Chương II Thông tư 31/2017/TT-BTTTT: Giám sát an toàn hệ thống thông tin

Chapter II

SURVEILLANCE OF INFORMATION SYSTEM SECURITY

Article 3. Surveillance principles

1. Surveillance is carried out regularly and continuously.

2. Surveillance, analysis and prevention methods are actively implemented to promptly detect and prevent cyber information security incidents and risks.

3. The stability and security of information provided or exchanged during the surveillance are ensured.

4. There are close and effective regulation and cooperation between surveillance carried out by Ministry of Information and Communications and those carried out by managers of information systems. Connection between the surveillance system of the Ministry of Information and Communications and those of managers of information systems are gradually established in the whole country.

Article 4. Surveillance methods

1. Surveillance shall be carried out directly (direct surveillance) or indirectly (indirect surveillance). A manager of an information system may carry out surveillance or use surveillance services. If necessary, according to capacity, situation and actual resources, the manager of an information system may request relevant authorities affiliated to the Ministry of Information and Communications to provide assistance in surveillance in conformity with actual resources.

2. Direct surveillance is the surveillance carried out by installing equipment for analyzing dataflow (surveillance), directly collecting information from log files and warnings about information security intrusions, risks and incidents. A direct surveillance shall include the following activities:

a) Analysis and collection of information on cyber information security. To be specific:

- Analyzing and surveillance cyber information security of network transmission lines or information flow at internet ports using equipment capable of analyzing network transmission lines to detect information security intrusions, risks and incidents such as equipment for detecting or preventing intrusions in conformity with entities under surveillance (Ex: IDS, IPS, Web Firewall, etc.)

- Collecting log files and cyber information security warnings expressing the operation of applications, information system and information security equipment

b) Consolidation, synchronization, verification and processing of information on cyber information security to detect cyber information security intrusions, risk and incidents or remove inaccurate information.

3. Indirect surveillance is surveillance carried out through techniques for collecting information from relevant information sources; inspecting and surveillance of entities under surveillance for determine their operation and capacity to satisfy and connect with other relevant factors to detect cyber information security intrusions, risks and incidents. Indirect surveillance includes the following activities:

a) Collection, analysis and verification of information about cyber information security intrusions, risks and incidents related to entities under surveillance collected from relevant information sources;

b) Remote or direct inspection and review of entities under surveillance for assessing situation and detecting cyber information security intrusions, risks and incidents able to be used, intruded or damaged.

Article 5. Requirements for direct surveillance by managers of information systems

Managers of information systems shall actively carry out surveillance in accordance with applicable regulations. Surveillance of 3^rd -class information systems or higher class by their managers shall satisfy the following requirements:

1.  Central surveillance by the manager shall satisfy the following requirements:

a) Sufficient features of collection and consolidation of information on cyber information security are provided;

b) Collected information is analyzed to detect and warn about cyber information security intrusions, risks and incidents that can affect the system's operation or capacity to provide services of information systems under surveillance;

c) Interfaces facilitating the continuous surveillance and surveillance by supervisors are provided;

d) The following input information is collected and analyzed: wed servers with web applications such as portal, online public services, etc; warnings and log files of basic monitoring equipment; warns and log files of firewalls established for protecting internet connection related to entities requiring surveillance;

e) The central surveillance is suitable for quantity and formats of and able to analyze information on cyber information security collected from information systems under surveillance.

2. Collection of information on cypherinformation security and basic monitoring shall satisfy the following requirements:

a) Information on cyber information security is collected from log files and warnings of software or equipment related to entities requiring surveillance for provision for central host computer servers or at the request of competent authorities affiliated to Ministry of Information and Communications. The following information on cyber information security is collected and provided: wed servers with web applications such as portal, online public services, etc; warnings and log files of basic monitoring equipment; warnings and log files of firewalls established for protecting internet connection related to entities requiring surveillance;

b) Basic monitoring equipment is able to detect cyber information security intrusions, risks and incidents and is established to ensure surveillance of all Internet connections of entities requiring surveillance;

c) Surveillance equipment has functions of detection and establishment of separate rules for detecting intrusions based on the following information: source IP address, destination IP address, source port address, destination port address, special data segments in transmitted packets. If organizations and individuals use basic monitoring equipment themselves, existing applications such as IDS, IPS, Web firewalls, etc are prioritized to be used basic as surveillance equipment;

d) Information systems serving the electronic government using encoded protocol (“https” for example) have technical measures for ensuring that equipment for surveillance cyber information security will have sufficient information to detect cyber information security intrusions, risks and incidents;

e) Basic monitoring equipment is established and connected with the surveillance system of the Ministry of Information and Communications according to instructions and requirement of competent authorities.

3. The surveillance includes the following activities:

a) Monitoring, continuously carrying out surveillance and making daily reports and ensuring the stable and continuous operation of and information collection of by the manager’s surveillance system;

b) Formulating and issuing regulations on cyber information security surveillance which specify time limit for regular collection of processing results and making reports;

c) Surveillance and operating the basic monitoring equipment to ensure the stability, continuity and timely adjustment in case of changes and following instructions provided by the Ministry of Information and Communications to ensure effective surveillance;

d) Making weekly reports on surveillance results and sending them to managers of information systems. A weekly report shall contain time of surveillance, the list of noticeable intruded entities (ID address, description of provided services and time of intrusion); intrusion methods that have been detected and relevant evidence; entities carrying out intrusions; changes in information systems under surveillance and surveillance systems, etc.;

dd) Classifying cyber information security risks and incidents according to specific cases;

e) Regularly getting results of handling of cyber information security risks and incidents for retention and report;

g) The manager of an information system requesting competent authorities affiliated to the Ministry of Information and Communications to monitor the grassroots system or information systems under surveillance of the Ministry of Information and Communications shall provide and update information on the information systems requiring surveillance and descriptions of technical plans for operating the manager’s surveillance system for the Ministry of Information and Communications using the specimen prescribed in Appendix 1, which includes the following information:

- Descriptions of each information system under surveillance, including IP address, domain name, provided services, name and version of the operating system and web applications;

- Position of the manager’s surveillance system, capacity of transmission lines connected with entities under surveillance of the manager, information expected to be collected and protocol of collection such as IDS warning, firewall logs, web server logs, etc.

h) Retaining information on surveillance for at least 30 operating days in normal conditions;

i) Regularly providing information on surveillance or surprisingly provide it at the request of the Ministry of Information and Communications in accordance with regulations of law;

k) Submitting reports on surveillance by the manager of information system every 6 months using the specimen prescribed in Appendix 2.

Article 6. Surveillance by enterprises

Telecommunications enterprises, enterprises providing information technology services and enterprises providing cyber information security services shall:

1. Cooperate with the manager of information system in surveillance at the request of the Ministry of Information and Communications.

2. Provide information on infrastructure, techniques and network system, provide technical assistance at the request of the Ministry of Information and Communications to serve the surveillance of the Ministry.

3. Carry out the tasks of surveillance prescribed in Article 7 of the Prime Minister’s Decision No. 05/2017/QĐ-TTg.

Article 7. Individuals and departments in charge of surveillance and warning

1. The manager of an information system shall appoint individuals or departments to take charge of surveillance and warning of cyber information security and cooperate with competent authorities affiliated to the Ministry of Information and Communications.

2. Individuals and departments in charge of surveillance shall provide and access information promptly and continuously and carry out surveillance within their information systems.

3. Individuals and departments in charge of surveillance shall provide information via one or multiple manners such as official dispatchs, emails, telephone, fax, or exchange on a specialized communications software to ensure information security.

4. Information on an individual or a department in charge of surveillance includes name of individual, name of department, position, address, landline phone and mobile phone numbers, email and digital signature (if any).

Article 8. Information exchange, provision and sharing

1. Individuals and departments in charge of surveillance are encouraged to exchange and provide information for each other in order to cooperate in surveillance, warning of and response to incidents and increase the initiative in dealing with risks to, methods and tricks of intrusions into cyber information security of organizations and individuals.

2. Information that may be shared, provided or exchanged including information on  cyber information security intrusions, risks and incidents; methods, tricks and origins of intrusions; effects caused by incidents and management and technical methods for dealing with these risks, intrusions and incidents.

3. Principles of information exchange, provision and sharing

a) Appropriate management and technical methods are applied promptly and accurately to ensure security of exchanged information;

b) Exchanged information is actively verified to ensure its accuracy;

c) One or multiple manners for exchanging information such as website official dispatch, emails, messages, telephone or fax are used

d) When the information is exchanged with competent authorities affiliated to the Ministry of Information and Communications, instructions provided by this Ministry are followed.

Article 9. Activities for increasing surveillance capacity

1. Organizing regular briefings and seminars in terms of surveillance activities.

2. Providing training and carrying out maneuvers to increase the surveillance capacity.

3. Accelerating and inspecting surveillance and warning by specialized department in charge of cyber information security.

4. Sharing knowledge and experience of surveillance, warning of and response to incidents.

5. Researching into and making devices for providing assistance in cooperating and exchanging information on surveillance, warning of and response to incidents.

6. Developing products and services of advanced surveillance, analysis and warning for each specific entity under surveillance.

7. Promote the development of bilateral and multilateral cooperation agreements between specialized departments in charge of cyber information security in order to increase surveillance and warning capacity.

8. Promoting international cooperation in surveillance, warning of and response to incidents.