On 21 August 2018, the Governor of the State Bank promulgated Circular No. 18/2018/TT-NHNN, replacing Circular No. 31/2015/TT-NHNN dated 28/12/2018, providing for assurance of information systems safety and security in banking operations. This Circular will take effect from 01 January 2019.
Under Circular No. 18/2018/TT-NHNN, information processed and stored in information systems is classified by confidentiality type as follows:
– Public information is information that is publicly available to all persons without the need to determine the identity or specific address of such persons;
– Internal information is information of the organization for which the right to manage or exploit is assigned to one or a group of identified subjects within the organization;
– Confidential information is information that is: (i) ranked at the confidentiality level by the organization and restricted to a limited audience; or (ii) secret or top secret under the law on protection of state secrets.
The minimum information security regulations cover the following basic contents: information technology asset management; human resource management; ensuring the physical and environmental safety of installation sites; operation management and information exchange; access management; management and use of third-party information technology services; management of receiving, developing and maintaining information systems; information safety management; and ensuring continuous operation of the information system.
Requirements for the information system of an organization providing online transaction services to customers: the integrity of the data exchanged with customers in online transactions must be ensured; data on the transmission line must be kept confidential, must be transmitted in full and to the correct address, and must be safeguarded against unauthorized modification or duplication; online transaction sites must apply measures to counter fraud and to prevent or combat unauthorized modification.
Authentication of customer transactions must be done directly in the information system of the organization. Where an organization uses third-party authentication services, the organization must manage at least one authentication element.
The online transaction service system must apply measures to closely monitor, detect and warn about suspicious transactions, based on at least the following criteria: transaction time, place of transaction (geographical location, network IP address), transaction frequency, transaction amount, and number of incorrect attempts.
Customers must be provided with guidance on measures to ensure information safety, and with risk warnings, before they participate in online services and periodically thereafter.
As can be seen, Circular No. 18/2018/TT-NHNN was issued to bring banking regulations up to date with the new provisions of the Law on Information Security and its guiding documents, and at the same time to adjust security requirements in line with the rapid development and diversity of information technology and with the information security situation in the banking industry.