Responding to risks

Released at: 03:30, 26/07/2014

Mr Vu Quoc Khanh, Director of the Vietnam Computer Emergency Response Team (VNCERT) under the Ministry of Information and Technology, tells VET's Ngoc Anh about the steps taken to prevent or resolve information security errors.

by Ngoc Anh

What does VNCERT do when information security errors are identified? How should banks and e-commerce websites react to alert their customers and fix these errors quickly and effectively?

    The first thing we do is verify information on any errors, which can come from international organisations, information security experts or information security systems providers. Internationally, when errors are discovered, software manufacturers are notified so they can provide updates to correct them. Errors are then officially announced to the public, as it would be dangerous to announce the errors prior to updates being provided.

    VNCERT keeps track of information relating to security errors and assesses the potential impact on banks, international organisations, and State offices. We immediately check whether a security error actually exists, how significant it is, and the risk it poses, and then provide warnings and recommendations.

    Normally VNCERT will notify the public via different channels, such as the media and the national computer troubleshooting network, whose members include localities, ministries, and enterprises. When discovering or being informed about information loopholes or errors, experts, managers, technical staff and bodies such as banks, enterprises, organisations or State offices should report the matter to VNCERT so that we can share this information.

    When receiving notifications and warnings from VNCERT about loopholes or security errors and the solutions to fix them, these bodies are responsible for immediately implementing those solutions. In particular, if the errors affect customers or other enterprises they must also be notified. In the recent OpenSSL Heartbleed case, it was important for banks and online payment gateways to make contact with customers or other enterprises, regardless of whether they were affected or not.

    It’s important to have a quick response, but providing information to resolve any problems is also crucial. 

Is there any way to alert banks when security errors are about to occur?

    There are different ways to alert banks about security errors, such as the media, which banks can monitor themselves. There are also separate, internal alerts. These alerts are not announced to the public and are only sent to bodies such as banks, State offices, and enterprises that have security errors or are members of the national computer troubleshooting network.

    Banks in Vietnam will receive warnings via two channels, either from the central bank or from their own computer troubleshooting teams. Normally our notifications are sent to banks via an official dispatch from the central bank, so it may take sev