Commercial Banks Break Out of the Initial Stage of IT Risk Management
Marking the First Anniversary of the CBRC's New Guidelines
Fears that domestic banks would be unable to compete once the financial market was fully opened never materialized, because foreign banks were badly hit by the global financial crisis. Domestic banks instead saw their standing rise sharply as others fell, moving into the world's top tier and in some cases to the very top. But as the gloom of the crisis gradually lifts, the world's financial giants are staging a comeback, and competition in the domestic financial market can be expected to intensify. Domestic banks, "congenitally weak" in risk management, will have to catch up on risk management, IT risk management included, if they want to hold their current position.
On the first anniversary of the CBRC's promulgation of the Guidelines on the Risk Management of Commercial Banks' Information Technology, this reporter looks at the overall state of IT risk management in the banking sector and the problems it faces: how fast-growing small and medium-sized banks can manage risk while building out their IT, and how very large banks that have "outgrown the mould" can build IT risk management systems with their own characteristics.
CBRC: Strengthening Supervision to Drive Improvement
On 7 August 201*, the CBRC issued the Guidelines on the Risk Management of Information Systems of Banking Financial Institutions (hereinafter the "original Guidelines"), which set out basic, principle-based requirements for information system risk management at banking financial institutions and filled a gap in the supervision of banking information systems in China. Judging by the results, many banks made considerable progress in guarding against information system risk.
However, bank IT has developed very rapidly. IT's role has moved from supporting the business to merging with it, and it has become a pillar of banks' sound operation and development; at the same time, the shift from decentralized to centralized IT has further concentrated banks' technology risk. The CBRC realized that the original Guidelines could no longer meet commercial banks' IT risk management needs and that more comprehensive, systematic and actionable guidelines with higher standards and requirements were needed. Soon after the original Guidelines were issued, the CBRC therefore began consulting banking financial institutions widely and, drawing on international experience, refined, deepened and expanded the original Guidelines. On 3 March 201*, after more than a year of drafting, the CBRC formally promulgated and put into effect the Guidelines on the Risk Management of Commercial Banks' Information Technology (hereinafter the "new Guidelines"), repealing the original Guidelines at the same time. The CBRC also organized technical experts from across the CBRC system to write supporting manuals and rules, including the Guide to On-site Examination of Commercial Banks' IT Risk, the Measures for the Management of the Launch and Change of Important Information Systems of Banking Financial Institutions, and the Supervisory Guidelines for Commercial Bank Data Centres. Since then, a cycle of self-assessment, examination, remediation and improvement around the new Guidelines and related supervisory requirements has begun across the country's commercial banking system and will continue to deepen.
In 201*, the CBRC and its local offices reportedly conducted on-site IT risk examinations of nearly one hundred domestic banking financial institutions, thoroughly examining the main risk points and the related management processes in order to push banking institutions to bring IT risk management into their overall risk management frameworks. Where the examinations uncovered major latent risks, or major IT incidents actually occurred, the CBRC issued risk alerts to banking financial institutions nationwide and set out corresponding management requirements.
An insider at a provincial CBRC bureau who asked not to be named said: "The on-site examinations show that large and small commercial banks alike carry IT risk to varying degrees, with problems in personnel, rules and processes. In particular, at some banks senior management's awareness of IT governance is weak and IT risk management is not taken seriously enough. Encouragingly, though, in implementing the new Guidelines some banks have carried out comprehensive IT risk assessments and drawn up long-term development plans, and management has clearly been stepped up."
Looking at how the new Guidelines have been implemented over the past year, the results are plain to see.
First, IT governance has begun to receive attention. Public information shows that a number of banks have set up IT management committees, chief information officers or departments with similar functions; some existed already, others were created to meet the requirements of the new Guidelines. Examples include the IT Management Committee of the Industrial and Commercial Bank of China, the Electronic Construction Committee of the Agricultural Bank of China, the Information Planning Committee of China Merchants Bank, the Information Technology Committee of China CITIC Bank, the Technology and Innovation Committee of Hua Xia Bank and the IT Committee of China Bohai Bank; the Bank of Communications, Hua Xia Bank, China Bohai Bank and the Bank of Jilin, among others, have appointed chief information officers. Some banks have also spelled out the IT risk management responsibilities of their risk management and audit departments.
Second, disaster recovery has advanced. Large banks have further improved their local and remote disaster recovery centres, achieved initial switchover and takeover of business processing between local centres, and essentially completed comprehensive disaster recovery systems. Some small and medium-sized banks have also built local disaster recovery centres capable of switching over and taking over important information systems, and have begun building remote disaster recovery centres. In addition, several foreign banks have completed production centres and disaster recovery centres.
Third, emergency management continues to improve. Banks' contingency plans are more complete, emergency drills put more emphasis on being standardized, realistic and unannounced, and disaster recovery drills have expanded from core business systems and important systems such as credit cards to online banking and self-service business, raising the level of emergency management further.
According to Chen Wenxiong, head of the IT Risk Supervision Division of the CBRC Information Centre, the CBRC expects to take three years, following the principle of local supervision, to conduct a round of on-site examinations of every commercial bank in the country against the new Guidelines, examining the state of IT risk management in detail so as to keep raising the level of IT risk prevention and control in China's banking sector.
Small and Medium-sized Banks: Having Both the "Fish" and the "Bear's Paw"
In June and July 201*, commercial banks completed their first self-assessments under the new Guidelines. At some banks these were carried out independently by the internal risk management and audit departments; others brought in outside firms to help. The banks then carried out remediation suited to their own circumstances.
"After receiving the new Guidelines from the CBRC, the first thing we did was to bring together key staff from the technology, risk and audit departments to study them carefully, allocate the work and carry out thorough remediation as required," the head of the IT department at one city commercial bank told the reporter. "To give staff a grasp of IT risk prevention and control, build awareness of IT risk management and raise management standards, we also brought in experts from an outside consultancy to give the relevant staff rigorous training, and added IT risk audit staff."
Under the twin pressures of IT build-out and risk management, some small and medium-sized banks have managed to have both the "fish" and the "bear's paw". The approach of the Bank of Jilin, which started from strategy and IT governance, drew up an IT development plan and focused on controlling the main risk points, is worth learning from.
The Bank of Jilin was established in October 201* as a joint-stock commercial bank when Changchun City Commercial Bank was renamed Bank of Jilin and absorbed Jilin City Commercial Bank and several urban credit cooperatives. Guided by a "technology first" technology strategy and a "whole-scale outsourcing" IT strategy, the bank's IT build-out developed rapidly over little more than two years: it completed data centralization and built many information systems, achieved the "miracle" of managing nearly 70 projects at once with only 45 technology staff, and took IT from constraining the business, through developing in step with it, to leading it, without a single major slip or security incident.
According to Li Guibin, general manager of the Bank of Jilin's IT department, with the backing of senior leadership the bank has built a fairly complete IT governance structure: it has defined the division of responsibilities (including reporting lines) among the board of directors, the board of supervisors, the relevant business departments and the technology department; set up a "Bank of Jilin IT Work Leading Group" headed by the president, chiefly responsible for integrating IT resources across the bank and for controlling the operational risk of current information systems; appointed a chief information officer who reports directly to the president; created dedicated IT risk management and IT audit positions in the risk management and audit departments; and made the IT department responsible for standardizing and carrying out day-to-day project management and operations management. The bank has also drawn up an IT development plan that matches its business development, with particular emphasis on strengthening project management and controlling outsourcing risk.
Separately, a national joint-stock commercial bank, while improving its IT management to meet the new Guidelines, has launched a project to strengthen IT risk management. It hopes to use technology to make IT risk management more efficient, to identify, measure, monitor and control risk accurately, and to integrate IT risk management into the bank's overall risk management, building an efficient, multi-dimensional risk management system.
Large Banks: Exploring Distinctive IT Risk Management
Some of China's large banks now lead the world in both scale and profitability, and in customer numbers and IT scale as well, and they are still growing fast. As they carry out their internationalization strategies, they will grow larger still.
In the course of rapid growth, large banks have all had incidents of one kind or another, some of them major incidents with nationwide impact, and their IT risk management bears the marks of having been driven by incidents. Compared with large foreign banks, China's large banks still lag considerably in IT management.
Over years of development, however, China's large banks have gradually come to recognize the importance of IT risk management. They have widely adopted international standards and best practices such as ITIL, ISO 201*0, ISO 27001, COBIT and CMM, raised their management standards considerably, and are moving toward standardized, disciplined and fine-grained IT management.
After the new Guidelines took effect, large banks further improved their IT risk management on the basis of already relatively complete systems: they set up dedicated IT management committees, refined the relevant rules, standards and processes, and strengthened IT risk assessment and internal and external audit. In particular, the Industrial and Commercial Bank of China, the most highly computerized bank in China, did not rest on its higher management standards but responded actively to the new Guidelines, becoming the first large bank to set up an IT management committee responsible for major decisions on IT development strategy and annual plans, major IT engineering projects, IT risk management and information security management. It also plans to strengthen IT governance and complete its "two sites, three centres" build-out.
ICBC was among the first banks in China to adopt, unambiguously, "technology leadership" as its technology strategy and "independent innovation" as its IT strategy. Its IT build-out and management lead its domestic peers, have won wide recognition and praise from them, and have become a model that many Chinese banks seek to emulate.
On the technology workforce, the bank has more than 11,000 technology staff, 4,500 of them managed directly by head office. On intellectual property protection, it holds nearly one hundred patents, the largest share among domestic peers.
On organization, it has built a consolidated technology organization suited to unified operation and management across the bank: at head-office level, management, development and operations work as a division of labour; branches handle distinctive local application development, rollout of head-office systems, operations management and market support.
On rules, standards and norms, it has built three major categories of rules, covering operations management, project management and general management, which span every stage of work from information system production operations to application development and testing and general technology management; it has also issued 71 technical standards in six major categories covering information security, systems, applications, networks, equipment and computer rooms.
It is fair to say that ICBC stands apart in many aspects of IT build-out and management, with a clearly distinctive approach. Beyond this, some large banks have begun to attend to building an IT governance culture, exploring IT risk management systems that blend Western management standards and best practices with Chinese culture and the bank's own circumstances.
Joint Effort: Breaking Out of the Initial Stage of IT Risk Management
Risk management has always been a weak point for China's banking financial institutions, and IT risk management is no exception.
Chen Wenxiong believes that domestic banking financial institutions are, on the whole, at an initial stage in IT risk management. Although some banks do it fairly well, overall the three lines of defence, "IT management", "IT risk management" and "IT risk audit", have not been established, so no layered barrier has formed, and there are shortcomings in IT governance and risk management in particular. While implementation of the new Guidelines has greatly advanced IT risk management at domestic banking institutions, practice has also thrown up problems that urgently need solving.
The first is differentiated supervision. Although the scope of the new Guidelines reflects the idea of differentiated supervision, the differences among domestic banks are vast: even among incorporated commercial banks, IT build-out and management standards vary enormously, and requiring the smaller city commercial banks to manage IT risk strictly to the new Guidelines runs into many practical difficulties. If supervision is to be differentiated further, how should that be done?
The second is the intensity of supervision. Because banks differ in reach, the same system failure has very different social consequences: a large bank's failure may affect the whole country, a city commercial bank's only one city. Moreover, IT risk management covers a great deal of ground. How should the importance of its various elements be judged, how should the intensity of supervision be set for different banks and different elements, and what should come first? The third is the timetable for compliance. At present, large and small banks alike fall short of the new Guidelines to varying degrees, and almost no bank meets the IT governance requirements, such as establishing an IT management committee and a chief information officer. Should the CBRC, then, set a compliance timetable for different banks and different requirements?
Wu Yue, director of the CBRC Information Centre, has written that the CBRC will further advance IT governance and off-site supervision, strengthen the management of IT risk and outsourcing risk at the market-entry stage, and keep improving the effectiveness of on-site IT risk examinations. In IT risk management, however, the CBRC is only an external factor; raising the standard of banks' IT risk management depends chiefly on the banks themselves.
As things stand, the first problem banks must solve is senior management's appreciation of the importance of IT risk management. They should start from IT governance and drive IT risk management from the top down to ensure the bank runs continuously, securely and stably.
Further reading: Guidelines on the Risk Management of Commercial Banks' Information Technology (EN)
Guidelines on the Risk Management of Commercial Banks' Information Technology (English version)
Issuing body: China Banking Regulatory Commission
Release date: 201*-6-1; Effective date: 201*-6-1
Chapter I General Provisions
Article 1. Pursuant to the Law of the People's Republic of China on Banking Regulation and Supervision, the Law of the People's Republic of China on Commercial Banks, the Regulations of the People's Republic of China on Administration of Foreign-funded Banks, and other applicable laws and regulations, the Guidelines on the Risk Management of Commercial Banks' Information Technology (hereinafter referred to as the Guidelines) is formulated.
Article 2. The Guidelines apply to all the commercial banks legally incorporated within the territory of the People's Republic of China.
The Guidelines may apply to other banking institutions including policy banks, rural cooperative banks, urban credit cooperatives, rural credit cooperatives, village banks, loan companies, financial asset management companies, trust and investment companies, finance firms, financial leasing companies, automobile financial companies and money brokers.
Article 3. The term "information technology" stated in the Guidelines shall refer to the system built with computer, communication and software technologies, and employed by commercial banks to handle business transactions, operation management, and internal communication, collaborative work and controls. The term also includes IT governance, IT organization structure and IT policies and procedures.
Article 4. The risk of information technology refers to the operational risk, legal risk and reputation risk that are caused by natural factor, human factor, technological loopholes or management deficiencies when using information technology.
Article 5. The objective of information system risk management is to establish an effective mechanism that can identify, measure, monitor, and control the risks of commercial banks' information system, ensure data integrity, availability, confidentiality and consistency, provide the relevant early warning, and thereby enable commercial banks' business innovations, uplift their capability in utilizing information technology, improve their core competitiveness and capacity for sustainable development.
Chapter II IT Governance
Article 6. The legal representative of the commercial bank should be responsible for ensuring compliance with this guideline.
Article 7. The board of directors of commercial banks should have the following responsibilities with respect to the management of information systems:
(1) Implementing and complying with the national laws, regulations and technical standards pertaining to the management of information systems, as well as the regulatory requirements set by the China Banking Regulatory Commission (hereinafter referred to as the "CBRC");
(2) Periodically reviewing the alignment of IT strategy with the overall business strategies and significant policies of the bank, assessing the overall effectiveness and efficiency of the IT organization;
(3) Approving IT risk management strategies and policies, understanding the major IT risks involved, setting acceptable levels for these risks, and ensuring the implementation of the measures necessary to identify, measure, monitor and control these risks;
(4) Setting high ethical and integrity standards, and establishing a culture within the bank that emphasizes and demonstrates to all levels of personnel the importance of IT risk management;
(5) Establishing an IT steering committee which consists of representatives from senior management, the IT organization, and major business units, to oversee these responsibilities and report the effectiveness of strategic IT planning, the IT budget and actual expenditure, and the overall IT performance to the board of directors and senior management periodically;
(6) Establishing IT governance structure, proper segregation of duty, clear role and responsibility, maintaining checks and balances and clear reporting relationship; strengthening IT professional staff by developing incentive program;
(7) Ensuring that there is an effective internal audit of the IT risk management carried out by operationally independent, well-trained and qualified staff. The internal audit report should be submitted directly to the IT audit committee;
(8) Submitting an annual report to the CBRC and its local offices on information system risk management that has been reviewed and approved by the board of directors;
(9) Ensuring the appropriate funding necessary for IT risk management works;
(10) Ensuring that all employees of the bank fully understand and adhere to the IT risk management policies and procedures approved by the board of directors and the senior management, and are provided with pertinent training;
(11) Ensuring customer information, financial information, product information and core banking system of the legal entity are held independently within the territory, and complying with the regulatory on-site examination requirements of CBRC and guarding against cross-border risk;
(12) Reporting in a timely manner to the CBRC and its local offices any serious incident of information systems or unexpected event, and quickly responding to it in accordance with the contingency plan;
(13) Cooperating with the CBRC and its local offices in the supervisory inspection of the risk management of information systems, and ensuring that supervisory opinions are followed up; and
(14) Performing other related IT risk management tasks.
Article 8. The head of the IT organization, commonly known as the Chief Information Officer (CIO), should report directly to the president. Roles and responsibilities of the CIO should include the following:
(1) Playing a direct role in key decisions for the business development involving the use of IT in the bank;
(2) The CIO should ensure that information systems meet the needs of the bank, and IT strategies, in particular information system development strategies, comply with the overall business strategies and IT risk management policies of the bank;
(3) The CIO should also be responsible for the establishment of an effective and efficient IT organization to carry out the IT functions of the bank. These include the IT budget and expenditure, IT risk management, IT policies, standards and procedures, IT internal controls, professional development, IT project initiatives, IT project management, information system maintenance and upgrade, IT operations, IT infrastructure, information security, disaster recovery plan (DRP), IT outsourcing, and information system retirement;
(4) Ensuring the effectiveness of IT risk management throughout the organization including all branches;
(5) Organizing professional trainings to improve technical proficiency of staff;
(6) Performing other related IT risk management tasks.
Article 9. Commercial banks should ensure that a clear definition of the IT organization structure and documentation of all job descriptions of important positions are always in place and updated in a timely manner. Staff in each position should meet relevant requirements on professional skills and knowledge. The following risk mitigation measures should be incorporated in the management program of related staff:
(1) Verification of personal information including confirmation of personal identification issued by government, academic credentials, prior work experience, professional qualifications;
(2) Ensuring that IT staff can meet the required professional ethics by checking character reference;
(3) Signing of agreements with employees about understanding of IT policies and guidelines, non-disclosure of confidential information, authorized use of information systems, and adherence to IT policies and procedures; and
(4) Evaluation of the risk of losing key IT personnel, especially during major IT development stage or in a period of unstable IT operations, and the relevant risk mitigation measures such as staff backup arrangement and staff succession plan.
Article 10. Commercial banks should establish or designate a particular department for IT risk management. It should report directly to the CIO and the Chief Risk Officer (or risk management committee), serve as a member of the IT incident response team, and be responsible for coordinating the establishment of policies regarding IT risk management, especially the areas of information security, BCP, and compliance with the CBRC regulations, advising the business departments and IT department in implementing these policies, providing relevant compliance information, conducting on-going assessment of IT risks, and ensuring the follow-up of remediation advice, monitoring and escalating management of IT threats and non-compliance events.
Article 11. Commercial banks should establish a special IT audit role and responsibility within internal audit function, which should put in place IT audit policies and procedures, develop and execute IT audit plan.
Article 12. Commercial banks should put in place policies and procedures to protect intellectual property rights according to laws regarding intellectual properties, ensure purchase of legitimate software and hardware, prevention of the use of pirated software, and the protection of the proprietary rights of IT products developed by the bank, and ensure that these are fully understood and complied with by all employees.
Article 13. Commercial banks should, in accordance with relevant laws and regulations, disclose the risk profile of their IT normatively and timely.
Chapter III IT Risk Management
Article 14. Commercial banks should formulate an IT strategy that aligns with the overall business plan of the bank, an IT risk assessment plan and an IT operational plan that can ensure adequate financial resources and human resources to maintain a stable and secure IT environment.
Article 15. Commercial banks should put in place a comprehensive set of IT risk management policies that include the following areas:
(1) Information security classification policy;
(2) System development, testing and maintenance policy;
(3) IT operation and maintenance policy;
(4) Access control policy;
(5) Physical security policy;
(6) Personnel security policy;
(7) Business Continuity Planning and Crisis and Emergency Management procedure.
Article 16. Commercial banks should maintain an ongoing risk identification and assessment process that allows the bank to pinpoint the areas of concern in its information systems, assess the potential impact of the risks on its business, rank the risks, and prioritize mitigation actions and the necessary resources (including outsourcing vendors, product vendors and service vendors).
Article 17. Commercial banks should implement a comprehensive set of risk mitigation measures complying with the IT risk management policies and commensurate with the risk assessment of the bank. These mitigation measures should include:
(1) A set of clearly documented IT risk policies, technical standards, and operational procedures, which should be communicated to the staff frequently and kept up to date in a timely manner;
(2) Areas of potential conflicts of interest should be identified, minimized, and subject to careful, independent monitoring. Also it requires that an appropriate control structure is set up to facilitate checks and balances, with control activities defined at every business level, which should include:
- Top level reviews;
- Controls over physical and logical access to data and system;
- Access granted on "need to know" and "minimum authorization" basis;
- A system of approvals and authorizations; and
- A system of verification and reconciliation.
Article 18. Commercial banks should put in place a set of ongoing risk measurement and monitoring mechanisms, which should include:
(1) Pre- and post-implementation review of IT projects;
(2) Benchmarks for periodic review of system performance;
(3) Reports of incidents and complaints about IT services;
(4) Reports of internal audit, external audit, and issues identified by CBRC;
(5) Arrangement with vendors and business units for periodic review of service level agreements (SLAs);
(6) The possible impact of new development of technology and new threats to software deployed;
(7) Timely review of operational risk and management controls in operation area; and
(8) Assessing the risk profile on IT outsourcing projects periodically.
Article 19. Chinese commercial banks operating offshore and the foreign commercial banks in China should comply with the relevant regulatory requirements on information systems in and outside the People's Republic of China.
Chapter IV Information Security
Article 20. The information technology department of commercial banks should oversee the establishment of an information classification and protection scheme. All employees of the bank should be made aware of the importance of ensuring information confidentiality and provided with the necessary training to fully understand the information protection procedures within their responsibilities.
Article 21. Commercial banks should put in place an information security management function to develop and maintain an ongoing information security management program, promote information security awareness, advise other IT functions on security issues, serve as the leader of the IT incident response team, and report the evaluation of the information security of the bank to the IT steering committee periodically. The information security management program should include information security standards, strategy, an implementation plan, and an ongoing maintenance plan.
Information security policy should include the following areas:
(1) IT security policy management;
(2) Organization information security;
(3) Asset management;
(4) Personnel security;
(5) Physical and environment security;
(6) Communication and operation security;
(7) Access control and authentication;
(8) Acquirement, development and maintenance of information system;
(9) Information security event management;
(10) Business continuity management;
(11) Compliance.
Article 22. Commercial banks should have an effective process to manage user authentication and access control. Access to data and system should be strictly limited to authorized individuals whose identity is clearly established, and their activities in the information systems should be limited to the minimum required for their legitimate business use. Appropriate user authentication mechanism commensurate with the classification of information to be accessed should be selected. Timely review and removal of user identity from the system should be implemented when a user transfers to a new job or leaves the commercial bank.
Article 23. Commercial banks should ensure all physical security zones, such as computer centers or data centers, network closets, areas containing confidential information or critical IT equipment, and respective accountabilities are clearly defined, and appropriate preventive, detective, and recuperative controls are put in place.
Article 24. Commercial banks should divide their networks into logical security domains (hereinafter referred to as the "domain") with different levels of security. The following security factors have to be assessed in order to define and implement effective security controls, such as physical or logical segregation of network, network filtering, logical access control, traffic encryption, network monitoring, activity log, etc., for each domain and the whole network:
(1) Criticality of the applications and user groups within the domain;
(2) Access points to the domain through various communication channels;
(3) Network protocols and ports used by the applications and network equipment deployed within the domain;
(4) Performance requirement or benchmark;
(5) Nature of the domain, i.e. production or testing, internal or external;
(6) Connectivity between various domains; and
(7) Trustworthiness of the domain.
Article 25. Commercial banks should secure the operating system and system software of all computer systems by:
(1) Developing baseline security requirement for each operating system and ensuring all systems meet the baseline security requirement;
(2) Clearly defining a set of access privileges for different groups of users, namely, end-users, system development staff, computer operators, and system administrators and user administrators;
(3) Setting up a system of approval, verification, and monitoring procedures for using the highest privileged system accounts;
(4) Requiring technical staff to review available security patches, and report the patch status periodically; and
(5) Requiring technical staff to include important items such as unsuccessful logins, access to critical system files, changes made to user accounts, etc. in system logs, monitor the systems for any abnormal event manually or automatically, and report the monitoring periodically.
Article 26. Commercial banks should ensure the security of all the application systems by:
(1) Clearly defining the roles and responsibilities of end-users and IT staff regarding the application security;
(2) Implementing a robust authentication method commensurate with the criticality and sensitivity of the application system;
(3) Enforcing segregation of duties and dual control over critical or sensitive functions;
(4) Requiring verification of input or reconciliation of output at critical junctures;
(5) Requiring that the input and output of confidential information are handled in a secure manner to prevent theft, tampering, intentional leakage, or inadvertent leakage;
(6) Ensuring the system can handle exceptions in a predefined way and provide a meaningful message to users when the system is forced to terminate;
(7) Maintaining audit trail in either paper or electronic format; and
(8) Requiring user administrators to monitor and review unsuccessful logins and changes to users' accounts.
Article 27. Commercial banks should have a set of policies and procedures controlling the logging of activities in all production systems to support effective auditing, security forensic analysis, and fraud prevention. Logging can be implemented in different layers of software and on different computer and networking equipment, which falls into two broad categories:
(1) Transaction journals. They are generated by application software and database management system, and contain authentication attempts, modification to data, error messages, etc. Transaction journals should be kept according to the national accounting policy.
(2) System logs. They are generated by operating systems, database management system, firewalls, intrusion detection systems, and routers, etc., and contain authentication attempts, system events, network events, error messages, etc. System logs should be kept for a period scaled to the risk classification, but no less than one year.
Banks should ensure that sufficient items be included in the logs to facilitate effective internal controls, system troubleshooting, and auditing while taking appropriate measures to ensure time synchronization on all logs. Sufficient disk space should be allocated to prevent logs from being overwritten. System logs should be reviewed for any exception. The review frequency and retention period for transaction logs or database logs should be determined jointly by IT organization and pertinent business lines, and approved by the IT steering committee.
Article 28. Commercial banks should have the capacity to employ encryption technologies to mitigate the risk of losing confidential information in the information systems or during its transmission. Appropriate management processes of the encryption facilities should be put in place to ensure that:
(1) Encryption facilities in use should meet national security standards or requirements;
(2) Staff in charge of encryption facilities are well trained and screened;
(3) Encryption strength is adequate to protect the confidentiality of the information; and
(4) Effective and efficient key management procedures, especially key lifecycle management and certificate lifecycle management, are in place.
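As an added example that is not part of the Guidelines or the article, the following Python script sketches how the log-review obligations of Articles 25(5), 26(8) and 27 above could be checked mechanically over a batch of collected system log lines: it enforces the one-year retention floor against a risk-class retention table, flags bursts of unsuccessful logins and every change to a user account for review, and uses collector arrival order to spot a host whose clock is not synchronized. The log line format, event names, thresholds and the retention table are assumptions; the Guidelines fix only the one-year floor.

```python
"""Log-review check modelled on Articles 25(5), 26(8) and 27 of the Guidelines.

Added example, not code from the Guidelines or the article. The log line
format, the event names, the thresholds and the risk-class retention table are
assumptions; the Guidelines themselves only fix the one-year floor for system
log retention. All log lines below are constructed sample data.
"""
from __future__ import annotations

import re
from collections import Counter
from datetime import datetime, timedelta

# Article 27(2): system logs are kept "no less than one year".
MIN_SYSTEM_LOG_RETENTION_DAYS = 365

# Assumed mapping from a bank's risk classification to a retention period.
# "low" is deliberately below the floor to show the floor being enforced.
RETENTION_BY_RISK_CLASS = {"low": 180, "medium": 365, "high": 730}

FAIL_THRESHOLD = 5                        # assumed review threshold
SKEW_TOLERANCE = timedelta(minutes=5)     # assumed clock-skew tolerance

# Assumed collector format: "<ISO-8601 timestamp> <host> <EVENT> key=value ..."
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>\S+)(?: (?P<kv>.*))?$")


def system_log_retention_days(risk_class: str) -> int:
    """Retention scaled to the risk class, but never below the Article 27 floor."""
    scaled = RETENTION_BY_RISK_CLASS.get(risk_class, MIN_SYSTEM_LOG_RETENTION_DAYS)
    return max(scaled, MIN_SYSTEM_LOG_RETENTION_DAYS)


def parse_line(line: str) -> dict:
    """Parse one collector line into a dict; key=value fields are kept verbatim."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    rec = {"ts": datetime.fromisoformat(m["ts"]), "host": m["host"], "event": m["event"]}
    for item in (m["kv"] or "").split():
        key, _, value = item.partition("=")
        rec[key] = value
    return rec


def review_logs(text: str) -> dict:
    """Return the exceptions a log reviewer should look at.

    - repeated_login_failures: Article 25(5) asks for unsuccessful logins to be
      logged and monitored; a burst at or above FAIL_THRESHOLD is flagged.
    - account_changes: Article 26(8) asks user administrators to review changes
      to user accounts, so every such event is listed for review.
    - clock_skew: Article 27 requires time synchronization on all logs. Lines
      arrive in collector order, so a timestamp that runs backwards by more
      than SKEW_TOLERANCE points at a host whose clock is off (a heuristic).
    """
    records = [parse_line(l) for l in text.splitlines() if l.strip()]
    findings = {"repeated_login_failures": [], "account_changes": [], "clock_skew": []}

    failures = Counter((r["host"], r.get("user")) for r in records if r["event"] == "LOGIN_FAIL")
    for (host, user), count in sorted(failures.items()):
        if count >= FAIL_THRESHOLD:
            findings["repeated_login_failures"].append({"host": host, "user": user, "count": count})

    for r in records:
        if r["event"] == "ACCOUNT_MODIFY":
            findings["account_changes"].append(
                {"host": r["host"], "by": r.get("user"), "target": r.get("target"), "change": r.get("change")}
            )

    latest_seen = None
    for r in records:
        if latest_seen is not None and latest_seen - r["ts"] > SKEW_TOLERANCE:
            behind = int((latest_seen - r["ts"]).total_seconds())
            findings["clock_skew"].append({"host": r["host"], "behind_by_seconds": behind})
        if latest_seen is None or r["ts"] > latest_seen:
            latest_seen = r["ts"]
    return findings


# Constructed sample: a burst of failed logins followed by a success and a
# group change on the database host, and one host whose clock is 53 minutes behind.
SAMPLE_LOGS = """\
2024-03-01T08:00:00+08:00 core-db-01 LOGIN_FAIL user=opr_li src=10.1.1.15
2024-03-01T08:00:04+08:00 core-db-01 LOGIN_FAIL user=opr_li src=10.1.1.15
2024-03-01T08:00:09+08:00 core-db-01 LOGIN_FAIL user=opr_li src=10.1.1.15
2024-03-01T08:00:13+08:00 core-db-01 LOGIN_FAIL user=opr_li src=10.1.1.15
2024-03-01T08:00:17+08:00 core-db-01 LOGIN_FAIL user=opr_li src=10.1.1.15
2024-03-01T08:00:20+08:00 core-db-01 LOGIN_OK user=opr_li src=10.1.1.15
2024-03-01T08:02:00+08:00 core-db-01 ACCOUNT_MODIFY user=opr_li target=svc_batch change=add_group:dba
2024-03-01T08:03:00+08:00 core-app-02 LOGIN_OK user=wang src=10.1.2.7
2024-03-01T07:10:00+08:00 core-app-03 LOGIN_OK user=zhao src=10.1.2.9
"""

if __name__ == "__main__":
    for risk_class in ("low", "medium", "high"):
        print(f"system log retention for {risk_class!r}: {system_log_retention_days(risk_class)} days")
    for category, items in review_logs(SAMPLE_LOGS).items():
        print(f"{category}: {items}")
```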
Article 29. Commercial banks should put in place an effective and efficient system of securing all end-user computing equipment, which includes desktop personal computers (PCs), portable PCs, teller terminals, automatic teller machines (ATMs), passbook printers, debit or credit card readers, point of sale (POS) terminals, personal digital assistants (PDAs), etc., and conduct periodic security checks on all equipment.
Article 30. Commercial banks should put in place a set of policies and procedures to govern the collection, processing, storage, transmission, dissemination, and disposal of customer information.
Article 31. All employees, including contract staff, should be provided with the necessary trainings to fully understand these policies, procedures and the consequences of their violation. Commercial banks should adopt a zero tolerance policy against security violation.
Chapter V Application System Development, Testing and Maintenance
Article 32. Commercial banks should have the capability to identify, plan, acquire, develop, test, deploy, maintain, upgrade, and retire information systems. Policies and procedures should be in place to govern the initiation, prioritization, approval, and control of IT projects. Progress reports of major IT projects should be submitted to and reviewed by the IT steering committee periodically. Decisions involving significant change of schedule, change of key personnel, change of vendors, and major expenditures should be included in the progress report.
Article 33. Commercial banks should recognize the risks associated with IT projects, which include the possibilities of incurring various kinds of operational risk, financial losses, and opportunity costs stemming from ineffective project planning or inadequate project management controls of the bank. Therefore, appropriate project management methodologies should be adopted and implemented to control the risks associated with IT projects.
Article 34. Commercial banks should adopt and implement a system development methodology to control the life cycle of information systems. The typical phases of system life cycle include system analysis, design, development or acquisition, testing, trial run, deployment, maintenance, and retirement. The system development methodology to be used should be commensurate with the size, nature, and complexity of the IT project, and, generally speaking, should facilitate the management of the following risks.
Article 35. Commercial banks should ensure system reliability, integrity, and maintainability by controlling system changes with a set of policies and procedures, which should include the following elements:
(1) Ensuring that production systems are separated from development or testing systems;
(2) Separating the duties of managing production systems and managing development or testing systems;
(3) Prohibiting application development and maintenance staff from accessing production system under normal circumstances unless management approval is granted to perform emergency repair, and all emergency repair activities should be recorded and reviewed promptly;
(4) Promoting changes of program or system configuration from development and testing systems to production systems should be jointly approved by IT organization and business departments, properly documented, and reviewed periodically.
Article 36. Commercial banks should have in place a set of policies, standards, and procedures to ensure data integrity, confidentiality, and availability. These policies should be in accordance with data integrity amid IT development procedure.
Article 37. Commercial banks should ensure that information system problems could be tracked, analyzed, and resolved systematically through an effective problem management process. Problems should be documented, categorized, and indexed. Support services or technical assistance from vendors, if necessary, should also be documented. Contacts and relevant contract information should be made readily available to the employees concerned. Accountability and line of command should be delineated clearly and communicated to all employees concerned, which is of utmost importance to performing emergency repair.
Article 38. Commercial banks should have a set of policies and procedures controlling the process of system upgrade. System upgrade is needed when the hardware reaches its lifespan or runs out of capacity, the underpinning software, namely, operating system, database management system, middleware, has to be upgraded, or the application software has to be upgraded. The system upgrade should be treated as a project and managed by all pertinent project management controls including user acceptance testing.
Chapter VI IT Operations
Article 39. Commercial banks should consider fully the environmental threats (e.g. proximity to natural disaster zones, dangerous or hazardous facilities or busy/major roads) when selecting the locations of their data centers. Physical and environmental controls should be implemented to monitor environmental conditions that could adversely affect the operation of information processing facilities. Equipment facilities should be protected from power failures and electrical supply interference.
Article 40. In controlling access by third-party personnel (e.g. service providers) to secured areas, proper approval of access should be enforced and their activities should be closely monitored. It is important that proper screening procedures including verification and background checks, especially for sensitive technology-related jobs, are developed for permanent and temporary technical staff and contractors.
Article 41. Commercial banks should separate IT operations or computer center operations from system development and maintenance to ensure segregation of duties within the IT organization. The commercial banks should document the roles and responsibilities of data center functions.
Article 42. Commercial banks are required to retain transactional records in compliance with the national accounting policy. Procedures and technology need to be put in place to ensure the integrity, safekeeping and retrieval requirements of the archived data.
Article 43. Commercial banks should detail operational instructions such as computer operator tasks, job scheduling and execution in the IT operations manual. The IT operations manual should also cover the procedures and requirements for on-site and off-site backup of data and software in both the production and development environments (i.e. frequency, scope and retention periods of back-up).
Article 44. Commercial banks should have in place a problem management and processing system to respond promptly to IT operations incidents, to escalate reported incidents to relevant IT management staff and to record, analyze and keep track of all these incidents until rectification of the incidents with root cause analysis is completed. A help desk function should be set up to provide front-line support to users on all technology-related problems and to direct the problems to relevant IT functions for investigation and resolution.
Article 45. Commercial banks should establish service level agreements and assess the IT service level standard attained.
Article 46. Commercial banks should implement a process to ensure that the performance of application systems is continuously monitored and exceptions are reported in a timely and comprehensive manner. The performance monitoring process should include forecasting capability to enable exceptions to be identified and corrected before they affect system performance.
Article 47. Commercial banks should carry out capacity planning to cater for business growth and transaction increases due to changes of economic conditions. Capacity planning should be extended to cover back-up systems and related facilities in addition to the production environment.
Article 48. Commercial banks should ensure the continued availability of technology-related services with timely maintenance and appropriate system upgrades. Proper record keeping (including suspected and actual faults and preventive and corrective maintenance records) is necessary for effective facility and equipment maintenance.
Article 49. Commercial banks should have an effective change management process in place to ensure integrity and reliability of the production environment. Commercial banks should
developaformalchangemanagementprocess.ChapterVIIBusinessContinuityManagement
Article 50. Commercial banks should have in place appropriate arrangements, having regard to the nature, scale and complexity of their business, to ensure that they can continue to function and meet their regulatory obligations in the event of an unforeseen interruption. These arrangements should be regularly updated and tested to ensure their effectiveness.

Article 51. Commercial banks should consider the likelihood and impact of a disruption to the continuity of their operations from unexpected events. This should include assessing the disruptions to which they are particularly susceptible, including but not limited to:
(1) Loss or failure of internal and external resources (such as people, systems and other assets);
(2) The loss or corruption of their information; and
(3) External events (such as war, earthquake, typhoon, etc.).

Article 52. Commercial banks should act to reduce both the likelihood of disruptions (including by system resilience and dual processing) and the impact of disruptions (including by contingency arrangements and insurance).

Article 53. Commercial banks should document their strategy for maintaining continuity of their operations, and their plans for communicating and regularly testing the adequacy and effectiveness of this strategy. Commercial banks should establish:
(1) Formal business continuity plans that outline arrangements to reduce the impact of a short, medium and long-term disruption, including:
a) Resource requirements such as people, systems and other assets, and arrangements for obtaining these resources;
b) The recovery priorities for the commercial bank's operations; and
c) Communication arrangements for internal and external concerned parties (including CBRC, clients and the press);
(2) Escalation and invocation plans that outline the processes for implementing the business continuity plans, together with relevant contact information;
(3) Processes to validate the integrity of information affected by the disruption;
(4) Processes to review and update (1) to (3) following changes to the commercial bank's operations or risk profile.

Article 54. A final BCP plan and an annual drill result must be signed off by IT Risk management, or the internal auditor, and the IT Steering Committee.
Chapter VIII Outsourcing

Article 55. Commercial banks cannot contract out their regulatory obligations and should take reasonable care to supervise the discharge of outsourced functions.

Article 56. Commercial banks should take particular care to manage material outsourcing arrangements (such as outsourcing of data center, IT infrastructure, etc.), and should notify CBRC when they intend to enter into a material outsourcing arrangement.

Article 57. Before entering into, or significantly changing, an outsourcing arrangement, the commercial bank should:
(1) Analyze how the arrangement will fit with its organization and reporting structure; business strategy; overall risk profile; and ability to meet its regulatory obligations;
(2) Consider whether the arrangements will allow it to monitor and control its operational risk exposure relating to the outsourcing;
(3) Conduct appropriate due diligence of the service provider's financial stability, expertise and risk assessment of the service provider, facilities and ability to cover the potential liabilities;
(4) Consider how it will ensure a smooth transition of its operations from its current arrangements to a new or changed outsourcing arrangement (including what will happen on the termination of the contract); and
(5) Consider any concentration risk implications, such as the business continuity implications that may arise if a single service provider is used by several firms.

Article 58. In negotiating its contract with a service provider, the commercial bank should have regard to (but not limited to):
(1) Reporting and negotiation requirements it may wish to impose on the service provider;
(2) Whether sufficient access will be available to its internal auditors, external auditors and banking regulators;
(3) Information ownership rights, confidentiality agreements and firewalls to protect client and other information (including arrangements at the termination of contract);
(4) The adequacy of any guarantees and indemnities;
(5) The extent to which the service provider must comply with the commercial bank's policies and procedures covering IT risk;
(6) The extent to which the service provider will provide business continuity for outsourced operations, and whether exclusive access to its resources is agreed;
(7) The need for continued availability of software following difficulty at a third-party supplier;
(8) The processes for making changes to the outsourcing arrangement and the conditions under which the commercial bank or service provider can choose to change or terminate the outsourcing arrangement, such as where there is:
a) A change of ownership or control of the service provider or commercial bank; or
b) Significant change in the business operations of the service provider or commercial bank; or
c) Inadequate provision of services that may lead to the commercial bank being unable to meet its regulatory obligations.

Article 59. In implementing a relationship management framework, and drafting the service level agreement with the service provider, the commercial bank should have regard to (but not limited to):
(1) The identification of qualitative and quantitative performance targets to assess the adequacy of service provision, to both the commercial bank and its clients, where appropriate;
(2) The evaluation of performance through service delivery reports and periodic self-assessment and independent review by internal or external auditors; and
(3) Remediation action and escalation process for dealing with inadequate performance.

Article 60. The commercial bank should enhance IT-related outsourcing management, putting in place the following (but not limited to) measures to ensure data security of sensitive information such as customer information:
(1) Such information is effectively separated from other customer information held by the service provider;
(2) The related staff of the service provider should be authorized on a "need to know" and "minimum authorization" basis;
(3) Ensure the service provider guarantees that its staff meet the confidentiality requirements;
(4) All outsourcing arrangements related to customer information should be identified as material outsourcing arrangements and the customers should be notified;
(5) Strictly monitor re-outsourcing actions of the service provider, and implement adequate control measures to ensure information security of the bank;
(6) Ensure all related sensitive information is returned or deleted from the service provider's storage when terminating the outsourcing arrangement.

Article 61. The commercial bank should ensure that it has appropriate contingency in the event of a significant loss of services from the service provider. Particular issues to consider include a significant loss of resources, turnover of key staff, or financial failure of the service provider, and unexpected termination of the outsourcing agreement.

Article 62. All outsourcing contracts must be reviewed or signed off by IT Risk management, internal IT auditors, the legal department and the IT Steering Committee. There should be a process to periodically review and refine the service level agreements.
Chapter IX Internal Audit

Article 63. Depending on the nature, scale and complexity of its business, it may be appropriate for the commercial bank to delegate much of the task of monitoring the appropriateness and effectiveness of its systems and controls to an internal audit function. An internal audit function should be adequately resourced and staffed by competent individuals, be independent of the day-to-day activities of the commercial bank and have appropriate access to the bank's records.

Article 64. The responsibilities of the internal IT audit function are:
(1) To establish, implement and maintain an audit plan to examine and evaluate the adequacy and effectiveness of the bank's systems and internal control mechanisms and arrangements;
(2) To issue recommendations based on the result of work carried out in accordance with (1);
(3) To verify compliance with those recommendations;
(4) To carry out special audits on information technology. The term "special audit" of information technology refers to the investigation, analysis and assessment of security incidents of the information system, or the audit performed on a special subject based on IT risk assessment results as deemed necessary by the audit department.

Article 65. Based on the nature, scale and complexity of its business, deployment of information technology and IT risk assessment, commercial banks could determine the scope and frequency of IT internal audit. However, a comprehensive IT internal audit shall be performed at a minimum once every 3 years.

Article 66. Commercial banks should engage their internal audit department and IT Risk management department when implementing system development of significant size and scale to ensure it meets the IT risk standards of the commercial banks.
Chapter X External Audit

Article 67. The external information technology audit of commercial banks can be carried out by certified service providers in accordance with laws, rules and regulations.

Article 68. The commercial bank should ensure that the IT audit service provider reviews and examines the bank's hardware, software, documentation and data to identify IT risk when commissioned to perform the audit. Vital commercial and technical information which is protected by national laws and regulations should not be reviewed.

Article 69. Commercial banks should communicate with the service provider in depth before the audit to determine the audit scope, and should not withhold the truth or intentionally fail to cooperate with the service provider.

Article 70. CBRC and its local offices could designate certified service providers to carry out IT audit or related review on commercial banks when needed. When carrying out an audit on commercial banks, as commissioned or authorized by CBRC or its local offices, the service providers shall present the letter of authority, and carry out the audit in accordance with the scope prescribed in the letter of authority.

Article 71. Once the IT audit report produced by the service providers is reviewed and approved by CBRC or its local offices, the report will have the same legal status as if it were produced by the CBRC itself. Commercial banks should come up with a corrective action plan as prescribed in the report and implement the corrective actions according to the time frame.

Article 72. Commercial banks should ensure that the service providers strictly comply with laws and regulations to keep confidential and secure any commercial secrets, private information learnt and IT risk information when conducting the audit. The service provider should not modify, copy or take away any documents provided by the commercial banks.
Chapter XI Supplementary Provisions

Article 73. Commercial banks with no board of directors should have their operating decision-making bodies perform the responsibilities of the board with regard to IT risk management specified herein.

Article 74. The China Banking Regulatory Commission supervises and regulates the IT risk management of commercial banks under its authority by law.

Article 75. The power of interpretation and modification of the Guidelines shall rest with the China Banking Regulatory Commission.

Article 76. The Guidelines shall become effective as of the date of issuance, and the former Guidelines on the Risk Management of Banking Institutions' Information Systems shall be revoked at the same time.

China Banking Regulatory Commission