THE PRIME MINISTER
THE SOCIALIST REPUBLIC OF VIETNAM
Independence - Freedom - Happiness
No. 18/CT-TTg
Hanoi, October 13, 2022
DIRECTIVE
On intensification of response to cyberinformation security incidents in Vietnam[1]
Cyberinformation security is an important and cross-cutting pillar to build digital trust and protect the country’s prosperous development in the digital era, thus gaining success in the national digital transformation, one of the important tasks and strategic breakthroughs set out at the 13th National Congress of the Communist Party of Vietnam. Response to cyberinformation security incidents is an urgent key activity that helps agencies and organizations minimize damage, even when serious incidents occur. However, for the time being, the response to cyberinformation security incidents in agencies, organizations and enterprises in Vietnam still fails to meet the requirements of early and proactive response and prompt and effective handling of incrementally increasing cyber-attacks, which become more and more complicated and may cause unpredictable consequences on socio-economic development and stability.
In order to remove limitations and shortcomings and increase the effect and effectiveness of national response to cyberinformation security incidents, the Prime Minister directs:
1. Ministries, ministerial-level agencies, government-attached agencies, provincial-level People’s Committees, state corporations and economic groups, and organizations and enterprises that are members (or have their affiliated units being members) of the National Cyberinformation Security Incident Response Network to urgently perform the following jobs:
a/ Ministers, heads of ministerial-level agencies, heads of government-attached agencies, chairpersons of provincial-level People’s Committees, presidents and general directors of state corporations and economic groups, and other organizations and enterprises that are members (or have their affiliated units being members) of the National Cyberinformation Security Incident Response Network shall disseminate among organizations and individuals under their management the principle “Responding to network information security incidents is an important activity to detect, prevent, handle and promptly remedy cyberinformation security incidents”; direct the implementation of this Directive in a serious manner and take responsibility before the Prime Minister for negligence in responding to cyberinformation security incidents, once it occurs, thus leading to serious consequences and damage in agencies and units under their management.
b/ To shift the mode of response to cyberinformation security incidents from passive to active: proactively identifying threats and scanning vulnerabilities in information systems within the scope of their management at least once every 6 months; issuing information system incident response plans and scenarios before December 31, 2022, and promptly updating these plans and scenarios upon occurrence of changes thereto; organizing cyber-attack drills at least once a year for information systems at level 3 or higher levels in order to assess intrusion prevention capacity and promptly detect weaknesses regarding processes, technology or personnel. If detecting security risks or threats that might lead to unauthorized access and control of systems, to proceed with the handling of weaknesses and vulnerabilities simultaneously with hunting for threats.
c/ Before December 31, 2022, to reorganize and consolidate cyber emergency response teams (CERTs) to be more professional and flexible, each composed of at least 5 cyberinformation security experts (including also outsourced experts) who meet information security skill standards provided by the Ministry of Information and Communications.
d/ Agencies in charge of 11 important sectors in which cyberinformation security assurance must be prioritized (under the Prime Minister’s Decision No. 632/QD-TTg of May 10, 2017) shall focus on sharing information about cyberinformation security risks and incidents with agencies, organizations and enterprises that manage and operate information systems in the sectors and on promptly and effectively serving sectoral CERTs.
dd/ To assign CERTs to perform the following regular tasks: acting as the focal point in receiving information on, and managing, incidents; responding to and handling incidents and hunting for threats; studying and monitoring cyber-attack risks and information on vulnerabilities and weaknesses; practicing information system protection skills and participating in training programs and drills chaired by the National Coordinating Agency.
e/ To allocate sufficient funds to ensure the operation of CERTs; to attract high-quality human resources to work in responding to cyberinformation security incidents.
g/ To review, detect and remedy vulnerabilities and weaknesses in a serious manner according to warnings of competent authorities; to proactively monitor and early detect cyberinformation security risks for prompt handling and remediation.
h/ To take measures to mitigate cyberinformation security risks caused by third parties and information technology and communications supply chains.
i/ To strictly comply with regulations on reporting cyberinformation security incidents; to promote public information about reporting and provision of information on cyberinformation security incidents.
k/ To encourage the implementation of campaigns to raise end-users’ vigilance against cyber-attacks.
l/ To make public contact information (phone numbers, emails or other communication channels) for receipt of cyberinformation security incident reports on their websites before October 31, 2022.
2. The Ministry of Information and Communications:
a/ To guide the development of CERTs for 11 important sectors in which cyberinformation security assurance must be prioritized under the Prime Minister’s Decision No. 632/QD-TTg of May 10, 2017.
b/ To guide the implementation of regular activities of CERTs and develop the capacity framework of CERTs by November 30, 2022.
c/ To promote cyberinformation security drills at agencies, organizations and enterprises; to use results of such drills as criteria for annual assessment of maturity and professionalism of CERTs.
d/ To assume the prime responsibility for implementing, guiding, monitoring, urging, inspecting and assessing the implementation of this Directive; to summarize implementation results and report thereon to the Prime Minister.
3. The Ministry of Public Security and Ministry of National Defense:
a/ To carry out incident response activities according to their assigned functions and tasks.
b/ To closely coordinate with the Ministry of Information and Communications in responding to national cyberinformation security incidents.
4. The Ministry of Finance shall guide the allocation of, and prioritize, budget funds for response to cyberinformation security incidents.
5. Telecommunications and Internet service providers:
a/ To publicize contact information (telephone numbers, email addresses or other communications channels) for receipt of cyberinformation security incident reports on their websites before October 31, 2022; to provide customers with information on methods for reporting on cyberinformation security incidents.
b/ To strictly comply with the National Coordinating Agency’s coordination requirements of response to and handling of incidents.
c/ To warn customers about risks of wide-range cyberinformation security incidents or when detecting cyberinformation security risks and incidents related to customers, and support customers to respond to and handle cyberinformation security incidents related to the services they provide.
6. Cyberinformation security enterprises:
a/ To provide and share information about cyberinformation security incidents with the Ministry of Information and Communications (the Authority of Information Security).
b/ To closely coordinate with the National Coordinating Agency in responding to and handling incidents.
c/ To pay attention to participating in international organizations on response to incidents in order to promote sharing of information.
7. Ministers, heads of ministerial-level agencies, heads of government-attached agencies, chairpersons of provincial-level People’s Committees, heads of agencies and units, and related organizations and individuals shall strictly implement this Directive.
For the Prime Minister
Deputy Prime Minister
VU DUC DAM
[1] Công Báo Nos 795-796 (25/10/2022)