THE STATE BANK OF VIETNAM
No. 09/2020/TT-NHNN
THE SOCIALIST REPUBLIC OF VIETNAM
Independence - Freedom - Happiness
Hanoi, October 21, 2020
CIRCULAR
Promulgating regulations on the security of information systems in banking operations
_______________
Pursuant to the Law on State Bank of Vietnam dated June 16, 2010;
Pursuant to the Law on the Credit Institutions dated June 16, 2010 and the Law on amending and supplementing a number of Articles of the Law on the Credit institutions dated November 20, 2017;
Pursuant to the Law on E-transactions dated November 29, 2005;
Pursuant to the Law on Information Technology dated June 29, 2006;
Pursuant to the Law on Cyberinformation Security dated November 19, 2015;
Pursuant to the Law on Cybersecurity dated June 12, 2018;
Pursuant to the Decree No. 85/2016/ND-CP dated July 01, 2016 of the Government on the security of information systems by classification;
Pursuant to the Decree No. 16/2017/ND-CP dated February 17, 2017 of the Government defining the functions, tasks, powers and organizational structure of the State Bank of Vietnam;
At the proposal of the Director of the Informatics Technology Department;
The Governor of the State Bank of Vietnam hereby promulgates a Circular on information system security in banking operations.
Chapter I
GENERAL PROVISIONS
Article 1. Scope of adjustment and subject of application
1. This Circular specifies the minimum requirements for assuring information system security in banking operations.
2. This Circular applies to credit institutions, branches of foreign banks, intermediary payment service providers, credit information companies, the National Payment Corporation of Vietnam (NAPAS), Vietnam Asset Management Company (VAMC), the National Banknote Printing Plant and Deposit Insurance of Vietnam (hereinafter referred to as "institutions") that have established and use information systems for one or more of their technical and professional activities.
Article 2. Definition
For the purpose of this Circular, the terms below shall be construed as follows:
1. “Information technology risk” means the probability of loss when carrying out operations relating to information systems. Information technology risk relates to the management and use of hardware, software, communications, system interfaces, operations and people.
2. “Information security incident” means an incident in which digital information or an information system is attacked or harmed, resulting in negative effects on its confidentiality, integrity or availability.
3. “Technical vulnerability" means any component of an information system that is highly susceptible to being exploited or taken advantage of when the system is attacked or illegally penetrated.
4. “Data center” includes technical infrastructure (base station and cable system) and computer system with auxiliary equipment installed into such system for the purpose of processing, storing, exchanging and managing data in a concentrated manner.
5. “Mobile device" means a digital device which can be hand-held without any effect on its operating capability and has an operating system, capability to process or connect to a network as well as a display screen such as a laptop, tablet and smart phone.
6. “Information-bearing object" means physical means used for storing, transmitting and receiving digital information.
7. “Firewall” means a collection of components or a system of equipment and software that is placed between two networks with the aim of controlling all outgoing and incoming connections.
8. “Untrusted network” means an external network connecting to the internal network of an institution that is not under the management of such institution, or of any foreign credit institution related to such institution (for example, where the institution is an affiliated entity or commercial presence of that foreign credit institution in Vietnam).
9. “Cloud computing service" means the provision of computing resources (including computation, network connectivity, storage, software and other computing resources) over a network environment, enabling users to access, adjust and pay for those resources from anywhere according to their usage requirements.
10. “User account” or "account" means a unique collection of information representing a user on an information system, which is used for logging in and accessing the resources permitted on that information system.
11. “Third party” means any individual or enterprise (excluding foreign credit institution and members of the foreign credit institution in case the institution is an affiliated entity or commercial presence in Vietnam of such foreign credit institution) entering into a written agreement (hereinafter referred to as "contract for service use") with the institution to supply information technology services.
12. “Legal representative” means the at-law representative of a credit institution or enterprise, or the General Director (Director) of a foreign bank branch.
13. "Competent authority” means a title or person authorized in writing to perform one or more than one duty of an institution by the legal representative of such institution.
14. “Multi-factor authentication” means the confirmation of two factors to prove the correct identity. The authentication factors include: (i) something the user knows (PIN, secret key, etc.); (ii) something the user possesses (smart card, token device, mobile phone, etc.); (iii) the user's biometric characteristics.
Article 3. General principles
1. The institution shall take responsibility for ensuring information security under the principle that clearly defines power and responsibility of each department and individual in such institution.
2. Information systems shall be classified as prescribed in Article 5 of this Circular, and the information security policy appropriate to each class shall be applied.
3. Information technology risks that may arise in the institution must be identified, classified and assessed in a timely and effective manner.
4. Information security regulations shall be established and adopted in accordance with this Circular, and shall balance the institution's interests, costs and capacity to bear risk.