Decree 53/2022/ND-CP detailing the Law on Cyber Security

ATTRIBUTE

Decree No. 53/2022/ND-CP dated August 15, 2022 of the Government detailing a number of articles of the Law on Cyber Security
Issuing body: Government
Official number: 53/2022/ND-CP
Signer: Vu Duc Dam
Type: Decree
Issuing date: 15/08/2022
Expiry date: Updating
Fields: National Security

SUMMARY

Information system logs must be stored for at least 12 months

This notable provision is prescribed by the Government in Decree No. 53/2022/ND-CP dated August 15, 2022, detailing a number of articles of the Law on Cyber Security.

Accordingly, a dossier of request for including an information system in the List of information systems of national security importance comprises: A written request for including information systems in the List of information systems of national security importance; Document providing the list of all information systems of agencies and organizations and attached supporting documents.

Besides, managers of information systems of national security importance shall, based on regulations on protection of cyber security, state secrets, work secrets, technical regulations and standards on cyber security, and relevant professional technical standards, formulate regulations, processes and plans for protection of cyber security for information systems of national security importance under their management.

Notably, system logs serving the investigation and handling of violations against the law on cyber security must be stored for at least 12 months. Prescribed data shall be stored from the time on which the enterprise receives the request for data storage to the time the request ends; the minimum storage duration is 24 months.

This Decree takes effect from October 01, 2022.

LuatVietnam.vn is the SOLE distributor of English translations of Official Gazette published by the Vietnam News Agency

THE GOVERNMENT
__________

No. 53/2022/ND-CP

THE SOCIALIST REPUBLIC OF VIETNAM
Independence - Freedom - Happiness

__________________

Hanoi, August 15, 2022

 

 

DECREE

Detailing a number of articles of the Law on Cyber Security

_____________

 

Pursuant to the Law on Organization of the Government dated June 19, 2015 and the Law Amending and Supplementing a Number of Articles of the Law on Organization of the Government and the Law on Organization of Local Administration dated November 22, 2019;

Pursuant to the Law on National Security dated December 03, 2004;

Pursuant to the Law on Cyber Security dated June 12, 2018;

Pursuant to the Law on Cyberinformation Security dated November 19, 2015;

At the proposal of the Minister of Public Security;

The Government promulgates the Decree detailing a number of articles of the Law on Cyber Security.

 

Chapter I

GENERAL PROVISIONS

 

Article 1. Scope of regulation

This Decree details Points a, b, c, d, dd, g, i, k, and l Clause 1 Article 5, Clause 4 Article 10, Clause 5 Article 12, Clause 1 Article 23, Clause 7 Article 24, Clauses 2 and 4 Article 26, Clause 5 Article 36 of the Law on Cyber Security, including:

1. Cyber security protection measures: Conducting cyber security appraisal; assessing cyber security conditions; conducting cyber security inspection; conducting cyber security supervision; responding to and remedying cyber security incidents; using cryptography to protect cyber information; requesting the removal of unlawful or false information in cyberspace which infringes upon national security, social order and safety, or lawful rights and interests of agencies, organizations and individuals; collecting electronic data relating to activities in cyberspace which infringe upon national security, social order and safety, or lawful rights and interests of agencies, organizations and individuals; terminating, suspending or requesting the cessation of operation of information systems or revocation of domain names.

2. Grounds, order and procedures for establishment, and coordination between ministries and relevant functional sectors in appraisal, assessment, inspection, supervision, response and remediation of cyber security incidents for information systems of national security importance.

3. Cyber security conditions for information systems of national security importance.

4. Implementation of cyber security protection activities by state agencies and political organizations at central and local levels.

5. Order and procedures for cyber security inspection applicable to information systems of agencies, organizations and individuals not included in the List of information systems of national security importance according to the cases specified in Clause 1 Article 24.

6. Data storage and location of branches or representative offices in Vietnam, for enterprises specified in Clause 3 Article 26.

7. The assignment and coordination in implementing measures for protecting cyber security, preventing and handling acts of infringing upon cyber security if these measures are related to the state management of many ministries and sectors.

Article 2. Interpretation of terms

In this Decree, the terms below are construed as follows:

1. Personal information means data about information in the form of symbols, letters, numbers, images, sounds or the like to identify an individual.

2. Service user means an organization or individual participating in using services in cyberspace.

3. Service user in Vietnam means an organization or individual using cyberspace in the territory of the Socialist Republic of Vietnam.

4. Data on relationships of service users means data about information in the form of signs, letters, numbers, images, sounds or the like that reflects and identifies the relationships of service users with others in cyberspace.

5. Data created by service users in Vietnam means data about information in the form of signs, letters, numbers, images, sounds or the like that reflects the participation, operation and use of the cyberspace by service users and information about devices and network services used to connect with the cyberspace within the territory of the Socialist Republic of Vietnam.

6. Services in telecommunications networks mean telecommunications services or telecommunications application services in accordance with law provisions.

7. Services in the Internet mean Internet services and services providing contents in the Internet in accordance with law provisions.

8. Value-added services in the cyberspace mean value-added telecommunications services in accordance with law provisions.

9. Professional cyber security protection force includes:

a) Department of Cyber Security and Hi-tech Crime Prevention under the Ministry of Public Security;

b) Military Security Department under the General Political Department and Cyberspace Command under the Ministry of National Defence.

10. Managers of information systems of national security importance mean agencies and organizations competent to directly manage information systems of national security importance, including:

a) Ministries, ministerial-level agencies, and government-attached agencies;

b) People’s Committees of provinces and centrally-run cities;

c) Political organizations at central levels;

d) Authorities competent to decide on projects of construction investment, establishment, upgrade and expansion of information systems of national security importance.

11. Domestic enterprises mean enterprises established or registered to establish in accordance with Vietnamese laws of which headquarters are located in Vietnam.

12. Foreign enterprises mean enterprises established or registered to establish in accordance with foreign laws.

 

Chapter II

MAKING A LIST OF, COORDINATION MECHANISM, AND CYBER SECURITY CONDITIONS TO PROTECT INFORMATION SYSTEMS OF NATIONAL SECURITY IMPORTANCE

 

Section 1

MAKING A LIST OF INFORMATION SYSTEMS OF NATIONAL SECURITY IMPORTANCE

 

Article 3. Grounds for establishing information systems of national security importance

Information systems of national security importance means information systems of state agencies and political organizations of the Socialist Republic of Vietnam, including:

1. National important information system as prescribed by the Law on Cyberinformation Security.

2. Information systems serving the direction and administration of national security-related important works as prescribed by laws.

3. Information systems serving the direction, administration and control of operation of national security-related important telecommunications works as prescribed by laws.

4. Information systems in the fields prescribed in Clause 2 Article 10 of the Law on Cyber Security, which, if encountering incidents, being hacked, taken control of, disrupted, interrupted, paralyzed or sabotaged, will cause one of the following consequences:

a) Directly affecting the independence, sovereignty, and territorial integrity of the Fatherland, the existence of the regime and the State of the Socialist Republic of Vietnam;

b) Causing serious consequences to national defense, security, foreign affairs, weakening the ability to defend and protect the Fatherland;

c) Causing serious consequences to the national economy;

d) Causing disaster to human life and ecological environment;

dd) Causing serious consequences to operations of special construction works as decentralized by the construction law;

e) Causing serious consequences to the planning of undertakings and policies within the scope of state secrets;

g) Seriously affecting the direction of Party and State agencies at central level.

Article 4. Compilation of dossiers of request for including information systems in the List of information systems of national security importance

1. Managers of information systems shall be responsible for reviewing their systems against the provisions of Clause 4 Article 3 of this Decree and compiling dossiers of request for including information systems under their management in the List of information systems of national security importance.

2. Regarding information systems in the List of information systems of national security importance:

a) The Ministry of Information and Communications shall be responsible for sending the Ministry of Public Security dossiers of information systems of national security importance approved by the Prime Minister to make the List of information systems of national security importance;

b) In cases prescribed at Point a Clause 2 of this Article, managers of information systems of national security importance are not required to compile the dossiers of request for including them in the List of information systems of national security importance;

c) The Ministry of Public Security shall be responsible for including national important information systems in the List of information systems of national security importance according to the prescribed order and procedures; notify the managers of such information systems the inclusion of such information systems in the List of information systems of national security importance and take the corresponding responsibilities.

3. In the course of appraisal of security grades of information systems, if it deems that there is sufficient evidence to include information systems in the List of information systems of national security importance, the Ministry of Information and Communications shall be responsible for transferring dossiers to the Ministry of Public Security for appraisal of dossiers of request for including information systems in the List of information systems of national security importance.

4. Professional cyber security protection forces shall, based on their assigned functions and tasks, review information systems with grounds appropriate with Article 3 of this Decree and request managers of information systems to compile dossiers of request for including information systems under their management in the List of information systems of national security importance.

5. Dossiers of request for including information systems in the List of information systems of national security importance:

a) A written request for including information systems in the List of information systems of national security importance (Form No. 01 provided in the Appendix);

b) Document providing the list of all information systems of agencies and organizations (Form No. 02 provided in the Appendix);

c) Attached supporting documents, including: Documents describing and explaining the overview of the information system; construction design documents approved by competent authorities or documents of equivalent value; documents proving the conformity with the grounds for proposing to put the information system on the list of information systems of national security importance; documents explaining information system protection plan (plan to ensure network infrastructure safety; server safety; application safety; database safety; management policy; organization and personnel; design and construction management; operation management; inspection, assessment and risk management).

6. An original dossier of request for including information systems in the List of information systems of national security importance shall be made and sent to:

a) Department of Cyber Security and Hi-tech Crime Prevention under the Ministry of Public Security, except for provisions of Points b and c of this Clause;

b) Cyberspace Command under the Ministry of Defence, for military information systems;

c) Government Cipher Committee, for cipher information systems under Government Cipher Committee.

7. Agencies receiving dossiers mentioned in Clause 6 of this Article shall be responsible for giving written opinions on the received dossiers (using Form No. 03 provided in the Appendix).

Article 5. Appraisal of dossiers of request for including information systems in the List of information systems of national security importance

1. The Department of Cyber Security and Hi-tech Crime Prevention under the Ministry of Public Security shall appraise the dossiers of request for including information systems in the List of information systems of national security importance according to regulations, except for the cases specified in Clauses 2 and 3 of this Article.

2. The Cyberspace Command under the Ministry of Defense shall provide guidance on compilation of dossiers, receipt and appraisal of dossiers of request for including military information systems in the List of information systems of national security importance.

3. The Government Cipher Committee shall appraise dossiers of request for including information systems of the Government Cipher Committee in the List of information systems of national security importance.

4. Appraisal council shall appraise dossiers of request for including information systems in the List of information systems of national security importance:

a) For information systems of national security importance related to many sectors and fields, or the appraisal requiring opinions of many ministries and functional sectors;

b) Appraisal council shall work on a part-time basis and automatically dissolve upon completion of its tasks. Based on the nature and role of the information system, members of the Appraisal council may include the Ministry of Public Security, the Ministry of National Defence, the Ministry of Information and Communications, the Government Cipher Committee, and relevant agencies and units. Depending on each specific case, the Appraisal council shall invite the managers of the information system to attend the appraisal meeting;

c) The Appraisal council shall be responsible for appraising the security grades of information systems and dossiers of request for including information systems in the List of information systems of national security importance.

5. Results of the Appraisal council's meeting shall be used to serve the cyber security and cyberinformation security works.

6. In case it is necessary to verify the information in the dossier and the actual status of the information system mentioned in the dossier, the appraising agency specified in Clauses 1, 2 and 3 of this Article shall conduct a physical inspection and survey to appraise the proposal to put the information system on the List of information systems of national security importance. Duration for physical inspection and survey must not exceed 20 days.

Survey results shall be made in a record certified by the appraising agency and manager of the information system.

7. The manager of information system shall coordinate and facilitate the appraisal, survey, inspection and supplement the dossier upon request of the appraising agency.

8. Order and procedures for appraisal of dossiers:

a) Duration of appraisal of a dossier is 30 days from the date on which the complete and valid dossier of request for including the information system in the List of information systems of national security importance is received or from the date of completing the survey process as prescribed in Clause 6 of this Article;

b) Duration for certifying the validity of the dossier is 3 working days after receiving the complete dossier of request for including the information system in the List of information systems of national security importance;

c) Ending the appraisal period, the appraising agency shall complete the dossier requesting the Minister of Public Security and the Minister of National Defence and submit it to the Prime Minister to promulgate and update decisions according to the assigned functions and tasks. Concurrently, issue a written notice on appraisal result to the manager of the information system (made according to Form No. 04 provided in the Appendix);

d) The Minister of Public Security and the Minister of Defence shall decide on extending the appraisal duration. The extension period must not exceed 20 days.

9. The Ministry of Public Security shall assume the prime responsibility for, and coordinate with the Ministry of National Defence and the Government Cipher Committee in, reaching an agreement on mechanism and submit it to the Prime Minister to issue a decision on establishing and updating the List of information systems of national security importance.

Article 6. Excluding information systems from the List of information systems of national security importance

1. In case it deems that the information systems of national security importance under the management no longer satisfy the grounds specified in Article 3 of this Decree, the managers of such information systems of national security importance shall compile a dossier of request for excluding information systems from the List of information systems of national security importance.

2. On an annual basis, the professional cyber security protection forces shall, based on their functions and tasks, review information systems with criteria no longer appropriate with Article 3 of this Decree and request the managers of information systems to compile dossiers of request for excluding information systems under their management from the List of information systems of national security importance.

3. A dossier of request for excluding information systems from the List of information systems of national security importance comprises:

a) A written request for excluding information systems from the List of information systems of national security importance (Form No. 05 provided in the Appendix);

b) Other necessary documents directly relating to the request for excluding information systems from the List of information systems of national security importance.

4. The order, procedures and competence to consider and decide on excluding information systems from the List of information systems of national security importance shall comply with the provisions on order, procedures and competence to consider and decide on including information systems in the List of information systems of national security importance.

Article 7. Coordination in appraisal, assessment, inspection, supervision, response and remediation of incidents of information systems of national security importance

1. The protection of cyber security and cyberinformation security of the information systems of national security importance shall comply with the law on cyber security and cyberinformation security.

2. Coordination principles

a) Applying the law on cyber security and cyberinformation security when conducting appraisal, assessment, inspection, supervision, response and remediation of incidents of information systems of national security importance;

b) In case where the coordination of many concerned parties is required, the Ministry of Public Security, the Ministry of National Defence and the Government Cipher Committee shall, based on the Law on Cyber Security, assume the prime responsibility for, and coordinate with the Ministry of Information and Communications and relevant ministries and sectors in, organizing the appraisal, assessment, inspection, supervision, response and remediation of incidents of information systems of national security importance according to the assigned functions and tasks;

c) The process of coordination must comply with treaties and regulations of international organizations in which Vietnam participated, the Law on Cyber Security and relevant laws, and must be carried out actively, regularly and timely according to the assigned functions, tasks and powers.

3. Coordination method

a) The Ministry of Public Security shall send a document requesting relevant ministries and sectors to assign their members to participate in the appraisal, assessment, inspection, supervision, response and remediation of incidents of information systems of national security importance;

b) Relevant ministries and sectors shall be responsible for appointing members to fully participate in activities in the course of appraisal, assessment, inspection, supervision, response and remediation of incidents of information systems of national security importance upon requests;

c) Dossiers and documents serving the appraisal, assessment, inspection, supervision, response and remediation of incidents of information systems of national security importance shall be copied and sent to participants by the Ministry of Public Security according to regulations.

4. The coordination in supervision of the information systems of national security importance in service of the protection of cyber security and cyberinformation security:

a) Data on cyber security and cyberinformation security supervision shall be shared among professional cyber security protection forces, and they shall be responsible for sharing such data with the Authority of Information Security under the Ministry of Information and Communications, for the purpose of serving the performance of the assigned functions and tasks;

b) In case where the supervision of cyberinformation security of information systems of national security importance has been performed, the supervision data shall be shared to serve the protection of cyber security and cyberinformation security;

c) Managers of information systems of national security importance shall be responsible for preparing sites, technical conditions, establishing and connecting supervision devices and systems of professional cyber security protection forces with the information systems managed by them in order to early detect and warn cyber security risks.

 

Section 2

CYBER SECURITY CONDITIONS FOR INFORMATION SYSTEMS OF NATIONAL SECURITY IMPORTANCE

 

Article 8. Conditions in terms of regulations, processes and plans for protection of cyber security for information systems of national security importance

1. Managers of information systems of national security importance shall, based on regulations on protection of cyber security, state secrets, work secrets, technical regulations and standards on cyber security, and relevant professional technical standards, formulate regulations, processes and plans for protection of cyber security for information systems of national security importance under their management.

2. Such regulations, processes and plans for protection of cyber security must specify important information and information systems to be prioritized to protect; management processes, techniques and operations in using and protecting cyber security of data and technical infrastructure; personnel conditions for those who administer the network, operate the system, ensure security, cyberinformation security and edit, store and transmit state secrets through the information systems; responsibilities of each department and individual in management, operation and use; sanctions for violations.

Article 9. Personnel conditions for those who operate and administer the systems, protect cyber security

1. Having a department in charge of operation and administration of the systems, and protection of cyber security.

2. Persons in charge of operation and administration of the systems, and protection of cyber security must possess professional qualifications in terms of cyber security, cyberinformation security or information technology; have a commitment to protect information related to the information systems of national security importance during their work and after quitting jobs.

3. Having a mechanism that independently operates among departments operating, administering and protecting cyber security of the information systems of national security importance.

Article 10. Cyber security conditions for devices, hardware and software being system components

1. Hardware devices that are system components must be tested for cyber security in order to detect security weaknesses and vulnerabilities, malware, transceivers and malicious hardware, to ensure compatibility with other components of the information systems of national security importance. Administrative devices must be installed with an operating system and clean software, with a firewall. Information systems to process state secrets shall not be connected with the Internet.

2. Products whose cyber security risks are warned or notified by professional cyber security protection forces shall not be put into use or must be taken measures for handling or remedying security weaknesses and vulnerabilities, malware and malicious hardware before putting into use.

3. Digital data and information shall be processed and stored through information systems classified as state secrets that must be encrypted or taken protective measures during the process of creation, exchange, and storage in the Internet in accordance with the law on protection of the state secrets.

4. Information technology devices, communication means, information carriers and devices serving the information systems’ operations must be managed, destroyed, or repaired according to the law and protection of state secrets, and working regulations of the managers of information systems.

5. System software, utility software, middleware, databases, application programs, source code and development tools shall be periodically reviewed and updated with patches.

6. Mobile devices and equipment with information storage function when connecting to internal networks of information systems of national security importance must be checked and controlled to ensure safety, and they shall be used only in information systems of national security importance.

7. Upon connecting, transmitting or storing, information storage devices and means must:

a) Be checked for security before connecting to the information systems of national security importance;

b) Have the connection or disconnection from devices of the information systems of national security importance controlled;

c) Be subject to measures for security assurance upon transmitting and storing, and measures for protecting information classified as state secrets that has already been stored.

Article 11. Conditions for technical measures to monitor and protect cyber security

1. Operation environment of the information systems of national security importance must satisfy the following requirements:

a) Separating from environments for development, inspection and testing;

b) Taking solutions for information security assurance;

c) Application development tools or means are not allowed to be installed;

d) Removing or turning off utility software or functions that are no longer in use or unnecessary in the information systems.

2. Regarding data of the information systems of national security importance, plans for automatic backup to external storage means appropriate to the data change frequency are required, of which arising data must be backed up within 24 hours. Backed-up data must be checked to ensure the capacity of biannual restoration.

3. The network system must satisfy the following requirements:

a) Being divided into different network areas according to users and use purposes. There must be a separate network zone for the server of the information system, a demilitarized zone (DMZ) to provide services in the Internet; a separate network zone to provide wireless services; a separate network zone for database server;

b) Having devices and software to perform the functions of controlling connection and traffic of important network zones;

c) Having solutions for controlling, and promptly detecting and preventing, untrusted or illegal connections;

d) Having plans for response to denial-of-service (DoS) attacks and other forms of attacks appropriate to the scale and nature of the information systems of national security importance.

4. Having measures and solutions for exploring and detecting timely technical weaknesses and vulnerabilities of the network system and connections, devices and software illegally installed in the network.

5. Recording and storing operational logs of the information system and users, arising errors, information security incidents at least every 3 months concentratedly, and backing up them at least every year.

6. Controlling access of users and groups of tool or device users by:

a) Registering, granting, expanding and revoking the access right of devices or users;

b) Each account must be granted for only one user; in case of using a shared account to access the information system of national security importance, approval from the competent authority is required, and individual responsibility at each using time must be determined;

c) Restricting and controlling access from administrative accounts: (i) Establishing a mechanism for controlling the creation of administrative accounts to ensure that no account is usable until obtaining approval from the competent authority; (ii) Taking measures to control the use of administrative accounts; (iii) The administrative account shall be restricted to ensure that one account is available for only one user, and it shall automatically log out after a specific period of no operation;

d) Managing and granting private code to access the information system;

dd) Reviewing, checking and re-approving the access right for the users;

e) Prescribing requirements and conditions for information security for devices and tools used to access.

Article 12. Physical security conditions

1. The information system of national security importance must be located and installed in safe places and protected to minimize risks from environmental threats and illegal access.

2. The power source of the information system of national security importance, and the supporting systems for use in case the principal power source is interrupted, must be ensured. Measures to prevent voltage drop or overload and measures for lightning protection must be taken; a grounding system, backup generator and uninterruptible power supply system must be equipped for the continuous operation of devices.

3. The information system of national security importance must have a plan and measures for protection against information collection by unmanned aerial vehicles.

4. Access to the data center of the information system of national security importance must be controlled 24/7.

 

Chapter III

ORDER AND PROCEDURES FOR APPLYING A NUMBER OF MEASURES FOR CYBER SECURITY PROTECTION

 

Article 13. Order and procedures for cyber security appraisal of an information system of national security importance

1. Cyber security appraisal of the information system in the List of information systems of national security importance shall be carried out by the professional cyber security protection force according to regulations.

2. Order for cyber security appraisal of an information system of national security importance

a) The manager of an information system of national security importance shall submit a dossier of request for cyber security appraisal to the competent professional cyber security protection force;

b) The professional cyber security protection force shall receive and check the dossier of request for cyber security appraisal, provide guidance on completing it, and grant a written receipt within 3 working days immediately after receiving the complete and valid dossier;

c) The professional cyber security protection force shall conduct the cyber security appraisal according to Clause 3 Article 11 of the Law on Cyber Security, and notify the manager of the information system of national security importance of the results within 30 days from the date of granting the written receipt.

3. A dossier of request for appraisal of the information system of national security importance comprises:

a) A written request for cyber security appraisal (Form No. 06 provided in the Appendix);

b) Prefeasibility study report, design dossier of an information system investment project before obtaining approval;

c) Scheme for upgrading the information system before being approved, in case of upgrading the information system of national security importance.

4. Where the conformity between the current status of the information system of national security importance and the dossier of request for appraisal must be determined, the professional cyber security protection force shall conduct a survey and assessment of the actual status of the information system of national security importance to compare with the dossier of request for appraisal. The physical survey and assessment must not affect the normal operation of the manager as well as the information system of national security importance. Duration for physical survey and assessment must not exceed 7 working days.

5. Cyber security appraisal results must be protected according to law provisions.

Article 14. Order and procedures for assessment of cyber security conditions of an information system of national security importance

1. Assessment of cyber security conditions of the information system in the List of information systems of national security importance shall be carried out by the professional cyber security protection force according to regulations.

2. Order for assessment of cyber security conditions of an information system of national security importance:

a) The manager of an information system of national security importance shall submit the dossier of request for assessing cyber security conditions of the information system of national security importance to the professional cyber security protection force competent to conduct assessment in accordance with Clause 3 Article 12 of the Law on Cyber Security;

b) The professional cyber security protection force shall receive and check the dossier of request for cyber security condition assessment, provide guidance on completing it, and grant a written receipt immediately after receiving the complete and valid dossier;

c) After receiving the complete and valid dossier, the professional cyber security protection force shall conduct cyber security condition assessment and notify the manager of the information system of national security importance of the result within 30 days after granting the written receipt;

d) In case the cyber security conditions are satisfied, the head of the agency assessing the cyber security conditions shall grant the certificate of satisfaction of cyber security conditions for the information system of national security importance within 3 working days after ending the assessment.

3. A dossier of request for certification of cyber security conditions of the information system of national security importance comprises:

a) A written request for cyber security certification (Form No. 07 provided in the Appendix);

b) Prefeasibility study report, design dossier of an information system investment project before obtaining approval;

c) Dossier of solution for ensuring cyber security for the information system of national security importance.

4. In case of failing to satisfy the cyber security conditions, the professional cyber security protection force shall request the manager of an information system of national security importance to supplement and upgrade it to fully meet the conditions.

Article 15. Order and procedures for cyber security supervision

1. The Department of Cyber Security and Hi-tech Crime Prevention under the Ministry of Public Security and the Cyberspace Command under the Ministry of National Defence shall be responsible for conducting cyber security supervision for the national cyberspace and information systems of national security importance according to the assigned functions and tasks. The Government Cipher Committee shall conduct cyber security supervision for its cipher information systems according to the assigned tasks and functions.

2. Order of cyber security supervision by the professional cyber security protection force:

a) Sending a written notice requesting to take measures for cyber security supervision to the information system manager. Such notice must specify the reason, time, content and scope of cyber security supervision;

b) Implementing measures for cyber security supervision;

c) Making periodic statistics and reports on cyber security supervision results.

3. Responsibilities of the manager of an information system of national security importance:

a) To develop and deploy the cyber security supervision system, and coordinate with the professional cyber security protection force in supervising the cyber security of the information systems under its management;

b) To prepare sites and technical conditions, and to establish and connect supervision devices and systems of professional cyber security protection forces with the information systems under its management to serve the cyber security supervision;

c) To provide and update information about the information systems under its management and technical plans for deploying the supervision system for the professional cyber security protection force, on a regular basis or on an irregular basis upon request of the competent professional cyber security protection force;

d) To notify the professional cyber security protection force of the supervision activities of the information system manager every 3 months;

dd) To keep relevant information confidential during the course of coordination with the professional cyber security protection force.

4. Telecommunications enterprises, enterprises providing information technology, telecommunications and Internet services shall be responsible for coordinating with the professional cyber security protection forces in supervising cyber security according to the competence in order to protect cyber security.

5. Cyber security supervision results shall be kept confidential according to law provisions.

Article 16. Order and procedures for cyber security inspection

1. The professional cyber security protection force shall conduct cyber security inspection for the information system in accordance with Clause 5 Article 13, Clause 1 Article 24 of the Law on Cyber Security. Inspection contents include: inspecting the compliance with the law on cyber security assurance and keeping state secrets in cyberspace; inspecting and assessing results of plans and measures for cyber security assurance, plans for responding to and remedying cyber security incidents; inspecting, assessing and detecting weaknesses and vulnerabilities, malware and penetration attacks on the system; other inspection and assessment prescribed by the information system managers.

2. Order and procedures for cyber security inspection by the professional cyber security protection force:

a) Notifying the cyber security inspection plan according to regulations;

b) Establishing an inspection team according to the assigned functions and tasks;

c) Conducting cyber security inspection, closely coordinating with the information system manager during the inspection;

d) Making records on the cyber security inspection process, result, and storage in accordance with law provisions;

dd) Notifying the cyber security inspection result within 3 working days after finishing the inspection.

3. In case it is required to maintain the status quo of the information for investigating, handling acts of violation, detecting weaknesses and vulnerabilities; guiding or participating in the remediation upon request of the information system manager, the professional cyber security protection force shall send a written request to the information system manager to suspend the cyber security inspection. Such a request must clearly specify the reason, purpose and time of suspending the cyber security inspection.

Article 17. Order and procedures for responding to and remedying cyber security incidents of an information system of national security importance

1. For information systems of national security importance having cyber security incidents, the following order and procedures for responding to and remedying shall be complied with:

a) The professional cyber security protection force shall notify in writing and guide the interim plan to prevent and handle the attacks, remedy consequences caused by such attacks, cyber security incidents to the manager of the information system of national security importance.

In case of emergency, it must notify by phone call or other forms before issuing a written notice;

b) The manager of the information system of national security importance shall be responsible for taking measures as guided and other appropriate measures to prevent, handle and remedy consequences immediately after receiving the notification, except for the cases specified at Point c of this Clause.

In case the incident is beyond its capacity, the manager must timely notify the professional cyber security protection force for coordination and response to the cyber security incidents;

c) In case it is necessary to immediately respond to prevent the consequences that may threaten the national security, the professional cyber security protection force shall directly decide on the coordination and response to the cyber security incidents.

2. Coordination and response to cyber security incidents by professional cyber security protection forces:

a) Assessing and deciding on plans for responding to and remedying cyber security incidents;

b) Coordinating the work of responding to and remedying cyber security incidents;

c) Presiding, receiving, collecting, processing, and exchanging information about responding to and remedying cyber security incidents;

d) Mobilizing and coordinating with relevant domestic and overseas organizations and individuals in participating in responding to and remedying cyber security incidents, if necessary;

dd) Designating a focal point to coordinate with functional units of other countries, or international organizations in responding to and remedying transnational incidents based on international agreements or treaties to which Vietnam is a contracting party;

e) Inspecting, monitoring and urging the implementation by relevant units in responding to and remedying cyber security incidents;

g) Making records on the process of responding to cyber security incidents.

3. Organizations and individuals participating in responding to and remedying cyber security incidents shall take measures and carry out activities to respond and remedy incidents according to the coordination of the professional cyber security protection forces.

4. In case of protecting national security, social security and order, telecommunications enterprises and enterprises providing Internet services shall arrange sites, connectors and necessary technical measures so that the Department of Cyber Security and Hi-tech Crime Prevention under the Ministry of Public Security can perform the cyber security assurance tasks. Specific order and procedures shall be implemented by telecommunications enterprises and enterprises providing Internet services together with the Department of Cyber Security and Hi-tech Crime Prevention under the Ministry of Public Security.

Article 18. Order and procedures for implementing the measure of using cryptography to protect cyber information

1. The professional cyber security protection force shall use the encryption measure by using cryptography to protect cyber information when transmitting information and documents containing state secrets in cyberspace. Encryption measure must meet requirements as prescribed by the law on cipher, protection of state secrets and cyber security.

2. In case of necessity for the purposes of national security, social order and security, protection of lawful rights and interests of organizations, agencies and individuals, the professional cyber security protection forces shall send a written request to relevant agencies, organizations and individuals to encrypt information other than that classified as state secrets before storing or posting on the Internet. Such a request must clearly specify the reason and contents to be encrypted.

Article 19. Order and procedures for implementing the measure of requesting the removal of unlawful or false information in cyberspace which infringes upon national security, social order and safety, or lawful rights and interests of agencies, organizations and individuals

1. Such measure shall be taken in the following cases:

a) Information in the cyberspace is determined by competent authorities as containing contents infringing upon national security or propaganda contents opposing the State of the Socialist Republic of Vietnam; instigating riots or disrupting security or public order in accordance with law provisions;

b) There is a legal ground to identify the information in the cyberspace containing contents humiliating or slandering; or infringing upon economic management order; or fabricated or false contents causing public anxiety, seriously damaging socio-economic activities, requiring the removal of information;

c) Other information in the cyberspace containing contents specified at Points c, dd and e Clause 1 Article 8 of the Law on Cyber Security in accordance with law provisions.

2. The Director of the Department of Cyber Security and Hi-tech Crime Prevention under the Ministry of Public Security and heads of competent agencies of the Ministry of Information and Communications shall:

a) Decide on taking the measure of requesting the removal of unlawful or false information in cyberspace which infringes upon national security, social order and safety, or lawful rights and interests of agencies, organizations and individuals in accordance with Clause 1 of this Article;

b) Send a written request to enterprises providing services in telecommunications networks or the Internet, value-added services in the cyberspace, and information system managers to remove unlawful or false information in the cyberspace which infringes upon national security, social order and safety, or lawful rights and interests of agencies, organizations and individuals in accordance with Clause 1 of this Article;

c) Inspect the implementation of the measure by concerned entities upon request;

d) Exchange and share information about the implementation of such measure, except for the cases where the information is classified as state secrets or is requested under the Ministry of Public Security’s professional operation.

3. The professional cyber security protection forces under the Ministry of Defence shall decide on taking the measure of requesting the removal of unlawful or false information in cyberspace which infringes upon national security, and military security as prescribed in Clause 1 of this Article, for army information systems.

Article 20. Order and procedures for implementing the measure of collecting electronic data relating to activities in cyberspace which infringe upon national security, social order and safety, or lawful rights and interests of agencies, organizations and individuals

1. Electronic data means information in the form of signs, letters, numbers, images, sounds or the like.

2. The Director of the Department of Cyber Security and Hi-tech Crime Prevention under the Ministry of Public Security shall decide on taking the measure of collecting electronic data to serve the investigation and handling of activities in cyberspace infringing upon national security, social order and safety, or lawful rights and interests of agencies, organizations and individuals.

3. The collection of electronic data relating to activities in cyberspace which infringe upon national security, social order and safety, or lawful rights and interests of agencies, organizations and individuals shall be carried out in accordance with law provisions; provided that the following requirements are satisfied:

a) Maintain the status quo of the digital devices and electronic data;

b) The copy of electronic data must follow the prescribed process by using recognized devices and software which are verifiable, while ensuring the status quo of the electronic data stored in the devices;

c) The process of restoration of data, or search for electronic data must be recorded in the minutes, pictures or videos; in case of necessity, such process may be repeated to have the equivalent result to present at the court;

d) Persons collecting electronic data must be officers who are assigned to perform the tasks of collecting electronic data.

4. Principles of copying and restoring electronic data relating to activities in cyberspace which infringe upon national security, social order and safety, or lawful rights and interests of agencies, organizations and individuals:

a) In case the electronic data is considered to have the value of proving crime, the copying or restoration of such data must be carried out by competent persons under the competent authorities’ decisions as prescribed by law;

b) The copying and restoration of electronic evidence must be recorded in the minutes; in case of necessity, a dependent third party may be invited to participate, observe and certify this process.

5. The seizure of means of storing, transmitting and processing electronic data relating to activities in cyberspace which infringe upon national security, social order and safety, or lawful rights and interests of agencies, organizations and individuals shall comply with the law.

6. The professional cyber security protection forces under the Ministry of Defence shall decide on taking the measure of collecting electronic data to serve the investigation of violations and crimes in cyberspace threatening the information security and safety, infringing upon national security and military security.

Article 21. Order and procedures for implementing the measure of terminating, suspending or requesting the cessation of operation of information systems or revocation of domain names

1. Such measure shall be taken in the following cases:

a) Having documents proving that the information system’s operation violates the law on national security and cyber security;

b) The information system is being used for the purpose of infringing upon national security, social order and security.

2. The Minister of Public Security shall directly decide on terminating, suspending or requesting the cessation of operation of information systems, or suspending or revoking domain names with activities violating the law on cyber security.

3. The Director of the Department of Cyber Security and Hi-tech Crime Prevention under the Ministry of Public Security shall be responsible for implementing the decision on terminating, suspending or requesting the cessation of operation of information systems, or suspending or revoking domain names.

4. Order and procedures for implementing the measure:

a) Reporting the application of the measure of terminating, suspending or requesting the cessation of operation of information systems, or suspending or revoking domain names;

b) Deciding on terminating, suspending or requesting the cessation of operation of information systems, or suspending or revoking domain names;

c) Sending a written request to concerned organizations, agencies and individuals to terminate, suspend or request the cessation of operation of the information system, or sending a request for suspending or revoking domain names to the Vietnam Internet Network Information Center according to the order and procedures as prescribed by law. Such a request must clearly specify the reason, time, content and request;

d) In case of emergency for the purpose of timely preventing the information system's operation to avoid causing harm to the national security, or preventing negative consequences, the Department of Cyber Security and Hi-tech Crime Prevention under the Ministry of Public Security shall directly send a written request via fax or email to the organizations, agencies or individuals to terminate or suspend, or request the cessation of operation of the information system;

Within 24 hours after sending the request, the Department of Cyber Security and Hi-tech Crime Prevention under the Ministry of Public Security shall send a written request for terminating, suspending or requesting the cessation of operation of the information system. Past the above-mentioned time limit, if no written decision is issued, the information system shall continue to operate. Depending on the nature, extent and consequence due to the delay in sending the written request, the performers and involved persons shall bear responsibility in accordance with law provisions;

dd) The termination, suspension or request for the cessation of operation of an information system must be recorded in the minutes. Such minutes must specify the time, location, grounds and shall be made into 2 copies. The competent authority shall keep one copy, the other shall be kept by the agency, organization or individual;

e) For the suspension or revocation of national domain names in cases specified in Clause 1 of this Article, the competent authority shall send a written request to the Vietnam Internet Network Information Center for suspension or revocation of domain names according to the order and procedures as prescribed by law.

5. For the termination, suspension or request for the cessation of operation of an information system without the grounds specified in Clause 2 of this Article, the heads or deputy heads of the competent authorities and concerned officers shall bear responsibility before the law; and pay compensation for any damage to concerned organizations, agencies and individuals in accordance with law provisions.

Article 22. Responsibilities of agencies, organizations and individuals in implementing cyber security protection measures

1. The professional cyber security protection forces shall provide specific guidance for concerned agencies, organizations, and individuals to follow provisions on the order and procedures for applying a number of cyber security protection measures.

2. Agencies, organizations and individuals, within the ambit of their responsibilities and powers, shall timely coordinate with and support the professional cyber security protection forces to follow the order and procedures for applying a number of cyber security protection measures.

3. In case enterprises providing cross-border services are announced by competent agencies to have violated Vietnamese laws, Vietnamese organizations and enterprises shall be responsible for coordinating with competent authorities in preventing and handling violations committed by the enterprises providing cross-border services.

4. Any acts of taking advantage of, or abusing cyber security protection measures to violate the law shall, depending on the violation nature and extent, be handled in accordance with law provisions. In case of causing damage to lawful rights and interests of organizations and individuals, compensation payment shall be implemented in accordance with law provisions.

5. For information systems not in the List of information systems of national security importance, the Ministry of Public Security, the Ministry of National Defence and the Ministry of Information and Communications shall coordinate in a synchronous manner, to protect cyber security and ensure cyberinformation security according to the assigned functions and tasks:

a) The Ministry of Information and Communications shall act as the focal point in presiding over civil activities, except for the cases specified at Points b and c of this Clause;

b) The Ministry of Public Security shall act as the focal point in presiding over activities of protecting national security, social order and security, protecting cyber security, preventing and combating cybercrime, cyber terrorism and cyber espionage;

c) The Ministry of Defence shall act as the focal point in presiding over activities to protect the fatherland in the cyberspace.

 

Chapter IV

IMPLEMENTATION OF CYBER SECURITY PROTECTION ACTIVITIES BY STATE AGENCIES AND POLITICAL ORGANIZATIONS AT CENTRAL AND LOCAL LEVELS

 

Article 23. Formulation and completion of regulations on using computer networks of state agencies and political organizations at central and local levels

1. State agencies and political organizations at central and local levels must formulate regulations on using, managing and ensuring cyber security for internal computer networks and computer networks connected to Internet under their management. Regulations on cyber security must be based on regulations on protecting cyber security and state secrets, technical regulations and standards on cyberinformation security, and other relevant specialized technical standards.

2. Regulations on using and ensuring cyber security for computer networks of state agencies and political organizations at central and local levels must contain the following principal contents:

a) Specifying important information and information systems to be prioritized in cyber security assurance;

b) Specifying prohibited activities, and principles of management, use and assurance of cyber security; internal computer networks that store and transmit state secrets must be physically separated from the computer networks and electronic means and equipment connected to the Internet. Other cases must comply with the law on state secret protection;

c) Managerial, professional and technical procedures in operating, using and ensuring cyber security for data, technical infrastructure, which satisfy basic requirements for information system safety assurance;

d) Personnel conditions for those who administer the network, operate the system, ensure security, cyberinformation security and those who perform works relating to the editing, storage and transmission of state secrets through the information systems;

dd) Specifying responsibilities of each department and individual in management, use, and assurance of cyber security and information security;

e) Sanctions for violations of regulations on cyber security assurance.

Article 24. Formulation and completion of plans for cyber security assurance of information systems of state agencies and political organizations at central and local levels

1. Heads of state agencies and political organizations at central and local levels shall be responsible for promulgating plans for cyber security assurance for their information systems in a synchronous, consistent and concentrated manner, with resource sharing to optimize efficiency, avoiding duplication of investment.

2. A plan for cyber security assurance of an information system includes:

a) Regulations on cyber security assurance in design and establishment of an information system, meeting basic requirements such as managerial, technical and professional requirements;

b) Cyber security appraisal;

c) Cyber security inspection and assessment;

d) Cyber security supervision;

dd) Response and remediation of incidents and risk situations related to cyber security;

e) Risk management;

g) End of the operation, exploitation, repair, liquidation and cancellation.

Article 25. Plans for response to and remediation of cyber security incidents of state agencies and political organizations at central and local levels

1. A plan for response to and remediation of cyber security incidents includes:

a) A plan for prevention and handling of information in the information system, with propaganda contents opposing the State of the Socialist Republic of Vietnam; instigating riots or disrupting security or public order; humiliating or slandering; or infringing upon economic management order;

b) A plan for prevention and combat of cyber espionage; protection of information classified as state secrets, work secrets, business secrets, personal secrets, family secrets and privacy in cyberspace;

c) A plan for prevention and combat of acts of using cyberspace, information technology or electronic devices in violation of the law on national security and social order and safety;

d) A plan for prevention and combat of cyber-attacks;

dd) A plan for prevention and combat of cyber terrorism;

e) A plan for prevention and handling of dangerous cyber security circumstances.

2. A plan for responding to and remedying cyber security incidents must specify:

a) General provisions;

b) Assessment of cyber security incidents and risks;

c) A plan for responding to and remedying some specific situations;

d) Tasks and responsibilities of agencies affiliated to the organizations; coordination, handling, response to and remediation of incidents;

dd) Training, rehearsal, prevention of incidents, supervision to detect, and assurance of conditions for response to and remediation of incidents;

e) Solutions for ensuring and implementing such plan, and funding for implementation.

 

Chapter V

DATA STORAGE AND LOCATION OF BRANCHES OR REPRESENTATIVE OFFICES IN VIETNAM

 

Article 26. Data storage and location of branches or representative offices in Vietnam

1. Data that must be stored in Vietnam includes:

a) Data about personal information of service users in Vietnam;

b) Data created by service users in Vietnam: Account name, duration of using services, credit card information, email address, the latest login or logout IP address, registered telephone number associated with the account or data;

c) Data about relationships of service users in Vietnam: Friends, groups of persons with whom the users connect or interact.

2. Domestic enterprises shall store data specified in Clause 1 of this Article in Vietnam.

3. The storage of data and location of branches or representative offices in Vietnam by foreign enterprises:

a) Foreign enterprises conducting business activities in Vietnam involved in one of the following fields, including telecommunications services; storage and sharing of data in the cyberspace; provision of national or international domain names for service users in Vietnam; e-commerce; online payment; payment intermediary; service of connecting transportation through the cyberspace; service of providing, managing or operating other information in the cyberspace in the form of message, voice call, video call, email, online discussion, must store data specified in Clause 1 of this Article and locate a branch or representative office in Vietnam, in case their services are used to commit violations against the law on cyber security that have been notified and requested for coordination, prevention, investigation and handling in writing by the Department of Cyber ​​Security and Hi-tech Crime Prevention under the Ministry of Public Security, but fail to comply with or fail to fully comply with, or prevent, obstruct, counteract cyber security protection measures implemented by the professional cyber security protection forces;

b) In force majeure cases in which foreign enterprises cannot comply with the law on cyber security, they must notify the Department of Cyber Security and Hi-tech Crime Prevention under the Ministry of Public Security within 3 working days in order to check the authenticity of the force majeure events. In such cases, enterprises must work out a remediation plan within 30 working days.

4. In case the enterprises fail to fully collect, exploit, analyze and process the data specified in Clause 1 of this Article, they shall coordinate with the Department of Cyber Security and Hi-tech Crime Prevention under the Ministry of Public Security in certifying and storing the types of data currently being collected, exploited, analyzed and processed.

In case the enterprises collect, exploit, analyze and process additional data prescribed in Clause 1 of this Article, they shall be responsible for coordinating with the Department of Cyber Security and Hi-tech Crime Prevention under the Ministry of Public Security to include it in the list of data to be stored in Vietnam.

5. Enterprises shall decide the form of storing data in Vietnam.

6. Order and procedures for requesting the storage of data, or location of a branch or representative office of a foreign enterprise in Vietnam:

a) The Minister of Public Security shall issue a decision on requesting the storage of data and location of a branch or representative office in Vietnam;

b) The Department of Cyber Security and Hi-tech Crime Prevention under the Ministry of Public Security shall notify, guide, monitor, supervise and urge an enterprise to follow the requirements for storage of data and location of a branch or representative office in Vietnam; concurrently, notify concerned agencies to perform their state management functions under the competence;

c) Within 12 months from the date on which the Minister of Public Security issues a decision, enterprises specified at Point a Clause 3 Article 26 of this Decree must complete the storage of data and location of branches or representative offices in Vietnam.

7. Order and procedures for location of a branch or representative office in Vietnam shall comply with the law on business, commerce, enterprises and relevant regulations.

8. Enterprises failing to comply with this Article shall, depending on the nature and seriousness of the violation, be handled in accordance with law provisions.

Article 27. Duration for data storage and location of branches or representative offices in Vietnam

1. Data specified in Article 26 of this Decree shall be stored from the time on which the enterprise receives the request for data storage to the time the request ends. The minimum storage duration is 24 months.

2. A branch or representative office shall be located in Vietnam as prescribed in Article 26 of this Decree from the time on which the enterprise receives the request for location of a branch or representative office in Vietnam to the time it terminates the operation in Vietnam, or the prescribed services are no longer provided in Vietnam.

3. System logs serving the investigation and handling of violations against the law on cyber security as prescribed at Point b Clause 2 Article 26 of the Law on Cyber Security must be stored for at least 12 months.

 

Chapter VI

IMPLEMENTATION PROVISIONS

 

Article 28. Funding

1. Funding for ensuring the cyber security in operation of state agencies and political organizations at central and local levels shall be covered by the state budget.

2. Funding invested for cyber security from the public investment capital shall be implemented in accordance with the Law on Public Investment. For public investment projects to develop, expand or upgrade the information systems, investment funding shall be allocated in the investment capital of the corresponding projects.

3. Funding for appraisal, supervision, inspection and assessment of cyber security conditions; implementation of cyber security plans of state agencies and political organizations at central and local levels shall be balanced and allocated in the annual state budget estimate of such agencies and organizations as decentralized by the Law on the State Budget.

4. The Ministry of Finance shall provide guidance on expenses for the protection of cyber security in the budget estimate, guide the management and use of regular expenditures for the assurance of cyber security of state agencies and organizations.

5. State agencies and organizations shall, based on the assigned tasks, make estimates, manage, use and finalize the expenses for performing the task of cyber security assurance in accordance with the Law on the State Budget.

Article 29. Effect

This Decree takes effect from October 01, 2022.

Article 30. Responsibility of implementation

1. The Minister of Public Security shall urge, inspect and guide the implementation of this Decree. Any difficulties arising in the course of implementation should be discussed with the Ministry of Public Security for synthesis and report to the Prime Minister for consideration, decision and amendment.

2. Ministers, Heads of the Ministerial-level agencies, Heads of Government-attached agencies, chairpersons of People's Committees of provinces and centrally-run cities shall be responsible for the implementation of this Decree.

 

 

ON BEHALF OF THE GOVERNMENT

FOR THE PRIME MINISTER
THE DEPUTY MINISTER

 

 

 

Vu Duc Dam

 

 

 

Appendix

(Attached to the Government’s Decree No. 53/2022/ND-CP dated August 15, 2022)

______________

 

Form No. 01 - Written request for including information systems in the List of information systems of national security importance

Form No. 02 - Document providing the list of all information systems of agencies and organizations

Form No. 03 - Receipt of dossiers of request for including information systems in the List of information systems of national security importance

Form No. 04 - Notice on Appraisal council's opinions on dossiers of request for including information systems in the List of information systems of national security importance

Form No. 05 - Written request for excluding information systems from the List of information systems of national security importance

Form No. 06 - Cyber security appraisal of information systems of national security importance

Form No. 07 - Written request for certification of cyber security conditions of information systems of national security importance

 

 

Form No. 01

AGENCY/ORGANIZATION
_________

No. .......

Regarding request for including an information system in the List of information systems of national security importance

THE SOCIALIST REPUBLIC OF VIETNAM
Independence - Freedom - Happiness

__________________

Place, date...... month......year…….

 

 

To:................................ 1

 

Pursuant to the Law on Cyber Security dated June 12, 2018;

Pursuant to the Government’s Decree No. /2022/ND-CP dated ...., detailing a number of articles of the Law on Cyber Security;

................. 2 requests to include the following information system in the List of information systems of national security importance:

1. Information system to be included in the List of information systems of national security importance

a) General information

- Information system name:

- Address (where the information system is located):

- Person in charge (full name, position, telephone number, email address):

b) Information system scope and scale

- Importance:

- Use purposes:

- Objects of service:

- Cybersecurity requirements:

2. Unit managing the information system

- Unit name:

- Decision on establishment/defining the functions, tasks and powers:

- Representative:

- Address:

- Contact information (telephone number, email address):

3. Unit operating the information system

- Unit name:

- Decision on establishment/defining the functions, tasks and powers:

- Representative:

- Address:

- Contact information (telephone number, email address):

4. Explanations of the conformity with the grounds for establishing information systems of national security importance

a) Conformity with provisions of Clause 2 Article 10 of the Law on Cyber Security (specify grounds, supporting arguments and relevant documents)

b) Conformity with provisions on national important information systems, national security-related important works and national security-related important telecommunications works (specify grounds, supporting arguments and relevant documents):

c) Assessment of the scope and extent of influence and determination of the consequences of the information system in the event of an incident, intrusion, hijacking, falsification, interruption, disruption, paralysis, attack or sabotage (specify grounds, supporting arguments and relevant documents).

5. Explanations of the information system structure

a) The physical structure describes the network devices, the terminals included in the system and the physical connection between the devices (physical connection diagram).

b) The logical structure describes the design of the functional network zones present in the system; network connection direction; terminals; network devices (logical connection diagram).

c) The List of devices used in the system (device name/type; deploying location, in case the physical devices are divided into logical devices, then the deploying locations are locations of logical devices; use purposes).

d) The List of applications and services in the system (application and service name; name and configuration of the server/deploying location/operating system; use purposes).

dd) The proposed list of network devices and components, importance to prioritize protection (device name, processing information, function/importance).

6. Explanations of the technical and managerial cyber security plan

a) Managerial cyber security plan (specify the issued plan or plan to be issued, basic contents and protection purposes).

b) Technical cyber security plan (specify the issued plan or plan to be issued, basic contents and protection purposes).

c) Cyber security plan for response and remediation of cyber security incidents (specify the issued plan or plan to be issued, basic contents and protection purposes).

7. Enclosed documents

a) The List of information systems of organizations and agencies (information system name, functions and use purposes).

b) Construction designs approved by competent authorities or equivalent documents (in case where the construction design is unavailable, the reason is required).

c) Other documents that are quoted or mentioned in this Official Dispatch.

 

Receipt:

- As above;

- ................

AGENCY/ORGANIZATION REPRESENTATIVE

(Signature, full name, title and seal)

 

 

--------------------

1 Appraising agency as specified in Clauses 1, 2 and 3 Article 5 of this Decree.

2 Agency/organization name.

 

 

Form No. 02

AGENCY/ORGANIZATION
_________

No. .......

Regarding the provision of the list of information systems

THE SOCIALIST REPUBLIC OF VIETNAM
Independence - Freedom - Happiness

__________________

Place, date...... month......year…….

 
 

To: ....................... 1

 

Pursuant to the Law on Cyber Security dated June 12, 2018;

Pursuant to the Government’s Decree No. /2022/ND-CP dated ...., detailing a number of articles of the Law on Cyber Security;

............... 2 provides the list of current information systems as follows:

| No. | Information system name | Manager | Address | Contact information |
|---|---|---|---|---|
| 1 | Information system A | - Unit name: | | - Person in charge (full name, position, telephone number, email address) |

 

 

Receipt:

- As above;

- ................

AGENCY/ORGANIZATION REPRESENTATIVE

(Signature, full name, title and seal)

 

 

 

 
 
 

Form No. 03

AGENCY/ORGANIZATION 1
_________

No. .......

Regarding the receipt of the dossier of request for including information systems in the List of information systems of national security importance

THE SOCIALIST REPUBLIC OF VIETNAM
Independence - Freedom - Happiness

__________________

Place, date...... month......year…….

 

 

To: ....................... 2

 

.... 3 receives the Official Dispatch dated .... from .... 4, on request for including an information system in the List of information systems of national security importance as follows:

1. Time of receiving the dossier (specify time, date, month and year):

......................................................................................

2. A dossier of request for including an information system in the List of information systems of national security importance comprises: ...

......................................................................................

......................................................................................

Request for supplement (in case where the dossier is incomplete):

......................................................................................

......................................................................................

Deadline for supplement (specify date, month and year):

......................................................................................

......................................................................................

3. Time for feedback: Time... date... month.... year....

 

Receipt:

- As above;

- ................

AGENCY/ORGANIZATION REPRESENTATIVE

(Signature, full name, title and seal)

 

 

---------------

1 Appraising agency as specified in Clauses 1, 2 and 3 Article 5 of this Decree.

2 Requester.

3 Agency receiving the dossier (appraising agency as specified in Clauses 1, 2 and 3 Article 5 of this Decree).

4 Requester.

 

 

Form No. 04

AGENCY/ORGANIZATION 1
_________

No. .......

Regarding the Appraisal council's opinions on the dossier of request for including an information system in the List of information systems of national security importance

THE SOCIALIST REPUBLIC OF VIETNAM
Independence - Freedom - Happiness

__________________

Place, date...... month......year…….

 

 

To: ....................... 2

 

On.... date.... month.... year...., the Appraisal council held a meeting and gave opinions on the dossier of request for including an information system in the List of information systems of national security importance of .... 3 with the following contents:

1. Opinion collection result

| No. | Information system name | Result: Qualified | Result: Unqualified |
|---|---|---|---|
| 1 | | / | / |

 

2. Conclusion

......................................................................................

......................................................................................

3. Request

......................................................................................

......................................................................................

 

Receipt:

- As above;

- ................

AGENCY/ORGANIZATION REPRESENTATIVE

(Signature, full name, title and seal)

 

 

---------------

1 Appraising agency as specified in Clauses 1, 2 and 3 Article 5 of this Decree.

2 Requester.

3 Requester.

 

 

Form No. 05

AGENCY/ORGANIZATION
_________

No. .......

Regarding request for excluding an information system from the List of information systems of national security importance

THE SOCIALIST REPUBLIC OF VIETNAM
Independence - Freedom - Happiness

__________________

Place, date...... month......year…….

 

 

To: ............................................................  1

 

Pursuant to the Law on Cyber Security dated June 12, 2018;

Pursuant to the Government’s Decree No. /2022/ND-CP dated ...., detailing a number of articles of the Law on Cyber Security;

... 2 requests to exclude the following information system from the List of information systems of national security importance:

1. General information

- Information system name: ...

- Unit managing the information system ...

- Address: ...

- Decision on including the information system in the List of information systems of national security importance (specify the number, date and month, abstract):

2. Reason

......................................................................................

3. Enclosed documents (documents proving that the information system is no longer appropriate to be classified as an information system of national security importance)

......................................................................................

 

Receipt:

- As above;

- ................

AGENCY/ORGANIZATION REPRESENTATIVE

(Signature, full name, title and seal)

 

 

__________________

1 Appraising agency as specified in Clauses 1, 2 and 3 Article 5 of this Decree.

2 Agency/organization name.

 

 

Form No. 06

AGENCY/ORGANIZATION
_________

No. .......

Regarding cyber security appraisal of an information system of national security importance

THE SOCIALIST REPUBLIC OF VIETNAM
Independence - Freedom - Happiness

__________________

Place, date...... month......year…….

 

 

To: ................................. 1

 

Pursuant to the Law on Cyber Security dated June 12, 2018;

Pursuant to the Government’s Decree No. /2022/ND-CP dated ...., detailing a number of articles of the Law on Cyber Security;

........ ........ 2 requests cyber security appraisal of the following information system of national security importance:

1. General information:

- Information system name: ...

- Unit managing the information system ...

- Address: ...

- Decision on including the information system in the List of information systems of national security importance (specify the number, date and month, abstract):

2. Enclosed documents:

a) Prefeasibility study report, design dossier of an information system investment project before obtaining approval;

b) Scheme for upgrading the information system before being approved, in case of upgrading the information system of national security importance.

 

Receipt:

- As above;

- ................

AGENCY/ORGANIZATION REPRESENTATIVE

(Signature, full name, title and seal)

 

 

-----------------------

1 Appraising agency as specified in Clauses 1, 2 and 3 Article 5 of this Decree.

2 Agency/organization name.

 

 

Form No. 07

AGENCY/ORGANIZATION
_________

No. .......

Regarding request for certification of cyber security conditions of the information system of national security importance

THE SOCIALIST REPUBLIC OF VIETNAM
Independence - Freedom - Happiness

__________________

Place, date...... month......year…….

 

 

To: ............................ 1

 

Pursuant to the Law on Cyber Security dated June 12, 2018;

Pursuant to the Government’s Decree No. /2022/ND-CP dated ...., detailing a number of articles of the Law on Cyber Security;

.............. 2 requests the certification of cyber security conditions of the following information system of national security importance:

1. General information:

- Information system name: ...

- Unit managing the information system ...

- Address: ...

- Decision on including the information system in the List of information systems of national security importance (specify the number, date and month, abstract):

2. Enclosed documents:

a) Prefeasibility study report, design dossier of an information system investment project before obtaining approval;

b) Dossier of solutions for ensuring cyber security for the information system of national security importance.

 

Receipt:

- As above;

- ................

AGENCY/ORGANIZATION REPRESENTATIVE

(Signature, full name, title and seal)

 

-----------------------

 

1 Appraising agency as specified in Clauses 1, 2 and 3 Article 5 of this Decree.

2 Agency/organization name.

 

 

LuatVietnam.vn is the SOLE distributor of English translations of Official Gazette published by the Vietnam News Agency
