This afternoon, March 27, the Department of Information Security (Ministry of Information and Communications) sent an official dispatch to securities companies regarding strengthening network information security for information systems.
Many investors with trading accounts at VNDIRECT Securities Company are sitting on hot coals after the system was hit by a cyberattack, leaving them unable to trade.
According to Mr. Tran Dang Khoan, Deputy Director of the Department of Information Security, in recent times, a number of securities company systems have experienced network information security incidents, causing serious damage to securities businesses, causing panic and affecting confidence in the safety of stock exchanges in Vietnam in particular and the financial market in general.
Performing the function of state management of network information security, the Department of Information Security requests securities companies to review and organize the implementation of ensuring network information security for information systems under their management, with the following main tasks.
Accordingly, securities companies need to organize reviews, inspections, and assessments to ensure information security of information systems under their management and immediately implement measures to overcome risks, vulnerabilities, and weaknesses in information systems, especially customer account management information systems, serving online securities transactions. This must be completed before April 15.
In addition, securities companies are to review and organize the implementation of information security assurance according to the levels prescribed in Decree No. 85/2016/ND-CP of the Government on ensuring information system security according to levels and Circular 12/2022/TT-BTTTT of the Ministry of Information and Communications.
Comply with legal regulations and strengthen information system security assurance by level, especially organizing statistics and classifying information systems under management; develop a plan to implement and complete regulations on information system security assurance by level (according to monthly progress); ensure that 100% of information systems in operation must be approved for information system security level by September at the latest and fully implement information security assurance plans according to the approved level proposal documents by December 2024 at the latest.
Organize effective, substantial, regular and continuous implementation of information security assurance work according to the 4-layer model, especially improving the capacity of the professional monitoring and protection layer and maintaining continuous and stable connections and information sharing with the National Cyber Security Monitoring Center (Information Security Department); prioritize the use of network information security products, solutions and services produced or mastered by Vietnamese enterprises.
Hunt for threats, promptly detect signs of intrusion
In addition, securities companies need to develop incident response plans for information systems under their management as prescribed in Circular No. 20/2017/TT-BTTTT of the Ministry of Information and Communications on coordination and response to network information security incidents nationwide; deploy a plan to periodically back up systems and important data to promptly restore when data encryption attacks occur and report incidents to the Information Security Department as prescribed; participate in the national network for network information security incident response.
Conduct periodic threat hunting to promptly detect signs of system intrusion. For systems that have detected serious security vulnerabilities, immediately conduct threat hunting after fixing the vulnerability to determine the possibility of previous intrusion.
Check and update information security patches for important systems according to warnings from the Information Security Department and related agencies and organizations; periodically check, evaluate, and review to promptly detect information security vulnerabilities and weaknesses existing in the system.
The Department of Information Security requests that companies organize a review, assign a focal point for professional exchange, and report the implementation results to the Department of Information Security before April 15 for synthesis and reporting to competent authorities.