Project on Capacity Building for Cyber Security in Vietnam
Socialist Republic of Vietnam
March 8, 2019
Hanoi, Ministry of Information Communication (MIC)
From June 26, 2019 to November 25, 2021
Ministry of Information Communication (MIC), Authority of Information Security(AIS)
(1) Development status (current status) and issues of the cyber security sector in the country
Cyber risk has become enormous rapidly and it is spreading on a global scale. In many countries, "cyber attacks" on critical information infrastructure (e.g. transportation, energy, medical, finance, etc.) has become a reality. Cyber security has become a national issue especially in developing countries where sufficient preventive measures against cyber attacks have not been taken.In the Socialist Republic of Vietnam, the number of incidents has increased sharply since 2014, especially, illegal incursions, DoS / DDoS attacks and Advanced Persistent Threats attack are on the rise. Also, information systems of governmental agencies and organizations have many vulnerabilities and it is becoming clearly that the risk of cyber security is getting higher. Furthermore, malware infection and the threats of malicious software are increasing year by year, especially victims through social networks are increasing. Online phishing is still prevalent and many users suffer from economic loss from overconfidence and negligence on information security. The leakage of personal information is remarkable, and caused economical loss to users in banking, finance, and e-commerce has increased.
(2) Cybersecurity sector development policy in this country and positioning of this project
In Vietnam, the Law on Information Technology (No. 67/2006/QH11), so-called National IT Law stipulating the rights and responsibilities of government, organization was enacted in 2007 together with the concerning decrees for information security on the Internet. In 2010, the criminal law on information security has been revised, stipulating detailed definitions and penalties for DDoS attack, intentional spread of computer virus, online fraud, etc. and Vietnam is focusing on information security measures as a national policy.
National strategies and plans for cyber security have been formulated. Prime Minister's Decision No.63 in 2010 and No.898 in 2016 approved development of a national plan, objectives, activities, etc. for cyber security by 2020. Prime Minister's Decision No. 893 in 2015 approved a plan for propagation, dissemination and enhancement of awareness of cyber security by 2020.
AIS has been able to perform a certain extent of its functions such as awareness activities, incident handling, cyber attack prevention, etc. However, further strengthening of its security engineers is critical for network monitoring of the government, defence against cyber attacks, enhancement of reactive service to incidents. as cyber attacks are expected to increase in future.
The Project aims to enhance capacity of AIS which has a function to formulate policies and equipped with cyber attack mitigation system for cyber security by providing assistance to enhance capacity of security quality management, reactive service and proactive service then contributes to increase cyber resilience for Vietnamese government.
Cyber resilience for Vietnamese government is increased.
Capacity of AIS for cyber security is enhanced.
Output1) Capacity of security quality management and policy making is enhanced
1-1 | Clarify the required roles defined in SecBoK framework |
1-2 | Develop a CDP for each staff based on SecBoK Framework |
1-3 | Develop a training course plan for high prioritized roles defined in SecBoK Framework (e.g. CISO, Commander) |
1-4 | Conduct training |
1-5 | Review CDP (e.g. every six months) |
1-6 | Plan and conduct training for policy maker |
1-7 | Develop/localize awareness raising materials |
2-1 | Develop a training course plan for high prioritized roles defined in SecBoK Framework (e.g. Incident manager, Incident handler, Triage) |
2-2 | Conduct training |
2-3 | Review CDP (e.g. every six months) |
2-4 | Expand reactive infrastructure (e.g. DDoS attack mitigation) in AIS |
3-1 | Develop a training course plan for high prioritized roles defined in SecBoK Framework (e.g. Researcher, Solution analyst, Vulnerability diagnostic consultant, Information security auditor) |
3-2 | Conduct training |
3-3 | Review CDP (e.g. every six months) |
3-4 | Expand proactive infrastructure (e.g. network monitoring) in AIS |
[Japanese side]
[Vietnamese side]