Circular No. 31/2017/TT-BTTTT dated November 15, 2017 of the Ministry of Information and Communications on surveillance of information system security

THE MINISTRY OF INFORMATION AND COMMUNICATIONS

Circular No. 31/2017/TT-BTTTT datedNovember 15, 2017 of the Ministry of Information and Communications onsurveillance of information system security

Pursuant toLaw on Cyber information Security dated November 19, 2015;

Pursuant tothe Government’s Decree No.72/2013/ND-CPdated July 15, 2013 on management, provision and use of Internet services and online information;

Pursuant to the Government’s Decree 25/2014/ND-CPdated April 7, 2014 on preventing and taking actions against crimes and other violations of law involved in high technology;

Pursuant tothe Government’s Decree No.85/2016/ND-CPdated July 01, 2016 on security of information systems by classification;

Pursuant to the Government’s DecreeNo.17/2017/ND-CPdated February 17, 2017 on functions, duties, power and organizational structure of theMinistry of Information and Communications;

Pursuant tothe Prime Minister’s Decision No.05/2017/QD-TTgdated March 16, 2017 on emergency response plans to ensure national cyber information security;

Implementing the Government sResolutionNo.36a/NQ-CPdated October 14, 2015 on electronic Government;

At the request of Director of Vietnam Computer Emergency Response Teams;

The Minister ofInformation and Communicationspromulgates the Circular onsurveillance of information system security.

Chapter I

GENERAL PROVISIONS

Article 1. Scopeof adjustment

This Circular provides guidelines for surveillance of information system security (hereinafter referred to as “surveillance”) in the whole country, except for information systems managed byMinistry of National DefenseandMinistry of Public Security.

Article 2.Subject of application

This Circular applies to authorities, organizations and individuals directly carrying out surveillance or involved in these activities in the whole country.

Chapter II

SURVEILLANCE OF INFORMATION SYSTEM SECURITY

Article3. Surveillance principles

1.Surveillance is carried out regularly and continuously.

2.Surveillance, analysis and prevention methods are actively implemented topromptlydetect and prevent cyber information security incidents and risks.

3.The stability and security of information provided or exchanged during the surveillance are ensured.

4.There are close and effective regulation and cooperation between surveillance carried out byMinistry of Information and Communicationsand those carried out by managers of information systems. Connection between the surveillance system of theMinistry of Information and Communicationsand those of managers of information systems are gradually established in the whole country.

Article 4. Surveillance methods

1.Surveillance shall be carried out directly (direct surveillance) or indirectly (indirect surveillance). A manager of an information system may carry out surveillance or use surveillance services. If necessary, according to capacity, situation and actual resources, the manager of an information system may request relevant authorities affiliated to the Ministry of Information and Communications to provide assistance in surveillance in conformity with actual resources.

2.Direct surveillance is the surveillance carried out by installing equipment for analyzing dataflow (surveillance), directly collecting information from log files and warnings about information security intrusions, risks and incidents. A direct surveillance shall include the following activities:

a) Analysis and collection of information on cyber information security. To be specific:

-Analyzing and surveillance cyber information security of network transmission lines or information flow at internet ports using equipment capable of analyzing network transmission lines to detect information security intrusions, risks and incidents such as equipment for detecting or preventing intrusions in conformity with entities under surveillance (Ex:IDS,IPS,Web Firewall, etc.)

-Collecting log files and cyber information security warnings expressing the operation of applications, information system and information security equipment

b) Consolidation, synchronization, verification and processing of information on cyber information security to detect cyber information security intrusions, risk and incidents or remove inaccurate information.

3.Indirect surveillance is surveillance carried out through techniques for collecting information from relevant information sources; inspecting and surveillance of entities under surveillance for determine their operation and capacity to satisfy and connect with other relevant factors to detect cyber information security intrusions, risks and incidents. Indirect surveillance includes the following activities:

a) Collection, analysis and verification of information about cyber information security intrusions, risks and incidents related to entities under surveillance collected from relevant information sources;

b) Remote or direct inspection and review of entities under surveillance for assessing situation and detectingcyber informationsecurity intrusions, risks and incidents able to be used, intruded or damaged.

Article5. Requirements for direct surveillance by managers of information systems

Managers of information systems shall actively carry out surveillance in accordance with applicable regulations. Surveillance of 3^rd-class information systems or higher classbytheirmanagersshall satisfy the following requirements:

1.  Central surveillance by the manager shall satisfy the following requirements:

a)Sufficient features of collection and consolidation of information oncyber informationsecurity are provided;

b) Collected information is analyzed to detect and warn aboutcyber information security intrusions, risks and incidents that can affect the system s operation or capacity to provide services of information systems under surveillance;

c) Interfaces facilitating the continuous surveillance and surveillance by supervisors are provided;

d) The following input information is collected and analyzed: wed servers with web applications such as portal, online public services, etc; warnings and log files of basic monitoring equipment; warns and log files of firewalls established for protecting internet connection related to entities requiring surveillance;

e) The central surveillance is suitable for quantity and formats of and able to analyze information oncyber informationsecurity collected from information systems under surveillance.

2.Collection of information on cypherinformation securityand basic monitoring shall satisfy the following requirements:

a) Information oncyber informationsecurity is collected from log files and warnings of software or equipment related to entities requiring surveillance for provision for central host computer servers or at the request of competent authorities affiliated toMinistry of Information and Communications.The following informationon cyber information securityis collected andprovided: wed servers with web applications such as portal, online public services, etc; warningsand log files of basic monitoring equipment; warnings and log files of firewalls established for protecting internet connection related to entities requiring surveillance;

b) Basic monitoring equipment is able to detectcyber informationsecurity intrusions, risks and incidents and is established to ensure surveillance of all Internet connections of entities requiring surveillance;

c) Surveillance equipment has functions of detection and establishment of separate rules for detecting intrusions based on the following information: source IP address, destination IP address, source port address, destination port address, special data segments in transmitted packets. If organizations and individuals use basic monitoring equipment themselves, existing applications such as IDS, IPS, Web firewalls, etc are prioritized to be used basic as surveillance equipment;

d) Information systems serving the electronic government using encoded protocol (“https” for example) have technical measures for ensuring that equipment for surveillancecyber informationsecurity will have sufficient information to detectcyber informationsecurity intrusions, risks and incidents;

e) Basic monitoring equipment is established and connected with the surveillance system of theMinistry of Information and Communicationsaccording to instructions and requirement of competent authorities.

3.The surveillance includes the following activities:

a) Monitoring, continuously carrying out surveillance and making daily reports and ensuring the stable and continuous operation of and information collection of by the manager’s surveillance system;

b) Formulating and issuing regulations oncyber informationsecurity surveillance which specify time limit for regular collection of processing results and making reports;

c) Surveillance and operating the basic monitoring equipment to ensure the stability, continuity and timely adjustment in case of changes and following instructions provided by theMinistry of Information and Communicationsto ensure effective surveillance;

d) Making weekly reports on surveillance results and sending them to managers of information systems. A weekly report shall contain time of surveillance, the list of noticeable intruded entities (ID address, description of provided services and time of intrusion); intrusion methods that have been detected and relevant evidence; entities carrying out intrusions; changes in information systems under surveillance and surveillance systems, etc.;

dd) Classifyingcyber informationsecurity risks and incidents according to specific cases;

e) Regularly getting results of handling ofcyber informationsecurity risks and incidents for retention and report;

g) The manager of an information system requesting competent authorities affiliated to theMinistry of Information and Communicationsto monitor the grassroots system or information systems under surveillance of theMinistry of Information and Communicationsshall provide and update information on the information systems requiring surveillance and descriptions of technical plans for operating the manager’s surveillance system for theMinistry of Information and Communicationsusing the specimen prescribed in Appendix 1, which includes the following information:

-Descriptions of each information system under surveillance, including IP address, domain name, provided services, name and version of the operating system and web applications;

-Position of the manager’s surveillance system, capacity of transmission lines connected with entities under surveillance of the manager, information expected to be collected and protocol of collection such as IDS warning, firewall logs, web server logs, etc.

h) Retaining information on surveillance for at least 30 operating days in normal conditions;

i) Regularly providing information on surveillance or surprisingly provide it at the request of theMinistry of Information and Communicationsin accordance with regulations of law;

k) Submitting reports on surveillance by the manager of information system every 6 months using the specimen prescribed in Appendix 2.

Article6. Surveillance by enterprises

Telecommunications enterprises, enterprises providing information technology servicesand enterprises providingcyber informationsecurity services shall:

1.Cooperate with the manager of information system in surveillance at the request of theMinistry of Information and Communications.

2.Provide information on infrastructure, techniques and network system, provide technical assistance at the request of theMinistry of Information and Communicationsto serve the surveillance of theMinistry.

3.Carry out the tasks of surveillance prescribed in Article 7 of the Prime Minister’s Decision No.05/2017/QD-TTg.

Article7. Individuals and departments in charge of surveillance and warning

1.The manager of an information system shall appoint individuals or departments to take charge of surveillance and warning ofcyber informationsecurity and cooperate with competent authorities affiliated to theMinistry of Information and Communications.

2.Individuals and departments in charge of surveillance shall provide and access informationpromptlyand continuously and carry out surveillance within their information systems.

3. Individuals and departments in charge of surveillanceshall provide information via one or multiple manners such asofficial dispatchs, emails, telephone, fax, or exchange on a specialized communications software to ensure information security.

4.Information on an individual or a department in charge of surveillance includes name of individual, name of department, position, address, landline phone and mobile phone numbers, email and digital signature (if any).

Article8. Information exchange, provision and sharing

1.Individuals and departments in charge of surveillance are encouraged to exchange and provide information for each other in order to cooperate in surveillance, warning of and response to incidents and increase the initiative in dealing with risks to, methods and tricks of intrusions intocyber informationsecurity of organizations and individuals.

2.Information that may be shared, provided or exchanged including information on cyber informationsecurity intrusions, risks and incidents; methods, tricks and origins of intrusions; effects caused by incidents and management and technical methods for dealing with these risks, intrusions and incidents.

3.Principles of information exchange, provision and sharing

a) Appropriate management and technical methods are applied promptly and accurately to ensure security of exchanged information;

b) Exchanged information is actively verified to ensure its accuracy;

c) One or multiple manners for exchanging information such as website official dispatch, emails, messages, telephone or fax are used

d) When the information is exchanged with competent authorities affiliated to theMinistry of Information and Communications, instructions provided by thisMinistryare followed.

Article 9.Activities for increasing surveillance capacity

1.Organizing regular briefings and seminars in terms of surveillance activities.

2.Providing training and carrying out maneuvers to increase the surveillance capacity.

3. Accelerating and inspecting surveillance and warning by specialized department in charge ofcyber informationsecurity.

4.Sharing knowledge and experience of surveillance, warning of and response to incidents.

5.Researching into and making devices for providing assistance in cooperating and exchanging information on surveillance, warning of and response to incidents.

6.Developing products and services of advanced surveillance, analysis and warning for each specific entity under surveillance.

7.Promote the development of bilateral and multilateral cooperation agreements between specialized departments in charge of cyber information security in order to increase surveillance and warning capacity.

8.Promoting international cooperation in surveillance, warning of and response to incidents.

Chapter III

SURVEILLANCE BY THE MINISTRY OF INFORMATION AND COMMUNICATIONS

Article10. Models ofsurveillance by the Ministryof Informationand Communications

1.Central surveillance:

a) The central surveillance includes the collection, surveillance, detection, analysis, processing of, report on and collection of evidence forcyber informationsecurityintrusions, risks and incidents according to data/information oncyber informationsecurity collected by direct surveillance through the basic monitoring system or indirect surveillance; storage of collected data in the form of events and centralized management of basic monitoring systems;

b) The central surveillance shall be carried out through the cyber-security surveillance system and the system for dealing withintrusions into Vietnam internet managed and operated by competent authorities affiliated to theMinistry of Information and Communicationsaccording to principles of date sharing and connection for improve the surveillance effectiveness.

2.The basic monitoring system:

a) The basic monitoring system is comprised of equipment and software able to monitor, collect, analyze and provide information on log files, status and warnings for the central surveillance to serve the analysis and detection of incidents, weakness, risks and gaps of cyber information security;

b) The basic monitoring system is provided with technical conditions and is installed in a position suitable for operating and collecting data from entities under surveillance according to instructions provided by regulatory authorities affiliated to the Ministry ofInformation and Communications;

c) The competent authorities affiliated to theMinistry of InformationandCommunicationsshall take charge and cooperate with the manager of information system in setting up, managing and operating this system in accordance with regulations of law

d) Equipment/software for basic monitoring shall be set up to connect and serve the central surveillance based on standards and technical regulations or instructions of theMinistry of Information and Communications.

Article11. Surveillanceby the Ministryof Informationand Communications

1.TheMinistry of Information and Communicationsshall monitor systems and technology and information serving the electronic government.

2.At the request of managers of information systems, theMinistry of Information and Communicationsshall monitor important information systems in need of ensuringcyber informationsecurity in conformity with actual resources.

3.The central surveillance by theMinistry of Information and Communicationsshall ensure the receipt and analysis of information on surveillance collected from the basic monitoring system, equipment and system for indirect surveillance.

4.Surveillanceby the Ministryof Informationand Communicationsincludes the following activities:

a) Selecting, managing and updating the list of entities under surveillance prescribed   in this Circular and other relevant legal documents;

b) Monitoring and watching the surveillance center, making reports on surveillance analysis; inspect andacceleratethe surveillance and surveillance;

c) Consolidating, retaining, analyzing and classifying the information and datacollected from the basic monitoring system, equipment and system for indirect surveillanceand other information sources;

d) Inspecting and analyzing evidence and data to detect unusual signs and risks tocyber informationsecurity. If the risks or incidents have not been verified, taking supplemental measures for collecting more necessary information and data in order to increase the accuracy of analysis results and warning information;

dd) Carrying out investigation and verification to determine risks and incidents happened to entities under surveillance. Analyzing and classifying cyber information security risks and incidents according to specific situation, warnings departments in charge of cyber information security, organizations operating information systems (hereinafter referred to as “operator”) and managers of information systems when detecting intrusions, risks and incidents happened to entities under surveillance;

e) Providing instructions on surveillance by managers of information systems; creating and providing instructions on connection between the surveillance systems of managers of information systems and systems for central surveillance of the Ministry of Information and Communications; maintaining the information security during the collection and analysis thereof;

g) Regularly collecting surveillance results, warning and handling of cyber information security intrusions, risks and incidents for retention and report;

h) Instructing and helping operators and managers of information systems to respond to and handle cyber information security intrusions, risks and incidents if necessary;

i) Assisting certain operators and managers of information systems in setting up basic monitoring systems in conformity with actual resources; and

k) Competent authorities affiliated to the Ministry of Information and Communications shall make annual cost estimates, approve and distribute funding provided by the state budget and other legal source of funding for carrying out surveillance activities in accordance with regulations of law and instructions provided by competent authorities and submit their cost estimates to the Minister or competent authorities for approval.

Chapter IV

RESPONSIBILITIES OF AUTHORITIES AND ORGANIZATIONS

Article12. Authority of Information Security

The Authority of Information Security shall:

1.Manage and operate the system for dealing with intrusions into the Vietnam Internet to carry out the central surveillance.

2.Consolidate surveillance results, information and data oncyber informationsecurity to serve thestate administrationin terms of information security.

3.Acceleratecompliance with basic requirements for ensuring security of information and surveillance systems in accordance with regulations of law on ensuring security of information systems by classification.

4.Take charge and cooperate with Vietnam Computer Emergency Response Team (VNCERT) in researching into establishing technical criteria and issuing detailed instructions on connection between the basic monitoring system and the system for dealing with intrusions into Vietnam Internet and requesting the Ministerof Information and Communicationstopromulgatethem.

5.Cooperate in or take charge of surveillance ofimportant information systems in need of ensuring cyber information securityat the request of managers of information systems.

Article13. VNCERT

VNCERT shall:

1. Manage and operatethe system for cyber security intrusion surveillanceto exercise the central surveillance.

2.Consolidate surveillance results, information and data on cyber information security for regulation and response to intrusions.

3.Take charge and cooperate with the Authority of Information Security in issuing instructions on surveillance procedures; organized activities for increasing the surveillance capacity;accelerate, monitor and inspect surveillance of and warnings aboutcyber informationsecurity according to assignment by theMinistry of Information and Communications.

4. Take charge and cooperate withthe Authority of Information Securityinresearching intoestablishing technical criteria and issuing detailed instructions on connection between the basic monitoring system and the system forsurveillance cyber security intrusionsand requesting the Minister of Information and Communications to promulgate them.

5.Take charge of surveillance and warning ofcyber informationsecurity applicable to information systems and technology and information services serving the electronic government. Cooperate in or take charge of surveillance important information systems in need of ensuring cyber information security at the request of their managers.

6.Consolidate and report on results of surveillance and warnings of nationalcyber informationsecurity and total upcyber informationsecurity intrusions, risks and incidents

Article 14.Managers of information systems

Managers of information systems shall:

1.Provide directions on surveillance of information systems under their management; cooperate with competent authorities affiliated to theMinistry of Information and Communicationsin carrying out surveillance in accordance with regulations of law.

2.Follow instructions of andcooperate with competent authoritiesaffiliated tothe Ministry of Information and Communications insurveillance activities.

3.Provide information on surveillance activities at the request of theMinistry of Information and Communications.

4.Submit reports on surveillance results every 6 months using the specimen prescribed in Appendix 2 or at the request of theMinistry of Information and Communications.

5.Prepare backup ports and interface at internet connection points according to the prescribed technical criteria to set up surveillance points of the Ministry of Information and Communication Point if necessary.

6. Managers of information systemsmonitored by theMinistry of Information and Communicationsshall:

a) Determine and make lists of systems and entities under surveillance and provide relevant technical information thereon and send them to theMinistry of Information and Communications;

b) Implement their surveillance systems in accordance with regulations of this Circular and relevant regulations of law; cooperate in providing information on infrastructure and information systems under surveillance and provide technical assistance at the requests of competent authorities affiliated to theMinistry of Information and Communications;

c) Assign staffs to receive warnings about and deal withcyber informationsecurity intrusions, risks and incident at the warnings or requests of competent authorities affiliated to the Ministry of Information and Communications;

d) Regularlygetresults of handling of cyber information securityintrusions,risks and incidents for retention and report;

7.Make annual cost estimates, approve and distribute fundinggranted bythe state budget and other legal source of funding forcarrying outsurveillance in accordance with regulations of law and instructions bycompetent authorities.

Chapter V

IMPLEMENTATION

Article15. Effect

1.This Circular takes effect on January 15, 2018.

2.Any problem arising during the implementation of this Circular should bepromptlyreported to theMinistry of Information and Communicationsfor instructions and amendments.

The Minister

Truong Minh Tuan