Decision 379/QD-UBCK 2021 standards for technical foundations of information technology systems in providing online securities trading services

 DECISION

Promulgating standards for technical foundations of information technology systems in providing online trading services on the securities market

_________

THE CHAIRMAN OF STATE SECURITIES COMMISSION OF VIETNAM

Pursuant to the Law on E-transactions dated November 29, 2005;

Pursuant to the Law on Securities dated November 26, 2019;

Pursuant to the Law on Cyberinformation Security dated November 19, 2015;

Pursuant to the Law on Standards and Technical Regulations dated June 29, 2006;

Pursuant to the Government’s Decree No. 85/2016/ND-CP dated July 01, 2016 on the security of information systems by classification;

Pursuant to the Government’s Decree No. 155/2020/ND-CP dated December 12, 2020 detailing the implementation of a number of articles of the Law on Securities;

Pursuant to the Prime Minister’s Decision No. 48/2015/QD-TTg dated October 08, 2015, on defining the functions, tasks, powers and organizational structure of the State Securities Commission of Vietnam under the Ministry of Finance;

Pursuant to the Minister of Science and Technology’s Circular No. 21/2007/TT-BKHCN dated September 28, 2007 providing guidelines on developing and applying standards;

Pursuant to the Minister of Information and Communications’ Circular No. 03/2017/TT-BTTTT dated April 24, 2017 guiding the Government’s Decree No. 85/2016/ND-CP dated July 01, 2016 on the security of information system by classification;

Pursuant to the Minister of Finance’s Circular No. 134/2017/TT-BTC dated December 19, 2017 guiding e-transactions in the securities market;

Pursuant to Circular No. 73/2020/TT-BTC dated August 07, 2020 amending and supplementing a number of articles of Circular No. 134/2017/TT-BTC dated December 19, 2017 of the Minister of Finance guiding e-transactions in the securities market;

At the request of the Director of the Department of Information Technology.

DECIDES:

Article 1. To issue the standards for technical foundations of information technology systems in providing online trading services on the securities market together with this Decision, specifically as follows:

- Name of the Standard: Standards for technical foundations of information technology systems in providing online trading services on the securities market.

- Code TCCS 01:2021/UBCK.

- Referencing National Technical Regulations: TCVN 11930:2017 Information technology - Security techniques - Basic requirements for securing information system according to security levels; TCVN 9250:2012 Data Centers - Telecommunications Technical Infrastructure Requirement.

Article 2. Responsibilities of units

1. The Department of Information Technology shall assume the prime responsibility for guiding, inspecting and supervising securities companies, fund management companies, fund certificate distribution agents and organizations and individuals related to the provision of online securities trading services on the securities market in accordance with this Standard.

2. The Securities Business Management Department and Fund Managers and Securities Investment Funds Management Department - State Securities Commission of Vietnam, Stock Exchanges, Vietnam Securities Depository shall coordinate with the Department of Information Technology in the process of monitoring and inspecting subjects complying with this Standard.

Article 3. This Decision takes effect from the date of signing and annuls Decision No. 106/QD-UBCK dated February 8, 2010, of the Chairman of the State Securities Commission of Vietnam, promulgating guidelines for information technology system requirements of securities companies.

Article 4. Chief of Office, Director of the Department of Information Technology, Director of the Securities Business Management Department, Director of the Fund Managers and Securities Investment Funds Management Department, Heads of relevant units under the State Securities Commission of Vietnam, General Director of Vietnam Stock Exchange, General Director of Hanoi Stock Exchange, General Director of Ho Chi Minh Stock Exchange, General Director of the Vietnam Securities Depository, securities companies, fund management companies, fund certificate distribution agents and relevant organizations and individuals shall be responsible for implementing this Decision./.

(Issued together with Decision No. 370/QD-UBCK dated June 03, 2021 of the Chairman of the State Securities Commission of Vietnam

TCCS 01:2021/UBCK

STANDARDS FOR TECHNICAL FOUNDATIONS OF INFORMATION TECHNOLOGY SYSTEMS IN PROVIDING ONLINE TRADING SERVICES ON THE SECURITIES MARKET

TABLE OF CONTENTS

OPENING

INTRODUCTION

CHAPTER I. GENERAL PROVISIONS

1.1. Scope of regulation and subjects of application

1.2. Interpretation of terms

1.3. General requirements for information technology system

CHAPTER II. TECHNICAL REGULATIONS

2.1. Requirements about technical infrastructure of information technology systems in providing online securities trading services on the securities market

2.2. Requirements for server rooms

2.3. Power requirements

CHAPTER III. REGULATIONS ON SOFTWARE AND BACKUP DATA

3.1. Requirements for application software

3.2. Requirements on storing and providing data to authorities

3.3. Requirements on data backup and recovery

CHAPTER IV. REGULATIONS ON SAFETY AND SECURITY

4.1. Requirements on server system and network infrastructure

4.2. Requirements for application software

4.3. Requirements for electronic information websites

CHAPTER V. REGULATIONS ON AUTHENTICATION AND IDENTIFICATION OF ORDER PLACING DEVICES

5.1. Requirements on using digital signatures and transaction authentication

5.2. Requirements on identifying order placing devices

CHAPTER VI. REGULATIONS ON HUMAN RESOURCES FOR MANAGING INFORMATION TECHNOLOGY SYSTEMS

OPENING

The in-house standard TCCS 01:2021/UBCK shall regulate technical standards for information technology systems in the provision of online securities trading services on the securities market, compiled by the Department of Information Technology - State Securities Commission of Vietnam.

The Standard TCCS 01:2021/UBCK is developed in reference to national standards and regulatory documents on information technology systems and has been adjusted, amended and supplemented to comply with regulations on the application of information technology in providing online securities trading services on the securities market as follows:

- TCVN 11930:2017 Information technology - Security techniques - Basic requirements for securing information system according to security levels;

- The Standard TCVN 9250:2012 Data Centers - Telecommunications Technical Infrastructure Requirement;

- Circular No. 31/2017/TT-BTTTT dated November 15, 2017 of the Minister of Information and Communications on surveillance of information system security;

Circular No. 134/2017/TT-BTC dated December 19, 2017 of the Minister of Finance guiding e-transactions in the securities market.

- Circular No. 73/2020/TT-BTC dated August 07, 2020 amending and supplementing a number of articles of Circular No. 134/2017/TT-BTC dated December 19, 2017 of the Minister of Finance guiding e-transactions in the securities market.

INTRODUCTION

The In-house Standard TCCS 01:2021/UBCK regulates technical standards for information technology systems in the provision of online securities trading services on the securities market and promulgate detailed requirements for information technology systems in providing online securities trading services on the securities market, including the following groups of content:

- General provisions

- Regulations on technical infrastructure.

- Regulations on software and backup data.

- Regulations on safety and security.

- Regulations on authentication and identification of order placing devices

- Regulations on human resources for managing information technology systems.

The information technology system in providing online securities trading services on the securities market must ensure to comply with the regulations in Circular No. 134/2017/TT-BTC dated December 19, 2017 of the Minister of Finance guiding electronic transactions on the securities market (hereinafter referred to as Circular 134/2017/TT-BTC), Circular No. 73/2020/TT-BTC dated August 07, 2020 amending and supplementing a number of articles of Circular No. 134/2017/TT-BTC dated December 19, 2017 of the Minister of Finance guiding electronic transactions on the securities market (hereinafter referred to as Circular 73/2020/TT -BTC) and instructions in this standard.

Chapter I

GENERAL PROVISIONS

1.1. Scope of regulation and subjects of application

1.1.1. This regulation provides detailed guidelines on standards for technical foundations of information technology systems in providing online trading services on the securities market.

Electronic information exchange activities on the securities market and other activities related to electronic transactions on the securities market shall be carried out in accordance with the provisions of Circular 134/2017/TT-BTC dated December 19, 2017 of the Minister of Finance guiding electronic transactions on the securities market, Circular No. 73/2020/TT-BTC dated August 7, 2020 amending and supplementing a number of Articles of Circular No. 134/2017/TT-BTC and law regulations on electronic transactions in financial activities.

1.1.2. Subjects of application: securities companies, fund management companies, fund certificate distribution agents and organizations and individuals related to the provision of online securities trading services on the securities market.

1.2. Interpretation of terms

1.2.1. Information technology system includes hardware equipment, software, databases, telecommunications network systems, Internet networks, computer networks, and electronic information websites for online securities transactions.

1.2.2. Manager of the information system for online securities trading (hereinafter referred to as "information system manager") is an agency, organization or individual with the authority to directly manage the information system for providing online securities trading services.

1.2.3. Edge network is a network area established to provide system connections outside to the Internet and other networks.

1.2.4. DMZ (demilitarized zone) is a network area set up to place public servers, allowing direct access from external networks and the Internet.

1.2.5. Local area network (LAN) is a network area established to provide network connections for workstations and terminals and other network devices of users to the system.

1.2.6. Hot standby is the ability to replace the function of a device when a problem occurs without interrupting system operations.

1.2.7. Specialized server is a computer designed to operate 24/7; supports backup and hot replacement of power supplies, hard drives connected to a computer network or Internet, with a static IP address, high processing capacity and on which software can be installed to serve giving other computers access to request services and resources.

1.2.8. One-way encryption is an encryption method that uses a hash function to turn a string of information into a string of a certain length (hash string) that cannot be decrypted.

1.2.9. Identification information of order placement device is information attached to each device used to identify the device when performing online securities transactions.

1.2.10. Transaction execution time is the time an investor logs into the online securities trading system to execute online securities trading orders.

1.2.11. SSL (Secure Sockets Layer) is a technology standard that allows the establishment of a secure encrypted connection between a web server and a user's browser, ensuring the privacy and integrity of data transmitted between the web server and user's browser.

1.2.12. Physical address of an order placing device (also known as MAC - Media Access Control address) is a unique code assigned by the manufacturer to identify the device.

1.2.13. Biometric authentication (Biometric) is a technology that uses each individual's unique physical attributes and biological characteristics such as fingerprints, face, iris, veins, etc. for identification and security authentication.

1.3. General requirements for information technology system

1.3.1. The information technology system must ensure to meet requirements on services, technical infrastructure, security and data storage as prescribed in Circular 134/2017/TT-BTC, Circular 73/2020/TT-BTC and in accordance with other regulations in specialized legal documents on securities and securities markets.

1.3.2. Information technology systems must be designed with backup; being able to quickly recover when problems occur, ready to provide securities trading services and provide information to customers; ensuring the ability to expand and upgrade in the future and optimize the information processing capacity of the computer network.

1.3.3. Information system managers shall promulgate regulations on information safety, security, and incident handling; regulations on responsibility for updating, patching, and overcoming security vulnerabilities of information technology systems; develop plans to periodically inspect and review information security during system operation process.

Chapter II.

REGULATIONS ON TECHNICAL INFRASTRUCTURE

2.1. Requirements on technical infrastructure of information technology systems in providing online securities trading services on the securities market.

2.1.1. Information system managers must use specialized servers for information technology systems for providing online securities trading services. Application software and services related to investors' trading activities must be maintained on servers. Personal computers must not be used as servers and servers must not be shared with other units.

2.1.2. The transmission line system connecting to the Stock Exchange and Vietnam Securities Depository must have hot backup.

2.1.3. Servers that install securities trading software, database servers and specialized information technology equipment for online securities trading systems must have backup.

2.2. Requirements for server rooms

2.2.1. The server room must be arranged to ensure adequate conditions for equipment to operate: Place in a dry place, avoid direct sunlight, avoid the risk of fire or explosion or high heat sources, avoid flooding and ensure safety and security.

2.2.2. The server room must have rules and apply protection measures, access control, doors must be sturdy, fireproof, and use at least two different types of locks (mechanical locks, cards, code numbers, biometrics); have a surveillance camera system which records information about entrance and exit of the server room and all activities in areas within the server room; the system must be centrally managed and monitored 24/7, with access control logs. Camera log data must be stored for at least one (01) month; System equipment must be placed in the server room and have a protective cabinet (rack cabinet) is placed stably and labeled with a description.

2.2.3. The server room must be installed with an automatic fire warning and fire extinguishing system; the fire extinguishing agent must be a gas that does not cause suffocation to the users or staffs who do not have time to escape, ensuring that firefighting does not cause damage to the equipment installed inside; such room must have different forms of fire warning signals (sound, light, etc.).

2.2.4. To have a direct and surge lightning protection system; have a system to monitor and control temperature and humidity; have an air conditioning system which ensures continuous operation. The air conditioning system in the server room must ensure continuous operation and be completely separate from other air conditioning systems in the building.

2.2.5. The server room must not have windows, and equipment not related to the support of server room (such as duct systems, steam systems, etc.) must not be placed in the server room. Drain pipes and water pipes must not be run near or directly over equipment in the server room.

2.2.6. To promulgate regulations on management, operation and use of server rooms.

2.3. Power requirements

2.3.1. The server room has at least one main power source and one generator power source. The server room must have an automatic switching system between the two power sources, when the grid is cut off, within a maximum of three (03) minutes the generator must automatically start supplying power; the power source in the server room must be stable, able to prevent overload, and must be connected via an online uninterruptible power supply (UPS) to power the device, ensuring the device's ability to maintain operation for a minimum of 30 minutes.

2.3.2. The backup power source must meet the standards and capacity for normal operation of the information technology system during times when the main power source has a problem.

Chapter III.

REGULATIONS ON SOFTWARE AND BACKUP DATA

3.1. Requirements for application software

3.1.1. Must comply with current law regulations on software copyright. Technology solutions to develop application software must meet the ability to upgrade and expand, be able to control access to professional operations in transactions, and ensure to follow the process. Must be able to automatically check data entered into the application, ensuring the data entered is accurate and valid; capable of tracking transactions and user interactions.

3.1.2. Before being put into use, such application software must be named, clearly explain the origin, technical features and have specific instructions such as: the system design analysis, user requirements, and instructions for use.

3.1.3. The online securities trading software system must have user monitoring features such as: account and access time to the system (seconds:minutes:hours, day/month/year); account and data creation time, last data modification time, login information (account name and login/logout time, operations performed during that time), identification information of order placement devices.

3.1.4. Changes in software versions and operating procedures must be controlled; changes must be recorded, inspections must be planned and executed, changes must be tested, results must be reported and approved by competent people before official application.

3.2. Requirements for storing and providing data to authorities

3.2.1. Stock transaction data must be stored for a minimum of ten (10) years, ensuring legal value during the storage process and ensuring to meet the conditions specified in Clause 1, Article 15 of the Law on Electronic Transactions.

3.2.2. Stock transaction data must be accessible and usable in complete form when necessary.

3.2.3. In necessary cases, when requested by authorities, the information system manager must provide complete and timely stock transaction data.

3.3. Requirements for data backup and recovery

3.3.1. The information system managers shall be responsible for developing, deploying and strictly implementing procedures for duplication, storage, backup, and recovery of information systems, data, and device configuration files; organizing data recovery when necessary for information technology systems.

3.3.2. Must develop a list of data, software, system configuration files, server operating system backups, professional information, and command recording files that need to be backed up, classified according to importance level, storage time, backup time, backup method and time to test system recovery from backup data.

3.3.3. Data of the online securities trading system must be backed up to external storage media (such as magnetic tape, hard disk, optical disc or other storage media) and the storage media must be preserved separately from backup area. Data stored on storage devices must be physically protected in a secure environment and ensure recovery of information and data within twenty-four (24) hours since an incident occurs.

3.3.4. There should be a separation between data backup and application backup. Any applications installed or removed from the information system need to be backed up to a backup system, separate from the data backup system. Data must be controlled and reconciled after backup.

3.3.5. Backup and restoration of websites must meet the following requirements: Electronic information websites must be completely backed up, including software and databases that store information. In case where any incident arises, the website must be restored within no more than twenty-four (24) hours from the time incident arises.

Chapter IV.

REGULATIONS ON SAFETY AND SECURITY

4.1. Requirements on server system and network infrastructure

4.1.1. To use solutions to detect and prevent intrusions and prevent direct attacks on important information of such system.

4.1.2. The online securities trading service system shall be closely monitored; have ability to detect and warn about: Suspicious and fraudulent transactions based on determining time, transaction frequency, transaction volume, number of incorrect authentication times and other unusual signs; abnormal system operation; Denial of service attacks (DoS), distributed denial of service attacks (DDoS).

4.1.3. To use anti-virus software, anti-spyware on all servers, workstations and at ports connecting to external networks including ports connecting to partners and the Internet. This software must be copyrighted and have a clear origin. To periodically update appropriate patches for server operating systems, workstations, firewalls, intrusion prevention systems (IPS) and other system software.

4.1.4. Use solutions such as: virtual private network, encrypting data on transmission, controlling web access to minimize security risks for workstations when accessing the web, preventing spam, firewall for web applications. Access to the system must be decentralized to each department and individual user to protect different layers of information. Servers must be installed and configured so that the system can track any intrusions.

4.1.5. The network system of organizations providing online securities trading services must be set up with at least the following partitions: internal network area, edge network area, DMZ area.

4.1.6. Network partitions must have security policies for each area.

4.1.7. Information system managers must have measures to ensure that only personnel assigned to manage the system can access and operate computers to perform system administration work; computers performing system administration work must not be connected to the Internet.

4.1.8. Workstations, especially computers equipped for professional staff involved in securities transactions, must have safety and security measures: Seal the computer case and peripheral connection ports, set a password for the computer, and revoke access rights when such staff terminates or changes jobs.

4.1.9. The information system managers must clearly define the tasks, powers and responsibilities of those participating in the management and use of the information technology systems and provided services.

4.1.10. To develop a list and determine the importance of data, on that basis, to apply security policies and solutions appropriate to the importance of each type of data.

4.1.11. Information system managers must sign contracts with organizations hired to upgrade, maintain, and fix software errors, which detail the work contents and data, clearly specifying the responsibilities of related parties. To ensure the safety and security of information and data of the company's online securities trading system and investors' information and data.

4.2. Requirements for application software

4.2.1. Application software must ensure the ability to assign functional rights to each user. Each user shall have clearly defined tasks and powers. Unauthorized people cannot access other people's work. To set up application configuration to authenticate users when accessing, administering, and configuring the application.

4.2.2. Application software with transaction functions through the Internet must have a mechanism to authenticate users and encrypt data on the transmission line.

4.2.3. When providing online securities trading application software on the Internet, measures must be taken to ensure the integrity of the software.

4.2.4. Password of users when stored must be one-way encrypted. It is strictly forbidden to exchange user passwords in clear text, except when providing them directly to the customer when the customer comes to complete the procedures for new or reissued passwords.

4.2.5. Application software must have the following mechanisms:

- Require users to change their password the first time they log in and periodically change it;

- Set up password rules according to the number of characters and type of characters; set password change request time;

- Limit the number of incorrect login attempts, have a warning mechanism and temporarily lock the user account if incorrect information is logged multiple times;

- Online securities trading software must have a time set for each transaction and a period of time when the customer does not operate on the system to enable the logout feature from the system.

4.3. Requirements for electronic information websites

4.3.1. The server system of a website must be equipped with a solution to monitor changes in control rights and changes in content of the website.

4.3.2. For websites that conduct online securities transactions, the online securities trading content must be separated and placed on a separate server. Transaction information, accounts and passwords must be encrypted to ensure customer confidentiality.

4.3.3. Websites must be authenticated using SSL digital certificates, and protective measures must be applied to prevent unauthorized modifications and tampering.

Chapter V

REGULATIONS ON AUTHENTICATION AND IDENTIFICATION OF ORDER PLACING DEVICES

5.1. Requirements for using digital signatures and transaction authentication

5.1.1. To encourage investors to choose to use digital certificates and digital signatures from organizations providing public digital signature authentication services when executing online securities trading orders.

5.1.2. The online securities trading software system must integrate a solution using digital certificates and digital signatures for investors to authenticate their identities and sign electronic orders when choosing this solution to perform transactions.

5.1.3. Information system managers can integrate other authentication solutions with minimum security equivalent to two-factor authentication solutions (OTP, matrix card, biometrics, etc.). In case of using a third-party service (authentication solution provider), there must be at least one authentication factor managed by the information system manager.

5.1.4. Authentication mechanism based on each transaction execution time:

- During each transaction, the investor can execute many trading orders; investors must authenticate when making the first trading order; authentication is not required when making subsequent orders. The transaction ends if after a period of time (set by the information system manager) the investor does not continue to execute the transaction order.

- Authentication information of each transaction must be attached to all electronic order tickets created during that transaction time, ensuring compliance with regulations on electronic order tickets in Circular No. 134/2017/TT-BTC and Circular 73/2020/TT-BTC.

5.2. Requirements for identifying order placing devices

The system can access identification information of the order placing devices as follows:

5.2.1. For mobile or desktop apps:

- Mobile apps can access information such as: IMEI number, Serial number, WLAN MAC number, Android ID number or other unique identification information of such devices

- Applications running directly on computers with operating systems (Linux, Windows, MacOS, etc.) can access MAC address information or other device identification information through APIs (Application Programming Interface) of such operating system.

5.2.2. For browsers (for mobile or desktop): To develop an extensible tool that allows device identification information to be retrieved via APIs (e.g. plugin, etc.) for users to install on their browser when they need to place orders via websites.

Chapter VI.

REGULATIONS ON HUMAN RESOURCES FOR MANAGING INFORMATION TECHNOLOGY SYSTEMS

6.1. Personnel in charge of managing information technology systems must have a clear background and professional qualifications appropriate to the assigned job position. The information system managers must have a policy to verify and examine the backgrounds of management officers and operational technical officers who are responsible for important positions in the information system such as: System administration, security system administration, system operation, database administration.

6.2. Contracts for recruitment of information technology officers must include a commitment to ensure information confidentiality. This commitment must include provisions on responsibility for ensuring safety and security of the information system during and after working at the assigned job position; terms of handling violations and compensation liability due to violations of regulations on information technology system safety and security of such recruited officers during and after working at their assigned job position.

6.3. When information technology officers and staffs terminate or change their job positions, there must be a record of handover of information technology assets; revocation of the information system access rights of officers and staffs who leave their jobs or change of the information technology system access rights of such officers and staffs in accordance with their changed job.

6.4. The information system manager shall disseminate and update regulations on information technology safety and security to officials and staffs at their unit. To request and inspect the implementation of regulations on information technology safety and security of individuals and organizations within the unit at least once a year.

6.5. Important tasks such as configuring network security systems, changing operating system parameters, installing firewall devices, installing devices to detect and prevent intrusion must be performed by at least two people or must be performed with a supervisor./.