【正文】 ional development, IT project initiatives, IT project management, information system maintenance and upgrade, IT operations, IT infrastructure, Information security, disaster recovery plan(DRP), IT outsourcing, and information system retirement。(4)Ensuring the effectiveness of IT risk management throughout the organization including all branches.(5)Organizing professional trainings to improve technical proficiency of staff.(6)Performing other related IT risk management banks should ensure that a clear definition of the IT organization structure and documentation of all job descriptions of important positions are always in place and updated in a timely in each position should meet relevant requirements on professional skills and following risk mitigation measures should be incorporated in the management program of related staff:(1)Verification of personal information including confirmation of personal identification issued by government, academic credentials, prior work experience, professional qualifications。(2)Ensuring that IT staff can meet the required professional ethics by checking character reference。(3)Signing of agreements with employees about understanding of IT policies and guidelines, nondisclosure of confidential information, authorized use of information systems, and adherence to IT policies and procedures。and(4)Evaluation of the risk of losing key IT personnel, especially during major IT development stage or in a period of unstable IT operations, and the relevant risk mitigation measures such as staff backup arrangement and staff succession banks should establish or designate a particular department for IT risk should report directly to the CIO and the Chief Risk Officer(or risk management mittee), serve as a member of the IT incident response team, and be responsible for coordinating the establishment of policies regarding IT risk management, especially the areas of information security, BCP, and pliance with the CBRC regulations, advising the business departments and IT department in implementing these policies, providing relevant pliance information, conducting ongoing assessment of IT risks, and ensuring the followup of remediation advice, monitoring and escalating management of IT threats and nonpliance 154/17/2013Article banks should establish a special IT audit role and responsibility within internal audit function, which should put in place IT audit policies and procedures, develop and execute IT audit banks should put in place policies and procedures to protect intellectual property rights according to laws regarding intellectual properties, ensure purchase of legitimate software and hardware, prevention of the use of pirated software, and the protection of the proprietary rights of IT products developed by the bank, and ensure that these are fully understood and plied by all banks should, in accordance with relevant laws and regulations, disclose the risk profile of their IT normatively and III IT Risk ManagementArticle banks should formulate an IT strategy that aligns with the overall business plan of the bank, IT risk assessment plan and an IT operational plan that can ensure adequate financial resources and human resources to maintain a stable and secure IT banks should put in place a prehensive set of IT risk management policies that include the following areas:(1)Information security classification policy(2)System development, testing and maintenance policy(3)IT operation and maintenance policy(4)Access control policy(5)Physical security policy(6)Personnel security policy(7)Business Continuity Planning and Crisis and Emergency Management procedureArticle banks should maintain an ongoing risk identification and assessment process that allows the bank to pinpoint the areas of concern in its information systems, assess the potential impact of the risks on its business, rank the risks, and prioritize mitigation actions and the necessary resources(including outsourcing vendors, product vendors and service vendors).Article banks should implement a prehensive set of risk mitigation measures plying with the IT risk management policies and mensurate with the risk assessment of the mitigation measures should include:(1)A set of clearly documented IT risk policies, technical standards, and operational procedures, which should be municated to the staff frequently and kept up to date in a timely manner。(2)Areas of potential conflicts of interest should be identified, minimized, and subject to careful, independent it requires that an appropriate of 154/17/2013 control structure is set up to facilitate checks and balances, with control activities defined at every business level, which should include:Top level reviews。Controls over physical and logical access to data and system。Access granted on “need to know” and “minimum authorization” basis。A system of approvals and authorizations。and A system of verification and banks should put in place a set of ongoing risk measurement and monitoring mechanisms, which should include(1)Pre and postimplementation review of IT projects。(2)Benchmarks for periodic review of system performance。(3)Reports of incidents and plaints about IT services。(4)Reports of internal audit, external audit, and issues identified by CBRC。and(5)Arrangement with vendors and business units for periodic review of service level agreements(SLAs).(6)The possible impact of new development of technology and new threats to software deployed.(7)Timely review of operational risk and management controls in operation area.(8)Assess the risk profile on IT outsourcing projects mercial banks operating offshore and the foreign mercial banks in China should ply with the relevant regulatory requirements on information systems in and outside the People’s Republic of IV Information SecurityArticle technology department of mercial banks should oversee the establishment of an information classification and protection employees of