Vietnam: 08 institution’s responsibilities for use of services provided by a third party

According to the Circular No. 09/2020/TT-NHNN of the State Bank of Vietnam, when using services provided by a third party, each institution shall:

1. Provide, notify and request the third party to comply with the institution’s regulations on information security.

2. Adopt procedures and arrange staff members to supervise and control services provided by the third party in order to ensure the service quality as agreed upon in the signed contract. With regard to cloud computing services, service quality must be supervised and controlled.

3. Impose the institution’s regulations on information security on devices and services provided by the third party which are operated on the infrastructure managed and use by that institution.

4. Manage any change made to services provided by the third party, including change of supplier, change of solution, upgradation of new version, or change of the contents prescribed in Article 41 hereof; Fully evaluate impacts of such change and ensure such services are in safe working conditions.

5. Apply measures to strictly oversee and restrict access rights of the third party when they access the institution’s information systems.

6. Supervise the third party’s personnel during the process of contract execution. Whenever any violation against regulations on information security committed by a staff member of the third party is discovered, the institution must notify and collaborate with the third party in application of measures to deal with such violation in a timely manner.

7. Withdraw the right of access to the information systems granted to the third party, change keys or passwords handed over by the third party immediately after work duties are completed or the contract is terminated.

8. With regard to information systems of level 3 or higher or information systems that process clients’ personal information or use cloud computing services, assessment of compliance with regulations on information security by the third party under provisions of the signed contract must be carried out. Such assessment of compliance shall be carried out on an annual or ad hoc basis whenever necessary. Results of information technology audits conducted by the independent audit organization may be used in such assessment.

View more details at the Circular No. 09/2020/TT-NHNN of the State Bank of Vietnam, effective from January 01, 2021.

Thuy Tram

>> CLICK HERE TO READ THIS ARTICLE IN VIETNAMESE