DECISION

ON THE ISSUANCE OF THE REGULATION ON THE PRUDENCE AND CONFIDENTIALITY OF THE INFORMATICS TECHNOLOGY SYSTEM IN BANKING AREA

THE GOVERNOR OF THE STATE BANK

- Pursuant to the Law on the State Bank of Vietnam issued  in 1997; the Law on the amendment, supplement of several articles of the Law on the State Bank of Vietnam issued in 2003;
- Pursuant to the Law on Credit Institutions issued in 1997; the Law on the amendment, supplement of several articles of the Law on Credit Institutions issued in 2004;
- Pursuant to the Ordinance on State secret preservation No.03/2000/PL-UBTVQH10 dated 28/12/2000 of the Standing Committee of the National Assembly;
- Pursuant to the Decree No.33/2002/ND-CP dated 28/03/2002 of the Government providing in details for the implementation of the Ordinance on State secret preservation;
- Pursuant to the Decree No. 52/2003/ND-CP dated 19/5/2003 of the Government providing for the function, assignment, authority and organizational structure of the State Bank of Vietnam;
Upon the proposal of the Director of the Banking Informatics Technology Department,

DECIDES:

Article 1. To issue in conjunction with this Decision the “Regulation on the prudence, confidentiality of the informatics technology system in Banking area”.

Article 2. This Decision shall be effective after 15 days since its publication in the Official Gazette.

Article 3. The Director of Administrative Department, the Director of the Banking Informatics Technology Department, Heads of units of the State Bank, Managers of the State Bank’s branches in provinces, cities under the Central Government’s management, Chairperson of the Board of Directors, General Directors (Directors) of credit institutions shall be responsible for the implementation of this Decision.

...

...

...

FOR THE GOVERNOR OF THE STATE BANK OF VIETNAM
DEPUTY GOVERNOR




Phung Khac Ke

REGULATION

ON THE PRUDENCE, CONFIDENTIALITY OF THE INFORMATICS TECHNOLOGY SYSTEM IN BANKING AREA
(Issued in conjunction with the Decision No.04/2006/QD-NHNN dated 18/01/2006 of the Governor of the State Bank)

Chapter I

GENERAL PROVISIONS

Article 1. Governing scope

This Regulation provides for requirements for the users and basic criteria of the prudential technique of the informatics technology system of the State Bank and Credit Institutions except for the Local People’s Credit Funds (hereinafter referred to as units), for the purpose of unifying the management of the application of informatics technology in banking activities in a prudential and efficient way.

...

...

...

1. Informatics technology system (IT) is a structural group of equipment of hardware, software, database and the network system serving one or several technical, operational activities.

2. Fire wall is a group of components or a system of equipment, software being set between the two networks for the purpose of controlling the entire connections from the inside to the outside of the network or vice versa.

3. The integrity of the data is the existent status of the data like they are in the original documents and not changed in terms of data, structure or the data of which is not lost.

4. Configuration management is the management of changes in hardware, software, technical documents, checking tool, connection interface, operating technical procedure, installation configuration and all other changes of the IT system during the process from the installation to the operation.

5. Archive is to create a copy of the software or data for the purpose of the preservation against losses, corruption of the original software, data.

6. Virus is a computer program which is able to multiply, transmit in the computer network or through information carriers, can destroy data or do some unexpected functions for the IT system.

7. Authority grant: is the permission grant which is given to an individual in accordance with the organizational procedure which has been previously formed for his access, use of a program or a process of the IT system.

8. Password is a string of characters or a confirmation mode of the secrecy identification which is used for authenticating the user’s right.

9. Network security system: is a group of fire wall equipment; equipment for controlling, discovering illegal access; software for the administration, following up, recording diary on the status of network security and other equipment which has a function of prudential assurance for the network operation and all of them synchronously operate under a consistent network security policy for close control over the activities in the network.

...

...

...

Article 3. Responsibilities of the units

1. To issue policies on prudence, confidentiality of the IT system (hereinafter referred to as IT security policies), organize the implementation and examination for the implementation of those policies. To update, on regular basis, the IT security policies in line with changes in the IT system of the units, running environment and scientific technical advances in the IT security area.

2. To arrange necessary resources for carrying out the equipment, deployment, running, management, supervision and processing of breakdowns in the activity of IT application,  ensuring the confidential, prudential operation of the IT systems and corresponding with the requirements of operational activities and the IT security strategy of their units. To take preventive measures, to detect and timely deal with frauds, errors, instability and other extraordinary, unsafe elements.

3. To organize an appropriate IT security management division for uniform management, deployment of IT security activities from the stage of plan preparation, designing, installation deployment to the running stage of the IT system in line with the provisions in this document. To select, train an IT system administrator who satisfies such standards as: having professional virtue, being knowledgeable of IT security and equipped with knowledge concerning operational activities and the IT system of the units. Decision on the assignment of administration duty for the IT system must be made in writing.

4. To ensure that the IT system is always ready at the high level; to set up, test backup plans and restore the system in the event of breakdowns or disaster.

5. To assess the ability, feasibility, risks relating to IT activities supplied by external partners; to set up agreements to clearly define the relationship, obligations and responsibilities of the parties participating in the IT service supply such as: level of service supply, expected running result, ability of implementation, ability of expansion, compliance level, backup plan, backup levels, prudence and confidentiality, service suspension, control over obligations of contract implementation and relationship with related IT systems.

6. To organize, on regular basis, training courses to update users’ the knowledge about IT security in line with the duties they are in charge of;

7. Equipments, software, data used in the operational activities must be supported by the copyright in accordance with provisions of applicable laws

Article 4. Requirements of information security

...

...

...

2. Intactness: incompetent persons shall not be entitled to modify, delete or supplement the information

3. Readiness: information shall be always ready to satisfy using demand of competent persons

4. Non-negation: Information creator shall not be permitted to deny his responsibility for the information he created

5. Truthfulness: source of information must be clearly defined

Article 5. Determination of security requirements of the IT system

The classification of requirements, levels of investment in the security of the IT system of the units shall be clearly determined based on the following elements:

1. Role of the IT system in the implementation of the units’ targets

2. Source, danger to occur risks for the IT system

3. Ability to overcome in case of risk

...

...

...

5. Effect of risks, if any, on the activities of the units in particular and general activities of banking industry.

Article 6. Acts to be strictly forbidden

1. Not to comply with provisions on the security of the IT system of the State, industry and of the units;

2. To access, supply and disperse information illegally

3. To disclose the system architecture, algorithm of the IT security system

4. To illegally modify the architecture, operating mechanism of the IT system

5. To use IT equipments of the units for individual purposes

6. Other acts that obstruct, destroy the operation of the IT system

Chapter II

...

...

...

Article 7. Management, authentication of users in the IT system

1. All the IT systems must be capable of management and authentication of the users who are accessing those systems

2. Activities of transactions which are processed centrally and immediately through the computer network shall be organized based on the system of management, authentication of centralized users

3. Processes, programs, instruments, algorithm used to set up password, identification device and key database which is used to check the access shall be managed, used under the “Confidential” regime

4. Requirements for the organization of the authentication system:

a. Having separate process on management and authentication of the users for each IT system in line with the requirements of prudence, confidentiality of above-mentioned processing operation;

b. Authenticating the access right of the users by account, identification device or by both; and the users shall only be granted enough authority to perform their assigned tasks;

c. Password, identification data used for the access authentication shall be kept secret during the process of archive, transmission through the network and displayed on the users’ monitor;

d. The environment where the authentication equipments are located must be secret, prudential for the use of code, identification device;

...

...

...

e. Temporarily suspending the working right of the users who have been registered on the IT system, but are not temporarily working on this system within a period of 60 days upwards;

g. On weekly basis, examining the system-access diary, detecting and timely dealing with cases which illegally access or carry out manipulation acts beyond the assigned limit of the users.

Article 8. Methods of authentication

1. Authentication by identification (ID) and password must satisfy the following requirements:

a. A password must have the length of 6 characters upwards, consist of numbers, letters and other special characters if permitted by the system. Requirements of valid password shall be automatically checked upon setting up the password;

b. Default passwords availably installed on equipments, software, databases by the producer must be changed right after they are put into use

c. Software on management of passwords must contain such functions as: informing users to change their passwords which are about to expire; canceling the effectiveness of expired passwords, permitting the users to change passwords which have been revealed, are likely to be revealed or upon request of the users; preventing users from reusing old passwords in a certain time.

2. Authentication by card must clearly provide for responsibilities of parties that issue and use cards

3. Authentication by biometric method must ensure the prudence of the users during the collection of biometric elements

...

...

...

a. Checking subjects applying for the grant of number certificate and key code legally and validly

b. Checking the validity of the number certificate prior to examining, accepting transactions which use the number certificate

c. Controlling, timely updating into databases cancelled number certificates to avoid being benefited;

d. Having measures for protecting the prudence of root key and equipments of the number certificate system;

dd. Recording diary on the entire process of granting, changing, canceling the number certificates and key codes;

e. Examining extraordinary events, on regular basis, of the number certificate system to timely detect changes and illegal access.

Article 9. Controlling the access to the IT system

1. All IT systems shall be set up a function of access control, warning, preventing users from illegal access or misusing their function, authority in the system

2. The system of access control must have the following functions:

...

...

...

b. Managing, authenticating the connection of terminal devices as well as accepting the internal devices to carry out the connection;

c. Not permitting the users, except for system administrator, to concurrently access several terminal devices at a certain time;

d. The terminal devices shall be automatically installed to convert to non-operating status, locked monitor status with password or automatically escape from the system after a period of time of non-use.

Article 10. Data encryption

1. The sensitive, important data which is transmitted on the computer network shall be encrypted

2. Only encryption techniques that have been tested, assessed as reliable enough by prestigious IT security organizations in the country or in the world. The complication of selective encryption algorithm must be in line with the confidential level of data that needs protecting and processing ability of the IT system;

3. Secret elements used for encryption technique must be independently installed from supplier and changed on annual basis at the minimum

4. Equipment, software used for encryption solution must be concurrently archived with encrypted data; or convert the encrypted data to new data type in the event of any change in encryption method in order to ensure the original data restoring from data of encryption type at any time;

5. The encryption solution which is in use must be regularly checked, assessed in terms of the prudential level and shortcomings (if any) of which must be timely dealt with.

...

...

...

1. The IT systems must have a function of recording supervision diary for activities of those systems. Clock of equipments in the same IT system must be synchronized from a source for ensuring the accuracy of supervision diary.

2. Accesses and manipulation acts that affect the operation of the system shall be recorded in the diary. Diary file must be protected from any change

3. The Head of units shall provide for the regime on diary record, archive time of diary file for each IT system in order to supervise the system’s activities and support the audit work.

4. System administrator shall be responsible for examining diary files of the system on regular basis in order to detect, settle and timely prevent breakdowns resulting in unsafeness, instability of the IT system

Article 12. Physical safety

1. Server room and other areas where IT equipments are situated, used must have regulations and take measures for protection, entry and exit control to ensure that only persons with duty can enter into those areas

2. All works carried out in the server room shall be recorded in daily working diary

3. Computer room must ensure industrial hygiene: not dilapidated, unabsorbed; the equipments are installed on the technical floor, not directly contact the sunshine; humidity, temperature satisfy standards provided for the equipments and server; to be fully equipped with devices for preventing and protecting fire, explosion, flood, anti-thunder system and security system for preventing illegal access

4. It is required to take measures for supervision, security protection, and prevention from illegal access and management of the use of the equipments used for installation outside the units’ office

...

...

...

6. Programs, data of the units, which are likely to be benefited, must be rejected when handing over the equipments containing those programs, data to external units or upon making assess liquidation

7. Power source supplied to the IT system:

a. The server room must be equipped with a separate power source with industrial technical standards which are in line with the equipments installed in the computer room

b. Backup power source must meet the standard, capacity for normal operation of the IT system during the time when the main power source meets breakdown

Article 13. Prudence of the computer network

1. Documents on technique and operation of the computer network system shall consist of the following types:

a. File on the investigation, design and technical explanation of the network;

b. Documents which determine the design of the network to fully meet standards for safe operation through the self-checking, self-assessment of the units or by specialized agency of the State

c. Process on the management and operation of the network

...

...

...

a. Being able to control, supervise network accesses

b. Being able to prevent illegal accesses;

c. Recording the diary on the network access

d. Having process on breakdown settlement and disaster prevention

dd. Having administrative, technical measures to prevent the illegal access to equipments, network transmitting line

3. Responsibilities of the network users:

a. The network users must register and obtain the using acceptance prior to accessing the network;

b. When detecting any sign of unsafeness, they must immediately inform to the network administrator for settlement

c. They must update new version of anti-virus software and regularly scan virus on the computers connected to the network. They shall not be entitled to change, remove, on their own, programs, technical parameters, which are installed by the administrator

...

...

...

dd. To comply with other provisions of the units in line with the provisions in this Regulation

4. Responsibilities of the network administrator:

a. To check, ensure the safe, stable and continuous operation of the computer network

b. To manage configuration, resources and users on the network

c. To fully setup regimes on network security control. To use equipped tools to check and timely detect weak-points easy to be injured and illegal accesses into the network system. To examine, detect connections, equipments, software illegally installed in the network on regular basis.

d. To detect and timely deal with the gaps in the security of the network system

dd. To guide, support the users to protect accounts, resources on the network, to install the anti-virus software and timely deal with network access breakdowns

e. To check and disconnect computers of the users who fail to comply with provisions of the units on virus prevention and anti-virus and other provisions on the network security

Article 14. Prudence of databases

...

...

...

a. It runs on the network and is independent of the server, operating system

b. It runs stably; it can process, archive a great volume of data upon the operational requirement;

c. It can protect and grant  access right for the database resources;

d. It manages, ensures the consistence of relational data tables and of each operational act processed on the database

dd. The system must integrate structured query language tool (SQL)

e. The system must support online archive of database and restoration of database from archived version;

g. The system of is capable of updating new version

2. Only database that has been tested through factual operations of similar credit institutions inside and outside the country shall be used

3. Responsibilities of the database administrator:

...

...

...

b. To change default passwords right after the database is put into use

c. To grant the access right of resources to database users

d. To prepare plan of, carry out the data archive and check the archive result;

dd. To check, ensure the entire restoration of the database from the archived version when necessary

e. To strictly manage archived versions to avoid the danger of loss, danger of being changed and illegally exploited;

g. To regularly check the status of database both physically and logically. To timely update error versions from the supplier

Article 15. Prudence of application software

1. General requirements:

a. Technical documents:

...

...

...

- Documents attached to packed software, which is supplied by external supplier, shall include technical documents and the documents guiding the use of software

b. The software must integrate solutions of authentication, access control and data encryption in accordance with the provisions in Article 8, Article 9 and Article 10 of this Regulation;

c. The software must run stably, process data accurately and ensure the consistence of the data;

d. Operational software and technical documents must be duplicated and safely archived at two separate places at the minimum

2. Analysis, design and software writing

a. Requirements on prudence, confidentiality of operations must be determined in advance and organized, deployed in an entire process of software development from the analysis to deployment and running;

b. Documents on prudence, confidentiality of the software must be systematized and archived, used under the “Confidential” regime

3. Check, test of software

All software must experience the following test and trial steps before being deployed and put into use:

...

...

...

b. Carrying out the trial on a separate environment. Preparing a report on trial result to submit to competent level for their approval and putting into use;

c. The use of real data during the trial process must be supported by preventive measures to avoid being benefited or making mistakes

4. Deploying, running the software:

a. The deployment of the software must not affect the prudence, confidentiality of the available IT systems;

b. Prior to the deployment of the software, all the risks of the deployment process for the operational activities, related IT systems must be assessed then drawing up and deploying solutions for restraining and overcoming risks

5. Management of software version

a. In respect of the request for the change of software, it is required to analyze, assess the effect of the change on the operation and other related IT systems of the units;

b. After software versions are successfully tested they must be strictly managed to avoid being illegally modified and to be ready for the deployment

c. There must be clear instructions on changing contents, guidance on the software update and other related information attached to the new software version

...

...

...

6. Management of software source code

a. Source codes of the software shall be strictly managed to avoid being used or modified illegally

b. There must have agreements on the management, correction of the source codes used for the maintenance in case where those softwares are developed by external partners and the source codes of which are not handed over

7. To comply with other provisions on prudence, confidentiality stipulated in the Decision No. 1630/2003/QD-NHNN dated 19/12/2003 of the Governor of the State Bank of Vietnam issuing the regulation on technical standards in the processing, procurement of banking operation software

Article 16. Prudence of the operating system of the server

1. The operating system to be selected must satisfy the following requirements:

a. It can run safely and stably;

b. Its readiness is high

c. It can manage the users, protect and grant the resource access right

...

...

...

dd. It must update the new version

e. It must check, restore the system in the event of breakdown

2. Only the operating system that has experienced the factual operations of similar organizations inside and outside the country shall be used

3. Responsibilities of the operating system administrator

a. To ensure that the operating system which is installed on the server can work continuously, stably and safely

b. To regularly check configuration, files on working diary of the operating system, timely detect and deal with breakdowns if any;

c. To grant access right and manage the access of the users on the server which install the operating system

d. To manage changes in technical configurations of the operating system

dd. To regularly update error versions of the operating system from the supplier;

...

...

...

Article 17. Prevention from computer virus and anti-virus

1. The units must deploy the virus prevention and anti-virus for their entire IT systems. To follow up and timely give notice to the users of new viruses and the way of prevention

2. Responsibilities for the virus prevention and anti-virus of the users

a. To regularly check and delete virus

b. Software, data and information carriers received from the outside must be scanned prior to using

c. It is not permitted to open strange mail, attached files or links in strange mails for preventing virus

d. It is not permitted to access website without clear origin

dd. To timely update types of virus and new anti-virus software

e. In case where virus is detected but cannot be deleted, the user must immediately inform to the system administrator for settlement

...

...

...

1. The connection with the outside shall be carried out under the principle of not affecting the security and normal operation of the network system of the units

2. Local area network system of the units shall be separated physically or logically from the externally connected network

3. The connection, data exchange with the outside shall be provided in details in terms of connection standards, services to be used, access right, data syntax and exchanging process

4. Steps of connection deployment

a. To investigate, design system configuration, connection method and services to be used on the network

b. To analyze effects, danger of unsafeness and select an appropriate security solution, prevent from illegal access

c. To submit to the Head of the units for approving the connection plan, the way of data exchange

d. To install, check, test successfully then put into official operation

dd. To deploy measures of preventing from illegal penetration from the outside

...

...

...

1. The units must issue internal regulations on management and use of Internet, ensuring the safe, efficient use of Internet and compliance with provisions of applicable Laws.

2. Computers used for Internet connection must be labeled for easy recognition and shall not be directly connected to the operation processing network if the IT division of the units has not yet determined that they have fully satisfied conditions of prudence protection. It is not permitted to archive the documents, data belonging to the State Secret in the computers which are connected to Internet

3. In case where there is a design of separate network system used for Internet connection of many users, that network system must ensure the following requirements:

a. The network separately used for Internet connection must be separated physically from the operation processing network or they must be separated by a firewall system which is fully capable of controlling entire accesses between the two networks and must ensure the prudence of operation of the software, data in the operation network

b. Sockets specially used for Internet connection must be labeled to help the users easily recognize that it is an Internet connection port

c. There must have a system of supervision, management of the Internet users, management of bands and time of Internet exploitation

4. Responsibilities of the Internet users

a. To be responsible for protecting the network system of the units, to be watchful over the flip side of Internet. To take full responsibility under provisions of applicable laws if screening or permitting other to use their equipment, password for carrying out illegal acts

b. To be subject to the examination, supervision of the units and functional agencies of the State for the information sent to Internet and take legal responsibility for that information

...

...

...

d. To be responsible for compliance with provisions on the content of information posted in the Internet and undertaking to correctly comply with those provisions

dd. Not to be permitted to commit acts that obstruct or destroy Internet’s activities; not to be permitted to affect other information system through Internet, or violate interests, honour of other individuals

e. Not to use instruments, software and technical measures in any form to appropriate transmission line bands, to make network blocked;

g. To comply with internal regulation on using Internet of the units and provisions of the State, of the industry on exploitation and use of Internet

Article 20. Data archive

1. Requirements of the archive system:

a. Ensuring the integrity and sufficiency of archived data during the archive period in accordance with applicable provisions;

b. Each type of data must be archived correctly and in full period of time in accordance with provisions of the State and the industry;

c. The data which are necessary for the maintenance or restoration of the unit’s operation, in case of breakdown, must be archived in two separate places at the minimum;

...

...

...

2. Responsibilities of the units:

a. To have a plan on equipment, technical process on archive, checking, preservation and exploitation of archived data which is approved by a competent authority;

b. To ensure conditions of place, environment for archive, preservation of information carrier in a prudential and scientific manner;

c. To maintain equipments, software used for archive, exploitation in a simultaneous way with the archived data or to convert the archived data in line with changes of the archive solution so as to ensure that the archived data is exploited at any time;

d. To stipulate scope, frequency of archive in line with each type of operational data so that it can restore, maintain the continuous activity of the operation in case where the major operating data meets breakdowns;

dd. To control and reconcile data against the related operational processing phases for the purpose of ensuring the accuracy, correctness and sufficiency of the data prior to the archive;

e. To record in the book to follow up the place, time, list of data, the person who performs the archive and exploitation of data;

g. To issue and deploy the archive process: copying and saving data; exploiting the archived data; checking, supervising the prudence of the archived data; method of preventing and overcoming risk for the archived data; to destroy the archived data which expires; and other contents relating to the techniques of prudential and efficient archive and preservation of archived data;

h. To comply with other provisions of the State and Banking area on the preservation, archive of electronic vouchers.

...

...

...

a. To correctly comply with provisions on archive, preservation of the archived data and take responsibility for the risk of the archived data caused by their subjective reasons;

b. Not entitled to permit any organization, individual to exploit, use the archived data without a written approval of the leader of their organization or an authorized person;

c. In case of risk or detecting a danger of risk for the archived electronic data, to make a report immediately to a competent person for a timely method of settling and overcoming.

Article 21. Standby activity against disaster

1. Units shall, upon the scale and importance of each IT system for the operation of the unit, choose and deploy an appropriate standby solution against disaster.

2. Units, which have a centralized IT system, must build up and maintain the operation of a standby center satisfying the following requirements:

a. Issuing provisions on management and operation of the backup center;

b. The backup center must be located at least 30 km far from the main processing center under the straight line connecting between the two centers;

c. The standby center must have full capacity of material, technical foundation and human resources, be ready to undertake all the role of the main processing center where required;

...

...

...

dd. The database for operational activities shall be immediately archived from the major center to the standby center;

e. Organizing a security system to ensure the prudence for the data and technical equipment system of the center;

e. The time for putting the standby center into operation to absolutely replace the main processing center shall not be in excess of 04 hours.

3. For units, which have not organized a centralized operation system, the organization of the standby system must satisfy the following requirements:

a. The standby system shall not be located in the same building with the main processing system;

b. The standby system must have full technical capacity, be ready to undertake all the role of the main system, which terminates the operation;

c. The design of wire line must be separated from the main system. To equip the electric generator, electric charging device for supplying a continuous, stable power source which satisfies the normal requirement of work settlement;

d. To organize the absolute security, safety for the data and technical equipment system;

dd. The database of the operational activities must be at once copied for backup from the main center to the standby center;

...

...

...

4. Operation of the standby system:

a. Operation from the main system to the standby system shall only be performed in the situation where the main system terminates operation and must be approved by the head of the unit for the performance;

b. The standby system shall be put into practice in compliance with the approved scenarios;

c. The exercise of changing the operation from the main system to the standby system must be performed on the annual basis at the minimum;

d. The standby system must be inspected, supervised to ensure a good operation.

5. Deployment rate of the standby system:

Units should have a plan on the deployment of the standby system against the disaster for the IT system in line with the rate of progress provided for by the State Bank.

Article 22. Requirements and responsibilities of the operators

1. They must be equipped with basic knowledge about IT: computer network (Server, clients and net equipment), operating system, and database in use.

...

...

...

3. They shall be only entitled to perform the assigned works, comply with the operational, technical process, the running technical process.

4. They shall take responsibility for the error, lateness, unsafeness caused by their subjective reasons.

5. They shall be responsible for timely informing the administrator of the system about the breakdown of the IT system if any.

Article 23. Internal inspection

1. Units shall organize by themselves the inspection of the compliance with provisions on the prudence, confidentiality of the IT system in accordance with provisions of this Regulation on the annual basis at the minimum.

2. Inspection contents:

a. Evaluating the policy on the IT security;

b. Inspecting the compliance with the policy on the IT security;

c. Evaluating risk which may occur and suggesting treatment

...

...

...

dd. The inspection contents must be stated in the report and submitted to competent levels.

3. Responsibilities of the head of units:

a. To conduct, inspect and facilitate the IT management division and related divisions to have a plan of immediately overcoming the petitions after the inspection;

b. To inspect the performance of petition under the plan;

c. To determine the reason and responsibility of individuals, organizations in respect of inspection petitions which have not yet been settled from the previous inspection if any.

Article 24. Inspection, maintenance of the IT system

1. Units shall set up a plan on the regular inspection, maintenance in order to ensure a continuous, stable and prudential operation of the IT system. On an annual basis, to arrange appropriate expense, resources for the maintenance activity.

2. All IT systems must be periodically maintained. Upon the importance of each IT system to the operation of the unit, an appropriate maintenance level shall be set up and carried out, providing that each system shall be maintained at least once a year

3. Minimum standby capacity of IT equipments must be kept at least equivalent to 20% against the processing requirements at the peak time.

...

...

...

a. The entire maintenance process of the IT system must be recorded in a diary to follow up changes in design, configuration of the IT system during the repair, upgrading, replacement or new installation;

b. Diary files of a system must be examined regularly, systematically saved and analyzed under different ways. On that basis, breakdown, signal of unsafeness shall be timely found out and overcome.

5. Maintenance activity:

a. Maintenance activity must be performed under plan, scenarios, ensuring that the maintenance activity has no effect to the normal operational activities of the unit;

b. Equipment, software, database must be checked, supervised and timely dealt with breakdown, signal of instability or overload; timely updating error version and filling up the gaps in security.

c. Inspecting, supervising external maintenance units for carrying out the maintenance in conformity with the approved scenarios.

Article 25. Making report on the IT security

1. Units shall be responsible for making the following written reports or electronic reports to the State Bank of Vietnam (the Banking Informatics Technology Department):

a. An internal inspection report of the unit in accordance with provisions in Article 23 of this Regulation. The reporting period shall be 60 days at the latest since the completion of the inspection;

...

...

...

2. Contents of unexpected report:

a. Date, place where the case occurs;

b. Reason of the case;

c. Evaluation of the risk, effect to the IT system and operations at the place where the case occurs and other related places;

d. Methods performed by the unit to stop, overcome and prevent risk;

dd. Proposal, suggestion to the State Bank.

Chapter III

IMPLEMENTING PROVISIONS

Article 26. Dealing with violation

...

...

...

Article 27. Implementing responsibilities

1. The Banking Informatics Technology Department shall be responsible for providing guidance on, following up and examining the compliance with this Regulation by units of the State Bank and credit institutions.

2. The State Bank’s Inspectorate shall be responsible for the coordination with the Banking Informatics Technology Department to inspect the compliance with this Regulation by credit institutions.

3. The General Control Department shall be responsible for conducting the internal inspection activity and performing the internal audit for the compliance with this Regulation by units of the State Bank.

4. Heads of units of the State Bank, Manager of the State Bank branches in provinces, cities under the Central Government’s management, Chairperson of the Board of Directors, General Director (Director) of credit institutions shall be responsible for the deployment and inspection of the compliance with the provisions of this Regulation in their units.

Article 28. Any amendment, supplement of this Regulation shall be decided upon by the Governor of the State Bank.