Circular 12/2022/TT-BTTTT amend 85/2016/ND-CP ensuring the security of information systems by levels

Circular No. 12/2022/TT-BTTTT dated August 12, 2022 of the Ministry of Information and Communications detailing and guiding a number of articles of the Government’s Decree No. 85/2016/ND-CP of July 01, 2016 on ensuring the security of information systems by levels
Issuing body: Ministry of Information and Communications
Official number: 12/2022/TT-BTTTT
Signer: Nguyen Manh Hung
Type: Circular
Issuing date: 12/08/2022
Expiry date: Updating
Fields: Information - Communications

LuatVietnam.vn is the SOLE distributor of English translations of Official Gazette published by the Vietnam News Agency

THE MINISTRY OF INFORMATION AND COMMUNICATIONS
No. 12/2022/TT-BTTTT

THE SOCIALIST REPUBLIC OF VIETNAM
Independence - Freedom - Happiness
______________________

Hanoi, August 12, 2022

CIRCULAR
Detailing and guiding a number of articles of the Government’s Decree No. 85/2016/ND-CP of July 01, 2016 on ensuring the security of information systems by levels
__________

Pursuant to the November 19, 2015 Law on Cyberinformation Security;

Pursuant to the Government’s Decree No. 85/2016/ND-CP of July 01, 2016 on ensuring the security of information systems by levels;

Pursuant to the Government’s Decree No. 48/2022/ND-CP of July 26, 2022, defining the functions, tasks, powers and organizational structure of the Ministry of Information and Communications;

At the proposal of the Director General of Information Security Department;

The Minister of Information and Communications promulgates the Circular detailing and guiding a number of articles of the Government’s Decree No. 85/2016/ND-CP of July 01, 2016 on ensuring the security of information systems by levels.

Chapter I
GENERAL PROVISIONS

Article 1. Scope of regulation

This Circular details and provides guidelines for ensuring the security of information systems by levels, including: identification of information systems and explanation of information system security levels; requirements for ensuring the security of information systems by levels; inspection and assessment of information security; and the reporting regime.

Article 2. Subjects of application

The subjects of application of this Circular shall comply with Article 2 of the Government’s Decree No. 85/2016/ND-CP of July 1, 2016 on ensuring the security of information systems by levels (below referred to as Decree No. 85/2016/ND-CP).

Article 3. Interpretation of terms

In this Circular, the following terms are understood as follows:

1. Hot standby is the capability to replace the function of equipment when a malfunction occurs without interrupting the operation of the system.

2. Main or critical network equipment refers to the devices in the system that, if they cease to operate without prior planning, will disrupt the operation of the entire information system. The components of main network equipment are determined according to the levels of the information system and include at least: central switch equipment or equivalent, central firewall device, web application firewall, centralized storage system, and database firewall.

Article 4. Information system administrator

1. For Ministries, ministerial-level agencies, Government-attached agencies, and People's Committees of provinces and centrally-run cities, the information system administrator is one of the following cases:

a) Ministries, ministerial-level agencies, Government-attached agencies;

b) People's Committees of provinces and centrally-run cities;

c) Authorities competent to decide on investment in the projects of construction, establishment, upgrade, or expansion of information systems. Ministries, ministerial-level agencies, Government-attached agencies, and People's Committees of provinces and centrally-run cities shall decide the administrator of the information system according to this Clause, ensuring that the agency or organization assigned as the administrator has sufficient capacity to fully implement Article 20 of Decree No. 85/2016/ND-CP.

2. For enterprises and other organizations (not being Ministries, ministerial-level agencies, Government-attached agencies, and People's Committees of provinces and centrally-run cities), the information system administrator is the authority competent to decide on the investment in the construction, establishment, upgrade, and expansion of information systems.

3. In case of necessity, the information system administrator may delegate a subordinate organization with sufficient capacity to perform the responsibilities of the information system administrator as prescribed in Clause 2, Article 20 of Decree No. 85/2016/ND-CP.

The responsibility delegation of the information system administrator must be done in writing, clearly stating the scope of the system, the responsibilities of the delegated organization, and the duration of the delegation.

Article 5. Information system operating unit

1. The information system operating unit is the agency or organization assigned by the information system administrator to operate the information system.

2. If the information system consists of multiple component systems or is distributed, with more than one operating unit, the information system administrator shall designate one unit to take the lead in exercising the rights and obligations of the information system operating unit in accordance with the law regulations.

3. In the case of outsourcing information technology services, the information system operating unit is determined as follows:

a) If the service provider has not been identified in accordance with the law regulations, the unit in charge of hiring the service shall act as the operating unit;

b) If the service provider has been identified in accordance with the law regulations, the operating unit is the service provider;

c) If the service period has expired and the information system established through the outsourcing service continues to operate, the operating unit is the unit in charge of hiring the service.

Article 6. Appraisal of proposal dossiers for level determination in case the specialized information security unit is also assigned to manage and operate the information system by the information system administrator

In cases where the specialized information security unit is also assigned to manage and operate the information system by the information system administrator, the organization of the appraisal of proposal dossiers for level determination shall be carried out according to one of the following options:

1. The specialized information security unit shall propose that the information system administrator assign a qualified subordinate unit to preside over and organize the appraisal.

2. The specialized information security unit shall propose that the information system administrator establish an appraisal council to independently carry out the appraisal of the proposal dossiers for level determination.

Chapter II
IDENTIFICATION OF INFORMATION SYSTEMS AND EXPLANATION OF INFORMATION SYSTEM SECURITY LEVELS

Article 7. Identification of information systems

1. The identification of information systems for level determination is pursuant to the principles prescribed in Clause 1, Article 5 of Decree No. 85/2016/ND-CP.

2. An information system serving internal operations is the system that only serves the administrative and operational activities of the agency or organization.

3. An information system serving the public and businesses is a system that directly or indirectly supports the provision of online services, including online public services and other online services in various sectors such as telecommunications, information technology, commerce, finance, banking, healthcare, education, and other specialized fields.

4. An information infrastructure system is a collection of equipment and transmission lines that serve the general activities of multiple agencies and organizations, such as wide area networks, databases, data centers, cloud computing; electronic authentication, electronic certification, digital signatures; and interconnection of information systems.

5. An industrial control information system is a system that functions to monitor, collect data, manage, and control critical components for the control and normal operation of construction projects.

6. Other information systems are systems that are not classified under the categories mentioned in Clauses 2, 3, 4, and 5 of this Article, and used to directly serve or support the specific operational, production, or business activities of agencies or organizations according to specialized fields.

7. On a quarterly basis (on the first day of the quarter), the Department of Information Security – the Ministry of Information and Communications shall update and supplement the list of information systems as prescribed in Clauses 2, 3, 4, 5, and 6 of this Article and publish it on the portal of the Ministry of Information and Communications.

Article 8. Explanation of information system security levels

1. Depending on the form of investment, the technical options in the technical-economic report (where the investment project applies a one-step design), in the basic design within the feasibility study report (where the investment project applies a two-step design), in the plan for renting information technology services (where IT services are rented), or in the detailed outline and cost estimates (for IT application investments without project preparation) for newly constructed, expanded, or upgraded information systems must meet the requirements of the information security assurance plan according to the proposed level, as explained in the proposal dossier for level determination.

2. The explanation of the proposal dossier for level determination includes the following components:

a) Overview explanation of the information system;

b) Explanation of the proposed level determination;

c) Explanation of the information security assurance plan.

3. Overview explanation of the information system, including the following contents:

a) Information about the information system administrator, including: Name of the administrator; regulations on functions, tasks, and powers; representative, position; address; contact information (including phone number, email);

b) Information about the information system operating unit, including: Name of the operating unit; regulations on functions, tasks, and powers; representative, position; address; contact information (including phone number, email);

c) Description of the scope and scale of the information system, clearly stating the system's scope, scale, and service objects;

d) Description of the current system architecture (for systems in operation) or description of the system architecture (for newly constructed, upgraded, or expanded systems), including a detailed description of the logical model and physical model of the system, a list of equipment and main network devices in the system (including device name/type, location of installation, purpose of use), a list of applications/services provided by the system (including service name, implementation server/location of installation/server operating system, purpose of using service), network zone planning, and IP addresses within the system (including network zone, internal IP addresses (IP Private), and public IP addresses (IP Public)).

4. Explanation of the proposed levels, including the following contents:

a) List of information systems and corresponding levels, including: Name of the information system, proposed level, basis for the proposal for each information system;

b) Detailed explanation for each information system, clearly stating the type of information processed, the type of information system, and the basis for the proposed level for each information system.

5. Explanation of the proposed level for information systems proposed at level 4 or level 5, in addition to the contents specified in Clause 3 of this Article, must clarify the following contents:

a) Identifying other related information systems that are connected to or have a significant impact on the normal operation of the information system with proposed level;

b) Explaining the risks of cyber attacks and the level of impact on the information system with proposed level;

c) Assessing the scope and level of impact on public interests, social order and safety, or national defense and security when a cyber attack causes information insecurity or disruption to the operation of the information system with proposed level;

d) Explaining the requirement for 24/7 operation and the non-acceptance of operational downtime without prior planning for the information systems as prescribed in Clauses 2 and 3, Article 10 of Decree No. 85/2016/ND-CP.

6. Explanation of the information security assurance plan, including the following contents:

a) Explanation of the plan to meet the management requirements corresponding to the proposed level;

b) Explanation of the plan to meet the technical requirements corresponding to the proposed level.

Chapter III
REQUIREMENTS FOR ENSURING THE SECURITY OF INFORMATION SYSTEMS BY LEVELS

Article 9. General requirements

1. Ensuring the security of information systems by levels is implemented according to the basic requirements prescribed in this Circular and the National Standard TCVN 11930:2017 on information technology – safety techniques – basic requirements for the security of information system by levels.

2. The basic requirements for each level prescribed in this Circular are the minimum requirements to ensure the security of information systems, including basic management requirements, basic technical requirements, and excluding physical safety requirements.

3. Basic management requirements include:

a) Establishing information security policies;

b) Organizing information security assurance;

c) Ensuring human resources;

d) Managing the design and construction of the system;

dd) Managing system operation;

e) Plan for managing information security risk;

g) Plan for the termination of operation, extraction, liquidation, and disposal of the information system.

4. Basic technical requirements include:

a) Ensuring network security;

b) Ensuring server security;

c) Ensuring application security;

d) Ensuring data security.

5. The development of information security assurance plans that meet the basic requirements for each level shall be implemented according to the principles prescribed in Clause 2, Article 4 of Decree No. 85/2016/ND-CP, specifically as follows:

a) For information systems at levels 1, 2, and 3: The information security assurance plan must consider the possibility of sharing protection solutions and resources among information systems to optimize performance and avoid redundant, duplicate, and wasteful investments;

b) For information systems at levels 4 and 5: The information security assurance plan must be designed to ensure availability, separation, and limitation of the impact on the entire system when one component of the system or related to the system loses information security.

6. Information systems, when newly invested, expanded, or upgraded, must fully implement the approved information security assurance plan as prescribed in the level proposal dossier and meet the security requirements prescribed in Articles 9 and 10 of this Circular before being put into operation and extraction.

7. The information system security assurance regulations for the system must be developed to meet the security management requirements according to the corresponding security level of information system and must be approved and issued by competent authorities before the level proposal dossier is approved.

8. Information security requirements for internal software when newly developed, expanded, or upgraded:

a) Internal software that is newly developed, expanded, or upgraded must comply with the framework of security software development;

b) Meet the basic security requirements for internal software.

9. If the information system at level 3 is launched in the form of renting information technology services at Data Center or Cloud Computing, the system design must meet the following requirements:

a) It must be designed to be logically separated and independent from other systems, with access management measures among systems;

b) Network zones within the system must be designed to be logically separated and independent from each other, with access management measures among network zones;

c) There must be storage partitions that are logically separated.

10. If the information system at level 4 or level 5 is launched in the form of renting information technology services at Data Center or Cloud Computing, the system design must meet the following requirements:

a) It must be designed to be physically separated and independent from other systems, with access management measures among systems;

b) Network zones within the system must be designed to be logically separated and independent from each other, with access management measures among network zones;

c) There must be storage partitions that are physically separated;

d) The main network devices must be physically separated.

Article 10. Information security assurance plans for each level

1. The information security assurance plan for level 1 information systems must meet the detailed requirements specified in Appendix I issued with this Circular;

2. The information security assurance plan for level 2 information systems must meet the detailed requirements specified in Appendix II issued with this Circular;

3. The information security assurance plan for level 3 information systems must meet the detailed requirements specified in Appendix III issued with this Circular;

4. The information security assurance plan for level 4 information systems must meet the detailed requirements specified in Appendix IV issued with this Circular;

5. The information security assurance plan for level 5 information systems must meet the detailed requirements specified in Appendix V issued with this Circular.

Chapter IV
INSPECTION AND ASSESSMENT OF INFORMATION SECURITY

Article 11. General Provisions on Inspection and Assessment Activities

1. Contents of inspection and assessment:

a) Inspecting and assessing the compliance with law regulations on ensuring the security of information systems by levels;

b) Inspecting and assessing the effectiveness of information security measures according to the approved information security assurance plan;

c) Inspecting and assessing the detection of malware, vulnerabilities, weaknesses, and conducting penetration testing of information systems.

2. Frequency of inspection and assessment:

a) Regular inspection and assessment as prescribed at Point c, Clause 2, Article 20 of Decree No. 85/2016/ND-CP;

b) Unscheduled inspection and assessment as required by the competent authority.

3. Forms of inspection and assessment for detecting malware, vulnerabilities, weaknesses, and conducting penetration testing of the information system include the following three forms:

a) Black box inspection and assessment;

b) Gray box inspection and assessment;

c) White box inspection and assessment.

Article 12. Contents of inspection and assessment of information security

1. The contents of the inspection and assessment of the compliance with law regulations on ensuring the security of information systems by levels include:

a) Inspecting and assessing the compliance of the information system administrator according to Article 20 of Decree No. 85/2016/ND-CP, including: The implementation of establishing/designating a specialized unit/department for information security by the information system administrator as prescribed in Clause 1, Article 20 of Decree No. 85/2016/ND-CP; the preparation of the level proposal dossier, the organization of appraisal, and the approval of the level proposal dossier according to regulations for information systems under the management scope; the implementation of the information security plan according to the approved level proposal dossier for information systems under the management scope; the organization of inspection, assessment of information security, and management of information security risks within their agencies and organizations as prescribed at Point c, Clause 2, Article 20 of Decree No. 85/2016/ND-CP; the organization of short-term training, propaganda, dissemination, awareness-raising, and drills on information security as stipulated at Point d, Clause 2, Article 20 of Decree 85/2016/ND-CP.

b) Inspecting and assessing the compliance of the specialized unit for information security of the information system administrator according to Article 21 of Decree No. 85/2016/ND-CP, including the following contents: advising, organizing implementation, urging, inspecting, and supervising the work of ensuring information security; appraising, approving, or providing professional opinions on the level proposal dossier according to the prescribed authority;

c) Inspecting and assessing the compliance of the operating unit according to Article 22 of Decree No. 85/2016/ND-CP;

d) Inspecting and assessing the implementation of information security measures according to the approved information security plan.

2. The content of inspecting and assessing the effectiveness of information security measures according to the approved information security plan includes:

a) Inspecting the adequacy and appropriateness of the Information Security Regulation according to the approved information security management plan;

b) Assessing the compliance with the regulations and procedures in the information security regulation during the operation, extraction, termination, or disposal of the information system;

c) Assessing the design of the system according to the approved information security plan;

d) Assessing the setup and configuration of the system according to the approved information security plan;

dd) Inspecting the configuration and enhancement of security for system devices, operating systems, applications, databases, and other related components in the system according to the guidelines of the Ministry of Information and Communications.

3. The content of inspecting and assessing the detection of malware, vulnerabilities, weaknesses, and penetration testing of the information system includes:

a) Scanning and detecting malware, vulnerabilities, and weaknesses of the system, and conducting penetration testing on system devices, operating systems, applications, databases, and other related components in the system;

b) Assessing the safety of source code for internal software;

c) Proposing plans and strategies for addressing vulnerabilities and weaknesses, and configuration and security enhancement measures for the inspected contents that are assessed as inadequate.

Chapter V
REPORTING REGIME

Article 13. General provisions on the reporting regime

1. Methods of submitting and receiving reports:

a) Submitting through the document management and administration system;

b) Submitting through the reporting software system implemented by the Ministry of Information and Communications;

c) Submitting via email;

d) Other methods as prescribed by law regulations.

2. Reporting frequency:

a) Annually on a regular basis;

b) On an ad-hoc basis as requested by competent authorities.

3. Date of finalizing annual periodic report data:

From December 15 of the year preceding the reporting period to December 14 of the reporting period.

4. Deadline for submitting annual periodic reports:

a) The specialized unit for information security and the operating unit of the information system must submit reports to the information system administrator by December 20 each year;

b) The information system administrator must submit reports to the Ministry of Information and Communications by December 25 each year.

Article 14. Report contents

1. General information about the information system administrator, the specialized unit for information security, and the operating unit for each information system under management scope, including: Name of the information system administrator, the specialized unit for information security, and the operating unit; defined functions, duties, and authorities; representative, position; address; contact information (including phone number and email).

2. List of information systems under management, including: Name of the system, the operating unit, and the proposed level.

3. List of information systems approved for the level proposal dossier as prescribed.

4. List of information systems that have fully implemented, partially implemented, or not yet implemented the measures of protection to meet the security requirements according to the approved information security plan.

5. List of information systems that have an information security regulation as prescribed.

6. List of information systems that comply with the regulations and procedures in the information security regulation during the operation, extraction, termination, or disposal of the information system.

7. List of information systems that have been inspected and assessed as prescribed.

8. Assessment of the implementation of information security measures according to the approved information security plan in the level proposal dossier based on each criterion and requirement.

9. Information on the decision approving the level proposal dossier, and the approved information security plan in the level proposal dossier based on each criterion and requirement (whether fully met/not fully met; plans or timelines for completing unmet criteria and requirements).

10. Information on the decision issuing and the information security regulation.

11. Other information as required by competent authorities.

Chapter VI
ORGANIZATION OF IMPLEMENTATION

Article 15. Timing for approval of the level proposal dossier when newly developing or expanding, upgrading information systems

The level proposal dossier for information security is encouraged to be approved before the competent authority approves the technical-economic report, the basic design within the feasibility study report, the plan for renting IT services, or the corresponding detailed outline and cost estimate.

Article 16. Transitional provisions

1. For information systems that are currently in operation and extraction and have been approved for a level before the effective date of this Circular: The information system administrator must review the approved level proposal dossier and the information security plan. The review, adjustment, and re-approval of the level proposal dossier and the information security plan (if necessary) must be completed before June 2023.

2. For information systems that are currently in operation and extraction but have not yet been approved for a level proposal dossier: The implementation of development, appraisal, and approval of the level proposal dossier and the information security plan according to the approved plan in the level proposal dossier must meet the requirements as prescribed in the Ministry of Information and Communications’ Circular No. 03/2017/TT-BTTTT of April 24, 2017 detailing and guiding a number of articles of the Government’s Decree No. 85/2016/ND-CP of July 1, 2016 on ensuring the security of information systems by levels and align with the provisions of this Circular, ensuring that the process of constructing, appraising, and approving the level proposal dossier shall not be redone when this Circular takes effect.

Article 17. Effect and responsibility of implementation

1. This Circular takes effect on October 1, 2022, and replaces the Ministry of Information and Communications’ Circular No. 03/2017/TT-BTTTT of April 24, 2017 detailing and guiding a number of articles of the Government’s Decree No. 85/2016/ND-CP of July 1, 2016 on ensuring the security of information systems by levels.

2. Any problem arising in the course of implementing this Circular should be promptly reported to the Ministry of Information and Communications (Department of Information Security) for coordination and resolution./.

THE MINISTER

Nguyen Manh Hung

* All Appendices are not translated herein.
