Thông tư liên tịch 06/2008/TTLT-BTTTT-BCA

JOINT CIRCULAR

ON ASSURANCE OF INFRASTRUCTURE SAFETY AND INFORMATION SECURITY IN POST, TELECOMMUNICATIONS AND INFORMATION TECHNOLOGY ACTIVITIES

Pursuant to the 2006 Law on Information Technology;
Pursuant to the 2004 Law on National Security;
Pursuant to the 2002 Ordinance on Post and Telecommunications;
Pursuant to Decree No. 160/2004/ND-CP of September 3, 2004, detailing the implementation of a number of articles of the Post and Telecommunications Ordinance regarding telecommunications;
Pursuant to Decree No. 157/2004/ND-CP of August 18, 2004, detailing the implementation of a number of articles of the Post and Telecommunications Ordinance regarding post;
Pursuant to Decree No. 128/2007/ND-CP of August 2, 2007, on delivery services;
Pursuant to Decree No. 187/2007/ND-CP of December 25, 2007, defining the functions, tasks, powers and organizational structure of the Ministry of Information and Communication;
Pursuant to Decree No. 136/2003/ND-CP of November 14, 2003, defining the functions, tasks, powers and organizational structure of the Ministry of Public Security;
Pursuant to Decree No. 151/2005/ND-CP of December 14, 2005, on powers and responsibilities of national security protection agencies and officials;

The Ministry of Information and Communication and the Ministry of Public Security jointly guide the assurance of infrastructure safety and information security in post, telecommunications and information technology activities as follows:

I. GENERAL PROVISIONS

1. Scope of regulation and subjects of application

a/ This Circular guides the assurance of infrastructure safety and information security in post, delivery, telecommunications, Internet, signal transmission and broadcasting and information technology activities (below referred to as post, telecommunications and information technology activities).

b/ This Circular applies to organizations and individuals engaged in the establishment of networks; provision and use of services; equipment manufacture and trading; and construction and installation of post, telecommunications and information technology facilities in Vietnam.

2. Interpretation of terms

a/ Assurance of infrastructure safety means assurance of the integrity of the system of post, telecommunications and information technology equipment, networks and facilities; the integrity and confidentiality of mails, postal items and parcels, cargo packages and bales and information delivered through post, telecommunications and information technology networks; and the safety of parties engaged in the establishment, provision and use of post, telecommunications and information technology services.

c/ Assurance of information security means the management, control, prevention, detection of and fight against acts of using or abusing post, telecommunications and information technology infrastructure to infringe upon national security, social order and safety and citizens interests.

3. General principles on assurance on infrastructure safety and information security

a/ Parties engaged in post, telecommunications and information technology activities shall assure infrastructure safety and information security, promptly detect and remedy incidents; and take responsibility before law for the contents of mails, postal items and parcels, cargo packages and bales and information which are stored and delivered through their post, telecommunications or information technology networks.

b/ Assurance of infrastructure safety and information security in post, telecommunications and information technology activities must neither obstruct production and business activities of post, telecommunications and information technology enterprises nor cause damage to lawful rights and interests of parties engaged in post, telecommunications and information technology activities.

c/ Only competent persons of national security protection agencies defined in Article 9 of Decree No. 151/2005/ND-CP of December 14, 2005, on powers and responsibilities of national security protection agencies and officials may control information security in post, telecommunications and information technology activities.

d/ Violations that adversely affect infrastructure safety and information security must be promptly detected and strictly handled in accordance with law.

4. Prohibited acts

a/ Providing, using or abusing post, telecommunications and information technology infrastructure or services to infringe upon national security, social order and safety or badly affect the national traditions and customs.

b/ Unlawfully obstructing post, telecommunications and information technology activities.

c/ Destroying or damaging post, telecommunications or information technology facilities or using or abusing networks, devices and hardware and software tools to interfere in or disturb the operation of post, telecommunications and information technology infrastructure.

d/ Stealing and unlawfully using passwords, cipher keys or private information of organizations and individuals; unlawfully obstructing organizations and individuals access to information.

dd/ Producing, selling, purchasing, storing, transporting and using counterfeit postal stamps; appropriating, opening, exchanging, or disclosing the contents of, mails, postal items and parcels, cargo packages and bales and information delivered through post, telecommunications and information technology networks.

e/ Other illegal acts related to post, telecommunications and information technology activities.

II. ASSURANCE OF INFRASTRUCTURE SAFETY AND INFORMATION SECURITY

1. Assurance of infrastructure safety in post, telecommunications and information technology activities

Assurance of infrastructure safety in post, telecommunications and information technology activities covers:

a/ Protection of post, telecommunications and information technology infrastructure to prevent hacking, illegal access and sabotage; prevention of and fight against fire, explosion and other incidents caused by natural disasters, humans or animals.

b/ Application of contingency solutions and backup devices to ensure the continuous and safe operation of post, telecommunications and information technology infrastructure.

c/ Application of solutions and measures to prevent the use or abuse of networks, devices or hardware and software tools to obstruct, interfere in, damage or destroy the operation of post, telecommunications and information technology infrastructure; prevention and control of computer viruses, spams and spywares; prevention of and fight against acts of stealing or unlawfully using passwords, cipher keys or private information of organizations and individuals.

d/ Assurance of safety for post, telecommunications and information technology equipment and operators of post, telecommunications and information technology networks.

dd/ Inspection and examination and handling of violations related to infrastructure safety in post, telecommunications and information technology activities.

2. Assurance of information security in post, telecommunications and information technology activities

Assurance of information security in post, telecommunications and information technology covers:

a/ Application of professional measures to control information delivered through post, telecommunications and information technology networks in accordance with law in order to detect, prevent and promptly handle violations; suspension of the provision and use of services and handling of cases of providing, using or abusing post, telecommunications and information technology networks and services to infringe upon national security and social order and safety.

b/ Application of solutions and measures to assure the confidentiality of secret state information and private information of organizations and individuals, contents of mails, postal items and parcels, cargo packages and bales and information delivered through post, telecommunications and information technology networks.

c/ Coordination in the grant of licenses and determination of business conditions for assuring information security in post, telecommunications and information technology activities.

d/ Inspection and examination and handling of violations related to information security in post, telecommunications and information technology activities.

III. INFRASTRUCTURE SAFETY AND INFORMATION SECURITY ASSURANCE RESPONSIBILITIES

1. Responsibilities of the Ministry of Information and Communication

a/ To direct and guide organizations, individuals and post, telecommunications and information technology enterprises to observe legal provisions on infrastructure safety; to inspect, examine and handle violations in the assurance of infrastructure safety in post, telecommunications and information technology activities.

b/ To coordinate with the Ministry of Public Security in assuring information security and in inspecting, examining and handling organizations and individuals that violate regulations on assurance of information security in post, telecommunications and information technology activities.

c/ In emergency cases prescribed by law, to decide on the use of part or the whole of post, telecommunications and information technology infrastructure in performing security and defense tasks.

d/ To assume the prime responsibility for elaborating, promulgating and implementing standards and technical regulations on the safety of post, telecommunications and information technology infrastructure.

dd/ To make and send a list of important works related to national security and other important post, telecommunications and information technology infrastructure facilities to be guarded and protected by armed forces units, enclosed with their dossiers to competent agencies, for appraisal and approval in accordance with law.

e/ Regarding licensing

- To assume the prime responsibility for appraising and granting licenses for dealing in or testing networks, telecommunications, Internet, post and delivery services and to notify in writing the Ministry of Public Security thereof.

- To assume the prime responsibility for, and coordinate with the Ministry of Public Security in, appraising and granting licenses to foreign-invested delivery service enterprises and granting licenses to foreign organizations and individuals for setting up private telecommunications networks and private Internet network or use radio frequencies and radio broadcasting devices.

- To assume the prime responsibility for, and coordinate with the Ministry of Public Security and the Ministry of Defense in, appraising and granting licenses for laying telecommunications cables in Vietnams sea areas according to Articles 46 and 47 of Decree No. 160/2004/ND-CP of September 3, 2004, detailing the implementation of a number of articles of the Post and Telecommunications Ordinance regarding telecommunications.

- To assume the prime responsibility for, and coordinate with the Ministry of Public Security and the Ministry of Defense in, appraising and granting licenses for ships and boats to conduct survey, installation, maintenance and repair of telecommunications cables in Vietnams sea areas.

2. Responsibilities of the Ministry of Public Security

a/ To direct and perform tasks of assurance of information security, prevention and combat of crimes and other law-breaking acts in post, telecommunications and information technology activities; to inspect, examine and handle violations of regulations on assurance of information security in post, telecommunications and information technology activities.

b/ To direct public security units and local public security departments to closely coordinate with agencies and organizations under the Ministry of Information and Communication in assuring infrastructure safety and inspecting, examining and handling organizations and individuals that violate regulations on assurance of infrastructure safety in post, telecommunications and information technology activities.

c/ To organize and invest in scientific and technological researches in order to raise the information technology application capacity to assure national security and maintain social order and safety. To apply professional measures and invest in the installation of the ministry’s equipment system to control and assure infrastructure safety and information security.

d/ To direct public security units and local public security departments to arrange armed police forces to guard and protect important national security facilities and other important targets being post, telecommunications and information technology facilities.

dd/ Upon detection of information, documents, data and objects involved in national security infringements prescribed in Article 3 of Decree No. 151/2005/ND-CP of December 14, 2005, on powers and responsibilities of national security protection agencies and officials, national security protection agencies under public security units and local public security departments shall:

- Request organizations and individuals to supply those information, data, figures, documents and objects.

- Take according to their competence measures of confiscating or copying information, data, figures, documents, objects and some or all of equipment systems.

- Prevent access to equipment systems and networks and the use of services.

- Perform other tasks and exercise other powers as prescribed by law.

e/ Public security units and local public security departments in charge of national security protection shall provide professional guidance on a contractual basis to security forces of organizations managing and operating post, telecommunications and information technology infrastructure.

g/ Pay charges for the lease of transmission channels to assure information security as prescribed by law.

h/ Regarding licensing

- Grant of licenses to foreign-invested delivery services: Within 20 days after receiving the Information and Communication Ministry’s request and a valid dossier, the security protection agency shall advise and assist the Public Security Ministry’s leadership in appraising the dossiers contents related to the assurance of infrastructure safety and information security and make a written reply to the Ministry of Information and Communication.

- Grant of licenses to foreign organizations and individuals in Vietnam for setting up private telecommunications networks and private Internet networks or using radio frequencies and radio broadcasting equipment: Within 10 days after receiving the Information and Communication Ministry’s request and a valid dossier of a foreign organization or individual, the security protection agency shall advise and assist the Public Security Ministry’s leadership in making a written reply to the Ministry of Information and Communication. In special cases for foreign organizations and individuals in Vietnam that are eligible for diplomatic or consular privileges or immunities, the security protection agency shall advise and assist the Public Security Ministry’s leadership in making a written reply to the Ministry of Information and Communication within 03 working days after receiving the Information and Communication Ministry’s request.

- Grant of licenses for telecommunications cable installation in Vietnams sea areas: The security protection agency shall advise and assist the Public Security Ministry’s leadership in making a written reply to the Ministry of Information and Communication within 15 working days after receiving the Information and Communication Ministry’s request and a valid dossier of-the organization applying for cable installation.

- Grant of licenses for ships and boats cable line survey, installation, maintenance and repair in Vietnams sea areas: The security protection agency shall advise and assist the Public Security Ministry’s leadership in making a written reply to the Ministry of Information and Communication within 5 working days after receiving the Information and Communication Ministry’s request and a valid dossier of the applying organization.

3. Responsibilities of post, telecommunications and information technology enterprises

a/ To elaborate plans and apply measures to assure infrastructure safety and information security suitable to their networks and services and in line with world technology development trends.

b/ To research into and develop technologies in order to raise the safety of their post and telecommunications networks; to work out contingency plans on networks and equipment in response to emergency circumstances and incidents in order to ensure information security and the continuous and safe operation of post, telecommunications and information technology networks and services.

c/ To elaborate and promulgate regulations on coordination with public security, military, militia and self-defense forces in assuring infrastructure safety and information security.

d/ To supply necessary information and data on technologies and techniques used for their existing systems and approved projects on post, telecommunications and information technology to professional units under the Ministry of Public Security for infrastructure safety and information security purposes.

dd/ To invest in and install equipment systems to ensure information security at their enterprises according to the Prime Ministers Decision No. 70/2007/QD-TTg of May 21, 2007, providing for the investment in the system of equipment to assure information security for telecommunications networks in Vietnam,

e/ To arrange ground areas, network access points connection terminals and technical conditions necessary for information security assurance as requested by the Ministry of Public Security and the Ministry of Information and Communication. To ensure favorable conditions for national security protection agencies to conduct professional measures prescribed by law in order to protect national security and social order and safety.

g/ To promptly and adequately supply information, documents, data and objects to national security protection agencies upon written request of competent persons specified in Article 4 of Decree No. 151/2005/ND-CP of December 14, 2005, defining powers and responsibilities of national security protection agencies and officials.

h/ To closely collaborate with professional units of the Ministry of Public Security and the Ministry of Information and Communication in:

- Collecting, analyzing, assessing and forecasting information relating to network incidents,. weaknesses and flaws in infrastructure safety and information security; proposing measures to improve the capability of preventing and lighting hacking and illegal access.

- Promptly responding to technical incidents which may affect their equipment systems capability of controlling infrastructure safety and information security.

- Taking measures for protecting the safety of post, telecommunications and information technology infrastructure; detecting, promptly Preventing and suspending the provision and use of services in the cases of using or abusing post, telecommunications and information technology networks and services to infringe upon national security and social order and safety.

i/ To ensure the confidentiality of private information of post, telecommunications and information technology service users in accordance with law.

k/ To organize the training and development of infrastructure safety and information security human resources suitable to their networks and business activities. To build up security forces which will be equipped with security devices; to carry out patrols and guard; to conduct irregular and regular examination of the protection of post, telecommunications and information technology networks.

l/ To disseminate information on the purposes, role and significance of infrastructure safety and information security assurance; to guide users of post, telecommunications and information technology networks in observing regulations on infrastructure safety and information security assurance.

IV. EXAMINATION, INSPECTION, AND HANDLING OF VIOLATIONS

1. Functional agencies under the Ministry of Information and Communication and the Ministry of Public Security shall coordinate with one another in conducting regular or irregular examination and inspection of the assurance of infrastructure safety and information security in post, telecommunications and information technology activities. Post, telecommunications and information technology enterprises and related organizations and individuals shall create favorable conditions for competent state agencies to conduct examination and inspection.

2. Organizations and individuals that violate regulations on infrastructure safety and information security in post, telecommunications and information technology activities shall, depending on the nature and severity of their violations, be administratively sanctioned or examined for penal liability in accordance with law.

V. ORGANIZATION OF IMPLEMENTATION

1. The Ministry of Information and Communication and the Ministry of Public Security shall, within the ambit of their functions, tasks and powers, guide organizations and individuals in taking measures to assure infrastructure safety and information security in post, telecommunications and information technology activities.

2. Provincial-level Peoples Committees shall direct provincial-level Information and Communication Services and Public Security Services and post, telecommunications and information technology enterprises in their locality to strictly implement this Circular.

3. Biannually, provincial-level Information and Communication Services and Public Security Services shall review the situation of network safety and information security in post, telecommunications and information technology activities and report it to provincial-level Peoples Committee presidents and propose implementation measures.

4. Annually, post, telecommunications and information technology enterprises shall preliminary review and evaluate the situation of infrastructure safety and information security, make recommendations and propose rewards to state management agencies, and report them to the Ministry of Information and Communication and the Ministry of Public Security.

5. This Circular lakes effect 15 days after its publication in CONG BAO and replaces Joint Circular No. 01/2001/TTLT-TCBD-BCA of June 7, 2001, of the General Department of Post and the Ministry of Public Security, guiding the assurance of network safety and information security in post and telecommunications activities.

Any problems and difficulties arising in the implementation process should be reported to the Ministry of Information and Communication and the Ministry of Public Security for timely guidance.