Principles of ensuring system safety and security for providing Online Banking services

Việt Nam, 19/06/2024

According to the draft, the Online Banking system must comply with regulations on ensuring information system security at level 3 or higher, in accordance with the provisions of law on ensuring information system security by level and the regulations of the State Bank on information system security in banking activities.

Ensure the confidentiality and integrity of customer information; ensure the availability of the Online Banking system to provide continuous services.

Customer transactions are assessed for minimum risk levels according to each customer group, transaction type and transaction limit (if any). On that basis, the unit provides appropriate transaction authentication methods for customers to choose from, complying with the following regulations: apply multi-factor authentication when changing customer identification information; apply authentication methods for each customer group, transaction type and transaction limit according to regulations; for multi-step transactions, apply at least one authentication measure at the final approval step.

Conduct annual security checks and assessments of the Online Banking system.

Regularly identify risks and potential risks, determine their causes, and promptly take measures to prevent, control and handle risks in providing banking services on the Internet.

Information technology infrastructure equipment providing Online Banking services must have copyright, clear origin and source. For equipment that is nearing the end of its product life cycle and will no longer be supported by the manufacturer, the unit must have an upgrade and replacement plan according to the manufacturer's announcement, ensuring that the infrastructure equipment is capable of installing new software versions.

Must have firewalls, monitoring systems, and abnormal behavior alerts

The unit must establish a network, communications and security system that meets the following minimum requirements:

There are minimum security solutions including: Application firewall; database firewall; centralized monitoring and warning system for attacks or unusual behavior.

Customer information is not stored in the Internet connection partition and DMZ partition (intermediate partition between the internal network and the Internet).

Set up a policy to limit services and gateways connecting to the Online Banking system.

Connections from outside the internal network to the Online Banking system for administration can only be made in cases where it is not possible to connect from the internal network and must be secure, complying with at least the following regulations: Must be approved by an authorized person after reviewing the purpose and method of connection; must have a plan for access management, secure remote system administration such as using a virtual private network or equivalent; the connecting device must be installed with security software; must use multi-factor authentication measures when logging into the system; use secure encrypted communication protocols and do not store secret keys in utility software.

The service network connection must ensure high availability and continuous service provision.

Establish a mechanism to detect and prevent intrusions and network attacks on the system

The draft also clearly states that the unit must manage the vulnerabilities and weaknesses of the Online Banking system with the following basic contents:

Have measures to prevent and detect changes to the website and Online Banking application software.

Establish a mechanism to detect and prevent intrusions and network attacks on the Online Banking system.

Coordinate with state management units and information technology partners to learn promptly of incidents and situations involving loss of information security and safety, so that preventive measures can be taken in time.

Update information on published security vulnerabilities related to system software, database management systems and application software according to information from the Common Vulnerability Scoring System.

Scan for vulnerabilities and weaknesses of the Online Banking system at least once a year or when receiving information related to new vulnerabilities and weaknesses. Assess the level of impact and risk of each discovered vulnerability and technical weakness of the system and propose solutions and plans for handling.

Implement security patch updates or timely preventive measures based on impact and risk assessment.

Source: baochinhphu.vn
