【正文】 (3)Conduct appropriate due diligence of the service provider’s financial stability, expertise and risk assessment of the service provider, facilities and ability to cover the potential liabilities。and c)Communication arrangements for internal and external concernedparties(including CBRC, clients and the press)。and(4)Effective and efficient key management procedures, especially key lifecycle management and certificate lifecycle management, are in banks should put in place an effective and efficient system of securing all enduser puting equipment which include desktop personal puters(PCs), portable PCs, teller terminals, automatic teller machines(ATMs), passbook printers, debit or credit card readers, point of sale(POS)terminals, personal digital assistant(PDAs), etc and conduct periodic security checks on all banks should put in place a set of policies and procedures to govern the collection, processing, storage, transmission, dissemination, and disposal of customer employees, including contract staff, should be provided with the necessary trainings to fully understand these policies procedures and the consequences of their banks should adopt a zero tolerance policy against security V Application System Development, Testing and MaintenanceArticle banks should have the capability to identify, plan, acquire, develop, test, deploy, maintain, upgrade, and retire information and procedures should be in place to govern the initiation, prioritization, approval, and control of IT reports of major IT projects should be submitted to and reviewed by the IT steering mittee involving significant change of schedule, change of key personnel, change of vendors, and major expenditures should be included in the progress banks should recognize the risks associated with IT projects, which include the possibilities of incurring various kinds of operational risk, financial losses, and opportunity costs stemming from ineffective project planning or inadequate project management controls of the , appropriate project management methodologies should be adopted and implemented to control the risks associated with IT banks should adopt and implement a system development of 154/17/2013 methodology to control the life cycle of Information typical phases of system life cycle include system analysis, design, development or acquisition, testing, trial run, deployment, maintenance, and system development methodology to be used should be mensurate with the size, nature, and plexity of the IT project, and, generally speaking, should facilitate the management of the following banks should ensure system reliability, integrity, and maintainability by controlling system changes with a set of policies and procedures, which should include the following elements.(1)Ensure that production systems are separated from development or testing systems。(2)Implementing a robust authentication method mensurate with the criticality and sensibility of the application system。(4)Performance requirement or benchmark。A system of approvals and authorizations。(3)The CIO should also be responsible for the establishment of an effective and efficient IT organization to carry out the IT functions of the include the IT budget and expenditure, IT risk management, IT policies, standards and procedures, IT internal controls, professional development, IT project initiatives, IT project management, information system maintenance and upgrade, IT operations, IT infrastructure, Information security, disaster recovery plan(DRP), IT outsourcing, and information system retirement。s Republic of China on Commercial Banks, the Regulations of the People’s Republic of China on Administration of Foreignfunded Banks, and other applicable laws and regulations, the Guidelines on the Risk Management of Commercial Banks’ Information Technology(hereinafter referred to as the Guidelines)is Guidelines apply to all the mercial banks legally incorporated within the territory of the People’s Republic of Guidelines may apply to other banking institutions including policy banks, rural cooperative banks, urban credit cooperatives, rural credit cooperatives, village banks, loan panies, financial asset management panies, trust and investment panies, finance firms, financial leasing panies, automobile financial panies and money term “information technology” stated in the Guidelines shall refer to the system built with puter, munication and software technologies, and employed by mercial banks to handle business transactions, operation management, and internal munication, collaborative work and term also include IT governance, IT organization structure and IT policies and risk of information technology refers to the operational risk, legal risk and reputation risk that are caused by natural factor, human factor, technological loopholes or management deficiencies when using information objective of information system risk management is to establish an effective mechanism that can identify, measure, monitor, and control the risks of mercial banks’ information system, ensure data integrity, availability, confidentiality and consistency, provide the relevant early warning, and thereby enable mercial banks’ business innovations, uplift their capability in utilizing information technology, improve their core petitiveness and capacity for sustainable of 15 4/17/2013Chapter II IT governanceArticle legal representative of mercial bank should be responsible to ensure pliance of this board of directors of mercial banks should have the following responsibilities with respect to the management of information systems:(1)Implementing and plying with the national laws, regulations and technical standards pertaining to the management of information systems, as well as the regulatory requirements set by the China Banking Regulatory Commission(hereinafter referred to as the “CBRC”)。(13)Cooperating with the CBRC and its local offices in the supervisory inspectio