Directive 14/CT-TTg on network security to improve Vietnam's ranking index

DIRECTIVE
ON ENHANCING NETWORK SECURITY
TO IMPROVE VIETNAM S RANKING INDEX
-------------

Recently, the legal framework for safety and network security in Vietnam has been gradually improved. However, the guidance on the implementation of laws on network safety and security, personal information protection, child protection on cyberspace as well as the handling of violations remain inadequate. The construction and issuance of standards and technical regulations in the field of network information security have not met practical needs. Activities to improve capacity, awareness and responsibility for network safety and security are still limited. The cooperation between domestic and foreign agencies, organizations and enterprises to ensure network safety and security remains weak. The supervision, evaluation and protection of information systems in State agencies and organizations lack professionalism. In 2018 and the early days of 2019, there were some intentional cyber-attacks to steal state secret information, causing serious consequences. Therefore, Vietnam’s ranking in the Global Cyber security Index (hereinafter referred to as GCI) of the International Telecommunication Union (hereinafter referred to as ITU) remains low. According to the unofficial ranking in March 2019 (for the period of 2017-2018), Vietnam ranked 50 over 194 assessed countries and territories and 5 over 11 Southeast Asia countries.

In the coming time, state agencies, organizations and enterprises should implement overall solutions to ensure network security and safety to overcome the above-mentioned shortcomings and limitations, contributing to improving Vietnam s ranking in GCI. Given that context, the Prime Minister issues instructions as follows:

1. Ministries, ministerial-level agencies, Government-attached agencies, People s Committees of provinces and municipalities, State-owned corporations and commercial banks, Vietnam Development Banks, Vietnam Bank for Social Policies, Co-operative Bank of Vietnam and other State credit and financial institutions shall implement some following solutions:

a) Ministers, heads of ministerial-level and government-attached agencies, presidents of People s Committees of provinces and municipalities, presidents and general directors of State-owned corporations and commercial banks, Vietnam Development Banks, Vietnam Bank for Social Policies, Co-operative Bank of Vietnam and other State credit and financial institutions shall thoroughly grasp the principle of taking accountability to the Prime Minister for the loss of network safety and security happening or the leakage of State secrets in agencies and units under their management;

b) The bodies shall designate and arrange the specialized units on network information security to well perform the tasks of giving advices, conducting the organization, monitoring and inspecting the implementation of law provisions on ensuring network safety and security. The bodies also shall closely coordinate with the units in charge of network safety and security under the Ministry of Information and Communications, the Ministry of Public Security and the Ministry of Defense in monitoring, sharing information, inspecting and evaluating network security;

c) For the supervision and rescue of network information security incidents and the protection of information systems under their management: The bodies shall self-monitor and self-rescue the network information security incidents and self-protect the information systems under their management or select organizations and enterprises with sufficient capacity to conduct the work; report the information of units assigned to supervise and respond to network information security incidents to Ministry of Information and Communications for summarizing before December 31, 2019 and when having changes on information of the units; connecting and sharing information with the National Cyber Security Monitoring Center of the Information Security Department under the Ministry of Information and Communications;

d) For the inspection and assessment of network information security of the information systems under their management: The bodies shall select organizations and enterprises that are independent from organizations and enterprises in charge of supervising and protecting to periodically inspect and evaluate network information security of level 3 or higher-level information systems under their management or unexpectedly inspect and evaluate at request according to law provisions;

For level 3 and level 4 information systems, the bodies shall annually inspect, evaluate and report the results of inspection to the Ministry of Information and Communications before December 14 for summarizing and reporting to the Prime Minister;

For the national important information systems (level 5), the bodies shall, in every 6 months, conduct the inspection and evaluation and report the results to the Ministry of Information and Communications before June 14 and December 14 to summarize and report to the Prime Minister;

e) The bodies shall prioritize the use of products, solutions and services of domestic enterprises meeting the requirements of network safety and security in accordance with law provisions for level 3 or higher-level information systems and e-Government information systems;

f) The bodies shall ensure the funding for network information security products and services reaches at least 10% of the total budget for the implementation of annual and five-year information technology application plans and other information technology projects (when the investors do not have technical facilities or have to hire specialized network information security services meeting the law provisions on level-based safety assurance of information systems);

g) The bodies shall use and manage the USB tokens of digital signatures and authentication services of digital signatures exclusively used by the Government, digital certificates and encryption solutions of the Government Cipher Committee according to regulations;

h) The bodies shall continue to improve policies and legal frameworks for network information security, cyber security, cybercrime prevention and child protection in cyberspace; strategies and plans to develop network information security; human resources for network safety and security; technical standards and regulations on network information security;

i, The bodies shall promptly provide legal and technical information and statistics; organize capacity building and promote cooperation in the field of network safety and security serving the assessment and ranking of GCI of ITU.

2. The Ministry of Information and Communication shall take responsibilities for:

a) Assuming the prime responsibility and coordinating with relevant ministries, agencies and localities to take overall solutions to ensure network information safety in state agencies and organizations, measures to raise Vietnam s rank on safety and network security worldwide; develop a set of criteria for assessing network information security in Vietnam, conducting assessment and announcing the results annually;

b) Improving the legal framework, mechanisms and policies to promote network information security; submitting strategies and plans on national network information security in the next periods to the Prime Minister for approval;

c) Assuming the prime responsibility for developing the Project on training and developing the human resources on network security and safety, the Project on disseminating and raising public awareness and sense of responsibility on information security assurance in the period of 2021 - 2025 and the Project on protecting personal information and supporting children to safely, effectively and creatively communicate in the cyberspace, then submitting them to the Prime Minister for approval;

d) Studying and proposing amendments to coordination regulations of the Ministry of Information and Communications, the Ministry of Public Security and the Ministry of Defense in ensuring network safety and security in accordance with the reality;

e) Studying and issuing technical standards, regulations and solutions to protect personal information in online information systems that collect users information;

f) Strengthening dissemination and raising awareness and sense of responsibility for child protection in the cyberspace; instructing telecommunications and Internet service providers (ISP) and digital content providers to implement technical solutions on child protection in the cyberspace;

g) Assuming the prime responsibility for establishing, managing and organizing short-term and long-term training courses to improve knowledge and skills for the network of specialized units on network information safety; formulating and promulgating standards of basic skills on network information security for officials in charge of information security and cyber  security in agencies and organizations;

h) Announcing the list of network information products, solutions and services to meet the requirements of state agencies and organizations before September 30, 2019; periodically revising and supplementing in accordance with the reality;

i) Providing guidelines and supporting state agencies and organizations, especially agencies and organizations without the preparation of resources and expertise in network information security supervision, protection, inspection and evaluation. Several agencies shall be chosen to pilot implementation, organize conferences to review and evaluate the implementation and spreading the good examples of deploying overall solutions to ensure network information security in state agencies and organizations before December 31, 2019;

k) Developing and maintaining the electronic portals in Vietnamese and English summarizing necessary information to provide to ITU and prestigious organizations, serving the assessment of network security index, including: legal documents and instructions for operation, statistics reports, lists of businesses with permission to trade in network information security products and services, training and educating programs, practical exercises, communication materials and publications, domestic and international cooperation activities...;

l) Assuming the prime responsibility for supervising and monitoring the implementation of this Directive, then summarizing and reporting the results of annual task performance to the Prime Minister.

3. The Ministry of Public Security shall take responsibilities for:

a) Assuming the prime responsibility and coordinating with relevant agencies to continue to improve legal documents on network security, cybercrimes and personal information protection;

b) Strengthening network security for information systems in the field under the management of the Ministry of Public Security;

c) Coordinating closely with the Ministry of Information and Communications in identifying the level and ensuring information security for important national information systems.

4. The Ministry of Defense shall take responsibilities for:

a) Strengthening network security for information systems in the field under the management of the Ministry of Defense;

b) Coordinating closely with the Ministry of Information and Communications in identifying the level and ensuring information security for important national information systems;

5. The Government Cipher Committee shall take responsibilities for:

a) Assuming the prime responsibility and coordinating with ministries, agencies and localities to synchronously implement solutions to protect state secret information by means of encryption with the deployment and use of Government specialized digital signature authentication services to meet the requirements of overall information security and safety of Party and State agencies;

b) Strengthening network security for information systems in the field under the management of the Government Cipher Committee.

6. The Ministry of Planning and Investment and the Ministry of Finance shall take responsibilities for:

a) Strengthening and prioritizing the allocation of development investment capital, annual administrative expenditures for ministries, ministerial-level agencies, Government-attached agencies, provinces and municipalities to ensure network security;

b) In the process of appraising and balancing capital sources for information technology projects, the funding shall reach at least 10% of the total budget for the implementation of information technology projects when the investors do not have technical facilities or have to hire specialized network information security services meeting the law provisions on level-based safety assurance of information systems.

7. The Ministry of Education and Training shall take responsibilities for:

a) Instructing and guiding training institutions to promulgate plans on training human resources for network security to meet market demands;

b) Assuming the prime responsibility and coordinating with the Ministry of Information and Communications to promote the dissemination and awareness raising programs on network safety and security in the training institutions.

8. The Ministry of Science and Technology shall take responsibilities for:

a) Assuming the prime responsibility and coordinating with the Ministry of Information and Communications, Ministry of Public Security, Ministry of Defense and other relevant ministries and agencies to finalize and announce technical standards and regulations in the field of network information security;

b) Assuming the prime responsibility and coordinate with relevant ministries and agencies in elaborating mechanisms and policies to promote research, development and innovative entrepreneurship in the field of safety and network security;

c) Encouraging, promoting and strengthening Ministerial and State-level scientific research related to network security and safety.

9. The Ministry of Labor, War Invalids and Social Affairs shall take responsibilities for:

a) Assuming the prime responsibility for improving the legal framework for child protection in the cyberspace;

b) Strengthening the dissemination, enforcement, interactive mechanisms, tools and means to protect children in the cyberspace.

10. The Ministry of Foreign Affairs shall take responsibilities for:

a) Assuming the prime responsibilities and coordinating with the Ministry of Information and Communications, Ministry of Public Security and Ministry of Defense to strengthen cooperation and participation in international organizations and bilateral and multilateral agreements in the field of network security;

b) Promptly sharing information and reports of international agencies and organizations on requirements, assessment and ranking of network security with concerned ministries and agencies.

11. Concerned ministries, agencies and organizations shall take responsibilities for:

a) Proactively publishing legal and technical information and statistics, organizing capacity building and promote cooperation in the fields of network security under their management on electronic portals and other means of mass media to support organizations in searching, investigation, surveying, statistics and ranking; allocating budget for ensuring network information security according to Point e, Clause 1 of this Directive;

b) Coordinating with the Ministry of Information and Communication in assessing the level of ensuring information network safety;

c) Enhancing participation in domestic cyber security networks as well as international activities, forums, organizations and networks on cyber security according to law provisions.

12. Vietnam Information Security Association (VNSA) shall take responsibilities for:

a) Organizing annual surveys, assessment and appraising on the typical and high-quality network information security solutions and services of Vietnam;

b) Assuming the prime responsibility and coordinating with enterprises in the field of network information security to propose criteria and implement measures to improve the quality of products, services and human resources for information security according to international standards.

13. Telecommunication and Internet service providers (ISP) shall take responsibilities for:

a) Establishing and arranging attached units specializing in network information security to protect their systems and customers; participating in supporting state agencies and organizations to monitor, protect, inspect and assess network information safety under the management of the Ministry of Information and Communications;

b) Implementing technical measures to protect children in the cyberspace under the guidance of the Ministry of Information and Communications.

14. Organization of implementation:

a) Ministers, heads of ministerial-level agencies, heads of Government-attached agencies, presidents of provincial and municipal People s Committees, heads of agencies and units, concerned organizations and individuals shall take responsibilities for instructing and strictly enforcing this Directive;

b) The Central Office and Committees of VCP, the Office of National Assembly, the Presidential Office, the Supreme People s Procuracy, the Supreme People s Court, State Audit and political-social organizations shall strengthen the work of ensuring overall network security in agencies and organizations in accordance with the law on network security and other relevant regulations./.

The Prime Minister

Nguyen Xuan Phuc