Access Alert | Vietnam’s Ministry of Information and Communication Releases Draft Circular proposing Security Requirements for their Information System

Access Alert | Vietnam’s Ministry of Information and Communication Releases Draft Circular proposing Security Requirements for their Information System

Following Data Classification Levels, Vietnam has released draft circular for comments, proposing security requirements for different levels of data, per their data classification framework. These security requirements exclude data from the Ministry of Defence and the Ministry of Public Security.

This regulation proposes baseline (a) technical requirements, including network infrastructure safety; server security; application security and data security, as well as (b) management requirements such as general policy; organization and personnel; design and construction management; operational management; testing, assessment and risk management.

The Circular proposes the following requirements:

1. Information Security Assurance Plans

  • For information Levels 1, 2, 3, information security levels must be sufficient but should also consider the possibility of sharing between information systems for solutions to protect and share resources, so as to optimize performance and avoid system redundancies and duplicate investments.
  • For Levels 4 and 5, the information security assurance plans need to be designed to ensure availability, segregation and limit the impact on the entire system when one component in the system is affected.

2. Information Security Audits and Compliance

  • These will be required for information Levels 3, 4, and 5, with compliance and reporting requirements detailed in Articles 8 and 9 of the Circular. This include any newly-built and expanded/upgraded systems.

3. Cloud Computing

  • If Cloud Computing is deployed, specific requirements for logical and physical separation are detailed in the Circular, with stricter separation for network and storage requirements for Level 4 and 5 (see Article 8, Clause 6).

4. Information Security Risk Management Plan required

  • An Information Security Risk Management plan is now required for all information Levels, with higher requirements for Level 3 and above.

5. System termination/ exit strategy required

  • System termination/exit plans are now required for all information Levels, with higher requirements for Level 3 and above.

The MIC Public Consultation closes on 11 May 2022, and submissions can be put through via their website.

Data Classification Framework for Vietnam

The data classification framework for Vietnam has been established in Decree 85/2016/ND-CP on the security of information systems by classification, involving five Levels.

Related Articles

Access Alert: Maximising opportunities for the tech industry in a new era of EU competitiveness

Access Alert: Maximising opportunities for the tech industry in a new era of EU competitiveness

The Draghi report, published on 9 September 2024, presents a strategic roadmap for Europe to regain its global competitiveness. It...

11 Sep 2024 Opinion
旅客輸送サービスの現状調査:人口減少下の課題と展望

旅客輸送サービスの現状調査:人口減少下の課題と展望

Read the content in English 著者: Abhineet Kaul (Access Partnership), Swee Cheng Wei (Access Partnership), Chailyn Ong (Access Partnership) アドバイザー:...

30 Aug 2024 General
Passenger Transportation in Japan: Challenges and outlook with ongoing societal changes in less connected areas

Passenger Transportation in Japan: Challenges and outlook with ongoing societal changes in less connected areas

投稿を日本語で読む Authors: Abhineet Kaul (Access Partnership), Swee Cheng Wei (Access Partnership), Chailyn Ong (Access Partnership) Advisors: Dr. Tomoaki Watanabe (GLOCOM),...

30 Aug 2024 General
Access Alert: Update on Mexico’s Regulatory Reforms: What You Need to Know

Access Alert: Update on Mexico’s Regulatory Reforms: What You Need to Know

In recent developments, Mexico is moving forward with a constitutional reform aimed at dissolving several key autonomous agencies, including the...

28 Aug 2024 General