CIRCULAR
On safety and security for the provision of banking services on the Internet

Pursuant to the Law on the State Bank of Vietnam No. 46/2010/QH12 of 16 June 2010;
Pursuant to the Law on Credit Institutions No. 47/2010/QH12 of 16 June 2010;
Pursuant to the Law on Electronic Transactions No. 51/2005/QH11 of 29 November 2005;
Pursuant to Decree No. 35/2007/ND-CP of 8 July 2007 of the Government on electronic transactions in banking activities;
Pursuant to Decree No. 64/2001/ND-CP of 20 September 2001 of the Government on payment activities through payment service providers;
Pursuant to Decree No. 26/2007/ND-CP of 25 February 2007 of the Government detailing the implementation of the Law on Electronic Transactions regarding digital signatures and digital signature certification services;
Pursuant to Decree No. 96/2008/ND-CP of 26 August 2008 of the Government defining the functions, tasks, powers and organizational structure of the State Bank of Vietnam;
Pursuant to Decree No. 97/2008/ND-CP of 28 August 2008 of the Government on the management, provision and use of Internet services and electronic information on the Internet;
The State Bank of Vietnam provides for safety and security in the provision of banking services on the Internet as follows:

Chapter I
GENERAL PROVISIONS

Article 1. Scope and subjects of application
1. This Circular stipulates the requirements for ensuring safety and security in the provision of banking services on the Internet.
2. This Circular applies to credit institutions and branches of foreign banks that provide Internet Banking services in Vietnam (hereinafter referred to as service providers).
Article 2. Interpretation of terms
In this Circular, the terms below are interpreted as follows:
1. Internet Banking: banking services provided via the Internet, including:
a) Information about the service provider and the services it offers.
b) Information lookup services, such as retrieving and querying account balances and other information.
c) Online financial transactions, such as account services, funds transfers, credit extension and payments made through the customer's account.
d) Other services as prescribed by the State Bank.
2. Internet Banking system: a structured collection of hardware, software, databases, networks, communications and security equipment serving the management and provision of banking services on the Internet.
3. Customer: an organization or individual that uses the Internet Banking service.
4. Two-factor authentication: an authentication method that requires two different factors to prove the validity of an identity. Two-factor authentication combines something the user knows, such as a customer number and password, with a factor the user possesses or presents, such as a one-time password (OTP), a random grid matrix card, a biometric marker or another supporting device, to prove identity.
5. Privileged account: an account used to access an information technology system in order to perform special tasks or access sensitive data. Privileged accounts are typically used for device configuration, system management, operating system administration, database administration or business administration (e.g. the root, supervisor and system administrator accounts).
Article 3. General principles for service providers offering banking services on the Internet
1. Ensure confidentiality
a) Ensure the confidentiality of information relating to customers' accounts, deposits, assets and transactions in accordance with the law.
b) Customer passwords, encryption keys and other keys must be encrypted during transaction processing, on transmission media and when stored at the service provider.
2. Ensure availability
a) Commit publicly to the continuous operating capability of the Internet Banking system and state this commitment clearly in the service contract with customers. The commitment must at a minimum cover the total system downtime allowed per year, the hours of the day during which the service is provided, and the time to recover after a system failure.
b) Provide sufficient information technology infrastructure and personnel to guarantee continuous Internet Banking service in line with the unit's commitment to customers.
c) Build, issue and comply with operating procedures for the Internet Banking system.
d) Use monitoring tools to track the performance of the primary and backup systems so as to ensure continuous operation.
3. Ensure integrity
a) Ensure the integrity of information during processing, storage and transmission between the service provider and customers.
b) Combine administrative and technical security measures for:
- physical access;
- the entry, processing, transmission, storage, backup and restoration of data.
4. Customer authentication and transaction authentication
a) Ensure that the customer is authenticated and identified when accessing and using the Internet Banking service.
b) Use two-factor authentication on the Internet Banking system for payment transactions and significant transactions such as linking accounts, registering third-party payments, changing the daily transaction limit, and changing account information related to the customer's personal data (such as home address, contact phone number, e-mail address and other information used to authenticate the customer).
5. Protect the customer
a) Provide full information on the customer's rights and obligations before signing the service contract. In the contract, the service provider must specify how it will ensure the terms set out in this Article for the customer. The service provider is responsible for fulfilling the responsibilities stated in the contract concluded with the customer.
b) In the service contract, the service provider must clearly state its responsibility for the security of customers' personal information when they use the Internet Banking service; specify how the bank collects and uses customer information; and commit not to sell, disclose or leak that information.
c) Take measures to ensure safety and security when the service provider distributes software to customers over the Internet.
d) Be responsible for checking for, warning about and taking measures to prevent fake websites that imitate the service provider's Internet Banking service; at the same time, inform customers how to identify the genuine website.
Chapter II
SPECIFIC PROVISIONS

Article 4. Safety and security policy
Build and issue regulations on safety and security for the Internet Banking system that are consistent with the State's and the banking industry's regulations on the safety and security of information technology systems and with the unit's own information technology security regulations. At least once a year, the unit must review, amend and improve these regulations to ensure they remain appropriate, complete and effective.
Article 5. Human resource management
1. Select staff with sufficient moral character, qualifications and ability to meet the professional and technical requirements when assigning tasks related to the Internet Banking system.
2. The tasks of system administration, development, maintenance of application software and operation of the system must be assigned to different departments and individuals. Ensure cross-control so that no single individual has full control over the system or can independently initiate or intervene in transactions on the Internet Banking system. Have clear rules on the responsibilities and permissions of each of the groups or individuals listed above. Privileged accounts on the Internet Banking system must be designed so that they can be accessed only in the presence of at least two people, and every activity of such accounts must be tightly controlled.
3. Have specific, clear and complete rules on the management and monitoring of third-party personnel when they access the Internet Banking system. Safety and security requirements and agreements must be clearly identified in the contract with the third party.
Article 6. Network environment
1. Take measures to partition the network to ensure access control for the system.
2. Take measures to detect and prevent intrusions and to prevent the spread of malicious code within the system.
3. Build and implement backup plans for critical points whose failure would have a high impact on the network or could paralyze the unit's entire network system.
4. Wireless connections must use authentication measures to ensure safety.
5. Ensure sufficient bandwidth for the provision of the Internet Banking service.
6. Update system patches and configuration updates for network devices and security devices at least every six months. When a fault is detected, the update must be performed immediately.
7. Network equipment, security equipment, security and anti-virus software, and network analysis and administration tools installed on the unit's network must be properly licensed and of clearly identified origin.
Article 7. Hardware and system software
1. Ensure that the server infrastructure and accompanying equipment serving the Internet Banking system (hereinafter referred to as the Internet Banking server) have sufficient capacity, performance and processing speed to meet the requirements of customers using the service.
2. Requirements for the Internet Banking server
a) Have high-availability features and flexible backup mechanisms to ensure continuous operation.
b) Be placed in a secure location that is closely monitored.
c) Be logically or physically separated from the servers for other business activities.
3. Requirements for system software:
a) Review and update system software patches as recommended by the vendor at least every six months.
b) Establish a list of software permitted to be installed on the Internet Banking server and, at least every three months, update the list and check that the server complies with it.
Article 8. Application software
1. General requirements
a) The safety and security requirements of the services must be identified in advance and built into the entire software development life cycle, from analysis and design through deployment and maintenance.
b) Documents on the safety and security of the software must be codified, stored and used as a complete set.
c) Before deploying a new application program, assess the risks of the deployment process to business activities and to related information technology systems, deploy in a limited manner, and fix vulnerabilities.
d) Identify and record the unusual activities and transactions arising in the system.
2. Application software testing
a) Establish and approve test plans and test scripts for applications offering the Internet Banking service, stating the safety and security conditions that must be met.
b) Detect and eliminate, during system testing, errors and fraud that may occur when input data is entered, as well as security flaws.
c) Record the errors and the error-handling process, especially safety and security errors, in the test report.
d) Testing of safety and security features must be performed on common browsers such as Internet Explorer, Mozilla Firefox and Google Chrome.
đ) Conduct tests in a test environment that does not affect the normal operation of the business. Report test results to the competent authority for approval before the software is put into use.
e) Take precautions with the data used for testing so that it cannot be exploited or cause confusion.
3. Version management and upgrades
a) For each request to change the software, analyze and evaluate the impact of the change on the current system as well as on the business and the information technology systems of other relevant units.
b) Software versions, including source code, must be centrally managed, stored and secured, with a permission mechanism governing each member's operations on the files.
c) Information on the version, the update time and the person who performed the update must be recorded.
d) Each version to be upgraded must be tested for safety, security and stability before official deployment.
đ) Version upgrades must be based on test results and approved by the competent authority.
e) Software versions that have passed testing must be tightly managed, protected against unauthorized modification and kept ready for deployment.
g) Each new software version must come with clear instructions on the changes made, a guide to updating the software and other related information, and must be approved by the competent authority before being deployed to customers.
4. Source code control
a) Inspect the source code in order to eliminate malicious code and security vulnerabilities (back doors).
b) Specifically designate the individual responsible for managing the source code of the Internet Banking system.
c) Access to the source code must be approved by the competent authority and must be monitored and logged.
d) Source code must be securely stored in at least two separate locations.
đ) Where the service provider purchases software from a third party without receiving the source code, the service provider must require the third party to sign a commitment that the application software delivered to the service provider contains no malicious code.
Article 9. Database security
1. Use only database management systems that are properly licensed, of clear origin and proven in practice in the professional operations of similar institutions in Vietnam or abroad.
2. The database management system used for the Internet Banking system must meet operational requirements; process and store large volumes of data as required by the services; and provide protection mechanisms and access permissions for database resources.
3. Review and update patches and fixes for the database management system at least every six months, or promptly after they are recommended by the supplier.
4. Build backup and redundancy options for the database to ensure continuous operation of the Internet Banking system in the event of a database problem.
5. Implement access permissions and strict regulations for individual access to the database. Log database access and database configuration changes.
6. Have a solution to prevent attacks on the database.
Article 10. Data encryption
1. Choose encryption algorithms that meet the confidentiality requirements and the processing capacity of the Internet Banking system.
2. The encryption algorithms in use must be checked at least once a year to re-evaluate their level of safety and to promptly address any weaknesses found.
3. No single individual may perform the entire process of creating an encryption key. Encryption keys must be created, modified, distributed and stored in a secure manner.
4. Ensure that encrypted information can be restored when necessary.
5. Have strict regulations on the recovery of encryption keys, including key revocation and key recovery.
Article 11. Log management
1. Log the following events for the Internet Banking system:
a) System access.
b) System configuration operations.
c) Authentication events.
d) Granting and revocation of system access and service use.
e) Unusual access.
2. Log and monitor financial transactions on the Internet Banking system.
3. Logs of the Internet Banking system must be secured, protected, archived and retrievable when needed. Logs must be kept for at least 3 years.
4. Check access logs to detect and prevent illegal access at least once a month.
Article 12. Incident management
1. Build an incident management process that specifies the responsibilities of the departments concerned and details the steps to take, including notifying customers and reporting to the State Bank.
2. The incident management process must be reviewed and updated at least every six months.
3. Apply technical solutions for the timely detection and handling of denial-of-service attacks, such as firewalls; intrusion detection and prevention devices; attack-warning appliances; diversion of network traffic; and packet filtering when under attack.
4. Require third parties to provide troubleshooting procedures for the services they provide in connection with the Internet Banking system.
Article 13. Customer guidance
1. Clearly state the rights and obligations of the customer and of the service provider with respect to the provision and use of the Internet Banking service.
2. Guide customers on keeping safe while using Internet Banking services, including:
a) Setting and protecting passwords.
b) Not sharing passwords, storage devices or digital signatures.
c) Not using the web browser option that saves the user name and password.
d) Logging out of the Internet Banking system when not in use.
đ) Being cautious about, and limiting, the use of public computers and public wireless networks to access the Internet Banking system.
e) How to reach the correct address of the service provider's Internet Banking application.
g) Notifying the service provider of errors and problems encountered while using the service.
h) Warnings about other risks.
Chapter III
REPORTING

Article 14. General requirements
The service provider is responsible for submitting reports to the State Bank of Vietnam (Department of Information Technology) in accordance with Articles 15 and 16 of this Circular.
Article 15. Types of report
1. Report on the provision of Internet Banking services:
a) For units that provided the service before the effective date of this Circular: the unit must submit the report within 10 working days from the effective date of this Circular.
b) For units that begin providing the service after this Circular takes effect: the unit must submit the report at least 10 working days before officially offering the Internet Banking service.
2. Annual report: service providers must submit the report on the previous year by 15 March every year.
3. Irregular reports: the service provider must submit an irregular report when an unsafe incident occurs or an incident affects the operation of the Internet Banking system, within 5 days from the time the problem arises or is detected.
Article 16. Report contents
1. The report on the provision of Internet Banking services includes:
a) The address of the service provider's website.
b) The products and services being provided.
c) When the service is offered.
d) The unit providing the Internet Banking system products.
đ) Third parties hired or cooperating in building or operating the Internet Banking system; the activities related to the Internet Banking system that involve third parties, and the form of the third parties' participation.
e) Documents including: the information technology and communications infrastructure, human resources, technical processes, the risk management process and other related matters under Chapter II of this Circular.
2. The annual report includes:
a) The Internet Banking products and services currently provided.
b) Changes in Internet Banking products and services since the previous report.
c) Changes to the documents specified in point e, Clause 1, Article 16 since the previous report.
d) The number of customers using the Internet Banking service and the customer growth rate compared with the same period of the previous year.
đ) Problems that arose during the period, reported by risk group, together with the damage caused and the handling measures applied.
e) Recommendations and proposals.
3. Irregular reports include:
a) The date and place the problem arose.
b) A preliminary description of the incident and the situation when it occurred.
c) The causes of the problem.
d) A risk assessment of the effects on the Internet Banking system and other related systems.
e) The measures the unit has taken to troubleshoot, stop and prevent the risk.
g) Recommendations and proposals.
IMPLEMENTATION PROVISIONS

Article 17. Effect
1. This Circular takes effect from January 4, 2011.
2. Circular No. 09/2003/TT-NHNN of 5/8/2003 of the Governor of the State Bank guiding the implementation of certain provisions of Decree No. 55/2001/ND-CP of 23 August 2001 of the Government on the management, provision and use of the Internet, and Circular No. 01/2008/TT-NHNN of 10/3/2008 amending and supplementing Circular No. 09/2003/TT-NHNN dated JAN., cease to be effective from the date this Circular takes effect.
3. If problems arise during implementation, the organizations and individuals concerned should promptly report them to the State Bank of Vietnam (Department of Information Technology, 64 Nguyen Chi Thanh, Dong Da, Hanoi) for consideration and handling.
Article 18. Responsibilities
1. The Department of Information Technology is responsible for monitoring and inspecting service providers' implementation of this Circular, through the units' annual reports or on-site inspections, in order to evaluate compliance with the regulations and the safety and security of the units' Internet Banking systems; and for consolidating and reporting to the Governor on the safety and security of Internet Banking services across the banking system in Vietnam.
2. The Banking Inspection and Supervision Agency is responsible for coordinating with the Department of Information Technology in inspecting and supervising the implementation of this Circular and in handling administrative violations in accordance with the law.
3. The Chief of Office, the Director of the Department of Information Technology, the heads of units of the State Bank of Vietnam, the Directors of State Bank branches in provinces and centrally-run cities, and the Chairmen of the Boards of Directors, Chairmen of the Members' Councils and General Directors (Directors) of credit institutions and branches of foreign banks providing Internet Banking services are responsible for implementing this Circular.