Circular No. 09/2020/TT-NHNN dated October 21, 2020 of the State Bank of Vietnam promulgating the security of information system in banking operations
Each account getting access to the system must be given to a single user
On October 21, 2020, the State Bank of Vietnam issued Circular No. 09/2020/TT-NHNN promulgating the security of information system in banking operations.
Accordingly, institutions shall provide regulations on access management applied to users, groups of users, and the equipment and instruments used for accessing information systems, satisfying professional requirements and information security requirements and ensuring basic contents such as: each account getting access to the system must be given to a single user; in case one account is shared by different persons for access purposes, such common use must be approved by competent authorities and the responsibilities of each person at each time of use must be defined, etc.
Remarkably, the account of an automatic connection application and service must be transferred under one user’s management, with access rights limited in accordance with the purpose of use; that user is not allowed to use this account for other purposes, etc.
Besides, the State Bank defines that a third party providing the cloud computing service must be an enterprise. Concurrently, such third party shall commit not to replicate, alter, use or provide data of the institution using the service to another individual or institution. Notification of any violations of information security regulations applied to the service in use committed by staff members of the third party shall be sent to the institution using such service.
This Circular takes effect on January 01, 2021.
translation of the Official Gazette of the Vietnam News Agency
THE STATE BANK OF VIETNAM
THE SOCIALIST REPUBLIC OF VIETNAM
Independence - Freedom - Happiness
Hanoi, October 21, 2020
Promulgating the security of information system in banking operations
Pursuant to the Law on State Bank of Vietnam dated June 16, 2010;
Pursuant to the Law on the Credit Institutions dated June 16, 2010 and the Law on amending and supplementing a number of Articles of the Law on the Credit institutions dated November 20, 2017;
Pursuant to the Law on E-transactions dated November 29, 2005;
Pursuant to the Law on Information Technology dated June 29, 2006;
Pursuant to the Law on Cyberinformation Security dated November 19, 2015;
Pursuant to the Law on Cybersecurity dated June 12, 2018;
Pursuant to the Decree No. 85/2016/ND-CP dated July 01, 2016 of the Government on the security of information systems by classification;
Pursuant to the Decree No. 16/2017/ND-CP dated February 17, 2017 of the Government defining the functions, tasks, powers and organizational structure of the State Bank of Vietnam;
At the proposal of the Director of the Informatics Technology Department;
The Governor of the State Bank of Vietnam promulgates a Circular on information system security in banking operations.
Article 1. Scope of adjustment and subject of application
1. This Circular specifies minimum requirements for assurance of information system security in banking operations.
2. This Circular applies to credit institutions, branches of foreign banks, and intermediary payment service providers, credit information companies, the National Payment Corporation of Vietnam (NAPAS), Vietnam Asset Management Company (VAMC), National Banknote Printing Plant, Deposit Insurance of Vietnam (hereinafter referred to as "institutions") which have established and used the information system for one or more organization’s technical and professional activities.
Article 2. Definition
For the purpose of this Circular, the terms below shall be construed as follows:
1. “Information technology risk” means the probability of loss when carrying out operations relating to information systems. Information technology risk relates to management and use of hardware, software, communication, system interface, operation and people.
2. “Information security incident” means an incident in which digital information and information systems are attacked or harmed, resulting in negative effects on their confidentiality, integrity and availability.
3. “Technical vulnerability” means any component of an information system that is highly vulnerable to being exploited and taken advantage of when being attacked or illegally penetrated.