|
MINISTRY OF
INFORMATION AND COMMUNICATIONS
-------
|
SOCIALIST
REPUBLIC OF VIETNAM
Independence - Freedom - Happiness
---------------
|
|
No. 736/QD-BTTTT
|
Hanoi, May 31,
2021
|
DECISION
ISSUING
THE LIST OF BASELINE CYBERSECURITY REQUIREMENTS FOR CONSUMER INTERNET OF THINGS
(CIoT) DEVICES
MINISTER OF INFORMATION AND COMMUNICATIONS
Pursuant to the Law on Cybersecurity dated
November 19, 2015;
Pursuant to the Law on Information Technology
dated June 29, 2006;
Pursuant to the Government's Decree No.
17/2017/ND-CP dated February 17, 2017, defining the functions, tasks, powers
and organizational structure of the Ministry of Information and Communications;
Upon the request of the Director of the
Authority of Information Security.
HEREIN DECIDES
...
...
...
Hãy đăng nhập hoặc đăng ký Thành viên
Pro tại đây để xem toàn bộ văn bản tiếng Anh.
Article 2. The List specified in Article 1 herein shall be recommended
for use to ensure cybersecurity for CIoT devices.
Article 3. The Authority of Information Security shall take charge of
or cooperate with other affiliates in providing instructions for, inspecting
and assessing the application of the requirements set out according to the List
mentioned in Article 1 herein.
Article 4. This Decision is entering into force as of the signature
date.
Article 5. The Chief of the Ministry's Office, the Director of the
Authority of Information Security, Heads of subordinate units of the Ministry,
other involved organizations and individuals shall be responsible for
implementing this Decision./.
PP. MINISTER
DEPUTY MINISTER
Nguyen Huy Dung
LIST
OF BASELINE CYBERSECURITY REQUIREMENTS FOR CONSUMER INTERNET OF THINGS (CIOT)
DEVICES
...
...
...
Hãy đăng nhập hoặc đăng ký Thành viên
Pro tại đây để xem toàn bộ văn bản tiếng Anh.
No.
Description
Applicable
regulations
I
Cybersecurity requirements for CIoT devices
1
No universal default passwords
Fully accepting the requirements specified in
5.1, ETSI EN 303 645 V2.1.1 CYBER standard; Cyber Security for Consumer
Internet of Things: Baseline Requirements
...
...
...
Hãy đăng nhập hoặc đăng ký Thành viên
Pro tại đây để xem toàn bộ văn bản tiếng Anh.
Implement a means to manage reports of
vulnerabilities
Fully accepting the requirements specified in
5.2, ETSI EN 303 645 V2.1.1 CYBER standard; Cyber Security for Consumer
Internet of Things: Baseline Requirements
3
Keep software updated
Fully accepting the requirements specified in
5.3, ETSI EN 303 645 V2.1.1 CYBER standard; Cyber Security for Consumer
Internet of Things: Baseline Requirements
4
Securely store sensitive security parameters
Fully accepting the requirements specified in
5.4, ETSI EN 303 645 V2.1.1 CYBER standard; Cyber Security for Consumer Internet
of Things: Baseline Requirements
5
...
...
...
Hãy đăng nhập hoặc đăng ký Thành viên
Pro tại đây để xem toàn bộ văn bản tiếng Anh.
Fully accepting the requirements specified in
5.5, ETSI EN 303 645 V2.1.1 CYBER standard; Cyber Security for Consumer
Internet of Things: Baseline Requirements
6
Minimize exposed attack surfaces
Fully accepting the requirements specified in
5.6, ETSI EN 303 645 V2.1.1 CYBER standard; Cyber Security for Consumer
Internet of Things: Baseline Requirements
7
Ensure software integrity
Fully accepting the requirements specified in
5.7, ETSI EN 303 645 V2.1.1 CYBER standard; Cyber Security for Consumer
Internet of Things: Baseline Requirements
8
Ensure that personal data is secure
...
...
...
Hãy đăng nhập hoặc đăng ký Thành viên
Pro tại đây để xem toàn bộ văn bản tiếng Anh.
9
Make systems resilient to outages
Fully accepting the requirements specified in
5.9, ETSI EN 303 645 V2.1.1 CYBER standard; Cyber Security for Consumer
Internet of Things: Baseline Requirements
10
Examine system telemetry data
Fully accepting the requirements specified in
5.10, ETSI EN 303 645 V2.1.1 CYBER standard; Cyber Security for Consumer
Internet of Things: Baseline Requirements
11
Make it easy for users to delete user data
Accepting the requirements specified in 5.11,
ETSI EN 303 645 V2.1.1 CYBER standard; Cyber Security for Consumer Internet
of Things: Baseline Requirements
...
...
...
Hãy đăng nhập hoặc đăng ký Thành viên
Pro tại đây để xem toàn bộ văn bản tiếng Anh.
12
Make installation and maintenance of devices easy
Fully accepting the requirements specified in
5.12, ETSI EN 303 645 V2.1.1 CYBER standard; Cyber Security for Consumer
Internet of Things: Baseline Requirements
13
Validate input data
Fully accepting the requirements specified in
5.13, ETSI EN 303 645 V2.1.1 CYBER standard; Cyber Security for Consumer
Internet of Things: Baseline Requirements
II
Personal data protection requirements for CIoT
devices
Fully accepting the requirements specified in 6,
ETSI EN 303 645 V2.1.1 CYBER standard; Cyber Security for Consumer Internet
of Things: Baseline Requirements
...
...
...
Hãy đăng nhập hoặc đăng ký Thành viên
Pro tại đây để xem toàn bộ văn bản tiếng Anh.
APPENDIX
TERMS AND DEFINITIONS
(to the Decision No. 736/QD-BTTTT dated May 31, 2021 of the Minister of Information
and Communications)
1. CIoT devices
CIoT device refers to network-connected (and
network-connectable) device that has relationships to associated services and
are used by the consumer typically in the home or as electronic wearables.
NOTE 1: Consumer IoT devices are commonly also used
in business contexts. These devices remain classified as consumer IoT devices.
NOTE 2: Consumer IoT devices are often available
for the consumer to purchase in retail environments. Consumer IoT devices can
also be commissioned and/or installed professionally.
A non-exhaustive list of CIoT devices can comprise
the followings:
- Connected children’s toys and baby monitor
- Connected smoke detectors, door locks and window
sensors;
...
...
...
Hãy đăng nhập hoặc đăng ký Thành viên
Pro tại đây để xem toàn bộ văn bản tiếng Anh.
- Smart cameras, TVs and speakers;
- Wearable health trackers;
- Connected home automation and alarm systems,
especially their gateways and hubs;
- Connected appliances, such as washing machines
and fridges;
- Smart home assistants.
2. Constrained devices
Constrained device refers to device which
has physical limitations in either the ability to process data, the ability to
communicate data, the ability to store data or the ability to interact with the
user, due to restrictions that arise from its intended use.
NOTE 1: Physical limitations can be due to power
supply, battery life, processing power, physical access, limited functionality,
limited memory or limited network bandwidth. These limitations can require a constrained
device to be supported by another device, such as a base station or companion
device.
EXAMPLE 1: A window sensor's battery cannot be
charged or changed by the user; this is a constrained device.
...
...
...
Hãy đăng nhập hoặc đăng ký Thành viên
Pro tại đây để xem toàn bộ văn bản tiếng Anh.
EXAMPLE 3: A low-powered device uses a battery to
enable it to be deployed in a range of locations. Performing high power
cryptographic operations would quickly reduce the battery life, so it relies on
a base station or hub to perform validations on updates.
EXAMPLE 4: The device has no display screen to
validate binding codes for Bluetooth pairing.
EXAMPLE 5: The device has no ability to input, such
as via a keyboard, authentication information.
NOTE 2: A device that has a wired power supply and
can support IP-based protocols and the cryptographic primitives used by those
protocols is not constrained.
EXAMPLE 6: A device is mains powered and
communicates primarily using TLS (Transport Layer Security).
3. Associated services
Associated service refers to digital
services that, together with the device, are part of the overall consumer IoT
product and that are typically required to provide the product's intended
functionality.
EXAMPLE 1: Associated services can include mobile
applications, cloud computing/storage and third party Application Programming
Interfaces (APIs).
EXAMPLE 2: A device transmits telemetry data to a
third-party service chosen by the device manufacturer. This service is an
associated service.
Đã cập nhật Luật Đất đai 2024 mới nhất