Risk Management System for Commercial Banks' Information Technology (English version) (doc, 16 pages)

Author: 高考题库网
Source: https://www.bjmy2z.cn/gaokao
2021-01-21 19:42
Posted 21 January 2021 (author: 突然)

Guidelines on the Risk Management of Commercial Banks’ Information Technology






Chapter I
General Provisions

Article 1.

Pursuant to the Law of the People’s Republic of China on Banking Regulation and Supervision, the Law of the People's Republic of China on Commercial Banks, the Regulations of the People’s Republic of China on Administration of Foreign-funded Banks, and other applicable laws and regulations, the Guidelines on the Risk Management of Commercial Banks’ Information Technology (hereinafter referred to as the Guidelines) is


Article 2.



Article 3.


Article 4.

transactions, operation management, and internal communication, collaborative work and controls. The term also includes IT governance, IT organization structure and IT policies and procedures.

Article 5.

The risk of information technology refers to the operational risk, legal risk and reputation risk that are caused by natural factors, human factors, technological loopholes or management deficiencies when using information technology.

Article 6.

The objective of information system risk management is to establish an effective mechanism that can identify, measure, monitor, and control the risks of commercial banks’ information systems, ensure data integrity, availability, confidentiality and consistency, provide the relevant early warning, and thereby enable commercial banks’ business innovations, uplift their capability in utilizing information technology, and improve their core competitiveness and capacity for sustainable development.



Chapter II
IT Governance

Article 7.

The legal representative of a commercial bank should be responsible for ensuring compliance with these Guidelines.


Article 8.

The board of directors of commercial banks should have the following responsibilities with respect to the management of information systems:

(1) Implementing and complying with the national laws, regulations and technical standards pertaining to the management of information systems, as well as the regulatory requirements set by the China Banking Regulatory Commission (hereinafter referred to as the “CBRC”);

(2) Periodically reviewing the alignment of IT strategy with the overall business strategies and significant policies of the bank, and assessing the overall effectiveness and efficiency of the IT organization;

(3) Approving IT risk management strategies and policies, understanding the major IT risks involved, setting acceptable levels for these risks, and ensuring the implementation of the measures necessary to identify, measure, monitor and control these risks;

(4) Setting high ethical and integrity standards, and establishing a culture within the bank that emphasizes and demonstrates to all levels of personnel the importance of IT risk management;

(5) Establishing an IT steering committee which consists of representatives from senior management, the IT organization, and major business units, to oversee these responsibilities and report the effectiveness of strategic IT planning, the IT budget and actual expenditure, and the overall IT performance to the board of directors and senior management periodically;

(6) Establishing an IT governance structure with proper segregation of duties, clear roles and responsibilities, checks and balances, and clear reporting relationships, and strengthening the IT professional staff by developing incentive programs;

(7) Ensuring that there is an effective internal audit of IT risk management carried out by operationally independent, well-trained and qualified staff. The internal audit report should be submitted directly to the IT audit committee;

(8) Submitting an annual report to the CBRC and its local offices on information system risk management that has been reviewed and approved by the board of directors;

(9) Ensuring the appropriate funding necessary for IT risk management work;

(10) Ensuring that all employees of the bank fully understand and adhere to the IT risk management policies and procedures approved by the board of directors and the senior management, and are provided with pertinent training;

(11) Ensuring that customer information, financial information, product information and the core banking system of the legal entity are held independently within the territory, complying with the regulatory on-site examination requirements of the CBRC and guarding against cross-border risk;

(12) Reporting in a timely manner to the CBRC and its local offices any serious incident of information systems or unexpected event, and quickly responding to it in accordance with the contingency plan;

(13) Cooperating with the CBRC and its local offices in the supervisory inspection of the risk management of information systems, and ensuring that supervisory opinions are followed up; and

(14) Performing other related IT risk management tasks.

Article 9.

The head of the IT organization, commonly known as the Chief Information Officer (CIO), should report directly to the president. Roles and responsibilities of the CIO should include the following:

(1) Playing a direct role in key decisions for the business development involving the use of IT in the bank;

(2) Ensuring that information systems meet the needs of the bank, and that IT strategies, in particular information system development strategies, comply with the overall business strategies and IT risk management policies of the bank;

(3) Being responsible for the establishment of an effective and efficient IT organization to carry out the IT functions of the bank. These include the IT budget and expenditure, IT risk management, IT policies, standards and procedures, IT internal controls, professional development, IT project initiatives, IT project management, information system maintenance and upgrade, IT operations, IT infrastructure, information security, disaster recovery plan (DRP), IT outsourcing, and information system retirement;

(4) Ensuring the effectiveness of IT risk management throughout the organization, including all branches;

(5) Organizing professional trainings to improve the technical proficiency of staff; and

(6) Performing other related IT risk management tasks.

Article 10.

Commercial banks should ensure that a clear definition of the IT organization structure and documentation of all job descriptions of important positions are always in place and updated in a timely manner. Staff in each position should meet relevant requirements on professional skills and knowledge. The following risk mitigation measures should be incorporated in the management program of related staff:

(1) Verification of personal information, including personal identification issued by government, academic credentials, professional qualifications, and confirmation of prior work experience;

(2) Ensuring that IT staff can meet the required professional ethics by checking character references;

(3) Signing of agreements with employees about understanding of IT policies and guidelines, non-disclosure of confidential information, authorized use of information systems, and adherence to IT policies and procedures; and

(4) Evaluation of the risk of losing key IT personnel, especially during major IT development stages or in a period of unstable IT operations, and the relevant risk mitigation measures such as staff backup arrangements and staff succession plans.

Article 11.

Commercial banks should establish or designate a particular department for IT risk management. It should report directly to the CIO and the Chief Risk Officer (or risk management committee), serve as a member of the IT incident response team, and be responsible for coordinating the establishment of policies regarding IT risk management, especially in the areas of information security, BCP, and compliance with the CBRC regulations, advising the business departments and IT department in implementing these policies, providing relevant compliance information, conducting on-going assessment of IT risks, ensuring the follow-up of remediation advice, and monitoring and escalating the management of IT threats and non-compliance events.




Article 12.

Commercial banks should establish a special IT audit role and responsibility within the internal audit function, which should put in place IT audit policies and procedures, and develop and execute the IT audit plan.

Article 13.

Commercial banks should put in place policies and procedures to protect intellectual property rights according to laws regarding intellectual property, ensure the purchase of legitimate software and hardware, the prevention of the use of pirated software, and the protection of the proprietary rights of IT products developed by the bank, and ensure that these are fully understood and complied with by all employees.


Article 14.

Commercial banks should, in accordance with relevant laws and regulations, disclose the risk profile of their IT normatively and in a timely manner.




Chapter III
IT Risk Management

Article 15.

Commercial banks should formulate an IT strategy that aligns with the overall business plan of the bank, an IT risk assessment plan and an IT operational plan that can ensure adequate financial resources and human resources to maintain a stable and secure IT environment.

Article 16.

Commercial banks should put in place a comprehensive set of IT risk management policies that include the following areas:

(1) Information security classification policy
(2) System development, testing and maintenance policy
(3) IT operation and maintenance policy
(4) Access control policy
(5) Physical security policy
(6) Personnel security policy
(7) Business Continuity Planning and Crisis and Emergency Management procedure

Article 17.

Commercial banks should maintain an ongoing risk identification and assessment process that allows the bank to pinpoint the areas of concern in its information systems, assess the potential impact of the risks on its business, rank the risks, and prioritize mitigation actions and the necessary resources (including outsourcing vendors, product vendors and service vendors).

Article 18.

Commercial banks should implement a comprehensive set of risk mitigation measures complying with the IT risk management policies and commensurate with the risk assessment of the bank. These mitigation measures should include:

(1) A set of clearly documented IT risk policies, technical standards, and operational procedures, which should be communicated to the staff frequently and kept up to date in a timely manner;

(2) Areas of potential conflicts of interest should be identified, minimized, and subject to careful, independent monitoring. This also requires that an appropriate control structure is set up to facilitate checks and balances, with control activities defined at every business level, which should include:

- Top level reviews;
- Controls over physical and logical access to data and systems;
- Access granted on a “need to know” and “minimum authorization” basis;
- A system of approvals and authorizations; and
- A system of verification and reconciliation.

Article 19.

Commercial banks should put in place a set of ongoing risk measurement and monitoring mechanisms, which should include:

(1) Pre- and post-implementation review of IT projects;
(2) Benchmarks for periodic review of system performance;
(3) Reports of incidents and complaints about IT services;
(4) Reports of internal audit, external audit, and issues identified by the CBRC;
(5) Arrangements with vendors and business units for periodic review of service level agreements (SLAs);
(6) The possible impact of new developments of technology and new threats to the software deployed;
(7) Timely review of operational risk and management controls in the operation area; and
(8) Periodic assessment of the risk profile of IT outsourcing projects.



Article 20.

Chinese commercial banks operating offshore and foreign commercial banks in China should comply with the relevant regulatory requirements on information systems in and outside the People’s Republic of China.


Chapter IV
Information Security

Article 21.

The information technology department of commercial banks should oversee the establishment of an information classification and protection scheme. All employees of the bank should be made aware of the importance of ensuring information confidentiality and provided with the necessary training to fully understand the information protection procedures within their responsibilities.

Article 22.

Commercial banks should put in place an information security management function to develop and maintain an ongoing information security management program, promote information security awareness, advise other IT functions on security issues, serve as the leader of the IT incident response team, and report the evaluation of the information security of the bank to the IT steering committee periodically.

The information security management program should include an information security strategy, information security standards, an implementation plan, and an ongoing maintenance plan. The information security policy should include the following areas:

(1) IT security policy management
(2) Organization information security
(3) Asset management
(4) Personnel security
(5) Physical and environment security
(6) Communication and operation security
(7) Access control and authentication
(8) Acquirement, development and maintenance of information systems
(9) Information security event management
(10) Business continuity management
(11) Compliance

Article 23.

Commercial banks should have an effective process to manage user authentication and access control. Access to data and systems should be strictly limited to authorized individuals whose identity is clearly established, and their activities in the information systems should be limited to the minimum required for their legitimate business use. An appropriate user authentication mechanism commensurate with the classification of the information to be accessed should be selected. Timely review and removal of user identities from the system should be implemented when a user transfers to a new job or leaves the commercial bank.

Article 24.

Commercial banks should ensure all physical security zones, such as computer centers or data centers, network closets, areas containing confidential information or critical IT equipment, and the respective accountabilities are clearly defined, and appropriate preventive, detective, and recuperative controls are put in place.

Article 25.

Commercial banks should divide their networks into logical security domains (hereinafter referred to as the “domain”) with different levels of security. The following security factors have to be assessed in order to define and implement effective security controls, such as physical or logical segregation of the network, network filtering, logical access control, traffic encryption, network monitoring, activity logs, etc., for each domain and the whole network:

(1) Criticality of the applications and user groups within the domain;
(2) Access points to the domain through various communication channels;
(3) Network protocols and ports used by the applications and network equipment deployed within the domain;
(4) Performance benchmark;
(5) Nature of the domain, i.e. production or testing, internal or external;
(6) Connectivity between various domains; and
(7) Trustworthiness of the domain.

Article 26.

Commercial banks should secure the operating system and system software of all computer systems by

(1) Developing baseline security requirements for each operating system and ensuring all systems meet the baseline security requirements;

(2) Clearly defining a set of access privileges for different groups of users, namely, end-users, system development staff, computer operators, and system administrators and user administrators;

(3) Setting up a system of approval, verification, and monitoring procedures for using the highest privileged system accounts;

(4) Requiring technical staff to review available security patches, and report the patch status periodically; and

(5) Requiring technical staff to include important items such as unsuccessful logins, access to critical system files, changes made to user accounts, etc. in system logs, monitor the systems for any abnormal event manually or automatically, and report the monitoring periodically.

Article 27.

Commercial banks should ensure the security of all the application systems by

(1) Clearly defining the roles and responsibilities of end-users and IT staff regarding the application security;

(2) Implementing a robust authentication method commensurate with the criticality and sensitivity of the application system;

(3) Enforcing segregation of duties and dual control over critical or sensitive functions;

(4) Requiring verification of input or reconciliation of output at critical junctures;

(5) Requiring the input and output of confidential information to be handled in a secure manner to prevent theft, tampering, intentional leakage, or inadvertent leakage;

(6) Ensuring the system can handle exceptions in a predefined way and provide meaningful messages to users when the system is forced to terminate;

(7) Maintaining an audit trail in either paper or electronic format; and

(8) Requiring user administrators to monitor and review unsuccessful logins and changes to user accounts.

Article 28.

Commercial banks should have a set of policies and procedures controlling the logging of activities in all production systems to support effective auditing, security forensic analysis, and fraud prevention. Logging can be implemented in different layers of software and on different computer and networking equipment, which falls into two broad categories:

(1) Transaction journals. They are generated by application software and database management systems, and contain authentication attempts, modifications to data, error messages, etc. Transaction journals should be kept according to the national accounting policy.

(2) System logs. They are generated by operating systems, database management systems, firewalls, intrusion detection systems, routers, etc., and contain authentication attempts, system events, network events, error messages, etc. System logs should be kept for a period scaled to the risk classification, but no less than one year.

Banks should ensure that sufficient items are included in the logs to facilitate effective internal controls, system troubleshooting, and auditing, while taking appropriate measures to ensure time synchronization on all logs. Sufficient disk space should be allocated to prevent logs from being overwritten. System logs should be reviewed for any exception. The review frequency and retention period for transaction logs or database logs should be determined jointly by the IT organization and the pertinent business lines, and approved by the IT steering committee.
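As an added example (not part of the Guidelines), the kind of review a bank could run over its own system logs to check the points Articles 26(5) and 28 call out: that unsuccessful logins, critical file access and account changes are actually being logged, that retention covers at least one year, that clocks agree across hosts, and that exceptions are surfaced for the user administrator. The line format, the thresholds and the sample lines are constructed assumptions.

```python
"""Review of system logs against the logging points in Articles 26(5) and 28.
Line format, thresholds and sample lines are constructed assumptions."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

REQUIRED_EVENTS = {"login_failed", "critical_file_access", "account_change"}
MIN_RETENTION_DAYS = 365                 # Article 28(2): no less than one year
MAX_CLOCK_SKEW = timedelta(seconds=5)    # assumed tolerance for time synchronization
FAILED_LOGIN_THRESHOLD = 5               # assumed threshold for flagging an exception

# Constructed sample, not real bank logs: the oldest line is 360 days old, txn a1
# is stamped 8 s apart on two hosts, and batch01 fails six logins on app-gw-01.
SAMPLE_LOGS = """\
2023-01-10T02:00:00|core-db-01|system_event|service=postgres state=started
2024-01-05T08:00:01|app-gw-01|login_failed|user=batch01 txn=a1
2024-01-05T08:00:09|core-db-01|login_failed|user=batch01 txn=a1
2024-01-05T08:00:02|app-gw-01|login_failed|user=batch01 txn=a2
2024-01-05T08:00:03|app-gw-01|login_failed|user=batch01 txn=a3
2024-01-05T08:00:04|app-gw-01|login_failed|user=batch01 txn=a4
2024-01-05T08:00:05|app-gw-01|login_failed|user=batch01 txn=a5
2024-01-05T08:00:06|app-gw-01|login_failed|user=batch01 txn=a6
2024-01-05T09:15:00|core-db-01|account_change|user=ops_li action=add_role role=dba
2024-01-05T09:15:02|core-db-01|critical_file_access|user=root path=/etc/shadow
2024-01-05T10:00:00|app-gw-01|login_ok|user=teller07 txn=b1
2024-01-05T10:00:00|core-db-01|login_ok|user=teller07 txn=b1
"""

def parse_logs(text):
    """Parse the constructed 'timestamp|host|event|k=v k=v' lines into dicts."""
    records = []
    for line in text.strip().splitlines():
        ts, host, event, detail = line.split("|", 3)
        fields = dict(kv.split("=", 1) for kv in detail.split())
        records.append({"ts": datetime.fromisoformat(ts), "host": host,
                        "event": event, **fields})
    return records

def review_system_logs(records):
    """Run the four checks and return the findings as a dict."""
    findings = {}
    # 1. Coverage: are the items Article 26(5) names actually being logged?
    findings["missing_events"] = sorted(REQUIRED_EVENTS - {r["event"] for r in records})
    # 2. Retention: the oldest entry must be at least one year older than the newest.
    span = max(r["ts"] for r in records) - min(r["ts"] for r in records)
    findings["retention_days"] = span.days
    findings["retention_ok"] = span.days >= MIN_RETENTION_DAYS
    # 3. Time synchronization: one transaction seen on two hosts should carry
    #    timestamps within tolerance; a larger gap points at unsynchronized clocks.
    by_txn = defaultdict(list)
    for r in records:
        if "txn" in r:
            by_txn[r["txn"]].append(r["ts"])
    findings["clock_skew"] = sorted(
        (txn, (max(ts) - min(ts)).total_seconds())
        for txn, ts in by_txn.items() if max(ts) - min(ts) > MAX_CLOCK_SKEW)
    # 4. Exceptions for review: repeated unsuccessful logins per host and user,
    #    and every change to a user account (Article 27(8)).
    fails = Counter((r["host"], r["user"]) for r in records if r["event"] == "login_failed")
    findings["failed_login_bursts"] = sorted(
        (host, user, n) for (host, user), n in fails.items() if n >= FAILED_LOGIN_THRESHOLD)
    findings["account_changes"] = [
        f'{r["ts"].isoformat()} {r["host"]} {r["user"]} {r.get("action", "")}'
        for r in records if r["event"] == "account_change"]
    return findings
```

On the constructed sample the review reports all required event types present, a retention span of 360 days (short of the one-year minimum), an 8 s skew on transaction a1 between the two hosts, and a burst of six failed logins for batch01 on app-gw-01.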

Article 29.

Commercial banks should have the capacity to employ encryption technologies to mitigate the risk of losing confidential information in the information systems or during its transmission. Appropriate management processes for the encryption facilities should be put in place to ensure that

(1) Encryption facilities in use meet national security standards or requirements;

(2) Staff in charge of encryption facilities are well trained and screened;

(3) Encryption strength is adequate to protect the confidentiality of the information; and

(4) Effective and efficient key management procedures, especially key lifecycle management and certificate lifecycle management, are in place.

Article 30.

Commercial banks should put in place an effective and efficient system of securing all end-user computing equipment, which includes desktop personal computers

This article was updated on 2021-01-21 19:42 and is provided by the author; it does not represent the position of this website. Please cite the source when reposting: https://www.bjmy2z.cn/gaokao/545799.html
