Circular No. 09/2020/TT-NHNN security of information system in banking operations

ATTRIBUTE

Circular No. 09/2020/TT-NHNN dated October 21, 2020 of the State Bank of Vietnam promulgating the security of information system in banking operations
Issuing body: State Bank of Vietnam
Official number: 09/2020/TT-NHNN
Signer: Nguyen Kim Anh
Type: Circular
Issuing date: 21/10/2020
Expiry date: Updating
Fields: Finance - Banking, Information - Communications

SUMMARY

Each account getting access to the system must be given to a single user

On October 21, 2020, the State Bank of Vietnam issued Circular No. 09/2020/TT-NHNN promulgating the security of information system in banking operations.

Accordingly, institutions shall provide regulations on access management applied to users, groups of users, equipment and instruments used for accessing information systems, satisfying professional requirements and information security requirements and ensuring basic contents such as: each account with access to the system must be given to a single user; where one account is shared by different persons for access purposes, such common use must be approved by competent authorities and the responsibilities of each person at each time of use must be defined, etc.

Notably, the account of an automatic connection application or service must be transferred to one user’s management, with its access rights limited in accordance with the purpose of use; that user is not allowed to use this account for other purposes, etc.

In addition, the State Bank specifies that a third party providing cloud computing services must be an enterprise. Such third party shall also commit not to replicate, alter, use or provide data of the institution using the service to another individual or institution. Notification of any violations of the information security regulations applied to the service in use committed by staff members of the third party shall be sent to the institution using such service.

This Circular takes effect on January 01, 2021.

LuatVietnam.vn is the SOLE distributor of English translations of Official Gazette published by the Vietnam News Agency

THE STATE BANK OF VIETNAM

_________

No. 09/2020/TT-NHNN

THE SOCIALIST REPUBLIC OF VIETNAM

Independence – Freedom - Happiness

_____________

Hanoi, October 21, 2020

 

 

CIRCULAR

Promulgating the security of information system in banking operations

_______________

 

Pursuant to the Law on State Bank of Vietnam dated June 16, 2010;

Pursuant to the Law on the Credit Institutions dated June 16, 2010 and the Law on amending and supplementing a number of Articles of the Law on the Credit institutions dated November 20, 2017;

Pursuant to the Law on E-transactions dated November 29, 2005;

Pursuant to the Law on Information Technology dated June 29, 2006;

Pursuant to the Law on Cyberinformation Security dated November 19, 2015;

Pursuant to the Law on Cybersecurity dated June 12, 2018;

Pursuant to the Decree No. 85/2016/ND-CP dated July 01, 2016 of the Government on the security of information systems by classification;

Pursuant to the Decree No. 16/2017/ND-CP dated February 17, 2017 of the Government defining the functions, tasks, powers and organizational structure of the State Bank of Vietnam;

At the proposal of the Director of the Informatics Technology Department;

The Governor of the State Bank of Vietnam promulgates a Circular on information system security in banking operations.

 

Chapter I

GENERAL PROVISIONS

 

Article 1. Scope of adjustment and subject of application

1. This Circular specifies minimum requirements for assurance of information system security in banking operations.

2. This Circular applies to credit institutions, branches of foreign banks, and intermediary payment service providers, credit information companies, the National Payment Corporation of Vietnam (NAPAS), Vietnam Asset Management Company (VAMC), National Banknote Printing Plant, Deposit Insurance of Vietnam (hereinafter referred to as "institutions") which have established and used the information system for one or more organization’s technical and professional activities.

Article 2. Definition

For the purpose of this Circular, the terms below shall be construed as follows:

1. “Information technology risk” means probability of loss when carrying out operations relating to information systems. Information technology risk relates to management and use of hardware, software, communication, system interface, operation and people.

2. “Information security incident” means an incident in which digital information and information systems are attacked or harmed, resulting in negative effects on their confidentiality, integrity and availability.

3. “Technical vulnerability" means any component of an information system that is highly vulnerable to be exploited and taken advantages of, when being attacked or illegally penetrated.

4. “Data center” includes technical infrastructure (base station and cable system) and computer system with auxiliary equipment installed into such system for the purpose of processing, storing, exchanging and managing data in a concentrated manner.

5. “Mobile device" means a digital device which can be hand-held without any effect on its operating capability and has an operating system, capability to process or connect to a network as well as a display screen such as a laptop, tablet and smart phone.

6. “Information-bearing object" means physical means used for storing, transmitting and receiving digital information.

7. “Firewall” means a collection of components or a system of equipment and software that is placed between two networks with the aim of controlling all outgoing and incoming connections.

8. “Untrusted network” means an external network connecting to the internal network of an institution which is not under management of such institution or any foreign credit institution in relation to such institution such as affiliated entity or commercial presence of such institution in Vietnam.

9. “Cloud computing service" means offering computing resources (including resources of calculation, network connection, storage, software and other computing resources) through network environment which enables ubiquitous users to access, adjust and pay according to the using requirement.

10. “User account” or "account" means a unique collection of information representative of a user on the information system which is used for logging in and accessing resources permitted on such information system.

11. “Third party” means any individual or enterprise (excluding foreign credit institution and members of the foreign credit institution in case the institution is an affiliated entity or commercial presence in Vietnam of such foreign credit institution) entering into a written agreement (hereinafter referred to as "contract for service use") with the institution to supply information technology services.

12. “Legal representative” is the at-law representative of credit institutions, enterprises, General Directors (Directors) of the foreign bank branches.

13. "Competent authority” means a title or person authorized in writing to perform one or more than one duty of an institution by the legal representative of such institution.

14. “Multi-factor authentication” means the confirmation of two factors to prove the correct identity. The authentication factors include: (i) information that users know (PIN number, secret key…); (ii) things users own (smart cards, token devices, mobile phones…); (iii) users’ biometric signals.

Article 3. General principles

1. The institution shall take responsibility for ensuring information security under the principle that clearly defines power and responsibility of each department and individual in such institution.

2. Information systems shall be categorized in the order prescribed in Article 5 of this Circular and be subject to the suitable information security policy.

3. Information technology risks that may be incurred in the institutions must be identified, classified and assessed in a timely and efficient manner.

4. Information security regulations shall be established and adopted according to the regulations herein, and harmony among the interests, costs and ability to take risk of the institution shall be ensured.
