THE STATE BANK OF VIETNAM
Circular No. 18/2018/TT-NHNN dated August 21, 2018 of the State Bank of Vietnam on information system security in banking operations
Pursuant to the Law on the State Bank of Vietnam dated June 16, 2010;
Pursuant to the Law on Credit Institutions dated June 16, 2010 and the Law on amendments to the former Law dated November 20, 2017;
Pursuant to the Law on E-Transaction dated November 29, 2005;
Pursuant to the Law on Information Technology dated June 29, 2006;
Pursuant to the Law on Cyber information security dated November 19, 2015;
Pursuant to Decree No.16/2017/ND-CP dated February 17, 2017 of the Government on functions, duties, rights and organizational structure of the State Bank of Vietnam;
At the request of the Director of Information Technology Authority;
The Governor of the State Bank of Vietnam hereby promulgates a Circular on information system security in banking operations.
Article 1. Scope of adjustment and subject of application
1. This Circular provides for the assurance of information system security in banking operations.
2. This Circular applies to credit institutions (except for people's credit funds and microcredit institutions), branches of foreign banks and intermediary payment service providers (hereinafter referred to as "institutions").
Article 2. Definitions
For the purpose of this Circular, the terms below shall be construed as follows:
1. "information system" means a collection of hardware and software appliances, databases and network systems used for producing, transmitting, receiving, collecting, storing and exchanging digital information, which supports one or more technical or professional operations of an institution.
2. "confidentiality of information" means assurance that information is only accessible to persons who are granted the corresponding permissions.
3. "integrity of information" means assurance that the accuracy and completeness of information are protected and that any change to information is only permitted by authorized persons.
4. "availability of information" means assurance that authorized persons are able to retrieve information whenever they need it.
5. "information security" means the protection of digital information and information systems from unauthorized access, use, disclosure, interruption, change or illegal disruption, with the aim of ensuring the confidentiality, integrity and availability of information.
6. "information technology risk" means the probability of loss when carrying out operations relating to information systems. Information technology risk relates to the management and use of hardware, software, communications, system interfaces, operations and people.
7. "cyber security incident" means an incident in which digital information or an information system is attacked or harmed, resulting in negative effects on its confidentiality, integrity or availability.
8. "technical vulnerability" means any component of an information system that is highly susceptible to attack or to unauthorized access and use.
9. "data center" means technical infrastructure (base station and cable system) together with a computer system and the auxiliary equipment installed in it, used for processing, storing, exchanging and managing data in a centralized manner.
10. "mobile device" means a digital device which can be hand-held without any effect on its operating capability and which has an operating system, the capability to process data or connect to a network, and a display screen, such as a laptop, tablet or smartphone.
11. "information-bearing object" means a physical medium used for storing, transmitting and receiving digital information.
12. "firewall" means a collection of components, or a system of equipment and software, placed between two networks with the aim of controlling all outgoing and incoming connections.
13. "untrusted network" means an external network connected to the internal network of an institution which is not under the management of that institution, or of any foreign credit institution related to that institution (for example, where the institution is an affiliated entity or commercial presence of such foreign credit institution in Vietnam).
14. "cloud computing service" means the offering of computing resources through a network environment which enables users to access, adjust and pay for those resources according to their usage requirements.
15. "user account" or "account" means a unique collection of information representing a user on an information system, which is used for logging in to and accessing the resources permitted on that information system.
16. "third party" means any individual or enterprise (excluding a foreign credit institution and members of that foreign credit institution where the institution is an affiliated entity or commercial presence in Vietnam of such foreign credit institution) entering into a written agreement (hereinafter referred to as a "contract for service use") with the institution to supply information technology services.
17. "competent authority" means a title or person authorized in writing by the legal representative of an institution to perform one or more duties of that institution.
Article 3. General principles
1. The institution shall take responsibility for ensuring information security under the principle that the powers and responsibilities of each department and individual in the institution are clearly defined.
2. Information systems shall be categorized in order of importance under an appropriate information security policy.
3. Information technology risks that may be incurred by the institution must be promptly identified, classified, assessed and efficiently handled.
4. Information security regulations shall be established and adopted in accordance with the provisions herein, ensuring a balance between the institution's interests, costs and ability to take risk.