商业银行信息科技风险管理指引_英文版

1、Guidelines on the Risk Management ofCommercial Banks Information TechnologyChapter IGeneral ProvisionsArticle 1. Pursuant to the Law of the Peoples Republic of China on Banking Regulation and Supervision, the Law of the People's Republic of China on Commercial Banks, the Regulations of the Peopl

2、es Republic of China on Administration of Foreign-funded Banks, and other applicable laws and regulations, the Guidelines on the Risk Management of Commercial Banks Information Technology (hereinafter referred to as the Guidelines) is formulated.Article 2. The Guidelines apply to all the commercial

3、banks legally incorporated within the territory of the Peoples Republic of China.The Guidelines may apply to other banking institutions including policy banks, rural cooperative banks, urban credit cooperatives, rural credit cooperatives, village banks, loan companies, financial asset management com

4、panies, trust and investment companies, finance firms, financial leasing companies, automobile financial companies and money brokers.Article 3. The term “information technology” stated in the Guidelines shall refer to the system built with computer, communication and software technologies, and emplo

5、yed by commercial banks to handle business transactions, operation management, and internal communication, collaborative work and controls. The term also include IT governance, IT organization structure and IT policies and procedures.Article 4. The risk of information technology refers to the operat

6、ional risk, legal risk and reputation risk that are caused by natural factor, human factor, technological loopholes or management deficiencies when using information technology.Article 5. The objective of information system risk management is to establish an effective mechanism that can identify, me

7、asure, monitor, and control the risks of commercial banks information system, ensure data integrity, availability, confidentiality and consistency, provide the relevant early warning, and thereby enable commercial banks business innovations, uplift their capability in utilizing information technolog

8、y, improve their core competitiveness and capacity for sustainable development.Chapter IIIT governanceArticle 6. The legal representative of commercial bank should be responsible to ensure compliance of this guideline. Article 7. The board of directors of commercial banks should have the following r

9、esponsibilities with respect to the management of information systems:(1) Implementing and complying with the national laws, regulations and technical standards pertaining to the management of information systems, as well as the regulatory requirements set by the China Banking Regulatory Commission

10、(hereinafter referred to as the “CBRC”);(2) Periodically reviewing the alignment of IT strategy with the overall business strategies and significant policies of the bank, assessing the overall effectiveness and efficiency of the IT organization.(3) Approving IT risk management strategies and policie

11、s, understanding the major IT risks involved, setting acceptable levels for these risks, and ensuring the implementation of the measures necessary to identify, measure, monitor and control these risks. (4) Setting high ethical and integrity standards, and establishing a culture within the bank that

12、emphasizes and demonstrates to all levels of personnel the importance of IT risk management. (5) Establishing an IT steering committee which consists of representatives from senior management, the IT organization, and major business units, to oversee these responsibilities and report the effectivene

13、ss of strategic IT planning, the IT budget and actual expenditure, and the overall IT performance to the board of directors and senior management periodically. (6) Establishing IT governance structure, proper segregation of duty, clear role and responsibility, maintaining check and balances and clea

14、r reporting relationship. Strengthening IT professional staff by developing incentive program.(7) Ensuring that there is an effective internal audit of the IT risk management carried out by operationally independent, well-trained and qualified staff. The internal audit report should be submitted dir

15、ectly to the IT audit committee;(8) Submitting an annual report to the CBRC and its local offices on information system risk management that has been reviewed and approved by the board of directors ;(9) Ensuring the appropriating funding necessary for IT risk management works;(10) Ensuring that all

16、employees of the bank fully understand and adhere to the IT risk management policies and procedures approved by the board of directors and the senior management, and are provided with pertinent training.(11) Ensuring customer information, financial information, product information and core banking s

17、ystem of the legal entity are held independently within the territory, and complying with the regulatory on-site examination requirements of CBRC and guarding against cross-border risk.(12) Reporting in a timely manner to the CBRC and its local offices any serious incident of information systems or

18、unexpected event, and quickly respond to it in accordance with the contingency plan;(13) Cooperating with the CBRC and its local offices in the supervisory inspection of the risk management of information systems, and ensure that supervisory opinions are followed up; and(14) Performing other related

19、 IT risk management tasks.Article 8. The head of the IT organization, commonly known as the Chief Information Officer (CIO) should report directly to the president. Roles and responsibilities of the CIO should include the following:(1) Playing a direct role in key decisions for the business developm

20、ent involving the use of IT in the bank;(2) The CIO should ensure that information systems meet the needs of the bank, and IT strategies, in particular information system development strategies, comply with the overall business strategies and IT risk management policies of the bank;(3) The CIO shoul

21、d also be responsible for the establishment of an effective and efficient IT organization to carry out the IT functions of the bank. These include the IT budget and expenditure, IT risk management, IT policies, standards and procedures, IT internal controls, professional development, IT project init

22、iatives, IT project management, information system maintenance and upgrade, IT operations, IT infrastructure, Information security, disaster recovery plan (DRP), IT outsourcing, and information system retirement;(4) Ensuring the effectiveness of IT risk management throughout the organization includi

23、ng all branches.(5) Organizing professional trainings to improve technical proficiency of staff.(6) Performing other related IT risk management tasks.Article 9. Commercial banks should ensure that a clear definition of the IT organization structure and documentation of all job descriptions of import

24、ant positions are always in place and updated in a timely manner. Staff in each position should meet relevant requirements on professional skills and knowledge. The following risk mitigation measures should be incorporated in the management program of related staff:(1) Verification of personal infor

25、mation including confirmation of personal identification issued by government, academic credentials, prior work experience, professional qualifications;(2) Ensuring that IT staff can meet the required professional ethics by checking character reference; (3) Signing of agreements with employees about

26、 understanding of IT policies and guidelines, non-disclosure of confidential information, authorized use of information systems, and adherence to IT policies and procedures; and(4) Evaluation of the risk of losing key IT personnel, especially during major IT development stage or in a period of unsta

27、ble IT operations, and the relevant risk mitigation measures such as staff backup arrangement and staff succession plan.Article 10. Commercial banks should establish or designate a particular department for IT risk management. It should report directly to the CIO and the Chief Risk Officer (or risk

28、management committee), serve as a member of the IT incident response team, and be responsible for coordinating the establishment of policies regarding IT risk management, especially the areas of information security, BCP, and compliance with the CBRC regulations, advising the business departments an

29、d IT department in implementing these policies, providing relevant compliance information, conducting on-going assessment of IT risks, and ensuring the follow-up of remediation advice, monitoring and escalating management of IT threats and non-compliance events. Article 11. Commercial banks should e

30、stablish a special IT audit role and responsibility within internal audit function, which should put in place IT audit policies and procedures, develop and execute IT audit plan.Article 12. Commercial banks should put in place policies and procedures to protect intellectual property rights according

31、 to laws regarding intellectual properties, ensure purchase of legitimate software and hardware, prevention of the use of pirated software, and the protection of the proprietary rights of IT products developed by the bank, and ensure that these are fully understood and complied by all employees. Art

32、icle 13. Commercial banks should, in accordance with relevant laws and regulations, disclose the risk profile of their IT normatively and timely.Chapter IIIIT Risk ManagementArticle 14. Commercial banks should formulate an IT strategy that aligns with the overall business plan of the bank, IT risk a

33、ssessment plan and an IT operational plan that can ensure adequate financial resources and human resources to maintain a stable and secure IT environment.Article 15. Commercial banks should put in place a comprehensive set of IT risk management policies that include the following areas:(1) Informati

34、on security classification policy(2) System development, testing and maintenance policy(3) IT operation and maintenance policy(4) Access control policy(5) Physical security policy (6) Personnel security policy(7) Business Continuity Planning and Crisis and Emergency Management procedureArticle 16. C

35、ommercial banks should maintain an ongoing risk identification and assessment process that allows the bank to pinpoint the areas of concern in its information systems, assess the potential impact of the risks on its business, rank the risks, and prioritize mitigation actions and the necessary resour

36、ces (including outsourcing vendors, product vendors and service vendors).Article 17. Commercial banks should implement a comprehensive set of risk mitigation measures complying with the IT risk management policies and commensurate with the risk assessment of the bank. These mitigation measures shoul

37、d include:(1) A set of clearly documented IT risk policies, technical standards, and operational procedures, which should be communicated to the staff frequently and kept up to date in a timely manner;(2) Areas of potential conflicts of interest should be identified, minimized, and subject to carefu

38、l, independent monitoring. Also it requires that an appropriate control structure is set up to facilitate checks and balances, with control activities defined at every business level, which should include:- Top level reviews; - Controls over physical and logical access to data and system; - Access g

39、ranted on “need to know” and “minimum authorization” basis;- A system of approvals and authorizations; and- A system of verification and reconciliation.Article 18. Commercial banks should put in place a set of ongoing risk measurement and monitoring mechanisms, which should include(1) Pre and post-i

40、mplementation review of IT projects;(2) Benchmarks for periodic review of system performance;(3) Reports of incidents and complaints about IT services;(4) Reports of internal audit, external audit, and issues identified by CBRC; and(5) Arrangement with vendors and business units for periodic review

41、of service level agreements (SLAs).(6) The possible impact of new development of technology and new threats to software deployed.(7) Timely review of operational risk and management controls in operation area.(8) Assess the risk profile on IT outsourcing projects periodically.Article 19. Chinese com

42、mercial banks operating offshore and the foreign commercial banks in China should comply with the relevant regulatory requirements on information systems in and outside the Peoples Republic of China.Chapter IVInformation SecurityArticle 20. Information technology department of commercial banks shoul

43、d oversee the establishment of an information classification and protection scheme. All employees of the bank should be made aware of the importance of ensuring information confidentiality and provided with the necessary training to fully understand the information protection procedures within their

44、 responsibilities.Article 21. Commercial banks should put in place an information security management function to develop and maintain an ongoing information security management program, promote information security awareness, advise other IT functions on security issues, serve as the leader of IT i

45、ncident response team, and report the evaluation of the information security of the bank to the IT steering committee periodically. The Information security management program should include Information security standards, strategy, an implementation plan, and an ongoing maintenance plan.Information

46、 security policy should include the following areas:(1) IT security policy management(2) Organization information security(3) Asset management(4) Personnel security(5) Physical and environment security(6) Communication and operation security(7) Access control and authentication(8) Acquirement, devel

47、opment and maintenance of information system(9) Information security event management(10) Business continuity management(11) ComplianceArticle 22. Commercial banks should have an effective process to manage user authentication and access control. Access to data and system should be strictly limited

48、to authorized individuals whose identity is clearly established, and their activities in the information systems should be limited to the minimum required for their legitimate business use. Appropriate user authentication mechanism commensurate with the classification of information to be accessed s

49、hould be selected. Timely review and removal of user identity from the system should be implemented when user transfers to a new job or leave the commercial bank.Article 23. Commercial banks should ensure all physical security zones, such as computer centers or data centers, network closets, areas c

50、ontaining confidential information or critical IT equipment, and respective accountabilities are clearly defined, and appropriate preventive, detective, and recuperative controls are put in place.Article 24. Commercial banks should divide their networks into logical security domains (hereinafter ref

51、erred to as the “domain”) with different levels of security. The following security factors have to be assessed in order to define and implement effective security controls, such as physical or logical segregation of network, network filtering, logical access control, traffic encryption, network mon

52、itoring, activity log, etc., for each domain and the whole network.(1) criticality of the applications and user groups within the domain;(2) Access points to the domain through various communication channels;(3) Network protocols and ports used by the applications and network equipment deployed with

53、in the domain;(4) Performance requirement or benchmark;(5) Nature of the domain, i.e. production or testing, internal or external;(6) Connectivity between various domains; and(7) Trustworthiness of the domain.Article 25. Commercial banks should secure the operating system and system software of all

54、computer systems by(1) Developing baseline security requirement for each operating system and ensuring all systems meet the baseline security requirement;(2) Clearly defining a set of access privileges for different groups of users, namely, end-users, system development staff, computer operators, an

55、d system administrators and user administrators;(3) Setting up a system of approval, verification, and monitoring procedures for using the highest privileged system accounts;(4) Requiring technical staff to review available security patches, and report the patch status periodically; and(5) Requiring

56、 technical staff to include important items such as unsuccessful logins, access to critical system files, changes made to user accounts, etc. in system logs, monitors the systems for any abnormal event manually or automatically, and report the monitoring periodically.Article 26. Commercial banks sho

57、uld ensure the security of all the application systems by(1) Clearly defining the roles and responsibilities of end-users and IT staff regarding the application security;(2) Implementing a robust authentication method commensurate with the criticality and sensibility of the application system;(3) En

58、forcing segregation of duties and dual control over critical or sensitive functions;(4) Requiring verification of input or reconciliation of output at critical junctures;(5) Requiring the input and output of confidential information are handled in a secure manner to prevent theft, tampering, intentional leakage, or inadvertent leakage; (6) Ensuring system can handle exceptions in a predefined way and provide meaningful message to users when the system is forced to terminate; and(7) Maintaining audit trail in either paper or electronic f