Decision No. 1017/QD-TTg dated August 14, 2018 of the Prime Minister on approving the Schemes for surveillance of cyber information security applied to e-government information and technology services and systems up to 2020, with visions toward 2025

THE PRIME MINISTER 

DecisionNo. 1017/QD-TTg dated August 14, 2018 of the Prime Minister on approving Schemes for surveillance of cyber information security applied to e-government information and technology services and systems up to 2020, with visions toward 2025

Pursuant to the Law on Organization of the Government dated June 19, 2015;

Pursuant to the Law on Information Technology dated June 29, 2006;

Pursuant to the Law on Cyber Information Security dated November 19, 2015;

Pursuant to Decree No. 85/2016/ND-CP dated July 1, 2016 of the Government on security of information systems by classification;

Pursuant to Decision No. 05/2017/QD-TTg dated March 16, 2017 of the Prime Minister providing for emergency response plans to ensure national cyber information security;

Pursuant to Resolution No. 36a/NQ-CP dated October 14, 2015 of the Government on E-Government;

At the request of the Minister of Information and Communications,

HEREBY DECIDE:

Article 1.Granting approval for the Scheme for surveillance of cyber information security for e-government information and technology services and systems up to 2020, with visions towards 2025 (hereinafter referred to as "Scheme") with the primary following contents:

I. OBJECTIVES

1.Visions towards 2025:

a) To exaggerate the surveillance extent and increase the capacity to carry out surveillance of cyber security and information system security (hereinafter referred to as “surveillance of cyber information security") of the Center for surveillance of national cyber information security (hereinafter referred to as “the national surveillance center”) of the Vietnam Computer Emergency Response Team (hereinafter referred to as “the VNCERT”), ministries, ministerial agencies, provinces and centrally-affiliated cities, Internet service providers (hereinafter referred to as “ISPs”) for the purpose of improving capacity for early detection and accurate and timely warning of events, incidents, signs, malicious codes, risks, weaknesses or holes that are likely to cause cyber information insecurity for e-government information systems and information technology services (hereinafter referred to as “e-government information systems").

b) To enhance the systematization and synchronization and normalize the surveillance of cyber information security for e-government information systems nationwide, increase efficiency and capacity to discover and response to cyber-attacks and incidents regarding cyber information security towards development of sustainable e-government information systems.

c) To develop a network for surveillance of national cyber information security, ensure close and efficient association, connection and cooperation between concentrated surveillance provided by the national surveillance center and the ISPs and local surveillance carried out by information system managers.

d) To create a group of experts for professional and disciplinary surveillance of cyber information security.

2.Particular objectives:

a) To refine and develop the cyber information security surveillance system at VNCERT into a Center for surveillance of national cyber information security for the purpose of improving the efficiency in connecting, collecting and analyzing data for concentrated surveillance of information security applied to e-government information systems of ministries and local authorities.

b) To improve local surveillance and monitoring capacity, ensure consistency in application of standards for information connection and exchange between the national surveillance center and local surveillance and monitoring systems in pursuit of surveillance of cyber information security for e-government information systems of ministries and local authorities.

c) To ensure regular update and upgrade on the cyber information security surveillance system with the aim of increasing the proactivity in response to cyber-attacks and timely adapting to continuous changes in technology.

d) To fulfill all requirements for techniques and plane in order to install local monitoring equipment on the Internet system provided by the ISPs which is connected to the national surveillance center To enhance surveillance of cyber information security for the Internet services provided by the ISPs related to e-government information systems.

dd) To improve competencies and create a group of experts serving surveillance of cyber information security for e-government information systems through training in professional skills and techniques. To promote information sharing and cooperation among entities involved in cyber information security for e-government information systems, in particular, and for mandatory national information infrastructures, in general.

II.TASKS AND SOLUTIONS

1.Developing and completing a regulatory and institutional framework as a fully legal basis for carrying out surveillance of cyber information security for e-government information technology services and systems.

a) Formulate and issue policies, regulations and guidelines on surveillance of cyber information security, ensure consistency in surveillance carried out by the Ministry of Information and Communications, relevant ministries, local authorities, ISPs and relevant organizations, establish norms, standards and technical documents regarding surveillance and assurance of cyber information security and guiding documents on investment in local surveillance and monitoring systems and carry out surveillance of cyber information security for e-government information systems.

b) Employ direct and indirect surveillance methods under the guidance of the Ministry of Information and Communications and VNCERT.

c) Synchronically operate technical systems for surveillance of cyber information security for e-government information systems, including the national surveillance center located at VNCERT, local surveillance and monitoring systems of ministries and local authorities and surveillance and monitoring systems set up in facilities of ISPs on a basis of maximizing the use of current equipment in conjunction with new investment, reform and additional provision to ensure connectivity, synchronization and coverage.

d) Develop, issue and apply technical standards and solutions to ensure continuous, stable and efficient information exchange and connection between the surveillance system for national cyber information security and local surveillance and monitoring systems of ministries and local authorities.

dd) Formulate and issue financial policies and restrictions, and necessary requirements for ensuring resources and efficiency in surveillance of cyber information security for e-government information systems.

e) Formulate and submit an incentive policy and special financial mechanism intended for personnel carrying out surveillance of cyber information security, the national surveillance center and departments of management and operation of local surveillance and monitoring systems for the purpose of developing human resources for surveillance, coordination and emergency response and assurance of cyber information security for e-government information systems.

2.Increasing the capacity of the center for surveillance of national cyber information security serving e-government

a) Invest in expansion, upgrade and provide additional resources for operation of the national surveillance center under the management of VNCERT, enhance direct and indirect surveillance systems with the aim of exaggerating the surveillance extent, increasing detecting and warning capacity and dealing with attacks, incidents, malicious codes, weaknesses, holes or risks leading to cyber information insecurity for e-government information systems. Carry out direct surveillance for e-government information technology services and systems of ministries and local authorities. Conduct survey and select several mandatory classed 3 e-government information systems and higher rank and mandatory national information systems eligible for direct surveillance towards nationwide surveillance.

b) Cooperate and assist in installation of local surveillance and monitoring systems in ministries and local authorities and facilities of the ISPs for the purpose of connecting and sharing information, journal and data on the national surveillance center serving the surveillance of cyber information security for e-government information systems, collect and analyze information and data from the ISPs for early detection and warning of cyber information insecurity risks. Invest in and establish equipment systems, and carry out inspection, assessment and surveillance of cyber information security for e-government information systems for the purpose of timely warning of risks, holes and weaknesses of those systems.

c) Invest in, refine and provide additional hardware and software, and carry out regular maintenance of systems of the national surveillance center. Hire and maintain the Internet and data transmission channel strong enough to ensure connection between the national surveillance center, ministries, local authorities and the ISPs. Update and purchase additional models of malicious codes, information on incidents, holes, attack techniques and technologies related to cyber information security from providers for the purpose of increasing the capacity to identify cyber incidents or cyber-attacks of the national surveillance center.

d) Collect, store, analyze and establish a database and system for sharing reports, warning of risks, incidents or conditions regarding cyber information security of e-government, create an information database and surveillance database and report the results of incident analysis serving research, analysis and handling of potential cyber information insecurity. Organize dissemination in order to instruct and attract organizations, enterprises and people to participate in surveillance of cyber information security.

dd) Increase the number of personnel and hire additional experts in information security in order to ensure continuity of 24/7 surveillance of cyber security, monitor, analyze, investigate, confirm and timely warn of attack signs and incidents regarding cyber information security of e-government information systems.

3.Enhancing efficiency in operation of local monitoring systems and local systems for surveillance of cyber security of ministries and local authorities

a) Ministries and local authorities shall invest in establishment or lease a service provider to establish and maintain local monitoring and surveillance systems for the purpose of surveillance of cyber information security for e-government information systems under management; organizations assigned to manage and operate mandatory national information systems and State-owned corporations shall, on their own initiative, create systems or hire a service provider to establish systems for monitoring and surveillance of information systems under management; and agencies shall invest in purchase of hardware and software suitable for subjects under surveillance according to actual requirements and connect their local monitoring and surveillance systems with the system for surveillance of national cyber information security under the guidance of the Ministry of Information and Communications and VNCERT.

b) Cooperate and ask for instructions of the Ministry of Information and Communications and VNCERT in case of investment in new establishment or lease, purchase or operation of local monitoring and surveillance systems, and adopt technical and connecting procedures uniformly as regulated by the Ministry of Information and Communications serving surveillance of cyber information security for e-government information systems.

c) Fulfill technical conditions as required by the Ministry of Information and Communications and VNCERT in order for the national surveillance center to carry out direct or indirect surveillance of classed 3 e-government information systems and higher rank and mandatory national information systems under management Information system owners, information systems management and operation agencies, ISPs and organizations and enterprises in charge of management of mandatory national information systems are required to provide technical information on information infrastructure and systems, applications, services, IP address, point allocation, connectors and technical requirements, and configuration or installation of necessary equipment as required by the VNCERT in order for the national surveillance center to run monitoring systems and carry out direct or indirect surveillance of e-government information systems and other mandatory information systems under its management. Provide surveillance information, journal and data and closely cooperate with relevant agencies in fulfilling requirements of the VNCERT for surveillance, emergency response and assurance of cyber information security for e-government information systems and mandatory national information systems.

d) Offer training courses for improving knowledge and skills of personnel for surveillance of cyber information security and raising awareness as well as broadening knowledge of information security of users and officials relating to e-government information systems Ministries and local authorities shall increase the number of personnel and leased technical service providers to carry out surveillance and assurance of cyber information security for e-government information systems.

dd) Invest in and develop equipment systems, and carry out regular inspection, assessment and surveillance of cyber information security for e-government information systems under management.8 Carry out inspection and assessment of operation of systems for monitoring and surveillance of local cyber information security and connection, cooperation, exchange of surveillance information and data as well as warning of cyber information security incidents with the national surveillance center every 6 months and every year, then send reports to the Ministry of Information and Communications (VNCERT) which are then consolidated and submitted to the Prime Minister.

4.Enhancing surveillance of cyber information security carried out by the ISPs and e-government service and system providers

a) The ISPs and infrastructure service providers and data and information technology centers related to e-government information systems must establish and increase the number of systems for monitoring and surveillance of cyber information security for cyber systems, data centers and information technology systems under their management. Enterprises and ISPs shall carry out surveillance of cyber information security for their transmission channels, Internet services, data center services and information technology systems and services provided for the e-government of ministries and local authorities and connect as well as synchronize with the national surveillance center under the guidance of the VNCERT. The aforesaid entities shall send quarterly and irregular reports on surveillance results and information on cyber information security incidents concerned as required by the VNCERT. Connect, provide and share information, data and journals concerning the national surveillance center as required by the VNCERT for the purpose of analysis and surveillance of information security.

b) Provide technical information on cyber systems, point allocation, connectors, technical requirements and establishment and configuration of transmission lines and equipment as required by the VNCERT in order for the national surveillance center to develop local monitoring systems and collect information and data from the Internet systems and data centers and systems provided by enterprises and ISPs for the purpose of analysis and surveillance of cyber information security. Assist and closely cooperate and fulfill requirements of the VNCERT for surveillance, emergency response and assurance of cyber information security for e-government information systems.

c) Assist and cooperate in carrying out surveillance of cyber information security for Internet services provided by the ISPs, share information, data and journals concerning surveillance of cyber information security among the ISPs, enterprises and the VNCERT, and closely cooperate with the VNCERT and managers of e-government systems in surveillance of cyber information security and coordinate rescue from incidents relating to the Internet services or information technology services and systems serving the e-government provided by ISPs and enterprises themselves.

5.Creating and developing human resources for surveillance and assurance of national cyber information security

a) The VNCERT shall establish standards for job titles and positions, certificate of skills and techniques in information security, surveillance and emergency response and regulations on training, examination and issuance of certificates to technical personnel, officials and experts in information security, surveillance, analysis, emergency response and assurance of cyber information security then send them to the Ministry of Information and Communications for promulgation.

b) Develop and launch projects and programs for training and developing human resources for surveillance, emergency response and assurance of cyber information security, offer training courses, set examinations and grant certificates as well as offer training and practice programs for improving professional knowledge, skills and techniques to personnel and experts working in regulatory agencies and members of the response team for incidents relating to national cyber information security.

c) Promote research, catch up with scientific and technological achievements and seek domestic technological solutions, assist enterprises in developing domestic products, carry out inspection and assessment of domestic information security products and issue certificates as well as offer recommendations in order for state-owned enterprises to select domestic products passing the inspection to be used in contract packages, purchasing projects or investment in information security and information technologies serving the e-government, in particular, and regulatory agencies, in general.

d) Invest in development of high-qualified personnel in combination with lease of experts for surveillance, analysis and warning of cyber information insecurity risks and assistance in dealing with incidents of e-government information systems, create and develop a group of high-qualified experts working for organizations and enterprises with the aim of studying and developing information security technologies and solutions serving surveillance and assurance of cyber information security for e-government information systems.

dd) Encourage state-owned enterprises to hire technical service providers and personnel to carry out surveillance of cyber information security for e-government information systems.

III.FUNDING

1.Funding sources

Funding for the scheme shall be allocated from the following sources:

-State budget (including central government budget and local government budget) according to current decentralized budget management which is allocated in annual estimate given to ministries, central government authorities and local authorities in accordance with provisions of the Law on State Budget Integration between funding for national programs for high-tech development and those for national product development programs shall be prioritized.

-Fund for Vietnam public telecommunications services as per law provisions

-Revenues of agencies permitted to be remained by those agencies as regulated

-Other legal funding sources such as non-refundable aid, aid from organizations and individuals and other community funding sources

2.Funding allocation principles

a) Funding from central government budget and other funding sources under central management shall be allocated for tasks and projects herein by ministries, ministerial agencies, Governmental agencies and central government authorities and other tasks as prescribed in the Appendix issued thereto. According to the given tasks, ministries, ministerial agencies, Governmental agencies and central government authorities shall prepare plans, projects and funding estimate as well as carry out procedures for approving and allocating funding from central government budget and other funding sources under central management as per provisions of laws in force.

b) Local government budget and other funding sources under local management shall be allocated for projects and tasks herein by local government authorities; People s Committees of provinces and centrally-affiliated cities, according to the given tasks, shall prepare plans, projects and funding estimate, and grant approval as authorized or submit those plans and estimate to the People s Council for approving and allocating funding from local government budget and other funding sources under local management as per provisions of the law in force.

c) Funding sources from non-refundable aid, scientific and technological development, national programs for high-tech development and national product development programs shall be prioritized for development of domestic products and services relating to information security solutions and other projects and tasks mentioned in this Decision.

d) With regard to tasks funded by state budget, according to tasks specified in this Decision, agencies shall make annual funding estimate and include it in their own funding plan which is then sent to financial agency of the same level for consolidation and submission for estimate approval and funding allocation as per provisions of the Law on State Budget.

3.Including tasks and projects funded by the Vietnam public telecommunications service fund prescribed in this Decisions, especially tasks and projects specified in Appendix II in public telecommunications service provision programs for launching purpose According to the given tasks, the Ministry of Information and Communications shall prepare specific plans and projects as well as make funding estimate and carry out procedures for approving such estimate and allocating funding as regulated.

Projects and tasks not funded by the Vietnam public telecommunications service fund shall be considered to receive funding from central government budget. The Ministry of Planning and Investment and Ministry of Finance shall cooperate with the Ministry of Information and Communications in carrying out necessary review of projects and tasks stated in Appendix I and II issued thereto for the purpose of including those tasks and projects in the budget plan and public investment plan up to 2020 and those during 2021 – 2025 in pursuit of allocating funding or providing additional funding for implementation.

IV.IMPLEMENTATION

1.Ministries, local authorities and other enterprises and organizations shall:

a) Carry out surveillance of cyber information security prescribed in Clause 1, 3, 4 and 5 in Part II and other relevant tasks herein according to contents of this Decision, guiding documents on surveillance of cyber information security provided by the Ministry of Information and Communications, Vietnam E-Government Architecture Framework, ministerial e-government architecture and provincial e-government architecture.

b) Carry out inspection and assessment, and send reports on a six-month basis and annual and irregular reports on implementation of this Decision under the guidance and requirement of the Ministry of Information and Communications which are then consolidated and submitted to the Prime Minister.

c) Ensure funding (including expenditures on development investment and recurrent expenditures) for tasks and projects herein and increase the number of leased service providers to carry out surveillance of cyber information security for fields under management.

d) Agencies and organizations in charge of management and operation of national database and mandatory national information systems and state-owned corporations in charge of management of mandatory information systems in key fields prioritized for cyber information security shall carry out surveillance of cyber information security for their own systems as prescribed in Clause 3, 4 and 5 Part II and other relevant contents in this Decision.

dd) The ISPs, hosting agencies and data and service centers for lease of software, systems, equipment, services of information technology, information security, e-payment and public online services serving e-government systems must carry out surveillance of cyber information security for concerned services in accordance with regulations and guiding documents issued by the Ministry of Information and Communications.

2.The Ministry of Information and Communications shall:

a) Preside over and cooperate with ministries, local authorities and relevant agencies and enterprises in implementing this Decision, urging for implementation, carrying out inspection and periodical assessment of results of such implementation and send those results to the Prime Minister as well as propose adjustments or amendments to this Decision where necessary.

b) Establish a Steering Committee for coordinating, urging, inspecting and directing the implementation of this Decision and controlling the cooperation and sharing regarding surveillance of cyber information security of which the chairman is the representative of the Ministry of Information and Communications and the standing department of such Steering Committee is the VNCERT affiliated to the Ministry of Information and Communications. Preside over performance of the tasks herein at the national level.

c) Preside over and cooperate with relevant agencies and organizations in performing tasks prescribed in Clause 1, 2 and 5 Part II and other relevant tasks herein.

d) Provide guidelines and cooperate with ministries, local authorities and relevant enterprises and agencies in performing tasks prescribed in Clause 3 and 4 Part II and other tasks herein.

dd) Instruct the VNCERT to perform the national coordination in respect of surveillance of information security for e-government information systems, enhance the operation of the national surveillance center, develop programs and offer training and practicing courses in surveillance, warning, emergency response and prevention and control of cyber-attacks  according to the reality, and perform other tasks herein.

3.The Government’s Office shall:

a) Preside over and cooperate with the Ministry of Information and Communications in investment and refine in local monitoring and surveillance equipment systems serving surveillance of e-government information systems in the Government’s Office.

b) Cooperate with the Ministry of Information and Communications in performing given tasks as prescribed in Clause 3 Part II and other relevant tasks herein.

4.The Ministry of Finance shall:

a) Balance and allocate funding from state budget for recurrent expenditure for the purpose of performing tasks and running projects herein.

b) Preside over and cooperate with the Ministry of Information and Communications in providing guidelines for making state budget estimate, managing and using state budget to perform tasks and launch projects herein. Cooperate with the Ministry of Information and Communications in performing tasks prescribed in point dd Clause 1 Part II herein.

5.The Ministry of Planning and Investment shall:

a) Allocate funding from state budget for expenditures on development investment for the purpose of performing tasks and running projects herein.

b) Preside over and cooperate with the Ministry of Information and Communications in considering and including additional tasks or projects herein in public investment plans and programs and target programs for information technology, and relevant plans and programs as well as balance and allocate funding sources for the purpose of accelerating the implementation progress

6.The Ministry of Science and Technology shall:

a) Preside over and cooperate with the Ministry of Information and Communications and relevant ministries and local authorities in conducting research on standards, technologies, solutions and products serving surveillance of cyber information security for e-government information systems.

b) Preside over and cooperate with relevant competent authorities in considering and allocating scientific and technological funding sources and other sources from national programs for high-tech development and national product development programs for tasks and projects herein. Foster research and catch up with scientific and technological achievements, develop and assist in use of domestic information security solutions, products and services.

7.The ISPs and information technology and infrastructure service providers shall:

a) Proactively cooperative with the VNCERT and competent authorities of ministries and local authorities in investing in and carrying out surveillance of cyber information security prescribed in Clause 4 Part II and performing other relevant tasks herein.

b) Offer training and practicing courses for the purpose of improving skills for personnel carrying out surveillance and assurance of cyber information security under management according to training programs, standards and certificates provided by the Ministry of Information and Communications.

c) Carry out quarterly, annual or irregular inspection and assessment, and send reports on results of surveillance of cyber information security for the systems under management and performance of tasks given herein to the VNCERT, Ministry of Information and Communications which are then consolidated and submitted to the Prime Minister.

d) Ensure funding for performance of the tasks given herein.

Article 2.This Decision takes effect on the signing date.

Article 3.Ministers and Directors ofministerial agencies, Governmental agencies, Chairman of People s Committees of provinces and centrally-affiliated cities, the ISPs and relevant organizations and individuals enterprises shall take responsibility to implement this Decision./.

For the Minister

The Deputy Minister

Vu Duc Dam

APPENDIX I

LIST OF SEVERAL PROJECTS AND TASKS FUNDED BY CENTRAL GOVERNMENT BUDGET
(Issued together with Decision No.1017/QD-TTg dated August 14, 2018 of the Prime Minister)

APPENDIX II

LIST OF SEVERAL PROJECTS AND TASKS PRIORITIZED FOR FUNDING FROM VIETNAM PUBLIC TELECOMMUNICATIONS SERVICE FUND
(Issued together with Decision No.1017/QD-TTg dated August 14, 2018 of the Prime Minister)

Note:The aforesaid projects and tasks are set for assistance in adoption of solutions for enhancing secured and reliable communication in establishment of cyber systems and provision of telecommunications services for community and Steering Committees of government authorities of various levels (according to task no.5 prescribed in point b clause 1 Section IV Article 1 of Decision No.1168/QD-TTg dated July 24, 2015 of the Prime Minister which grants approval for public telecommunications service provision program up to 2020.)