【正文】 e major IT risks involved，setting acceptable levels for these risks，and ensuring the implementation of the measures necessary to identify，measure，monitor and control these risks.（4）Setting high ethical and integrity standards，and establishing a culture within the bank that emphasizes and demonstrates to all levels of personnel the importance of IT risk management.（5）Establishing an IT steering mittee which consists of representatives from senior management，the IT organization，and major business units，to oversee these responsibilities and report the effectiveness of strategic IT planning，the IT budget and actual expenditure，and the overall IT performance to the board of directors and senior management periodically.（6）Establishing IT governance structure，proper segregation of duty，clear role and responsibility，maintaining check and balances and clear reporting IT professional staff by developing incentive program.（7）Ensuring that there is an effective internal audit of the IT risk management carried out by operationally independent，welltrained and qualified internal audit report should be submitted directly to the IT audit mittee；（8）Submitting an annual report to the CBRC and its local offices on information system risk management that has been reviewed and approved by the board of directors ；（9）Ensuring the appropriating funding necessary for IT risk management works；（10）Ensuring that all employees of the bank fully understand and adhere to the IT risk management policies and procedures approved by the board of directors and the senior management，and are provided with pertinent training.（11）Ensuring customer information，financial information，product information and core banking system of the legal entity are held independently within the territory，and plying with the regulatory onsite examination requirements of CBRC and guarding against crossborder risk.（12）Reporting in a timely manner to the CBRC and its local offices any serious incident of information systems or unexpected event，and quickly respond to it in accordance with the contingency plan；（13）Cooperating with the CBRC and its local offices in the supervisory inspection of the risk management of information systems，and ensure that supervisory opinions are followed up； and（14）Performing other related IT risk management head of the IT organization，monly known as the Chief Information Officer（CIO）should report directly to the and responsibilities of the CIO should include the following：（1）Playing a direct role in key decisions for the business development involving the use of IT in the bank；（2）The CIO should ensure that information systems meet the needs of the bank，and IT strategies，in particular information system development strategies，ply with the overall business strategies and IT risk management policies of the bank；（3）The CIO should also be responsible for the establishment of an effective and efficient IT organization to carry out the IT functions of the include the IT budget and expenditure，IT risk management，IT policies，standards and procedures，IT internal controls，professional development，IT project initiatives，IT project management，information system maintenance and upgrade，IT operations，IT infrastructure，Information security，disaster recovery plan（DRP），IT outsourcing，and information system retirement；（4）Ensuring the effectiveness of IT risk management throughout the organization including all branches.（5）Organizing professional trainings to improve technical proficiency of staff.（6）Performing other related IT risk management banks should ensure that a clear definition of the IT organization structure and documentation of all job descriptions of important positions are always in place and updated in a timely in each position should meet relevant requirements on professional skills and following risk mitigation measures should be incorporated in the management program of related staff：（1）Verification of personal information including confirmation of personal identification issued by government，academic credentials，prior work experience，professional qualifications；（2）Ensuring that IT staff can meet the required professional ethics by checking character reference；（3）Signing of agreements with employees about understanding of IT policies and guidelines，nondisclosure of confidential information，authorized use of information systems，and adherence to IT policies and procedures； and（4）Evaluation of the risk of losing key IT personnel，especially during major IT development stage or in a period of unstable IT operations，and the relevant risk mitigation measures such as staff backup arrangement and staff succession Article banks should establish or designate a particular department for IT risk should report directly to the CIO and the Chief Risk Officer（or risk management mittee），serve as a member of the IT incident response team，and be responsible for coordinating the establishment of policies regarding IT risk management，especially the areas of information security，BCP，and pliance with the CBRC regulations，advising the business departments and IT department in implementing these policies，providing relevant pliance information，conducting ongoing assessment of IT risks，and ensuring the followup of remediation advice，monitoring and escalating management of IT threats and nonpliance banks should establish a special IT audit role and responsibility within internal audit function，which should put in place IT audit policies and procedures，develop and execute IT audit banks should put in place policies and procedures to protect intellectual property rights according to laws regarding intellectual properties，ensure purchase of legitimate software and hardware，prevention of the use of pirated software，and the protection of the proprietary rights of IT products developed by the bank，and ensure that these are fully understood and plied by all banks should，in accordance with relevant laws an