THE MINISTRY OF INFORMATION AND COMMUNICATIONS
Circular No. 27/2011/TT-BTTTT of October 4, 2011, on coordination of Internet incident response activities in Vietnam
THE MINISTER OF INFORMATION AND COMMUNICATIONS
Pursuant to the June 29, 2006 Law on Information Technology;
Pursuant to the December 4, 2009 Law on Telecommunications;
Pursuant to the Government’s Decree No. 64/2007/ND-CP of April 10, 2007, on application of information technology to the operation of state agencies;
Pursuant to the Government’s Decree No. 97/2008/ND-CP of August 28, 2008, on management, provision and use of Internet services and online information;
Pursuant to the Government’s Decree No. 187/2007/ND-CP of December 25, 2007, defining the functions, tasks, powers and organizational structure of the Ministry of Information and Communications;
At the proposal of the Director of the Vietnam Computer Emergency Response Team,
STIPULATES:
Chapter I
GENERAL PROVISIONS
Article 1. Scope of regulation and subjects of application
This Circular provides for the Internet incident response network and the coordination of Internet incident response activities in Vietnam, and for the responsibilities of organizations and persons involved in Internet incident response activities in Vietnam.
Article 2. Interpretation of terms
1. Internet incident (below referred to as incident) means an event which has occurred, is occurring or is likely to occur, causes information insecurity on the Internet, and is detected through supervision, evaluation and analysis of concerned agencies, organizations or persons or warned by domestic or foreign information security specialists or organizations.
2. Serious incident means an incident with one or more of the following properties: likely spreading wide and fast; likely destroying computer networks and the Internet; likely causing major damage or consequences to communication systems on the network; and requiring coordinated major national or international resources for settlement.
Chapter II
INCIDENT RESPONSE NETWORK
Article 3. Incident response network
1. The incident response network (below referred to as the network) is a collective of agencies, organizations and enterprises engaged in coordinated incident response activities in Vietnam (below collectively referred to as network members and shortly as members). The network is composed of obligatory and voluntary members.
2. Obligatory members include:
a/ The coordinating agency;
b/ Information technology units of ministries, ministerial-level agencies and government-attached agencies; provincial-level Information and Communications Departments;
c/ Internet service providers (ISP);
d/ Vietnam Internet Network Information Center (VNNIC).
3. Voluntary members are agencies, organizations or enterprises voluntarily operating in the network with a written registration (made according to a set form) sent to and accepted by the coordinating agency. Organizations engaged in information security activities are encouraged to set up incident response sections and participate in the network.
4. The Vietnam Computer Emergency Response Team (VNCERT) is the coordinating agency. VNCERT functions to coordinate incident response activities nationwide and may assign other organizations within the network to coordinate in preventing, handling and remedying Internet incidents in Vietnam; may decide on forms of coordination of incident response activities and shall take responsibility for its coordination requests; acts as the focal point for exchange of information on incident response cooperation with international computer emergency response teams. The coordinating agency’s activities to assign network members to coordination in handling and responding to incidents are called incident response coordination.
5. Detailed information on the addresses, telephone numbers, fax numbers, email addresses and websites of network members is published on the website of the coordinating agency (www.vncert.gov.vn).
Article 4. Incident response points
1. An incident response point is a person or section that is allowed to represent network members to communicate and exchange information with other network members in incident response activities.
2. An incident response point must be professionally and technically qualified for carrying out incident response coordination activities.
3. An incident response point must ensure uninterrupted communication (24 hours a day and 7 days a week).
Article 5. Operation principles of the network
1. Information exchanged and provided in the coordination and handling of an incident must be kept confidential at the request of the affected organization or person unless that incident involves many other users that must be warned or reminded by the coordinating agency.
2. Information must be exchanged within the network in one or more forms such as official letter, email, telephone and fax. A network member receiving information must proactively verify the information sender to ensure reliability of the received message.
3. Network members may receive shared information and experience and participate in incident response exercises or training courses.
Article 6. Reporting regime
1. A network member shall biannually report to the coordinating agency on its receipt and handling of incidents.
a/ Reporting contents comply with Appendix 2 to this Circular. Guidance on the report form is published on the website of VNCERT;
b/ Deadline for report submission: Before June 15 and December 15 every year;
c/ Forms of report: Official letter and email;
d/ Reports to be sent to VNCERT: 18 Nguyen Du, Hanoi; email address: [email protected].
2. Network members shall make irregular reports at the request of the coordinating agency or when detecting a serious incident. The forms of and address for sending such reports comply with Clause 1 of this Article.
Chapter III
COORDINATION OF INCIDENT RESPONSE ACTIVITIES
Article 7. Notification of incidents
1. An Internet user that suffers an incident and fails to handle it shall notify the incident to one or more network members below:
a/ The network member responsible for incident response for that user (if any);
b/ ISPs that are directly providing Internet services for that user;
c/ The coordinating agency.
2. When detecting a serious incident, an organization or a person shall immediately notify it to the coordinating agency.
3. An incident notice covers:
a/ Description of the incident made according to the form provided in Appendix 3 to this Circular;
b/ Other information at the request of the information recipient.
4. Detailed guidance on notification of incidents is published on the website of the coordinating agency.
5. An incident notice sender shall closely coordinate with and provide full and accurate information on that incident to notified network members and create favorable conditions for these members and the coordinating agency to access and study incident-involved systems and devices for collecting and analyzing information to handle that incident.
Article 8. Receipt and processing of incident notices
1. A network member notified of an incident shall:
a/ Promptly and within 24 hours send a receipt acknowledgement of the incident notice to the notifying organization or person;
b/ Handle the incident within its capacity and responsibility;
c/ Notify the incident to the coordinating agency when failing to handle such incident.
2. The coordinating agency notified of an incident shall:
a/ Handle the incident as a network member under Clause 1 of this Article;
b/ Make coordination requests to network members for joining incident response efforts when necessary;
c/ Raise other resources and invite specialists to join incident response efforts when necessary;
d/ Coordinate with international computer response teams in handling transnational incidents.
Article 9. Incident response coordination
1. The coordinating agency shall coordinate incident response activities by sending to network members involved in the incident coordination requests made according to the form provided in Appendix 4 to this Circular.
2. The coordinating agency may request network members to cooperate in and request international computer emergency response teams to join incident response activities.
3. The coordinating agency shall notify coordination requests to affected organizations or persons in the course of incident response coordination.
4. Network members shall receive and comply with coordination requests and report and give feedback on implementation results to the coordinating agency.
Chapter IV
RESPONSIBILITIES OF ORGANIZATIONS AND INDIVIDUALS
Article 10. Network members
1. To publish addresses for receiving incident notices on their websites.
2. To assign personnel to act as incident response points and assure their compliance with Article 4.
3. To receive and process incident notices under Article 8.
4. To comply with the coordinating agency’s coordination requests under Article 9.
5. To coordinate with and support other network members in incident response activities.
6. To notify and update to the coordinating agency the following information:
a/ Addresses for receiving incident notices;
b/ Information on incident response points, including the full name, post, contact address, fixed telephone number, mobile phone number, fax number and email address.
7. To keep incident notices, incident handling records, coordination requests and reports on implementation of coordination requests for at least 1 year, including the following information:
a/ Contents and receipt time of incident notices, time of sending receipt acknowledgement;
b/ Incident handling results, causes of incidents, incident handling time and lists of organizations and persons participating in incident handling (if any);
c/ Time of sending incident notices to the coordinating agency, time of receiving receipt acknowledgement from the coordinating agency, for cases of notifying the coordinating agency.
8. To make reports under Article 6.
Article 11. The coordinating agency (VNCERT)
1. To perform the obligations of a network member under Clauses 1, 2, 3, 5 and 7 of Article 10, with the duration for keeping documents under Clause 7 of Article 10 complying with the State’s current regulations on the duration for keeping common dossiers and documents formed in the operation of state agencies.
2. To organize activities of the network and coordinate incident response activities and elaborate regulations and guidance on incident response within the network.
3. To receive and directly process or coordinate the processing of incident notices.
4. To develop and implement a technical assistance system for communication and information exchange within the network and create conditions for network members to use the system.
5. To summarize and notify within the network notices and warnings on weaknesses, loopholes and sources of attack on the Internet.
6. To collect, update and publish on the website of VNCERT network members’ addresses for receiving incident notices.
7. To collect, update and notify lists of incident response points to network members.
8. To provide annual statistical reports on incident emergency response activities.
Article 12. Internet service providers
1. To perform the obligations of a network member under Article 10.
2. To guide Internet users or subscribers (below collectively referred to as customers) in making incident notices.
3. To handle incidents for customers when receiving incident notices or detecting incidents.
4. To provide the following information at the request of the coordinating agency:
a/ Information on their customers involved in an incident, technical information on the systems of customers involved in the incident (IP address, domain name, access logbook, other information, if any);
b/ Information on network structure, information on supervision and statistics on incident-involved network data flows (if any);
c/ Software and source code of the software causing the incident, incident-related data and information on hardware causing the incident (if any).
5. To install connection portals and backup interfaces at important Internet points for themselves and competent state agencies to supervise and detect attacks or distribution and spread of malicious software.
6. To create conditions for the coordinating agency to access and study incident-involved systems and devices for collecting and analyzing information to handle the incident.
7. To comply with requests to coordinate the following activities:
a/ Halting connection with incident-causing devices or service systems;
b/ Blocking or temporarily redirecting incident-causing IP addresses or domain names;
c/ Removing or temporarily removing incident-causing applications or services on the Internet.
8. To provide resources within their capacity and within a definite time at the request of the coordinating agency for incident response activities or exercises, including:
a/ Internet lines, in case of denial-of-service attacks causing bandwidth exhaustion or when increased readiness is required for important service provision systems;
b/ Information security personnel to join incident response activities;
c/ Information security devices and technologies (if any).
Article 13. VNNIC
1. To perform the obligations of a network member under Article 10.
2. To provide information on registrants of the national domain name (.vn), units managing IP addresses and network codes granted by VNNIC and other incident-related information at the request of the coordinating agency.
3. To comply with the coordinating agency’s coordination requests to handle incidents related to Vietnam’s Internet resources.
Article 14. Information technology units of ministries, ministerial-level agencies, government-attached agencies; provincial-level Information and Communications Departments
1. To perform the obligations of a network member under Article 10.
2. To work out and guide incident response activities within their responsibilities.
3. To coordinate and support incident emergency response activities within their responsibilities and localities at the request of the coordinating agency.
Article 15. Other organizations and persons
1. Information security service providers
a/ To share information and data on implemented incident response activities at the request of the coordinating agency;
b/ To provide human resources and technological solutions within their capacity at the request of the coordinating agency.
2. Internet users
a/ To proactively take technical measures and solutions to assure information security, to scan malicious codes in computers to prevent Internet incidents;
b/ To proactively provide information and actively coordinate with network members in detecting, preventing and handling incidents.
Chapter V
ORGANIZATION OF IMPLEMENTATION
Article 16. Effect
1. This Circular takes effect on November 15, 2011.
2. In the course of implementation, any arising problems should be reported to the Ministry of Information and Communications (VNCERT) for consideration and revision.
For the Minister of Information and Communications
Deputy Minister
NGUYEN MINH HONG
Note: All the Appendices mentioned in this Circular are not printed herein.