[Main text]

Part 1: Guidelines on the Risk Management of Commercial Banks' Information Technology (English version)

Guidelines on the Risk Management of Commercial Banks' Information Technology

Chapter I General Provisions

Article 1 According to the Law of the People's Republic of China on Banking Regulation and Supervision, the Law of the People's Republic of China on Commercial Banks, the Regulations of the People's Republic of China on Administration of Foreign-funded Banks, and other applicable laws and regulations, the Guidelines on the Risk Management of Commercial Banks' Information Technology (hereinafter referred to as the Guidelines) is formulated.

Article 2 The Guidelines apply to all the commercial banks legally incorporated within the territory of the People's Republic of China.

Article 3 The Guidelines may apply to other banking institutions including policy banks, rural cooperative banks, urban credit cooperatives, rural credit cooperatives, village banks, loan companies, financial asset management companies, trust and investment companies, finance firms, financial leasing companies, automobile financial companies and money brokerage companies.

Article 4 The term "information technology" stated in the Guidelines shall refer to the system built with computer, communication and software technologies, and employed by commercial banks to handle business transactions, operation management, internal communication, collaborative work and so on. The term also includes IT governance, IT organization structure, and IT policies and procedures.

Article 5 The risk of information technology refers to the operational risk, legal risk and reputation risk caused by natural factors, human factors, technological loopholes or management deficiencies when using information technology.

Article 6 The objective of information system risk management is to establish an effective mechanism that can identify, measure, monitor and control the risks of commercial banks' information systems; ensure data integrity, availability, confidentiality and consistency; provide the relevant early warning; and thereby enable commercial banks' business innovations, uplift their capability in utilizing information technology, and improve their core competitiveness and capacity for sustainable development.

of 15 4/17/2013

Chapter II IT Governance

Article 7 The legal representative of a commercial bank should be responsible for ensuring compliance with the Guidelines.

Article 8 The board of directors of commercial banks should have the following responsibilities with respect to the management of information systems:

(1) Implementing and complying with the national laws, regulations and technical standards pertaining to the management of information systems, as well as the regulatory requirements set by the China Banking Regulatory Commission (hereinafter referred to as the "CBRC");

(2) Periodically reviewing the alignment of the IT strategy with the overall business strategies and significant policies of the bank, and assessing the overall effectiveness and efficiency of the IT organization;

(3) Approving IT risk management strategies and policies, understanding the major IT risks involved, setting acceptable levels for these risks, and ensuring the implementation of the measures necessary to identify, measure, monitor and control these risks;

(4) Setting high ethical and integrity standards, and establishing a culture within the bank that emphasizes and demonstrates to all levels of personnel the importance of IT risk management;

(5) Establishing an IT steering committee, consisting of representatives from senior management, the IT organization and major business units, to oversee these responsibilities and to report periodically to the board of directors and senior management on the effectiveness of strategic IT planning, the IT budget and actual expenditure, and overall IT performance;

(6) Establishing an IT governance structure, proper segregation of duties, and clear roles and responsibilities; maintaining checks and balances and clear reporting lines; and retaining IT professional staff by developing incentive programs;

(7) Ensuring that there is an effective internal audit of IT risk management carried out by operationally independent, well-trained and qualified internal audit staff. The audit report should be submitted directly to the IT audit committee;

(8) Submitting to the CBRC and its local offices an annual report on information system risk management that has been reviewed and approved by the board of directors;

(9) Ensuring the appropriate funding necessary for IT risk management work;

(10) Ensuring that all employees of the bank fully understand and adhere to the IT risk management policies and procedures approved by the board of directors and senior management, and are provided with pertinent training;

(11) Ensuring that customer information, financial information, product information and the core banking system of the legal entity are held independently within the territory, complying with the on-site examination requirements of the CBRC, and guarding against cross-border risk;

(12) Reporting in a timely manner to the CBRC and its local offices any serious information system incident or unexpected event, and responding to it quickly in accordance with the contingency plan;

(13) Cooperating with the CBRC and its local offices in the supervisory inspection of the risk management of information systems, and ensuring that supervisory opinions are followed up; and

(14) Performing other related IT risk management responsibilities.

Article 9 The head of the IT organization, commonly known as the Chief Information Officer (CIO), should report directly to the … The roles and responsibilities of the CIO should include the following:

(1) Playing a direct role in key decisions for business development involving the use of IT in the bank;

(2) Ensuring that information systems meet the needs of the bank, and that IT strategies, in particular information system development strategies, comply with the overall business strategies and IT risk management policies of the bank;

(3) Being responsible for the establishment of an effective and efficient IT organization to carry out the IT functions of the bank. These include the IT budget and expenditure, IT risk management, IT policies, standards and procedures, IT internal controls, profess