DIRECTIVE

ON ORGANIZING AND CONDUCTING CYBERSECURITY MANAGEMENT DRILLS    

Protecting, promoting cybersecurity or preventing cybersecurity threats (hereinafter referred to as cybersecurity management) is a key mission closely associated with the sustainable growth in the digital transformation process.   The practice of cybersecurity management is closely aligned with the improvement of professional qualification and competence of cybersecurity incident response teams in the workplace.

In recent times, a number of exercises to protect and promote information security and respond to cybersecurity incidents (hereinafter referred to as exercise(s)) have been conducted by institutional and business entities. However, very few of them are organized just as a formality, i.e. they are more “discussion-based” than “operations-based”; use ready-made scenarios, mock-up or simulated systems. The weaknesses and disadvantages of these exercises organized in such a fashion are that incident response teams do not have many opportunities for acquisition of hands-on experience and dramatic improvement of their competence, which leads to the consequence that most of them have not yet been capable of response to complex, massive and long-running cyberattacks.

Meanwhile, the exposure of IT systems of ministries, central or local authorities and enterprises to cyber attack, fraud or hack threats exists.  In order for incident response teams to be capable of responding to incidents occurring in systems in their workplace, all exercises that they join need to change to the drills in which new methods, scopes and attributes should be innovated. As a drill, it must be performed on a real system without a ready-made scenario, but may specify objectives, participants, implementation tools, level and time in order to minimize risks.

Activities involved in a drill are integrated with the system that the incident response team is responsible for protecting, thereby helping the team enhance the experience of response to incidents happening to systems in operation.

The drill should change from the static to dynamic state; instead of being conducted according to the given scenario and for a short time, should take place without any scenario and for the duration long enough for response team members to bring their offensive skills into full play and get the response team into a state of full alert and readiness for any incidents like real-life cyberattacks.

The drill should shift from lesser to greater training loads; from the one executed on a case-by-case basis to the one executed on a more long-term and regular basis in order to help trainees improve on their defense and response skills and minimize risks; be accessible to a large number of participants, thereby having more chances of detecting existent weaknesses and defects in technology, technical processes and personnel for timely actions to be taken.

...

...

...

1. Units in charge of cybersecurity of Ministries, Ministry-level agencies, Governmental bodies; Departments of Information and Communications of centrally-affiliated cities and provinces

a) Advise Ministries, ministerial-level agencies, Governmental bodies, People's Committees of provinces and centrally-affiliated cities on the annual plan and budget to organize at least one drill on cybersecurity and response to cyber incidents falling within the remit of their host ministries, central or local authorities according to the guidelines that the Prime Minister issues in Task 4 of Section II of the Decision No. 1622/QD-TTg dated October 25 in 2017, approving the project to promote the operation of the incident response network, enhance the capacity of manpower and units in charge of responding to cybersecurity incidents nationwide by 2020 with vision toward 2025, and the Decision No. 05/2017/QD-TTg dated March 16, 2017, providing for the set of national cybersecurity emergency response plans (hereinafter referred to as Decision 05).

b) Deploy drills on systems that are in operation or rendering services, such as electronic portals, online public service portals, email systems, regulatory document management systems or other necessary systems; focus on carrying out drills on systems available on the Internet, especially software systems and platforms for e-government, smart city, and digital transformation web portals.

c) Carefully and methodically prepare cybersecurity protection plans to reduce risks and ensure that systems involved in drills are always safe when drills are conducted; need to clearly identify which system is the target of the drill, tools and techniques used in the drill so as to prevent any consequences or put any consequences likely to arise within the allowable limit; develop contingency plans to handle risks and get ready for response in case of any incident occurring during the drill.

d) Organize drills by themselves or designate qualified organizations or enterprises to carry out drills. 

dd) Collaborate with the Authority of Information Security during the drills in evaluating the effectiveness of the drills, risks, and assisting in response coordination in case of emergency.

e) Ensure both capacity building for incident response teams and strengthened protection of IT systems and help to raise awareness of cybersecurity management implications amongst agencies, organizations and people during the drill.

g) Fully participate in cybersecurity and cybersecurity incident response drills host by the Ministry of Information and Communications (the Authority of Information Security); encourage the incident response teams under their management to actively participate in drills organized by other units in order to improve their capacity.

2. Organizations and enterprises that are members of the national cybersecurity incident response network

...

...

...

b) Conduct drills on systems that are in operation or rendering services; focus on drills involving systems available on the Internet.

c) Implement the regulations laid down in clause c, d, dd and g of Section 1 herein.

d) Cooperate with and assist others in drills; get ready to take part in activities involved in response to emergencies likely to occur during drills.

3. Authority of Information Security

a) Give instructions on how to carry out drills.

b) Facilitate and supervise implementation of drills by those that are members of the national cybersecurity incident response network

c) Use drill results as one of the benchmarks for assessment of the capacity of incident response teams that are members of the national cybersecurity incident response network.

d) Host a national cybersecurity and cybersecurity incident response drill each year.

e) Evaluate drill results of the network’s members and report on these results to the Minister of Information and Communications on an annual basis; recommend measures to improve drills.

...

...

...

Organizations and enterprises that are members of the national cybersecurity incident response network shall consult the instructions given herein and concentrate on carrying out tasks according to these instructions in order to improve the effectiveness of drills. 

The Authority of Information Security shall supervise and help organizations and enterprises in effectively performing assigned tasks.  Each year, submit progress and review reports on implementation of this Directive to the Minister./.

MINISTER




Nguyen Manh Hung