function should be set up to provide frontline support to users on all technology-related problems and to direct the problems to the relevant IT functions for investigation and resolution.

Article 45. Commercial banks should establish service level agreements and assess the IT service level standard attained.

Article 46. Commercial banks should implement a process to ensure that the performance of application systems is continuously monitored and exceptions are reported in a timely and comprehensive manner. The performance monitoring process should include forecasting capability to enable exceptions to be identified and corrected before they affect system performance.

Article 47. Commercial banks should carry out capacity planning to cater for business growth and transaction increases due to changes in economic conditions. Capacity planning should be extended to cover backup systems and related facilities in addition to the production environment.

Article 48. Commercial banks should ensure the continued availability of technology-related services with timely maintenance and appropriate system upgrades. Proper record keeping (including records of suspected and actual faults and of preventive and corrective maintenance) is necessary for effective facility and equipment maintenance.

Article 49. Commercial banks should have an effective change management process in place to ensure the integrity and reliability of the production environment. Commercial banks should develop a formal change management process.

Chapter VII Business Continuity Management

Article 50. Commercial banks should have in place appropriate arrangements, having regard to the nature, scale and complexity of their business, to ensure that they can continue to function and meet their regulatory obligations in the event of an unforeseen interruption. These arrangements should be regularly updated and tested to ensure their effectiveness.

Article 51.
Commercial banks should consider the likelihood and impact of a disruption to the continuity of their operations from unexpected events. This should include assessing the disruptions to which they are particularly susceptible, including but not limited to: (1) Loss or failure of internal and external resources (such as people, systems and other assets);

(3) Encryption strength is adequate to protect the confidentiality of the information;

(5) Requiring that the input and output of confidential information be handled in a secure manner to prevent theft, tampering, intentional leakage, or inadvertent leakage; and

(5) Requiring technical staff to include important items such as unsuccessful logins, access to critical system files, changes made to user accounts, etc. in system logs, to monitor the systems for any abnormal event manually or automatically, and to report on the monitoring periodically.

Article 26. Commercial banks should ensure the security of all application systems by (1) Clearly defining the roles and responsibilities of end-users and IT staff regarding application security; and

(7) Trustworthiness of the domain.

Article 25. Commercial banks should secure the operating system and system software of all computer systems by (1) Developing baseline security requirements for each operating system and ensuring all systems meet the baseline security requirements;

(3) Network protocols and ports used by the applications and network equipment deployed within the domain;

(3) Reports of incidents and complaints about IT services;

Access granted on a "need to know" and "minimum authorization" basis;

(3) Signing of agreements with employees about understanding of IT policies and guidelines, non-disclosure of confidential information, authorized use of information systems, and adherence to IT policies and procedures;

(2) The CIO should ensure that information systems meet the needs of the bank, and that IT strategies, in particular information system development strategies, comply with the overall business strategies and IT risk management policies of the bank;

(9) Ensuring the appropriate funding necessary for IT risk management work;

Guidelines on the Risk Management of Commercial Banks' Information Technology

Chapter I General Provisions

Article 1. Pursuant to the Law of the People's Republic of China on Banking Regulation and Supervision, the Law of the People's

(8) Submitting an annual report to the CBRC and its local offices on information system risk management that has been reviewed and approved by the board of directors; and

(14) Performing other related IT risk management tasks.

Article 8. The head of the IT organization, commonly known as the Chief Information Officer (CIO), should report directly to the president. Roles and responsibilities of the CIO should include the following: (1) Playing a direct role in key decisions for business development involving the use of IT in the bank;

(2) Ensuring that IT staff meet the required professional ethics by checking character references;

Controls over physical and logical access to data and systems;

(2) Benchmarks for periodic review of system performance;

(2) Access points to the domain through various communication channels;

(6) Connectivity between various domains;

(4) Requiring technical staff to review available security patches and report the patch status periodically;

(4) Requiring verification of input or reconciliation of output at critical junctures;

(2) Staff in charge of encryption facilities are well trained and screened;

(3) Prohibiting application development and maintenance staff from accessing production systems under normal circumstances unless management approval is granted to perform emergency repairs, and all emergency repair activities should be recorded and reviewed promptly; and

the impact of disruptions (including by contingency arrangements and insurance).

Article 53. Commercial banks should document their strategy for maintaining continuity