【正文】 ironmental conditions could affect adversely the operation of information processing facilities should be protected from power failures and electrical supply controlling access by thirdparty personnel( providers)to secured areas, proper approval of access should be enforced and their activities should be closely is important that proper screening procedures including verification and background checks, especially for sensitive technologyrelated jobs, are developed for permanent and temporary technical staff and banks should separate IT operations or puter center operations from system development and maintenance to ensure segregation of duties within the IT mercial banks should document the roles and responsibilities of data center banks are required to retain transactional records in pliance with the national accounting and technology are needed to be put in place to ensure the integrity, safekeeping and retrieval requirements of the archived banks should detail operational instructions such as puter operator tasks, job scheduling and execution in the IT operations IT operations manual should also cover the procedures and requirements for onsite and offsite backup of data and software in both the production and development environments(, scope and retention periods of backup).Article banks should have in place a problem management and processing system to respond promptly to IT operations incidents, to escalate reported incidents to relevant IT management staff and to record, analyze and keep tracks of all these incidents until rectification of the incidents with root cause analysis helpdesk function should be set up to provide frontline support to users on all technologyrelated problems and to direct the problems to relevant IT functions for investigation and banks should establish service level agreement and assess the IT service level standard banks should implement a process to ensure that the performance of application systems is continuously monitored and exceptions are reported in a timely and prehensive performance monitoring process should include forecasting capability to enable exceptions to be identified and corrected before they affect system 154/17/2013Article banks should carry out capacity plan to cater for business growth and transaction increases due to changes of economic plan should be extended to cover backup systems and related facilities in addition to the production banks should ensure the continued availability of technology related services with timely maintenance and appropriate system record keeping(including suspected and actual faults and preventive and corrective maintenance records)is necessary for effective facility and equipment banks should have an effective change management process in place to ensure integrity and reliability of the production banks should develop a formal change management VII Business Continuity ManagementArticle banks should have in place appropriate arrangements, having regard to the nature, scale and plexity of its business, to ensure that it can continue to function and meet its regulatory obligations in the event of an unforeseen arrangements should be regularly updated and tested to ensure their banks should consider the likelihood and impact of a disruption to the continuity of its operation from unexpected should include assessing the disruptions to which it is particularly susceptible including but not limited to:(1)Loss of failure of internal and external resources(such as people, systems and other assets)。b)The recovery priorities for the mercial bank’s operations。Processes to review and update(1)to(3)following changes to the mercial bank’s operations or risk final BCP plan and an annual drill result must be signed off by the IT Risk management, or internal auditor and IT Steering VIII OutsourcingArticle banks cannot contract out its regulatory obligations and should take reasonable care to supervise the discharge of outsourcing banks should take particular care to manage material outsourcing arrangement(such as outsourcing of data center, IT infrastructure, etc.), and should notify CBRC when it intends to enter into material outsourcing entering into, or significantly changing, an outsourcing arrangement, the mercial bank should:(1)Analyze how the arrangement will fit with its organization and reporting structure。(2)Consider whether the arrangements will allow it to monitor and control its operational risk exposure relating to the outsourcing。(2)Whether sufficient access will be available to its internal auditors, external auditors and banking regulators。(4)Consider how it will ensure a smooth transition of its operations from its current arrangements to a new or changed outsourcing arrangement(including what will happen on the termination of the contract)。overall risk profile。of 154/17/2013(2)(3)(4)Escalation and invocation plans that outline the processes for implementing the business continuity plans, together with relevant contact information。and(3)External events(such as war, earthquake, typhoon, etc).Article bank should act to reduce both the likelihood of disruptions(including system resilience and dual processing)。(2)Separating the duties of managing production systems and managing development or testing systems。and(7)Maintaining audit trail in either paper or electronic format.(8)Requiring user administrator to monitor and review unsuccessful logins and changes to users banks should have a set of policies and procedures controlling the logging of activities in all production systems to support effective auditing, security forensic analysis, and fraud can be implemented in different layers of software and on different puter and networking equipment, which falls into two broad categories:(1)Transaction are generated by application software and database management system, and contain authentication attempts, modification to data, error messages, jo