Full text of Circular 09/2020/TT-NHNN prescribing the security of information systems in banking operations
THE STATE BANK OF VIETNAM
SOCIALIST REPUBLIC OF VIET NAM
Hanoi, October 21, 2020
PRESCRIBING INFORMATION SYSTEM SECURITY IN BANKING OPERATIONS
Pursuant to the Law on the State Bank of Vietnam dated June 16, 2010;
Pursuant to the Law on Credit Institutions dated June 16, 2010 and the Law on amendments to the Law on Credit Institutions dated November 20, 2017;
Pursuant to the Law on Electronic Transactions dated November 29, 2005;
Pursuant to the Law on Information Technology dated June 29, 2006;
Pursuant to the Law on Cyberinformation Security dated November 19, 2015;
Pursuant to the Cybersecurity Law dated June 12, 2018;
Pursuant to the Government’s Decree No. 85/2016/ND-CP dated July 01, 2016 on the security of information systems by classification;
Pursuant to the Government’s Decree No. 16/2017/ND-CP dated February 17, 2017 defining functions, tasks, powers and organizational structure of the State Bank of Vietnam;
At the request of the Director of Information Technology Department;
The Governor of the State Bank of Vietnam promulgates a Circular prescribing the security of information systems in banking operations.
Article 1. Scope and regulated entities
1. This Circular provides for minimum requirements for assurance of information system security in banking operations.
2. This Circular applies to credit institutions, foreign bank branches, intermediary payment service providers, credit information companies, National Payment Corporation of Vietnam (NAPAS), Vietnam Asset Management Company (VAMC), National Banknote Printing Plant, and Deposit Insurance of Vietnam (hereinafter referred to as “institutions”) that establish and use information systems to support one or more of their technical and professional operations.
Article 2. Definitions
For the purposes of this Circular, the terms used herein shall be construed as follows:
1. “information technology risk” means the probability of loss during the process of carrying out operations related to information systems. Information technology risk relates to management and use of hardware, software, communication, system interface, operation and people.
2. “information security incident” means an event in which digital information or an information system is attacked or harmed resulting in adverse effects on the integrity, confidentiality or usability of information.
3. “technical vulnerability” means any component of an information system which could be easily abused or exploited by intentional attacks or illegal access.
4. “data center” includes technical infrastructure (base station and cable system) and computer system inside which auxiliary devices are installed in order to store, exchange and manage data in a concentrated manner.
5. “mobile device” means a digital device which can be hand-held without any adverse effects on its operating system, capability of processing and connecting to a network as well as a display screen, such as laptops, tablets and smart phones.
6. “information-bearing object” means physical means of storing, disseminating and receiving digital information.
7. “firewall” means a collection of components or one or some systems of equipment and software which are placed between two networks and are aimed at controlling all of outgoing or incoming connections.
8. “untrusted network” means an external network which is connected to the internal network of an institution and is not under the management of that institution or of any foreign credit institution of which that institution is an affiliate or commercial presence in Vietnam.
9. “cloud computing service” means the delivery of computer system resources (including computing, networks, storage and software applications, and other computer system resources) through a network environment that enables ubiquitous users to access, adjust and pay according to user demand.
10. “user account” means a collection of information exclusively representing a user on the information system, the one who uses it to sign in and access authorized resources on that information system.
11. “third party” means an individual or enterprise that has entered into a written agreement on provision of information technology services (hereinafter referred to as “service contract”) with an institution (excluding the foreign credit institution of which that institution is an affiliate or commercial presence in Vietnam, and its affiliated entities).
12. “lawful representative” means the legal representative of a credit institution or enterprise, or General Director (Director) of a foreign bank branch.
13. “competent authority” means a title holder or person that is delegated or authorized in writing by the institution’s lawful representative to perform one or certain functions and tasks of that institution.
14. “multi-factor authentication” means an authentication method that requires a user to provide at least two factors to prove the legitimacy of his/her identity. Authentication factors include: (i) Information known to the user (PIN, password, etc.), (ii) Something in the possession of the user (smart card, token, mobile, etc.), (iii) Biometric characteristics of the user.
Article 3. General principles
1. Each institution shall assume responsibility to assure information security by clearly determining powers and responsibilities of each department and individual in that institution.
2. Information systems shall be classified in accordance with the provisions in Article 5 hereof and managed by appropriate information security policies.
3. Information technology risks that may occur in an institution must be promptly recognized, classified and evaluated, and effectively treated.
4. Regulations on information security shall be formulated and implemented on the basis of the provisions herein and balancing benefits, expenses and risk acceptance levels of each institution.
Article 4. Information classification
Information processed and stored in an information system shall be classified by its confidentiality as follows:
1. Public information is the information that is publicly disclosed to every entity without identifying and locating such entities;
2. Private information (or internal information) is the information managed and exploited by one or some entities that have been identified and located;
3. Personal information is the information related to the identification of a particular client, including information on his/her account, deposit accounts, deposited assets and transactions, and other relevant information;
4. Classified information includes (i) confidential, secret and top secret information as prescribed by the law on protection of state secret, and (ii) restricted information as prescribed by the institution.
Article 5. Classification of information systems
1. Information systems that are employed to provide online services to clients shall be classified in accordance with the provisions of the Government’s Decree No. 85/2016/ND-CP dated July 01, 2016. Other information systems shall be classified in accordance with the provisions in Clause 2 through 7 of this Article.
2. Level 1 information system is the information system that serves internal operations of an institution and only processes public information.
3. Level 2 information system is the information system that meets one of the following criteria:
a) An information system that serves internal operations of an institution, processes private information, personal information of users and restricted information as prescribed by the institution but does not handle classified state information;
b) An information system that serves clients who do not request 24/7 service;
c) An information infrastructure system that serves operations of some departments of an institution or of a microfinance institution or local people’s credit fund.
4. Level 3 information system is the information system that meets one of the following criteria:
a) An information system that processes state information classified as confidential;
b) An information system that serves daily internal operations of an institution and does not halt for over 4 working hours from the time of suspension;
c) An information system that serves clients with request for 24/7 service and does not halt without an approved schedule;
d) Payment systems that are provided by third parties to make payments outside an institution's system;
dd) A shared information infrastructure system that serves operations of an institution and the banking sector.
5. Level 4 information system is the information system that meets one of the following criteria:
a) An information system that processes state information classified as secret;
b) An information system that serves clients, processes and stores data of at least 10 million clients;
c) A national information system in banking sector that operates 24/7 and does not halt without an approved schedule;
d) Important payment systems in banking sector as prescribed by the State Bank of Vietnam (SBV);
dd) A shared information infrastructure system that serves operations in banking sector, operates 24/7 and does not halt without an approved schedule.
6. Level 5 information system is the information system that meets one of the following criteria:
a) An information system that processes state information classified as top secret;
b) A national information system in banking sector that serves connections between Vietnam and the world;
c) A national information infrastructure system in banking sector that serves connections between Vietnam and the world.
7. If an information system is comprised of various constituent systems which are classified in different levels, the entire system shall adopt the highest among levels of constituent systems.
8. Institutions shall determine the classifications of their information systems in accordance with the provisions in Clause 1 through 7 of this Article. Required documents and procedures for appraisal and approval for information systems by classification shall comply with Decree No. 85/2016/ND-CP. Documents submitted for approval for level 4 or 5 information system shall be sent to SBV (via the Information Technology Department) for its opinions.
9. The list of information systems by classification shall be compiled, reviewed and updated after a system is developed and on annual basis.
Article 6. Regulations on information security
1. Each institution must set out its own regulations on information security which must be consistent with its specific information system, organizational structure, managerial and operational requirements. The regulations on information security must be signed by the institution’s lawful representative and implemented throughout that institution.
2. Regulations on information security shall, inter alia, include the following basic contents:
a) Management of information technology assets;
b) Human resource management;
c) Assurance of physical safety and the safety of installation environment;
d) Operating and information exchange management;
dd) Access management;
e) Management of third parties’ information technology services;
g) Management of acceptance, development and maintenance of information systems;
h) Management of information security incidents;
i) Assurance of continuous operation of information systems;
k) Internal inspection and reporting regime.
3. Each institution must review its regulations on information security at least once a year and ensure the completeness of these regulations in accordance with the provisions herein. Whenever there is any deficiency or irrationality that may cause insecurity of the information system, or upon the request of competent authorities, each institution shall immediately amend and modify its existing regulations on information security.
PROVISIONS ON ASSURANCE OF INFORMATION SECURITY
Section 1. MANAGEMENT OF INFORMATION TECHNOLOGY ASSETS
Article 7. Management of information technology assets
1. Information technology assets include:
a) Information asset: data or information expressed in digital format, processed and stored through the information system;
b) Physical asset: information technology equipment, means of communications, information-bearing objects and devices, all of which provide assistance for operations of information systems;
c) Software asset: system software, utility software, middleware, database management system, application programs, source codes and development tools.
2. Each institution shall compile a list of all information technology assets attached to each information system in accordance with the provisions in Clause 9 Article 5 hereof. The list of information technology assets shall be revised and updated at least once a year.
3. Based on the classification of information systems, each institution shall adopt appropriate measures to manage and protect each type of information technology assets.
4. Based on the classification of information technology assets prescribed in Clause 1 of this Article, each institution shall set out and implement regulations on management and use of such assets in accordance with the provisions in Article 8 through 12 hereof.
Article 8. Management of information assets
1. Each institution shall list information assets of each information system, and stipulate authority and responsibility of persons or departments that are entitled to access, exploit and manage such information assets.
2. Information assets must be classified by classifications of information prescribed in Article 4 hereof.
3. Any information asset that is categorized as classified information must be encrypted or secured by appropriate methods in order to ensure the confidentiality of information during the process of creating, exchanging and storing such information.
4. Data loss prevention measures must be adopted for information assets contained on the information system of level 3 or higher.
Article 9. Management of physical assets
1. Apart from the provisions of this Article, physical assets which are mobile devices or information-bearing objects must be managed in accordance with the provisions in Articles 11 and 12 hereof.
2. With regard to each information system under its direct management, the institution shall compile the list of physical assets including the following basic information: name, value, installation position, managing entity, purposes of use, working conditions and corresponding information system.
3. Individuals or departments of the institution must be assigned and bound to take charge of using and managing physical assets.
4. Movement of any physical asset outside of an institution must be approved by a competent authority. If the physical asset moved out contains classified information, measures to protect the confidentiality of such information must be taken.
5. When changing the purpose of use of physical assets containing certain classified information or liquidating these assets, each institution must apply measures to remove or eliminate such information so that they could not be restored. Where it is impossible to eliminate the classified information, the institution must implement a measure to eliminate data storage constituents of such assets.
Article 10. Management of software assets
1. With regard to each information system under its direct management, the institution shall compile the list of software assets including the following basic information: name, value, purposes of use, scope of use, administrator, copyright information, version and working conditions and constituent information system (if any).
2. Individuals or departments of the institution must be bound to take charge of managing software assets.
3. Software assets must be periodically reviewed and updated with security patches.
4. Software assets stored on information-bearing objects must also comply with the provisions in Article 12 hereof.
Article 11. Management of mobile devices
1. Mobile devices must be registered for controlling purposes when they are connected to an institution’s internal network.
2. Mobile devices must be connected to an institution’s information service networks and systems within a limited area; connecting mobile devices to the institution’s permitted information systems must be controlled.
3. Regulations on responsibilities of mobile device users in each institution must be set out.
4. The following technical measures shall be applied to mobile devices which are used for working purposes:
a) Set up the function of remotely disabling or locking devices or removing data in case mobile devices get lost or are stolen;
b) Back up data on mobile devices in order to protect and restore data whenever necessary;
c) Implement measures to protect data when sending mobile devices to warranty, maintenance and repair service providers.
5. With regard to mobile devices that are assets of an institution, apart from the provisions in Clause 4 of this Article, the institution must adopt the following technical measures:
a) Control installed software products; install software updates and patches on mobile devices;
b) Install functions for protecting personal information, internal information and classified information; passwords; and software for preventing malicious code and other security errors.
Article 12. Management of information-bearing objects
Each institution shall manage and use information-bearing objects in accordance with the following provisions:
1. Control connection and disconnection of information-bearing objects to and from devices belonging to the information systems.
2. Develop measures to ensure safety of information-bearing objects during the carriage and storage process.
3. Implement measures to protect classified information contained in information-bearing objects.
4. Assign individuals responsibilities for managing and using information-bearing objects.
Section 2. HUMAN RESOURCE MANAGEMENT
Article 13. Organization of human resources
1. Each institution’s lawful representative shall directly provide guidelines and take responsibility for preparation of strategies and plans for assurance of information security and response to information security incidents that occur in that institution.
2. An institution that has information systems of level 2 or lower shall assign a specific department to take charge of assuring information security.
3. An institution that directly manages an information system of level 3 or higher shall:
a) Establish or assign a specialized information security department to perform functions and tasks of assuring information security and responding to any information security incidents that occur in the institution;
b) Separate personnel into the following tasks: (i) Development and administration of information systems; (ii) Development and operation of information systems; (iii) Administration and operation of information systems; (iv) Information security inspection and development, administration and operation of information systems.
Article 14. Recruitment and duty assignment
Each institution shall recruit and assign tasks to its employees in accordance with the following provisions:
1. Determine responsibilities of each position to which an employee is recruited or assigned for assurance of information security.
2. Strictly consider and evaluate ethical behaviors and professional qualifications with reference to an employee's personal background and criminal record before assigning that employee to take up an important position in the information systems, such as operator of an information system of level 3 or higher, or information systems administrator.
3. Request recruited candidates to make a written commitment to information security on a separate basis or give such commitment in employment contracts. This commitment must include terms and conditions regarding responsibilities for assurance of information security during and after the period of time when they work at an institution.
4. Organize training and dissemination of the institution’s regulations on information security to newly recruited employees.
Article 15. Management and use of human resources
Each institution shall manage its human resources in accordance with the following provisions:
1. Disseminate and provide updated regulations on information security to all staff members at least once a year.
2. Inspect the compliance with regulations on information security by its directly-affiliated individuals or departments at least once a year.
3. Take disciplinary actions against individuals or departments that commit violations against regulations on information security in accordance with laws and regulations adopted by the institution.
Article 16. Employment termination or change
If an institution’s staff member terminates or changes his/her employment, the institution shall:
1. Determine his/her responsibilities upon employment termination or change.
2. Request him/her to transfer information technology assets.
3. Immediately revoke the rights to access information systems of the employee who resigns from his/her employment.
4. Change the rights to access information systems of the employee who changes his/her employment in order to adhere to the principle that these rights are adequate for them to perform their assigned tasks.
5. At least every six months, carry out the periodic review and examination between the human resource management department or system and the department in charge of managing distribution and revocation of rights to access information systems in order to ensure the compliance with the provisions in Clause 3 and Clause 4 of this Article.
6. Inform SBV (via the Information Technology Department) of cases in which individuals working in the information technology sector have been disciplined in a form of dismissal, discharge or judicial proceedings on account of violations in Section 2 Chapter XXI of the Criminal Code (Violations against regulations on information technology and telecommunications network).
Section 3. ASSURANCE OF PHYSICAL AND ENVIRONMENTAL SAFETY FOR LOCATIONS FOR INSTALLATION OF INFORMATION TECHNOLOGY EQUIPMENT
Article 17. General requirements of locations for installation of information technology equipment
1. Build guard fences and entrance and exit gates, or adopt measures to control and restrict unauthorized access risks.
2. Implement measures to prevent and control explosion or flood risks.
3. Isolate areas that require a high level of information security or confidentiality, including areas for installation of servers, storage devices, security instruments and communications equipment of an information system of level 3 or higher, from areas for shared use, distribution and cargo handling; promulgate working rules and instructions as well as apply measures to control the entry and exit into and from such areas.
Article 18. Requirements for data center
Apart from the requirements referred to in Article 17 hereof, a data center must meet the following requirements:
1. Entrance or exit gate/door of the data center must have 24/7 security guards.
2. Entrance and exit door must be firm, have a firefighting capability, use at least two distinct types of security keys and be put under 24/7 guard and surveillance.
3. Areas for installation of information technology equipment must be protected from direct sunlight, and prevented from leakage and flood. Areas for installation of equipment of an important information system of level 3 or higher must be put under 24/7 guard and surveillance.
4. The data center must have at least one power source supplied by the power transmission grid and one supplied by a power generator. There must be an automatic transfer switch between the two power sources. Whenever the power source supplied by the power transmission grid is cut, the power generator must automatically run to supply power. The power source must be connected through the uninterruptible power supply (UPS) system to supply power for equipment and ensure the capability of maintaining operations of such equipment.
5. It must be equipped with an air conditioning system which must be capable of continuously operating.
6. It must be equipped with a lightning protection system and a surge protection device.
7. It must be equipped with an automatic fire alarming and firefighting system. Firefighting activities must not cause damage to built-in equipment, unless the institution has established a standby system which shall ensure the absolute security of data and be capable of completely substituting the main system for 01 hour.
8. It must be equipped with a technical floor system or electrification insulating layer, and grounding system.
9. It must be equipped with a surveillance camera system which has capacity for storing data within at least 90 days.
10. It must be equipped with a temperature and humidity monitoring and controlling system.
11. It must have an entry and exit logbook.
Article 19. Physical asset security
1. Physical assets must be arranged or installed in a safe and guarded position in order to reduce risks incurred by environmental threats or perils and unauthorized access.
2. Physical assets belonging to an information system of level 3 or higher must be provided with an adequate power source and support systems whenever interruption of the main power source occurs. Electric overload, voltage sag or surge protection solutions, grounding system, standby generation system and UPS system must be in place to ensure continuous operations.
3. Power supply and communications cables used for transmission of data or other information support services must be protected from any infringement or damage.
4. Equipment and devices used for professional operations which are installed outside of each institution’s office must be protected and guarded from any act of unauthorized access.
Section 4. MANAGEMENT OF OPERATION AND INFORMATION EXCHANGE
Article 20. Responsibility for management and operational procedures
1. Promulgate procedures or a manual for operation of the information system of level 3 or higher, which shall, inter alia, include the following contents: procedures for system startup and shutdown, data backup and restoration, application operation, troubleshooting, supervision and recording of system operations into the logbook. For the purposes of such procedures, the scope of work and responsibilities of persons who use and operate the information system must be clearly defined. The procedures for operation of the information system must be reviewed, updated and amended at least once a year to ensure their conformity with actual conditions.
2. Disseminate promulgated procedures to all persons who engage in the operation of the information system, and supervise their compliance with such procedures.
3. The operating environment of an information system of level 3 or higher and any information system that processes client's personal information must meet the following requirements:
a) It must be independent of development environment and examination and testing environment;
b) Measures to ensure information security must be applied;
c) Application development tools and equipment are not installed on the system;
d) Functions and utility software that are not currently in use on the information system must be eliminated or turned off.
4. An information system that is employed to process client’s transactions must meet the following requirements:
a) A single individual is not allowed to participate in different processes varying from initiation to approval of a transaction;
b) Multi-factor authentication shall be taken at the final step of approving a financial transaction which is conducted to make an interbank electronic funds transfer of VND 100 million or more (except the Straight Through Process through which transactions between intersystems are automatically authenticated);
c) Measures to ensure the integrity of data of transactions must be applied;
d) All activities on the information system must be tracked and recorded so that they are traceable to facilitate examination or control efforts whenever necessary.
Article 21. Planning and acceptance of information systems
1. Each institution must establish technical standards, norms and requirements in order to ensure that all existing systems and any information systems normally operate before they are officially brought into operation.
2. Based on technical standards, norms and requirements which have already been formulated, each institution shall carry out supervision and optimization of performance of the information systems; assess the demand satisfaction, operating status and configuration of the information systems to forecast and formulate the plan for expansion and improvement in order to ensure its demand satisfaction capability in the future.
3. Each institution must review and update technical standards, norms and requirements whenever there is any change made to the information systems. It should provide relevant staff members with opportunities to participate in technical training and transfer in terms of elements subject to such changes.
Article 22. Data backup
Each institution shall carry out backup to ensure data security in accordance with the following provisions:
1. Compile the list of information systems that are required to be backed up, in which they are classified in order of importance, storage period, backup time, backup method and time of testing for system restoration from backup data.
2. Data stored in an information system of level 3 or higher must be automatically backed up on a basis that is consistent with the frequency of changes to data and ensures principle that any newly-generated data must be backed up within 24 hours. Data of other information systems shall be periodically backed up according to regulations adopted by each institution.
3. Data of an information system of level 3 or higher must be backed up in external storage devices (such as magnetic tapes, hard disks, optical discs or other storage devices), and must be safely retained and stored, and separated from the area where the source information system is installed, within the working day following the date on which the backup is completed.
4. Backup data stored in external storage devices shall be checked and restored on the following periodical basis:
a) Every year, as regards information systems of level 3 or higher; or
b) Every two years, as regards other information systems.
Article 23. Management of network safety and security
Each institution shall manage the safety and security of its network system in accordance with the following provisions:
1. Formulate regulations on management of network safety and security and management of terminal devices of the entire network system.
2. Create and store documentation relating to logic and physical diagrams in respect of network systems, including wide area network (WAN/Intranet) and local area network (LAN).
3. Develop the institution’s network system which must meet the following requirements:
a) Divide the network system into different network areas, depending on types of users, purpose of use and information system, including: (i) A separate zone for the server and database of the information system of level 3 or higher, (ii) Demilitarized zone (DMZ) for providing services on the Internet, and (iii) A separate zone for providing wireless network services;
b) Equip firewall devices to control connections and access to important network areas;
c) Equip devices that have firewall and intrusion detection functions to monitor any connections and access from untrusted networks to the institution's network;
d) Provide solutions for controlling, detecting and preventing, in a timely manner, any unauthorized connections or access to the internal network of the institution that has the information system of level 3 or higher;
dd) Provide measures for network load balancing and response to denial-of-service attacks in respect of the information system of level 3 or higher that provides services on the Internet.
4. Set up and configure functions according to design of network security equipment; implement measures and solutions to search and detect technical vulnerabilities and holes of the network system; regularly check and detect any illegal connection, equipment or software which is installed without permission into the network system.
Article 24. Information exchange
When exchanging information with clients and third parties, each institution shall take the following responsibilities:
1. Promulgate regulations on information exchange, including at least the following: types of information to be exchanged; rights and responsibilities of each individual granted access to information; means of information exchange; measures to ensure integrity and confidentiality of information during the process of transmitting, receiving, processing and storing such information; information storage policies.
2. Enter into written agreements when exchanging personal information, internal information and classified information with external parties, in which responsibilities and obligations of contracting parties for use and assurance of information security must be defined.
3. Encrypt or apply measures to keep classified information confidential before it is exchanged. As regards level 5 information systems, the institution must use safe network connections and specialized equipment and means for encrypting and decrypting classified information during the process of exchanging such information.
4. Implement measures to protect equipment and software that supports information exchange in order to restrict any infringement and illegal access to information.
5. Implement measures to strictly manage, oversee and control electronic information websites which provide information and services and support online transactions with clients.
Article 25. Management of information systems providing online transaction services
1. An information system that serves online transaction services to clients must comply with TCVN 11930:2017 (Information technology - Security techniques - Basic requirements for securing information system according to security levels) and meet the following requirements:
a) Ensure the integrity of data exchanged with clients during the process of conducting online transactions;
b) Data available on the transmission line must be kept confidential and fully delivered to the right address, and protected by appropriate measures to detect any illegal revision or replication;
c) Assess levels of risks in online transactions according to groups of clients, types of transaction and transaction limit in order to provide appropriate authentication solutions in accordance with SBV’s regulations;
d) Any electronic information website used for online transactions must have anti-phishing authentication and must be protected by measures against illegal revision.
2. The information system that serves online transaction services must be strictly monitored to ensure its capability of detecting and warning about:
a) Suspicious transactions based on the following criteria: time and position of transaction (geographical position and IP address), transaction frequency, transaction amount, and number of authentications inconsistent with regulations;
b) Abnormal operations of the system;
c) Denial of Service attacks (DoS), Distributed Denial of Service attacks (DDoS).
3. Before using online transaction services and on a periodical basis, clients must be provided with measures for ensuring information security and warned about potential risks they may incur.
4. When providing online transaction application software on the Internet, the institution must adopt measures to ensure the integrity of such software.
Article 26. Supervision and recording of information systems operations into logbooks
Each institution shall supervise and record operations of information systems of level 2 or higher into the logbook in accordance with the following provisions:
1. Enter and preserve the logbook of operations of information systems and users, errors and information security incidents, including the following:
a) Firewall log;
b) Login log;
c) Configuration change log;
d) Log of access to important data and services (if any);
dd) Log of errors occurring during operations of the system;
e) Log of warnings from devices;
g) Log of operation performance of devices (as regards an information system of level 3 or higher).
2. Data contained in the logbook of a level 2 information system must be preserved online for at least 1 month and backed up at least 6 months. Data contained in the logbook of an information system of level 3 or higher must be preserved online for at least 3 months in a concentrated manner and backed up at least one year.
3. Adopt measures to monitor and warn about changes to classified information contained in storage systems/devices of an information system of level 4 or higher.
4. Protect the logbook writing functions and the information contained in the logbook against phishing, unauthorized revision and illegal access. System administrators and users shall not be allowed to delete or revise the logbook containing their own activities on the system.
5. Synchronize the time of different information systems.
Article 27. Malicious code protection
Formulate and implement regulations on malicious code protection which contain the following contents:
1. Determine responsibilities of users and departments relating to malicious code protection activities.
2. Apply malicious code protection measures or solutions to all information systems of each institution.
3. Regularly update new malicious code samples and malware protection software by setting automatic updates or daily updates.
4. Check information-bearing objects for malicious code and remove it before use.
5. Control installation of software which ensures compliance with regulations on information security of each institution.
6. Take control of strange electronic mails and attached files or other links contained in such emails.
Section 5. ACCESS MANAGEMENT
Article 28. Access control requirements
1. Each institution shall set out regulations on management of access of users, groups of users, devices and tools used for purposes of access to the information system which must ensure conformity to operational requirements and information security requirements, including the following basic contents:
a) Register, grant, renew and revoke access rights of users;
b) Each user account shall be given to only one person to access the system; any sharing of a user account requires an approval from the competent authority and determination of the user’s responsibilities at each time of use;
c) A user account which is automatically connected to applications/services must be assigned to an administrator and granted limited access rights depending on the purpose of use; the administrator shall not be allowed to use this user account for any other purpose;
d) The use of administrator accounts to obtain access to an information system of level 3 or higher and other information systems that process personal information of clients must be limited and controlled by means of: (i) Formulating a mechanism for controlling the creation of administrator accounts in order to ensure that no administrator account is used without an approval from the competent authority; (ii) Adopting measures to monitor the use of administrator accounts; (iii) Limiting the use of administrator accounts to an amount of time which is long enough to perform tasks and revoking the access rights upon task completion; (iv) Any system administration connection must be made through the proxy server or centralized management systems and cannot be made directly from the administrator's server;
dd) Manage and grant passwords to access information systems;
e) Review, check and revise users’ access rights;
g) Set out information security requirements or conditions in respect of devices and instruments used for access purposes.
2. Each institution shall set out regulations on management of passwords which must meet the following requirements:
a) A password must have at least six characters, including numbers, uppercase letters, lowercase letters and other special characters if allowed by the system. A valid request for a password must be checked automatically during the process of setting up a new password;
b) A default password set by a manufacturer on a device or software must be changed before use;
c) Password management software must be developed with the following functions: (i) Requesting change of a password on first login (except one-time passwords); (ii) Notifying users of an expiring password; (iii) Invalidating an expired password; (iv) Invalidating a password when the number of incorrect entries exceeds the permitted number; (v) Allowing a password which has been disclosed, or is exposed to a risk of being disclosed, to be changed promptly, or upon the request of users; (vi) Preventing reuse of an old password during a specified period.
3. Each institution shall set out regulations on responsibilities of users who are granted access rights, including the following contents: Use a password in accordance with regulations; treat this password as confidential; use devices or instruments for access and sign out of the systems when stopping work or temporarily leaving the systems.
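The password requirements of Clause 2 above, point a) and functions (i) to (vi) of point c), modelled as working code. This is an added example, not part of the Circular: time is a plain day counter so the block runs offline, and the 90-day lifetime, 7-day expiry notice, 5-attempt lockout and 365-day reuse block are assumed values where the Circular only speaks of "the permitted number" and "a specified period".

```python
"""Password management modelled on Clause 2, Article 28 (added example, not part of
the Circular). Days are plain integers; the numeric thresholds below are assumptions."""
import hashlib
import os
import string

MIN_LENGTH = 6          # point a): at least six characters
MAX_FAILED = 5          # point c)(iv): assumed permitted number of incorrect entries
LIFETIME_DAYS = 90      # assumed validity period of a password
WARN_BEFORE_DAYS = 7    # point c)(ii): assumed window for the expiry notice
REUSE_BLOCK_DAYS = 365  # point c)(vi): assumed period during which old passwords are blocked
PBKDF2_ROUNDS = 100_000


def complexity_violations(password, special_allowed=True):
    """Point a): length and character classes; returns the list of unmet rules."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    # special characters are only required "if allowed by the system"
    if special_allowed and not any(c in string.punctuation for c in password):
        problems.append("no special character")
    return problems


def _digest(password, salt):
    # Article 38.5: the application layer never stores a password in the clear
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class Account:
    def __init__(self, username):
        self.username = username
        self.salt = b""
        self.digest = b""
        self.set_day = 0
        self.must_change = True   # point c)(i): change required on first login
        self.failed = 0
        self.history = []         # (salt, digest, set_day) of superseded passwords

    def set_password(self, new, today, by_admin=False, special_allowed=True):
        """Returns the list of violations; an empty list means the password was accepted.
        by_admin=True models an initial or reset password that the user must change."""
        problems = complexity_violations(new, special_allowed)
        current = [(self.salt, self.digest, self.set_day)] if self.digest else []
        # point c)(vi): reject the current password and any old one inside the block period
        for salt, digest, day in current + self.history:
            if today - day < REUSE_BLOCK_DAYS and _digest(new, salt) == digest:
                problems.append("reused within blocked period")
                break
        if problems:
            return problems
        if self.digest:
            self.history.append((self.salt, self.digest, self.set_day))
        self.salt = os.urandom(16)
        self.digest = _digest(new, self.salt)
        self.set_day = today
        self.must_change = by_admin
        self.failed = 0
        return []

    def authenticate(self, attempt, today):
        """Outcome of one login: 'locked', 'invalid', 'must_change', 'expired',
        'expiring' or 'ok'."""
        if self.failed >= MAX_FAILED:
            return "locked"                                   # point c)(iv)
        if not self.digest or _digest(attempt, self.salt) != self.digest:
            self.failed += 1
            return "locked" if self.failed >= MAX_FAILED else "invalid"
        self.failed = 0
        if self.must_change:
            return "must_change"                              # points c)(i) and c)(v)
        age = today - self.set_day
        if age >= LIFETIME_DAYS:
            return "expired"                                  # point c)(iii)
        if age >= LIFETIME_DAYS - WARN_BEFORE_DAYS:
            return "expiring"                                 # point c)(ii)
        return "ok"

    def flag_disclosed(self):
        """Point c)(v): a disclosed password must be changed at the next login."""
        self.must_change = True
```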
Article 29. Management of access to internal networks
Each institution shall formulate and implement regulations on management of access to its internal network, which must meet the following requirements:
1. Formulate and implement regulations on management of access to a network and network services, which shall consist of the following basic contents:
a) Permitted networks and network services, methods, means and requirements of information security for access purposes;
b) Responsibilities of administrators and users;
c) Procedures for grant, change and revocation of connection rights;
d) Control of network administration, access and use.
2. Implement measures to strictly control the connections from untrusted networks to the institution’s internal network for the purpose of information security.
3. Take control of installation and use of remote access control software.
4. Control access to ports used for setting and administration of network devices.
5. Grant the right of access to a network and network services according to the principle that such right is sufficient to perform assigned tasks.
6. Connections from the Internet to the institution's internal network that serve operational activities must use a virtual private network and multi-factor authentication.
Article 30. Management of access to information systems and applications
Each institution shall formulate and implement regulations on management of access which must meet the following requirements:
1. Take control of utility software possibly affecting information systems.
2. Regulate time of access to applications corresponding with the time of professional operations and services provided by such applications. Automatically switch off a work session during a rest time in order to prevent unauthorized access efforts.
3. Manage and delegate authority to access information and applications according to the principle that such authority is sufficient for users:
a) Delegation of authority to access specific folders and functions of a program;
b) Delegation of authority to read, record, delete and execute information, data or program.
4. Information systems which use the same resource must be approved by the competent authority.
5. With regard to servers of information systems of level 3 or higher and information systems that process clients’ personal information, secure connections and auto login prevention plans are required.
6. With regard to servers of information systems of level 4 or higher, multi-factor authentication must be employed when accessing servers, applications and important network and network security equipment.
Article 31. Management of Internet connection
Each institution shall formulate and implement regulations on management of Internet connection which must meet the following requirements:
1. Regulations on management of Internet connection include the following basic contents:
a) Responsibilities of each individual and departments involved in Internet usage and operation;
b) Types of users permitted to access and connect to the Internet;
c) Prohibited or restricted acts;
d) Internet access and connection control;
dd) Methods of information security for Internet access.
2. Manage all Internet connection ports in the institution in a concentrated and consistent manner.
3. Provide network security solutions for Internet connection ports in order to ensure safety against any risk of Internet attacks on the institution’s internal network.
4. Use detection tools for promptly finding out vulnerabilities or holes, malicious attacks, unauthorized access to the institution’s internal network through Internet connection ports.
Section 6. MANAGEMENT OF THIRD PARTIES’ INFORMATION TECHNOLOGY SERVICES
Article 32. General principles of use of third parties' services
When using a third party’s information technology services, each institution must ensure the following principles:
1. Do not reduce the institution’s capacity to provide continuous services for its clients.
2. Do not negatively affect the institution’s control of operational procedures.
3. Do not change the institution’s responsibility for assurance of information security.
4. Information technology services provided by a third party must comply with the institution’s regulations on assurance of information security.
Article 33. Requirements for use of third parties’ services
Before using a third party’s services for information systems of level 3 or higher and information systems that process clients’ personal information, each institution shall:
1. Carry out an assessment of information technology risks and operating risks, including the following contents:
a) Identify risks, analyze and estimate the extent of damage and threats to information security;
b) Define the capacity to control operational procedures, provide continuous services for clients and provide information to regulatory authorities;
c) Clearly define roles and responsibilities for assurance of service quality of relevant parties;
d) Work out risk minimization methods and trouble preventing and solving methods;
dd) Review and amend risk management policies (if any).
2. If an institution uses cloud computing services, apart from the provisions in Clause 1 of this Article, it shall:
a) Classify activities and professional operations expected to be performed on cloud computing based on assessment of impacts of the aforesaid activities and professional tasks on operations of the institution;
b) Develop backup plans for components of information systems of level 3 or higher. Backup plans must be tested and assessed to determine whether they are available to replace activities and professional tasks performed on the cloud computing;
c) Establish criteria for selection of third parties meeting the requirements in Article 34 hereof;
d) Review, amend and apply information security methods of the institution, and limit access through cloud computing to the institution’s information systems.
3. In case a third party is hired to perform all administration tasks for an information system of level 3 or higher or an information system that processes clients’ personal information, the institution shall carry out risk assessment according to the provisions in Clause 1 of this Article, and send assessment reports to SBV (via the Information Technology Authority).
Article 34. Criteria for selection of a third party providing cloud computing services
Criteria for selecting a qualified third party shall, inter alia, include the following contents:
1. The third party to be selected must be an enterprise;
2. It owns information technology infrastructure corresponding to the service requested by the institution which must:
a) comply with regulations of the law of Vietnam;
b) have been granted an international certificate of information security which is still valid.
Article 35. Conclusion of service contract with a third party
A service contract signed with a third party that shall provide services for information systems of level 3 or higher and information systems that process clients’ personal information shall, inter alia, include the following contents:
1. The third party’s information security commitments, including:
a) Not to replicate, alter, use or provide the institution’s data for other individuals or institutions, unless the data is provided at the request of a regulatory authority as prescribed by law; in such case, the third party is required to give a prior notice to the institution before providing its data, unless giving notice will violate the law of Vietnam;
b) Disseminate the institution’s regulations on assurance of information security to all staff members of the third party involved in the contract execution, and implement methods for supervising their compliance with such regulations.
2. Specific provisions on maximum allowable amount of time of service interruption and troubleshooting time limit, requirements for assurance of continuous operation (on-site backup, data backup, disaster recovery), requirements regarding processing, calculating and storing capacity as well as actions taken in case of failure to ensure service quality.
3. Cases in which lease of a sub-contractor by the third party causes no change in responsibilities of such third party for services rendered to the institution.
4. Data generated during the provision of service that is considered the institution’s asset. When the provision of service is terminated:
a) The third party shall return or support the transmission of the entire data used and generated during its provision of service to the institution;
b) The third party shall make a commitment to delete all data of the institution within a specified period of time.
5. Notification of any violations against regulations on information security applied to the provided service committed by staff members of the third party.
6. Apart from the provisions in Clauses 1, 2, 3, 4, 5 of this Article, a contract for use of cloud computing service shall also include the following contents:
a) The third party must provide reports on audit of compliance with information technology regulations which is annually conducted by an independent audit organization during the validity of the contract;
b) The third party must provide instruments for control of cloud service quality and procedures for monitoring and control of cloud service quality;
c) The third party must clearly designate locations (cities or countries) for establishment of the data center outside of the territory of Vietnam which provides services for the institution;
d) Responsibilities for data protection and prevention of unauthorized access to data through service distribution channels from the third party to the institution must be defined;
dd) The third party must assist and cooperate in investigation carried out at the request of regulatory authorities of Vietnam as per law regulations;
e) Data of the institution must be separated from other clients’ data used on the same technical basis provided by the third party.
Article 36. Institution’s responsibilities for use of services provided by a third party
When using services provided by a third party, each institution shall:
1. Provide, notify and request the third party to comply with the institution’s regulations on information security.
2. Adopt procedures and arrange staff members to supervise and control services provided by the third party in order to ensure the service quality as agreed upon in the signed contract. With regard to cloud computing services, service quality must be supervised and controlled.
3. Impose the institution’s regulations on information security on devices and services provided by the third party which are operated on the infrastructure managed and used by that institution.
4. Manage any change made to services provided by the third party, including change of supplier, change of solution, upgrade to a new version, or change of the contents prescribed in Article 41 hereof; fully evaluate impacts of such change and ensure such services are in safe working condition.
5. Apply measures to strictly oversee and restrict access rights of the third party when they access the institution’s information systems.
6. Supervise the third party’s personnel during the process of contract execution. Whenever any violation against regulations on information security committed by a staff member of the third party is discovered, the institution must notify and collaborate with the third party in application of measures to deal with such violation in a timely manner.
7. Withdraw the right of access to the information systems granted to the third party, change keys or passwords handed over by the third party immediately after work duties are completed or the contract is terminated.
8. With regard to information systems of level 3 or higher or information systems that process clients’ personal information or use cloud computing services, assessment of compliance with regulations on information security by the third party under provisions of the signed contract must be carried out. Such assessment of compliance shall be carried out on an annual or ad hoc basis whenever necessary. Results of information technology audit conducted by the independent audit organization may be used in such assessment.
Section 7. MANAGEMENT OF ACCEPTANCE, DEVELOPMENT AND MAINTENANCE OF INFORMATION SYSTEMS
Article 37. Requirements of information system security and confidentiality
When setting up or improving information systems under its direct management, each institution shall classify such information systems in accordance with the provisions in Article 5 hereof. With regard to an information system of level 2 or higher, the institution shall:
1. Compile design documents and description of plans for assurance of information system security. In such documents and description, security and confidentiality requirements shall be set out along with technical and operational requirements.
2. Prepare the system testing and verification plan, which must be carried out consistently with the design documents and meet information security requirements before acceptance. Testing results must be reported in writing and approved by the competent authority before the system is put into official use.
3. Strictly supervise and manage the hire-purchase of software from outside in accordance with the provisions in Article 36 hereof.
Article 38. Assurance of safety and security for applications
Application programs supporting each institution’s operations must meet the following requirements:
1. Check validity of data imported to applications, and ensure that imported data are accurate and valid.
2. Check validity of data subject to the automatic processing contained in applications in order to detect information deviations incurred by processing errors or intentional information change.
3. Implement measures to protect the authenticity and integrity of data processed by applications.
4. Check validity of data exported from applications, and ensure that processing activities of such application are accurate and valid.
5. Passwords of users in information systems of level 2 or higher must be encrypted at the application layer.
Article 39. Encryption management
Each institution shall manage encryption as follows:
1. Adopt regulations on and apply encryption measures in conformance to national technical regulations on data encryption used in banking or accredited international standards.
2. Take measures to manage the institution’s encryption keys to protect its information.
Article 40. Safety and security during software development
1. Each institution shall provide regulations on software development management as follows:
a) Manage and control source codes. Access or approach to source codes must be approved by the competent authority;
b) Manage and protect system configuration folders;
c) Request the third party to provide source codes of outsourced software of the information systems of level 2 or higher.
2. Each institution must select and control test data. Use of real data contained in the information systems which have been officially brought into operation for test purposes shall not be allowed if measures to hide or change data containing clients’ information and classified information have not been implemented yet.
Article 41. Management of changes to information system
Each institution shall issue procedures and methods for management and control of changes to its information systems which shall, inter alia, include the following contents:
1. Record changes; set up a plan for changes; carry out examination and testing for such changes, and report on results thereof; apply for approval for the plan for changes before the official application of changes made to software versions, hardware configuration, software parameters and operational procedures. Prepare emergency plans for recovery of the systems in the event that such changes fail or unpredictable breakdowns occur.
2. Carry out inspection and assessment of impacts in order to ensure that the information system of level 3 or higher operates in a stable and safe manner in the new environment upon changes to the operating system, database management system or middleware.
Article 42. Evaluation of information security
1. An evaluation of information security shall, inter alia, include the following contents:
a) Check the compliance with regulations of law on security of information systems by classification;
b) Evaluate the efficiency of measures to ensure security of information systems;
c) Evaluate and detect malicious codes, holes and technical vulnerabilities in accordance with the provisions in Article 43 hereof;
d) Conduct penetration tests required for information systems which have connection to and provide information and services on Internet, or connections to clients and third parties;
dd) Check configuration of security devices, systems for automatic grant of access rights, systems for management of terminal devices, and list of user accounts.
2. Each institution shall carry out the evaluation of information security for the information systems of level 3 or higher and other information systems that process clients’ personal information according to the provisions in Clause 1 of this Article before they are put into official operation.
3. During the operation of an information system, each institution shall carry out the evaluation of information security as prescribed in Clause 1 of this Article on the following periodical basis:
a) Every six months, as regards the information systems of level 5 or higher; or
b) Every year, as regards the level 4 and level 3 information systems, and equipment directly exposed to external environments such as Internet, or connected to third parties;
c) Every two years, a comprehensive evaluation of information security and management of information security risks during the institution’s operations shall be carried out.
4. The evaluation result must be reported in writing to the lawful representative and competent authority of the institution. As for any content which fails to comply with regulations on information security (if any), measures, plans and time limit for treatment and resolution must be recommended.
Article 43. Management of technical vulnerabilities
Each institution shall manage technical vulnerabilities as follows:
1. Set out regulations on evaluation, management and control of technical vulnerabilities of active information systems.
2. Regularly update information about technical holes and vulnerabilities.
3. Carry out scanning and detection of technical holes and vulnerabilities contained in active information systems on the periodical basis prescribed in Clause 3 Article 42 hereof or upon receiving any information about a new hole or vulnerability.
4. Evaluate the level of impact or risk caused by each technical hole or vulnerability which has already been detected in respect of active information systems, and recommend possible solutions or plans.
5. Develop and organize implementation of any remedial and mitigation measures and reporting of the result obtained from implementation of such measures.
Article 44. Management of information system maintenance
Each institution shall manage the maintenance of information systems as follows:
1. Promulgate regulations on maintenance of the information system immediately after it is put into official operation. Maintenance regulations shall, inter alia, include the following basic contents:
a) Maintenance scope and subjects;
b) Maintenance time and frequency;
c) Technical scenario and procedures for maintenance of each component of and the entire information system;
d) Reporting on any incident found or occurred during the maintenance to the competent authority;
dd) Assignment and determination of responsibilities of the department in charge of maintenance and maintenance supervision.
2. Carry out the maintenance tasks in accordance with the provisions in Clause 1 of this Article in respect of information systems under direct management of the institution.
3. Review the maintenance regulations at least once a year or upon occurrence of any change to the information system.
Section 8. MANAGEMENT OF INFORMATION SECURITY INCIDENTS
Article 45. Procedures for incident handling
Each institution shall manage incidents as follows:
1. Promulgate procedures for handling of information security incidents which include the following basic contents:
a) Receive information about any incident;
b) Evaluate the level and extent of impact caused by the incident on operations of the information system. Depending on the level and extent of impact caused by such incidents, the institution must report to equivalent level of management for possible directions for handling;
c) Implement incident handling and mitigation measures;
d) Record in files and report on results of incident handling.
2. Define responsibilities of individuals and collectives for reporting, receipt and handling of information systems incidents.
3. Formulate forms and templates for documentation of incident handling results.
Article 46. Control and mitigation of incidents
Each institution shall control and mitigate incidents as follows:
1. Make a list of information security incidents and incident handling plan in respect of information systems of level 3 or higher and information systems that process clients’ personal information; review and update such list and plan at least once every six months.
2. Promptly report information security incidents to the competent authority and other related persons to have them resolved as soon as possible.
3. Collect, record, protect and retain proofs and evidence at the institution during the process of inspection, handling and mitigation of such incidents.
4. Evaluate and determine the causes of such incidents and implement preventive measures to prevent them from recurring in the future.
5. If information security incidents relate to any breach of laws and regulations, the institution shall be responsible for collecting and providing proofs and evidence for competent regulatory authorities in accordance with prevailing laws.
6. Organize the annual drill for the plan for handling of information security incidents for at least one of the information systems of level 3 or higher. If there are 02 or more information systems of level 3 or higher, such drill shall be organized for all systems in turns.
Article 47. Network security operation center
1. Each institution that directly manages an information system of level 3 or higher shall establish or designate a department in charge of managing and operating the network security operation center (this provision does not apply to foreign bank branches, intermediary payment service providers, non-bank credit institutions, microfinance institutions, local people’s credit funds, credit information companies, Vietnam Asset Management Company and National Banknote Printing Plant).
2. The network security operation center shall perform the following tasks:
a) Proactively monitor, collect and receive information and warnings about internal and external information security risks and threats.
b) Develop a security information and event management (SIEM) system, collect and store information in a concentrated manner, at least including: logbooks of information systems of level 3 or higher and information systems that process clients’ personal information, and warnings and logbooks of network security equipment such as firewalls and IPS/IDS.
c) Analyze information in order to detect and warn about cyberattack risks and threats and information security incidents, and send reports to the system administrator if finding any incident relating to information systems of level 3 or higher and information systems that process clients’ personal information.
d) Coordinate incident response activities; isolate and contain the incident and minimize adverse impacts and damage to information systems if any incident occurs.
dd) Carry out investigation and determination of attack sources, methods and modes, and take measures to prevent incident recurrence.
e) Provide information at the request of SBV for the purpose of network security surveillance in banking.
Article 48. Response to information security incidents
1. The network for response to information security incidents in the banking sector (hereinafter referred to as the “incident response network”) is comprised of:
a) The steering committee established by the SBV’s Governor;
b) The coordinating agency which is the Information Technology Authority (affiliated to SBV);
c) Members of the incident response network, including: The Information Technology Authority (affiliated to SBV), credit institutions (departments in charge of information security) and voluntary members that are authorities and organizations voluntarily joining the incident response network.
2. The incident response network shall cooperate with personnel in the banking sector and other sectors to efficiently respond to information security incidents and thus ensure the safe operation of the banking system.
3. Principles for incident coordination and response
a) The steering committee shall: (i) consider approving the network’s annual operation strategies and plans; (ii) manage the network’s operations (including incident response, drills, training and exercises in incident response); (iii) evaluate and submit annual report on the network’s performance to the SBV’s Governor;
b) The organizations mentioned in Point c Clause 2 of this Article shall take responsibility to provide resources and perform tasks as a member of the network;
c) When an incident occurs, the network’s members shall report it to the coordinating agency in accordance with the provisions in Clause 1 Article 54 hereof;
d) In case of serious incidents that they cannot handle, the network’s members shall send a written request for support to the coordinating agency;
dd) Depending on each incident, the coordinating agency shall report it to the steering committee and request the network’s members or regulatory authorities to give support and response.
4. Principles for managing and using information in incident coordination and response:
a) Any information exchanged or provided during the process of coordinating and responding to an incident shall be considered classified information;
b) Any act of use of information exchanged during the incident coordination and response which harms the prestige and/or image of the organization providing such information is prohibited.
Section 9. ASSURANCE OF CONTINUOUS OPERATION OF INFORMATION SYSTEMS
Article 49. Principles for assurance of continuous operation
1. Each institution shall meet the following minimum requirements:
a) Analyze impacts and assess risks in respect of interruption or termination of information system operation;
b) Establish a scenario and procedure for assurance of continuous operation of information systems as prescribed in Article 51 hereof;
c) Perform activities to ensure continuous operation as prescribed in Article 52 hereof.
2. Based on the impact analysis and risk assessment specified in Point a Clause 1 of this Article, the institution shall make a list of information systems requiring continuous operation assurance, which must include information systems of level 3 or higher.
3. Information systems requiring continuous operation assurance specified in Clause 2 of this Article must ensure a high level of availability and have disaster recovery systems.
Article 50. Establishment of disaster recovery systems
1. Each institution shall establish a disaster recovery system which must meet the following requirements:
a) When selecting the location of the disaster recovery system, it is required to carry out a risk assessment and consider the possibility of disasters affecting both the main information system and the disaster recovery system, including natural disasters (earthquakes, floods, hurricanes and pandemics) and disasters caused by humans and technology (power network incidents, fire, traffic incidents and cybersecurity attacks);
b) The location of the disaster recovery system must meet the requirements laid down in Article 17 hereof;
c) The disaster recovery system must be capable of substituting for the main system within: (i) 4 hours in respect of an information system of level 3 or higher (except information systems that process classified state information); (ii) 24 hours in respect of an information system that processes classified state information; (iii) an amount of hours prescribed by the institution in respect of other systems.
2. Any institution which has only one working office in Vietnam (excluding microfinance institutions and local people’s credit funds) must establish a standby office at another location which is separated from its working office and equipped with necessary devices to ensure continuous operation substituting the working office.
Article 51. Formulation of procedures and scenario for assurance of continuous operation
Each institution shall formulate procedures and scenario for assurance of continuous operation as follows:
1. Establish procedures for response to operational insecurities and interruptions of each component of the information system of level 3 or higher.
2. Any institution which has both main and standby information systems located outside of Vietnam must develop a plan for assurance of continuous operation in case of interruption of transmission lines connected to main and standby information systems.
3. Establish the scenario of conversion to the standby system in place of the main system, including work contents, conversion process and scheduled completion date, which must cover the following:
a) Necessary resources, equipment and requirements for such conversion;
b) Forms or templates used for recording conversion results;
c) Arrangement and assignment of work duties of responsible staff members, including directing, overseeing and carrying out such conversion, official operation and examining the result of such conversion;
d) Measures to ensure information security;
dd) Plans for ensuring continuous operation in case of unsuccessful conversion.
4. Any institution which has only one working office in Vietnam (excluding microfinance institutions and local people’s credit funds) must establish the scenario of conversion of operation to the standby office.
5. Procedure and scenario for such conversion must be checked and updated when there is any change to the information systems, organizational structure, personnel and assignment of duties in relevant departments of an institution.
Article 52. Implementation of plans for continuous operation assurance
1. Each institution must establish and implement a plan for assurance of continuous operation of information systems (unless the main information system operates parallel with the standby system), which must meet the following requirements:
a) Carry out inspection and assess operation of the standby system at least every six months;
b) Carry out operational conversion from the main system to the standby system and carry out operations on the standby system for at least 1 working day in respect of each of the information systems listed as prescribed in Clause 2 Article 49 hereof, once every year in respect of information systems of level 4 or higher, or once every two years in respect of information systems of level 3 or lower; assess results and update conversion procedures and scenarios (if any). In case the operational conversion cannot be carried out for a working day, the standby system must be established with the same capacity and configuration as the main system, and the operational conversion must be carried out every year to check the availability of the standby system.
2. Any institution which has only one working office in Vietnam (excluding microfinance institutions and local people’s credit funds) must organize annual drills for the purpose of ensuring continuous system operation.
3. The institution shall notify the SBV (via the Information Technology Authority) of the drill plan, contents and scenario for conversion for continuous operation no later than 5 working days before conversion via the following email: [email protected].
Section 10. INTERNAL INSPECTION AND REPORTING REGIME
Article 53. Internal inspection
Each institution shall carry out the internal inspection as follows:
1. Formulate regulations on internal inspection regarding the work of assurance of information security.
2. Draw up the plan and carry out the work of internal inspection of compliance with regulations laid down in this Circular and those of each institution on assurance of information security at least once a year. With regard to commercial banks and foreign bank branches, the internal inspection shall be conducted by risk management departments or compliance departments at least once a year, and by internal audit departments or independent audit organizations at least once every three years.
3. The result of inspection of assurance of information security of each institution must be specified in a report sent to the legal representative and competent authority of the institution, which points out any unresolved issues relating to compliance with regulations on information security (if any) together with recommended or proposed resolution plans or measures.
4. Organize the resolution of unresolved issues stated in the report and report on the results in accordance with regulations laid down in Clause 3 of this Article.
Article 54. Reporting regime
Each institution shall be responsible for sending a report to SBV (via the Information Technology Administration), including:
1. Reports on information security incident (made according to the Appendix 01 enclosed herewith) shall be submitted within 24 hours from the time of detection of the incident, and reports on incident handling results (made according to the Appendix 02 enclosed herewith) shall be submitted within 05 working days from the completion of handling works. Reports shall be sent to the following email: [email protected].
2. Where outsourced administration services are employed for information systems of level 3 or higher and information systems that process clients’ information, reports on risk assessment as prescribed in Clause 3 Article 33 hereof shall be sent directly or by post to SBV (via the Information Technology Administration) at least 10 working days before using such services.
3. Reports on cases in which individuals working in the information technology sector of the institution have been disciplined according to Clause 6 Article 16 hereof shall be sent directly or by post to SBV (via the Information Technology Administration) within 5 working days from the date of issue of disciplinary decision.
Article 55. Responsibility of SBV’s affiliated units
1. The Information Technology Administration shall:
a) Monitor and submit consolidated reports to the SBV’s Governor on the implementation of this Circular by institutions on an annual basis;
b) Work out annual plan for inspection of implementation of this Circular;
c) Play the leading role and cooperate with relevant units affiliated to SBV to deal with any difficulties that may arise during the implementation of this Circular.
2. The Payment Department shall cooperate with the Information Technology Administration to inspect the implementation of this Circular in each intermediary payment service provider.
3. The Banking Supervision Authority shall carry out the inspection of implementation of this Circular by institutions and impose penalties for administrative violations against regulations herein in accordance with regulations of law.
4. Provincial branches of SBV shall carry out the inspection of implementation of this Circular by local institutions and impose penalties for administrative violations against regulations herein in accordance with regulations of law.
Article 56. Effect
1. This Circular comes into force from January 01, 2021, except the provisions in Clause 2 of this Article, and supersedes the Circular No. 18/2018/TT-NHNN dated August 21, 2018 of SBV’s Governor.
2. Point b Clause 4 Article 20 of this Circular shall come into force from January 01, 2022.
Article 57. Implementation organization
Director of Information Technology Administration, heads of relevant SBV’s affiliated units, Directors of provincial branches of SBV, credit institutions, foreign bank branches, intermediary payment service providers, credit information companies, National Payment Corporation of Vietnam (NAPAS), Vietnam Asset Management Company (VAMC), National Banknote Printing Plant, and Deposit Insurance of Vietnam shall be responsible for implementation of this Circular./.
PP. THE GOVERNOR
This translation is made by THƯ VIỆN PHÁP LUẬT and for reference purposes only. Its copyright is owned by THƯ VIỆN PHÁP LUẬT and protected under Clause 2, Article 14 of the Law on Intellectual Property.