Regulations on Information System Security in Banking Activities

For the management and use of mobile devices, Circular 18 clearly states: Mobile devices connected to the organization's internal network must be registered for control.

The State Bank of Vietnam has just issued Circular 18/2018/TT-NHNN (Circular 18) regulating the safety of information systems in banking operations.

Circular 18 categorizes IT assets as follows:
- Information assets include data and information in digital form processed and stored through information systems;
- Physical assets include IT devices, communication means, information-carrying devices, and equipment serving the operation of information systems;
- Software assets include system software, utility software, middleware, databases, application programs, source code, and development tools.

Regarding the management of software assets as per Article 9 of Circular 18, each information system must list software assets with basic information including asset name, value, usage purpose, range of usage, managing entity, information about copyrights, version, and corresponding information system. Software assets must be assigned responsibility to individuals or management departments. Software assets must be periodically reviewed and updated with security patches. When stored on information-carrying devices, software assets must comply with regulations in Article 11 of this Circular.

Concerning the management of mobile devices, Circular 18 states clearly: Mobile devices connected to an organization's internal network must be registered for control. The scope of connections from mobile devices to the organization's services and information systems must be limited, and connections from mobile devices to permitted information systems within the organization must be controlled. It also details the responsibilities of individuals in the organization when using mobile devices for work.

Notably, mobile devices used for work must adhere to minimum technical measures including: Enabling functions to disable, lock the device, or erase data remotely in cases of loss or theft; Backing up data on mobile devices to protect and restore data when needed; Implementing data protection measures during warranty, maintenance, and repair of mobile devices.

For mobile devices that are organizational assets, besides applying regulations in Clause 4 of this Article, the following minimum technical measures must be applied: Controlling installed software; updating software versions and patches on mobile devices; Using features to protect internal and confidential information (if any); setting secret lock codes; installing anti-malware software and addressing other security issues.

Circular 18 also specifies activities for cyber security incident response. The cyber security response network in the banking sector (the Network) has the duty to coordinate resources inside and outside the sector to respond effectively to cyber security incidents, contributing to the safe operation of the banking system. The Network includes: the Management Board of the Network, established by the Governor of the State Bank; the Coordinating Agency, which is the Information Technology Department (State Bank of Vietnam); and Network members, namely the Information Technology Department (State Bank of Vietnam), credit institutions (dedicated information security departments), and agencies and organizations that participate in the Network voluntarily.

Circular 18 consists of 3 chapters and 55 articles and takes effect from January 1, 2019.

Source: Banking Times
