Guidelines on Information Technology Risk Management for Commercial Banks (English Version) - Preview Page

 

g assessment of IT risks, and ensuring the follow-up of remediation advice, monitoring and escalating management of IT threats and non-compliance

Article banks should establish a special IT audit role and responsibility within internal audit function, which should put in place IT audit policies and procedures, develop and execute IT audit banks should put in place policies and procedures to protect intellectual property rights according to laws regarding intellectual properties, ensure purchase of legitimate software and hardware, prevention of the use of pirated software, and the protection of the proprietary rights of IT products developed by the bank, and ensure that these are fully understood and complied by all banks should, in accordance with relevant laws and regulations, disclose the risk profile of their IT normatively and

III IT Risk Management

Article banks should formulate an IT strategy that aligns with the overall business plan of the bank, IT risk assessment plan and an IT operational plan that can ensure adequate financial resources and human resources to maintain a stable and secure IT banks should put in place a comprehensive set of IT risk management policies that include the following areas: (1) Information security classification policy (2) System development, testing and maintenance policy (3) IT operation and maintenance policy (4) Access control policy (5) Physical security policy (6) Personnel security policy (7) Business Continuity Planning and Crisis and Emergency Management procedure

Article banks should maintain an ongoing risk identification and assessment process that allows the bank to pinpoint the areas of concern in its information systems, assess the potential impact of the risks on its business, rank the risks, and prioritize mitigation actions and the necessary resources (including outsourcing vendors, product vendors and service vendors).

Article banks should implement a comprehensive set of risk mitigation measures complying with the IT risk management policies and commensurate with the risk assessment of the mitigation measures should include: (1) A set of clearly documented IT risk policies, technical standards, and operational procedures, which should be communicated to the staff frequently and kept up to date in a timely manner; A system of approvals and authorizations; (4) Reports of internal audit, external audit, and issues identified by CBRC; (4) Performance requirement or benchmark; (2) Clearly defining a set of access privileges for different groups of users, namely, end-users, system development staff, computer operators, and system administrators and user administrators; (2) Implementing a robust authentication method commensurate with the criticality and sensibility of the application system; (6) Ensuring system can handle exceptions in a predefined way and provide meaningful message to users when the system is forced to terminate; and (4) Effective and efficient key management procedures, especially key lifecycle management and certificate lifecycle management, are in banks should put in place an effective and efficient system of securing all end-user computing equipment which include desktop personal computers (PCs), portable PCs, teller terminals, automatic teller machines (ATMs), passbook printers, debit or credit card readers, point of sale (POS) terminals, personal digital assistant (PDAs), etc. and conduct periodic security checks on all banks should put in place a set of policies and procedures to govern the collection, processing, storage, transmission, dissemination, and disposal of customer employees, including contract staff, should be provided with the necessary trainings to fully understand these policies procedures and the consequences of their banks should adopt a zero tolerance policy against security

V Application System Development, Testing and Maintenance

Article banks should have the capability to identify, plan, acquire, develop, test, deploy, maintain, upgrade, and retire information and procedures should be in place to govern the initiation, prioritization, approval, and control of IT reports of major IT projects should be submitted to and reviewed by the IT steering committee involving significant change of schedule, change of key personnel, change of vendors, and major expenditures should be included in the progress banks should recognize the risks associated with IT projects, which include the possibilities of incurring various kinds of operational risk, financial losses, and opportunity costs stemming from ineffective project planning or inadequate project management controls of the , appropriate project management methodologies should be adopted and implemented to control the risks associated with IT banks should adopt and implement a system development methodology to control the life cycle of Information typical phases of system life cycle include system analysis, design, development or acquisition, testing, trial run, deployment, maintenance, and system development methodology to be used should be commensurate with the size, nature, and complexity of the IT project, and, generally speaking, should facilitate the management of the following banks should ensure system reliability, integrity, and maintainability by controlling system changes with a set of policies and procedures, which should include the following elements. (1) Ensure that production systems are separated from development or testing systems; (2) The loss or corruption of its information; and c) Communication arrangements for internal and external concerned parties (including CBRC, clients and the press); business strategy; (3) Conduct appropriate due diligence of the service provider’s financial stability, expertise and risk assessment of the service provider, facilities and ability to cover the potential liabilities; (3) Information ownership rights, confidentiality agreements and Firewalls to protect client and other information (including arrangements at the te