What is an information system? What are the regulations on the classification of information systems in banking operations? - Quoc Kha (Long An, Vietnam)
Vietnam: Classification of information systems in banking operations (Internet image)
1. What is an information system?
According to Clause 3, Article 3 of the 2015 Law on Cyber Information Security, an information system means a combination of hardware, software and databases established to serve the creation, provision, transmission, collection, processing, storage and exchange of information in cyberspace.
2. Information classification in Vietnam
According to Article 4 of Circular 09/2020/TT-NHNN, information processed and stored in an information system shall be classified by its confidentiality as follows:
- Public information is the information that is publicly disclosed to every entity without identifying and locating such entities;
- Private information (or internal information) is the information managed and exploited by one or some entities that have been identified and located;
- Personal information is the information related to the identification of a particular client, including information on his/her account, deposit accounts, deposited assets and transactions, and other relevant information;
- Classified information includes:
  + Confidential, secret and top secret information as prescribed by the law on protection of state secrets;
  + Restricted information as prescribed by the institution.
3. Classification of information systems in Vietnam
Article 5 of Circular 09/2020/TT-NHNN stipulates the classification of information systems in Vietnam as follows:
(1) Information systems that are employed to provide online services to clients shall be classified in accordance with the provisions of the Government’s Decree No. 85/2016/ND-CP dated July 01, 2016. Other information systems shall be classified in accordance with the provisions in Clauses 2 through 7 of this Article.
(2) Level 1 information system is the information system that serves internal operations of an institution and only processes public information.
(3) Level 2 information system is the information system that meets one of the following criteria:
- An information system that serves internal operations of an institution, processes private information, personal information of users and restricted information as prescribed by the institution but does not handle classified state information;
- An information system that serves clients who do not request 24/7 service;
- An information infrastructure system that serves operations of some departments of an institution or of a microfinance institution or local people’s credit fund.
(4) Level 3 information system is the information system that meets one of the following criteria:
- An information system that processes state information classified as confidential;
- An information system that serves daily internal operations of an institution and does not halt for over 4 working hours from the time of suspension;
- An information system that serves clients who request 24/7 service and does not halt without an approved schedule;
- Payment systems that are provided by third parties to make payments outside an institution's system;
- A shared information infrastructure system that serves operations of an institution and the banking sector.
(5) Level 4 information system is the information system that meets one of the following criteria:
- An information system that processes state information classified as secret;
- An information system that serves clients, processes and stores data of at least 10 million clients;
- A national information system in banking sector that operates 24/7 and does not halt without an approved schedule;
- Important payment systems in banking sector as prescribed by the State Bank of Vietnam (SBV);
- A shared information infrastructure system that serves operations in banking sector, operates 24/7 and does not halt without an approved schedule.
(6) Level 5 information system is the information system that meets one of the following criteria:
- An information system that processes state information classified as top secret;
- A national information system in banking sector that serves connections between Vietnam and the world;
- A national information infrastructure system in banking sector that serves connections between Vietnam and the world.
(7) If an information system is comprised of various constituent systems which are classified in different levels, the entire system shall adopt the highest among levels of constituent systems.
(8) Institutions shall determine the classifications of their information systems in accordance with the provisions in Clauses 1 through 7 of this Article.
Required documents and procedures for appraisal and approval for information systems by classification shall comply with Decree No. 85/2016/ND-CP.
Documents submitted for approval for level 4 or 5 information system shall be sent to SBV (via the Information Technology Department) for its opinions.
(9) The list of information systems by classification shall be compiled, reviewed and updated after a system is developed and on an annual basis.
Quoc Dat