More than two years since the enforcement of Circular 31/2015/TT-NHNN as replacement for Circular 01/2011/TT-NHNN, credit institutions (except for people’s credit funds and microcredit institutions), branches of foreign banks and intermediary payment service providers are now entering the new race for compliance with Circular 18/2018/TT-NHNN as a superseder that has been recently signed and adopted by The Governor of State Bank of Vietnam. The new Circular will come into effective in 01st January 2019 – in less than 2 months.
The following key areas are updated in Circular 18/2018/TT-NHNN:
- Classification of information and information systems
Classification of the information system are based on confidentiality level of the information processed and stored through the system. Three categories of information are public, internal and secret. Information system is classified into three levels: normal, important, and critically important. The subsequent provisions have been tuned according to these levels for stringent controls over level-2-and-above information systems.
- Management of using third parties’ IT services
Institutions are now enabled to use new IT services such as cloud, as long as they fully comply with the new provisions on third-party service providers. Reporting to State Bank of Vietnam about vendor capability risk assessment is enforced for the institutions outsourcing the entire operation and management of level-2-and-above information systems. Focal points of the assessment are information security risks, process integrity & continuity risks and obligational risks.
- Management of information system maintenance
Maintenance of the information systems is mandatory for those directly manged by the institutions.
- Management of cyber security incidents
New provisions for cyber security incident response and cyber security operating center have been mandated for level-2-and-above information systems with respect to the proactive monitoring, collecting, analyzing, detecting and timely responding to cyberattack risks and incidents.
- Assurance of information system continuity
Specific criteria are mandated to identify the list of information systems requiring continuous operational assurance and disaster recovery systems:
- Reporting regime
Requirements for reporting have been simplified to two reports:
- Cyber security incidents, and
- Third-party risk assessment for the institutions outsourcing the entire operation and management of level-2-and-above information systems.
- Other areas
Data backup provisions have been updated in compliance with the new Cyber security Law dated June 12, 2018 to be effective in January 01, 2019. Institutions which own both main and standby information systems set outside of the Vietnamese territory must store personal information and transaction data of the customers in Vietnam in accordance with provisions of the Vietnam Law.
Data of the level-2-and-above information systems must be automatically backed up according to the frequencies of data change and is assured to backup within 24 hours for any newly-generated data.
Solutions for load balancing and denial of service attacks are required for level-2-and-above information systems.
The level of risks associated with online transaction is the basis to design and apply the appropriate transaction authentication method.
Connections through the Internet to the institution’s local area network must be segregated in a virtual private network via multi-factor authentication.
Utility software that may affect information systems have been included in scope for access management provisions. Safe connection to servers hosting level-2-and-above information systems must be established with solution to prevent auto logon.
The scope of penetration testing covers information systems connecting and providing services over the Internet, connecting to customers and third parties. Security assessment must be performed prior to go live any level-2-and-above information systems.
Leave a Reply