THE STATE BANK OF VIETNAM
SOCIALIST REPUBLIC OF VIETNAM
Independence - Freedom - Happiness
No. 29/2008/QD-NHNN
Hanoi, October 13, 2008
DECISION
ON THE ISSUANCE OF REGULATION ON MAINTENANCE OF SYSTEM OF INFORMATICS EQUIPMENTS IN BANKING INDUSTRY
THE GOVERNOR OF THE STATE BANK
- Pursuant to the Law on the State Bank of Vietnam issued in 1997 and the Law on the amendment, supplement of several articles of the Law on the State Bank of Vietnam issued in 2003;
- Pursuant to the Law on Credit Institutions issued in 1997 and the Law on the amendment, supplement of several articles of the Law on Credit Institutions issued in 2004;
- Pursuant to the Decree No. 96/2008/ND-CP dated 26 August 2008 of the Government providing for functions, duties, authorities and organizational structure of the State Bank of Vietnam;
- Upon the proposal of the Director of Banking Information Technology Department,
DECIDES:
Article 1. To issue in conjunction with this Decision the Regulation on maintenance of system of informatics equipments in Banking industry.
Article 2. This Decision shall be effective after 15 days since its publication in the Official Gazette.
Article 3. The Director of the Administrative Department, the Director of the Banking Information Technology Department, Head of units of the State Bank, General Manager of the State Bank branch in provinces, cities under the Central Government's management; Chairman of the Board of Directors, General Directors (Directors) of Credit Institutions shall be responsible for the implementation of this Decision.
FOR THE GOVERNOR OF THE STATE BANK OF VIETNAM
DEPUTY GOVERNOR
Nguyen Toan Thang
REGULATION
ON THE MAINTENANCE OF SYSTEM OF INFORMATICS EQUIPMENTS IN BANKING INDUSTRY
(Issued in conjunction with the Decision No. 29/2008/QD-NHNN dated 13 October 2008 of the Governor of the State Bank)
Chapter I
GENERAL PROVISIONS
Article 1. Governing scope and subjects of application
1. This Regulation provides for technical standards, sequences, procedures and measures of ensuring security, confidentiality in the maintenance of informatics equipments in Banking industry.
2. This Regulation shall be applied to State Bank system and credit institutions of different types which apply information technology in banking operation (hereinafter referred to as Bank).
Article 2. Interpretation
1. In this Regulation, system of Banking informatics equipments includes devices of hardware, network system, computer software and database serving one or more operational technical activities of the Bank.
2. Maintenance means the maintenance of equipments system during the process of use, exploitation in order to maintain working capacity, increase service life, early detect and prevent the risk of failure, unsafeness of each separate device, group of devices or the entire system of equipments.
3. Off-site maintenance means the performance of off-site maintenance of informatics equipments and software via computer network of the Bank.
4. Unexpected maintenance means the act of timely overcoming or preventing technical breakdowns which may cause effect to the Bank's operation.
5. Periodic maintenance means the act aiming to help the system work continuously in good condition, perform in line with the established plan.
6. Self-maintenance means the maintenance performed by technical officers of the Bank.
7. Warranty means the overcoming of bugs, technical breakdowns arising due to faults of producer within the warranty period of device or software.
8. Scenario means the collection of requirements, procedures, circumstances, data and performance results predetermined, used in the process of examination, installation, warranty, maintenance of equipments, software, information technology database.
9. Outsourced service means the maintenance performed via the contract entered into with maintenance service suppliers.
10. Maintenance book means the book opened by the Bank for recording diary of each maintenance time. After each maintenance time, basic information needs recording includes time, location of performance, maintainer, completed works and uncompleted works, recommendation (if any).
11. Maintenance ticket means a leaflet used to follow up process of repair, replacement, change, additional installation of hardware devices, network devices and these devices shall be maintained from the installation until they are out of service. There contains basic information in each ticket, such as time, maintainer and information relating to the change, additional installation of devices.
12. Managerial officer means the person assigned to administer the system, examine, supervise the maintenance, repair, replacement of components, devices, organize acceptance of results after maintenance for putting into use.
Article 3. Basic principles in the maintenance of informatics equipments
1. The maintenance can be performed on site or off-site.
2. Do not interrupt normal operation of the Bank.
3. The implementation must be organized in scientific and reasonable manner in accordance with the plan approved by competent level or under the signed contract. The maintenance for each device must comply with provisions, conditions, technical standards of the producer or provider.
4. To effectively prevent the risk of failure of devices, do not infect devices, software and database of the Bank with virus in the process of maintenance.
5. To ensure system security, to keep secret of data of the Bank, prevent the stealing or illegal exploitation of data in the process of maintenance.
6. Requirements of maintenance, time and measures of implementation must be specified in writing since the installation of system of informatics equipments and shall be supplemented regularly during the exploitation and use.
Article 4. Hardware devices (hereinafter referred to as hardware) include:
1. Devices of system: Server of different types, storage, tape library and uninterruptible power supply system (UPS from 5 KVA and more, electrical generator).
2. Special purpose devices: Personal computer, notebook, terminal, laser printer, dot printer, scanner, uninterruptible power supply system (UPS below 5 KVA, voltage regulator), automatic teller machine, card reader of different types.
Article 5. Network system includes:
1. Communication and network devices: router, Switch, Modem, line, main optimizer (optical cable, subscriber line), IP Call processing and other communication devices.
2. Security devices: Firewall, intrusion prevention system device, Encryptor/Decryptor, identification equipment and other security devices.
3. Network node, network cable and other accessories.
Article 6. Computer software and database of the Bank (hereinafter referred to as software and database) include:
1. Banking operational software, software serving the Bank's administration, specialized Web pages.
2. System software, anti-virus software, spyware, administration software of informatics network, communication network, security software, middleware, firmware.
3. Database includes data and database management system.
Article 7. Conditions for the participation in maintenance of informatics equipments by organizations, individuals
1. Individuals participating in the maintenance activity, including managerial officers, maintainers must possess full virtuous characters, competence, knowledge, professional skill of information technology; sectors requested for maintenance.
2. Organizations supplying maintenance service are specialized companies, units which engage in information technology, communication sector, have legal status and perform legal business activities; have group of qualified maintainers and enough maintainers to carry out the maintenance in line with plan, content of maintenance requested by the Bank.
3. Depending on the reality, the Bank can provide for additional conditions in correspondence with the maintenance activity such as standards of person, means of repair, requirements of software specialized in examination, discovery of errors and acceptance of results after maintenance.
Chapter II
SPECIFIC PROVISIONS
Article 8. Basic contents of the maintenance of informatics equipments
1. Basic contents of the maintenance of hardware and network system:
a. To examine operation situation of devices; examine configuration of devices, examine speed of communication line and carry out industrial hygiene;
b. To discover, recommend and repair, replace broken-down or out of service devices.
2. Basic contents of the maintenance of software and database:
a. Upgrading software: includes timely overcoming of shortcomings of the program (patch), satisfaction of innovation requirement of operation and replacement of algorithm or replacement of backward technology.
b. Adjustment of software: includes the change, supplement of software components more suitable with users' requirements and real state of devices.
c. Maintenance of system software (operating system): to examine the performance of the system, free disk areas. To delete intermediary data files, delete expired log files.
d. To examine, destroy informatics virus, harmful codes, informatics worm and to maintain in line with particular standards of the provider.
Article 9. Time of maintenance of informatics equipments
1. On daily, weekly basis, the user of informatics equipments must be responsible for preserving, cleaning externally equipments, do not let the equipment be dusty, timely making report to responsible person upon discovering abnormal signs of devices, software or database.
2. Periodically, the Bank must carry out the examination of technical situation of devices for timely discovery of errors that possibly occur; optimize parameters of data tables, clean up old data and redundant data.
3. The Bank must perform the maintenance at least once every 6 months. Equipments in warranty time are still required to be maintained periodically.
Article 10. Process of maintenance of informatics equipments
The maintenance process includes following major steps:
1. To hand over technically operation situation of machines, devices, software and database between related parties for drawing detailed implementation plan.
2. For software, database, machine, device with password, managerial officer must replace with temporary password; keep configuration and important data in order to prevent the loss of data during maintenance time.
3. The maintainer performs the maintenance. During the maintenance, the maintainer must use temporary passwords.
4. After the completion of maintenance, related parties must organize operation for acceptance of operation situation of each separate device, software and the entire system; examine standards of industrial hygiene, reexamine the record of maintenance diary.
5. The managerial officer must organize examination, supervision of maintenance activity, render passwords to their initial state and ensure devices to be ready for use.
Article 11. Organization of maintenance of informatics equipments
1. General principles
Based on the importance and technical difficulty of each information technology system; based on the organization model and qualification of technical officers, the Bank can maintain by itself, choose outsourcing service and choose forms of periodic maintenance, unexpected maintenance, on-site maintenance, off-site maintenance, on the basis of compliance with principles provided for in article 3 of this Regulation.
2. Decentralization in the implementation organization
a. Managerial unit of level 1: means units having function of management of information technology of the State Bank or having specialized function of information technology at Head Offices of banks. These units have following main tasks:
- To administer the maintenance of informatics equipments of the entire system, to assign specific tasks to junior managerial units and organize general examination, supervision of the entire system.
- To organize the implementation of maintenance for large or important information technology systems, software and united database of the entire system, server system of different types, WAN network system, backup system and security system; to maintain specialized informatics equipments at working office.
- To make estimates of expenditure and annual expenses settlement in accordance with the regime.
b. Managerial unit of level 2: means bank's branches or equivalent, subject to the direction of managerial unit of level 1 in terms of Information technology. These units have following main tasks:
- To organize the implementation of maintenance of informatics equipments at locations assigned by the managerial unit of level 1 and to maintain specialized informatics equipments at its working office.
- To make estimates of expenditure and annual expenses settlement for assigned works in accordance with the regime.
Article 12. Security in the maintenance of informatics equipments
1. To organize the supervision, acceptance of results in line with the approved scenario. Persons lacking professional capacity or without necessary repairing tools upon maintenance are not permitted to perform maintenance.
2. For software, database, machine, device having password, it is required to use temporary passwords in the maintenance time and to change them right after the completion of maintenance.
3. It is necessary to prepare a standby plan of substitute machines, devices, components, accessories to ensure the convenience, quickness of the maintenance. To have measures of risk prevention upon performing maintenance.
4. Components, accessories must be technically examined before being upgraded, replaced. For devices containing confidential data and still being usable, it is required to preserve them and delete the entire data thereof before repairing, replacing. Changes in design, configuration of devices in each time of repair, replacement or upgrade must be recorded fully in diary.
5. Off-site maintenance shall only be performed when network system of the Bank is equipped with security tools including encryptor of transmission line, firewall, anti-virus devices.
Chapter III
MANAGEMENT OF MAINTENANCE ACTIVITY
Article 13. Responsibilities of the Bank
1. The Bank shall be obliged to have a written plan of maintenance and measures of implementation organization. To draw up plan of expenditures and prepare other resources for the maintenance on the annual basis.
2. To arrange qualified officers for assuming task of management, supervision during the process of maintenance and acceptance of results after the completion of maintenance.
3. To create favorable conditions so as maintenance activity is performed in line with the plan, quickly, effectively and safely.
Article 14. Responsibilities of the organization or individual that manages the maintenance
1. To organize the implementation of maintenance at the Bank in line with the plan and provisions of Chapter II of this Regulation.
2. To organize examination, supervision, guarantee of maintenance and acceptance of results after the completion of maintenance.
3. To manage the maintenance book, maintenance tickets and to draw up report on maintenance.
Article 15. Responsibilities of the organization or individual that assumes the maintenance
1. To be obliged to perform the maintenance in compliance with the scenario approved by competent level. Any technical breakdown that can affect operation of the Bank must be reported immediately to the competent person for timely settlement, overcoming solutions.
2. When the technical breakdown is solved completely, broken-down equipments, replaced components, accessories and actual technical status of machine, device must be handed over to person in charge of management of the Bank. Breakdowns that defected machines, devices due to objective factors must be indemnified. After completion of maintenance work, it is required to record in the maintenance book and maintenance ticket.
3. To strictly comply with internal regulation on entrance and exit of the company and provisions on security of assets of the Bank.
Chapter IV
IMPLEMENTING PROVISIONS
Article 16. Dealing with violation
Any violation of provisions of this Regulation shall, depending on seriousness of the violation, be subject to the administrative punishment, compensation for material damages, be prosecuted for criminal liability in compliance with provisions of applicable laws.
Article 17. Responsibility of implementation
1. The Director of Banking Information Technology Department shall be responsible for providing guidance and coordinating with Chief Inspector of the State Bank, Director of General Control Department, Director of Finance Accounting Department to examine the implementation of this Regulation.
2. Head of units of the State Bank, General Manager of the State Bank branch in provinces, cities under the Central Government's management; Chairperson of the Board of Directors, General Directors (Directors) of Credit Institutions shall be responsible for the organization of implementation, examination of compliance with this Regulation in their unit.