Accordingly, the General Department of Taxation requires the heads of units at the General Department of Taxation and the Tax Departments of provinces and centrally-run cities to strictly enforce all laws, regulations of the Ministry of Finance, and the General Department of Taxation on cybersecurity, personal data protection, and state secret protection in cyberspace. They must organize and ensure cybersecurity for information systems under their management.

“The General Department of Taxation requires tax officials and employees who use the applications of the tax information technology system to keep their accounts and passwords confidential and to change their passwords regularly every 6 months. They must not save passwords on browsers or applications, and must not use official email accounts for personal purposes.”

At the same time, the General Department of Taxation directs the tax information technology units to ensure that 100% of computers are updated with the latest patches, installed with, and updated with anti-malware software; that no connected storage devices (USB, external hard drives, etc.) are used; and that only secure software is installed. Computers on the internal network (LAN) must not be directly connected to the Internet (via wireless networks, 3G, 4G, etc.).

The General Department of Taxation directs the Tax Departments to review accounts on applications to ensure that permissions are assigned correctly to each user role; and to remove unused accounts (every 6 months).

In cases where accessing external websites is necessary for work, it must be done through the Internet access system deployed by the General Department of Taxation. Computers that are not connected to the internal network (provided by the Tax Department for use outside the tax agency) may only access websites for work purposes. Computers used to draft confidential documents must not be connected to the LAN or the Internet, and may only use confidential USB devices provided by the Government Cryptography Agency.

For servers deployed by the Tax Departments, it is necessary to review accounts authorized to access the server, change passwords (every 6 months), configure complex passwords (at least 8 characters, with a minimum of 3 of the following 4 types of characters: uppercase letters (A-Z), lowercase letters (a-z), numbers (0-9), and special characters), and update patches for the server. Anti-malware software provided by the General Department of Taxation must be installed and updated.