商業(yè)銀行突圍科技風(fēng)險(xiǎn)管理初級階段

商業(yè)銀行突圍科技風(fēng)險(xiǎn)管理初級階段

銀監(jiān)會(huì)新《指引》頒布1周年記

雖然人們對全面開放金融市場后內(nèi)資銀行的競爭力的擔(dān)憂，因?yàn)橥赓Y銀行在世界金融危機(jī)中受到重創(chuàng)而沒有成為現(xiàn)實(shí)。內(nèi)資銀行反倒在此漲彼消中身價(jià)倍增，躋身世界前列，甚至名列前茅。但隨著金融危機(jī)的陰霾逐漸散去，世界金融巨頭開始“咸魚翻身”，可以預(yù)見國內(nèi)金融市場的競爭將更加激烈。在風(fēng)險(xiǎn)管理方面“先天不足”的內(nèi)資銀行如果想要保持目前的地位，則必需補(bǔ)上風(fēng)險(xiǎn)管理（包括信息科技風(fēng)險(xiǎn)管理）這一課。

在銀監(jiān)會(huì)頒布《商業(yè)銀行信息科技風(fēng)險(xiǎn)管理指引》1周年之際，記者愿意與您一起關(guān)注銀行信息科技風(fēng)險(xiǎn)管理的總體情況和存在的難題，關(guān)注迅速崛起的中小銀行如何在信息化建設(shè)的同時(shí)兼顧風(fēng)險(xiǎn)管理，關(guān)注規(guī)模巨大而“失去了模子”的大型銀行如何構(gòu)建“特色”的信息科技風(fēng)險(xiǎn)管理體系。

銀監(jiān)會(huì)：加強(qiáng)監(jiān)管促提高

201*年8月7日，銀監(jiān)會(huì)頒布了《銀行業(yè)金融機(jī)構(gòu)信息系統(tǒng)風(fēng)險(xiǎn)管理指引》（以下簡稱“原《指引》”），對銀行業(yè)金融機(jī)構(gòu)的信息系統(tǒng)風(fēng)險(xiǎn)管理提出了基本的、原則性的要求，填補(bǔ)了我國銀行業(yè)信息系統(tǒng)監(jiān)管領(lǐng)域的空白。從實(shí)施效果來看，很多銀行在信息系統(tǒng)風(fēng)險(xiǎn)防范方面取得了長足進(jìn)步。

然而，銀行業(yè)信息化發(fā)展非常迅速，信息科技的作用從業(yè)務(wù)支持逐步走向與業(yè)務(wù)的融合，成為銀行穩(wěn)健運(yùn)營和發(fā)展的支柱，同時(shí)科技由分散走向集中也讓銀行的科技風(fēng)險(xiǎn)進(jìn)一步積聚。這讓銀監(jiān)會(huì)意識(shí)到，原《指引》已難以滿足商業(yè)銀行信息科技風(fēng)險(xiǎn)管理的需要，必須制訂高標(biāo)準(zhǔn)、高要求，且更加全面、系統(tǒng)、可操作的指引。于是，在原《指引》頒布后不久，銀監(jiān)會(huì)即開始廣泛征求銀行業(yè)金融機(jī)構(gòu)的意見，并參照國際經(jīng)驗(yàn)對原《指引》進(jìn)行細(xì)化、深化和充實(shí)。201*年3月3日，銀監(jiān)會(huì)歷時(shí)1年多制定的《商業(yè)銀行信息科技風(fēng)險(xiǎn)管理指引》（以下簡稱“新《指引》”）正式頒布實(shí)施，原《指引》同時(shí)廢止。與此同時(shí)，銀監(jiān)會(huì)還組織銀監(jiān)系統(tǒng)的眾多技術(shù)骨干編寫了《商業(yè)銀行信息科技風(fēng)險(xiǎn)現(xiàn)場檢查指南》、《銀行業(yè)金融機(jī)構(gòu)重要信息系統(tǒng)投產(chǎn)及變更管理辦法》、《商業(yè)銀行數(shù)據(jù)中心監(jiān)管指引》等配套手冊和制度。此后，圍繞新《指引》和有關(guān)監(jiān)管要求而進(jìn)行的自查、檢查、整改、提高在全國商業(yè)銀行系統(tǒng)內(nèi)拉開了序幕，并將持續(xù)深入進(jìn)行。

據(jù)了解，201*年，銀監(jiān)會(huì)及其分支機(jī)構(gòu)對近百家國內(nèi)銀行業(yè)金融機(jī)構(gòu)開展了信息科技風(fēng)險(xiǎn)現(xiàn)場檢查，重點(diǎn)對主要風(fēng)險(xiǎn)點(diǎn)和相關(guān)的管理環(huán)節(jié)進(jìn)行了徹底檢查，以促進(jìn)銀行業(yè)金融機(jī)構(gòu)將信息科技風(fēng)險(xiǎn)管理納入銀行的總體風(fēng)險(xiǎn)管理框架中。針對現(xiàn)場檢查中發(fā)現(xiàn)的重大風(fēng)險(xiǎn)隱患和實(shí)際發(fā)生的重大信息科技事故，銀監(jiān)會(huì)通過下發(fā)風(fēng)險(xiǎn)提示的形式向全國銀行業(yè)金融機(jī)構(gòu)進(jìn)行了通報(bào)并提出了相應(yīng)的管理要求。

某省銀監(jiān)局一位不愿意透露姓名的知情人士說：“從現(xiàn)場檢查的情況來看，無論是大型商業(yè)銀行還是中小型商業(yè)銀行，都存在不同程度的信息科技風(fēng)險(xiǎn)，人員、制度、流程都存在一些問題，特別是有些銀行高管層的IT治理意識(shí)比較薄弱，對信息科技風(fēng)險(xiǎn)管理重視不夠。不過，可喜的是，通過貫徹落實(shí)新《指引》，一些銀行已經(jīng)開展了全面的信息科技風(fēng)險(xiǎn)評估，并制定了長遠(yuǎn)的發(fā)展規(guī)劃，管理力度明顯加大�！�

從近1年來新《指引》的落實(shí)情況來看，成效是顯而易見的。

首先，信息科技治理開始引起重視。公開的資料顯示，一些銀行已經(jīng)設(shè)立了信息科技管理委員會(huì)、首席信息官或功能類似的部門，其中有些是原來就設(shè)有的，有些則是按新《指引》的要求設(shè)立的。例如，中國工商銀行的信息科技管理委員會(huì)，中國農(nóng)業(yè)銀行的電子化建設(shè)委員會(huì)，招商銀行的信息規(guī)劃委員會(huì)，中信銀行的信息技術(shù)委員會(huì)，華夏銀行的科技與創(chuàng)新委員會(huì)，渤海銀行的資訊科技委員會(huì)；交通銀行、華夏銀行、渤海銀行、吉林銀行等設(shè)立了首席信息官。同時(shí)，一些銀行還明確了風(fēng)險(xiǎn)管理部門和審計(jì)部門的信息科技風(fēng)險(xiǎn)管理職責(zé)。

其次，災(zāi)備體系建設(shè)取得新進(jìn)展。大型銀行進(jìn)一步完善了同城和異地災(zāi)備中心建設(shè)，初步實(shí)現(xiàn)了同城中心間業(yè)務(wù)處理的切換和接管，基本建成全面的災(zāi)備體系。一些中小銀行也建成了同城災(zāi)備中心，實(shí)現(xiàn)了重要信息系統(tǒng)的切換和接管，并開始著手建設(shè)異地災(zāi)備中心。此外，一些外資銀行的生產(chǎn)中心和災(zāi)備中心也相繼落成。

再次，應(yīng)急管理體系不斷完善。銀行應(yīng)急預(yù)案更加完善，應(yīng)急演練更加注重規(guī)范性、真實(shí)性和非計(jì)劃性，災(zāi)難恢復(fù)演練范圍也從核心業(yè)務(wù)系統(tǒng)、信用卡等重要信息系統(tǒng)擴(kuò)大到網(wǎng)銀、自助業(yè)務(wù)災(zāi)難恢復(fù)處理，應(yīng)急管理水平進(jìn)一步提高。

據(jù)銀監(jiān)會(huì)信息中心信息科技風(fēng)險(xiǎn)監(jiān)管處陳文雄處長介紹，銀監(jiān)會(huì)預(yù)計(jì)用3年時(shí)間，按照屬地監(jiān)管的原則，對全國的商業(yè)銀行按照新《指引》進(jìn)行一遍現(xiàn)場檢查，具體檢查信息科技風(fēng)險(xiǎn)管理狀況，以推動(dòng)我國銀行業(yè)信息科技風(fēng)險(xiǎn)防控水平不斷提高。

中小銀行：“魚”與“熊掌”能兼得

201*年的6月和7月，各商業(yè)銀行按照新《指引》的要求相繼完成了第一次的自查，其中有些銀行是由內(nèi)部風(fēng)險(xiǎn)管理和審計(jì)部門獨(dú)立完成的，也有部分的銀行請外部的公司協(xié)助完成的，并結(jié)合自身的實(shí)際情況進(jìn)行了整改。

“收到銀監(jiān)會(huì)下發(fā)的新《指引》后，我們做的第一項(xiàng)工作就是召集科技、風(fēng)險(xiǎn)、審計(jì)等部門的業(yè)務(wù)骨干認(rèn)真研究和部署相關(guān)工作，并按要求進(jìn)行了認(rèn)真的整改�！蹦吵巧绦行畔⒖萍疾控�(fù)責(zé)人向記者表示，“為了使員工掌握信息科技風(fēng)險(xiǎn)防控知識(shí)，培養(yǎng)信息科技風(fēng)險(xiǎn)管理意識(shí)，提高管理水平，我們還特別邀請外部咨詢公司的專家對相關(guān)人員等進(jìn)行了嚴(yán)格的培訓(xùn)，并補(bǔ)充了信息科技風(fēng)險(xiǎn)審計(jì)人員�！�

在科技建設(shè)和風(fēng)險(xiǎn)管理的雙重壓力下，一些中小銀行演繹了一場“魚”與“熊掌”兼得的“好戲”。其中，吉林銀行從戰(zhàn)略和信息科技治理入手，制定科技發(fā)展規(guī)劃，重點(diǎn)防控主要風(fēng)險(xiǎn)點(diǎn)的做法值得借鑒。

吉林銀行成立于201*年10月，是由長春市商業(yè)銀行更名為吉林銀行，并吸收合并吉林市商業(yè)銀行及若干城信社而設(shè)立的股份制商業(yè)銀行。在“科技先行”的科技戰(zhàn)略和“整體外包”的信息化策略指導(dǎo)下，在2年多的時(shí)間里，吉林銀行的信息化建設(shè)快速發(fā)展，完成了數(shù)據(jù)大集中及眾多信息系統(tǒng)建設(shè)，在只有45名科技人員的情況下創(chuàng)造了同時(shí)管理近70個(gè)項(xiàng)目的“奇跡”，實(shí)現(xiàn)了科技由制約業(yè)務(wù)發(fā)展、與業(yè)務(wù)同步發(fā)展向引領(lǐng)業(yè)務(wù)發(fā)展的飛躍，而且從未出現(xiàn)大的紕漏和安全事故。

據(jù)吉林銀行信息科技部總經(jīng)理李貴賓介紹，在高層領(lǐng)導(dǎo)的重視下，吉林銀行已經(jīng)建立了比較完善的信息科技治理結(jié)構(gòu)：明確了董事會(huì)、監(jiān)事會(huì)、相關(guān)業(yè)務(wù)部門及科技部門的職責(zé)分工（包括匯報(bào)路線）；成立了以行長為組長的“吉林銀行信息科技工作領(lǐng)導(dǎo)小組”，主要負(fù)責(zé)全行的信息科技資源整合，以及當(dāng)前信息系統(tǒng)運(yùn)營的風(fēng)險(xiǎn)控制等；設(shè)立了首席信息官，直接向行長匯報(bào)工作；風(fēng)險(xiǎn)管理部和審計(jì)部也設(shè)立了專門的信息科技風(fēng)險(xiǎn)管理和信息科技審計(jì)崗位；信息科技部則負(fù)責(zé)規(guī)范和執(zhí)行日常的項(xiàng)目管理、運(yùn)行管理等。同時(shí)，吉林銀行還制定了符合業(yè)務(wù)發(fā)展的科技發(fā)展規(guī)劃，并重點(diǎn)加強(qiáng)了項(xiàng)目的管理和外包風(fēng)險(xiǎn)的控制。

另據(jù)了解，某全國性股份制商業(yè)銀行在按新《指引》的要求完善信息科技管理的同時(shí)，啟動(dòng)了一個(gè)加強(qiáng)信息科技風(fēng)險(xiǎn)管理的項(xiàng)目，希望以科技手段提高信息科技風(fēng)險(xiǎn)管理的效率，準(zhǔn)確識(shí)別、計(jì)量、監(jiān)測和控制風(fēng)險(xiǎn)，并將信息科技風(fēng)險(xiǎn)管理融入到銀行整體風(fēng)險(xiǎn)管理中去，構(gòu)筑高效、立體的銀行風(fēng)險(xiǎn)管理體系。

大型銀行：探索特色科技風(fēng)險(xiǎn)管理

目前，國內(nèi)一些大型銀行無論是規(guī)模還是盈利能力都已經(jīng)走在世界前列，其用戶數(shù)量和IT規(guī)模同樣如此，并處于快速發(fā)展之中。而隨著國內(nèi)大型銀行國際化戰(zhàn)略的實(shí)施，其規(guī)模還將進(jìn)一步擴(kuò)大。

在快速發(fā)展過程中，大型銀行或多或少都發(fā)生過一些事故甚至是影響全國的大事故，其信息科技風(fēng)險(xiǎn)管理也都存在事故推動(dòng)的痕跡。與國外大型銀行相比，國內(nèi)大型銀行在信息科技管理方面還存在較大的差距。

但是，經(jīng)過多年的發(fā)展，國內(nèi)大型銀行已逐步認(rèn)識(shí)到信息科技風(fēng)險(xiǎn)管理的重要性，普遍引入ITIL，ISO201*0，ISO27001，COBIT，CMM等國際標(biāo)準(zhǔn)和最佳實(shí)踐，管理水平有了較大的提升，并正邁向標(biāo)準(zhǔn)化、規(guī)范化、精細(xì)化的信息科技管理。

新《指引》頒布實(shí)施后，大型銀行在原來相對完善的信息科技風(fēng)險(xiǎn)管理體系基礎(chǔ)上，進(jìn)一步改進(jìn)了其信息科技風(fēng)險(xiǎn)管理：設(shè)立了專門的信息科技管理委員會(huì)；完善了相關(guān)制度、標(biāo)準(zhǔn)和流程；加強(qiáng)信息科技風(fēng)險(xiǎn)評估和內(nèi)外部審計(jì)，等等。特別是國內(nèi)銀行業(yè)信息化程度最高的中國工商銀行并沒有因?yàn)楣芾硭�平較高而有所懈怠，而是積極響應(yīng)新《指引》，在大型銀行中率先設(shè)立了信息科技管理委員會(huì)，專門負(fù)責(zé)對信息科技發(fā)展戰(zhàn)略和年度計(jì)劃，信息科技重大工程建設(shè)及信息科技風(fēng)險(xiǎn)管理、信息安全管理等重大決策事項(xiàng)進(jìn)行管理。并將加強(qiáng)信息科技治理和完成“兩地三中心”建設(shè)等。

在國內(nèi)，中國工商銀行是最早旗幟鮮明地以“科技引領(lǐng)”為科技戰(zhàn)略、以“自主創(chuàng)新”為信息化策略的銀行之一，其信息科技建設(shè)和管理都走在國內(nèi)同業(yè)前面，并深受同業(yè)肯定和褒揚(yáng)，成為國內(nèi)眾多銀行紛紛仿效的對象。

在科技隊(duì)伍建設(shè)方面，全行的科技人員超過11000人，其中總行直管的科技人員達(dá)4500人。在知識(shí)產(chǎn)權(quán)保護(hù)方面，目前已擁有的專利數(shù)量近百項(xiàng)，國內(nèi)同業(yè)占比第一。

在組織體系方面，建成了適應(yīng)全行統(tǒng)一經(jīng)營管理要求的集約化的科技組織體系，總行層面形成管理、研發(fā)、運(yùn)行分工協(xié)作的科技體系，分行則負(fù)責(zé)特色應(yīng)用開發(fā)、總行系統(tǒng)推廣、運(yùn)行管理、市場支持等科技工作。

在制度和標(biāo)準(zhǔn)規(guī)范建設(shè)方面，建成了包括運(yùn)行管理、項(xiàng)目管理、綜合管理在內(nèi)的三大類制度，內(nèi)容涵蓋了信息系統(tǒng)生產(chǎn)運(yùn)行、應(yīng)用開發(fā)和測試、科技綜合管理等各個(gè)工作環(huán)節(jié)；制定發(fā)布了涉及信息安全、系統(tǒng)、應(yīng)用、網(wǎng)絡(luò)、設(shè)備和機(jī)房等6大類、71項(xiàng)技術(shù)規(guī)范。

可以說，中國工商銀行在信息科技建設(shè)和管理的很多方面都獨(dú)樹一幟，特色鮮明。此外，一些大型銀行已經(jīng)開始重視信息科技治理文化的形成，探索建設(shè)融合西方管理標(biāo)準(zhǔn)與最佳實(shí)踐，以及國內(nèi)文化和本行實(shí)際情況的信息科技風(fēng)險(xiǎn)管理體系。

多方合力：突圍科技風(fēng)險(xiǎn)管理初級階段

風(fēng)險(xiǎn)管理一直都是國內(nèi)銀行業(yè)金融機(jī)構(gòu)的弱項(xiàng)，信息科技風(fēng)險(xiǎn)管理也不例外。

陳文雄認(rèn)為，目前國內(nèi)銀行業(yè)金融機(jī)構(gòu)在信息科技風(fēng)險(xiǎn)管理上整體處于初級階段。雖然部分銀行的信息科技風(fēng)險(xiǎn)管理工作做得比較好，但總體上“信息科技管理”、“信息科技風(fēng)險(xiǎn)管理”、“信息科技風(fēng)險(xiǎn)審計(jì)”三道防線都沒有建立起來，沒有形成立體屏障，尤其是在IT治理、風(fēng)險(xiǎn)管理等方面還存在不足。雖然新《指引》的貫徹落實(shí)在很大程度上促進(jìn)了國內(nèi)銀行業(yè)金融機(jī)構(gòu)的信息科技風(fēng)險(xiǎn)管理，但在實(shí)踐過程中，也遇到了一些亟待解決的問題。

一是差異化監(jiān)管的問題。雖然新《指引》在適用范圍上體現(xiàn)了差異化監(jiān)管的思想，但由于目前國內(nèi)銀行之間差異極大，即使同是法人商業(yè)銀行之間的信息科技建設(shè)和管理水平也存在巨大的差距，若要求那些實(shí)力較小的城商行也嚴(yán)格按照新《指引》進(jìn)行信息科技風(fēng)險(xiǎn)管理，目前還存在非常多的客觀困難。如果要實(shí)行進(jìn)一步的差異化監(jiān)管，那又應(yīng)該如何實(shí)施呢？

二是監(jiān)管力度大小問題。由于銀行的影響力大小不同，同樣的系統(tǒng)故障對社會(huì)的影響差異也很大，大銀行可能影響全國，城商行則只影響某一個(gè)城市。此外，信息科技風(fēng)險(xiǎn)管理內(nèi)容非常多，對不同內(nèi)容的重要性如何判斷，對不同銀行、不同內(nèi)容的監(jiān)管力度如何確定，輕重緩急如何呢？三是銀行達(dá)標(biāo)時(shí)間問題。目前，無論是大型銀行還是中小銀行，其信息科技風(fēng)險(xiǎn)管理都與新《指引》的要求存在不同程度的差距，尤其是IT治理方面幾乎沒有銀行能夠達(dá)標(biāo)，比如設(shè)立信息科技管理委員會(huì)、首席信息官等。那么，銀監(jiān)會(huì)是否應(yīng)該對不同的銀行和不同的內(nèi)容設(shè)立一個(gè)達(dá)標(biāo)時(shí)間表呢？

銀監(jiān)會(huì)信息中心主任吳躍撰文表示，銀監(jiān)會(huì)將進(jìn)一步推進(jìn)信息科技治理和非現(xiàn)場監(jiān)管工作，加強(qiáng)準(zhǔn)入環(huán)節(jié)信息科技風(fēng)險(xiǎn)和外包風(fēng)險(xiǎn)管理，不斷提高信息科技風(fēng)險(xiǎn)現(xiàn)場檢查的有效性。在信息科技風(fēng)險(xiǎn)管理上，銀監(jiān)會(huì)只是外因，銀行信息科技風(fēng)險(xiǎn)管理水平的提高主要還要靠銀行自身的努力。

而以目前的情況來看，銀行要解決的首要問題是高層領(lǐng)導(dǎo)對信息科技風(fēng)險(xiǎn)管理的重要性認(rèn)識(shí)問題，并從信息科技治理入手，自上而下地推動(dòng)信息科技風(fēng)險(xiǎn)管理，確保銀行持續(xù)、安全、穩(wěn)定運(yùn)行。

擴(kuò)展閱讀：商業(yè)銀行信息科技風(fēng)險(xiǎn)管理指引(EN)

商業(yè)銀行信息科技風(fēng)險(xiǎn)管理指引（英文版）

201*-6-110:20【大中小】【我要糾錯(cuò)】發(fā)文單位：中國銀行業(yè)監(jiān)督管理委員會(huì)

發(fā)布日期：201*-6-1執(zhí)行日期：201*-6-1ChapterIGeneralProvisions

Article1.PursuanttotheLawofthePeoplesRepublicofChinaonBankingRegulationandSupervision，theLawofthePeople"sRepublicofChinaonCommercialBanks，theRegulationsofthePeoplesRepublicofChinaonAdministrationofForeign-fundedBanks，andotherapplicablelawsandregulations，theGuidelinesontheRiskManagementofCommercialBanksInformationTechnology（hereinafterreferredtoastheGuidelines）isformulated.Article2.TheGuidelinesapplytoallthecommercialbankslegallyincorporatedwithinthe

territoryofthePeoplesRepublicofChina.

TheGuidelinesmayapplytootherbankinginstitutionsincludingpolicybanks，ruralcooperativebanks，urbancreditcooperatives，ruralcreditcooperatives，villagebanks，loancompanies，financialassetmanagementcompanies，trustandinvestmentcompanies，financefirms，financialleasingcompanies，automobilefinancialcompaniesandmoneybrokers.Article3.Theterm“informationtechnology”statedintheGuidelinesshallrefertothesystembuiltwithcomputer，communicationandsoftwaretechnologies，andemployedbycommercialbankstohandlebusinesstransactions，operationmanagement，andinternalcommunication，collaborativeworkandcontrols.ThetermalsoincludeITgovernance，IT

organizationstructureandITpoliciesandprocedures.

Article4.Theriskofinformationtechnologyreferstotheoperationalrisk，legalriskandreputationriskthatarecausedbynaturalfactor，humanfactor，technologicalloopholesor

managementdeficiencieswhenusinginformationtechnology.

Article5.Theobjectiveofinformationsystemriskmanagementistoestablishaneffectivemechanismthatcanidentify，measure，monitor，andcontroltherisksofcommercialbanksinformationsystem，ensuredataintegrity，availability，confidentialityandconsistency，providetherelevantearlywarning，andtherebyenablecommercialbanksbusinessinnovations，uplifttheircapabilityinutilizinginformationtechnology，improvetheircorecompetitivenessand

capacityforsustainabledevelopment.ChapterIIITgovernance

Article6.Thelegalrepresentativeofcommercialbankshouldberesponsibletoensure

complianceofthisguideline.Article7.Theboardofdirectorsofcommercialbanksshouldhavethefollowing

responsibilitieswithrespecttothemanagementofinformationsystems：

（1）Implementingandcomplyingwiththenationallaws，regulationsandtechnicalstandardspertainingtothemanagementofinformationsystems，aswellastheregulatoryrequirementssetbytheChinaBankingRegulatoryCommission（hereinafterreferredtoasthe

“CBRC”）；

（2）PeriodicallyreviewingthealignmentofITstrategywiththeoverallbusinessstrategiesandsignificantpoliciesofthebank，assessingtheoveralleffectivenessandefficiencyoftheIT

organization.

（3）ApprovingITriskmanagementstrategiesandpolicies，understandingthemajorITrisksinvolved，settingacceptablelevelsfortheserisks，andensuringtheimplementationofthe

measuresnecessarytoidentify，measure，monitorandcontroltheserisks.

（4）Settinghighethicalandintegritystandards，andestablishingaculturewithinthebankthatemphasizesanddemonstratestoalllevelsofpersonneltheimportanceofITriskmanagement.（5）EstablishinganITsteeringcommitteewhichconsistsofrepresentativesfromseniormanagement，theITorganization，andmajorbusinessunits，tooverseetheseresponsibilitiesandreporttheeffectivenessofstrategicITplanning，theITbudgetandactualexpenditure，and

theoverallITperformancetotheboardofdirectorsandseniormanagementperiodically.（6）EstablishingITgovernancestructure，propersegregationofduty，clearroleandresponsibility，maintainingcheckandbalancesandclearreportingrelationship.StrengtheningIT

professionalstaffbydevelopingincentiveprogram.

（7）EnsuringthatthereisaneffectiveinternalauditoftheITriskmanagementcarriedoutbyoperationallyindependent，well-trainedandqualifiedstaff.Theinternalauditreportshouldbe

submitteddirectlytotheITauditcommittee；

（8）SubmittinganannualreporttotheCBRCanditslocalofficesoninformationsystem

riskmanagementthathasbeenreviewedandapprovedbytheboardofdirectors；（9）EnsuringtheappropriatingfundingnecessaryforITriskmanagementworks；（10）EnsuringthatallemployeesofthebankfullyunderstandandadheretotheITrisk

managementpoliciesandproceduresapprovedbytheboardofdirectorsandthesenior

management，andareprovidedwithpertinenttraining.

（11）Ensuringcustomerinformation，financialinformation，productinformationandcorebankingsystemofthelegalentityareheldindependentlywithintheterritory，andcomplyingwiththeregulatoryon-siteexaminationrequirementsofCBRCandguardingagainstcross-border

risk.（12）ReportinginatimelymannertotheCBRCanditslocalofficesanyseriousincidentofinformationsystemsorunexpectedevent，andquicklyrespondtoitinaccordancewiththe

contingencyplan；

（13）CooperatingwiththeCBRCanditslocalofficesinthesupervisoryinspectionoftheriskmanagementofinformationsystems，andensurethatsupervisoryopinionsarefollowedup；

and

（14）PerformingotherrelatedITriskmanagementtasks.

Article8.TheheadoftheITorganization，commonlyknownastheChiefInformationOfficer（CIO）shouldreportdirectlytothepresident.RolesandresponsibilitiesoftheCIO

shouldincludethefollowing：

（1）Playingadirectroleinkeydecisionsforthebusinessdevelopmentinvolvingtheuseof

ITinthebank；

（2）TheCIOshouldensurethatinformationsystemsmeettheneedsofthebank，andITstrategies，inparticularinformationsystemdevelopmentstrategies，complywiththeoverall

businessstrategiesandITriskmanagementpoliciesofthebank；

（3）TheCIOshouldalsoberesponsiblefortheestablishmentofaneffectiveandefficientIT

organizationtocarryouttheITfunctionsofthebank.TheseincludetheITbudgetandexpenditure，ITriskmanagement，ITpolicies，standardsandprocedures，ITinternalcontrols，professionaldevelopment，ITprojectinitiatives，ITprojectmanagement，informationsystemmaintenanceandupgrade，IToperations，ITinfrastructure，Informationsecurity，disaster

recoveryplan（DRP），IToutsourcing，andinformationsystemretirement；（4）EnsuringtheeffectivenessofITriskmanagementthroughouttheorganizationincluding

allbranches.

（5）Organizingprofessionaltrainingstoimprovetechnicalproficiencyofstaff.

（6）PerformingotherrelatedITriskmanagementtasks.

Article9.CommercialbanksshouldensurethatacleardefinitionoftheITorganizationstructureanddocumentationofalljobdescriptionsofimportantpositionsarealwaysinplaceand

updatedinatimelymanner.Staffineachpositionshouldmeetrelevantrequirementsonprofessionalskillsandknowledge.Thefollowingriskmitigationmeasuresshouldbeincorporated

inthemanagementprogramofrelatedstaff：

（1）Verificationofpersonalinformationincludingconfirmationofpersonalidentificationissuedbygovernment，academiccredentials，priorworkexperience，professionalqualifications；（2）EnsuringthatITstaffcanmeettherequiredprofessionalethicsbycheckingcharacter

reference；（3）SigningofagreementswithemployeesaboutunderstandingofITpoliciesandguidelines，non-disclosureofconfidentialinformation，authorizeduseofinformationsystems，

andadherencetoITpoliciesandprocedures；and

（4）EvaluationoftheriskoflosingkeyITpersonnel，especiallyduringmajorITdevelopmentstageorinaperiodofunstableIToperations，andtherelevantriskmitigation

measuressuchasstaffbackuparrangementandstaffsuccessionplan.

Article10.CommercialbanksshouldestablishordesignateaparticulardepartmentforITriskmanagement.ItshouldreportdirectlytotheCIOandtheChiefRiskOfficer（orriskmanagementcommittee），serveasamemberoftheITincidentresponseteam，andberesponsibleforcoordinatingtheestablishmentofpoliciesregardingITriskmanagement，especiallytheareasofinformationsecurity，BCP，andcompliancewiththeCBRCregulations，advisingthebusinessdepartmentsandITdepartmentinimplementingthesepolicies，providingrelevantcomplianceinformation，conductingon-goingassessmentofITrisks，andensuringthefollow-upofremediationadvice，monitoringandescalatingmanagementofITthreatsand

non-complianceevents.

Article11.CommercialbanksshouldestablishaspecialITauditroleandresponsibilitywithininternalauditfunction，whichshouldputinplaceITauditpoliciesandprocedures，

developandexecuteITauditplan.

Article12.Commercialbanksshouldputinplacepoliciesandprocedurestoprotectintellectualpropertyrightsaccordingtolawsregardingintellectualproperties，ensurepurchaseoflegitimatesoftwareandhardware，preventionoftheuseofpiratedsoftware，andtheprotectionoftheproprietaryrightsofITproductsdevelopedbythebank，andensurethatthesearefully

understoodandcompliedbyallemployees.

Article13.Commercialbanksshould，inaccordancewithrelevantlawsandregulations，

disclosetheriskprofileoftheirITnormativelyandtimely.

ChapterIIIITRiskManagement

Article14.CommercialbanksshouldformulateanITstrategythatalignswiththeoverallbusinessplanofthebank，ITriskassessmentplanandanIToperationalplanthatcanensureadequatefinancialresourcesandhumanresourcestomaintainastableandsecureITenvironment.

Article15.CommercialbanksshouldputinplaceacomprehensivesetofITrisk

managementpoliciesthatincludethefollowingareas：（1）Informationsecurityclassificationpolicy（2）Systemdevelopment，testingandmaintenancepolicy

（3）IToperationandmaintenancepolicy

（4）Accesscontrolpolicy（5）Physicalsecuritypolicy（6）Personnelsecuritypolicy

（7）BusinessContinuityPlanningandCrisisandEmergencyManagementprocedureArticle16.Commercialbanksshouldmaintainanongoingriskidentificationandassessmentprocessthatallowsthebanktopinpointtheareasofconcerninitsinformationsystems，assessthepotentialimpactoftherisksonitsbusiness，ranktherisks，andprioritizemitigationactionsandthenecessaryresources（includingoutsourcingvendors，productvendorsandservice

vendors）。

Article17.CommercialbanksshouldimplementacomprehensivesetofriskmitigationmeasurescomplyingwiththeITriskmanagementpoliciesandcommensuratewiththerisk

assessmentofthebank.Thesemitigationmeasuresshouldinclude：

（1）AsetofclearlydocumentedITriskpolicies，technicalstandards，andoperationalprocedures，whichshouldbecommunicatedtothestafffrequentlyandkeptuptodateinatimely

manner；

（2）Areasofpotentialconflictsofinterestshouldbeidentified，minimized，andsubjecttocareful，independentmonitoring.Alsoitrequiresthatanappropriatecontrolstructureissetuptofacilitatechecksandbalances，withcontrolactivitiesdefinedateverybusinesslevel，which

shouldinclude：-Toplevelreviews；

-Controlsoverphysicalandlogicalaccesstodataandsystem；-Accessgrantedon“needtoknow”and“minimumauthorization”basis；

-Asystemofapprovalsandauthorizations；and-Asystemofverificationandreconciliation.

Article18.Commercialbanksshouldputinplaceasetofongoingriskmeasurementand

monitoringmechanisms，whichshouldinclude

（1）Preandpost-implementationreviewofITprojects；（2）Benchmarksforperiodicreviewofsystemperformance；（3）ReportsofincidentsandcomplaintsaboutITservices；

（4）Reportsofinternalaudit，externalaudit，andissuesidentifiedbyCBRC；and（5）Arrangementwithvendorsandbusinessunitsforperiodicreviewofservicelevel

agreements（SLAs）。（6）Thepossibleimpactofnewdevelopmentoftechnologyandnewthreatstosoftware

deployed.

（7）Timelyreviewofoperationalriskandmanagementcontrolsinoperationarea.

（8）AssesstheriskprofileonIToutsourcingprojectsperiodically.

Article19.ChinesecommercialbanksoperatingoffshoreandtheforeigncommercialbanksinChinashouldcomplywiththerelevantregulatoryrequirementsoninformationsystemsinand

outsidethePeoplesRepublicofChina.ChapterIVInformationSecurity

Article20.Informationtechnologydepartmentofcommercialbanksshouldoverseetheestablishmentofaninformationclassificationandprotectionscheme.Allemployeesofthebankshouldbemadeawareoftheimportanceofensuringinformationconfidentialityandprovidedwiththenecessarytrainingtofullyunderstandtheinformationprotectionprocedureswithintheir

responsibilities.

Article21.Commercialbanksshouldputinplaceaninformationsecuritymanagementfunctiontodevelopandmaintainanongoinginformationsecuritymanagementprogram，promoteinformationsecurityawareness，adviseotherITfunctionsonsecurityissues，serveastheleaderofITincidentresponseteam，andreporttheevaluationoftheinformationsecurityofthebanktotheITsteeringcommitteeperiodically.TheInformationsecuritymanagementprogramshouldincludeInformationsecuritystandards，strategy，animplementationplan，andan

ongoingmaintenanceplan.

Informationsecuritypolicyshouldincludethefollowingareas：

（1）ITsecuritypolicymanagement（2）Organizationinformationsecurity

（3）Assetmanagement（4）Personnelsecurity

（5）Physicalandenvironmentsecurity（6）Communicationandoperationsecurity（7）Accesscontrolandauthentication

（8）Acquirement，developmentandmaintenanceofinformationsystem

（9）Informationsecurityeventmanagement（10）Businesscontinuitymanagement

（11）ComplianceArticle22.Commercialbanksshouldhaveaneffectiveprocesstomanageuserauthenticationandaccesscontrol.Accesstodataandsystemshouldbestrictlylimitedtoauthorizedindividualswhoseidentityisclearlyestablished，andtheiractivitiesintheinformationsystemsshouldbelimitedtotheminimumrequiredfortheirlegitimatebusinessuse.Appropriateuserauthenticationmechanismcommensuratewiththeclassificationofinformationtobeaccessedshouldbeselected.Timelyreviewandremovalofuseridentityfromthesystemshouldbeimplementedwhenuser

transferstoanewjoborleavethecommercialbank.

Article23.Commercialbanksshouldensureallphysicalsecurityzones，suchascomputercentersordatacenters，networkclosets，areascontainingconfidentialinformationorcriticalITequipment，andrespectiveaccountabilitiesareclearlydefined，andappropriatepreventive，

detective，andrecuperativecontrolsareputinplace.

Article24.Commercialbanksshoulddividetheirnetworksintologicalsecuritydomains（hereinafterreferredtoasthe“domain”）withdifferentlevelsofsecurity.Thefollowingsecurityfactorshavetobeassessedinordertodefineandimplementeffectivesecuritycontrols，suchasphysicalorlogicalsegregationofnetwork，networkfiltering，logicalaccesscontrol，trafficencryption，networkmonitoring，activitylog，etc.，foreachdomainandthewhole

network.

（1）criticalityoftheapplicationsandusergroupswithinthedomain；（2）Accesspointstothedomainthroughvariouscommunicationchannels；（3）Networkprotocolsandportsusedbytheapplicationsandnetworkequipmentdeployed

withinthedomain；

（4）Performancerequirementorbenchmark；

（5）Natureofthedomain，i.e.productionortesting，internalorexternal；

（6）Connectivitybetweenvariousdomains；and

（7）Trustworthinessofthedomain.

Article25.Commercialbanksshouldsecuretheoperatingsystemandsystemsoftwareofall

computersystemsby

（1）Developingbaselinesecurityrequirementforeachoperatingsystemandensuringall

systemsmeetthebaselinesecurityrequirement；

（2）Clearlydefiningasetofaccessprivilegesfordifferentgroupsofusers，namely，end-users，systemdevelopmentstaff，computeroperators，andsystemadministratorsanduser

administrators；

（3）Settingupasystemofapproval，verification，andmonitoringproceduresforusing

thehighestprivilegedsystemaccounts；（4）Requiringtechnicalstafftoreviewavailablesecuritypatches，andreportthepatch

statusperiodically；and

（5）Requiringtechnicalstafftoincludeimportantitemssuchasunsuccessfullogins，accesstocriticalsystemfiles，changesmadetouseraccounts，etc.insystemlogs，monitorsthesystemsforanyabnormaleventmanuallyorautomatically，andreportthemonitoring

periodically.

Article26.Commercialbanksshouldensurethesecurityofalltheapplicationsystemsby（1）Clearlydefiningtherolesandresponsibilitiesofend-usersandITstaffregardingthe

applicationsecurity；

（2）Implementingarobustauthenticationmethodcommensuratewiththecriticalityand

sensibilityoftheapplicationsystem；

（3）Enforcingsegregationofdutiesanddualcontrolovercriticalorsensitivefunctions；（4）Requiringverificationofinputorreconciliationofoutputatcriticaljunctures；（5）Requiringtheinputandoutputofconfidentialinformationarehandledinasecuremannertopreventtheft，tampering，intentionalleakage，orinadvertentleakage；（6）Ensuringsystemcanhandleexceptionsinapredefinedwayandprovidemeaningful

messagetouserswhenthesystemisforcedtoterminate；and（7）Maintainingaudittrailineitherpaperorelectronicformat.

（8）Requiringuseradministratortomonitorandreviewunsuccessfulloginsandchangesto

usersaccounts.

Article27.Commercialbanksshouldhaveasetofpoliciesandprocedurescontrollingtheloggingofactivitiesinallproductionsystemstosupporteffectiveauditing，securityforensicanalysis，andfraudprevention.Loggingcanbeimplementedindifferentlayersofsoftwareandondifferentcomputerandnetworkingequipment，whichfallsintotwobroadcategories：（1）Transactionjournals.Theyaregeneratedbyapplicationsoftwareanddatabasemanagementsystem，andcontainauthenticationattempts，modificationtodata，errormessages，

etc.Transactionjournalsshouldbekeptaccordingtothenationalaccountingpolicy.（2）Systemlogs.Theyaregeneratedbyoperatingsystems，databasemanagementsystem，firewalls，intrusiondetectionsystems，androuters，etc.，andcontainauthenticationattempts，systemevents，networkevents，errormessages，etc.Systemlogsshouldbekeptforaperiod

scaledtotheriskclassification，butnolessthanoneyear.

Banksshouldensurethatsufficientitemsbeincludedinthelogstofacilitateeffectiveinternalcontrols，systemtroubleshooting，andauditingwhiletakingappropriatemeasurestoensuretimesynchronizationonalllogs.Sufficientdiskspaceshouldbeallocatedtopreventlogsfrombeingoverwritten.Systemlogsshouldbereviewedforanyexception.ThereviewfrequencyandretentionperiodfortransactionlogsordatabaselogsshouldbedeterminedjointlybyITorganizationandpertinentbusinesslines，andapprovedbytheITsteeringcommittee.Article28.Commercialbanksshouldhavethecapacitytoemployencryptiontechnologiestomitigatetheriskoflosingconfidentialinformationintheinformationsystemsorduringitstransmission.Appropriatemanagementprocessesoftheencryptionfacilitiesshouldbeputin

placetoensurethat

（1）Encryptionfacilitiesinuseshouldmeetnationalsecuritystandardsorrequirements；

（2）Staffinchargeofencryptionfacilitiesarewelltrainedandscreened；

（3）Encryptionstrengthisadequatetoprotecttheconfidentialityoftheinformation；and

（4）Effectiveandefficientkeymanagementprocedures，especiallykeylifecycle

managementandcertificatelifecyclemanagement，areinplace.

Article29.Commercialbanksshouldputinplaceaneffectiveandefficientsystemofsecuringallend-usercomputingequipmentwhichincludedesktoppersonalcomputers（PCs），portablePCs，tellerterminals，automatictellermachines（ATMs），passbookprinters，debitorcreditcardreaders，pointofsale（POS）terminals，personaldigitalassistant（PDAs），

etcandconductperiodicsecuritychecksonallequipments.

Article30.Commercialbanksshouldputinplaceasetofpoliciesandprocedurestogovernthecollection，processing，storage，transmission，dissemination，anddisposalofcustomer

information.

Article31.Allemployees，includingcontractstaff，shouldbeprovidedwiththenecessarytrainingstofullyunderstandthesepoliciesproceduresandtheconsequencesoftheirviolation.

Commercialbanksshouldadoptazerotolerancepolicyagainstsecurityviolation.ChapterVApplicationSystemDevelopment，TestingandMaintenance

Article32.Commercialbanksshouldhavethecapabilitytoidentify，plan，acquire，develop，test，deploy，maintain，upgrade，andretireinformationsystems.Policiesandproceduresshouldbeinplacetogoverntheinitiation，prioritization，approval，andcontrolofITprojects.ProgressreportsofmajorITprojectsshouldbesubmittedtoandreviewedbytheITsteeringcommitteeperiodically.Decisionsinvolvingsignificantchangeofschedule，changeofkeypersonnel，changeofvendors，andmajorexpendituresshouldbeincludedintheprogress

report.

Article33.CommercialbanksshouldrecognizetherisksassociatedwithITprojects，whichincludethepossibilitiesofincurringvariouskindsofoperationalrisk，financiallosses，andopportunitycostsstemmingfromineffectiveprojectplanningorinadequateprojectmanagementcontrolsofthebank.Therefore，appropriateprojectmanagementmethodologiesshouldbe

adoptedandimplementedtocontroltherisksassociatedwithITprojects.Article34.CommercialbanksshouldadoptandimplementasystemdevelopmentmethodologytocontrolthelifecycleofInformationsystems.Thetypicalphasesofsystemlifecycleincludesystemanalysis，design，developmentoracquisition，testing，trialrun，deployment，maintenance，andretirement.Thesystemdevelopmentmethodologytobeusedshouldbecommensuratewiththesize，nature，andcomplexityoftheITproject，and，

generallyspeaking，shouldfacilitatethemanagementofthefollowingrisks.Article35.Commercialbanksshouldensuresystemreliability，integrity，andmaintainabilitybycontrollingsystemchangeswithasetofpoliciesandprocedures，which

shouldincludethefollowingelements.

（1）Ensurethatproductionsystemsareseparatedfromdevelopmentortestingsystems；（2）Separatingthedutiesofmanagingproductionsystemsandmanagingdevelopmentor

testingsystems；

（3）Prohibitingapplicationdevelopmentandmaintenancestafffromaccessingproductionsystemundernormalcircumstancesunlessmanagementapprovalisgrantedtoperformemergency

repair，andallemergencyrepairactivitiesshouldberecordedandreviewedpromptly；（4）Promotingchangesofprogramorsystemconfigurationfromdevelopmentandtesting

systemstoproductionsystemsshouldbejointlyapprovedbyITorganizationandbusiness

departments，properlydocumented，andreviewedperiodically.

Article36.Commercialbanksshouldhaveinplaceasetofpolicies，standards，andprocedurestoensuredataintegrity，confidentiality，andavailability.Thesepoliciesshouldbein

accordancewithdataintegrityamidITdevelopmentprocedure.

Article37.CommercialbanksshouldensurethatInformationsystemproblemscouldbetracked，analyzed，andresolvedsystematicallythroughaneffectiveproblemmanagementprocess.Problemsshouldbedocumented，categorized，andindexed.Supportservicesortechnicalassistancefromvendors，ifnecessary，shouldalsobedocumented.Contactsandrelevantcontractinformationshouldbemadereadilyavailabletotheemployeesconcerned.Accountabilityandlineofcommandshouldbedelineatedclearlyandcommunicatedtoallemployeesconcerned，whichisofutmostimportancetoperformingemergencyrepair.Article38.Commercialbanksshouldhaveasetofpoliciesandprocedurescontrollingtheprocessofsystemupgrade.Systemupgradeisneededwhenthehardwarereachesitslifespanorrunsoutofcapacity，theunderpinningsoftware，namely，operatingsystem，databasemanagementsystem，middleware，hastobeupgraded，ortheapplicationsoftwarehastobeupgraded.Thesystemupgradeshouldbetreatedasaprojectandmanagedbyallpertinentproject

managementcontrolsincludinguseracceptancetesting.ChapterVIITOperations

Article39.Commercialbanksshouldconsiderfullytheenvironmentalthreats（e.g.proximitytonaturaldisasterzones，dangerousorhazardousfacilitiesorbusy/majorroads）when

selectingthelocationsoftheirdatacenters.Physicalandenvironmentalcontrolsshouldbeimplementedtomonitorenvironmentalconditionscouldaffectadverselytheoperationofinformationprocessingfacilities.Equipmentfacilitiesshouldbeprotectedfrompowerfailuresand

electricalsupplyinterference.

Article40.Incontrollingaccessbythird-partypersonnel（e.g.serviceproviders）tosecured

areas，properapprovalofaccessshouldbeenforcedandtheiractivitiesshouldbecloselymonitored.Itisimportantthatproperscreeningproceduresincludingverificationandbackgroundchecks，especiallyforsensitivetechnology-relatedjobs，aredevelopedforpermanentand

temporarytechnicalstaffandcontractors.

Article41.CommercialbanksshouldseparateIToperationsorcomputercenteroperationsfromsystemdevelopmentandmaintenancetoensuresegregationofdutieswithintheITorganization.Thecommercialbanksshoulddocumenttherolesandresponsibilitiesofdatacenter

functions.

Article42.Commercialbanksarerequiredtoretaintransactionalrecordsincompliancewiththenationalaccountingpolicy.Proceduresandtechnologyareneededtobeputinplacetoensure

theintegrity，safekeepingandretrievalrequirementsofthearchiveddata.Article43.Commercialbanksshoulddetailoperationalinstructionssuchascomputeroperatortasks，jobschedulingandexecutionintheIToperationsmanual.TheIToperationsmanualshouldalsocovertheproceduresandrequirementsforon-siteandoff-sitebackupofdataandsoftwareinboththeproductionanddevelopmentenvironments（i.e.frequency，scopeand

retentionperiodsofback-up）。

Article44.CommercialbanksshouldhaveinplaceaproblemmanagementandprocessingsystemtorespondpromptlytoIToperationsincidents，toescalatereportedincidentstorelevant

ITmanagementstaffandtorecord，analyzeandkeeptracksofalltheseincidentsuntilrectificationoftheincidentswithrootcauseanalysiscompleted.Ahelpdeskfunctionshouldbesetuptoprovidefront-linesupporttousersonalltechnology-relatedproblemsandtodirectthe

problemstorelevantITfunctionsforinvestigationandresolution.

Article45.CommercialbanksshouldestablishservicelevelagreementandassesstheIT

servicelevelstandardattained.

Article46.Commercialbanksshouldimplementaprocesstoensurethattheperformanceofapplicationsystemsiscontinuouslymonitoredandexceptionsarereportedinatimelyandcomprehensivemanner.Theperformancemonitoringprocessshouldincludeforecastingcapabilitytoenableexceptionstobeidentifiedandcorrectedbeforetheyaffectsystem

performance.

Article47.Commercialbanksshouldcarryoutcapacityplantocaterforbusinessgrowthandtransactionincreasesduetochangesofeconomicconditions.Capacityplanshouldbeextendedto

coverback-upsystemsandrelatedfacilitiesinadditiontotheproductionenvironment.Article48.Commercialbanksshouldensurethecontinuedavailabilityoftechnologyrelatedserviceswithtimelymaintenanceandappropriatesystemupgrades.Properrecordkeeping（includingsuspectedandactualfaultsandpreventiveandcorrectivemaintenancerecords）is

necessaryforeffectivefacilityandequipmentmaintenance.

Article49.Commercialbanksshouldhaveaneffectivechangemanagementprocessinplacetoensureintegrityandreliabilityoftheproductionenvironment.Commercialbanksshould

developaformalchangemanagementprocess.ChapterVIIBusinessContinuityManagement

Article50.Commercialbanksshouldhaveinplaceappropriatearrangements，havingregardtothenature，scaleandcomplexityofitsbusiness，toensurethatitcancontinuetofunctionandmeetitsregulatoryobligationsintheeventofanunforeseeninterruption.Thesearrangements

shouldberegularlyupdatedandtestedtoensuretheireffectiveness.

Article51.Commercialbanksshouldconsiderthelikelihoodandimpactofadisruptiontothecontinuityofitsoperationfromunexpectedevents.Thisshouldincludeassessingthe

disruptionstowhichitisparticularlysusceptibleincludingbutnotlimitedto：

（1）Lossoffailureofinternalandexternalresources（suchaspeople，systemsandother

assets）；

（2）Thelossorcorruptionofitsinformation；and

（3）Externalevents（suchaswar，earthquake，typhoon，etc）。Article52.Commercialbankshouldacttoreduceboththelikelihoodofdisruptions（includingsystemresilienceanddualprocessing）；andtheimpactofdisruptions（includingby

contingencyarrangementsandinsurance）。

Article53.Commercialbankshoulddocumentitsstrategyformaintainingcontinuityofitsoperations，anditsplansforcommunicatingandregularlytestingtheadequacyandeffectiveness

ofthisstrategy.Commercialbankshouldestablish：

（1）Formalbusinesscontinuityplansthatoutlinearrangementstoreducetheimpactofa

short，mediumandlong-termdisruption，including：

a）Resourcerequirementssuchaspeople，systemsandotherassets，andarrangementsfor

obtainingtheseresources；b）Therecoveryprioritiesforthecommercialbanksoperations；and

c）Communicationarrangementsforinternalandexternalconcernedparties（including

CBRC，clientsandthepress）；

（2）Escalationandinvocationplansthatoutlinetheprocessesforimplementingthebusiness

continuityplans，togetherwithrelevantcontactinformation；

（3）Processestovalidatetheintegrityofinformationaffectedbythedisruption；（4）Processestoreviewandupdate（1）to（3）followingchangestothecommercial

banksoperationsorriskprofile.

Article54.AfinalBCPplanandanannualdrillresultmustbesignedoffbytheITRisk

management，orinternalauditorandITSteeringCommittee.

ChapterVIIIOutsourcing

Article55.Commercialbankscannotcontractoutitsregulatoryobligationsandshouldtake

reasonablecaretosupervisethedischargeofoutsourcingfunctions.

Article56.Commercialbanksshouldtakeparticularcaretomanagematerialoutsourcingarrangement（suchasoutsourcingofdatacenter，ITinfrastructure，etc.），andshouldnotify

CBRCwhenitintendstoenterintomaterialoutsourcingarrangement.

Article57.Beforeenteringinto，orsignificantlychanging，anoutsourcingarrangement，

thecommercialbankshould：

（1）Analyzehowthearrangementwillfitwithitsorganizationandreportingstructure；businessstrategy；overallriskprofile；andabilitytomeetitsregulatoryobligations；（2）Considerwhetherthearrangementswillallowittomonitorandcontrolitsoperational

riskexposurerelatingtotheoutsourcing；

（3）Conductappropriateduediligenceoftheserviceprovidersfinancialstability，expertiseandriskassessmentoftheserviceprovider，facilitiesandabilitytocoverthepotential

liabilities；

（4）Considerhowitwillensureasmoothtransitionofitsoperationsfromitscurrentarrangementstoaneworchangedoutsourcingarrangement（includingwhatwillhappenonthe

terminationofthecontract）；and

（5）Consideranyconcentrationriskimplicationssuchasthebusinesscontinuity

implicationsthatmayariseifasingleserviceproviderisusedbyseveralfirms.

Article58.Innegotiatingitscontractwithaserviceprovider，thecommercialbankshould

haveregardto（butnotlimitedto）：

（1）Reportingandnegotiationrequirementsitmaywishtoimposeontheserviceprovider；（2）Whethersufficientaccesswillbeavailabletoitsinternalauditors，externalauditorsand

bankingregulators；

（3）Informationownershiprights，confidentialityagreementsandFirewallstoprotectclient

andotherinformation（includingarrangementsattheterminationofcontract）；

（4）Theadequacyofanyguaranteesandindemnities；

（5）Theextenttowhichtheserviceprovidermustcomplywiththecommercialbanks

policesandprocedurescoveringITRisk；

（6）Theextenttowhichtheserviceproviderwillprovidebusinesscontinuityforoutsourced

operations，andwhetherexclusiveaccesstoitsresourcesisagreed；

（7）Theneedforcontinuedavailabilityofsoftwarefollowingdifficultyatathirdparty

supplier；

（8）Theprocessesformakingchangestotheoutsourcingarrangementandtheconditionsunderwhichthecommercialbankorserviceprovidercanchoosetochangeorterminatethe

outsourcingarrangement，suchaswherethereis：

a）Achangeofownershiporcontroloftheserviceproviderorcommercialbank；orb）Significantchangeinthebusinessoperationsoftheserviceproviderorcommercialbank；

or

c）Inadequateprovisionofservicesthatmayleadtothecommercialbankbeingunableto

meetitsregulatoryobligations.

Article59.Inimplementingarelationshipmanagementframework，anddraftingtheservicelevelagreementwiththeserviceprovider，thecommercialbankshouldhaveregardedto（but

notlimitedto）：

（1）Theidentificationofqualitativeandquantitativeperformancetargetstoassesstheadequacyofserviceprovision，toboththecommercialbankanditsclients，whereappropriate；（2）Theevaluationofperformancethroughservicedeliveryreportsandperiodicself

assessmentandindependentreviewbyinternalorexternalauditors；and

（3）Remediationactionandescalationprocessfordealingwithinadequateperformance.Article60.ThecommercialbankshouldenhanceITrelatedoutsourcingmanagement，inplacefollowing（notlimitedto）measurestoensuredatasecurityofsensitiveinformationsuch

ascustomerinformation：

（1）Effectivelyseparatedfromothercustomerinformationoftheserviceprovider；（2）Therelatedstaffofserviceprovidershouldbeauthorizedon“needtoknow”and

“minimumauthorization”basis；（3）Ensureserviceproviderguaranteeitsstaffformeetingtheconfidentialrequests；（4）Alloutsourcingarrangementsrelatedtocustomerinformationshouldbeidentifiedas

materialoutsourcingarrangementsandthecustomersshouldbenotified；

（5）Strictlymonitorre-outsourcingactionsoftheserviceprovider，andimplement

adequatecontrolmeasurestoensureinformationsecurityofthebank；

（6）Ensureallrelatedsensitiveinformationberefundedordeletedfromtheservice

providersstoragewhenterminatingtheoutsourcingarrangement.

Article61.Thecommercialbankshouldensurethatithasappropriatecontingencyintheeventofasignificantlossofservicesfromtheserviceprovider.Particularissuestoconsiderincludeasignificantlossofresources，turnoverofkeystaff，orfinancialfailureof，theservice

provider，andunexpectedterminationoftheoutsourcingagreement.

Article62.AlloutsourcingcontractsmustbereviewedorsignedoffbyITRiskmanagement，internalITauditors，legaldepartmentandITSteeringCommittee.Thereshouldbeaprocessto

periodicallyreviewandrefinetheservicelevelagreements.

ChapterIXInternalAudit

Article63.Dependingonthenature，scaleandcomplexityofitsbusiness，itmaybe

appropriateforthecommercialbankstodelegatemuchofthetaskofmonitoringtheappropriatenessandeffectivenessofitssystemsandcontrolstoaninternalauditfunction.Aninternalauditfunctionshouldbeadequatelyresourcedandstaffedbycompetentindividuals，beindependentoftheday-to-dayactivitiesofthecommercialbankandhaveappropriateaccesstothe

banksrecords.

Article64.TheresponsibilitiesoftheinternalITauditfunctionare：

（1）Toestablish，implementandmaintainanauditplantoexamineandevaluatethe

adequacyandeffectivenessofthebankssystemsandinternalcontrolmechanismsand

arrangements；

（2）Toissuerecommendationsbasedontheresultofworkcarriedoutinaccordancewith1；

（3）Toverifycompliancewiththoserecommendations；

（4）Tocarryoutspecialauditoninformationtechnology.Theterm“specialaudit”ofinformationtechnologyreferstotheinvestigation，analysisandassessmentonthesecurityincidentsoftheinformationsystem，ortheauditperformedonaspecialsubjectbasedonITrisk

assessmentresultasdeemednecessarybytheauditdepartment.

Article65.Basedonthenature，scaleandcomplexityofitsbusiness，deploymentofinformationtechnologyandITriskassessment，commercialbankscoulddeterminethescopeandfrequencyofITinternalaudit.However，acomprehensiveITinternalauditshallbeperformedat

aminimumonceevery3years.

Article66.CommercialbanksshouldengageitsinternalauditdepartmentandITRiskmanagementdepartmentwhenimplementingsystemdevelopmentofsignificantsizeandscaleto

ensureitmeetstheITRiskstandardsoftheCommercialbanks.

ChapterXExternalAudit

Article67.Theexternalinformationtechnologyauditofcommercialbankscanbecarriedout

bycertifiedserviceprovidersinaccordancewithlaws，rulesandregulations.Article68.ThecommercialbankshouldensureITauditserviceprovidertoreviewandexaminebankshardware，software，documentationanddatatoidentifyITriskwhentheyare

commissionedtoperformtheaudit.Vitalcommercialandtechnicalinformationwhichis

protectedbynationallawsandregulationsshouldnotbereviewed.

Article69.Commercialbankshouldcommunicatewiththeserviceproviderindepthbeforetheaudittodetermineauditscope，andshouldnotwithholdthetruthordonotcorporatewiththe

serviceproviderintentionally.

Article70.CBRCanditslocalofficescoulddesignatecertifiedserviceproviderstocarryout

ITauditorrelatedreviewoncommercialbankswhenneeded.Whencarryingoutauditoncommercialbanks，ascommissionedorauthorizedbyCBRCoritslocaloffices，theserviceprovidersshallpresenttheletterofauthority，andcarryouttheauditinaccordancetothescope

prescribedintheletterofauthority.

Article71.OncetheITauditreportproducedbytheserviceprovidersisreviewedandapprovedbyCBRCoritslocaloffices，thereportwillhavethesamelegalstatusasifitisproducedbytheCBRCitself.Commercialbanksshouldcomeupwithacorrectionactionplanprescribedinthereportandimplementthecorrectiveactionsaccordingtothetimeframe.Article72.CommercialbanksshouldensuretheserviceproviderstostrictlycomplywithlawsandregulationstokeepconfidentialanddatasecurityofanycommercialsecretsandprivateinformationlearntandITriskinformationwhenconductingtheaudit.Theserviceprovidershould

notmodifycopyortakeawayanydocumentsprovidedbythecommercialbanks.

ChapterXISupplementaryProvisions

Article73.Commercialbankswithnoboardofdirectorsshouldhavetheiroperatingdecision-makingbodiesperformtheresponsibilitiesoftheboardwithregardtoITrisk

managementspecifiedherein.

Article74.TheChinaBankingRegulatoryCommissionsupervisesandregulatestheITrisk

managementofcommercialbanksunderitsauthoritybylaw.Article75.ThepowerofinterpretationandmodificationoftheGuidelinesshallrestwiththe

ChinaBankingRegulatoryCommission.

Article76.TheGuidelinesshallbecomeeffectiveasofthedateofitsissuanceandtheformer

GuidelinesontheRiskManagementofBankingInstitutionsInformationSystemsshallbe

revokedatthesametime.

中國銀行業(yè)監(jiān)督管理委員會(huì)

友情提示：本文中關(guān)于《商業(yè)銀行突圍科技風(fēng)險(xiǎn)管理初級階段》給出的范例僅供您參考拓展思維使用，商業(yè)銀行突圍科技風(fēng)險(xiǎn)管理初級階段：該篇文章建議您自主創(chuàng)作。

來源：網(wǎng)絡(luò)整理 免責(zé)聲明：本文僅限學(xué)習(xí)分享，如產(chǎn)生版權(quán)問題，請聯(lián)系我們及時(shí)刪除。

《商業(yè)銀行突圍科技風(fēng)險(xiǎn)管理初級階段》由互聯(lián)網(wǎng)用戶整理提供,轉(zhuǎn)載分享請保留原作者信息,謝謝!
鏈接地址：http://www.seogis.com/gongwen/655340.html

• 上一篇：貸后管理現(xiàn)場檢查方法及技巧
• 下一篇：公共場所衛(wèi)生管理匯報(bào)