THE STATE BANK OF VIETNAM
SOCIALIST REPUBLIC OF VIETNAM
Independence – Freedom – Happiness
No. 04/2006/QD-NHNN
Hanoi, January 18, 2006
DECISION
ON THE ISSUANCE OF THE REGULATION ON THE PRUDENCE AND
CONFIDENTIALITY OF THE INFORMATICS TECHNOLOGY SYSTEM IN BANKING AREA
THE GOVERNOR OF THE STATE BANK
- Pursuant to the Law on the
State Bank of Vietnam issued in 1997; the Law on the amendment, supplement of
several articles of the Law on the State Bank of Vietnam issued in 2003;
- Pursuant to the Law on Credit Institutions issued in 1997; the Law on the
amendment, supplement of several articles of the Law on Credit Institutions
issued in 2004;
- Pursuant to the Ordinance on State secret preservation No.03/2000/PL-UBTVQH10
dated 28/12/2000 of the Standing Committee of the National Assembly;
- Pursuant to the Decree No.33/2002/ND-CP dated 28/03/2002 of the Government
providing in details for the implementation of the Ordinance on State secret
preservation;
- Pursuant to the Decree No. 52/2003/ND-CP dated 19/5/2003 of the Government
providing for the function, assignment, authority and organizational structure
of the State Bank of Vietnam;
Upon the proposal of the Director of the Banking Informatics Technology
Department,
DECIDES:
Article 1.
To issue in conjunction with this Decision the
“Regulation on the prudence, confidentiality of the informatics technology
system in Banking area”.
Article 2.
This Decision shall be effective 15 days after its publication in the Official
Gazette.
Article 3.
The Director of Administrative Department, the
Director of the Banking Informatics Technology Department, Heads of units of
the State Bank, Managers of the State Bank’s branches in provinces, cities
under the Central Government’s management, Chairperson of the Board of
Directors, General Directors (Directors) of credit institutions shall be
responsible for the implementation of this Decision.
...
FOR
THE GOVERNOR OF THE STATE BANK OF VIETNAM
DEPUTY GOVERNOR
Phung Khac Ke
REGULATION
ON THE PRUDENCE, CONFIDENTIALITY OF THE INFORMATICS
TECHNOLOGY SYSTEM IN BANKING AREA
(Issued in conjunction with the Decision No.04/2006/QD-NHNN dated 18/01/2006
of the Governor of the State Bank)
Chapter I
GENERAL PROVISIONS
Article 1.
Governing scope
This Regulation provides for
requirements for the users and basic criteria of the prudential technique of
the informatics technology system of the State Bank and Credit Institutions except
for the Local People’s Credit Funds (hereinafter referred to as units), for the
purpose of unifying the management of the application of informatics technology
in banking activities in a prudential and efficient way.
...
1. Informatics technology system
(IT) is a structural group of equipment of hardware, software, database and the
network system serving one or several technical, operational activities.
2. A firewall is a group of components or a system of equipment and software
placed between two networks for the purpose of controlling all connections from
the inside of the network to the outside, or vice versa.
3. The integrity of data is the state in which the data remain as they are in
the original documents: unchanged in content and structure, and not lost.
4. Configuration management is
the management of changes in hardware, software, technical documents, checking
tool, connection interface, operating technical procedure, installation configuration
and all other changes of the IT system during the process from the installation
to the operation.
5. Archiving is the creation of a copy of software or data in order to preserve
it against loss or corruption of the original software or data.
6. Virus is a computer program
which is able to multiply, transmit in the computer network or through
information carriers, can destroy data or do some unexpected functions for the
IT system.
7. Authority grant is the permission given to an individual, in accordance with
a previously established organizational procedure, to access or use a program
or a process of the IT system.
8. A password is a string of characters, or another secret identification
method, used to authenticate the user's rights.
9. Network security system is a group of firewall equipment; equipment for
controlling and detecting illegal access; software for administering,
monitoring and logging the status of network security; and other equipment with
the function of assuring the security of network operation, all of which
operate together under a consistent network security policy for close control
over the activities in the network.
...
Article 3.
Responsibilities of the units
1. To issue policies on
prudence, confidentiality of the IT system (hereinafter referred to as IT
security policies), organize the implementation and examination for the
implementation of those policies. To update, on regular basis, the IT security
policies in line with changes in the IT system of the units, running
environment and scientific technical advances in the IT security area.
2. To arrange necessary
resources for carrying out the equipment, deployment, running, management,
supervision and processing of breakdowns in the activity of IT application,
ensuring the confidential, prudential operation of the IT systems and
corresponding with the requirements of operational activities and the IT
security strategy of their units. To take preventive measures, to detect and
timely deal with frauds, errors, instability and other extraordinary, unsafe
elements.
3. To organize an appropriate IT
security management division for uniform management, deployment of IT security
activities from the stage of plan preparation, designing, installation
deployment to the running stage of the IT system in line with the provisions in
this document. To select, train an IT system administrator who satisfies such
standards as: having professional virtue, being knowledgeable of IT security
and equipped with knowledge concerning operational activities and the IT system
of the units. Decision on the assignment of administration duty for the IT
system must be made in writing.
4. To ensure that the IT system
is always ready at the high level; to set up, test backup plans and restore the
system in the event of breakdowns or disaster.
5. To assess the ability,
feasibility, risks relating to IT activities supplied by external partners; to
set up agreements to clearly define the relationship, obligations and
responsibilities of the parties participating in the IT service supply such as:
level of service supply, expected running result, ability of implementation,
ability of expansion, compliance level, backup plan, backup levels, prudence and
confidentiality, service suspension, control over obligations of contract
implementation and relationship with related IT systems.
6. To organize, on regular
basis, training courses to update users’ the knowledge about IT security in
line with the duties they are in charge of;
7. Equipment, software and data used in operational activities must be legally
licensed (copyright) in accordance with provisions of applicable laws.
Article 4.
Requirements of information security
...
2. Intactness: persons who are not competent shall not be entitled to modify,
delete or supplement the information.
3. Readiness: information shall always be ready to satisfy the needs of
competent persons.
4. Non-negation: the creator of information shall not be permitted to deny
responsibility for the information he created.
5. Truthfulness: the source of information must be clearly defined.
Article 5.
Determination of security requirements of the IT system
The classification of
requirements, levels of investment in the security of the IT system of the
units shall be clearly determined based on the following elements:
1. Role of the IT system in the
implementation of the units’ targets
2. Sources of risk and the likelihood of risks occurring to the IT system
3. Ability to recover in case a risk occurs
...
5. Effect of risks, if any, on
the activities of the units in particular and general activities of banking
industry.
Article 6.
Acts to be strictly forbidden
1. Not to comply with provisions
on the security of the IT system of the State, industry and of the units;
2. To access, supply and
disperse information illegally
3. To disclose the system
architecture, algorithm of the IT security system
4. To illegally modify the
architecture, operating mechanism of the IT system
5. To use IT equipments of the
units for individual purposes
6. Other acts that obstruct,
destroy the operation of the IT system
Chapter II
...
Article 7.
Management, authentication of users in the IT system
1. All the IT systems must be
capable of management and authentication of the users who are accessing those
systems
2. Activities of transactions
which are processed centrally and immediately through the computer network
shall be organized based on the system of management, authentication of
centralized users
3. Processes, programs,
instruments, algorithm used to set up password, identification device and key
database which is used to check the access shall be managed, used under the
“Confidential” regime
4. Requirements for the
organization of the authentication system:
a. Having separate process on
management and authentication of the users for each IT system in line with the
requirements of prudence, confidentiality of above-mentioned processing
operation;
b. Authenticating the access
right of the users by account, identification device or by both; and the users
shall only be granted enough authority to perform their assigned tasks;
c. Password, identification data
used for the access authentication shall be kept secret during the process of
archive, transmission through the network and displayed on the users’ monitor;
d. The environment where the
authentication equipments are located must be secret, prudential for the use of
code, identification device;
...
e. Temporarily suspending the access rights of users who are registered on the
IT system but have not worked on it for a period of 60 days or more;
g. On weekly basis, examining
the system-access diary, detecting and timely dealing with cases which
illegally access or carry out manipulation acts beyond the assigned limit of
the users.
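The two checks in points e and g above (suspending accounts idle for 60 days or more, and a weekly review of the access diary for unregistered users or acts beyond a user's assigned authority) can be automated. The following is an added illustration, not text from the Regulation and not any bank's code; the diary line format, the user names and the permission table are constructed for the example, and only the 60-day figure comes from the Regulation.

```python
"""
Added example (not from the Regulation, not any bank's code): checks modelled on
Article 7.4.e and 7.4.g of Decision 04/2006/QD-NHNN. The log format, user names
and permission table are constructed for illustration.
"""
from __future__ import annotations

from datetime import date, datetime, timedelta

INACTIVITY_LIMIT_DAYS = 60  # Article 7.4.e: "60 days upwards"

# Constructed sample: user -> last date on which the user worked on the system.
LAST_ACTIVITY = {
    "teller01": date(2006, 1, 10),
    "teller02": date(2005, 11, 1),
    "auditor1": date(2005, 11, 19),
}


def accounts_to_suspend(last_activity: dict[str, date], today: date) -> list[str]:
    """Users idle for INACTIVITY_LIMIT_DAYS or more, sorted for stable output."""
    return sorted(user for user, last in last_activity.items()
                  if (today - last).days >= INACTIVITY_LIMIT_DAYS)


# Constructed permission table: the operations each registered user may perform.
PERMISSIONS = {
    "teller01": {"deposit", "withdraw"},
    "auditor1": {"read_ledger"},
}

# Constructed access-diary lines: "<ISO timestamp> <user> <operation> <result>"
SAMPLE_LOG = """\
2006-01-16T09:02:11 teller01 deposit OK
2006-01-16T09:05:40 teller01 approve_loan OK
2006-01-16T10:15:02 ghostusr read_ledger OK
2006-01-17T14:20:00 auditor1 read_ledger OK
2006-01-18T08:00:03 auditor1 withdraw DENIED
"""


def review_access_log(log_text: str, permissions: dict[str, set[str]],
                      week_start: date) -> list[tuple[str, str, str]]:
    """Article 7.4.g: within one week, find access by users who are not
    registered and operations beyond a user's assigned limit.
    Denied attempts are reported too: they still show a user acting beyond
    the assigned limit. Returns (timestamp, user, operation) tuples."""
    week_end = week_start + timedelta(days=7)
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts_text, user, op, _result = line.split()
        ts = datetime.fromisoformat(ts_text)
        if not (week_start <= ts.date() < week_end):
            continue  # outside the week under review
        if user not in permissions:
            findings.append((ts_text, user, op))  # unregistered user
        elif op not in permissions[user]:
            findings.append((ts_text, user, op))  # beyond assigned authority
    return findings


if __name__ == "__main__":
    print("suspend:", accounts_to_suspend(LAST_ACTIVITY, date(2006, 1, 18)))
    for finding in review_access_log(SAMPLE_LOG, PERMISSIONS, date(2006, 1, 16)):
        print("review:", finding)
```

Both functions are pure, so the same logic can be run against an exported user table and a real diary file once the parsing of the institution's own log format replaces the constructed one.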
Article 8.
Methods of authentication
1. Authentication by
identification (ID) and password must satisfy the following requirements:
a. A password must be at least 6 characters long and consist of numbers,
letters and, if permitted by the system, other special characters. Compliance
with the password requirements shall be checked automatically when the password
is set;
b. Default passwords preinstalled on equipment, software and databases by the
producer must be changed right after they are put into use;
c. Software on management of
passwords must contain such functions as: informing users to change their
passwords which are about to expire; canceling the effectiveness of expired
passwords, permitting the users to change passwords which have been revealed,
are likely to be revealed or upon request of the users; preventing users from
reusing old passwords in a certain time.
2. Authentication by card must
clearly provide for responsibilities of parties that issue and use cards
3. Authentication by biometric method
must ensure the prudence of the users during the collection of biometric
elements
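As an added example of the requirements in point 1 of this Article, the following Python code (written for this page, not part of the Regulation and not any bank's software) checks a candidate password against 8.1.a, refuses reuse of a recent password and reports passwords that are expired or about to expire as required by 8.1.c. The 6-character minimum is the Regulation's; the 90-day lifetime, 7-day warning window and 180-day reuse window are assumed values, since the Regulation leaves those periods to the units.

```python
"""
Added example (not part of the Regulation): a password-policy checker modelled
on Article 8.1 of Decision 04/2006/QD-NHNN. MIN_LENGTH comes from 8.1.a; the
other three constants are assumptions chosen for the example.
"""
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import date, timedelta

MIN_LENGTH = 6           # Article 8.1.a: "6 characters upwards"
MAX_AGE_DAYS = 90        # assumed lifetime; the Regulation fixes none
WARN_BEFORE_DAYS = 7     # assumed "about to expire" window
REUSE_WINDOW_DAYS = 180  # assumed "certain time" during which reuse is refused


def check_password(candidate: str, allow_special: bool = True) -> list[str]:
    """Return the Article 8.1.a rules the candidate violates (empty list = OK)."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isdigit() for c in candidate):
        problems.append("no digit")
    if not any(c.isalpha() for c in candidate):
        problems.append("no letter")
    # special characters are required only "if permitted by the system"
    if allow_special and not any(not c.isalnum() for c in candidate):
        problems.append("no special character")
    return problems


def _hash(password: str, salt: bytes) -> bytes:
    # salted, iterated hash so stored passwords stay secret (Article 7.4.c)
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class PasswordRecord:
    salt: bytes
    digest: bytes
    set_on: date


@dataclass
class Account:
    user: str
    current: PasswordRecord | None = None
    history: list[PasswordRecord] = field(default_factory=list)

    def set_password(self, new: str, today: date,
                     allow_special: bool = True) -> list[str]:
        """Apply 8.1.a (format) and 8.1.c (no reuse within the window).
        Returns the list of problems; the password is stored only if empty."""
        problems = check_password(new, allow_special)
        cutoff = today - timedelta(days=REUSE_WINDOW_DAYS)
        previous = self.history + ([self.current] if self.current else [])
        for old in previous:
            if old.set_on >= cutoff and hmac.compare_digest(
                    _hash(new, old.salt), old.digest):
                problems.append(f"reuses a password set on {old.set_on}")
                break
        if problems:
            return problems
        if self.current:
            self.history.append(self.current)
        salt = os.urandom(16)
        self.current = PasswordRecord(salt, _hash(new, salt), today)
        return []

    def status(self, today: date) -> str:
        """'expired', 'expiring' or 'valid', for the 8.1.c expiry functions."""
        if self.current is None:
            return "unset"
        age = (today - self.current.set_on).days
        if age >= MAX_AGE_DAYS:
            return "expired"
        if age >= MAX_AGE_DAYS - WARN_BEFORE_DAYS:
            return "expiring"
        return "valid"


if __name__ == "__main__":
    acct = Account("teller01")
    print(acct.set_password("Ab3$xy", date(2006, 1, 18)))   # [] -> accepted
    print(acct.set_password("Ab3$xy", date(2006, 3, 1)))    # reuse refused
    print(acct.status(date(2006, 5, 24)))                    # "expiring"
```

Only salted hashes of old passwords are kept for the reuse check, so the history itself never reveals a previous password; a real deployment would also store the records under the "Confidential" regime that Article 7.3 requires for key and password data.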
...
a. Checking that subjects applying for the grant of a digital certificate and
key are legal and valid;
b. Checking the validity of the digital certificate before examining and
accepting transactions which use it;
c. Controlling and promptly updating cancelled digital certificates into
databases to prevent their misuse;
d. Having measures for protecting the security of the root key and the
equipment of the digital certificate system;
dd. Logging the entire process of granting, changing and cancelling digital
certificates and keys;
e. Regularly examining extraordinary events in the digital certificate system
to promptly detect changes and illegal access.
Article 9.
Controlling the access to the IT system
1. All IT systems shall be set
up a function of access control, warning, preventing users from illegal access
or misusing their function, authority in the system
2. The system of access control
must have the following functions:
...
b. Managing, authenticating the
connection of terminal devices as well as accepting the internal devices to
carry out the connection;
c. Not permitting the users,
except for system administrator, to concurrently access several terminal
devices at a certain time;
d. The terminal devices shall be
automatically installed to convert to non-operating status, locked monitor
status with password or automatically escape from the system after a period of
time of non-use.
Article 10.
Data encryption
1. The sensitive, important data
which is transmitted on the computer network shall be encrypted
2. Only encryption techniques that have been tested and assessed as
sufficiently reliable by reputable IT security organizations in the country or
abroad shall be used. The complexity of the selected encryption algorithm must
be in line with the confidentiality level of the data to be protected and the
processing capacity of the IT system;
3. Secret elements used in the encryption technique must be set up
independently of the supplier and changed at least once a year
4. Equipment, software used for
encryption solution must be concurrently archived with encrypted data; or
convert the encrypted data to new data type in the event of any change in
encryption method in order to ensure the original data restoring from data of
encryption type at any time;
5. The encryption solution which
is in use must be regularly checked, assessed in terms of the prudential level
and shortcomings (if any) of which must be timely dealt with.
...
1. The IT systems must have a function of recording a supervision diary (log)
of the activities of those systems. The clocks of equipment in the same IT
system must be synchronized from one source to ensure the accuracy of the
supervision diary.
2. Accesses and manipulation acts that affect the operation of the system shall
be recorded in the diary. The diary file must be protected from any change.
3. The Head of units shall
provide for the regime on diary record, archive time of diary file for each IT
system in order to supervise the system’s activities and support the audit
work.
4. System administrator shall be
responsible for examining diary files of the system on regular basis in order
to detect, settle and timely prevent breakdowns resulting in unsafeness,
instability of the IT system
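Point 2 above requires that the diary file be protected from any change. One technical measure that makes unauthorized edits, insertions or deletions detectable is to link each record to the previous one by a hash, so that an administrator's regular check (point 4) can confirm the file is intact. The code below is an added illustration written for this page, not part of the Regulation; the record fields and the sample events are constructed.

```python
"""
Added example (not from the Regulation): a tamper-evident supervision diary
built as a hash chain, one way to meet Article 11.2 ("the diary file must be
protected from any change"). Record format and sample events are constructed.
"""
from __future__ import annotations

import hashlib
import json

GENESIS = "0" * 64  # anchor value that the first record links to


def _digest(prev_hash: str, record: dict) -> str:
    # canonical JSON so the same record always produces the same hash
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode()).hexdigest()


def append_entry(chain: list[dict], ts: str, user: str, action: str) -> dict:
    """Append one diary record, linked to the previous record by its hash."""
    prev = chain[-1]["hash"] if chain else GENESIS
    record = {"ts": ts, "user": user, "action": action}
    entry = {"prev": prev, "record": record, "hash": _digest(prev, record)}
    chain.append(entry)
    return entry


def verify_chain(chain: list[dict]) -> int | None:
    """Recompute every link. Return the index of the first entry whose record
    or link no longer matches (a modified, inserted or removed record shows up
    here), or None if the diary is intact."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev"] != prev or entry["hash"] != _digest(prev, entry["record"]):
            return i
        prev = entry["hash"]
    return None


def build_sample_chain() -> list[dict]:
    """Constructed sample diary with three events."""
    chain: list[dict] = []
    append_entry(chain, "2006-01-18T08:00:00", "admin", "login")
    append_entry(chain, "2006-01-18T08:05:00", "admin", "change config")
    append_entry(chain, "2006-01-18T08:10:00", "admin", "logout")
    return chain


if __name__ == "__main__":
    diary = build_sample_chain()
    print("intact:", verify_chain(diary) is None)
    diary[1]["record"]["action"] = "nothing"   # simulated unauthorized edit
    print("first broken entry:", verify_chain(diary))
```

A hash chain alone does not stop someone with write access from rewriting the whole chain from the altered point onward; in practice the latest hash is periodically copied to a place the diary writer cannot modify (a separate archive, as Article 20 requires for backups), so that a rewritten tail is caught when the two are compared.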
Article 12.
Physical safety
1. Server room and other areas where
IT equipments are situated, used must have regulations and take measures for
protection, entry and exit control to ensure that only persons with duty can
enter into those areas
2. All works carried out in the
server room shall be recorded in daily working diary
3. The computer room must meet industrial hygiene standards: not dilapidated,
not damp or leaking; equipment installed on a technical (raised) floor and not
in direct sunlight; humidity and temperature within the standards specified for
the equipment and servers; fully equipped with devices for preventing and
protecting against fire, explosion and flood, a lightning protection system,
and a security system for preventing illegal access
4. It is required to take
measures for supervision, security protection, and prevention from illegal
access and management of the use of the equipments used for installation
outside the units’ office
...
6. Programs and data of the units that could be misused must be removed from
equipment before that equipment is handed over to external units or liquidated
as an asset
7. Power source supplied to the
IT system:
a. The server room must be
equipped with a separate power source with industrial technical standards which
are in line with the equipments installed in the computer room
b. Backup power source must meet
the standard, capacity for normal operation of the IT system during the time
when the main power source meets breakdown
Article 13.
Prudence of the computer network
1. Documents on technique and
operation of the computer network system shall consist of the following types:
a. File on the investigation,
design and technical explanation of the network;
b. Documents which determine the
design of the network to fully meet standards for safe operation through the
self-checking, self-assessment of the units or by specialized agency of the
State
c. Process on the management and
operation of the network
...
a. Being able to control,
supervise network accesses
b. Being able to prevent illegal
accesses;
c. Recording the diary on the
network access
d. Having process on breakdown
settlement and disaster prevention
dd. Having administrative,
technical measures to prevent the illegal access to equipments, network
transmitting line
3. Responsibilities of the
network users:
a. The network users must
register and obtain the using acceptance prior to accessing the network;
b. When detecting any sign of
unsafeness, they must immediately inform to the network administrator for
settlement
c. They must update new version
of anti-virus software and regularly scan virus on the computers connected to
the network. They shall not be entitled to change, remove, on their own,
programs, technical parameters, which are installed by the administrator
...
dd. To comply with other
provisions of the units in line with the provisions in this Regulation
4. Responsibilities of the
network administrator:
a. To check, ensure the safe,
stable and continuous operation of the computer network
b. To manage configuration,
resources and users on the network
c. To fully set up regimes of network security control. To use the equipped
tools to check for and promptly detect vulnerabilities and illegal accesses
into the network system. To regularly examine and detect connections, equipment
and software illegally installed in the network.
d. To detect and timely deal
with the gaps in the security of the network system
dd. To guide, support the users
to protect accounts, resources on the network, to install the anti-virus
software and timely deal with network access breakdowns
e. To check and disconnect
computers of the users who fail to comply with provisions of the units on virus
prevention and anti-virus and other provisions on the network security
Article 14.
Prudence of databases
...
a. It runs on the network and is
independent of the server, operating system
b. It runs stably; it can
process, archive a great volume of data upon the operational requirement;
c. It can protect and grant
access right for the database resources;
d. It manages, ensures the
consistence of relational data tables and of each operational act processed on
the database
dd. The system must integrate
structured query language tool (SQL)
e. The system must support
online archive of database and restoration of database from archived version;
g. The system is capable of being updated to new versions
2. Only database that has been
tested through factual operations of similar credit institutions inside and
outside the country shall be used
3. Responsibilities of the
database administrator:
...
b. To change default passwords
right after the database is put into use
c. To grant the access right of
resources to database users
d. To prepare plan of, carry out
the data archive and check the archive result;
dd. To check, ensure the entire
restoration of the database from the archived version when necessary
e. To strictly manage archived
versions to avoid the danger of loss, danger of being changed and illegally
exploited;
g. To regularly check the status of the database both physically and
logically. To promptly apply error-fix versions (patches) from the supplier
Article 15.
Prudence of application software
1. General requirements:
a. Technical documents:
...
- Documents attached to packed
software, which is supplied by external supplier, shall include technical
documents and the documents guiding the use of software
b. The software must integrate
solutions of authentication, access control and data encryption in accordance
with the provisions in Article 8, Article 9 and Article 10 of this Regulation;
c. The software must run stably,
process data accurately and ensure the consistence of the data;
d. Operational software and
technical documents must be duplicated and safely archived at two separate
places at the minimum
2. Analysis, design and software
writing
a. Requirements on prudence,
confidentiality of operations must be determined in advance and organized,
deployed in an entire process of software development from the analysis to
deployment and running;
b. Documents on prudence,
confidentiality of the software must be systematized and archived, used under
the “Confidential” regime
3. Check, test of software
All software must experience the
following test and trial steps before being deployed and put into use:
...
b. Carrying out the trial on a
separate environment. Preparing a report on trial result to submit to competent
level for their approval and putting into use;
c. The use of real data during the trial process must be accompanied by
preventive measures to avoid its misuse or errors
4. Deploying, running the
software:
a. The deployment of the
software must not affect the prudence, confidentiality of the available IT
systems;
b. Prior to the deployment of
the software, all the risks of the deployment process for the operational
activities, related IT systems must be assessed then drawing up and deploying
solutions for restraining and overcoming risks
5. Management of software
version
a. In respect of the request for
the change of software, it is required to analyze, assess the effect of the
change on the operation and other related IT systems of the units;
b. After software versions are
successfully tested they must be strictly managed to avoid being illegally
modified and to be ready for the deployment
c. There must be clear
instructions on changing contents, guidance on the software update and other
related information attached to the new software version
...
6. Management of software source
code
a. Source codes of the software
shall be strictly managed to avoid being used or modified illegally
b. There must be agreements on the management and correction of the source
code used for maintenance where the software is developed by external partners
and the source code is not handed over
7. To comply with other
provisions on prudence, confidentiality stipulated in the Decision No.
1630/2003/QD-NHNN dated 19/12/2003 of the Governor of the State Bank of Vietnam
issuing the regulation on technical standards in the processing, procurement of
banking operation software
Article 16.
Prudence of the operating system of the server
1. The operating system to be
selected must satisfy the following requirements:
a. It can run safely and stably;
b. Its readiness is high
c. It can manage the users,
protect and grant the resource access right
...
dd. It must be updatable to new versions
e. It must check, restore the
system in the event of breakdown
2. Only the operating system that
has experienced the factual operations of similar organizations inside and
outside the country shall be used
3. Responsibilities of the
operating system administrator
a. To ensure that the operating
system which is installed on the server can work continuously, stably and
safely
b. To regularly check
configuration, files on working diary of the operating system, timely detect
and deal with breakdowns if any;
c. To grant access right and
manage the access of the users on the server which install the operating system
d. To manage changes in
technical configurations of the operating system
dd. To regularly apply error-fix versions (patches) of the operating system
from the supplier;
...
Article 17.
Prevention from computer virus and anti-virus
1. The units must deploy the
virus prevention and anti-virus for their entire IT systems. To follow up and
timely give notice to the users of new viruses and the way of prevention
2. Responsibilities for the
virus prevention and anti-virus of the users
a. To regularly check and delete
virus
b. Software, data and
information carriers received from the outside must be scanned prior to using
c. It is not permitted to open
strange mail, attached files or links in strange mails for preventing virus
d. It is not permitted to access
website without clear origin
dd. To timely update types of
virus and new anti-virus software
e. In case where virus is
detected but cannot be deleted, the user must immediately inform to the system
administrator for settlement
...
1. The connection with the
outside shall be carried out under the principle of not affecting the security
and normal operation of the network system of the units
2. Local area network system of
the units shall be separated physically or logically from the externally
connected network
3. The connection, data exchange
with the outside shall be provided in details in terms of connection standards,
services to be used, access right, data syntax and exchanging process
4. Steps of connection
deployment
a. To investigate, design system
configuration, connection method and services to be used on the network
b. To analyze effects, danger of
unsafeness and select an appropriate security solution, prevent from illegal
access
c. To submit to the Head of the
units for approving the connection plan, the way of data exchange
d. To install, check, test
successfully then put into official operation
dd. To deploy measures of
preventing from illegal penetration from the outside
...
1. The units must issue internal
regulations on management and use of Internet, ensuring the safe, efficient use
of Internet and compliance with provisions of applicable Laws.
2. Computers used for Internet
connection must be labeled for easy recognition and shall not be directly
connected to the operation processing network if the IT division of the units has
not yet determined that they have fully satisfied conditions of prudence
protection. It is not permitted to archive the documents, data belonging to the
State Secret in the computers which are connected to Internet
3. In case where there is a
design of separate network system used for Internet connection of many users,
that network system must ensure the following requirements:
a. The network separately used
for Internet connection must be separated physically from the operation
processing network or they must be separated by a firewall system which is
fully capable of controlling entire accesses between the two networks and must
ensure the prudence of operation of the software, data in the operation network
b. Sockets specially used for
Internet connection must be labeled to help the users easily recognize that it
is an Internet connection port
c. There must be a system for supervising and managing Internet users and for
managing bandwidth and time of Internet use
4. Responsibilities of the Internet users
a. To be responsible for protecting the network system of the units and to be
watchful of the negative aspects of the Internet. To take full responsibility
under provisions of applicable laws if shielding, or permitting others to use,
their equipment or password for carrying out illegal acts
b. To be subject to the
examination, supervision of the units and functional agencies of the State for
the information sent to Internet and take legal responsibility for that
information
...
d. To be responsible for
compliance with provisions on the content of information posted in the Internet
and undertaking to correctly comply with those provisions
dd. Not to be permitted to
commit acts that obstruct or destroy Internet’s activities; not to be permitted
to affect other information system through Internet, or violate interests,
honour of other individuals
e. Not to use instruments,
software and technical measures in any form to appropriate transmission line
bands, to make network blocked;
g. To comply with internal
regulation on using Internet of the units and provisions of the State, of the
industry on exploitation and use of Internet
Article 20.
Data archive
1. Requirements of the archive
system:
a. Ensuring the integrity and
sufficiency of archived data during the archive period in accordance with
applicable provisions;
b. Each type of data must be
archived correctly and in full period of time in accordance with provisions of
the State and the industry;
c. The data which are necessary
for the maintenance or restoration of the unit’s operation, in case of
breakdown, must be archived in two separate places at the minimum;
...
2. Responsibilities of the units:
a. To have a plan on equipment and technical processes for the archiving, checking, preservation and exploitation of archived data, approved by a competent authority;
b. To ensure the conditions of place and environment for the archive and preservation of information carriers in a prudent and scientific manner;
c. To maintain the equipment and software used for archiving and exploitation together with the archived data, or to convert the archived data in line with changes of the archive solution, so as to ensure that the archived data can be exploited at any time;
d. To stipulate the scope and frequency of archiving in line with each type of operational data so that the unit can restore and maintain the continuous activity of the operation in case the main operating data suffers a breakdown;
dd. To control and reconcile data against the related operational processing phases for the purpose of ensuring the accuracy, correctness and sufficiency of the data prior to archiving;
e. To record in a logbook the place, time, list of data and the person who performs the archiving and exploitation of data;
g. To issue and deploy the archive process: copying and saving data; exploiting the archived data; checking and supervising the prudence of the archived data; methods of preventing and overcoming risk to the archived data; destroying archived data which has expired; and other contents relating to the techniques of prudent and efficient archiving and preservation of archived data;
h. To comply with other provisions of the State and the Banking area on the preservation and archive of electronic vouchers.
...
a. To correctly comply with provisions on the archive and preservation of archived data, and to take responsibility for risks to the archived data caused by their subjective reasons;
b. Not to permit any organization or individual to exploit or use the archived data without the written approval of the leader of their organization or an authorized person;
c. In case of a risk, or upon detecting a danger of risk to the archived electronic data, to report immediately to a competent person for timely settlement and remediation.
Article 21. Standby activity against disaster
1. Units shall, based on the scale and importance of each IT system to the operation of the unit, choose and deploy an appropriate standby solution against disaster.
2. Units which have a centralized IT system must build up and maintain the operation of a standby center satisfying the following requirements:
a. Issuing provisions on the management and operation of the backup center;
b. The backup center must be located at least 30 km from the main processing center, measured along the straight line connecting the two centers;
c. The standby center must have full capacity of material and technical foundation and human resources, and be ready to undertake the entire role of the main processing center where required;
...
dd. The database for operational activities shall be immediately archived from the main center to the standby center;
e. Organizing a security system to ensure the prudence of the data and technical equipment system of the center;
g. The time for putting the standby center into operation to fully replace the main processing center shall not exceed 04 hours.
3. For units which have not organized a centralized operation system, the organization of the standby system must satisfy the following requirements:
a. The standby system shall not be located in the same building as the main processing system;
b. The standby system must have full technical capacity and be ready to undertake the entire role of the main system when the main system terminates operation;
c. The design of the wire line must be separated from that of the main system. An electric generator and an electric charging device must be equipped to supply a continuous, stable power source which satisfies the normal requirements of work settlement;
d. To organize absolute security and safety for the data and technical equipment system;
dd. The database of operational activities must be immediately copied for backup from the main center to the standby center;
...
4. Operation of the standby system:
a. Switching operation from the main system to the standby system shall only be performed in the situation where the main system terminates operation, and must be approved by the head of the unit;
b. The standby system shall be put into operation in compliance with the approved scenarios;
c. The exercise of switching operation from the main system to the standby system must be performed at least once a year;
d. The standby system must be inspected and supervised to ensure good operation.
5. Deployment rate of the standby system:
Units should have a plan for the deployment of the standby system against disaster for the IT system in line with the rate of progress provided for by the State Bank.
Article 22. Requirements and responsibilities of the operators
1. They must be equipped with basic knowledge about IT: computer networks (servers, clients and network equipment), the operating system and the database in use.
...
3. They shall only be entitled to perform the assigned work, and shall comply with the operational and technical processes and the running technical process.
4. They shall take responsibility for errors, lateness and unsafeness caused by their subjective reasons.
5. They shall be responsible for timely informing the administrator of the system about any breakdown of the IT system.
Article 23. Internal inspection
1. Units shall themselves organize the inspection of compliance with provisions on the prudence and confidentiality of the IT system in accordance with the provisions of this Regulation, at least once a year.
2. Inspection contents:
a. Evaluating the policy on IT security;
b. Inspecting compliance with the policy on IT security;
c. Evaluating risks which may occur and suggesting treatment;
...
dd. The inspection contents must be stated in a report and submitted to competent levels.
3. Responsibilities of the head of units:
a. To conduct and inspect, and to facilitate the IT management division and related divisions in having a plan for immediately remedying the petitions raised after the inspection;
b. To inspect the performance of petitions under the plan;
c. To determine the reason and responsibility of individuals and organizations in respect of inspection petitions from the previous inspection which have not yet been settled, if any.
Article 24. Inspection, maintenance of the IT system
1. Units shall set up a plan for regular inspection and maintenance in order to ensure the continuous, stable and prudent operation of the IT system. On an annual basis, appropriate expense and resources shall be arranged for the maintenance activity.
2. All IT systems must be periodically maintained. Based on the importance of each IT system to the operation of the unit, an appropriate maintenance level shall be set up and carried out, provided that each system shall be maintained at least once a year.
3. The minimum standby capacity of IT equipment must be kept at least equivalent to 20% of the processing requirements at peak time.
...
a. The entire maintenance process of the IT system must be recorded in a diary to follow up changes in the design and configuration of the IT system during repair, upgrading, replacement or new installation;
b. The diary files of a system must be examined regularly, systematically saved and analyzed in different ways. On that basis, breakdowns and signs of unsafeness shall be detected and overcome in a timely manner.
5. Maintenance activity:
a. Maintenance activity must be performed under a plan and scenarios, ensuring that the maintenance activity has no effect on the normal operational activities of the unit;
b. Equipment, software and databases must be checked and supervised, with breakdowns and signs of instability or overload dealt with in a timely manner; error-fixing versions must be updated and security gaps filled in a timely manner;
c. Inspecting and supervising external maintenance units so that the maintenance is carried out in conformity with the approved scenarios.
Article 25. Making report on the IT security
1. Units shall be responsible for making the following written or electronic reports to the State Bank of Vietnam (the Banking Informatics Technology Department):
a. An internal inspection report of the unit in accordance with the provisions of Article 23 of this Regulation. The report shall be submitted within 60 days at the latest from the completion of the inspection;
...
2. Contents of an unexpected report:
a. Date and place where the case occurs;
b. Reason for the case;
c. Evaluation of the risk and effect on the IT system and operations at the place where the case occurs and at other related places;
d. Methods performed by the unit to stop, overcome and prevent risk;
dd. Proposals and suggestions to the State Bank.
Chapter III
IMPLEMENTING PROVISIONS
Article 26. Dealing with violation
...
Article 27. Implementing responsibilities
1. The Banking Informatics Technology Department shall be responsible for providing guidance on, following up and examining compliance with this Regulation by units of the State Bank and credit institutions.
2. The State Bank’s Inspectorate shall be responsible for coordinating with the Banking Informatics Technology Department to inspect compliance with this Regulation by credit institutions.
3. The General Control Department shall be responsible for conducting the internal inspection activity and performing the internal audit of compliance with this Regulation by units of the State Bank.
4. Heads of units of the State Bank, Managers of the State Bank’s branches in provinces and cities under the Central Government’s management, Chairpersons of the Boards of Directors and General Directors (Directors) of credit institutions shall be responsible for the deployment and inspection of compliance with the provisions of this Regulation in their units.
Article 28. Any amendment or supplement of this Regulation shall be decided upon by the Governor of the State Bank.