Global Cybersecurity Index - AIS

Global Cybersecurity Index (GCI) 2015/16 Questionnaire Guide
 
This document is for information only. The GCI measures the commitment of countries to cybersecurity in the five pillars of the Global Cybersecurity Agenda: Legal Measures, Technical Measures, Organizational Measures, Capacity Building, and Cooperation.
 
This questionnaire has merged questions elaborated for establishing the GCI 2015/16 Score together with those required by ITU-D Study Group 2 Question 3. The questionnaire is composed of three separate sections, where questions in the first two sections have yes/no responses whilst the questions in the last section are open ended. The questionnaire should be completed online. Each respondent will be provided (via an official email from ITU) a unique url for his/her safekeeping. The online questionnaire enables the respondents to upload relevant documents (and urls) for each question as supporting information.
Information being provided by respondents to this questionnaire is not expected to be of confidential nature.
 
SECTION 1
1. Is there any cyber-related legislation?
 
1.1. Is there any cybercriminal law?
No, there isn't. (It is partly regulated in the Criminal Law, Articles 285 to 294.)
1.1.1. Is there any substantive cybercriminal law?
Yes, there is.
1.1.1.1. Are there any articles on the unauthorized access of computers, systems and data?
Yes, there are.
1.1.1.2. Are there any articles on the unauthorized interference / modification of computers, systems and data?
Yes, there are.
1.1.1.3. Are there any articles on the unauthorized interception of computers, systems and data?
Yes, there are.
1.1.2. Is there any procedural cybercriminal law?
No, there isn't. (It is partly regulated in Decree No. 174/2013/ND-CP on sanctioning administrative violations in the fields of post, telecommunications, information technology and radio frequency, which we have considered revising.)
1.1.2.1. Are there any articles on the expedited preservation of stored computer data?
Exp: Data preservation is an obligation imposed on a person or organization by a state authority, requiring the safekeeping of a specified type of data from loss or modification for a specific period of time.
1.1.2.2. Are there any articles on production orders?
Exp: A production order is an obligation imposed on a person or organization by a state authority, requiring delivery of available computer data of a specified type to law enforcement officials within a specified period of time.
1.1.2.3. Are there any articles concerning search and seizure of stored computer data?
Exp: Search and seizure of computer data refers to measures, including legislative ones, empowering authorities to search and access a computer system and computer data stored in its territory.
1.1.2.4. Are there any articles concerning real-time collection of computer data?
Exp: Real-time collection of data refers to measures, including legislative ones, empowering authorities to collect or record traffic data in real time, in its territory, transmitted by means of a computer system.
1.1.2.5. Are there any articles related to extradition of cyber perpetrators?
Exp: Extradition is a procedure by which a state or nation, upon receipt of a formal request by another state or nation, turns over to that second jurisdiction an individual charged with or convicted of a cyber-crime in that jurisdiction.
1.1.2.6. Are there any articles relating to mutual assistance?
Exp: An agreement between two or more countries for the purpose of gathering and exchanging information in an effort to enforce public or criminal laws.
1.1.2.7. Are there any articles related to confidentiality and limitation of use?
Exp: A Party may use the data provided it adheres to certain confidentiality clauses or uses the data only for specific agreed usage.
1.1.3. Is there any case law on cybercrime or computer misuse?
No, there isn't. (It is partly regulated in the Criminal Law.)
 
1.2. Is there any cybersecurity legislation or regulation?
Yes, there is. (Information Security Law.)
1.2.1. Is there any data protection legislation or regulation?
Yes, there is. (That is regulated in the Information Security Law.)
1.2.2. Is there any system and network protection legislation or regulation?
Yes, there is. (That is regulated in the Information Security Law and Governmental Decree No. 85/2016/ND-CP.)
1.2.3. Is there any breach notification legislation or regulation?
No, there isn't.
1.2.3.1. For data?
1.2.3.2. For systems and networks?
1.2.4. Is there any cybersecurity certification/standardization legislation or regulation?
Yes, there is. (It is partly regulated in the Information Security Law. The Vietnamese MIC is still drafting standards in the information security area.)
1.2.4.1. For public sector?
(Not yet)
1.2.4.2. For private sector?
(Not yet)
1.2.5. Does the legislation or regulation impose the implementation of cybersecurity measures?
Yes, it does. (That is regulated in Governmental Decree No. 85/2016/ND-CP, Circular 03/2017/TT-BTTTT and Decision No. 632/QD-TTg.)
1.2.5.1. On the public sector? Yes
1.2.5.2. On the critical infrastructure operators? Yes
1.2.5.3. On the private sector?
1.2.6. Does the legislation or regulation impose cybersecurity audits?
Yes, it does. (That is partly regulated in the Information Security Law.)
1.2.7. Is there a legislation or regulation detailing the protection of privacy?
Yes, there is. (That is regulated in the Information Security Law.)
1.2.8. Is there a legislation or regulation related to digital signatures and e-transactions?
Yes, there is. (That is regulated in the E-transaction Law and the Information Security Law.)
1.2.9. Is there a legislation or regulation related to the liability and responsibility of Internet Service Providers?
Yes, there is. (That is regulated in Governmental Decree No. 72/2013/ND-CP.)
1.2.10. Is there a legislation or regulation related to the containment or curbing of spam?
Yes, there is. (That is regulated in Governmental Decree No. 90/2008/ND-CP.)
 
1.3. Is there any cybersecurity training for law enforcement officers, judicial and other legal actors?
                      Yes, there is.
1.3.1. For law enforcement (police officers and enforcement agents)?
        Yes
1.3.2. For judicial and other legal actors (judges, solicitors, barristers, attorneys, lawyers, paralegals, etc.)?
Yes
1.3.3. Is the training recurring?
Yes, it is.
 
2. Do you have any technical measures?
 
2.1. Is there a CIRT, CSIRT or CERT with national responsibility?
Yes, there is. (The VNCERT)
2.1.1. Does it have a government mandate?
Yes, it does
2.1.2. Does the CIRT, CSIRT or CERT conduct recurring cybersecurity exercises?
Yes, it does.
2.1.3. Is the CIRT, CSIRT or CERT affiliated with FIRST?
Yes, it is. (In the process of joining as a member.)
2.1.4. Is the CIRT, CSIRT or CERT affiliated with any other CERT communities?
Yes, it is (with APCERT)
 
2.2. Is there a Government CERT?
        Yes, there is.
 
2.3. Are there any sectoral CERTs?
No, there aren’t
 
2.4. Is there any framework for the implementation of cybersecurity standards?
Yes, there is
2.4.1. In the public sector? (It is regulated in the Information Security Law.)
2.4.2. In the private sector?
 
2.5. Is there a framework for the certification and accreditation of cybersecurity professionals?
No, there isn’t
              2.5.1. In the public sector?
2.5.2. In the private sector?
 
2.6. Are there any technical mechanisms and capabilities deployed to address spam?
Yes, there are.
 
2.7. Are there certain tools and technical measures related to providing cybersecurity, such as anti-virus or anti-spam software, available to the persons with disabilities?
Yes, there are.
 
3. Do you have any organizational measures?
 
3.1. Is there a national strategy for cybersecurity?
Yes, there is
3.1.1. Is your national strategy standalone?
Yes, it is. (Decision 63/QĐ-TTg dated 13 January 2010, Decision 898/QĐ-TTg dated 27 May 2016 and Decision 632/QĐ-TTg dated 10 May 2017.)
3.1.1.1.         Does it address the private sector?
Yes, it does.
3.1.1.2.         Does it address the public sector?
Yes, it does.
3.1.1.3.         Is there a section on the protection of critical information infrastructure?
Yes, there is. (Decision 632/QĐ-TTg dated 10 May 2017.)
3.1.1.4.         Is there a roadmap for governance?
Yes, there is.
3.1.1.5. Is the strategy revised on a recurring basis?
Yes, it is.
3.1.1.6. Is the strategy open to public consultation?
Yes, it is.
3.1.1.7. Does the strategy include a national resiliency plan?
Yes, it does.
3.1.2. Is your national cybersecurity strategy included as part of another broader national strategy?
3.1.2.1.         Is there a section on the protection of critical information infrastructure?
Exp: Critical infrastructures are key systems crucial for safety, security, economic security and public health of a nation. These systems may include, but are not limited to: Defense systems, Banking and Finance, Telecommunications, Transport, Health, Energy etc.
3.1.2.2.         Is there a roadmap for governance of the cybersecurity section?
3.1.3. Does it define priorities for the public sector? No, it doesn't.
3.1.4. If there is not a cybersecurity strategy in place, is one currently in development? One is already in place.
3.1.5. Does the existing strategy, or the one in development, include actions pertaining to
 
3.2. Is there a national body/agency responsible for cybersecurity?
No, there isn’t
3.2.1. Is there an agency responsible for critical information infrastructure protection?
No, there isn't
3.2.2. Is there a national agency acting as focal point for Spam related issues?
Yes, there is
 
3.3. Are there any metrics used to measure cybersecurity development at a national level?
Yes, there are
3.3.1. Are cybersecurity risk assessments performed periodically?
Yes, they are
3.3.1.1.         Is there a cybersecurity benchmark for assessing risk? Yes, there is
3.3.1.2.         Are the results rated or evaluated for future improvements? Yes, they are
3.3.2. Are recurring cybersecurity audits performed?
Yes, they are
3.3.2.1.         Are they mandatory?
No, they aren’t
 
4. Do you have any capacity building activities?
 
4.1. Is there a standardization body within the country?
Yes, there is. (The MOST and the MIC)
4.1.1. Does it develop its own cybersecurity standards?
Yes, it does
4.1.2. Does it adopt existing international cybersecurity standards?
Yes, it does. (Guiding for the Decree 85/2016/ND-CP)
 
4.2. Are national or sectoral cybersecurity best practices collected or guidelines created?
Yes, they are
 
4.3. Is there investment in cybersecurity research & development programs?
Yes, there is.
4.3.1. In the public sector? Yes
4.3.2. In higher education institutions? Yes
4.3.3. Is there a nationally recognized institutional body overseeing cybersecurity R&D activity? Yes, there is
 
4.4. Are public awareness campaigns in cybersecurity developed and implemented?
        Yes, they are.
4.4.1. For organizations?
Yes
4.4.2. For civil society?
Yes
4.4.2.1.         For adults (>18 yrs)? Yes
4.4.2.2.         For youth (12-17 yrs)? Yes
4.4.2.3.         For children (<12yrs)? Yes
4.4.3. As a part of public awareness campaigns, is the public informed about the benefits of using cybersecurity software, hardware or service-based solutions? Yes, it is
4.4.4. Are any such cybersecurity software, hardware or service-based solutions made available to the public?
          No, they aren’t
 
4.5. Does your organization/government develop or support the development of any professional training courses in cybersecurity?
Yes, we do.
4.5.1. For organizations?  Yes
4.5.2. For the public sector? Yes
4.5.3. For civil society? Yes
 
4.6. Does your organization/government develop or support the development of any educational programs or academic curricula in cybersecurity?
Yes, we do
4.6.1. In primary school? No
4.6.2. In secondary school? No
4.6.3. In higher education? Yes
 
4.7. Are there any government incentive mechanisms to encourage capacity building in the field of cybersecurity?
Yes, there are. (Decision No. 99/QD-TTg dated 14 January 2014.)
4.7.1. Is there a nationally recognized institutional body overseeing cybersecurity capacity building activities? Yes
 
4.8. Is there a homegrown cybersecurity industry?
No, there isn’t.
4.8.1. Is there a cyber-insurance market?
No, there isn’t
4.8.1.1 Do you provide subsidies to businesses and other entities that are unable to acquire cyber risk insurance on the open market? No, we don’t
4.8.2. Are there any incentives provided for the development of a cybersecurity industry?
Yes, there are
4.8.2.1.         Is there any support provided to cybersecurity startups?
Yes, there is
 
5. Do you have any cooperative measures?
 
5.1. Are there any bilateral agreements for cybersecurity cooperation?
Yes, there are.
5.1.1. With nation states? Yes
5.1.1.1. Is the agreement legally binding?
No, it isn't.
5.1.1.1.1. For information sharing? Yes.
5.1.1.1.2. For asset sharing? No
5.1.1.2. Is the agreement non-legally binding, informal or pending ratification? No, it isn't.
5.1.1.2.1. For information sharing?
5.1.1.2.2. For asset sharing?
5.1.2. With international organizations? Yes
5.1.2.1. Is the agreement legally binding? No, it isn't
5.1.2.1.1. For information sharing? Yes
5.1.2.1.2. For asset sharing? No
5.1.2.2. Is the agreement non-legally binding, informal or pending ratification?
5.1.2.2.1.             For information sharing? Yes,
5.1.2.2.2.             For asset sharing? No
 
5.2. Are there any multilateral or international agreements on cybersecurity cooperation?
No, there aren't. (However, we have recently taken part in drawing up agreements on information security within ASEAN and between ASEAN and its partners. They are still being drafted.)
5.2.1. Is the agreement legally binding?
5.2.1.1.         For information sharing?
5.2.1.2.         For asset sharing?
5.2.2. Is the agreement non-legally binding, informal or pending ratification? No, it isn’t
5.2.2.1.         For information sharing?
5.2.2.2.         For asset sharing?
 
5.3. Does your organization/government participate in international fora/associations dealing with cybersecurity?
Yes, we do.
 
5.4. Are there any public-private partnerships in place?
Yes, there are. (As the state administration authority in the cybersecurity field of Viet Nam, we always strive to create favorable conditions for both domestic and foreign enterprises to enter and participate in the market conveniently and transparently. We are always ready to share and guide enterprises on the related regulations and policies in this area. Moreover, we also collaborate with enterprises to share information and update the infosec situation and new trends in the information security field.)
5.4.1. With local companies?
5.4.1.1.         For information sharing? Yes
5.4.1.2.         For asset sharing?
5.4.2. With foreign companies?
5.4.2.1.         For information sharing? Yes
5.4.2.2.         For asset sharing?
 
5.5. Are there any interagency partnerships in place?
Yes, there are.
5.5.1. For information sharing? Yes.
5.5.2. For asset sharing?
 
SECTION 2
 
1. Do you have measures for protecting Children Online?
 
1.1. Is there legislation related to child online protection?
Yes, there is. (Article 54 of the Law on Children.)
 
1.2. Is there an agency/entity responsible for Child Online Protection?
Yes, there is
1.2.1. Is there an established public mechanism for reporting issues associated with child online protection?
Yes, there is
1.2.2. Are there any technical mechanisms and capabilities deployed to help protect children online? Yes, there are
1.2.3. Has there been any activity by government or non-government institutions to provide knowledge and support to stakeholders on how to protect children online? Yes, there has
1.2.4. Are there any child online protection education programs?
1.2.4.1.         For educators? yes
1.2.4.2.         For parents? yes
1.2.4.3.         For children? yes
 
1.3. Is there a national strategy for child online protection? No, there isn’t
 
1.4. Are there public awareness campaigns on child online protection? Yes, there are
1.4.1.1.         For adults (>18 yrs)?
1.4.1.2.         For youth (12-17 yrs)?
1.4.1.3.         For children (<12yrs)?
 
SECTION 3
Addendum: opinion based survey
1. In your opinion, how important is raising awareness on cybersecurity as a basic step to achieving security in cyberspace?
a. Not important
b. Somewhat important
c. Important
d. Very Important

2. Which groups are targeted by cybersecurity awareness campaigns in your country?
a. Children
b. Youth
c. Students
d. Elderly people
e. Persons with disabilities
f. Private institutions
g. Government agencies
h. Others

3. Which one of the groups identified below is more targeted? Please arrange in order of 1 to 6 from the most highly targeted to the least targeted.
a. Children (4)
b. Youth (2)
c. Students (3)
d. Elderly people (6)
e. Persons with disabilities
f. Private institutions (5)
g. Government agencies (1)
h. Others

4. What are the cybersecurity issues that are addressed by existing awareness campaigns? (Replies to more than one item possible)
a. Internet safety (1)
b. Privacy (2)
c. Fraud (6)
d. Phishing (4)
e. Malware (5)
f. Child Online Protection (3)
g. Others

5. What is the degree of importance of each issue? Please arrange in order from the most important to the least important and give reasons for such order.
a. Internet safety (1)
b. Privacy (2)
c. Fraud (6)
d. Phishing (4)
e. Malware (5)
f. Child Online Protection (3)
g. Others (7)
6. Have you been receiving assistance from or collaborating with ITU in Cybersecurity?
6.1. If yes, please give details and your opinion on the effectiveness of this assistance/collaboration, and tell us about any specific cybersecurity areas to be looked into.
6.2. If no, please inform us why and tell us how we can assist.
Information security is still quite a new field in Vietnam, and we have looked forward to having the chance to expand and enhance our cooperation with international organizations such as ITU. However, we have not had the opportunity to collaborate directly with ITU in the information security field so far. Hopefully, we can strengthen our cooperation in the information security field in the future, especially in exchanging information security status and legal/policy documents, cooperating to respond to information security incidents, and sharing best practices in incident response.
 
Source: Cục An toàn thông tin (Authority of Information Security)