国产精品色无码视频,国产av毛片影院精品资源,亚洲人成网站77777·c0m,囯产av无码片毛片一级,夜夜操www99视频,美女白嫩胸交在线观看,亚洲a毛片性生活

薈聚奇文、博采眾長(zhǎng)、見(jiàn)賢思齊
當(dāng)前位置:公文素材庫(kù) > 公文素材 > 范文素材 > 商業(yè)銀行突圍科技風(fēng)險(xiǎn)管理初級(jí)階段

商業(yè)銀行突圍科技風(fēng)險(xiǎn)管理初級(jí)階段

網(wǎng)站:公文素材庫(kù) | 時(shí)間:2019-05-29 03:46:52 | 移動(dòng)端:商業(yè)銀行突圍科技風(fēng)險(xiǎn)管理初級(jí)階段

商業(yè)銀行突圍科技風(fēng)險(xiǎn)管理初級(jí)階段

商業(yè)銀行突圍科技風(fēng)險(xiǎn)管理初級(jí)階段

銀監(jiān)會(huì)新《指引》頒布1周年記

雖然人們對(duì)全面開(kāi)放金融市場(chǎng)后內(nèi)資銀行的競(jìng)爭(zhēng)力的擔(dān)憂,因?yàn)橥赓Y銀行在世界金融危機(jī)中受到重創(chuàng)而沒(méi)有成為現(xiàn)實(shí)。內(nèi)資銀行反倒在此漲彼消中身價(jià)倍增,躋身世界前列,甚至名列前茅。但隨著金融危機(jī)的陰霾逐漸散去,世界金融巨頭開(kāi)始“咸魚(yú)翻身”,可以預(yù)見(jiàn)國(guó)內(nèi)金融市場(chǎng)的競(jìng)爭(zhēng)將更加激烈。在風(fēng)險(xiǎn)管理方面“先天不足”的內(nèi)資銀行如果想要保持目前的地位,則必需補(bǔ)上風(fēng)險(xiǎn)管理(包括信息科技風(fēng)險(xiǎn)管理)這一課。

在銀監(jiān)會(huì)頒布《商業(yè)銀行信息科技風(fēng)險(xiǎn)管理指引》1周年之際,記者愿意與您一起關(guān)注銀行信息科技風(fēng)險(xiǎn)管理的總體情況和存在的難題,關(guān)注迅速崛起的中小銀行如何在信息化建設(shè)的同時(shí)兼顧風(fēng)險(xiǎn)管理,關(guān)注規(guī)模巨大而“失去了模子”的大型銀行如何構(gòu)建“特色”的信息科技風(fēng)險(xiǎn)管理體系。

銀監(jiān)會(huì):加強(qiáng)監(jiān)管促提高

201*年8月7日,銀監(jiān)會(huì)頒布了《銀行業(yè)金融機(jī)構(gòu)信息系統(tǒng)風(fēng)險(xiǎn)管理指引》(以下簡(jiǎn)稱“原《指引》”),對(duì)銀行業(yè)金融機(jī)構(gòu)的信息系統(tǒng)風(fēng)險(xiǎn)管理提出了基本的、原則性的要求,填補(bǔ)了我國(guó)銀行業(yè)信息系統(tǒng)監(jiān)管領(lǐng)域的空白。從實(shí)施效果來(lái)看,很多銀行在信息系統(tǒng)風(fēng)險(xiǎn)防范方面取得了長(zhǎng)足進(jìn)步。

然而,銀行業(yè)信息化發(fā)展非常迅速,信息科技的作用從業(yè)務(wù)支持逐步走向與業(yè)務(wù)的融合,成為銀行穩(wěn)健運(yùn)營(yíng)和發(fā)展的支柱,同時(shí)科技由分散走向集中也讓銀行的科技風(fēng)險(xiǎn)進(jìn)一步積聚。這讓銀監(jiān)會(huì)意識(shí)到,原《指引》已難以滿足商業(yè)銀行信息科技風(fēng)險(xiǎn)管理的需要,必須制訂高標(biāo)準(zhǔn)、高要求,且更加全面、系統(tǒng)、可操作的指引。于是,在原《指引》頒布后不久,銀監(jiān)會(huì)即開(kāi)始廣泛征求銀行業(yè)金融機(jī)構(gòu)的意見(jiàn),并參照國(guó)際經(jīng)驗(yàn)對(duì)原《指引》進(jìn)行細(xì)化、深化和充實(shí)。201*年3月3日,銀監(jiān)會(huì)歷時(shí)1年多制定的《商業(yè)銀行信息科技風(fēng)險(xiǎn)管理指引》(以下簡(jiǎn)稱“新《指引》”)正式頒布實(shí)施,原《指引》同時(shí)廢止。與此同時(shí),銀監(jiān)會(huì)還組織銀監(jiān)系統(tǒng)的眾多技術(shù)骨干編寫(xiě)了《商業(yè)銀行信息科技風(fēng)險(xiǎn)現(xiàn)場(chǎng)檢查指南》、《銀行業(yè)金融機(jī)構(gòu)重要信息系統(tǒng)投產(chǎn)及變更管理辦法》、《商業(yè)銀行數(shù)據(jù)中心監(jiān)管指引》等配套手冊(cè)和制度。此后,圍繞新《指引》和有關(guān)監(jiān)管要求而進(jìn)行的自查、檢查、整改、提高在全國(guó)商業(yè)銀行系統(tǒng)內(nèi)拉開(kāi)了序幕,并將持續(xù)深入進(jìn)行。

據(jù)了解,201*年,銀監(jiān)會(huì)及其分支機(jī)構(gòu)對(duì)近百家國(guó)內(nèi)銀行業(yè)金融機(jī)構(gòu)開(kāi)展了信息科技風(fēng)險(xiǎn)現(xiàn)場(chǎng)檢查,重點(diǎn)對(duì)主要風(fēng)險(xiǎn)點(diǎn)和相關(guān)的管理環(huán)節(jié)進(jìn)行了徹底檢查,以促進(jìn)銀行業(yè)金融機(jī)構(gòu)將信息科技風(fēng)險(xiǎn)管理納入銀行的總體風(fēng)險(xiǎn)管理框架中。針對(duì)現(xiàn)場(chǎng)檢查中發(fā)現(xiàn)的重大風(fēng)險(xiǎn)隱患和實(shí)際發(fā)生的重大信息科技事故,銀監(jiān)會(huì)通過(guò)下發(fā)風(fēng)險(xiǎn)提示的形式向全國(guó)銀行業(yè)金融機(jī)構(gòu)進(jìn)行了通報(bào)并提出了相應(yīng)的管理要求。

某省銀監(jiān)局一位不愿意透露姓名的知情人士說(shuō):“從現(xiàn)場(chǎng)檢查的情況來(lái)看,無(wú)論是大型商業(yè)銀行還是中小型商業(yè)銀行,都存在不同程度的信息科技風(fēng)險(xiǎn),人員、制度、流程都存在一些問(wèn)題,特別是有些銀行高管層的IT治理意識(shí)比較薄弱,對(duì)信息科技風(fēng)險(xiǎn)管理重視不夠。不過(guò),可喜的是,通過(guò)貫徹落實(shí)新《指引》,一些銀行已經(jīng)開(kāi)展了全面的信息科技風(fēng)險(xiǎn)評(píng)估,并制定了長(zhǎng)遠(yuǎn)的發(fā)展規(guī)劃,管理力度明顯加大。”

從近1年來(lái)新《指引》的落實(shí)情況來(lái)看,成效是顯而易見(jiàn)的。

首先,信息科技治理開(kāi)始引起重視。公開(kāi)的資料顯示,一些銀行已經(jīng)設(shè)立了信息科技管理委員會(huì)、首席信息官或功能類(lèi)似的部門(mén),其中有些是原來(lái)就設(shè)有的,有些則是按新《指引》的要求設(shè)立的。例如,中國(guó)工商銀行的信息科技管理委員會(huì),中國(guó)農(nóng)業(yè)銀行的電子化建設(shè)委員會(huì),招商銀行的信息規(guī)劃委員會(huì),中信銀行的信息技術(shù)委員會(huì),華夏銀行的科技與創(chuàng)新委員會(huì),渤海銀行的資訊科技委員會(huì);交通銀行、華夏銀行、渤海銀行、吉林銀行等設(shè)立了首席信息官。同時(shí),一些銀行還明確了風(fēng)險(xiǎn)管理部門(mén)和審計(jì)部門(mén)的信息科技風(fēng)險(xiǎn)管理職責(zé)。

其次,災(zāi)備體系建設(shè)取得新進(jìn)展。大型銀行進(jìn)一步完善了同城和異地災(zāi)備中心建設(shè),初步實(shí)現(xiàn)了同城中心間業(yè)務(wù)處理的切換和接管,基本建成全面的災(zāi)備體系。一些中小銀行也建成了同城災(zāi)備中心,實(shí)現(xiàn)了重要信息系統(tǒng)的切換和接管,并開(kāi)始著手建設(shè)異地災(zāi)備中心。此外,一些外資銀行的生產(chǎn)中心和災(zāi)備中心也相繼落成。

再次,應(yīng)急管理體系不斷完善。銀行應(yīng)急預(yù)案更加完善,應(yīng)急演練更加注重規(guī)范性、真實(shí)性和非計(jì)劃性,災(zāi)難恢復(fù)演練范圍也從核心業(yè)務(wù)系統(tǒng)、信用卡等重要信息系統(tǒng)擴(kuò)大到網(wǎng)銀、自助業(yè)務(wù)災(zāi)難恢復(fù)處理,應(yīng)急管理水平進(jìn)一步提高。

據(jù)銀監(jiān)會(huì)信息中心信息科技風(fēng)險(xiǎn)監(jiān)管處陳文雄處長(zhǎng)介紹,銀監(jiān)會(huì)預(yù)計(jì)用3年時(shí)間,按照屬地監(jiān)管的原則,對(duì)全國(guó)的商業(yè)銀行按照新《指引》進(jìn)行一遍現(xiàn)場(chǎng)檢查,具體檢查信息科技風(fēng)險(xiǎn)管理狀況,以推動(dòng)我國(guó)銀行業(yè)信息科技風(fēng)險(xiǎn)防控水平不斷提高。

中小銀行:“魚(yú)”與“熊掌”能兼得

201*年的6月和7月,各商業(yè)銀行按照新《指引》的要求相繼完成了第一次的自查,其中有些銀行是由內(nèi)部風(fēng)險(xiǎn)管理和審計(jì)部門(mén)獨(dú)立完成的,也有部分的銀行請(qǐng)外部的公司協(xié)助完成的,并結(jié)合自身的實(shí)際情況進(jìn)行了整改。

“收到銀監(jiān)會(huì)下發(fā)的新《指引》后,我們做的第一項(xiàng)工作就是召集科技、風(fēng)險(xiǎn)、審計(jì)等部門(mén)的業(yè)務(wù)骨干認(rèn)真研究和部署相關(guān)工作,并按要求進(jìn)行了認(rèn)真的整改!蹦吵巧绦行畔⒖萍疾控(fù)責(zé)人向記者表示,“為了使員工掌握信息科技風(fēng)險(xiǎn)防控知識(shí),培養(yǎng)信息科技風(fēng)險(xiǎn)管理意識(shí),提高管理水平,我們還特別邀請(qǐng)外部咨詢公司的專(zhuān)家對(duì)相關(guān)人員等進(jìn)行了嚴(yán)格的培訓(xùn),并補(bǔ)充了信息科技風(fēng)險(xiǎn)審計(jì)人員!

在科技建設(shè)和風(fēng)險(xiǎn)管理的雙重壓力下,一些中小銀行演繹了一場(chǎng)“魚(yú)”與“熊掌”兼得的“好戲”。其中,吉林銀行從戰(zhàn)略和信息科技治理入手,制定科技發(fā)展規(guī)劃,重點(diǎn)防控主要風(fēng)險(xiǎn)點(diǎn)的做法值得借鑒。

吉林銀行成立于201*年10月,是由長(zhǎng)春市商業(yè)銀行更名為吉林銀行,并吸收合并吉林市商業(yè)銀行及若干城信社而設(shè)立的股份制商業(yè)銀行。在“科技先行”的科技戰(zhàn)略和“整體外包”的信息化策略指導(dǎo)下,在2年多的時(shí)間里,吉林銀行的信息化建設(shè)快速發(fā)展,完成了數(shù)據(jù)大集中及眾多信息系統(tǒng)建設(shè),在只有45名科技人員的情況下創(chuàng)造了同時(shí)管理近70個(gè)項(xiàng)目的“奇跡”,實(shí)現(xiàn)了科技由制約業(yè)務(wù)發(fā)展、與業(yè)務(wù)同步發(fā)展向引領(lǐng)業(yè)務(wù)發(fā)展的飛躍,而且從未出現(xiàn)大的紕漏和安全事故。

據(jù)吉林銀行信息科技部總經(jīng)理李貴賓介紹,在高層領(lǐng)導(dǎo)的重視下,吉林銀行已經(jīng)建立了比較完善的信息科技治理結(jié)構(gòu):明確了董事會(huì)、監(jiān)事會(huì)、相關(guān)業(yè)務(wù)部門(mén)及科技部門(mén)的職責(zé)分工(包括匯報(bào)路線);成立了以行長(zhǎng)為組長(zhǎng)的“吉林銀行信息科技工作領(lǐng)導(dǎo)小組”,主要負(fù)責(zé)全行的信息科技資源整合,以及當(dāng)前信息系統(tǒng)運(yùn)營(yíng)的風(fēng)險(xiǎn)控制等;設(shè)立了首席信息官,直接向行長(zhǎng)匯報(bào)工作;風(fēng)險(xiǎn)管理部和審計(jì)部也設(shè)立了專(zhuān)門(mén)的信息科技風(fēng)險(xiǎn)管理和信息科技審計(jì)崗位;信息科技部則負(fù)責(zé)規(guī)范和執(zhí)行日常的項(xiàng)目管理、運(yùn)行管理等。同時(shí),吉林銀行還制定了符合業(yè)務(wù)發(fā)展的科技發(fā)展規(guī)劃,并重點(diǎn)加強(qiáng)了項(xiàng)目的管理和外包風(fēng)險(xiǎn)的控制。

另?yè)?jù)了解,某全國(guó)性股份制商業(yè)銀行在按新《指引》的要求完善信息科技管理的同時(shí),啟動(dòng)了一個(gè)加強(qiáng)信息科技風(fēng)險(xiǎn)管理的項(xiàng)目,希望以科技手段提高信息科技風(fēng)險(xiǎn)管理的效率,準(zhǔn)確識(shí)別、計(jì)量、監(jiān)測(cè)和控制風(fēng)險(xiǎn),并將信息科技風(fēng)險(xiǎn)管理融入到銀行整體風(fēng)險(xiǎn)管理中去,構(gòu)筑高效、立體的銀行風(fēng)險(xiǎn)管理體系。

大型銀行:探索特色科技風(fēng)險(xiǎn)管理

目前,國(guó)內(nèi)一些大型銀行無(wú)論是規(guī)模還是盈利能力都已經(jīng)走在世界前列,其用戶數(shù)量和IT規(guī)模同樣如此,并處于快速發(fā)展之中。而隨著國(guó)內(nèi)大型銀行國(guó)際化戰(zhàn)略的實(shí)施,其規(guī)模還將進(jìn)一步擴(kuò)大。

在快速發(fā)展過(guò)程中,大型銀行或多或少都發(fā)生過(guò)一些事故甚至是影響全國(guó)的大事故,其信息科技風(fēng)險(xiǎn)管理也都存在事故推動(dòng)的痕跡。與國(guó)外大型銀行相比,國(guó)內(nèi)大型銀行在信息科技管理方面還存在較大的差距。

但是,經(jīng)過(guò)多年的發(fā)展,國(guó)內(nèi)大型銀行已逐步認(rèn)識(shí)到信息科技風(fēng)險(xiǎn)管理的重要性,普遍引入ITIL,ISO201*0,ISO27001,COBIT,CMM等國(guó)際標(biāo)準(zhǔn)和最佳實(shí)踐,管理水平有了較大的提升,并正邁向標(biāo)準(zhǔn)化、規(guī)范化、精細(xì)化的信息科技管理。

新《指引》頒布實(shí)施后,大型銀行在原來(lái)相對(duì)完善的信息科技風(fēng)險(xiǎn)管理體系基礎(chǔ)上,進(jìn)一步改進(jìn)了其信息科技風(fēng)險(xiǎn)管理:設(shè)立了專(zhuān)門(mén)的信息科技管理委員會(huì);完善了相關(guān)制度、標(biāo)準(zhǔn)和流程;加強(qiáng)信息科技風(fēng)險(xiǎn)評(píng)估和內(nèi)外部審計(jì),等等。特別是國(guó)內(nèi)銀行業(yè)信息化程度最高的中國(guó)工商銀行并沒(méi)有因?yàn)楣芾硭捷^高而有所懈怠,而是積極響應(yīng)新《指引》,在大型銀行中率先設(shè)立了信息科技管理委員會(huì),專(zhuān)門(mén)負(fù)責(zé)對(duì)信息科技發(fā)展戰(zhàn)略和年度計(jì)劃,信息科技重大工程建設(shè)及信息科技風(fēng)險(xiǎn)管理、信息安全管理等重大決策事項(xiàng)進(jìn)行管理。并將加強(qiáng)信息科技治理和完成“兩地三中心”建設(shè)等。

在國(guó)內(nèi),中國(guó)工商銀行是最早旗幟鮮明地以“科技引領(lǐng)”為科技戰(zhàn)略、以“自主創(chuàng)新”為信息化策略的銀行之一,其信息科技建設(shè)和管理都走在國(guó)內(nèi)同業(yè)前面,并深受同業(yè)肯定和褒揚(yáng),成為國(guó)內(nèi)眾多銀行紛紛仿效的對(duì)象。

在科技隊(duì)伍建設(shè)方面,全行的科技人員超過(guò)11000人,其中總行直管的科技人員達(dá)4500人。在知識(shí)產(chǎn)權(quán)保護(hù)方面,目前已擁有的專(zhuān)利數(shù)量近百項(xiàng),國(guó)內(nèi)同業(yè)占比第一。

在組織體系方面,建成了適應(yīng)全行統(tǒng)一經(jīng)營(yíng)管理要求的集約化的科技組織體系,總行層面形成管理、研發(fā)、運(yùn)行分工協(xié)作的科技體系,分行則負(fù)責(zé)特色應(yīng)用開(kāi)發(fā)、總行系統(tǒng)推廣、運(yùn)行管理、市場(chǎng)支持等科技工作。

在制度和標(biāo)準(zhǔn)規(guī)范建設(shè)方面,建成了包括運(yùn)行管理、項(xiàng)目管理、綜合管理在內(nèi)的三大類(lèi)制度,內(nèi)容涵蓋了信息系統(tǒng)生產(chǎn)運(yùn)行、應(yīng)用開(kāi)發(fā)和測(cè)試、科技綜合管理等各個(gè)工作環(huán)節(jié);制定發(fā)布了涉及信息安全、系統(tǒng)、應(yīng)用、網(wǎng)絡(luò)、設(shè)備和機(jī)房等6大類(lèi)、71項(xiàng)技術(shù)規(guī)范。

可以說(shuō),中國(guó)工商銀行在信息科技建設(shè)和管理的很多方面都獨(dú)樹(shù)一幟,特色鮮明。此外,一些大型銀行已經(jīng)開(kāi)始重視信息科技治理文化的形成,探索建設(shè)融合西方管理標(biāo)準(zhǔn)與最佳實(shí)踐,以及國(guó)內(nèi)文化和本行實(shí)際情況的信息科技風(fēng)險(xiǎn)管理體系。

多方合力:突圍科技風(fēng)險(xiǎn)管理初級(jí)階段

風(fēng)險(xiǎn)管理一直都是國(guó)內(nèi)銀行業(yè)金融機(jī)構(gòu)的弱項(xiàng),信息科技風(fēng)險(xiǎn)管理也不例外。

陳文雄認(rèn)為,目前國(guó)內(nèi)銀行業(yè)金融機(jī)構(gòu)在信息科技風(fēng)險(xiǎn)管理上整體處于初級(jí)階段。雖然部分銀行的信息科技風(fēng)險(xiǎn)管理工作做得比較好,但總體上“信息科技管理”、“信息科技風(fēng)險(xiǎn)管理”、“信息科技風(fēng)險(xiǎn)審計(jì)”三道防線都沒(méi)有建立起來(lái),沒(méi)有形成立體屏障,尤其是在IT治理、風(fēng)險(xiǎn)管理等方面還存在不足。雖然新《指引》的貫徹落實(shí)在很大程度上促進(jìn)了國(guó)內(nèi)銀行業(yè)金融機(jī)構(gòu)的信息科技風(fēng)險(xiǎn)管理,但在實(shí)踐過(guò)程中,也遇到了一些亟待解決的問(wèn)題。

一是差異化監(jiān)管的問(wèn)題。雖然新《指引》在適用范圍上體現(xiàn)了差異化監(jiān)管的思想,但由于目前國(guó)內(nèi)銀行之間差異極大,即使同是法人商業(yè)銀行之間的信息科技建設(shè)和管理水平也存在巨大的差距,若要求那些實(shí)力較小的城商行也嚴(yán)格按照新《指引》進(jìn)行信息科技風(fēng)險(xiǎn)管理,目前還存在非常多的客觀困難。如果要實(shí)行進(jìn)一步的差異化監(jiān)管,那又應(yīng)該如何實(shí)施呢?

二是監(jiān)管力度大小問(wèn)題。由于銀行的影響力大小不同,同樣的系統(tǒng)故障對(duì)社會(huì)的影響差異也很大,大銀行可能影響全國(guó),城商行則只影響某一個(gè)城市。此外,信息科技風(fēng)險(xiǎn)管理內(nèi)容非常多,對(duì)不同內(nèi)容的重要性如何判斷,對(duì)不同銀行、不同內(nèi)容的監(jiān)管力度如何確定,輕重緩急如何呢?三是銀行達(dá)標(biāo)時(shí)間問(wèn)題。目前,無(wú)論是大型銀行還是中小銀行,其信息科技風(fēng)險(xiǎn)管理都與新《指引》的要求存在不同程度的差距,尤其是IT治理方面幾乎沒(méi)有銀行能夠達(dá)標(biāo),比如設(shè)立信息科技管理委員會(huì)、首席信息官等。那么,銀監(jiān)會(huì)是否應(yīng)該對(duì)不同的銀行和不同的內(nèi)容設(shè)立一個(gè)達(dá)標(biāo)時(shí)間表呢?

銀監(jiān)會(huì)信息中心主任吳躍撰文表示,銀監(jiān)會(huì)將進(jìn)一步推進(jìn)信息科技治理和非現(xiàn)場(chǎng)監(jiān)管工作,加強(qiáng)準(zhǔn)入環(huán)節(jié)信息科技風(fēng)險(xiǎn)和外包風(fēng)險(xiǎn)管理,不斷提高信息科技風(fēng)險(xiǎn)現(xiàn)場(chǎng)檢查的有效性。在信息科技風(fēng)險(xiǎn)管理上,銀監(jiān)會(huì)只是外因,銀行信息科技風(fēng)險(xiǎn)管理水平的提高主要還要靠銀行自身的努力。

而以目前的情況來(lái)看,銀行要解決的首要問(wèn)題是高層領(lǐng)導(dǎo)對(duì)信息科技風(fēng)險(xiǎn)管理的重要性認(rèn)識(shí)問(wèn)題,并從信息科技治理入手,自上而下地推動(dòng)信息科技風(fēng)險(xiǎn)管理,確保銀行持續(xù)、安全、穩(wěn)定運(yùn)行。

擴(kuò)展閱讀:商業(yè)銀行信息科技風(fēng)險(xiǎn)管理指引(EN)

商業(yè)銀行信息科技風(fēng)險(xiǎn)管理指引(英文版)

201*-6-110:20【大中小】【我要糾錯(cuò)】發(fā)文單位:中國(guó)銀行業(yè)監(jiān)督管理委員會(huì)

發(fā)布日期:201*-6-1執(zhí)行日期:201*-6-1ChapterIGeneralProvisions

Article1.PursuanttotheLawofthePeoplesRepublicofChinaonBankingRegulationandSupervision,theLawofthePeople"sRepublicofChinaonCommercialBanks,theRegulationsofthePeoplesRepublicofChinaonAdministrationofForeign-fundedBanks,andotherapplicablelawsandregulations,theGuidelinesontheRiskManagementofCommercialBanksInformationTechnology(hereinafterreferredtoastheGuidelines)isformulated.Article2.TheGuidelinesapplytoallthecommercialbankslegallyincorporatedwithinthe

territoryofthePeoplesRepublicofChina.

TheGuidelinesmayapplytootherbankinginstitutionsincludingpolicybanks,ruralcooperativebanks,urbancreditcooperatives,ruralcreditcooperatives,villagebanks,loancompanies,financialassetmanagementcompanies,trustandinvestmentcompanies,financefirms,financialleasingcompanies,automobilefinancialcompaniesandmoneybrokers.Article3.Theterm“informationtechnology”statedintheGuidelinesshallrefertothesystembuiltwithcomputer,communicationandsoftwaretechnologies,andemployedbycommercialbankstohandlebusinesstransactions,operationmanagement,andinternalcommunication,collaborativeworkandcontrols.ThetermalsoincludeITgovernance,IT

organizationstructureandITpoliciesandprocedures.

Article4.Theriskofinformationtechnologyreferstotheoperationalrisk,legalriskandreputationriskthatarecausedbynaturalfactor,humanfactor,technologicalloopholesor

managementdeficiencieswhenusinginformationtechnology.

Article5.Theobjectiveofinformationsystemriskmanagementistoestablishaneffectivemechanismthatcanidentify,measure,monitor,andcontroltherisksofcommercialbanksinformationsystem,ensuredataintegrity,availability,confidentialityandconsistency,providetherelevantearlywarning,andtherebyenablecommercialbanksbusinessinnovations,uplifttheircapabilityinutilizinginformationtechnology,improvetheircorecompetitivenessand

capacityforsustainabledevelopment.ChapterIIITgovernance

Article6.Thelegalrepresentativeofcommercialbankshouldberesponsibletoensure

complianceofthisguideline.Article7.Theboardofdirectorsofcommercialbanksshouldhavethefollowing

responsibilitieswithrespecttothemanagementofinformationsystems:

(1)Implementingandcomplyingwiththenationallaws,regulationsandtechnicalstandardspertainingtothemanagementofinformationsystems,aswellastheregulatoryrequirementssetbytheChinaBankingRegulatoryCommission(hereinafterreferredtoasthe

“CBRC”);

(2)PeriodicallyreviewingthealignmentofITstrategywiththeoverallbusinessstrategiesandsignificantpoliciesofthebank,assessingtheoveralleffectivenessandefficiencyoftheIT

organization.

(3)ApprovingITriskmanagementstrategiesandpolicies,understandingthemajorITrisksinvolved,settingacceptablelevelsfortheserisks,andensuringtheimplementationofthe

measuresnecessarytoidentify,measure,monitorandcontroltheserisks.

(4)Settinghighethicalandintegritystandards,andestablishingaculturewithinthebankthatemphasizesanddemonstratestoalllevelsofpersonneltheimportanceofITriskmanagement.(5)EstablishinganITsteeringcommitteewhichconsistsofrepresentativesfromseniormanagement,theITorganization,andmajorbusinessunits,tooverseetheseresponsibilitiesandreporttheeffectivenessofstrategicITplanning,theITbudgetandactualexpenditure,and

theoverallITperformancetotheboardofdirectorsandseniormanagementperiodically.(6)EstablishingITgovernancestructure,propersegregationofduty,clearroleandresponsibility,maintainingcheckandbalancesandclearreportingrelationship.StrengtheningIT

professionalstaffbydevelopingincentiveprogram.

(7)EnsuringthatthereisaneffectiveinternalauditoftheITriskmanagementcarriedoutbyoperationallyindependent,well-trainedandqualifiedstaff.Theinternalauditreportshouldbe

submitteddirectlytotheITauditcommittee;

(8)SubmittinganannualreporttotheCBRCanditslocalofficesoninformationsystem

riskmanagementthathasbeenreviewedandapprovedbytheboardofdirectors;(9)EnsuringtheappropriatingfundingnecessaryforITriskmanagementworks;(10)EnsuringthatallemployeesofthebankfullyunderstandandadheretotheITrisk

managementpoliciesandproceduresapprovedbytheboardofdirectorsandthesenior

management,andareprovidedwithpertinenttraining.

(11)Ensuringcustomerinformation,financialinformation,productinformationandcorebankingsystemofthelegalentityareheldindependentlywithintheterritory,andcomplyingwiththeregulatoryon-siteexaminationrequirementsofCBRCandguardingagainstcross-border

risk.(12)ReportinginatimelymannertotheCBRCanditslocalofficesanyseriousincidentofinformationsystemsorunexpectedevent,andquicklyrespondtoitinaccordancewiththe

contingencyplan;

(13)CooperatingwiththeCBRCanditslocalofficesinthesupervisoryinspectionoftheriskmanagementofinformationsystems,andensurethatsupervisoryopinionsarefollowedup;

and

(14)PerformingotherrelatedITriskmanagementtasks.

Article8.TheheadoftheITorganization,commonlyknownastheChiefInformationOfficer(CIO)shouldreportdirectlytothepresident.RolesandresponsibilitiesoftheCIO

shouldincludethefollowing:

(1)Playingadirectroleinkeydecisionsforthebusinessdevelopmentinvolvingtheuseof

ITinthebank;

(2)TheCIOshouldensurethatinformationsystemsmeettheneedsofthebank,andITstrategies,inparticularinformationsystemdevelopmentstrategies,complywiththeoverall

businessstrategiesandITriskmanagementpoliciesofthebank;

(3)TheCIOshouldalsoberesponsiblefortheestablishmentofaneffectiveandefficientIT

organizationtocarryouttheITfunctionsofthebank.TheseincludetheITbudgetandexpenditure,ITriskmanagement,ITpolicies,standardsandprocedures,ITinternalcontrols,professionaldevelopment,ITprojectinitiatives,ITprojectmanagement,informationsystemmaintenanceandupgrade,IToperations,ITinfrastructure,Informationsecurity,disaster

recoveryplan(DRP),IToutsourcing,andinformationsystemretirement;(4)EnsuringtheeffectivenessofITriskmanagementthroughouttheorganizationincluding

allbranches.

(5)Organizingprofessionaltrainingstoimprovetechnicalproficiencyofstaff.

(6)PerformingotherrelatedITriskmanagementtasks.

Article9.CommercialbanksshouldensurethatacleardefinitionoftheITorganizationstructureanddocumentationofalljobdescriptionsofimportantpositionsarealwaysinplaceand

updatedinatimelymanner.Staffineachpositionshouldmeetrelevantrequirementsonprofessionalskillsandknowledge.Thefollowingriskmitigationmeasuresshouldbeincorporated

inthemanagementprogramofrelatedstaff:

(1)Verificationofpersonalinformationincludingconfirmationofpersonalidentificationissuedbygovernment,academiccredentials,priorworkexperience,professionalqualifications;(2)EnsuringthatITstaffcanmeettherequiredprofessionalethicsbycheckingcharacter

reference;(3)SigningofagreementswithemployeesaboutunderstandingofITpoliciesandguidelines,non-disclosureofconfidentialinformation,authorizeduseofinformationsystems,

andadherencetoITpoliciesandprocedures;and

(4)EvaluationoftheriskoflosingkeyITpersonnel,especiallyduringmajorITdevelopmentstageorinaperiodofunstableIToperations,andtherelevantriskmitigation

measuressuchasstaffbackuparrangementandstaffsuccessionplan.

Article10.CommercialbanksshouldestablishordesignateaparticulardepartmentforITriskmanagement.ItshouldreportdirectlytotheCIOandtheChiefRiskOfficer(orriskmanagementcommittee),serveasamemberoftheITincidentresponseteam,andberesponsibleforcoordinatingtheestablishmentofpoliciesregardingITriskmanagement,especiallytheareasofinformationsecurity,BCP,andcompliancewiththeCBRCregulations,advisingthebusinessdepartmentsandITdepartmentinimplementingthesepolicies,providingrelevantcomplianceinformation,conductingon-goingassessmentofITrisks,andensuringthefollow-upofremediationadvice,monitoringandescalatingmanagementofITthreatsand

non-complianceevents.

Article11.CommercialbanksshouldestablishaspecialITauditroleandresponsibilitywithininternalauditfunction,whichshouldputinplaceITauditpoliciesandprocedures,

developandexecuteITauditplan.

Article12.Commercialbanksshouldputinplacepoliciesandprocedurestoprotectintellectualpropertyrightsaccordingtolawsregardingintellectualproperties,ensurepurchaseoflegitimatesoftwareandhardware,preventionoftheuseofpiratedsoftware,andtheprotectionoftheproprietaryrightsofITproductsdevelopedbythebank,andensurethatthesearefully

understoodandcompliedbyallemployees.

Article13.Commercialbanksshould,inaccordancewithrelevantlawsandregulations,

disclosetheriskprofileoftheirITnormativelyandtimely.

ChapterIIIITRiskManagement

Article14.CommercialbanksshouldformulateanITstrategythatalignswiththeoverallbusinessplanofthebank,ITriskassessmentplanandanIToperationalplanthatcanensureadequatefinancialresourcesandhumanresourcestomaintainastableandsecureITenvironment.

Article15.CommercialbanksshouldputinplaceacomprehensivesetofITrisk

managementpoliciesthatincludethefollowingareas:(1)Informationsecurityclassificationpolicy(2)Systemdevelopment,testingandmaintenancepolicy

(3)IToperationandmaintenancepolicy

(4)Accesscontrolpolicy(5)Physicalsecuritypolicy(6)Personnelsecuritypolicy

(7)BusinessContinuityPlanningandCrisisandEmergencyManagementprocedureArticle16.Commercialbanksshouldmaintainanongoingriskidentificationandassessmentprocessthatallowsthebanktopinpointtheareasofconcerninitsinformationsystems,assessthepotentialimpactoftherisksonitsbusiness,ranktherisks,andprioritizemitigationactionsandthenecessaryresources(includingoutsourcingvendors,productvendorsandservice

vendors)。

Article17.CommercialbanksshouldimplementacomprehensivesetofriskmitigationmeasurescomplyingwiththeITriskmanagementpoliciesandcommensuratewiththerisk

assessmentofthebank.Thesemitigationmeasuresshouldinclude:

(1)AsetofclearlydocumentedITriskpolicies,technicalstandards,andoperationalprocedures,whichshouldbecommunicatedtothestafffrequentlyandkeptuptodateinatimely

manner;

(2)Areasofpotentialconflictsofinterestshouldbeidentified,minimized,andsubjecttocareful,independentmonitoring.Alsoitrequiresthatanappropriatecontrolstructureissetuptofacilitatechecksandbalances,withcontrolactivitiesdefinedateverybusinesslevel,which

shouldinclude:-Toplevelreviews;

-Controlsoverphysicalandlogicalaccesstodataandsystem;-Accessgrantedon“needtoknow”and“minimumauthorization”basis;

-Asystemofapprovalsandauthorizations;and-Asystemofverificationandreconciliation.

Article18.Commercialbanksshouldputinplaceasetofongoingriskmeasurementand

monitoringmechanisms,whichshouldinclude

(1)Preandpost-implementationreviewofITprojects;(2)Benchmarksforperiodicreviewofsystemperformance;(3)ReportsofincidentsandcomplaintsaboutITservices;

(4)Reportsofinternalaudit,externalaudit,andissuesidentifiedbyCBRC;and(5)Arrangementwithvendorsandbusinessunitsforperiodicreviewofservicelevel

agreements(SLAs)。(6)Thepossibleimpactofnewdevelopmentoftechnologyandnewthreatstosoftware

deployed.

(7)Timelyreviewofoperationalriskandmanagementcontrolsinoperationarea.

(8)AssesstheriskprofileonIToutsourcingprojectsperiodically.

Article19.ChinesecommercialbanksoperatingoffshoreandtheforeigncommercialbanksinChinashouldcomplywiththerelevantregulatoryrequirementsoninformationsystemsinand

outsidethePeoplesRepublicofChina.ChapterIVInformationSecurity

Article20.Informationtechnologydepartmentofcommercialbanksshouldoverseetheestablishmentofaninformationclassificationandprotectionscheme.Allemployeesofthebankshouldbemadeawareoftheimportanceofensuringinformationconfidentialityandprovidedwiththenecessarytrainingtofullyunderstandtheinformationprotectionprocedureswithintheir

responsibilities.

Article21.Commercialbanksshouldputinplaceaninformationsecuritymanagementfunctiontodevelopandmaintainanongoinginformationsecuritymanagementprogram,promoteinformationsecurityawareness,adviseotherITfunctionsonsecurityissues,serveastheleaderofITincidentresponseteam,andreporttheevaluationoftheinformationsecurityofthebanktotheITsteeringcommitteeperiodically.TheInformationsecuritymanagementprogramshouldincludeInformationsecuritystandards,strategy,animplementationplan,andan

ongoingmaintenanceplan.

Informationsecuritypolicyshouldincludethefollowingareas:

(1)ITsecuritypolicymanagement(2)Organizationinformationsecurity

(3)Assetmanagement(4)Personnelsecurity

(5)Physicalandenvironmentsecurity(6)Communicationandoperationsecurity(7)Accesscontrolandauthentication

(8)Acquirement,developmentandmaintenanceofinformationsystem

(9)Informationsecurityeventmanagement(10)Businesscontinuitymanagement

(11)ComplianceArticle22.Commercialbanksshouldhaveaneffectiveprocesstomanageuserauthenticationandaccesscontrol.Accesstodataandsystemshouldbestrictlylimitedtoauthorizedindividualswhoseidentityisclearlyestablished,andtheiractivitiesintheinformationsystemsshouldbelimitedtotheminimumrequiredfortheirlegitimatebusinessuse.Appropriateuserauthenticationmechanismcommensuratewiththeclassificationofinformationtobeaccessedshouldbeselected.Timelyreviewandremovalofuseridentityfromthesystemshouldbeimplementedwhenuser

transferstoanewjoborleavethecommercialbank.

Article23.Commercialbanksshouldensureallphysicalsecurityzones,suchascomputercentersordatacenters,networkclosets,areascontainingconfidentialinformationorcriticalITequipment,andrespectiveaccountabilitiesareclearlydefined,andappropriatepreventive,

detective,andrecuperativecontrolsareputinplace.

Article24.Commercialbanksshoulddividetheirnetworksintologicalsecuritydomains(hereinafterreferredtoasthe“domain”)withdifferentlevelsofsecurity.Thefollowingsecurityfactorshavetobeassessedinordertodefineandimplementeffectivesecuritycontrols,suchasphysicalorlogicalsegregationofnetwork,networkfiltering,logicalaccesscontrol,trafficencryption,networkmonitoring,activitylog,etc.,foreachdomainandthewhole

network.

(1)criticalityoftheapplicationsandusergroupswithinthedomain;(2)Accesspointstothedomainthroughvariouscommunicationchannels;(3)Networkprotocolsandportsusedbytheapplicationsandnetworkequipmentdeployed

withinthedomain;

(4)Performancerequirementorbenchmark;

(5)Natureofthedomain,i.e.productionortesting,internalorexternal;

(6)Connectivitybetweenvariousdomains;and

(7)Trustworthinessofthedomain.

Article25.Commercialbanksshouldsecuretheoperatingsystemandsystemsoftwareofall

computersystemsby

(1)Developingbaselinesecurityrequirementforeachoperatingsystemandensuringall

systemsmeetthebaselinesecurityrequirement;

(2)Clearlydefiningasetofaccessprivilegesfordifferentgroupsofusers,namely,end-users,systemdevelopmentstaff,computeroperators,andsystemadministratorsanduser

administrators;

(3)Settingupasystemofapproval,verification,andmonitoringproceduresforusing

thehighestprivilegedsystemaccounts;(4)Requiringtechnicalstafftoreviewavailablesecuritypatches,andreportthepatch

statusperiodically;and

(5)Requiringtechnicalstafftoincludeimportantitemssuchasunsuccessfullogins,accesstocriticalsystemfiles,changesmadetouseraccounts,etc.insystemlogs,monitorsthesystemsforanyabnormaleventmanuallyorautomatically,andreportthemonitoring

periodically.

Article26.Commercialbanksshouldensurethesecurityofalltheapplicationsystemsby(1)Clearlydefiningtherolesandresponsibilitiesofend-usersandITstaffregardingthe

applicationsecurity;

(2)Implementingarobustauthenticationmethodcommensuratewiththecriticalityand

sensibilityoftheapplicationsystem;

(3)Enforcingsegregationofdutiesanddualcontrolovercriticalorsensitivefunctions;(4)Requiringverificationofinputorreconciliationofoutputatcriticaljunctures;(5)Requiringtheinputandoutputofconfidentialinformationarehandledinasecuremannertopreventtheft,tampering,intentionalleakage,orinadvertentleakage;(6)Ensuringsystemcanhandleexceptionsinapredefinedwayandprovidemeaningful

messagetouserswhenthesystemisforcedtoterminate;and(7)Maintainingaudittrailineitherpaperorelectronicformat.

(8)Requiringuseradministratortomonitorandreviewunsuccessfulloginsandchangesto

usersaccounts.

Article27.Commercialbanksshouldhaveasetofpoliciesandprocedurescontrollingtheloggingofactivitiesinallproductionsystemstosupporteffectiveauditing,securityforensicanalysis,andfraudprevention.Loggingcanbeimplementedindifferentlayersofsoftwareandondifferentcomputerandnetworkingequipment,whichfallsintotwobroadcategories:(1)Transactionjournals.Theyaregeneratedbyapplicationsoftwareanddatabasemanagementsystem,andcontainauthenticationattempts,modificationtodata,errormessages,

etc.Transactionjournalsshouldbekeptaccordingtothenationalaccountingpolicy.(2)Systemlogs.Theyaregeneratedbyoperatingsystems,databasemanagementsystem,firewalls,intrusiondetectionsystems,androuters,etc.,andcontainauthenticationattempts,systemevents,networkevents,errormessages,etc.Systemlogsshouldbekeptforaperiod

scaledtotheriskclassification,butnolessthanoneyear.

Banksshouldensurethatsufficientitemsbeincludedinthelogstofacilitateeffectiveinternalcontrols,systemtroubleshooting,andauditingwhiletakingappropriatemeasurestoensuretimesynchronizationonalllogs.Sufficientdiskspaceshouldbeallocatedtopreventlogsfrombeingoverwritten.Systemlogsshouldbereviewedforanyexception.ThereviewfrequencyandretentionperiodfortransactionlogsordatabaselogsshouldbedeterminedjointlybyITorganizationandpertinentbusinesslines,andapprovedbytheITsteeringcommittee.Article28.Commercialbanksshouldhavethecapacitytoemployencryptiontechnologiestomitigatetheriskoflosingconfidentialinformationintheinformationsystemsorduringitstransmission.Appropriatemanagementprocessesoftheencryptionfacilitiesshouldbeputin

placetoensurethat

(1)Encryptionfacilitiesinuseshouldmeetnationalsecuritystandardsorrequirements;

(2)Staffinchargeofencryptionfacilitiesarewelltrainedandscreened;

(3)Encryptionstrengthisadequatetoprotecttheconfidentialityoftheinformation;and

(4)Effectiveandefficientkeymanagementprocedures,especiallykeylifecycle

managementandcertificatelifecyclemanagement,areinplace.

Article29.Commercialbanksshouldputinplaceaneffectiveandefficientsystemofsecuringallend-usercomputingequipmentwhichincludedesktoppersonalcomputers(PCs),portablePCs,tellerterminals,automatictellermachines(ATMs),passbookprinters,debitorcreditcardreaders,pointofsale(POS)terminals,personaldigitalassistant(PDAs),

etcandconductperiodicsecuritychecksonallequipments.

Article30.Commercialbanksshouldputinplaceasetofpoliciesandprocedurestogovernthecollection,processing,storage,transmission,dissemination,anddisposalofcustomer

information.

Article31.Allemployees,includingcontractstaff,shouldbeprovidedwiththenecessarytrainingstofullyunderstandthesepoliciesproceduresandtheconsequencesoftheirviolation.

Commercialbanksshouldadoptazerotolerancepolicyagainstsecurityviolation.ChapterVApplicationSystemDevelopment,TestingandMaintenance

Article32.Commercialbanksshouldhavethecapabilitytoidentify,plan,acquire,develop,test,deploy,maintain,upgrade,andretireinformationsystems.Policiesandproceduresshouldbeinplacetogoverntheinitiation,prioritization,approval,andcontrolofITprojects.ProgressreportsofmajorITprojectsshouldbesubmittedtoandreviewedbytheITsteeringcommitteeperiodically.Decisionsinvolvingsignificantchangeofschedule,changeofkeypersonnel,changeofvendors,andmajorexpendituresshouldbeincludedintheprogress

report.

Article33.CommercialbanksshouldrecognizetherisksassociatedwithITprojects,whichincludethepossibilitiesofincurringvariouskindsofoperationalrisk,financiallosses,andopportunitycostsstemmingfromineffectiveprojectplanningorinadequateprojectmanagementcontrolsofthebank.Therefore,appropriateprojectmanagementmethodologiesshouldbe

adoptedandimplementedtocontroltherisksassociatedwithITprojects.Article34.CommercialbanksshouldadoptandimplementasystemdevelopmentmethodologytocontrolthelifecycleofInformationsystems.Thetypicalphasesofsystemlifecycleincludesystemanalysis,design,developmentoracquisition,testing,trialrun,deployment,maintenance,andretirement.Thesystemdevelopmentmethodologytobeusedshouldbecommensuratewiththesize,nature,andcomplexityoftheITproject,and,

generallyspeaking,shouldfacilitatethemanagementofthefollowingrisks.Article35.Commercialbanksshouldensuresystemreliability,integrity,andmaintainabilitybycontrollingsystemchangeswithasetofpoliciesandprocedures,which

shouldincludethefollowingelements.

(1)Ensurethatproductionsystemsareseparatedfromdevelopmentortestingsystems;(2)Separatingthedutiesofmanagingproductionsystemsandmanagingdevelopmentor

testingsystems;

(3)Prohibitingapplicationdevelopmentandmaintenancestafffromaccessingproductionsystemundernormalcircumstancesunlessmanagementapprovalisgrantedtoperformemergency

repair,andallemergencyrepairactivitiesshouldberecordedandreviewedpromptly;(4)Promotingchangesofprogramorsystemconfigurationfromdevelopmentandtesting

systemstoproductionsystemsshouldbejointlyapprovedbyITorganizationandbusiness

departments,properlydocumented,andreviewedperiodically.

Article36.Commercialbanksshouldhaveinplaceasetofpolicies,standards,andprocedurestoensuredataintegrity,confidentiality,andavailability.Thesepoliciesshouldbein

accordancewithdataintegrityamidITdevelopmentprocedure.

Article37.CommercialbanksshouldensurethatInformationsystemproblemscouldbetracked,analyzed,andresolvedsystematicallythroughaneffectiveproblemmanagementprocess.Problemsshouldbedocumented,categorized,andindexed.Supportservicesortechnicalassistancefromvendors,ifnecessary,shouldalsobedocumented.Contactsandrelevantcontractinformationshouldbemadereadilyavailabletotheemployeesconcerned.Accountabilityandlineofcommandshouldbedelineatedclearlyandcommunicatedtoallemployeesconcerned,whichisofutmostimportancetoperformingemergencyrepair.Article38.Commercialbanksshouldhaveasetofpoliciesandprocedurescontrollingtheprocessofsystemupgrade.Systemupgradeisneededwhenthehardwarereachesitslifespanorrunsoutofcapacity,theunderpinningsoftware,namely,operatingsystem,databasemanagementsystem,middleware,hastobeupgraded,ortheapplicationsoftwarehastobeupgraded.Thesystemupgradeshouldbetreatedasaprojectandmanagedbyallpertinentproject

managementcontrolsincludinguseracceptancetesting.ChapterVIITOperations

Article39.Commercialbanksshouldconsiderfullytheenvironmentalthreats(e.g.proximitytonaturaldisasterzones,dangerousorhazardousfacilitiesorbusy/majorroads)when

selectingthelocationsoftheirdatacenters.Physicalandenvironmentalcontrolsshouldbeimplementedtomonitorenvironmentalconditionscouldaffectadverselytheoperationofinformationprocessingfacilities.Equipmentfacilitiesshouldbeprotectedfrompowerfailuresand

electricalsupplyinterference.

Article40.Incontrollingaccessbythird-partypersonnel(e.g.serviceproviders)tosecured

areas,properapprovalofaccessshouldbeenforcedandtheiractivitiesshouldbecloselymonitored.Itisimportantthatproperscreeningproceduresincludingverificationandbackgroundchecks,especiallyforsensitivetechnology-relatedjobs,aredevelopedforpermanentand

temporarytechnicalstaffandcontractors.

Article41.CommercialbanksshouldseparateIToperationsorcomputercenteroperationsfromsystemdevelopmentandmaintenancetoensuresegregationofdutieswithintheITorganization.Thecommercialbanksshoulddocumenttherolesandresponsibilitiesofdatacenter

functions.

Article42.Commercialbanksarerequiredtoretaintransactionalrecordsincompliancewiththenationalaccountingpolicy.Proceduresandtechnologyareneededtobeputinplacetoensure

theintegrity,safekeepingandretrievalrequirementsofthearchiveddata.Article43.Commercialbanksshoulddetailoperationalinstructionssuchascomputeroperatortasks,jobschedulingandexecutionintheIToperationsmanual.TheIToperationsmanualshouldalsocovertheproceduresandrequirementsforon-siteandoff-sitebackupofdataandsoftwareinboththeproductionanddevelopmentenvironments(i.e.frequency,scopeand

retentionperiodsofback-up)。

Article44.CommercialbanksshouldhaveinplaceaproblemmanagementandprocessingsystemtorespondpromptlytoIToperationsincidents,toescalatereportedincidentstorelevant

ITmanagementstaffandtorecord,analyzeandkeeptracksofalltheseincidentsuntilrectificationoftheincidentswithrootcauseanalysiscompleted.Ahelpdeskfunctionshouldbesetuptoprovidefront-linesupporttousersonalltechnology-relatedproblemsandtodirectthe

problemstorelevantITfunctionsforinvestigationandresolution.

Article45.CommercialbanksshouldestablishservicelevelagreementandassesstheIT

servicelevelstandardattained.

Article46.Commercialbanksshouldimplementaprocesstoensurethattheperformanceofapplicationsystemsiscontinuouslymonitoredandexceptionsarereportedinatimelyandcomprehensivemanner.Theperformancemonitoringprocessshouldincludeforecastingcapabilitytoenableexceptionstobeidentifiedandcorrectedbeforetheyaffectsystem

performance.

Article47.Commercialbanksshouldcarryoutcapacityplantocaterforbusinessgrowthandtransactionincreasesduetochangesofeconomicconditions.Capacityplanshouldbeextendedto

coverback-upsystemsandrelatedfacilitiesinadditiontotheproductionenvironment.Article48.Commercialbanksshouldensurethecontinuedavailabilityoftechnologyrelatedserviceswithtimelymaintenanceandappropriatesystemupgrades.Properrecordkeeping(includingsuspectedandactualfaultsandpreventiveandcorrectivemaintenancerecords)is

necessaryforeffectivefacilityandequipmentmaintenance.

Article49.Commercialbanksshouldhaveaneffectivechangemanagementprocessinplacetoensureintegrityandreliabilityoftheproductionenvironment.Commercialbanksshould

developaformalchangemanagementprocess.ChapterVIIBusinessContinuityManagement

Article50.Commercialbanksshouldhaveinplaceappropriatearrangements,havingregardtothenature,scaleandcomplexityofitsbusiness,toensurethatitcancontinuetofunctionandmeetitsregulatoryobligationsintheeventofanunforeseeninterruption.Thesearrangements

shouldberegularlyupdatedandtestedtoensuretheireffectiveness.

Article51.Commercialbanksshouldconsiderthelikelihoodandimpactofadisruptiontothecontinuityofitsoperationfromunexpectedevents.Thisshouldincludeassessingthe

disruptionstowhichitisparticularlysusceptibleincludingbutnotlimitedto:

(1)Lossoffailureofinternalandexternalresources(suchaspeople,systemsandother

assets);

(2)Thelossorcorruptionofitsinformation;and

(3)Externalevents(suchaswar,earthquake,typhoon,etc)。Article52.Commercialbankshouldacttoreduceboththelikelihoodofdisruptions(includingsystemresilienceanddualprocessing);andtheimpactofdisruptions(includingby

contingencyarrangementsandinsurance)。

Article53.Commercialbankshoulddocumentitsstrategyformaintainingcontinuityofitsoperations,anditsplansforcommunicatingandregularlytestingtheadequacyandeffectiveness

ofthisstrategy.Commercialbankshouldestablish:

(1)Formalbusinesscontinuityplansthatoutlinearrangementstoreducetheimpactofa

short,mediumandlong-termdisruption,including:

a)Resourcerequirementssuchaspeople,systemsandotherassets,andarrangementsfor

obtainingtheseresources;b)Therecoveryprioritiesforthecommercialbanksoperations;and

c)Communicationarrangementsforinternalandexternalconcernedparties(including

CBRC,clientsandthepress);

(2)Escalationandinvocationplansthatoutlinetheprocessesforimplementingthebusiness

continuityplans,togetherwithrelevantcontactinformation;

(3)Processestovalidatetheintegrityofinformationaffectedbythedisruption;(4)Processestoreviewandupdate(1)to(3)followingchangestothecommercial

banksoperationsorriskprofile.

Article54.AfinalBCPplanandanannualdrillresultmustbesignedoffbytheITRisk

management,orinternalauditorandITSteeringCommittee.

ChapterVIIIOutsourcing

Article55.Commercialbankscannotcontractoutitsregulatoryobligationsandshouldtake

reasonablecaretosupervisethedischargeofoutsourcingfunctions.

Article56.Commercialbanksshouldtakeparticularcaretomanagematerialoutsourcingarrangement(suchasoutsourcingofdatacenter,ITinfrastructure,etc.),andshouldnotify

CBRCwhenitintendstoenterintomaterialoutsourcingarrangement.

Article57.Beforeenteringinto,orsignificantlychanging,anoutsourcingarrangement,

thecommercialbankshould:

(1)Analyzehowthearrangementwillfitwithitsorganizationandreportingstructure;businessstrategy;overallriskprofile;andabilitytomeetitsregulatoryobligations;(2)Considerwhetherthearrangementswillallowittomonitorandcontrolitsoperational

riskexposurerelatingtotheoutsourcing;

(3)Conductappropriateduediligenceoftheserviceprovidersfinancialstability,expertiseandriskassessmentoftheserviceprovider,facilitiesandabilitytocoverthepotential

liabilities;

(4)Considerhowitwillensureasmoothtransitionofitsoperationsfromitscurrentarrangementstoaneworchangedoutsourcingarrangement(includingwhatwillhappenonthe

terminationofthecontract);and

(5)Consideranyconcentrationriskimplicationssuchasthebusinesscontinuity

implicationsthatmayariseifasingleserviceproviderisusedbyseveralfirms.

Article58.Innegotiatingitscontractwithaserviceprovider,thecommercialbankshould

haveregardto(butnotlimitedto):

(1)Reportingandnegotiationrequirementsitmaywishtoimposeontheserviceprovider;(2)Whethersufficientaccesswillbeavailabletoitsinternalauditors,externalauditorsand

bankingregulators;

(3)Informationownershiprights,confidentialityagreementsandFirewallstoprotectclient

andotherinformation(includingarrangementsattheterminationofcontract);

(4)Theadequacyofanyguaranteesandindemnities;

(5)Theextenttowhichtheserviceprovidermustcomplywiththecommercialbanks

policesandprocedurescoveringITRisk;

(6)Theextenttowhichtheserviceproviderwillprovidebusinesscontinuityforoutsourced

operations,andwhetherexclusiveaccesstoitsresourcesisagreed;

(7)Theneedforcontinuedavailabilityofsoftwarefollowingdifficultyatathirdparty

supplier;

(8)Theprocessesformakingchangestotheoutsourcingarrangementandtheconditionsunderwhichthecommercialbankorserviceprovidercanchoosetochangeorterminatethe

outsourcingarrangement,suchaswherethereis:

a)Achangeofownershiporcontroloftheserviceproviderorcommercialbank;orb)Significantchangeinthebusinessoperationsoftheserviceproviderorcommercialbank;

or

c)Inadequateprovisionofservicesthatmayleadtothecommercialbankbeingunableto

meetitsregulatoryobligations.

Article59.Inimplementingarelationshipmanagementframework,anddraftingtheservicelevelagreementwiththeserviceprovider,thecommercialbankshouldhaveregardedto(but

notlimitedto):

(1)Theidentificationofqualitativeandquantitativeperformancetargetstoassesstheadequacyofserviceprovision,toboththecommercialbankanditsclients,whereappropriate;(2)Theevaluationofperformancethroughservicedeliveryreportsandperiodicself

assessmentandindependentreviewbyinternalorexternalauditors;and

(3)Remediationactionandescalationprocessfordealingwithinadequateperformance.Article60.ThecommercialbankshouldenhanceITrelatedoutsourcingmanagement,inplacefollowing(notlimitedto)measurestoensuredatasecurityofsensitiveinformationsuch

ascustomerinformation:

(1)Effectivelyseparatedfromothercustomerinformationoftheserviceprovider;(2)Therelatedstaffofserviceprovidershouldbeauthorizedon“needtoknow”and

“minimumauthorization”basis;(3)Ensureserviceproviderguaranteeitsstaffformeetingtheconfidentialrequests;(4)Alloutsourcingarrangementsrelatedtocustomerinformationshouldbeidentifiedas

materialoutsourcingarrangementsandthecustomersshouldbenotified;

(5)Strictlymonitorre-outsourcingactionsoftheserviceprovider,andimplement

adequatecontrolmeasurestoensureinformationsecurityofthebank;

(6)Ensureallrelatedsensitiveinformationberefundedordeletedfromtheservice

providersstoragewhenterminatingtheoutsourcingarrangement.

Article61.Thecommercialbankshouldensurethatithasappropriatecontingencyintheeventofasignificantlossofservicesfromtheserviceprovider.Particularissuestoconsiderincludeasignificantlossofresources,turnoverofkeystaff,orfinancialfailureof,theservice

provider,andunexpectedterminationoftheoutsourcingagreement.

Article62.AlloutsourcingcontractsmustbereviewedorsignedoffbyITRiskmanagement,internalITauditors,legaldepartmentandITSteeringCommittee.Thereshouldbeaprocessto

periodicallyreviewandrefinetheservicelevelagreements.

ChapterIXInternalAudit

Article63.Dependingonthenature,scaleandcomplexityofitsbusiness,itmaybe

appropriateforthecommercialbankstodelegatemuchofthetaskofmonitoringtheappropriatenessandeffectivenessofitssystemsandcontrolstoaninternalauditfunction.Aninternalauditfunctionshouldbeadequatelyresourcedandstaffedbycompetentindividuals,beindependentoftheday-to-dayactivitiesofthecommercialbankandhaveappropriateaccesstothe

banksrecords.

Article64.TheresponsibilitiesoftheinternalITauditfunctionare:

(1)Toestablish,implementandmaintainanauditplantoexamineandevaluatethe

adequacyandeffectivenessofthebankssystemsandinternalcontrolmechanismsand

arrangements;

(2)Toissuerecommendationsbasedontheresultofworkcarriedoutinaccordancewith1;

(3)Toverifycompliancewiththoserecommendations;

(4)Tocarryoutspecialauditoninformationtechnology.Theterm“specialaudit”ofinformationtechnologyreferstotheinvestigation,analysisandassessmentonthesecurityincidentsoftheinformationsystem,ortheauditperformedonaspecialsubjectbasedonITrisk

assessmentresultasdeemednecessarybytheauditdepartment.

Article65.Basedonthenature,scaleandcomplexityofitsbusiness,deploymentofinformationtechnologyandITriskassessment,commercialbankscoulddeterminethescopeandfrequencyofITinternalaudit.However,acomprehensiveITinternalauditshallbeperformedat

aminimumonceevery3years.

Article66.CommercialbanksshouldengageitsinternalauditdepartmentandITRiskmanagementdepartmentwhenimplementingsystemdevelopmentofsignificantsizeandscaleto

ensureitmeetstheITRiskstandardsoftheCommercialbanks.

ChapterXExternalAudit

Article67.Theexternalinformationtechnologyauditofcommercialbankscanbecarriedout

bycertifiedserviceprovidersinaccordancewithlaws,rulesandregulations.Article68.ThecommercialbankshouldensureITauditserviceprovidertoreviewandexaminebankshardware,software,documentationanddatatoidentifyITriskwhentheyare

commissionedtoperformtheaudit.Vitalcommercialandtechnicalinformationwhichis

protectedbynationallawsandregulationsshouldnotbereviewed.

Article69.Commercialbankshouldcommunicatewiththeserviceproviderindepthbeforetheaudittodetermineauditscope,andshouldnotwithholdthetruthordonotcorporatewiththe

serviceproviderintentionally.

Article70.CBRCanditslocalofficescoulddesignatecertifiedserviceproviderstocarryout

ITauditorrelatedreviewoncommercialbankswhenneeded.Whencarryingoutauditoncommercialbanks,ascommissionedorauthorizedbyCBRCoritslocaloffices,theserviceprovidersshallpresenttheletterofauthority,andcarryouttheauditinaccordancetothescope

prescribedintheletterofauthority.

Article71.OncetheITauditreportproducedbytheserviceprovidersisreviewedandapprovedbyCBRCoritslocaloffices,thereportwillhavethesamelegalstatusasifitisproducedbytheCBRCitself.Commercialbanksshouldcomeupwithacorrectionactionplanprescribedinthereportandimplementthecorrectiveactionsaccordingtothetimeframe.Article72.CommercialbanksshouldensuretheserviceproviderstostrictlycomplywithlawsandregulationstokeepconfidentialanddatasecurityofanycommercialsecretsandprivateinformationlearntandITriskinformationwhenconductingtheaudit.Theserviceprovidershould

notmodifycopyortakeawayanydocumentsprovidedbythecommercialbanks.

ChapterXISupplementaryProvisions

Article73.Commercialbankswithnoboardofdirectorsshouldhavetheiroperatingdecision-makingbodiesperformtheresponsibilitiesoftheboardwithregardtoITrisk

managementspecifiedherein.

Article74.TheChinaBankingRegulatoryCommissionsupervisesandregulatestheITrisk

managementofcommercialbanksunderitsauthoritybylaw.Article75.ThepowerofinterpretationandmodificationoftheGuidelinesshallrestwiththe

ChinaBankingRegulatoryCommission.

Article76.TheGuidelinesshallbecomeeffectiveasofthedateofitsissuanceandtheformer

GuidelinesontheRiskManagementofBankingInstitutionsInformationSystemsshallbe

revokedatthesametime.

中國(guó)銀行業(yè)監(jiān)督管理委員會(huì)

友情提示:本文中關(guān)于《商業(yè)銀行突圍科技風(fēng)險(xiǎn)管理初級(jí)階段》給出的范例僅供您參考拓展思維使用,商業(yè)銀行突圍科技風(fēng)險(xiǎn)管理初級(jí)階段:該篇文章建議您自主創(chuàng)作。

來(lái)源:網(wǎng)絡(luò)整理 免責(zé)聲明:本文僅限學(xué)習(xí)分享,如產(chǎn)生版權(quán)問(wèn)題,請(qǐng)聯(lián)系我們及時(shí)刪除。


商業(yè)銀行突圍科技風(fēng)險(xiǎn)管理初級(jí)階段》由互聯(lián)網(wǎng)用戶整理提供,轉(zhuǎn)載分享請(qǐng)保留原作者信息,謝謝!
鏈接地址:http://m.hmlawpc.com/gongwen/655340.html