MOF to Issue New Regulations on Cyber Information Safety, Cyber Security

03/04/2023 03:59:00

The Ministry of Information and Communications issued Circular No. 12/2022/TT-BTTTT dated August 12, 2022, detailing and guiding a number of articles of Decree No. 85/2016/ND-CP dated July 1, 2016 of the Government on the security of information systems by classification (replacing Circular No. 03/2017/TT-BTTTT dated April 24, 2017). In order to implement new regulations, directions and guidelines on network safety and security at the Ministry of Finance, the Department of Informatics and Financial Statistics has been developing the Regulation on Cyber Information Safety and Cyber Security of the Ministry of Finance (replacing the Regulation on Cyber Information Safety issued under Decision No. 201/QD-BTC dated February 12, 2018 of the Minister of Finance). The draft Regulation has been sent for comments for the second time and is expected to be completed and submitted to the Minister of Finance for promulgation in April 2023.


The new regulations provided in Circular No. 12/2022/TT-BTTTT will be concretized and applied by the Ministry of Finance in its specific regulations on cyber information safety and cyber security.

The first new point is the regulation on identifying the administration unit of an information system and the unit authorized to perform the responsibilities of the administration unit of an information system (Article 4). According to the provisions of Circular No. 03/2017/TT-BTTTT, for ministries, the administration unit of an information system is the ministry or the authority competent to decide on investment in projects for the construction, establishment, upgrade and expansion of information systems. According to Circular 12/2022/TT-BTTTT, only authorities that are competent to decide on investment in projects for the construction, establishment, upgrade and expansion of information systems and that are capable of fully implementing the provisions of Article 20 of Decree 85/2016/ND-CP shall be considered and decided by the Ministry to be assigned as the administration unit of an information system. Similarly, only a unit competent to act on behalf of the Ministry to perform the responsibilities of the information system administrator specified in Clause 2, Article 20 of Decree 85/2016/ND-CP shall be considered and authorized by the Ministry to perform the responsibilities of the administration unit of an information system.

The second new point is the regulation on the authority to verify the classification proposal in the case where the specialized information security unit is also assigned by the information system administration unit to manage and operate the information system at the same time (Article 6). This content is not provided in Circular No. 03/2017/TT-BTTTT.

The third new point is a number of additional regulations on requirements to ensure information system security by classification (Articles 9, 10 and Appendices). Circular 12/2022/TT-BTTTT stipulates compliance with the National Standard TCVN 11930:2017 on Information technology – Security techniques – Basic requirements for information system security by classification (Clause 1, Article 9). Although this regulation is new compared to Circular 03/2017/TT-BTTTT, it is not new to the units of the Ministry of Finance, since the Ministry of Finance has prescribed the application of TCVN 11930:2017 in the Ministry’s Regulation on Cyber Information Safety under Decision No. 201/QD-BTC dated February 12, 2018. Accordingly, the units under the Ministry have implemented this Standard right after starting to implement information system security by classification from 2018.

In addition to compliance with TCVN 11930:2017, there are a number of new regulations on requirements to ensure information system security by classification in Clauses 6, 7, 8, 9, 10, Article 9 and the Appendices of Circular 12/2022/TT-BTTTT: an information system, upon new construction, expansion or upgrade, must have a plan to ensure information security before being put into operation and exploitation; regulations on ensuring information system security must be issued before the Classification Proposal is approved; requirements for internal software when it is newly built, expanded or upgraded; requirements in case the information system is deployed in the form of outsourced information technology services at a Data Center or Cloud Computing; requirements for the information security risk management plan and the plan for termination of operation and exploitation, liquidation and cancellation; and some additional requirements for network security solutions.

The fourth new point is a more specific regulation on information security inspection and assessment (Article 12), including inspecting and assessing compliance with the provisions of the law on information system security by classification; examining and evaluating the effectiveness of information security measures according to the approved information security plan; and testing, evaluating and detecting malicious code, vulnerabilities and weaknesses, and penetration testing of information systems.

The fifth new point is a specific regulation on the annual report by the administration units of information systems to the Ministry of Information and Communications (Article 14).

(Thu Hằng)

 

 
