Circular No. 34/2018/TT-NHNN dated December 24, 2018 of the State Bank of Vietnam providing for the management and use of the State Bank of Vietnam’s computer network

CIRCULAR

PROVIDING FOR MANAGEMENT AND USE OF THE STATE BANK OF VIETNAM S COMPUTER NETWORK

Pursuant to the Law on the State Bank of Vietnam dated June 16, 2010;

Pursuant to the Law on Information Technology dated June 29, 2006;

Pursuant to the Law on Telecommunications dated November 23, 2009;

Pursuant to the Government s Decree No. 16/2017/ND-CP dated February 17, 2017, defining the functions, tasks, powers and organizational structure of the State Bank of Vietnam;

Pursuant to the Government s Decree No. 64/2007/ND-CP dated April 10, 2007, on information technology application in state agencies’ operations;

Pursuant to the Government s Decree No. 72/2013/ND-CP dated July 15, 2013, on the management, provision and use of Internet services and online information;

Pursuant to the Government s Decree No. 27/2018/ND-CP on amending and supplementing a number of articles of the Government s Decree No. 72/2013/ND-CP dated July 15, 2013, on the management, provision and use of Internet services and online information;

At the proposal of Director of Department of Information Technology;

The Governor of the State Bank of Vietnam promulgates Circular providing for the management and use of the State Bank of Vietnam’s computer network.

Chapter I

GENERAL PROVISION

Article 1. Scope of regulation and subjects of application

1. This Circular provides for the management and use of the State bank of Vietnam’s computer network (hereinafter referred to as theSstateBbank’s network).

2. This Circular applies to individuals and units under the State bank of Vietnam (hereinafter referred to as the StateBbank); outside organizations connecting and using the State Bank’s network.

3. Non-business units under the organizational structure of the State Bank that are allowed to connect and use the State Bank’s network under the guidance of the Information Technology Department.

Article 2. Interpretation of terms

In this Circular, the terms below are construed as follows:

1.The State Bank’s affiliated unitmeans an administrative unit within the State Bank’s organizational structure.

2.Property management unitmeans the State Bank’s affiliated unit that is assigned the task of property management.

3.Unit using propertiesmeans the State Bank’s affiliated unit that is assigned the right to use properties.

4.User means an individual or affiliated unit of the StateBbank that is allowed to connect and use the State bank’s network.

5.Technical officermeans a person who is trained in information technology and assigned thetask of managing and operating the information technology system in administrative units within the State Bank’s organizational structure.

6.Outside organizations connecting and using the State Bank network(hereinafter referred to as outside organizations) include: credit institutions, foreign bank branches and other organizations that are allowed to connect and use the State Bank’s network.

7.Data centermeans the data center of the State Bank, including a main data center and a reserve data center.

8.The State Bank’s networkincludes the State Bank’s local area network and the State Bank’s wide area network.

9.The State Bank’s local area networkmeans a network system connecting terminal devicesin scope of a geography areaof ​​the State Bank s head office.

10.The State Bank’s wide area networkmeans a network system connecting between the data center and the State Bank’s local area networks.

11.The State Bank’s internetmeans a network system providing Internet services to users at the State Bank.

12.Wireless networkmeans a network system connecting terminal devices through radio waves or ultra-short waves.

13.Terminal devicesmean devices including workstations, printers, scanners, fax machines, phones using IP addresses, and types of smart mobile devices with network connection.

14.Transmission infrastructure of wide area network means the system of transmission lines of the State Bank and transmission channels hired from providers of telecommunication services by the State Bank.

15.Transmission infrastructure of local area networkmeansthe system of internal transmission cables and drives for network connection.

16.Network equipmentincludes switches, routers, transmission equipment, security equipment, load balancing devices, system software and network monitoring equipment.

17.Core network layermeans a network layer of the network systemwith task of connection among network layers with each other.

18.Distribution network layermeans a network layer with the role as an interface connecting between the access network and the core network layer.

19. Access network layer means a network layerwith task of connectingusers with systems.

20.Network partitionsmean separate areas in a local area network divided according to users and purposes of use, including: Network zone for professional server, intermediate zone (DMZ zone) for providing services on Internet, network zone for providing wireless network services and management zone to monitor the State Bank’s network management.

21.Identification name means a sole name assigned to terminal devices connecting and accessingthe State Bank’s network.

22.Video conferencing servicemeans technology of transmitting images and sounds through information network that uses the TCP/IP protocol suite.

Article 3. Architecture of the State Bank’s network

1. The logical architecture of the State Bank’s network:

a) The logical architecture of the State Bank’s local area network includes the following main layers:  core network layer, distribution network layer, access network layer;

b) The logical architecture of the State Bank’s wide area network at the data center includes the following main partitions: network zone for professional server, Internet zone, Intranet zone, Extranet zone, DMZ zone and management zone;

c) The logical architecture of local network at administrative units within the State Bank’s organizational structure includes the following main partitions: Intranet zone, Extranet zone, Internet zone and management zone;

d) The logical architecture of the State Bank’s wide area network architecture includes network connections between the main data center and reserve data center; the data center and the State Bank’s affiliated units, the State Bank’s branches in provinces, cities; communication port connecting the State Bank with outside organizations.

2. The physical structure of the State Bank’s network includes: network equipment, local network transmission infrastructure and wide area network transmission infrastructure.

3. The local network shall be divided into network partitions according to the scope of access and access control among network partitions by firewall.

Article 4.Principles on building, managing and using the State Bank’s network

1. The State Bank’s network shall be designed and built with the ability to expand and apply advanced network technologies, with high availability, assurance of safety, confidentiality and bandwidth to satisfy operational and professional demand of the State Bank.

2. The State Bank’s network shall be designed and built in the direction of smart network and virtualized network infrastructure in order to optimize the management and use of network resources and support the State Bank’s cloud computing building.

3. The StateBbank’s network shall be managed in concentrated and unified way at the Information Technology Department and have assignment and decentralization to property management units.

4. Users shall be entitled to use the State Bank’s network to serve for specialized and professional activities.

5. The use and share of information on the State Bank’s network shall comply with the State Bank’s regulations on safety of information in banking operations and relevant law.

6. The users who fail to observe the provisions of Article 234of this Circular shall be temporarily stop provision of service.

The outside organizations that fail to observe the provisions of Article 14 of this Circular shall be considered for disconnection from the State Bank network.

Article 5. Resources and services of the State Bank’s network

1. Resources of the State Bank’s network shall include:

a) Transmission infrastructure, network equipment;

b) System of IP addresses, system of domain names, identification names of equipment.

2. Services of the State Bank’s network shall include: data transmission services, video conferencing services, network monitoring and managing services and other network services.

Article 6. Ensuring the readiness and safety of the State Bank’s network

1. The State bank’s network must be equipped with technical systems for network management and supervision in order to detect and prevent unauthorized access and ensure safety for data exchanged on the network environment. 

2. Network connections between outside organizations and the State Bank’s network must be controlled by network security systems and comply with the State Bank s regulations on safety of information in banking operations.

3. Network connections between the State Bank’s network and centrally-run units or outside organizations’ head offices shall be through at least02 independent transmission lines for transmission cable infrastructure.

4. Data transmitted between the State Bank’s network and outside organizations shall be encrypted on the transmission line.

5. Terminal devicesthat connect and use resources as well as services of the State Bank’s networkshall becertifiedby the network security system; be installed with anti-malware software; periodically be updated the versions with security hole patches on a basis of 03 months once minimallyunder the guidance of the Information Technology Department.

Chapter II

SPECIFIC PROVISIONS

Section 1. Local area network of The State Bank

Article 7. Regulations on installing newly, upgrading and repairing

1. The operation of installing newly, upgrading or repairing the local network of the State Bank shall satisfy the requirements of the State Bank’s network architecture as prescribed in Article 3 of this Circular and the architecture of security infrastructure of the State Bank s information technology system.

2.For installing newly and upgrading the transmission infrastructure of local area network: Property management units shall make a design dossier of transmission infrastructure and send it to the Information Technology Department for appraisal on the technical side before submitting to competent authorities for approval.

3. With regard toinstalling newly and upgrading thenetwork equipment: Annually, the Information Technology Department shall comply with the State Bank s regulations on management and implementation of investment in information technology application in the State Bank system.

4. Repair of local area network shall ensure that there is no change in technical configuration and design of local area network.

5. With regard to repair of transmission infrastructure of local area network:

a) For units using property other than units managing property, when they have demand for repair, they must notify units managing properties.  

b) Property management units shall proactively conduct repair in accordance with the State Bank’s regulations on financial management and notify the Information Technology Department for the technical cooperation.

6. With regard to repair of network equipment, property management units shall notify the Information Technology Department to coordinate in determining the conditions of equipment and handle as follows:

a) For error equipment which still remains warrant time or has been signed a maintenance contract, repair of equipment shall be implemented under the signed contract;

b) For equipment expired the warrant time, and has no maintenance contract, property management units shall conduct repair in accordance with regulations on the State Bank’s regulations on financial management and notify the Information Technology Department for the technical cooperation.

7. Property management units shall build, update and store design documents and completion drawings of the local network upon new installation, upgrade or repair.

Article 8. Regulations on maintenance,periodic inspectionand handling of incidents

1. Regulations on maintenance:

a) The State Bank’s local network at the Data Center must be periodically maintainedon a basistwice a yearof02 years once minimally;Thethelocal area network at administrative units within the State Bank’s organizational structure must be maintainedon a basis of 01 years once minimally;

b)The maintenance must be conducted without interruption or impact to professional activities of the State Bank;

c) The maintenance process must be recorded in diary on operational status before and after the maintenance.

d) For equipment that has been signed with a maintenance contract, the maintenance shall be performed under the signed contract;

dd) If the network equipment is out of warranty and there is no maintenance contract, the maintenance shall be performed as follows:

(i) The Information Technology Department shall formulate network maintenance procedures for property management units and coordinate in maintenance of network equipment remotely;

(ii) Property management units shall maintain network equipment in the scope of their management in accordance with the network maintenance procedure issued by the Information Technology Department;

e) Property management units shall be responsible for the maintenance of the transmission infrastructure in the scope of their management.

2. Regulations on periodic inspection:

a) The Department of Information Technology shall formulate and promulgate procedures for the periodic inspection of local network system;

b) Property management units shall conduct the periodic inspection of local network in accordance with the inspection procedures issued by the Information Technology Department.

3. Regulations on handling of incidents:

a) The Information Technology Department shall formulate and promulgate procedures for the periodic inspection of local network system;

b)When arising incidents, property management units shallrecord in diary and handle incidents inaccordance with the procedures and instructions of the Information Technology Department. For arising incidents that are not stated in the procedures and instructions orhandling of incident is failed, the property management units shall notify the Information Technology Department to coordinate in handling;

c) If the incident is handled by the Information Technology Department, the property management units and units using property shall be notified of the time and handling plan.

Article 9. Regulations on administration and use

1. Terminal devices shall be only allowed to connect to the access network layer.

2. The Information Technology Department shall provide for the unified allocation and use of IP address, identification names of equipment and control of equipment which connects into the State Bank s local network.

Section 2. Wide area network of the State Bank

Article 10. Regulations on newly installing, upgrading and repairing

1. Annually, the Information Technology Department shall make plans for newly installing and upgrading the wide area networks, and submit them to competent authorities for approval. The Information Technology Department shall install newly and upgrade the wide area networks in accordance with the approved plan.

2. The Department of Information Technology shall organize the repair of the State Bank’s wide-area network equipment.

Article 11. Regulations on maintenance, periodic inspection and handling of incidents

1. Regulations on maintenance:

a) Wide area network shall be maintainedon a basistwice a yearof 02 years once minimally, including 01 on-site maintenance and 01 remote maintenance;

b) The maintenance of wide area network shall be implemented without interruption andimpact to professional activities of the State Bank;

c) The maintenance process shall be carried out in accordance with the approved plan and recorded in diary on operational status before and after maintenance;

d) The Information Technology Department shall formulate plans on maintenance, assume the prime responsibility for, and notify property management units as well as units using property to coordinate in implementation. In case of hiring maintenance services, the Information Technology Department shall comply with current regulations;

dd) Property management units shall coordinate with the Department of Information Technology to implement and confirm the maintenance results.

2. Regulations on periodic inspection and handling of incidents:

a) The Department of Information Technology shall formulate and promulgate procedures, and guide periodic inspection and handling of incidents;

b) Property management units shall conduct periodic inspection, record in diary and handle incidents in accordance with the Information Technology Department s procedures and instructions.

Article 12. Regulations on administration and use

The Information Technology Department shall assume responsibility for:

1. Centrally managing and controlling the State Bank s wide area network.

2. Building, updating and storing design documents and completion drawings of wide area networks upon newly installing, upgrading or repairing.

3. Recording daily activities in diary and make general evaluation report of wide area network on the basis of06 months once.

Section 3. Regulations on connection with the State Bank’s network.

Article 13. Management on connection with the State Bank’s network.

1. The State Bank (the Information Technology Department) shall perform the unified management on connection methods and IP address ranges for terminal devices of outside organizations when they connect to the State Bank’s network.

2. Outside organizations shall connect and change connection with the State Bank’s network in accordance with Article 15 of this Circular; disconnect from the State Bank’s network in accordance with Article 16 of this Circular.

3. In case ofsupplementing equipment or changingtransmissionlines, outside organizations shall send written notification,documents of design, configuration and plan of implementation tothe Information Technology Department beforecarrying out.

Article 14. Requirements on connection with the State Bank’s network

1. Complying with regulations on connection with the State Bank’s network.

2. Ensuring security and confidentiality in accordance with the regulations on safety of information system in the State Bank’s operations for terminal equipment, network equipment and transmission lines connected to the State Bank’s network.

3. Having sufficient technical equipment for connecting to the network and ensuring information security as well as confidentiality in lines under the State Bank’s current regulations.

4. Having a contingent of cadreswith qualification and ability for administration ofthe organization’sconnectedterminal devices and network equipment.

5. Selecting providers of transmission line and bandwidth services, paying costs of connection and installation, subscription, repair and maintenance of connection lines to the State Bank.

Article 15. Guidance on making connection or changing connection with the State Bank’s network

1. Outside organizations that wish to connect or change connection with the State Bank’s network shall make a written request for instructions on connection or change of connection according to Appendix No.01 promulgated together with this Circular, send it by post or in person at the State Bank (Information Technology Department) or through the State Bank s public service portal.

2. Within07 working days after receiving the written request, the Information Technology Department shall notify the relevant units and guide the connection.

Article 16.Guidance  onGuidance oncanceling connection with the State Bank’s network

1. Outside organizations that no longer wish to connect to the State Bank’s network shall make a written request for instructions on disconnection according to Appendix No.02 promulgated together with this Circular, send it by post or in person at the State Bank (Information Technology Department) or through the State Bank’s public service portal.

2. Within05 working days after receiving the written request, the Information Technology shall notify the relevant units and guide the disconnection.

Section 4. Internet connection

Article 17. Management of Internet connection

1. If computers of the State Bank’s local area network connect to the Internet, they shall pass through centralized connection ports which are set up and managed by the Information Technology Department.

2. If computers of the State Bank’s local area network connect and use the State Bank’s information systems at the 3^thgrade or higher under the Government s regulations on ensuring the safety of the information system by level, they shall not be allowed to connect to the Internet.

3. If units having computers belonging to the State Bank’s local area network wish to connect directly Internet without passing through the connection ports which are set up and managed by the Information Technology Department, the units shall submit to the Governor of the State Bank for consideration and approval (through Department of Information Technology).

4. If computers not belonging to the State Bank’s local area network connect internet, they shall be decided by heads of units using property and shall comply with the State Bank’s regulations on safety and confidentiality of information and relevant law.

5. It shall be prohibited to use Internet-connected devices without passing through connection ports set up and managed by the Information Technology Department to directly connect to the State Bank’s network, excluding the case specified in Clause 3 of this Article.

Article 18. Requirements for Internet connection

1. Terminal devices that are connected to the Internet through centralized portals managed by the Information Technology Department shall join the State Bank’s Domain; be installed with anti-malware softwareand updated the versions with security hole patchesof operating system and other software under the Information Technology Department’s guidance.

2. Users who connect to the Internet through centralized portals managed by the Information Technology Department shall use access accounts issued by the Information Technology Department.

Article 19. Regulations on supervision and control of Internet connection

1. The Department of Information Technology shall assume responsibility for setting up network security systems to ensure safety and confidentiality between the State Bank’s network and the Internet.

2. The Department of Information Technology shall assume responsibility for managing, formulating policies and controlling the devices of the State Bank’s network which connect to the Internet.

3. The Department of Information Technology shall manage and allocateaccounts for access into internet of users.In necessary cases, to ensure safety for the network system of the State bank, the Information Technology Department shall be entitled to take the initiative in temporarily stopping or revoking accounts having access into internetand send notices to users.

Article 20. Regulations on connecting to wireless networks and mobile equipment

1. The State Bank’s wireless network system which connects to the Internet shall be designed and set up independently with the State Bank’s network system.

 2. The Information Technology Department shall manage activities of network equipment which provides for service of wireless connection and control equipment having access to the State bank’s network through wireless network.

Section 5. Responsibilities in management and use of the State Bank’s network

Article 21. Responsibilities of the Information Technology Department

1. Assuming responsibility for technical management of the State Bank’s network system.

2. Managing the allocation and use of resources of the State Bank’s network within its decentralized management scope.

3. Monitoring and supervising activities of the State Bank’s network system to ensure continuous, stable and safe operations.

4. Warning and guiding units of the State Bank to handle holes in confidentiality and risks to the operation of the State Bank’s network after detecting and assessing the seriousness.

5. Informing to property management units within minimally 03 working days before temporarily stopping provision of network service for repair, upgrading or maintenance.

6. Checking the network connections of outside organizations to the State Bank’s network.

7. Researching and applying advanced technologies to set up, manage and operate the State Bank’s network in a concentrated and unified orientation.

8. Researching and building the State Bank’s network infrastructure to operate in parallel mode (Active/Active) between the State Bank’s data centers.

9. Organizing training and guidance for units and individuals of the State Bank on the management and use of the State Bank’s network.

10. Performing other duties as prescribed in this Circular.

Article 22. Responsibilities of property management units

1. Guiding and inspecting the use of local area network managed by the units.

2. Coordinating with the Department of Information Technology in connecting, changing connection and cancelling network connection for organizations with connections to their units.

3. Checking the network connections of outside organizations to the State Bank’s network which are conducted through the connection portals established and managed by the Information Technology Department.

4. Coordinating with the Information Technology Department in managing the network connections of outside organizations connected to the units.

5. Assigning technical officers to manage network equipment and coordinate in handling of incidents arising at units.

6. Ensuring necessary conditions for network equipment at units to operate safely and stably.

Article 23. Responsibilities of users

1. Using resources, exploiting information on the State Bank’s network and Internet within the allowed scope and subject to the supervision and control of the Information Technology Department.

2. Observing the State Bank’s regulations on safety and confidentiality of information system in banking operations and relevant law.

3. Observing the State Bank’s regulations and the law on Internet connection, use and exploitation.

4. Only using and installing instruments and software in accordance with the State Bank’s regulations when participating in the State Bank’s network system.

5. In case of arising incidents or unsafe signals when using the State Bank’s network, notifying technical officers the property management unit for guidance and handling support.

6. Coordinating with technical division in handling and certifying result of handling incidents.

Chapter III

PROVISIONS OF IMPLEMENTATION

Article 24. Effect

This Circular takes effect on March01, 2019 and replaces the Circular No. 11/2012/QD-NHNN dated April 25, 2012 of the State Bank of Vietnam’s Governor on promulgating regulations on management and use the State Bank of Vietnam’s computer network.

Article 25. Organization of implementation

Chief of Office, Director of the Information Technology Department, Heads of relevant units under the State Bank, Chairman of Board of Directors, Board of Members, General Director (Director) of credit institutions, foreign bank branches and relevant organizations shall assume responsibility for organizing the implementation of this Circular./.

FortheGovernor

TheDeputy Governor

Nguyen Kim Anh