Specialized unit in charge of incident response and the National Coordinating Agency.

Tasks: Monitoring, receiving and analyzing reports and signs of incidents from inside and outside sources. Upon analyzing and verifying an incident, evidence shall be recorded and collected and the incident’s sources shall be identified.

b/ Carrying out priority steps of preliminary response

Responsible unit: The unit or individual operating the information system.

Coordinating units: Specialized unit in charge of incident response, related network members and the National Coordinating Agency.

Tasks: After confirming the occurrence of an incident, the unit or individual operating the information system shall base itself/himself/herself on the incident’s nature and signs to carry out the preliminary priority steps to respond to the incident under the approved incident response plan or the guidance of the related specialized unit in charge of incident response or the National Coordinating Agency.

c/ Choosing an incident response plan

Responsible unit: The unit or individual operating the information system.

Coordinating units: Specialized unit in charge of incident response, related network members and the National Coordinating Agency.

Tasks: Based on the approved incident response plan or the guidance of the related specialized unit in charge of incident response or the National Coordinating Agency, to choose a plan to stop and handle the incident and report to the information system manager and ministerial- or provincial-level incident response steering committee for direction (if necessary).

d/ Directing the incident response (if necessary)

Responsible unit: The ministerial- or provincial-level incident response steering committee.

Coordinating unit: The information system manager.

Tasks: Based on the report or proposal of the unit or individual operating the information system, the ministerial- or provincial-level incident response steering committee shall coordinate with the information system manager and consult the National Coordinating Agency (if necessary) in following the directions given by the specialized unit in charge of incident response and ordering the incident response team under its management to carry out response and handling activities; direct and assign its staffs to make statements and provide information. In the course of response, depending on practical developments of the incident, the ministerial- or provincial-level incident response steering committee may decide to add members to the incident response team and direct the adjustment of the incident response plan.

dd/ Reporting on incidents

Responsible unit: The unit or individual operating the information system.

Coordinating units: Related/responsible specialized unit in charge of incident response, telecommunications and Internet service providers (ISP).

Tasks:  After carrying out the priority steps of preliminary response, the unit operating the information system shall notify and report on the incident to related organizations and individuals inside and outside the agencies and organizations as specified in Article 9 of this Circular and its internal regulations (if any).

e/ Coordinating the incident response

Responsible units: The ministerial or provincial incident response steering committee and the National Coordinating Agency.

Coordinating units: The unit or individual operating the information system, specialized unit in charge of incident response, and related network member.

Tasks: Based on characteristics of the incident, the ministerial or provincial incident response steering committee and the National Coordinating Agency shall request assistance of the unit or individual operating the information system and specialized unit in charge of incident response, and coordinate and supervise the mechanism of coordinating efforts and sharing information within the ambit of their functions and tasks in order to mobilize resources for incident response.

2. Responding to, stopping and handling the incident

Responsible units: The unit or individual operating the information system and incident response team.

Coordinating units: The unit responsible for ensuring cyber security for the information system where the incident occurs, related specialized unit in charge of incident response, related network member, and the National Coordinating Agency.

Tasks:

a/ Collecting evidence, analyzing and identifying the scope and affected subjects of the incident;

b/ Analyzing and identifying the source of attack, responding to, preventing and minimizing impacts and consequences of the incident on the information system.

3. Handling the incident, removing malwares and restoring the information system

a/ Handling the incident and removing malwares

Responsible units: The unit or individual operating the information system and incident response team.

Coordinating units: The unit responsible for ensuring cyber security for the information system where the incident occurs, specialized unit in charge of incident response, related network member, and the National Coordinating Agency.

Tasks: After stopping the incident, the unit or individual operating the information system, specialized unit in charge of incident response and incident response team/section shall remove malwares and fix cyber security vulnerabilities of the information system.

b/ Restoring the information system

Responsible unit: The unit or individual operating the information system.

Coordinating units: The incident response team, unit responsible for ensuring cyber security for the information system where the incident occurs, specialized unit in charge of incident response, related network member, and the National Coordinating Agency.

Tasks: The unit or individual operating the information system shall assume the prime responsibility for, and coordinate with related units in, carrying out activities to restore the information system, recover its data and connections, ensure the secure system configuration, and add devices, hardware and software to ensure cyber security for the information system.

c/ Checking and assessing the information system

Responsible unit: The unit or individual operating the information system.

Coordinating units: The unit responsible for ensuring cyber security for the information system where the incident occurs, specialized unit in charge of incident response, information system manager, and the National Coordinating Agency.

Tasks: The unit or individual operating the information system and related units shall check and assess operation of the entire information system after the incident is dealt with. In case the system cannot resume its stable operation, it is necessary to collect evidence, re-identify causes of the incident and carry out the steps specified in Clauses 2 and 3 of this Article again to deal with the incident definitely and restore normal operation of the information system.

4. Making review and assessment

Responsible unit: The unit or individual operating the information system.

Coordinating units: The specialized unit in charge of incident response; the incident response team; the information system manager; ministerial- or provincial-level incident response steering committee; and the National Coordinating Agency.

Tasks: The unit or individual operating the information system where the incident occurs shall coordinate with the specialized unit in charge of incident response and the incident response team in summing up information, reports and analyses related to the incident and implementation of the incident response plan, then report them to the information system manager, the ministerial- or provincial-level incident response steering committee, and the National Coordinating Agency; analyze causes of the incident, draw experience from the incident response and propose additional measures to prevent and respond to similar incidents in the future.

Chapter IV

MEASURES TO ENSURE RESPONSE TO CYBER SECURITY INCIDENTS

Article 12.Formulation and implementation of plans on response to incidents to ensure cyber security

1. Agencies, organizations and enterprises shall formulate and implement plans on response to incidents to ensure their own cyber security, in which:

a/ For approved level-4 and level-5 information systems or those on the list of information systems of national importance, such plans shall be formulated according to the fundamentals of plans on response to cyber security incidents provided in Article 16 of Decision No. 05/2017/QD-TTg;

b/ For information systems other than those mentioned at Point a, Clause 1 of this Article, incident response plans shall be formulated according to Appendix III to this Circular.

2. Information system managers and agencies and units competent to approve incident response plans shall determine conditions and priority principles for maintaining operation of information systems when the incident response is carried out and consider them a compulsory requirement of incident response plans.

3. The National Coordinating Agency shall guide the formulation and implementation of incident response plans and provisions for response to and handling of cyber security incidents; organize training courses and drills in different areas and regions, at home and abroad; formulate plans and organize regular inspection and assessment of the implementation of cyber security incident response plans by ministries, sectors, localities, organizations and enterprises.

Article 13.Funds

Funds for activities of coordinating the response to cyber security incidents nationwide must comply with Article 17 of Decision No. 05/2017/QD-TTg and relevant guiding documents.

Chapter V

ORGANIZATION OF IMPLEMENTATION

Article 14.Effect

1. This Circular takes effect on November 1, 2017, and replaces the Ministry of Information and Communications’ Circular No. 27/2011/TT-BTTTT of October 4, 2011, prescribing the coordination in response to Internet incidents in Vietnam.

2. Any problems arising in the course of implementation should be promptly reported to the Ministry of Information and Communications (through the Vietnam Computer Emergency Response Center) for study, amendment and supplementation.

Minister of Information and Communications
TRUONG MINH TUAN

The appendices to this Circular are not translated.