THE STATE BANK OF VIETNAM
Circular No.31/2015/TT-NHNN dated December 28, 2015 of the State Bank of Vietnam providing for assurance of information systems safety and security in banking operations
Pursuant to the Law on the State Bank of Vietnam No. 46/2010/QH12 dated June 16, 2010;
Pursuant to the Law on Credit Institutions No. 47/2010/QH12 dated June 16, 2010;
Pursuant to the Law on Electronic Transaction No. 51/2005/QH11 dated November 29, 2005;
Pursuant to the Law on Information Technology No. 67/2006/QH11 dated June 29, 2006;
Pursuant to the Law on Network Security No. 86/2015/QH13 dated November 19, 2015;
Pursuant to the Government's Decree No. 156/2013/ND-CP dated November 11, 2013 providing for the functions, tasks, powers and organizational structure of the State Bank of Vietnam;
At the request of the Director of Information Technology Administration,
The Governor of the State Bank of Vietnam hereby adopts the Circular providing for assurance of information systems safety and security in banking operations.
Chapter I
GENERAL PROVISIONS
Article 1. Scope of adjustment and subject of application
1. This Circular provides for assurance of information systems safety and security in banking operations.
2. This Circular shall apply to the State Bank of Vietnam (the State Bank), credit institutions (except for grassroots people's credit funds with total assets of below VND 10 billion, and microfinance institutions), foreign bank branches and providers of payment intermediary services (hereinafter referred to as institutional units).
Article 2. Term definitions
For the purposes of this Circular, terms used herein shall be construed as follows:
1. Information systems refer to a structured combination of hardware and software appliances, databases and network systems used for producing, communicating, receiving, collecting, processing, storing and exchanging digital information that supports one or more technical and professional operations of an institutional unit.
2. Important information systems refer to information systems whose breakdown could cause substantial damage to the operations of an institutional unit or harm the interests of its clients.
3. The data center includes technical infrastructure (base station, cable system) and computer system inside which auxiliary devices are installed in order to store, exchange and manage data of one or more organizations or individuals in a concentrated manner.
4. Mobile device refers to a digital device which can be hand-held, has the operating system, capability of processing and connecting to a network as well as a display screen, such as laptops, tablets and smart phones.
5. Information-bearing object refers to physical means of storing, disseminating and receiving electronic information.
6. Information technology risk refers to the probability of loss during the process of carrying out operations related to information systems. Information technology risk relates to use and management of hardware, software, communication, system interface, operation and people.
7. Information technology risk management refers to combined actions to be taken to recognize and control any possible information technology risk.
8. Sensitive data refer to data containing confidential information, or internally disseminated information possessed or managed by an institutional unit which may cause negative effects on reputation, finance and operations of such unit if being leaked to the public.
9. User account refers to a collection of information uniquely representing a user on the information systems, which that user uses to sign in and access authorized resources on such information systems. A user account must include at least a user name and a secret enciphering code (sometimes referred to as a password).
10. Third party refers to any organization or individual hired by or cooperating with an institutional unit for the purpose of supplying goods and technical services to information systems.
11. Firewall refers to a collection of components or a system of equipment and software which is placed between two networks and is aimed at controlling all of outgoing or incoming connections.
12. Malicious software (malicious code) refers to software which can partially or completely cause abnormal operations of information systems, or can copy, change or delete information stored in information systems without permission.
13. Technical weakness refers to any position existing in information systems which is vulnerable to acts of abuse and exploitation in case of intentional attacks or illegal access.
14. Confidentiality of information refers to an information assurance under which information is only accessible to persons who are granted relevant permissions.
15. Integrity of information refers to an information assurance under which accuracy and sufficiency of information is protected and any change to information is only permitted by authorized persons.
16. Availability of information refers to an information assurance under which authorized persons can retrieve information whenever they need it.
17. Network security refers to protection of information systems and online information from unauthorized access, use, disclosure, interruption, change or disruption with the intention of assuring integrity, confidentiality and availability of information.
Article 3. General principles
1. Assure information systems safety and security of each institutional unit.
2. Determine important information systems and apply relevant policies to assure information safety and security.
3. Promptly recognize, categorize, evaluate and effectively treat information technology risks that may occur in each institutional unit.
4. Establish and implement regulations on information systems safety and security on the basis of balancing benefits, expenses and risk acceptance levels of each institutional unit.
5. Assign full-time staff members to take charge of assuring information systems safety and security.
6. Clearly determine powers and responsibilities of the head of each institutional unit (or the legal representative), division and individual in each institutional unit with respect to the work of assuring information systems safety and security.
Article 4. Regulations on information systems safety and security
1. Institutional units must set out regulations on information systems safety and security which are consistent with specific information systems, organizational structure, managerial and operational requirements of these institutional units. The head (or the legal representative) of each institutional unit must sign, conduct implementation and dissemination of such regulations on information systems safety and security throughout the institutional unit.
2. Regulations on information systems safety and security include the following basic elements:
a) Management of information technology assets; management of use of mobile devices; management of use of information bearing objects;
b) Human resource management;
c) Assurance of physical and environmental safety;
d) Operating and communications management;
dd) Online access management;
e) Management of third parties’ information technology services;
g) Management of acceptance, development and maintenance of information systems;
h) Management of information technology failures and emergencies;
i) Assurance of continuous operation of information systems;
k) Checking and reporting of information technology operations.
3. Each institutional unit must review, revise and improve regulations on information systems safety and security at least once a year and ensure completeness of these regulations in accordance with provisions laid down in this Circular. Whenever there is any deficiency or irrationality that may risk information systems safety or upon the request of competent authorities, each institutional unit must immediately amend and modify existing regulations on information systems safety and security.
Chapter II
PROVISIONS ON ASSURANCE OF INFORMATION SYSTEMS SAFETY AND SECURITY
Section 1: MANAGEMENT OF INFORMATION TECHNOLOGY ASSETS
Article 5. Management of information technology assets
1. Information technology assets shall be categorized as follows:
a) Physical asset: information technology equipment, means of communications and devices, all of which provide assistance for operations of information systems;
b) Information asset: data, information expressed in digital format, or materials expressed in paper form or other equipment;
c) Software asset: system software, utility software, database, application programs and programming or software development tools.
2. Each institutional unit shall compile a list of all information technology assets, revise and update this list at least once a year.
3. With reference to the categorization of information technology assets referred to in paragraph 1 of this Article, each institutional unit shall set out and implement regulations on management and use of such assets in accordance with Articles 6, 7, 8, 9 and 10 hereof.
Article 6. Management of physical assets
1. The list of physical assets is compiled with basic information including name, value, level of importance, installation position, useful purpose, working condition and copyright information (if any) of specific assets.
2. Each institutional unit must determine and evaluate the risk level, importance level and availability of specific physical assets in order to classify and arrange these assets as well as provide proper equipment and measures to protect them. As for physical assets which are constituents of important information systems located at the main data center, there must be standby measures to ensure higher availability of these assets, enabling uninterrupted operation.
3. Individuals and collectives must be assigned and bound to take charge of using and managing physical assets.
4. Movement of any physical asset outside of an institutional unit must be approved by the head of each institutional unit or his/her authorized person. With regard to any physical asset containing sensitive data or information, before being moved out of each institutional unit, a measure to protect the confidentiality of such data and information stored on this asset must be taken.
5. Each institutional unit must establish the maintenance and overhaul plan and procedure, and conduct implementation of such plan and procedure with respect to each type of physical asset as per regulations set forth by the State Bank on maintenance of computer equipment used in the banking sector.
6. When changing the purpose of use of physical assets containing certain sensitive data or liquidating these assets, each institutional unit must apply measures to completely and permanently remove and eliminate such data so that they could not be restored. Where it is impossible to eliminate data, the institutional unit must implement a measure to eliminate data storage constituents of such assets.
7. As for physical assets which are mobile devices or information bearing objects, in addition to complying with regulations laid down in this Article, an institutional unit must establish and implement the management system under the provisions of Article 9, 10 hereof.
Article 7. Management of information assets
1. Each institutional unit must list and stipulate the authority and responsibilities of persons who are entitled to access and use each type of information asset.
2. The institutional unit must categorize and evaluate risk and importance levels of information assets on the basis of requirements relating to confidentiality, integrity and availability for use of such information assets with a view to implementing appropriate measures to manage and safeguard them.
3. As regards any information asset containing sensitive data, the institutional unit must take encryption measures to ensure information safety and security during the process of exchanging and storing such information.
Article 8. Management of software assets
1. The list of software assets shall be compiled with the following basic information, such as name, value, importance level, purpose of use, scope of use, administrator, copyright information, version and storage location of such assets.
2. The institutional unit must categorize and evaluate levels of risks posed to software assets on the basis of requirements relating to confidentiality, integrity and availability for use of such software assets with a view to implementing appropriate measures to manage and safeguard them.
3. Each institutional unit must establish the maintenance plan and procedure, and conduct implementation of such plan and procedure with respect to each type of software asset as per regulations set forth by the State Bank on maintenance of computer equipment used in the banking sector.
Article 9. Management of use of mobile devices
1. Mobile devices must be registered for controlling purposes when connecting to the internal network of each institutional unit.
2. Mobile devices must be connected to information service networks and systems of each institutional unit within a limited area; connecting mobile devices to permitted information systems of each institutional unit must be controlled.
3. Institutional units must set out regulations on responsibilities of mobile device users, at least including the following:
a) Protect mobile devices from being damaged, stolen or getting lost;
b) Control installed software products; install software updates and patches on mobile devices;
c) Install data encryption functions, secret enciphering codes, malicious code prevention software and other security measures;
d) Set up the function of remotely disabling or locking devices or removing data in case mobile devices get lost or are stolen;
dd) Back up data on mobile devices in order to protect and restore data whenever necessary;
e) Implement measures to protect data when sending mobile devices to warranty, maintenance and repair service providers.
Article 10. Management of use of information bearing object
Each institutional unit shall take the following responsibilities:
1. Control connection and disconnection of information bearing objects to and from devices belonging to the information systems.
2. Develop measures to ensure the safety of information bearing objects during carriage and storage.
3. Implement measures to protect sensitive data contained in information bearing objects.
4. With respect to information bearing objects which are no longer usable, or which contain sensitive data and are to be used for other purposes, permanently and completely remove or eliminate stored data so that it cannot be restored.
5. Assign individuals responsibilities for managing and using information bearing objects.
Section 2: HUMAN RESOURCE MANAGEMENT
Article 11. Recruitment or duty assignment
1. Determine responsibilities of each position to which an employee is recruited or assigned for assurance of information systems safety and security.
2. When recruiting or assigning an employee to an important position in the information systems, such as information systems administrator, security systems administrator, systems operator or database administrator, each institutional unit must strictly consider and evaluate the ethical behavior and professional qualifications of this employee with reference to their personal background and criminal record.
3. Request recruited candidates to make a written commitment to information security on a separate basis or give such commitment in employment contracts. This commitment must include terms and conditions regarding responsibilities for assurance of information systems safety and security during and after the period of time when they work at an institutional unit.
4. Newly-recruited employees must have access to training and dissemination of each institutional unit’s regulations on information systems safety and security.
Article 12. Management of utilization of human resources
Each institutional unit shall assume the following responsibilities:
1. Disseminate and provide updated regulations on information systems safety and security to all staff members.
2. Inspect implementation of regulations on information systems safety and security applied to directly-affiliated individuals or organizations at least once a year.
3. Apply measures to impose sanctions on any staff member of each institutional unit who commits any violation against regulations on information systems safety and security in accordance with laws and regulations.
4. When important systems or devices (including servers, application software and network security systems) are installed or configured on the official environment by its staff members, the institutional unit must adopt supervisory measures. If such installation or configuration is carried out on a database or by a third party, a staff member of that institutional unit must be appointed to supervise it.
5. Separate personnel into the following work groups:
a) Development and administration of operation of information systems;
b) Database administration and application development;
c) Database administration and application operation;
d) Principal and standby information systems administration.
6. Develop measures to manage the user accounts of each institutional unit's staff members on important information systems when these staff members leave their positions.
7. Review and examine the access rights of all staff members to information systems, with a view to ensuring that such access rights correspond to assigned duties, at least every three months in respect of important information systems and every six months in respect of other information systems.
Article 13. Employment termination or change
If a staff member terminates or changes their employment, each institutional unit shall fulfill the following obligations:
1. Clearly define responsibilities of these staff members and parties involved in management, operation and utilization of information systems.
2. Make a record of information technology property transfer signed by staff members.
3. Revoke the access rights to information systems of employees resigning from their employment.
4. Change the access rights to information systems of staff members who change their employment, in order to adhere to the principle that these rights are adequate for them to perform their assigned duties.
5. At least every three months, carry out a periodic review and check between the department of human resource administration and the department administering the granting and revocation of access rights to information systems, in order to ensure that the user accounts of staff members who have resigned from their employment are revoked.
6. Inform the State Bank (Information Technology Administration) of cases in which individuals working in the information technology sector have been disciplined in a form of dismissal, discharge or judicial proceedings on account of violations against regulations on information systems safety and security.
Section 3: ASSURANCE OF PHYSICAL AND ENVIRONMENTAL SAFETY FOR THE LOCATION FOR INSTALLATION OF INFORMATION TECHNOLOGY EQUIPMENT
Article 14. General requirements of the location for installation of information technology equipment
1. Build guard fences and entrance and exit gates, or adopt measures to control and restrict unauthorized access risks.
2. Implement measures to prevent and control explosion or flood risks.
3. Areas that require a high level of information safety or security, including areas for installation of servers, storage devices, security instruments and communications equipment, must be isolated from areas for common use, distribution and cargo handling; they must have working rules and instructions, and measures to control persons who enter or leave such areas must be applied.
Article 15. Requirements of the data center
In addition to conformity to requirements referred to in Article 14 hereof, the data center must meet the following requirements:
1. Entrance or exit gate/door of the data center must have 24/7 security guards.
2. Areas for installation of information technology equipment must be protected from direct sunlight and from leakage and flooding. Entrance and exit doors must be sturdy, have a firefighting capability and use at least two distinct types of security keys (mechanical keys, cards, ciphering codes, biometric security codes).
3. Areas for installation of equipment of important information systems must be put under 24/7 guard and surveillance.
4. Have at least one power source supplied by the power transmission grid and one supplied by the power generator. Have the automatic transfer switch between two power sources. Whenever power source supplied by the power transmission grid is cut, the power generator must automatically run to supply power within a maximum duration of three minutes. The power source must be connected through UPS system to supply power for equipment and ensure the capability of maintaining operations of such equipment within a minimum duration of 30 minutes.
5. Have an air conditioning system to ensure continuous operations.
6. Have a lightning protection system and a surge protection device.
7. Have an automatic fire alarming and firefighting system to ensure that firefighting activities do not cause damage to built-in equipment.
8. Have a technical floor system or electrification insulating layer.
9. Have a surveillance camera and data storage system with the capacity to store footage for at least 100 days.
10. Have a temperature and humidity monitoring and controlling system.
11. Have an entry and exit logbook.
Article 16. Physical asset safety and security
1. Physical assets must be arranged or installed in a safe and guarded position in order to reduce risks incurred by environmental threats or perils and unauthorized access.
2. Physical assets belonging to important information systems must be provided with an adequate amount of power and support systems whenever interruption of the main power source occurs. Electric overload, voltage sag or surge protection solutions, grounding system, standby generation system and UPS system must be in place to ensure continuous operations.
3. Power supply and communications cables used for transmission of data or other information support services must be protected from any infringement or damage.
4. All data storage devices must be checked to ensure that important data and copyrighted software stored on them are permanently and completely deleted or overwritten, so that they are not restorable, before being disposed of or reused for other purposes.
5. Equipment and devices used for professional operations which are installed outside of each institutional unit’s office must be protected and guarded from any act of infringement or unauthorized access.
Section 4: MANAGEMENT OF OPERATION AND INFORMATION EXCHANGE
Article 17. Administrative responsibilities and operational procedures of institutional units
1. Formulate procedures for operation of information systems, including system startup and shutdown; data backup and restoration; application operation; troubleshooting; supervision and recording of system operations into the logbook. For the purposes of such procedures, scope of work and responsibilities of persons who use and operate the systems must be clearly defined.
2. Take control of any change made to a software version, hardware configuration and operational procedure, including recording changes, setting up a plan, carrying out examination, testing such changes, reporting on results and applying for approval before such procedures are officially put into effect. Prepare emergency plans for recovery of the systems in the event that such changes fail or unpredictable breakdowns occur.
3. The information systems which have been officially brought into operation must meet the following requirements:
a) Such systems must be independent of their development environment and their examination and testing environment;
b) Measures to ensure its safety and security must be applied;
c) Application development tools and equipment are not installed on the systems being officially brought into operation.
4. The information systems which process client s transactions must meet the following requirements:
a) A single individual is not allowed to participate in different processes varying from initiation to approval of a transaction;
b) Measures to ensure the integrity of data of a transaction must be applied;
c) All activities on the information systems must be tracked and recorded so that they are traceable to facilitate examination or control efforts whenever necessary.
Article 18. Plan formulation and acceptance of the information systems
1. Each institutional unit must establish technical standards, norms and requirements in order to ensure that the existing systems and any information systems normally operate before they are officially brought into operation.
2. Based on technical standards, norms and requirements which have already been formulated, each institutional unit shall carry out supervision and optimization of performance of the information systems; assess the demand satisfaction of the information systems to forecast and formulate the plan for expansion and improvement in order to ensure its demand satisfaction capability in the future.
3. Each institutional unit must review and update technical standards, norms and requirements whenever there is any change made to the information systems. It should provide relevant staff members with opportunities to participate in technical training and transfer in terms of elements subject to such changes.
Article 19. Backup copy
1. Compile a list of data and software that need to be backed up, classified by importance, storage period, backup time, backup method and time of testing system restoration from backup data. All data stored in important information systems must be backed up on a daily basis.
2. Data of important information systems must be backed up to external storage devices (such as magnetic tapes, hard disks, optical discs or other storage devices), and must be safely retained and stored separately from the areas where backups are made. Check and restore backup data stored in external storage devices at least every six months.
3. Any institutional unit which has both its main and standby information systems located outside of Vietnam must back up electronic transaction data on a daily basis and store such backup data within the territory of Vietnam. Such institutional unit must ensure the capability of restoring original data from the backup data. Check and restore backup data at least every six months.
Article 20. Network safety and security administration
1. Formulate regulations on management of network safety and security and management of terminal devices of the entire network system.
2. The network system must be divided into different network areas, depending on types of users and purposes of use and information system. Important network areas must be equipped with firewall devices to control information safety and security.
3. Create and store documentation relating to logic and physical diagrams in respect of computer network systems, wide area network (WAN/Intranet) and local area network (LAN).
4. Provide network security solutions to control, detect and prevent any unauthorized connection or access to the network system in a timely manner.
5. Fully set up and configure the functions of the network security system. Implement measures and solutions to search for and detect security vulnerabilities and holes in the network system. Regularly check for and detect any illegal connection, or any equipment or software installed in the network system without permission.
Article 21. Information exchange
Each institutional unit shall take the following responsibilities:
1. It shall adopt regulations on information exchange, at least including the following: classification of information by sensitivity level; rights and responsibilities of each individual granted access to information; measures to ensure integrity and confidentiality of information during transmission, receipt, processing and storage; information storage policies.
2. Sensitive information, documents or data must be encrypted before being exchanged, transmitted or received through any computer network or information bearing object.
3. It shall implement measures to strictly manage, oversee and control electronic information websites which provide information, service and support online transactions with clients.
4. It must enter into an information exchange agreement with external parties. Legal responsibilities and obligations of contracting parties must be defined.
5. It must implement measures to protect equipment and software that supports internal information exchange in order to restrict any infringement and illegal access to sensitive information.
Article 22. Management of online transaction services
1. Requirements of the information systems that assist in providing online transaction services for clients must include the followings:
a) Ensure a high level of availability and fast restorability;
b) Data on the transmission line must be fully encrypted and delivered to the right address, and must be protected from being altered, revealed or replicated in an illegitimate manner;
c) A transaction must be authenticated by at least two elements. As for any transaction which has high value, the method of strong authentication should be employed, including biometrics (finger print, finger or hand palm vein, iris, voice and face) or digital signature;
d) Any electronic information website used for online transactions must have anti-phishing authentication and must be protected by measures against unauthorized modification.
2. Authentication of a client’s transaction must be directly performed at the information systems of an institutional unit.
3. Access to the online transaction system from inside the internal network must be strictly controlled.
4. The online transaction system must be strictly monitored to ensure its capability of detecting and warning about:
a) Suspected or fraudulent transactions based on determination of time, geographical position, transactional frequency rate, transactional monetary amount, number of authentications inconsistent with regulations and other abnormal signs;
b) Abnormal operations of this online transaction system;
c) Denial of Service attacks (DoS), Distributed Denial of Service attacks (DDoS).
5. Sensitive information of clients (PIN codes and secret enciphering codes) must be encrypted at the application layer.
6. Before using online transaction services, clients must be warned about risks and provided with safety and security instructions.
7. Online transaction application software shall not be allowed to be available online if measures to ensure safety and security for clients have yet to be applied.
Article 23. Supervision and recording of information systems operations into the logbook
1. Record and preserve a logbook of the operations of information systems and users, and of errors or breakdowns that may cause information systems insecurity. Data contained in this logbook must be kept online for at least three months and retained in backup for at least one year.
2. Implement measures to monitor and analyze the logbook, warn about risks, handle them and report on results.
3. Protect logbook writing functions and the information contained in the logbook against forgery and illegal access. System administrators and users shall not be allowed to delete or revise the logbook entries recording their own activities on the system.
4. Synchronize the time of different information systems.
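Article 23 requires that logbook entries be kept for a minimum period, that administrators and users cannot alter or delete records of their own activity, and that system clocks be synchronized. The following sketch, added here as an illustration and not code from the Circular, shows one way to make a logbook tamper-evident: each record is chained to the previous one and sealed with an HMAC whose key is held by the log service rather than by the administrators of the systems being logged. The retention periods follow Article 23.1 (90 days taken as "three months"); the clock-skew tolerance, the key and the log lines are constructed assumptions.

```python
import hashlib
import hmac
import json
from datetime import datetime, timedelta

# Retention periods from Article 23.1; 90 days stands in for "three months".
ONLINE_RETENTION = timedelta(days=90)
BACKUP_RETENTION = timedelta(days=365)
# Assumed tolerance for clock drift between systems (Article 23.4).
CLOCK_SKEW = timedelta(seconds=5)
GENESIS = "0" * 64   # "previous MAC" value of the first record


def _canonical(body):
    # Deterministic serialisation so the MAC covers exactly the stored fields.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def _seal(key, body):
    return hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()


def append_entry(log, key, ts, actor, action, outcome):
    """Append a record chained to its predecessor and sealed with the log service's key."""
    if log:
        last_ts = datetime.fromisoformat(log[-1]["ts"])
        if ts < last_ts - CLOCK_SKEW:
            raise ValueError("timestamp earlier than previous record; check time synchronisation")
    body = {
        "seq": len(log),
        "ts": ts.isoformat(),
        "actor": actor,
        "action": action,
        "outcome": outcome,
        "prev": log[-1]["mac"] if log else GENESIS,
    }
    body["mac"] = _seal(key, body)
    log.append(body)
    return body


def verify_chain(log, key):
    """Return (True, None) if intact, else (False, index of the first bad record).
    A deleted, reordered or edited record breaks the chain at that position."""
    prev = GENESIS
    for i, rec in enumerate(log):
        body = {k: v for k, v in rec.items() if k != "mac"}
        if body.get("seq") != i or body.get("prev") != prev:
            return False, i
        if not hmac.compare_digest(_seal(key, body), rec["mac"]):
            return False, i
        prev = rec["mac"]
    return True, None


def retention_tier(rec, now):
    """Where a record must currently be held under Article 23.1."""
    age = now - datetime.fromisoformat(rec["ts"])
    if age < ONLINE_RETENTION:
        return "online"
    if age < BACKUP_RETENTION:
        return "backup"
    return "past_minimum_retention"


def constructed_log(key):
    """Three constructed records (not real audit data)."""
    log = []
    t0 = datetime(2016, 3, 1, 8, 0, 0)
    append_entry(log, key, t0, "sysadmin", "login", "success")
    append_entry(log, key, t0 + timedelta(minutes=1), "sysadmin", "change firewall rule", "success")
    append_entry(log, key, t0 + timedelta(minutes=2), "teller01", "login", "failure")
    return log


if __name__ == "__main__":
    key = b"constructed-log-service-key"   # constructed; keep the real key out of admin reach
    log = constructed_log(key)
    print(verify_chain(log, key))
    log[1]["action"] = "nothing"
    print(verify_chain(log, key))
```

The chain only detects tampering; it does not prevent it. Keeping the HMAC key and a copy of the latest MAC on a separate, write-restricted log server is what turns detection into the "shall not be allowed to delete or revise" requirement in practice.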
Article 24. Malicious code protection
Formulate and implement regulations on malicious code protection which conform to the following basic requirements:
1. Determine responsibilities of users and departments relating to malicious code protection activities.
2. Apply malicious code protection measures or solutions to the entire information systems of each institutional unit.
3. Update new malicious code samples and malware protection software.
4. Check and remove malicious code from externally received information-bearing media before use.
5. Control installation of software which ensures compliance with information safety and security regulations of each institutional unit.
6. Take control of unsolicited or suspicious electronic mails, and of the files attached to or links contained in such emails.
Section 5: ACCESS MANAGEMENT SOLUTIONS
Article 25. Requirements for access control
1. Regulations on management of access of users, group of users, devices and tools used for access purposes must ensure conformity to operational requirements and information safety and security requirements, including the following basic contents:
a) Register, grant, renew and revoke access rights of users;
b) Limit and control the use of administrator accounts to access the information systems;
c) Manage and grant secret enciphering code to access networks, operating systems and information and application systems;
d) Review, check and revise users’ access rights;
dd) Set out information safety and security requirements or conditions in respect of devices and instruments used for access purposes.
2. Regulations on secret enciphering code must meet the following requirements:
a) Any secret enciphering code must be at least six characters long and must include numbers, uppercase letters, lowercase letters and special characters where the system allows them. The validity of a secret enciphering code must be checked automatically when a new one is set;
b) A default secret enciphering code set by a manufacturer on a device, software and database must be changed before use;
c) Password management software must be developed with the following functions: Notifying users of change of an expired secret enciphering code; invalidating an expired secret enciphering code; granting permission to promptly change a secret enciphering code which has been disclosed or is exposed to a risk of being disclosed or upon the request of users; preventing use of old secret enciphering code during a specified period.
3. Regulations on responsibilities of users who are granted access rights: Use a secret enciphering code in accordance with regulations, treat this code as confidential, use devices or instruments for access in accordance with regulations, sign out of the systems when stopping work or temporarily leaving the systems.
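Paragraph 2 of this Article lists concrete rules for secret enciphering codes (passwords): minimum length and character classes checked automatically at set-up, replacement of manufacturer defaults, expiry with prior notification, immediate change on suspected disclosure, and a block on reusing old codes for a period. The following validator and per-user record, added here as an illustration and not part of the Circular, implement those rules together. The expiry, warning and reuse periods, the PBKDF2 parameters and the small set of vendor defaults are constructed assumptions; only the six-character minimum comes from the page.

```python
import hashlib
import re
import secrets
from datetime import datetime, timedelta

MIN_LENGTH = 6                 # Article 25.2.a
# Assumed operational parameters; the Circular fixes none of them.
MAX_AGE_DAYS = 90              # code expires after this many days
WARN_BEFORE_DAYS = 7           # user is notified this long before expiry
REUSE_BLOCK_DAYS = 365         # "specified period" during which old codes may not be reused
PBKDF2_ROUNDS = 100_000

CLASS_PATTERNS = {
    "digit": re.compile(r"[0-9]"),
    "upper": re.compile(r"[A-Z]"),
    "lower": re.compile(r"[a-z]"),
    "special": re.compile(r"[^0-9A-Za-z]"),
}
ALL_CLASSES = ("digit", "upper", "lower", "special")
# Constructed sample of manufacturer defaults that must be replaced (25.2.b).
VENDOR_DEFAULTS = {"admin", "password", "changeme"}


def check_complexity(code, allowed_classes=ALL_CLASSES):
    """Return a list of violations; an empty list means the code is acceptable.
    allowed_classes names the character classes the target system accepts,
    matching 'if allowed by the systems' in 25.2.a."""
    problems = []
    if len(code) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    for name in allowed_classes:
        if not CLASS_PATTERNS[name].search(code):
            problems.append(f"no {name} character")
    if code.lower() in VENDOR_DEFAULTS:
        problems.append("manufacturer default value")
    return problems


def _digest(code, salt):
    # Salted, slow hash so stored history cannot be reversed cheaply.
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, PBKDF2_ROUNDS)


class CredentialRecord:
    """Per-user state behind the password-management functions of 25.2.c."""

    def __init__(self):
        self.history = []        # (salt, digest, set_at), newest last
        self.compromised = False

    def set_code(self, code, now, allowed_classes=ALL_CLASSES):
        """Validate and store a new code; returns the list of reasons for refusal."""
        problems = check_complexity(code, allowed_classes)
        cutoff = now - timedelta(days=REUSE_BLOCK_DAYS)
        for salt, digest, set_at in self.history:
            if set_at >= cutoff and secrets.compare_digest(_digest(code, salt), digest):
                problems.append("reuses a code set within the blocked period")
                break
        if problems:
            return problems
        salt = secrets.token_bytes(16)
        self.history.append((salt, _digest(code, salt), now))
        self.compromised = False
        return []

    def mark_compromised(self):
        """Disclosed or at risk of disclosure: a prompt change is required."""
        self.compromised = True

    def status(self, now):
        if not self.history:
            return "unset"
        if self.compromised:
            return "change_required"
        age = now - self.history[-1][2]
        if age >= timedelta(days=MAX_AGE_DAYS):
            return "expired"
        if age >= timedelta(days=MAX_AGE_DAYS - WARN_BEFORE_DAYS):
            return "expiring_soon"
        return "valid"

    def verify(self, code, now):
        """True only if the code matches and has not expired (expired codes are invalid)."""
        if self.status(now) in ("unset", "expired"):
            return False
        salt, digest, _ = self.history[-1]
        return secrets.compare_digest(_digest(code, salt), digest)
```

An application would call `status()` at login to drive the expiry notification ("expiring_soon") and the forced change ("change_required"), and `set_code()` from the change-password screen; the `allowed_classes` argument lets the same checker serve a legacy system that accepts only letters and digits.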
Article 26. Management of access to the internal network
1. Regulations on management of access to a network and network services shall consist of the following basic contents:
a) Permitted networks and network services, modality, means and requirements of information safety and security for access purposes;
b) Responsibilities of administrators and users;
c) Procedure for grant, change and revocation of connection rights;
d) Control of network administration, access and use.
2. Implement measures to strictly control the external connections to the internal network of each institutional unit for the purpose of information safety and security.
3. Take control of installation and use of remote access control software.
4. Control access to ports used for setting and administration of network devices.
5. Grant the right of access to a network and network services according to the principle that such right is sufficient to perform assigned duties.
Article 27. Management of access to the operating system
1. Each user of an operating system must have an exclusive identity, must be authenticated, identified and tracked for his/her access to this operating system.
2. Require multi-factor authentication (user name/secret enciphering code combined with another factor such as biometrics, security cards or one-time passwords) for remote access to important information systems, at least including servers, network devices and information safety and security systems.
3. Set limits on and strictly control utilities belonging to the systems that may have influence over the systems and other application programs.
4. Automatically terminate an idle work session in order to prevent unauthorized access attempts.
5. Set the timeout limit for the connection to high-risk applications.
Article 28. Management of Internet access
1. Regulations on management of Internet access or connection include the following basic information:
a) Responsibilities of each individual and departments involved in Internet usage and operation.
b) Types of users permitted to access and connect to the Internet;
c) Prohibited or restricted acts;
d) Internet access and connection control;
dd) Method of information security for Internet access.
2. Manage Internet connection ports in each institutional unit in a manner of concentration and consistency. Take control of client’s access to Internet through the connection port provided by each institutional unit.
3. Provide network security solutions for Internet connection ports in order to protect the institutional unit’s internal network against attacks originating from the Internet.
4. Use detection tools for promptly finding out vulnerabilities or holes, malicious attacks, unauthorized access to the institutional unit’s internal network through Internet connection ports.
Article 29. Control of access to information and application
1. Manage and delegate authority to access information and applications according to the principle that such authority is sufficient for users:
a) Delegation of authority to access specific folders and functions of a program;
b) Delegation of authority to read, record, delete and execute information, data or program, whichever is appropriate.
2. All important information systems must be placed in a private computer network environment. Information systems which use the same resource must be approved by the system administrator.
Section 6: MANAGEMENT OF THE THIRD PARTY’S INFORMATION TECHNOLOGY SERVICES
Article 30. Conclusion of the contract with a third party
Each institutional unit shall take on the following duties:
1. Evaluate technical, personnel and financial capability of the third party before entering into the contract for provision of goods or services.
2. Clearly define responsibilities, powers and obligations of contracting parties regarding information safety and security when signing such contract. The contract with a third party must include terms and conditions regarding imposition of penalties for violations and responsibilities for compensation assumed by the third party who commits such violations.
3. Determine and evaluate risks that may arise and apply risk management measures in respect of the information systems of each institutional unit in relation to the third party’s execution of this contract.
4. An institutional unit shall be allowed to hire the third party to execute all of administration work activities (including revision of configuration, data or logbook) in respect of important information systems.
Article 31. Each institutional unit’s responsibilities for management of services provided by a third party
1. Provide, notify and request the third party to comply with regulations of the institutional unit on information systems safety and security.
2. Monitor and inspect services provided by the third party in order to ensure the extent of service provision and operational capability of the systems meet agreed requirements.
3. Ensure implementation and maintenance of information safety and security measures for services provided by the third party as agreed upon in the contract.
4. Manage any change made to services provided by the third party, including upgrades to new versions and use of new techniques, tools and development environments. Fully evaluate impacts of such change and ensure such services remain in safe working condition.
5. Clearly determine and specify safe functions, levels of security for such services and administration requirements as agreed upon in third-party service contracts.
6. Apply measures to strictly oversee and restrict access rights of the third party when they access an institutional unit’s information systems.
7. Supervise the third party’s personnel during the process of contract execution. Whenever any violation against regulations on information safety and security committed by the third party is discovered, the institutional unit must notify and collaborate with this third party in application of measures to deal with such violation in a timely manner.
8. Withdraw the right of access to the information systems granted to the third party, change keys or secret enciphering codes handed over by the third party immediately after work duties are completed or the contract is terminated.
Article 32. The third party’s responsibilities regarding provision of information technology services
1. Sign and execute information security commitments when the contract is executed and after the contract is completed.
2. Plan and arrange for personnel and other resources to execute a contract. Send the list of responsible personnel to the other contracting party and request approval from the institutional unit. The third party’s personnel must sign commitments against disclosure of important information of the other contracting party.
3. Communicate information safety and security rules and regulations of the contracting party to employees who take charge of developing and implementing compliance assurance measures. Temporarily cease or suspend operations, revoke access rights and immediately notify the contracting party of any violation that responsible employees may commit against information safety and security. Compensate for any loss caused by employees defaulting on contracts.
4. Contract completion records must be composed of a detailed technical report, as-built dossier of equipment installation, software configuration, operational instructions (if any) according to scope of work duties performed by the third party.
5. Transfer assets and rights of access to the information systems to the contracting party upon completion of work duties or completion of the contract.
Section 7. ACCEPTANCE, DEVELOPMENT AND MAINTENANCE OF INFORMATION SYSTEMS
Article 33. Requirements of information systems safety and security
When setting up or improving information systems, each institutional unit shall take on the following obligations:
1. Set out requirements regarding information safety and security along with technical and operational requirements.
2. Assess the level of conformity to information safety and security requirements after completion of system construction or improvement. The assessment result must be reported and approved by the head of institutional unit before such systems are officially brought into operation.
Article 34. Assurance of safety and security for applications
Application programs supporting each institutional unit’s operations must meet requirements, at least including:
1. Check validity of data imported to applications, and ensure imported data are accurate and valid.
2. Check validity of data subject to the automatic processing contained in applications in order to detect information deviations incurred by processing errors or intentional information change.
3. Measures to protect the authenticity and integrity of data processed by applications.
4. Check validity of data exported from applications, and ensure that processing activities of such application are accurate and valid.
5. Secret enciphering codes of users in important information systems must be encrypted at the application layer.
Article 35. Encryption management
1. Adopt regulations on and apply encryption measures in conformance to accredited national or international standards, and take measures to manage information security keys of each institutional unit. Use cryptographic algorithms, including:
a) AES: Advanced Encryption Standard;
b) 3DES: Triple Data Encryption Standard;
c) RSA: Rivest-Shamir-Adleman;
d) Others.
2. Data of client’s secret enciphering code, user’s secret enciphering code and other sensitive data must be encrypted and protected during the online transmission and storage process.
Article 36. Safety and security for source programs, test data and system configuration folders
1. Each institutional unit must provide regulations on:
a) Management and control of source programs. Access or approach to source programs must be approved by the head of institutional unit.
b) Management and protection of system configuration folders.
2. Each institutional unit must establish the procedure for selection, management and control of test data. Use of real data contained in the information systems which have been officially brought into operation for test purposes shall not be allowed if measures to hide or change sensitive information have not been implemented yet.
Article 37. Management of changes made to information systems
Information systems change control procedures and measures shall conform to at least the following requirements:
1. Upon changing the operating system, the institutional unit must carefully check and review the applications important to its operation in order to ensure that they operate in a stable and safe manner in the new environment.
2. Changes of software packages must be strictly managed and controlled.
3. The hire-purchase of software from outside must be strictly managed and supervised.
Article 38. Evaluation of information systems safety and security
1. Each institutional unit shall be obliged to carry out evaluation of information systems safety and security, including the following basic contents:
a) Evaluating the system architecture for the purpose of determining relevance of installed devices to the general system architecture and security requirements;
b) Evaluating the operational condition and information systems configuration to ensure that such systems operate in conformance to technical standards, norms and requirements as referred to in paragraph 1 Article 18 hereof;
c) Checking configuration of security devices, systems for automatic grant of access rights, and systems for management of terminal devices, and the list of user’s accounts;
d) Conducting penetration tests required for information systems which have connection to and provide information and services on Internet.
2. Periodically carry out evaluation of information systems safety and security, including:
a) At least every six months in respect of equipment directly exposed to external environments such as Internet, or connected to customers and third parties in accordance with contents referred to in subparagraph b, c, d paragraph 1 of this Article;
b) At least every year in respect of important information systems; at least every two years in respect of other information systems in accordance with contents referred to in paragraph 1 of this Article.
3. The evaluation result must be reported in writing to the head of institutional unit. As for any content which fails to comply with regulations on safety and security for information technology operations (if any), solutions, measures, plans and time limit for treatment and resolution must be recommended.
Article 39. Management of technical vulnerabilities
1. Set out regulations on evaluation, management and control of technical vulnerabilities of active information systems.
2. Each institutional unit must proactively detect technical vulnerabilities:
a) Regularly update information about technical holes and vulnerabilities;
b) Carry out scanning and detection of technical holes and vulnerabilities contained in active information systems at least every three months in respect of the systems which have external connection, and at least every six months in respect of other systems.
3. Evaluate the level of impact or risk caused by each technical hole or vulnerability which has already been detected in respect of active information systems, and recommend possible solutions.
4. Develop and conduct implementation of any remedial and mitigation measure and reporting of the result obtained from implementation of such measure.
Section 8: MANAGEMENT OF INFORMATION SYSTEMS FAILURE
Article 40. Procedure for systems failure resolution
1. Receive information about any failure.
2. Evaluate and determine level and extent of impact caused by operational failures of information systems. Depending on level and extent of impact caused by such failures, the institutional unit must report to equivalent level of management for possible directions for resolution.
3. Implement failure resolution and mitigation measures.
4. Record in files and report on results of failure resolution.
5. Define responsibilities of individuals and collectives for reporting, receipt and resolution of information systems failures.
6. Formulate forms and templates for documentation of failure resolution results.
Article 41. Control and mitigation of failures
1. Failures that cause insecurity for the information systems must be promptly reported to competent persons and other related ones to have them resolved as soon as possible.
2. Evaluate and determine reasons for such failures and implement preventive measures to prevent it from recurring in the future.
3. The process for failure resolution must be recorded in documents stored in each institutional unit. Implement measures to protect and prevent revision and destruction of stored documents on failures.
4. Collect, record and preserve proofs and evidence for inspection, resolution, mitigation and prevention of such failures. If information systems failures relate to any breach of laws and regulations, the institutional unit shall be responsible for collecting and providing proofs and evidence to competent authorities in accordance with prevailing laws.
Section 9: ASSURANCE OF CONTINUOUS OPERATION OF INFORMATION SYSTEMS
Article 42. Establishment of standby emergency response system
1. Institutional units must establish a standby emergency response system for important information systems, which conforms to the following requirements:
a) System installation position must be located in the distance of at least 20 km calculated by the straight line connecting two locations of systems and meet requirements referred to in Article 14 hereof;
b) Each standby emergency response system must be capable of substituting the main systems for a maximum of four hours after the time of unrecoverable failure occurring in the main system.
2. Any institutional unit which has only one set of information systems at a single site located within the territory of Vietnam must establish a standby emergency response system at another site to meet requirements referred to in subparagraph a paragraph 1 of this Article.
3. The plan for establishment of standby emergency response system
a) With regard to credit institutions or foreign bank branches, such establishment should be completed within six months after the entry into force of this Circular;
b) With regard to providers of payment intermediary services, such establishment should be completed within twelve months after the entry into force of this Circular.
Article 43. Formulation of procedures and scenario for assurance of continuous operation of the information systems
1. Establish procedures for response to operational insecurities and interruptions of each component of important information systems such as server, network device, security and communications equipment.
2. Construct the scenario of conversion to the standby system in place of the main system, including the following basic contents:
a) Work contents, conversion process and scheduled completion date;
b) Arrangement and assignment of work duties of responsible staff members, including directing, overseeing and carrying out such conversion, and examining the result of such conversion and performing test operations;
c) Necessary resources, equipment and requirements for such conversion;
d) Measures to ensure information and information systems safety and security;
dd) Forms or templates used for recording conversion results.
3. Any institutional unit which has only one set of information systems at a single site located within the territory of Vietnam must construct the scenario for conversion of its information systems to the standby information system as defined in paragraph 2 Article 42 hereof.
4. The scenario for conversion must be made known to all participants so that they grasp the work contents that need to be carried out.
5. Procedure and scenario for such conversion must be checked and updated when there is any change to the information systems, organizational structure, personnel and assignment of duties in relevant departments of an institutional unit.
Article 44. Organization of emergency drills for the purpose of ensuring continuous system operation
1. Each institutional unit must draw up and implement the plan for organization of emergency drills for continuous information systems operations:
a) Carrying out examination and evaluation of operations of the standby system at least every three months;
b) Performing drills for operational conversion of the main system to the standby system under the scenario stated in Article 43 hereof. Carrying out evaluation of results and updating procedures and scenario for such drills (if any).
2. The institutional unit must inform the State Bank (Information Technology Administration) of the drill plan no later than 05 (five) working days before conversion of the main system to the standby system (including those which do not have both main and standby information systems within the territory of Vietnam).
Section 10: INTERNAL INSPECTION AND REPORTING MECHANISM
Article 45. Internal inspection
1. Formulate regulations on internal inspection regarding the work of assurance of safety and security for information technology activities of each institutional unit.
2. Draw up the plan and carry out the work of autonomous examination of compliance with regulations laid down in this Circular and those of each institutional unit on assurance of safety and security for information technology operations at least once a year.
3. The result of inspection of assurance of safety and security for information technology activities of each institutional unit must be specified in a report sent to the head of institutional unit. The report points out unsolved issues relating to compliance with regulations on assurance of safety and security for information technology activities (if any) and recommends or proposes resolution and mitigation measures for them.
4. Conduct of implementation and reporting of result of resolution of unsolved issues stated in the report must comply with regulations laid down in paragraph 3 of this Article.
Article 46. Reporting mechanism
The institutional unit (except the State Bank) shall be responsible for sending a report to the State Bank (Information Technology Administration) prepared in Vietnamese language, including:
1. Annual report
a) Elements of a report:
- Work contents which have been done to ensure information systems safety and security under regulations laid down in this Circular;
- Revised and modified contents of regulations on information systems safety and security of each institutional unit (if any).
b) Deadline for sending reports: prior to January 31 of the subsequent year;
c) Method and form of a report: in accordance with instructions provided by the State Bank (Information Technology Administration).
2. Ad-hoc report
a) Failures resulting in information systems insecurities:
- Deadline for sending a report: within 01 (one) day from the time when any failure is detected;
- Detailed accounts of the case;
- Time and location of the case arising;
- Reasons (if any)
- Evaluation of risks and impacts to information systems and operations at the place of the case occurring and other related locations;
- Measures that an institutional unit has implemented to prevent, control and mitigate risks;
- Recommendations or suggestions.
b) Development, improvement and operation of new important information systems:
- Deadline for delivery of reports: no later than 05 (five) days before officially being brought into operation;
- Systems or applications which are proposed to be brought into operation;
- Scope of application;
- Test and pilot operation result;
- Plan for performing such activities;
- Evaluation of risks and levels of impact of new information systems on active information systems of an institutional unit;
- Recommendations or suggestions.
c) Other ad-hoc reports requested by the State Bank.
Chapter III
IMPLEMENTARY PROVISIONS
Article 47. Sanction settlement
Organizations or individuals committing violations against regulations of this Circular, depending on the seriousness of such violations, shall be subject to statutory sanctions.
Article 48. Implementation effect
1. This Circular takes effect on March 1, 2016 and replaces the Circular No. 01/2011/TT-NHNN dated February 21, 2011 of the Governor of the State Bank of Vietnam on introduction of regulations on assurance of information systems safety and security in the banking sector.
2. If any difficulties arise in the course of implementation, each institutional unit is advised to report to the State Bank for review, modification or revision.
Article 49. Implementation responsibilities
1. The Information Technology Administration shall assume the following responsibilities:
a) Set out technical standards for the purpose of standardizing information technology activities in the banking sector;
b) Monitor and prepare reports for submission to the Governor on review of assurance of information systems safety and security in each institutional unit in accordance with regulations laid down in this Circular;
c) Annually plan and check implementation of this Circular in institutional units;
d) Take charge of, cooperate with other relevant institutional units affiliated to the State Bank in resolution of difficulties that may arise in the process of implementing this Circular.
2. The Bank Supervision and Inspection Agency shall be responsible for cooperating with the Information Technology Administration in inspection of implementation of this Circular in each institutional unit (except the State Bank) and imposition of administrative sanctions for violations prescribed by laws.
3. The Internal Audit shall be responsible for carrying out internal inspections at institutional units affiliated to the State Bank under regulations laid down in paragraph 1, 2, 3 Article 45 hereof.
4. Heads of relevant institutional units affiliated to the State Bank; Directors of branches of the State Bank located in centrally-affiliated cities and provinces; Chairmen of the Board of Directors, Board of Members, Directors General (Directors) of credit institutions, foreign bank branches, and payment intermediary service organizations, shall be responsible for conducting implementation of this Circular.
For the Governor
The Deputy Governor
Nguyen Toan Thang