What are access control requirements in banking operations in Vietnam?
According to the latest regulations, what are access control requirements in banking operations in Vietnam? Please get back to me.
What are access control requirements in banking operations in Vietnam? (Image from the Internet)
According to Article 28 of Circular 09/2020/TT-NHNN (Effective from January 1, 2021), regulations on access control requirements are as follows:
1. Each institution shall set out regulations on management of access of users, group of users, devices and tools used for purposes of access to the information system which must ensure conformity to operational requirements and information security requirements, including the following basic contents:
a) Register, grant, renew and revoke access rights of users;
b) Each user account shall be given to the only person to access the system; any sharing of a user account requires an approval from the competent authority and determination of the user’s responsibilities at each time of use;
c) The user account which is automatically connected to applications/services must be managed to an administrator and granted with limited access rights depending on purpose of use; the administrator shall be not allowed to use this user account for any other purposes;
d) The use of administrator’s accounts to obtain access to an information system of level 3 or higher and other information systems that process personal information of clients must be limited and control by means of: (i) Formulate a mechanism for controlling the creation of administrator’s accounts in order to ensure that no administrator’s account shall be used without an approval from the competent authority; (ii) Adopt measures to monitor the use of administrator’s accounts; (iii) Limit the use of administrator’s accounts to an amount of time which is long enough to perform tasks and revoke the access rights upon task completion; (iv) Any system administration connection must be made through the proxy server or centralized management systems and cannot made directly from the administrator's server;
d) Manage and grant password to access information systems;
e) Review, check and revise users’ access rights;
g) Set out information security requirements or conditions in respect of devices and instruments used for access purposes.
2. Each institution shall set out regulations on management of passwords which must meet the following requirements:
a) A password must have at least six characters, including numbers, uppercase letters, lowercase letters and other special characters if allowed by the system. A valid request for a password must be checked automatically during the process of setting up a new password;
b) A default password set by a manufacturer on a device or software must be changed before use;
c) Password management software must be developed with the following functions: (i) Requesting change of a password on first login (except one-time password); (ii) Notifying users of change of an expiring password; (iii) Invalidating an expired password; (iv) Invalidating a password in case the number of incorrect entry exceeds the permitted one; (v) Granting permission to promptly change a password which has been disclosed or is exposed to a risk of being disclosed or upon the request of users; (vi) Preventing use of an old password during a specified period.
3. Each institution shall set out regulations on responsibilities of users who are granted access rights, including the following contents: Use a password in accordance with regulations; treat this password as confidential; use devices or instruments for access and sign out of the systems when stopping work or temporarily leaving the systems.
Above is the content about the access control requirements in banking operations according to the latest regulations.
Best Regards!
