Quyết định 63/QD-TTg

DECISION

APPROVING THE NATIONAL PLANNING ON DEVELOPMENT OF DIGITAL INFORMATION SECURITY THROUGH 2020

THE PRIME MINISTER

Pursuant to the December 25, 2001 Law on Organization of the Government;
Pursuant to the May 25. 2002 Ordinance on Post and Telecommunications;
Pursuant to the November 29, 2005 Law on E-Transactions;
Pursuant to the June 29, 2006 Law on Information Technology;
Pursuant to the Government's Decree No. 160/2004/ND-CP of September3, 2004, detailing the implementation of a number of articles of the Ordinance on Post and Telecommunications regarding telecommunications;
Pursuant to the Governments Decree No. 20/ 2007/ND-GP of February 15, 2007, detailing the implementation of the Law on E-Transactions regarding digital signatures and digital signature certification services;
Pursuant to the Government's Decree No. 64/ 2007/ND-CP of April 10, 2007, providing for the application of information technology in state agencies' operations;
Pursuant to the Government s Decree No. 97/ 2008/ND-CP of August 28, 2008, providing for the management, provision and use of Internet services and e-information on the Internet;
At the proposal of the Minister of Information and Communications,

DECIDES:

Article 1. To approve the national Planning on development of digital information security through 2020. with the following principal contents:

I. PLANNING VIEWPOINTS

1. The concept of digital information security:"Digital information security" is a term used to refer to the protection of digital information and information systems from natural risks and illegal access, use. disclosure, sabotage, modification or destruction, aiming to ensure the accurate and reliable operations of information systems in service of proper users (below referred to as information security).

Information security denotes the protection of network and information infrastructure safety, computer and data safety and information technology application.

2. Assurance of information security should be comprehensively considered from the following aspects:

a/ Ensuring the Planning's compliance with laws on information technology in general and information security in particular.

b/ Ensuring the management of information systems under prescribed processes, standards and technical regulations from the stage of planning, designing, development and operation to liquidation.

c/ All subjects entitled to lawful access to information systems must be protected and have responsibility to ensure information security for the systems.

3. The Government encourages organizations and individuals to protect and develop information security in different forms within the law-established frame in order to contribute to stepping up information technology application and development.

4. The Government encourages domestic organizations and individuals to research into and develop information security products and solutions for combined use with imported products, striving to achieve complete mastery of technologies so as to ensure information security for national key information systems at in increasing level.

II. GENERAL OBJECTIVES THROUGH 2020

1. Ensuring network and information infrastructure safety

a/ Information security for national key information systems will be guaranteed by special-use security systems of high reliability:

b/ Operations of digital signature certification systems and public code infrastructure systems will be controlled in conformity with relevant technical standards:

c/ A network for coordination of response to. incidents in national information networks and infrastructure will be set up. involving various economic sectors;

d/ By 2020, network and information infrastructure safety will be guaranteed to meet development requirements of the information technology industry.

2. Ensuring safety for data and information technology applications

a/ Information security for e-government and e-commerce applications will be guaranteed at the highest level during the process of providing online services to the public;

b/ Information security for national key information systems will satisfy international standards;

c/ Almost all information technology applica­tions and data exchange will be compatible in terms of information security standards.

3. Developing human resources and raising awareness about information security

a/ Vietnam's information technology human resources will be trained in information security at a level equal to that of leading countries in the ASEAN;

b/ Public awareness about information security will be developed and incrementally raised. All information system users will have necessary knowledge about using information security functions integrated in the systems;

c/ All system administrators of national key information systems will be trained and granted national information security certificates.

4. Legal environment for information security

a/ The legal environment for information security will be perfected and become an effective tool for:

- Enforcing information security regulations.

- Defining responsibilities of individuals and organizations in the performance of information security tasks.

- Handling violations of information security regulations.

- Suppressing crimes of infringing upon information security;

b/The system of information security policies will be effectively realized based on a .system of criteria for evaluation of the level of information security and information security crimes;

c/ Legal provisions on cyber crimes will be improved.

III. DEVELOPMENT OBJECTIVES THROUGH 2015

1. Ensuring information security for the national information infrastructure up to the international level

a/ Local-area networks and terminal equipment in state agencies will operate under regulations and standardized processes with necessary technical solutions to ensuring information security;

b/ National databases will be furnished with necessary technical solutions and have regulations and processes to assure information security up to international standards;

c/ Systems for monitoring, supervising and warning information security risks will be built and put into commission nationwide;

d/ National key information systems must comply with general regulations on information security assurance promulgated by the Government. The Government will introduce a supervision mechanism and conduct annual assessment of the information security level of these systems;

e/ Enterprises' and organizations' local-area networks will be designed with appropriate and synchronous measures to ensure their information security.

2. Ensuring safety for data and information technology applications for central and local state agencies and the whole society

a/ The information security level of e-information systems of state agencies will be periodically examined and evaluated and annually tested against standards prescribed by the State;

b/ All websites of the Government, ministries, branches, provinces and centrally run cities will have effective measures against attacks which threaten information security and plans on response to incidents so as to ensure uninterrupted operation at full capacity;

c/ For budget-funded information technology application projects, theoretical bases on information security and confidentiality will be elaborated right at the stage of planning and designing information systems. Information systems of state agencies must be designed with technical solutions to assuring information security and confidentiality, together with management regulations applicable to these agencies and users;

d/ Data transmission and telecommunications service providers will commit to ensuring data safety in transmission lines in conformity with quality standards already announced to service users;

e/ Internet access service providers and agents will manage Internet access and use in accordance with law;

f/ Measures will be taken to assure information security for all e-transactions conducted. Providers of new e-commerce services will publicize and commit to observing quality standards on information security before officially launching these services.

3. Human resources development and raising of public awareness about information security

a/ To elaborate criteria on. and required skills for. information security experts. To train and grant national certificates to over 80% of system administrators of national key information systems;

b/To train 1.000 information security experts according to international standards so as to ensure information security for national key information systems and the whole society;

c/ Users of information devices and services will be regularly notified of and updated with new information security risks and capable of reporting these risks to responsible agencies.

4. Legal environment on information security

a/ Legal provisions on cyber crimes and regulations on investigation into, prevention of. and fight against, cyber crimes will be further improved;

b/ A legal environment for cipher activities will be created and perfected, facilitating the development of public code infrastructure and the use of codes in socio-economic activities;

c/ In 2010, to promulgate:

Standards on the national encryption system to enable the management of public code infrastructure systems in Vietnam;

The system of standards and criteria for assessment of information security for information systems; from 2015. these standards will be applied to all national key information systems.

5. Encouraging and supporting the development of domestic information security products

a/ To attach importance to the investment in and support the research into and development of domestic information security products, solutions and services under the information technology technical-economic program for combined use with imported products;

b/ To encourage and support domestic enterprises to manufacture anti-virus products, spam and cyber attack prevention products and attack detection products of increasing quality so as to meet practical demands.

c/ To encourage the research into, development and exploitation of open-source codes, aiming to master technologies and. at the same time, build laboratories for quality assessment and test of quality of information security products and solutions to protecting users' interests.

IV. SOLUTIONS ,

1. Raising awareness and stepping up communication about information security

To raise awareness and step up communication about this Planning on the mass media. To organize conferences and workshops on information security targeting state agencies, enterprises and citizens.

2. Perfecting state mechanisms and policies on information security

To review and perfect legal documents and state mechanisms and policies so as to create a favorable environment for information security assurance, meeting requirements for comprehensive international economic integration, boosting cooperation and fair competition among enterprises. To study and elaborate a Law on Cyber Crimes. To impose more severe penalties and resolutely take action against violations in information security.

3. Building institutions and enhancing activities for information security assurance

To further perfect the state management apparatus for information security from the central to local level, attaching importance to raising capability of management agencies in charge of information security. To enhance activities of forecasting, controlling and detecting attacks, making early warnings, promptly preventing and responding to problems caused by attacks. To organize periodical evaluation and publicize annual reports on the capacity of ensuring information security for the Government's information systems and national key information systems.

4. Developing information security human resources

a/ Raising of investment capital

Investment capital for information security assurance will be raised along the line that funds for information security assurance will be allocated from the state budget at the central and local levels (the central budget will ensure funds for security assurance for national information systems while local budgets will ensure funds for information security for local agencies).

Funds for information security assurance for enterprises and other organizations will be raised from enterprises themselves and social sources.

b/ Human resource training and re-training

To develop a system of criteria on and required skills for information security experts;

To develop training programs and train information security experts to meet requirements in the period of competition and integration;

To develop and maintain a mechanism of notifying users of newly emerging threats to information security;

To develop human resources capable of developing technological solutions so as to create a shortcut to scientific and technological achievements and avoid dependence on foreign countries.

5. Promoting domestic and international cooperation

To promote cooperation in the prevention of and fighting against cyber attacks though the sharing and exchange of information among countries in the region and the world. To increase cooperation with international information security organizations in exchanging and training experts in technical issues and information security management;

To promote cooperation among domestic organizations in protecting national information infrastructure and setting up a network for monitoring, making early warnings on and preventing attacks;

To intensify coordination among consultancy units and information security experts in readily responding to information security incidents.

V. TASKS

1. Building institutions and technical infrastructure for information security assurance

a/ In 2010, to design and promulgate policies and systems of standards and processes on information security, serving as a basis for state agencies and enterprises with local-area networks to elaborate their information security regulations during 2011-2015. To encourage all economic and social sectors to elaborate and promulgate regulations on information security assurance in their units;

b/ To establish the National Information Security Department responsible for managing, regulating and guiding information security assurance activities nationwide. To set up computer security incident response teams (CSIRTs) in agencies and units and connect CSIRTs into a national network so as to promptly respond to information security incidents;

c/To build technical infrastructure facilities, including systems for controlling network information security, preventing the sending and transmission of viruses, spams, trojan horses and spywares which threaten computer security, scrutinizing and redressing weaknesses, and detecting attacks and making early earnings, and plans on response to and prevention of threats to information security;

d/ To develop Internet protection systems to serve learning demands, provide healthy information to the public and prevent harmful information;

e/ To conduct surveys on national key information infrastructure in all provinces and centrally run cities under information technology application projects to be implemented in 2010. To plan and work out roadmaps for application of regulations and processes on information security assurance for these systems.

2. Conducting communication to raise awareness about and develop technological capacity in information security

a/ To organize training courses to disseminate information security knowledge and skills for the public. To use the mass media and organize events, conferences and workshops to improve the public awareness about information security:

b/To develop and promulgate criteria of. and training programs required for. information security experts who are capable of monitoring, supervising, detecting, making early warnings on and promptly responding to threats and. at the same time, possess necessary skills of assessing and testing information security quality. To train, grant certificates to, and develop a contingent of information security experts in state agencies and enterprises and a contingent of testers;

c/ To conduct surveys and supplement data on specialized information security personnel and make forecasts about the labor market in the information security domain:

d/ To build up a contingent of research and development workers specialized in information security technologies and solutions and adopt policies to develop this contingent both quantitatively and qualitatively;

e/ To conduct annual assessment of the safety of information security products currently in use and the readiness of information security systems in public organizations and enterprises;

f/To promote international cooperation and attract foreign investment projects on the basis of technology transfer, conduct the pilot application of, research into and strive to master technologies then develop particular information security products of Vietnam.

3. Implementing information security projects and programs

a/ To quickly formulate and implement priority projects funded with investment capital from the state budget so as to build institutions and technical infrastructure for assurance of national information security;

b/ Stale agencies shall formulate investment projects on technical infrastructure for information security assurance to meet practical demands and set aside a part of investment capital of information technology application projects for taking information security solutions;

c/ To work out programs on communication about information security and allocate annual funds for the implementation of these programs;

d/ To attach importance to schemes on research into and development of products, technologies, technical solutions and service-provision models under the information technology technical-economic program.

Article 2. Organization of implementation

1. The Ministry of Information and Communications shall:

a/ Assume the prime responsibility for. and coordinate with concerned ministries, branches, provincial-level People's Committees and the Vietnam Information Security Association in. organizing the implementation of this Planning;

b/ Regularly examine the implementation of this Planning and summarize and report implementation results to the Prime Minister;

c/ Based on the national economic development, propose to the Prime Minister contents which must be updated or adjusted to suit the reality;

d/ Elaborate and promulgate policies and national technical regulations on information security: elaborate and submit national standards on informal ion security to competent agencies for publicization according to law;

e/Assume the prime responsibility for. and coordinate with the Ministry of Public Security in. inspecting, examining and handling violations of regulations on information security assurance committed by organizations and individuals.

2. The Ministry of Planning and Investment shall:

a/ Assume the prime responsibility for. and coordinate with the Ministry of Information and Communications and the Ministry of Finance in. balancing funds for the implementation of projects, programs and tasks specified in this Planning and including them in the State's five-year and annual plans;

b/ Assume the prime responsibility for, and coordinate with the Ministry of Finance in. allocating annual development investment funds for the implementation of national information security projects.

3. The Ministry of Finance shall:

a/ Assume the prime responsibility for. and coordinate with the Ministry of Planning and Investment in. allocating annual funds for the implementation of this Planning in budget estimates of ministries and central agencies:

b/ Coordinate with the Ministry of Information and Communications in submitting financial mechanisms and policies for the implementation of this Planning to competent authorities for consideration and promulgation.

4. The Ministry of Public Security shall:

a/ Assume the prime responsibility for studying and adding provisions on cyber crimes to the Penal Code and supplementing the Criminal Procedures Code, taking into account particular characteristics of the investigation into cyber crimes, for submission to the National Assembly;

b/ Manage, control, prevent, detect, defer and fight plots and activities of abusing information systems to infringe upon national security, social order and safety and citizens' interests;

c/ Protect the safety of important national security works in the domain of information security.

5. The Ministry of National Defense shall:

a/ Perform the state management of information security in the domain of defense;

b/ Effectively build and exploit key information security laboratories under the Ministry of National Defense.

6. Ministries, ministerial-level agencies, government-attached agencies and provincial-level People's Committees shall:

a/ Based themselves on this Planning, supplement information security contents to their 2011-2015 plans and annual plans on information technology application;

b/ Elaborate and promulgate regulations on safety assurance for information systems under their management:

cl Work out theoretical bases on information security and estimate appropriate fund amounts for applying technical solutions to assuring information security to information technology application projects in their units.

Article 3. This Decision takes effect on the date of its signing.

Ministers, heads of ministerial-level agencies, heads of government-attached agencies, chairpersons of provincial-level People's Committees and directors general of state enterprises shall implement this Decision.

APPENDIX

LIST OF PRIORITY PROJECTS FUNDED WITH THE STATE BUDGET
(To the Prime Minister's Decision No. 63/QD-TTg of January 13, 2010)