商业银行信息科技风险管理指引英文版

Commercial Banks ' Information TechnologyChapter I General ProvisionsArticle 1. Pursuant to the Law of the People 's Republic of China on Banking Regulation and Supervision, the Law of the People's Republic of China on Commercial Banks, the Regulations of the People's Republic of China on Administration of Foreign-funded Banks, and other applicable laws and regulations, the Guidelines on the Risk Management of Commercial Banks' Information Technology (hereinafter referred to as the Guidelines) is formulated.Article 2. The Guidelines apply to all the commercial banks legally incorporated within the territory of the People's Republic of China.The Guidelines may apply to other banking institutions including policy banks, rural cooperative banks, urban credit cooperatives, rural credit cooperatives, village banks, loan companies, financial asset management companies, trust and investment companies, finance firms, financial leasing companies, automobile financial companies and money brokers. Article 3. The term “information technology ” stated in theGuidelines shall refer to the system built with computer,communication and software technologies, and employed by commercial banks to handle business transactions, operation management,and internal communication, collaborative work and controls. The term also include IT governance, IT organization structure and IT policies and procedures.Article 4. The risk of information technology refers to the operational risk, legal risk and reputation risk that are caused by natural factor, human factor, technological loopholes or management deficiencies when using information technology.Article 5. The objective of information system risk management is to establish an effective mechanism that can identify, measure, monitor, and control the risks of commercial banks' information system, ensure data integrity, availability, confidentiality and consistency, provide the relevant early warning, and thereby enable commercial banks' business innovations, uplift their capability in utilizing information technology, improve their core competitiveness and capacityfor sustainable development.Chapter II IT governanceArticle 6. The legal representative of commercial bank should be responsible to ensure compliance of this guideline.The board of directors of commercial banksArticle 7.should have the following responsibilities with respect to the management of information systems:(1)Implementing and complying with the national laws, regulations and technical standards pertaining to the management of information systems, as well as the regulatory requirements set by the China Banking Regulatory Commission (hereinafter referred to as the “CBRC”);(2)Periodically reviewing the alignment of IT strategy with the overall business strategies and significant policies of the bank, assessing the overall effectiveness and efficiencyof the IT organization.(3)Approving IT risk management strategies and policies, understanding the major IT risks involved, setting acceptable levels for these risks, and ensuring the implementation of the measures necessary to identify, measure, monitor and control these risks.(4)Setting high ethical and integrity standards, and establishing a culture within the bank that emphasizes and demonstrates to all levels of personnel the importance of IT risk management.(5)Establishing an IT steering committee which consists ofrepresentatives from senior management, the IT organization, and major business units, to oversee these responsibilities and report the effectiveness of strategic IT planning, the IT budget and actual expenditure, and the overall IT performance to the board of directors and senior management periodically.(6)Establishing IT governance structure, proper segregation of duty, clear role and responsibility, maintaining check and balances and clear reporting relationship. Strengthening IT professional staff by developing incentive program.(7)Ensuring that there is an effective internal audit of the IT risk management carried out by operationally independent, well-trained and qualified staff. The internal audit report should be submitted directly to the IT audit committee;(8)Submitting an annual report to the CBRC and its local offices on information system risk management that has been reviewed and approved by the board of directors ;(9)Ensuring the appropriating funding necessary for IT risk management works;(10)Ensuring that all employees of the bank fully understand and adhere to the IT risk management policies and procedures approved by the board of directors and the senior management,and are provided with pertinent training.(11)Ensuring customer information, financial information, product information and core banking system of the legalentity are held independently within the territory, and complying with the regulatory on-site examination requirements of CBRC and guarding against cross-border risk.(12)Reporting in a timely manner to the CBRC and its local offices any serious incident of information systems or unexpected event, and quickly respond to it in accordance with the contingency plan;(13)Cooperating with the CBRC and its local offices in the supervisory inspection of the risk management of information systems, and ensure that supervisory opinions are followed up; and(14)Performing other related IT risk management tasks. Article 8. The head of the IT organization, commonlyknown as the Chief Information Officer (CIO) should report directly to the president. Roles and responsibilities of the CIO should include the following:(1)Playing a direct role in key decisions for the business development involving the use of IT in the bank;(2)The CIO should ensure that information systems meet theneeds of the bank, and IT strategies, in particularinformation system development strategies, comply with the overall business strategies and IT risk management policies of the bank;(3)The CIO should also be responsible for the establishment of an effective and efficient IT organization to carry out the IT functions of the bank. These include the IT budget and expenditure, IT risk management, IT policies, standards and procedures, IT internal controls, professional development, IT project initiatives, IT project management,information system maintenance and upgrade, IT operations, IT infrastructure, Information security, disaster recovery plan (DRP), IT outsourcing, and information system retirement;(4)Ensuring the effectiveness of IT risk management throughout the organization including all branches.(5)Organizing professional trainings to improve technical proficiency of staff.(6)Performing other related IT risk management tasks. Article 9. Commercial banks should ensure that a clear definition of the IT organization structure and documentation of all job descriptions of important positions are always in place and updated in a timely manner. Staff in each positionshould meet relevant requirements on professional skills and knowledge. The following risk mitigation measures should be incorporated in the management program of related staff:(1)V erification of personal information including confirmationof personal identification issued by government, academic credentials, prior work experience, professionalqualifications;(2)E nsuring that IT staff can meet the required professionalethics by checking character reference;(3)S igning of agreements with employees about understanding ofIT policies and guidelines, non-disclosure of confidential information, authorized use of information systems, andadherence to IT policies and procedures; and(4)E valuation of the risk of losing key IT personnel,especially during major IT development stage or in a period of unstable IT operations, and the relevant risk mitigation measures such as staff backup arrangement and staffsuccession plan.Article 10. Commercial banks should establish or designate a particular department for IT risk management. It should report directly to the CIO and the Chief Risk Officer (or risk management committee), serve as a member of the IT incidentresponse team, and be responsible for coordinating the establishment of policies regarding IT risk management, especially the areas of information security, BCP, and compliance with the CBRC regulations, advising the business departments and IT department in implementing these policies, providing relevant compliance information, conducting on-going assessment of IT risks, and ensuring the follow-up of remediation advice, monitoring and escalating managementof IT threats and non-compliance events.Article 11. Commercial banks should establish a special IT audit role and responsibility within internal audit function, which should put in place IT audit policies and procedures, develop and execute IT audit plan.Article 12. Commercial banks should put in place policies and procedures to protect intellectual property rights according to laws regarding intellectual properties, ensure purchase of legitimate software and hardware, prevention of the use of pirated software, and the protection of the proprietary rights of IT products developed by the bank, and ensure that these are fully understood and complied by all employees.Article 13. Commercial banks should, in accordance withrelevant laws and regulations, disclose the risk profile of their IT normatively and timely.Chapter III IT Risk ManagementArticle 14. Commercial banks should formulate an IT strategy that aligns with the overall business plan of the bank, IT risk assessment plan and an IT operational plan that can ensure adequate financial resources and human resources to maintain a stable and secure IT environment.Article 15. Commercial banks should put in place a comprehensive set of IT risk management policies that include the following areas:(1)Information security classification policy(2)System development, testing and maintenance policy(3)IT operation and maintenance policy(4)Access control policy(5)Physical security policy(6)Personnel security policy(7)Business Continuity Planning and Crisis andEmergency Management procedureArticle 16. Commercial banks should maintain an ongoing risk identification and assessment process that allows the bank to pinpoint the areas of concern in its information systems,assess the potential impact of the risks on its business, rank the risks, and prioritize mitigation actions and the necessary resources (including outsourcing vendors, product vendors and service vendors).Article 17. Commercial banks should implement a comprehensive set of risk mitigation measures complying with the IT risk managementpolicies and commensurate with the risk assessmentof the bank. These mitigation measures should include:(1)A set of clearly documented IT risk policies,technical standards, and operational procedures,which should be communicated to the staff frequentlyand kept up to date in a timely manner;(2)Areas of potential conflicts of interest should beidentified, minimized, and subject to careful,independent monitoring. Also it requires that anappropriate control structure is set up tofacilitate checks and balances, with controlactivities defined at every business level, whichshould include:- Top level reviews;- Controls over physical and logical access to data and system;- Access granted on “ need to know ” and “ minimum- A system of approvals and authorizations; and- A system of verification and reconciliation.Article 18. Commercial banks should put in place a set of ongoing risk measurement and monitoring mechanisms, which should include(1) Pre and post-implementation review of IT projects;(2) Benchmarks for periodic review of systemperformance;(3) Reports of incidents and complaints about ITservices;(4) Reports of internal audit, external audit, andissues identified by CBRC; and(5) Arrangement with vendors and business units forperiodic review of service level agreements (SLAs).(6) The possible impact of new development of technologyand new threats to software deployed.(7) Timely review of operational risk and managementcontrols in operation area.(8) Assess the risk profile on IT outsourcing projectsperiodically.Chinese commercial banks operating offshore andthe foreign commercial banks in China shouldauthorization basis;Article 19.comply with the relevant regulatory requirements on information systems in and outside the People 's Republic of China.Chapter IV Information SecurityArticle 20. Information technology department of commercial banks should oversee the establishment of an information classification and protection scheme. All employees of the bank should be made aware of the importance of ensuring information confidentiality and provided with thenecessary training to fully understand the information protection procedures within theirresponsibilities.Article 21. Commercial banks should put in place an information security management function to develop and maintain an ongoing information security management program, promote information security awareness, advise other IT functions on security issues, serve as the leader of IT incident response team, and report the evaluation of the information security of the bank to the IT steering committee periodically. The Information security management program should include Information security standards, strategy, an implementation plan, and an ongoing maintenance plan. Information security policy should include the following areas:(1)IT security policy management(2)Organization information security(3)Asset management(4)Personnel security(5)Physical and environment security(6)Communication and operation security(7)Access control and authentication(8)Acquirement, development and maintenance ofinformation system(9)Information security event management(10)Business continuity management(11)ComplianceArticle 22. Commercial banks should have an effective process to manage user authentication and access control. Access to data and system should be strictly limited to authorized individuals whose identity is clearly established, and their activities in the information systems should be limited to the minimum required for their legitimate business use. Appropriate user authentication mechanism commensurate with the classification of information to be accessed should be selected. Timely review and removal of user identity from the system should be implemented when user transfers to a new jobor leave the commercial bank.Article 23. Commercial banks should ensure all physical security zones, such as computer centers or data centers, network closets, areas containing confidential information or critical IT equipment, and respective accountabilities are clearly defined, and appropriate preventive, detective, and recuperative controls are put in place.Article 24. Commercial banks should divide their networks into logical security domains (hereinafter referred to as the “domain” ) with different levels of security. The following security factors have to be assessed in order to define and implement effective security controls, such as physical or logical segregation of network, network filtering, logical access control, traffic encryption, network monitoring,activity log, etc., for each domain and the whole network.(1)criticality of the applications and user groupswithin the domain;(2)Access points to the domain through variouscommunication channels;(3)Network protocols and ports used by the applicationsand network equipment deployed within the domain;(4)Performance requirement or benchmark;(5)Nature of the domain, . production or testing,internal or external;(6)Connectivity between various domains; and(7)Trustworthiness of the domain.Article 25. Commercial banks should secure the operating system and system software of all computer systems by(1)Developing baseline security requirement for eachoperating system and ensuring all systems meet thebaseline security requirement;(2)Clearly defining a set of access privileges fordifferent groups of users, namely, end-users, systemdevelopment staff, computer operators, and systemadministrators and user administrators;(3)Setting up a system of approval, verification, andmonitoring procedures for using the highestprivileged system accounts;(4)Requiring technical staff to review availablesecurity patches, and report the patch statusperiodically; and(5)Requiring technical staff to include important itemssuch as unsuccessful logins, access to criticalsystem files, changes madeto user accounts, etc. insystem logs, monitors the systems for any abnormalevent manually or automatically, and report themonitoring periodically.Article 26. Commercial banks should ensure the security of all the application systems by(1) Clearly defining the roles and responsibilities ofend-users and IT staff regarding the applicationsecurity;(2) Implementing a robust authentication methodcommensurate with the criticality the applicationand sensibilityof(3 ) Enforcing segregation ofdutiesand dualcontrol over critical or sensitivefunctions;(4 ) Requiring verification ofinputorreconciliationofoutput at critical junctures;(5)Requiring the input and output of confidentialinformation are handled in a secure manner toprevent theft, tampering, intentional leakage, or inadvertent leakage;(6)Ensuring system can handle exceptions in apredefined way and provide meaningful messagetousers when the system is forced to terminate; and(7)Maintaining audit trail in either paper orelectronic format.(8)Requiring user administrator to monitor and reviewunsuccessful logins and changes to users accounts. Article 27. Commercial banks should have a set of policies and procedures controlling the logging of activities in all production systems to support effective auditing, security forensic analysis, and fraud prevention. Logging can be implemented in different layers of software and on different computer and networking equipment, which falls into two broad categories:(1)Transaction journals. They are generated byapplication software and database managementsystem,and contain authentication attempts, modification todata, error messages, etc. Transaction journalsshould be kept according to the national accountingpolicy.(2)System logs. They are generated by operatingsystems, database management system, firewalls,intrusion detection systems, and routers, etc., andcontain authentication attempts, system events,network events, error messages, etc. System logsshould be kept for a period scaled to the riskclassification, but no less than one year.Banks should ensure that sufficient items be included in the logs to facilitate effective internal controls, system troubleshooting, and auditing while taking appropriate measures to ensure time synchronization on all logs.Sufficient disk space should be allocated to prevent logs from being overwritten. System logs should be reviewed for any exception. The review frequency and retention period for transaction logs or database logs should be determined jointly by IT organization and pertinent business lines, and approved by the IT steering committee.Article 28. Commercial banks should have the capacity to employ encryption technologies to mitigate the risk of losing confidential information in the information systems or during its transmission. Appropriate management processes of the encryption facilities should be put in place to ensure that(1) Encryption facilities in use should meet nationalsecurity standards or requirements;(2) Staff in charge of encryption facilities are welltrained and screened;(3)Encryption strength is adequate to protect theconfidentiality of the information; and(4)Effective and efficient key management procedures,especially key lifecycle managementand certificatelifecycle management, are in place.Article 29. Commercial banks should put in place an effective and efficient system of securing all end-user computing equipment which include desktop personal computers (PCs), portable PCs, teller terminals, automatic teller machines (ATMs), passbook printers, debit or credit card readers, point of sale (POS) terminals, personal digital assistant (PDAs), etc and conduct periodic security checks on all equipments.Article 30. Commercial banks should put in place a set of policies and procedures to govern the collection, processing, storage, transmission, dissemination, and disposal of customer information.Article 31. All employees, including contract staff, should be provided with the necessary trainings to fully understand these policies procedures and the consequences of their violation. Commercial banks should adopt a zero tolerancepolicy against security violation.Chapter V Application System Development, Testing and MaintenanceArticle 32. Commercial banks should have the capability to identify, plan, acquire, develop, test, deploy, maintain, upgrade, and retire information systems. Policies and procedures should be in place to govern the initiation, prioritization, approval, and control of IT projects. Progress reports of major IT projects should be submitted to and reviewed by the IT steering committee periodically. Decisions involving significant change of schedule, change of key personnel, change of vendors, and major expenditures should be included in the progress report.Article 33. Commercial banks should recognize the risks associated with IT projects, which include the possibilities of incurring various kinds of operational risk, financial losses, and opportunity costs stemming from ineffectiveproject planning or inadequate project managementcontrols of the bank. Therefore, appropriate project management methodologies should be adopted and implemented to control the risks associated with IT projects.Article 34. Commercial banks should adopt and implement a system development methodology to control the life cycle of Information systems. The typical phases of system life cycle include system analysis, design, development or acquisition,testing, trial run, deployment, maintenance, and retirement. The system development methodology to be used should be commensurate with the size, nature, and complexity of the IT project, and, generally speaking, should facilitate the management of the following risks.Article 35. Commercial banks should ensure system reliability, integrity, and maintainability by controlling system changes with a set of policies and procedures, which should include the following elements.(1) Ensure that production systems are separated fromdevelopment or testing systems;(2) Separating the duties of managing production systemsand managing development or testing systems;(3)Prohibiting application development and maintenancestaff from accessing production system under normalcircumstances unless managementapproval is grantedto perform emergency repair, and all emergencyrepair activities should be recorded and reviewedpromptly;(4)Promoting changes of program or system configurationfrom development and testing systems to productionsystems should be jointly approved by ITorganizationand business departments, properly documented, andreviewed periodically.Commercial banks should have in place a set of policies, standards, and procedures to ensure data integrity, confidentiality, and availability. These policies should be in accordance with data integrity amid IT development procedure. Commercial banks should ensure thatInformation system problems could be tracked, analyzed, and resolved systematically through an effective problemProblems should be documented, categorized, and indexed. Support servicesor technical assistance from vendors, if necessary, should also be documented. Contacts and relevant contract information should be made readily available to the employees concerned. Accountability and line of commandshould be delineated clearly and communicated to all employees concerned, which is of utmost importance to performing emergency repair.Article 38. Commercial banks should have a set of policies and procedures controlling the process of system upgrade. System upgrade is needed when the hardware reaches its lifespan or runs out of capacity, the underpinning software, namely, operating system, database managementsystem, middleware, has Article 36. Article 37. management process.to be upgraded, or the application software has to be upgraded. The system upgrade should be treated as a project and managed by all pertinent project management controls including user acceptance testing.Chapter VI IT OperationsArticle 39. Commercial banks should consider fully the environmental threats . proximity to natural disaster zones, dangerous or hazardous facilities or busy/major roads) when selecting the locations of their data centers. Physical and environmental controls should be implemented to monitor environmental conditions could affect adversely the operation of information processing facilities. Equipment facilities should be protected from power failures and electrical supply interference.Article 40. In controlling access by third-party personnel service providers) to secured areas, proper approval of access should be enforced and their activities should be closely monitored. It is important that proper screening procedures including verification and background checks, especially for sensitive technology-related jobs, are developed for permanent and temporary technical staff and contractors.Commercial banks should separate IT operations or Article 41.computer center operations from system development andmaintenance to ensure segregation of duties within theIT organization. The commercial banks should documentthe roles and responsibilities of data center functions. Article 42. Commercial banks are required to retain transactional records in compliance with the national accounting policy. Procedures and technology are needed to be put in place to ensure the integrity, safekeeping andretrieval requirements of the archived data.Article 43. Commercial banks should detail operational instructions such as computer operator tasks, job scheduling and execution in the IT operations manual. The IT operations manual should also cover the procedures and requirements for on-site and off-site backup of data and software in both the production and development environments . frequency, scope and retention periods of back-up).Article 44. Commercial banks should have in place a problem management and processing system to respond promptly to IT operations incidents, to escalate reported incidents to relevant IT management staff and to record, analyze and keep tracks of all these incidents until rectification of the incidents with root cause analysis completed. A helpdesk function should be set up to provide front-line support tousers on all technology-related problems and to direct the problems to relevant IT functions for investigation and resolution.Article 45. Commercial banks should establish service level agreement and assess the IT service level standard attained. Article 46. Commercial banks should implement a process to ensure that the performance of application systems is continuously monitored and exceptions are reported in a timely and comprehensive manner. The performance monitoring process should include forecasting capability to enable exceptions to be identified and corrected before they affect system performance.Article 47. Commercial banks should carry out capacity plan to cater for business growth and transaction increases due to changes of economic conditions. Capacity plan should be extended to cover back-up systems and related facilities in addition to the production environment.Article 48. Commercial banks should ensure the continued availability of technology related services with timely maintenance and appropriate system upgrades. Proper record keeping (including suspected and actual faults and preventive and corrective maintenance records) is necessary for effective。