MINISTRY OF INFORMATION AND COMMUNICATIONS OF VIETNAM
--------
SOCIALIST REPUBLIC OF VIETNAM
Independence - Freedom - Happiness
----------------
No. 20/2017/TT-BTTTT
Hanoi, September 12, 2017
CIRCULAR
COORDINATING AND RESPONDING TO NATION-WIDE CYBER INFORMATION SECURITY INCIDENTS
Pursuant to the Law on
Cyberinformation Safety dated November 19, 2015;
Pursuant to Decree No.
85/2016/ND-CP dated July 1, 2016 of the Government on level-based information
system safety;
Pursuant to Decree No.
17/2017/ND-CP dated February 17, 2017 of the Government on functions, tasks,
powers, and organizational structures of Ministry of Information and
Communications;
Pursuant to Decision No.
05/2017/QD-TTg dated March 16, 2017 of the Prime Minister on system of emergency
response measures for national cyber information security;
At request of Director of
the Vietnam Cybersecurity Emergency Response Center;
The Minister of Information
and Communications promulgates Circular on coordination and response to
nation-wide cyber information security incidents.
...
...
...
GENERAL PROVISIONS
Article 1. Scope and regulated entities
1. This
Circular prescribes coordination and response to nation-wide cyber information
security incidents (not including coordination and response to serious cyber
information security incidents specified under Decision No. 05/2017/QD-TTg
dated March 16, 2017 of the Prime Minister on emergency response system for
national cyber information security (hereinafter referred to as “Decision No.
05/2017/QD-TTg”));
Incidents occurring within
information systems under the management of the Ministry of National Defense
and Ministry of Public Security are not prescribed by this Circular.
2. Regulated
entities are agencies, organizations, individuals related to coordination and
response to cyber information security incidents.
Article 2. Definitions
1. Cyber
information security incident means an attack on
information, information system or damage, violation to integrity, security, or
usability (hereinafter referred to as “incident”).
2. Response
to cyber information security incident means efforts to deal with
and rectify cyberinformation security incidents, including: monitoring,
collecting, analyzing, detecting, warning, investigating, verifying incidents,
preventing incidents, restoring data, and restoring normal operation of
information system.
3. Incident
response liaison means a unit or an individual authorized by members of
national cyber information security incident response network to represent the
members in communicating and exchanging information with National incident
response and coordination agency or other members in incident coordination and
response.
...
...
...
Entities responding to
nation-wide cyber information security incidents are agencies, organizations,
and entities responding to national cyber information security incidents
specified under Decision No. 05/2017/QD-TTg. Agencies and organizations engaging
in coordination and response to nation-wide incidents include:
1. The
Ministry of Information and Communications - Standing authority for emergency
response and assurance of national cyber information security (hereinafter
referred to as “National standing authority”) and Coordinating Committee for
emergency response for national cyber information security (hereinafter
referred to as “National coordinating committee”); Vietnam Cybersecurity
Emergency Response Center (VNCERT) - National coordinating authority for incident
response (hereinafter referred to as “National coordinating authority”).
2. Steering
Committee for emergency response to cyber information security incidents of
ministries, ministerial agencies, Governmental agencies, and People's Committees
of provinces and central-affiliated cities (hereinafter referred to as
“Ministerial/Provincial steering committees”);
3. Entities
specializing in responding to cyber information security incidents (hereinafter
referred to as “incident response specialists”); incident response teams or
units in ministries, ministerial agencies, Governmental agencies, and People’s
Committees of provinces and central-affiliated cities (hereinafter referred to
as “incident response teams/units”).
4. Network
for response to national cyber information security incidents (hereinafter
referred to as “incident response network”); and Network Operating Committee.
5. Presiding
entities of information system; operating entities of information system;
agencies, organizations, and specializing entities designated or summoned by
National standing authority, National coordinating authority, or
Ministerial/Provincial steering committees to participate in incident response.
Article 4. Rules for incident coordination and response
1. Regulations
and law on coordination and response to cyber information security incidents
shall be complied with.
2. Coordination and response shall be active, prompt, quick, accurate, synchronous, and effective.
...
...
...
4. Incident
response shall be implemented and dealt with by readily available forces and as
primary responsibilities of presiding entities of information system.
5. Conditions
and order of priority in maintaining operation of information system approved
by competent authority under incident response plan shall be adhered to.
6. Information
exchanged within the network shall be examined and verified prior to further
steps.
7. Information
confidentiality shall be guaranteed when engaging and implementing incident
response efforts of National coordinating authority or agencies, organizations,
individuals that encounter the incidents.
Chapter II
INCIDENT RESPONSE NETWORK
Article 5. Incident response network
1. Incident
response network operates on a nation-wide scale and consists of members that
are incident response specialists, relevant agencies, organizations, and
enterprises specified under Article 7 of Decision No. 05/2017/QD-TTg.
2. Incident
response network operates in accordance with Network Operating Regulations and
relevant guidelines of National coordinating authority (Vietnam Cybersecurity
Emergency Response Center). Network Operating Committee shall be established by
the Ministry of Information and Communications under Article 7 of Decision No.
05/2017/QD-TTg
...
...
...
Article 6. Responsibilities and powers of network members
1. Network
members have the responsibility and power to:
a) exercise responsibilities
and powers under Decision No. 05/2017/QD-TTg;
b) assign competent,
qualified liaisons with appropriate certifications and professional skills to
implement cooperation in incident response; maintain continuous,
around-the-clock communication; publicize incident report address on
website/web portal; provide and update information on incident response
liaisons, technicians for information security, incident response under their
management to National coordinating authority; update information on incident
response liaison within 24 hours from the time in which changes occur;
c) consolidate, develop, and
submit 6-monthly report (before June 20), annual report (before December 15)
using Form No. 5 to National coordinating authority; provide irregular report
at request of National coordinating authority;
d) report to National
coordinating authority upon receiving information or discovering incidents of
information systems under their management;
dd) develop and implement
incident response plans, guidelines on incident response operations; organize
and coordinate operation of incident response teams under their management;
e) request network members
to guide, assist in dealing with and responding to incidents when necessary;
participate in seminars, conferences, meetings, trainings, advanced trainings,
drills, and other activities in the network;
g) share information,
experience, and warnings regarding incidents and cyber information security in
Vietnam and in other countries;
...
...
...
2. National
coordinating authority has the responsibility and power to:
a) exercise responsibilities
and powers under Decision No. 05/2017/QD-TTg;
b) publicize their phone
number, fax, email address, hotline on their website, ensure resources to
maintain round-the-clock hotline, promptly receive and deal with incidents;
consolidate contact information (address, phone number, fax, email address) and
information on incident response liaisons, technicians for information security,
incident response of network members and incident response teams of network
members;
c) develop, implement, and
operate network website, technical system assisting communication and
information exchange within the network and other technical systems serving
incident coordination, response, rectification;
d) provide guidelines on
notifying and inquiring nation-wide cyber information safety incidents;
coordinate network; study and propose solutions for improving resources to
ensure effective implementation of the network;
dd) consolidate, receive, process,
prepare, and send information and warnings to competent individuals and
agencies, organizations, relevant entities regarding cyber information security
incidents and prevention, deterrence, handling solutions;
e) organize seminars and
meetings, publicize and exchange information, provide trainings, advanced
trainings, drills regarding response to cyber information security incidents;
organize general operations of the network.
Article 7. Primary operations of incident response network
Network Operating Committee
shall organize and implement tasks of incident response network, including
primary operations below:
...
...
...
2. Cooperating
in responding to, dealing with, preventing, and rectifying incidents;
inspecting and promoting development, implementation of plans for cyber information
security incidents and implementation of responsibilities, obligations of
network members;
3. Developing
and improving capacity of network members and incident response teams,
including:
a) providing training,
advanced trainings to improve qualifications, skills, professional operations;
organizing domestic and foreign business trips for the purpose of survey,
experience learning, exchange, and cooperation;
b) organizing periodic
meetings, conferences, seminars, and conversations to exchange information,
experience regarding incident coordination and rescue, cyber information
security assurance;
c) providing support in
developing and adopting information system management, operation procedures in
accordance with national standards, national technical regulations, and
international standards regarding information security and incident response.
d) organizing specialized
studies, developing reports, instruction manuals, statistical reports on information
security and issues relating to sharing and communication in the network.
4. Participating
in communication and popularization to raise awareness regarding incident
prevention, response, and cyber information security assurance.
5. Organizing
and maintaining operation of Network Operating Committee; implementing other
operations related to incident coordination and response and cyber information
security assurance.
Chapter III
...
...
...
Article 8. Incident coordination and response
1. Incident
coordination and response are implemented by National coordinating authority
and competent authorities in order to mobilize, operate, and jointly cooperate
resources, including: personnel, materials (equipment), financial (finance,
budget) to prevent, monitor, collect, discover, and warn against incidents;
receive, analyze, verify, and classify incidents; operate, cooperate, and
organize incident response, stay ready to respond and rectify incidents in
order to minimize risks and damage caused by the incidents.
2. National
coordinating authority shall issue warning, coordinate nation-wide incident
response efforts; mobilize and coordinate network members and relevant
organizations, entities to cooperate in preventing, dealing with, and
rectifying nation-wide incidents; promulgate and assume responsibility for
orders/request for coordination using Form No. 6 attached hereto;
3. Activities
involved in incident coordination and response:
a) Monitoring, analyzing,
discovering, warning about risks, threats, holes, incidents, cyber attacks and
solutions for incident prevention;
b) Developing, proposing
incident response solutions and plans;
c) Organizing trainings and
drills regarding incident response and cyber information security assurance;
d) Operating and mobilizing
resources to respond to incidents within their competence; providing technical
support and taking measures to respond to and prevent cyber attack;
dd) Investigating,
analyzing, identifying origin, methods, and form of attack in order to deal
with, prevent, issue warnings and guidelines to prevent widespread incidents;
collecting, developing incident summary reports;
...
...
...
g) Conducting other
activities relating to incident response according to Decision of the Ministry
of Information and Communications.
4. Information
exchange regarding incident coordination and response shall be implemented via
official dispatch, electronic mail, telephone, fax, multimedia messages, and advanced
technical communication systems, and shall comply with relevant legal provisions
regarding the exchange of confidential information.
Article 9. Notifying and reporting cyber information security incidents
1. Methods
of notifying, reporting incidents
a) Methods of notifying
incidents: Official dispatch, fax, electronic mail, multimedia messages, or
technical system for reporting cyber information security incident according to
guidelines of the National coordinating authority;
b) Methods of reporting
incident: Physical document or electronic document (bearing signature and seal
or digital signature of competent individual).
2. Reporting
cyber information security incident
a) Within 5 days from the
date on which incidents are discovered, entities and individuals operating
information system are responsible for sending information on the incidents
according to Point a Clause 3 of this Article (Incident Notification) to:
Entities presiding the information system, National coordinating authority,
incident response specialists, and relevant members of incident response
network (if any). If incident rectification has not been completed at the time
of reporting, entities and individuals operating information systems shall send
update on the incident to previous recipients as soon as rectification
completes;
b) If entities or
individuals operating information system deem the incidents exceed their
capability, they shall submit Initial incident report to entities presiding
information system, relevant incident response specialists (if any), and
National coordinating authority; entities or individuals operating information
system shall send Final incident report to entities presiding information
system and National coordinating authority within 5 days from the date on which
incident response is complete. National coordinating authority shall only
acknowledge completion of incident response efforts after receiving Final
incident report;
...
...
...
3. Types
of incident notification, report:
a) Incident notification
consists of: Name, address of entities, individuals sending the notification;
name or domain name, IP address of information system to which incidents occur;
name, address of entities and individuals operating, presiding information
system to which incidents occur (if known); description of the incident and
time in which the incident is discovered; incident resolution results,
propositions, recommendations, and other relevant information (if any);
b) Initial incident report
shall conform to Form No. 3 under Appendix I attached hereto;
c) Situation report;
d) Specific response
solution report;
dd) Assistance and
cooperation request;
e) Final incident report,
using Form No. 4 under Appendix I attached hereto.
4. Throughout
incident response process, entities and individuals operating information
system shall take charge and cooperate with relevant agencies, entities in
developing and maintaining incident response reports as per the law and at
request of competent authority.
Article 10. Discovering, receiving, verifying, taking initial actions, and classifying cyber information security incidents
...
...
...
a) Upon discovering
incidents: Monitor, record, and gather information relating to the incidents,
organizations sending incident notification or report in accordance with
Article 9 hereof;
b) Upon receiving incident
notification: Immediately inform organizations, individuals sending incident
notification about received notification;
c) Verify incidents and take
initial actions: Take charge, cooperate with entities responsible for information
security (if any), relevant incident response specialists, telecommunication
enterprises, internet service providers (ISP) in analyzing, verifying, and
evaluating the incidents; perform initial response activities, implement response
procedures according to cyber information security incident response procedures
approved by competent authority or procedures under Article 11 hereof; if the
incidents are possibly serious incidents, immediately report to entities
presiding information system, relevant incident response specialists in order
to classify the incidents as serious incidents and report to National
coordinating authority.
2. Incident
response specialists or members of incident response network shall have the
responsibility to:
a) Upon discovering
incident: Immediately inform entities, individuals operating information
systems and presiding information system, and National coordinating authority
about the incidents;
b) Upon receiving incident
notification or reports: Acknowledge, receive as per the law, and respond to
incident notification or report senders after receiving;
c) Organizing verification
and incident resolution: Cooperate with entities and individuals operating
information system in assessing, verifying, and dealing with the incidents
within their capability and responsibility; if the incidents exceed their
capability or are possibly serious incidents, report to entities presiding
information system and National coordinating authority;
d) Supervise development of
incident response operations, report or propose, request direction of entities
presiding information system and Ministerial/Provincial steering committees if
the incidents exceed the scope of their powers and responsibilities or
capabilities;
dd) Consolidate and report
to National coordinating committee regarding incident development when
requested.
...
...
...
a) acknowledge, receive
incident notification, report according to procedures;
b) respond to incident notification, report senders upon receiving incident
notification, report;
c) assess, identify, and
classify incidents in order to issue warnings, coordinate, choose solutions,
organize response, report, and request Standing authority to consider, decide
on serious incidents and appropriate emergency response solutions. If an
incident is classified as a serious incident, National coordinating authority
shall take charge and cooperate with relevant authorities in implementing
subsequent steps in serious incident response procedures under Decision No.
05/2017/QD-TTg;
d) organize cooperation with
international cyber information response organizations in receiving early
warnings, information on incidents, risk of cyber information security
violation, and cooperation in responding to cross-border incidents, attacks;
dd) implement other
responsibilities of National coordinating authority, report and propose to
Standing authority regarding issues that exceed their capability.
Article 11. Cyber information security incident response procedures
Cyber information security
incident response procedures according to chart under Appendix II include:
1. Receiving,
analyzing, providing initial response, and notifying incident
a) Receiving and verifying
incident
...
...
...
Cooperating entities:
Incident response specialists, National coordinating authority.
Details: Monitoring,
receiving, analyzing warnings, signs of incidents from internal and external
sources. If the incident is verified to have occurred, acknowledging,
collecting evidence, and identifying origin of the incident.
b) Implementing initial
response steps
Presiding entities:
Entities, individuals operating information system.
Cooperating entities:
Incident response specialists, relevant network members, and National
coordinating authority.
Details: Once the incident
has been verified to occur, entities and individuals operating information
system shall rely on the nature and signs of the incident in order to implement
initial steps to deal with the incident according to incident response plan
approved by competent authority or according to instructions of incident
response specialists or National coordinating authority.
c) Implementing response
solutions
Presiding entities:
Entities, individuals operating information system.
Cooperating entities:
Incident response specialists, relevant network members, and National
coordinating authority.
...
...
...
d) Directing incident
resolution (if necessary)
Presiding entities:
Ministerial/Provincial steering committees.
Cooperating entities:
Entities presiding information system.
Details: Based on report and
proposition of entities and individuals operating information system,
Ministerial/Provincial steering committees shall cooperate with entities
presiding information system and consult National coordinating authority (if
necessary) in order to direct incident response specialists, summon incident
response teams/units within their management to implement incident response
efforts; direct and coordinate communication, information disclosure. Depending
on situation development throughout response procedures, Ministerial/Provincial
steering committees shall decide to expand the compositions of incident
response teams/units, adjust incident response plans.
dd) Filing incident report
Presiding entities:
Entities, individuals operating information system.
Cooperating entities:
Relevant/responsible incident response specialists, telecommunication
enterprises, ISP.
Details:
When initial response steps have been implemented, entities operating
information system shall send incident notification and report to their
relevant internal and external organizations, individuals according to Article
9 hereof and internal regulations (if any).
e) Coordinating response
efforts
...
...
...
Cooperating entities:
Entities and individuals operating information system, incident response
specialists, relevant network members.
Details: Depending on the
nature of the incident and request for assistance of entities and individuals
operating information system and incident response specialists,
Ministerial/Provincial steering committees and National coordinating authority
shall coordinate, supervise cooperation and information sharing within their
functions, powers, and tasks in order to mobilize incident response resources.
2. Implementing
incident response, prevention, and handling
Presiding entities: Entities
and individuals operating information system; incident response specialists.
Cooperating entities:
Entities responsible for maintaining information security for the system to
which the incident occurs, incident response specialists, relevant network
members, and National coordinating authority.
Details:
a) Collecting evidence,
analyzing, identifying scope and affected entities.
b)
Analyzing, identifying origin of the attack, responding, preventing, and
minimizing impact, damage to information system.
3. Handling
incident, removing, and restoring
...
...
...
Presiding entities: Entities
and individuals operating information system; incident response specialists.
Cooperating entities:
Entities responsible for maintaining information security for the system to
which the incident occurs, incident response specialists, relevant network
members, and National coordinating authority.
Details: After preventing the
incident, entities and individuals operating information system, incident
response specialists, incident response teams/units shall eliminate and
remove malware, harmful software, and rectify information security weaknesses
of information system.
b) Restoring
Presiding entities:
Entities, individuals operating information system;
Cooperating entities:
Incident response teams/units, entities responsible for maintaining information
security for the system to which the incident occurs, incident response
specialists, relevant network members, and National coordinating authority.
Details: Entities and
individuals operating information system shall take charge and cooperate with
relevant entities in restoring information system, data, and connection;
configuring safe system; adding equipment, hardware, and software to ensure
information security for information system.
c) Inspecting and evaluating
information system
Presiding entities:
Entities, individuals operating information system.
...
...
...
Details: Entities and
individuals operating information system and relevant entities shall inspect,
evaluate operation of the entire information system after the incident has been
rectified. If stable operation of the system has not been achieved, continue to
collect, re-identify the causes, and take steps specified under Clause 2 and
Clause 3 of this Article in order to extensively rectify and restore normal
operation of information system.
4. Concluding
and evaluating
Presiding entities:
Entities, individuals operating information system.
Cooperating entities:
Incident response specialists; incident response teams/units; entities
presiding information system; Ministerial/Provincial steering committees;
National coordinating authority.
Details: Entities and
individuals operating information system to which the incident occurs shall
cooperate with incident response specialists and incident response teams/units
in consolidating information, report, analysis relating to the incident, the
implementation of incident response efforts, sending to entities presiding
information system, Ministerial/Provincial steering committees, and National
coordinating authority; analyzing causes, learning from experience in incident
response, and proposing additional solutions in order to prevent and respond to
similar incidents in the future.
Chapter IV
SOLUTIONS FOR ASSURING RESPONSE TO CYBER INFORMATION SECURITY INCIDENTS
Article 12. Developing and implementing cyber information security incident response plans
1. Agencies,
organizations, and enterprises shall develop and implement cyber information
security incident response plans of their agencies, organizations, and
enterprises, in which:
...
...
...
b) In regard to information
systems not specified under Point a Clause 1 of this Article, conform to
Appendix III attached hereto.
2. Entities
presiding information systems and competent agencies, authorities approving
incident response plans shall identify conditions and order of priority in
order to maintain operation of information system when deploying incident
response and consider this a requirement in incident response plan.
3. National
coordinating authority shall provide guidelines on developing and implementing
incident response plans, implementing response provision, dealing with cyber information
security incidents; organizing regional, sectoral, national, and international
trainings and drills; developing plans and organizing periodic inspection,
evaluation of implementation of cyber information response plans of ministries,
central departments, local governments, organizations and enterprises.
Article 13. Expenditure
Expenditure on coordinating
and responding to nation-wide cyber information security incidents shall
conform to Article 17 of Decision No. 05/2017/QD-TTg and relevant guiding
documents.
Chapter V
ORGANIZING IMPLEMENTATION
Article 14. Entry into force
1. This
Circular comes into force from November 1, 2017 and annuls Circular No.
27/2011/TT-BTTTT dated October 4, 2011 of the Ministry of Information and
Communications.
...
...
...
MINISTER
Truong Minh Tuan
APPENDIX I
LIST OF FORMS IN COORDINATION AND RESPONSE TO NATION-WIDE CYBER INFORMATION SECURITY INCIDENTS
(Attached to Circular No. 20/2017/TT-BTTTT dated September 12, 2017 of the
Minister of Information and Communications)
No. | Form number | Form title
...
...
...
Form No. 01 | Declaration of members of incident response network
2 | Form No. 02 | Application for participation in incident response network (Applicable to organizations, enterprises, and individuals voluntarily participating in incident response plan)
3 | Form No. 03 | Initial cyber information security incident report
...
...
...
Form No. 04 | Final incident report
5 | Form No. 05 | Report on receipt and handling of cyber information security incidents
6 | Form No. 06 | Cooperation order/request
...
...
...
Form No. 1
Attached to Circular No. 20/2017/TT-BTTTT dated September
12, 2017 of the Minister of Information and Communications
ORGANIZATION
...............................
-------
SOCIALIST
REPUBLIC OF VIETNAM
Independence - Freedom - Happiness
----------------
DECLARATION OF MEMBERS OF INCIDENT RESPONSE NETWORK
1. General
information on the organization
▪ Name
of organization: .......................................................................................................
▪ Name
of presiding authority: ..............................................................................................
...
...
...
▪ Phone:
…………………………………………………… ▪ Fax:
..................................................
▪
Email: ……………………………………………………….... ▪
Website: .....................................
▪
Information security officer: ………………………………………………… Position: ..................
2. Incident
notification recipient information
▪
Address: ..........................................................................................................................
▪
Fixed telephone: …………………………………….▪ Mobile phone: ........................................
▪
Fax: ……………………………………………………..▪ Email: ..................................................
3. Incident response liaison
3.1 Primary incident
response liaison
▪
Address: ..........................................................................................................................
▪
Fixed telephone: ………………………………………… ▪
Mobile phone: ..................................
▪
Fax: ……………………………………………………… ▪
Email: ................................................
4. Introduction to operation
of the organization
(Provide National
coordinating authority with information on incident response capacity of the
organization such as human resources, technology, experience, serving targets,
etc.)
...........................................................................................................................................
5. Name of information
systems under their management or provided as service:
▪
Level 1:
1.
….
▪
Level 2:
1.
2.
….
▪
Level 3:
1.
2.
….
1.
2.
….
▪
Level 5:
1.
2.
….
6. Information on List of
personnel and experts in information security, information technology, and
similar
(Provide information on information
security, information technology personnel of the entity or relevant entities
using summary form under Form No. 1)
(Location
and date)
LEGAL REPRESENTATIVE
(Signature, seal, or digital signature)
[sample]
CONSOLIDATED LIST OF PERSONNEL, EXPERTS IN INFORMATION TECHNOLOGY, INFORMATION
SECURITY, OR SIMILAR FIELDS
(Attached to Form No. 1)
1. Number
of personnel relating to information technology, information security, or similar
fields
No.
Category
Quantity
(person)
Number of officials by
fields of training
a)
Information technology
b)
Information security
c)
1.2
Number of officials by
levels of training
a)
Postgraduate
b)
Graduate
c)
College
d)
Intermediate education
1.3
Number of officials
holding certificates relating to information technology, information security,
or similar fields
Number
of officials holding international certificates
b)
Number of officials
holding domestic certificates
2. Number
of personnel with experience, training regarding information security
No.
Category
Quantity
(person)
Information security
experts
a)
High-level information
security administration
b)
Information security
management system
c)
d)
Cyber security and
infrastructure administration
dd)
Information security
policy-making
2.2
Defense and counter-attack
technical experts
a)
Cyber attack and
counter-attack, counter-terrorism and anti-cyberwarfare techniques
b)
Malware analysis, defense
against malware and spyware
c)
Response to information
security incidents
System examination,
supervision, and analysis, security vulnerability scan
dd)
Information security
incident analysis
e)
Investigation and
collection of incident information and electronic evidence
g)
h)
Monitoring and controlling
online information
2.3
System, application
security and protection experts
a)
Encryption, cryptanalysis,
information hiding and security
b)
Digital
signature, identification, authentication
c)
Information security
system integration
d)
Safe network system
counseling, design, and development
Safe programming (Web
application, information portal)
e)
Safety assurance for
telecommunication system, mobile network, wireless network
g)
Safety assurance in
electronic transactions, online payment, electronic commerce
h)
2.4
Information security
inspection and evaluation experts
a)
Information security
conformity counseling
b)
Risk analysis and management,
maintaining of operation of information system
c)
Safety evaluation of
information technology system and products
d)
Safety inspection and
evaluation of Web applications and web portal
3. List
of personnel specializing in information security, information technology, or
similar fields
No.
Full
name
Training
major
Certificates,
degrees, qualifications relating to information technology, information
security, or similar fields
Month/year
of completion
1
…
Note: Degree: Doctor of
Science, Bachelor, Master, Engineer, etc.
Form No. 2
Attached to Circular No. 20/2017/TT-BTTTT dated September
12, 2017 of the Minister of Information and Communications
SOCIALIST
REPUBLIC OF VIETNAM
Independence - Freedom - Happiness
--------------------
APPLICATION FOR PARTICIPATION IN INCIDENT RESPONSE NETWORK
(Applicable to organizations, enterprises, and individuals
voluntarily participating in incident response network)
I. General information on
the applicant
2. Address:
.................................................................................................................
3. Telephone:
..............................................................................................................
4. Fax:
........................................................................................................................
5. Email:
.....................................................................................................................
II. Introduction to
operation of the applicant
1. Introduction
to operation of the applicant
(Provide the National
coordinating authority with brief information on fields of operation of the
applicant, incident response capacity of the applicant, human resources,
technology, experience, serving targets, etc.)
...................................................................................................................................
...................................................................................................................................
▪
Level 1:
1.
2.
….
▪
Level 2:
1.
2.
….
▪
Level 3:
2.
….
▪
Level 4:
1.
2.
….
▪
Level 5:
1.
2.
3. Information on personnel
and experts in information security, information technology, and similar fields
(Provide information on
their human resources, information security, information technology using
schedule under Form No. 1 hereof)
III. Communication and
contact information in the network
1. Website
address: ....................................................................................................
2. Email
address(1):
PGP/GPG Public Key of PoC
email address of the applicant:(2)
a) User ID: ..................................................................................................................
b) Fingerprint : ............................................................................................................
c) Connection to Public key
of the applicant(3): .............................................................
(2) If
the applicant does not have this, it is permissible to leave this field empty
or request the VNCERT to provide instructions to create one.
(3) The
applicant may send Public Key to the VNCERT via [email protected]
3. Contact liaison during working hours
a) Name of
department/individual in charge: .................................................................
b) Fixed telephone:
…………………………… c) Mobile phone: .......................................
d) Fax: ........................................................................................................................
4. Contact liaison outside of working hours
a) Name of
department/individual in charge: .................................................................
b) Fixed telephone:
…………………………… c) Mobile phone: .......................................
5. Information security officer of the
applicant (4)
a) Name of
department/individual in charge: .................................................................
b) Fixed telephone:
…………………………… c) Mobile phone: .......................................
(4)
Information security officer of the applicant shall only be reached if other
liaisons cannot be contacted or in serious situations
6. Postal
mail and official dispatch receiving address:
a) Name of receiving
department/individual: ..................................................................
b) Position, title: ..........................................................................................................
c) Name of applicant: ..................................................................................................
d) Address: .................................................................................................................
7. Other
means of communication (5)
Other
means of communication via instant messaging system
a) Yahoo ID:
b) Skype:
c) Google Talk:
d) Hotmail:
dd) Others:
(5) Not
mandatory
We hereby guarantee to
adhere to responsibilities and powers of network members, regulation on
coordination and response to incidents according to regulations and law and
instructions of National coordinating authority.
(Location
and date)
LEGAL REPRESENTATIVE
(Signature and seal)
INITIAL CYBER INCIDENT REPORT
INFORMATION
ON ORGANIZATION/INDIVIDUAL REPORTING THE INCIDENT
▪ Name
of organization/individual reporting the incident (*) .............................................
▪
Address: (*) ..............................................................................................................
▪
Phone (*) ……………………………………….Email (*) ...................................................
CONTACT INDIVIDUAL
▪
Full name (*) ………………………………… Position: ....................................................
▪
Phone (*) …………………………………… Email (*) ......................................................
Name of entity operating
information system (*):
Specify entity operating
or hired to operate information system
Presiding authority:
Specify presiding
authority
System to which the
incident occurs
Specify the system to
which the incident occurs, relevant domain name and IP address
Level of the information system
(if any)
□
Level 1
□
Level 2
□
Level 4
□
Level 5
Information security
service provider (if any):
Specify service provider
External connection
service provider (if any)
Specify service provider
Specify supplier
Specify supplier’s
information
Provide brief description
of the incident, including initial assessment of whether the attack has
occurred and risk leading to further damage or service disruption. Identify
sensitivity of relevant information or entities affected by the incident: ...........................................................................................................................................
...........................................................................................................................................
...........................................................................................................................................
...........................................................................................................................................
...........................................................................................................................................
...........................................................................................................................................
...........................................................................................................................................
...........................................................................................................................................
/
/
Time in which the incident
is discovered (*):
……
……… (hour and minute)
CURRENT SITUATION OF THE
INCIDENT (*)
□
Has been handled
□
Has not been handled
MEANS OF DISCOVERY * (Tick
methods employed to discover the incident)
□ Notification
sent by: .................................................................................................
□ Others,
elaborate ......................................................................................................
INCIDENT NOTIFICATION SENT
TO *
□ Network
members responsible for responding to incident
□ ISP
providing the service
□ Coordinating
authority
ADDITIONAL INFORMATION ON
THE SYSTEM TO WHICH THE INCIDENT OCCURS
▪ Operating
system ……………………………… Version .................................................
▪ Services
available on the system (Tick services used on the system)
□ Other
services, elaborate ..........................................................................................
▪ Information
security measures deployed (Tick measures that have been implemented)
□ Antivirus
□ Firewall □ Intrusion detection system
□ Others:
▪ IP
address of the system (List all IP address on the Internet, do not list
internal IP address)
...................................................................................................................................
▪ Domain
names of the system
...................................................................................................................................
▪ Main
usage of the system .........................................................................................
▪ Additional
information
□ System
log □ Sample virus / malware □ Others: …………………………………..
▪ Is
confidentiality required for information provided in this notification? □ Yes □
No
ASSISTANCE PROPOSITION AND
REQUEST
Description of the
proposition and request
Provide a summary of
assistance proposition and request (if any) ............................................
...........................................................................................................................................
...........................................................................................................................................
...........................................................................................................................................
...........................................................................................................................................
INCIDENT REPORT TIME *: ……………………..
(date and time)
LEGAL
REPRESENTATIVE
(Signature and seal)
Note: 1. The (*) indicates
mandatory information. Other sections can be left empty if no information is
available.
2. Email
subject shall start with “[TBSC]”
3. See
more on website of VNCERT (www.vncert.gov.vn)
Form No. 4
Attached to Circular No. …/2017/TT-BTTTT dated ……, 2017 of
the Minister of Information and Communications
FINAL INCIDENT REPORT
INFORMATION
ON ORGANIZATION/INDIVIDUAL FILING THE REPORT
▪ Name
of organization/individual reporting the incident (*) .............................................
▪ Address:
(*) ..............................................................................................................
▪ Phone
(*) …………………………………… Email (*) ......................................................
INITIAL INCIDENT REPORT
NUMBER: Number …………… Reporting date: …………/ 201…
Name of entity operating
information system (*):
Specify entity operating
or hired to operate information system
Presiding authority:
Specify presiding
authority
System to which the
incident occurs
Specify the system to
which the incident occurs
Level of the information
system (if any)
□ Level
1
□ Level
2
□ Level
4
□ Level
5
Name/Description of the
incident
Date
on which the incident is discovered (*) (dd/mm/yy)
/
/
Time in which the incident
is discovered (*):
…….. ………
(hour and minute)
Incident handling results
Provide and summarize the
situation, handling solutions, proposed response solutions in order to
rapidly handle the incident, mitigate risks and damage in case of similar
incidents in the future…
Attachments
List all relevant
attachments (incident development report; handling solutions, log file, etc.)
LEGAL
REPRESENTATIVE
(Signature and seal)
Form No. 5
Attached to Circular No. 20/2017/TT-BTTTT dated September
12, 2017 of the Minister of Information and Communications
SOCIALIST
REPUBLIC OF VIETNAM
Independence - Freedom - Happiness
To: Vietnam
Cybersecurity Emergency Response Center
6-MONTHLY/ANNUAL SUMMARY REPORT ON INCIDENT RECEPTION AND
HANDLING
□ From
……/201… to ……/201…
Name of agency/organization:
......................................................................................
Address: .....................................................................................................................
1. Number
of incidents and handling solutions
Type
of incident/cyber attack
Quantity
Number
of self-handled incidents
Number
of incidents handled via assistance from other organizations
Number
of incidents handled via assistance from foreign organizations
Number
of incidents requested for assistance from VNCERT
Estimated
damage
Denial-of-service attack
Phishing attack
Malware attack
Defacement attack
Encryption of software,
data, equipment
Damage to information,
data, software
Eavesdropping attack,
cyber espionage, information or data theft
Attacks combining multiple
methods
Other forms of attack
Total
2. List
of organizations assisting in the incident handling
...................................................................................................................................
3. List
of foreign organizations assisting in the incident handling
...................................................................................................................................
...................................................................................................................................
(Location
and date)
LEGAL REPRESENTATIVE
(Seal or digital signature)
Form No. 6
Attached to Circular No. 20/2017/TT-BTTTT dated September
12, 2017 of the Minister of Information and Communications
MINISTRY
OF INFORMATION AND COMMUNICATIONS VIETNAM CYBERSECURITY EMERGENCY RESPONSE
CENTER
-------
No.
/VNCERT-NV
On coordination and response to cyber security
incident
(Location
and date)
To:
……………………………………………
Pursuant to tasks and
powers, on the basis of practical request, the Vietnam Cybersecurity Emergency
Response Center - VNCERT hereby requests Agency/Entity to execute coordination
order/request below:
1. Type
of coordination request
□ Notifying
risks, incident situations, and preventive measures
□ Requesting
incident handling
□ Requesting
technical assistance, implementing administrative, technical measures
□ Requesting
resource mobilization (personnel, resources, technology, etc.)
2. Organizations/systems
related to the incident
...................................................................................................................................
...................................................................................................................................
3. Specific
request
...................................................................................................................................
...................................................................................................................................
...................................................................................................................................
...................................................................................................................................
...................................................................................................................................
4. Expiry
of coordination request: ………………… (date)
(Location
and date)
DIRECTOR
(Seal or digital signature)
APPENDIX
II
REGULAR INCIDENT RESPONSE PROCEDURES
(Attached to Circular No. 20/2017/TT-BTTTT dated September 12, 2017 of the
Minister of Information and Communications)
APPENDIX
III
SCHEME FOR CYBER INFORMATION SECURITY INCIDENT RESPONSE
(Attached to Circular No. 20/2017/TT-BTTTT dated September 12, 2017 of the
Minister of Information and Communications)
1. General
provisions
a) Scope and regulated
entities of the plan.
b) Conditions, general
principles, order of priority in maintaining operation of the system when
responding to incidents; rules in responding to incidents.
c) Forces participating in
incident response.
d) Functions, tasks,
responsibilities, and cooperation regulations, procedures between agencies and
entities
- Entities
and individuals operating information system;
- Contractors
providing cyber information security services (if any);
- Incident
response teams;
- Ministerial/Provincial
steering committees;
- National
coordinating authority;
- Standing
authority;
- Other
relevant entities.
2. Evaluation
of cyber information security risks and incidents
a) Evaluating current
situations and possibility of cyber information security assurance of
information systems and entities requiring protection under the plan;
b) Evaluating and predicting
possible cyber risks, incidents, attacks of information systems and entities
requiring protection;
c) Evaluating and predicting
possible consequences, damage, and impact if incident occurs;
3. Response,
handling measures for specific situations
In regard to each
information system and application program, develop specific situations and
scenarios, provide corresponding response solutions. Within response solutions,
indicators shall be set forth in order to rapidly identify nature and severity
of the incident. Development of incident response solutions shall satisfy
regulations below:
a) Implementation procedures
and initial response when incident occurs to information system, based on type
of incidents.
b) Methods of rapidly,
promptly identifying causes, origin of the incidents in order to take
appropriate response solutions
- Incidents
caused by cyber attack;
- Incidents
caused by error of system, equipment, software, technical infrastructure,
electric line, transmission, hosting, etc.;
- Incidents
caused by errors of system administrators or operators;
- Incidents
relating to natural disasters such as storms, flood, inundation, earthquake,
fire, etc.
c) Response, rectification
solutions for any or some of the situations below:
+ Denial-of-service attack;
+ Phishing attack;
+ Malware attack;
+ Hijack;
+ Defacement attack;
+ Encryption of software,
data, equipment;
+ Damage to information,
data, software;
+ Eavesdropping attack,
cyber espionage, information or data theft;
+ Attacks combining multiple
methods
- Incidents
caused by errors of the system, equipment, software, technical infrastructures
+ Incidents caused by
electricity transmission;
+ Incidents caused by Internet
connection;
+ Incidents caused by errors
of software, hardware, or application of information system;
+ Incidents relating to
system overloading;
+ Other incidents caused by
errors of system, equipment, software, technical infrastructures.
- Incidents
caused by error of system administrators, operators
+ Errors in updates,
changes, configuration of hardware;
+ Errors in update, changes,
configuration of software;
+ Errors relating to
mandatory suspension of services;
+ Other errors relating to
system administrators, operators.
- Incidents
relating to natural disasters such as storms, flood, inundation, earthquake,
fire, etc.
d) Arrangement,
coordination, and cooperation between forces, organizations in responding to,
preventing, handling the incidents;
dd) Solutions regarding
human resources, equipment, software, instruments, tools, and expected
expenditure on executing, responding to, and handling specific incidents.
4. Implementing
regular operation, incident coordination, response
a) Implement activities
within responsibilities of relevant agencies, entities under Article 9 through
Article 11 and other relevant provisions of this Circular;
b) Implement provision expenditure,
standby personnel and equipment for incident response; implement cooperation in
responding to, preventing, and rectifying incidents.
5. Implementing
incident prevention training, drills, monitoring, ensuring conditions for
incident response and rectification
a) Implementing training and
drill programs:
- Provide
training and drills for incident response solutions corresponding to specific
scenarios, specific incidents under Section 4;
- Provide
advanced training and drills for cooperation, response, counter-attack, malware
defense, and incident handling operations;
- Participate
in regional, area, national, and international trainings, drills.
b) Implementing tasks and
regulations for the purpose of preventing and discovering incidents:
- Implement
incident, risk supervision and early discovery;
- Inspect,
evaluate cyber information security; scan, remove, analyze, and eliminate
malware;
- Prevent
incidents, manage risks; study, analyze, verify, issue warnings for cyber
information security incidents, risks, malware;
- Develop
and apply information security protocols, regulations, and standards;
c) Implementing provisions
and tasks for the purpose of ensuring conditions for immediately responding to
and rectifying incidents:
- Procure,
upgrade, extend copyright of equipment, software, instruments, and tools
serving incident response and rectification;
- Fulfill
conditions for ensuring and arranging backup of human resources, material
resources, and financial resources in order to immediately respond to and
rectify incidents;
- Organize
operation of incident response teams, incident response units; hire technical
services and organize, maintain incident response specialists;
- Organize
and participate in operation of incident response network.
6. Implementing
solutions for ensuring and organizing plans, expenditure
a) Solutions for plan
execution;
b) Resources and conditions
for guaranteeing plan execution;
c) Expenditure and funding
sources for plan execution;
Provisions and tasks
hereunder shall be implemented internally or by hiring service contractors or
by combining both of these methods./.