【Main Text】

n of the risk management of information systems, and ensure that supervisory opinions are followed up.

(2) Areas of potential conflicts of interest should be identified, minimized, and subject to careful, independent

of 154/17/2013

It requires that an appropriate control structure is set up to facilitate checks and balances, with control activities defined at every business level, which should include:
(1) Top level reviews;
(5) Arrangement with vendors and business units for periodic review of service level agreements (SLAs);
(6) The possible impact of new developments in technology and new threats to deployed software;
(7) Timely review of operational risk and management controls in the operations area;
(8) Assessment of the risk profile of IT outsourcing projects.

Commercial banks operating offshore and foreign commercial banks in China should comply with the relevant regulatory requirements on information systems in and outside the People's Republic of China.

IV Information Security

Article
The information technology department of commercial banks should oversee the establishment of information classification and protection. Employees of the bank should be made aware of the importance of ensuring information confidentiality and provided with the necessary training to fully understand the bank's information protection procedures.

Article
Commercial banks should put in place an information security management function to develop and maintain an ongoing information security management program, promote information security awareness, advise other IT functions on security issues, serve as the leader of the IT incident response team, and report the evaluation of the bank's information security to the IT steering committee. The information security management program should include information security standards, strategy, an implementation plan, and ongoing maintenance. The security policy should include the following areas:
(1) IT security policy management
(2) Organization of information security
(3) Asset management
(4) Personnel security
(5) Physical and environmental security
(6) Communication and operation security
(7) Access control and authentication
(8) Acquisition, development and maintenance of information systems
(9) Information security event management
(10) Business continuity management
(11) Compliance

Article
Commercial banks should have an effective process to manage user authentication and access. Access to data and systems should be strictly limited to authorized individuals whose identity is clearly established, and their activities in the information systems should be limited to the minimum required for their legitimate business purposes. A user authentication mechanism commensurate with the classification of the information to be accessed should be in place. Review and removal of a user's identity from the system should be carried out when the user transfers to a new job or leaves the bank.

Article
Commercial banks should ensure that all physical security zones, such as computer centers or data centers, network closets, and areas containing confidential information or critical IT equipment, and the respective accountabilities are clearly defined, and that appropriate preventive, detective, and recuperative controls are put in place.

Article
Commercial banks should divide their networks into logical security domains (hereinafter referred to as the "domain") with different security levels. The following security factors have to be assessed in order to define and implement effective security controls, such as physical or logical segregation of the network, network filtering, logical access control, traffic encryption, network monitoring, activity logs, etc., for each domain and for the whole network:
(1) Criticality of the applications and user groups within the domain;

(5) Setting up a system of approval, verification, and monitoring procedures for using the highest privileged system accounts;
(7) Maintaining an audit trail in either paper or electronic format;
(8) Requiring user administrators to monitor and review unsuccessful logins and changes to users.

Article
Commercial banks should have a set of policies and procedures controlling the logging of activities in all production systems to support effective auditing, security forensic analysis, and fraud prevention. Logging can be implemented in different layers of software and on different computer and networking equipment, and logs fall into two broad categories:
(1) Transaction journals are generated by application software and database management systems, and contain authentication attempts, modifications to data, error messages, etc. Transaction journals should be kept according to the national accounting policy.
(2) System logs are generated by operating systems, database management systems, firewalls, intrusion detection systems, routers, etc., and contain authentication attempts, system events, network events, error messages, etc. System logs should be kept for a period scaled to the risk classification, but no less than one year.
Commercial banks should ensure that sufficient items are included in the logs to facilitate effective internal controls, system troubleshooting, and auditing, while taking appropriate measures to ensure time synchronization across all systems. Sufficient disk space should be allocated to prevent logs from being lost. Logs should be reviewed regularly for anomalies. The review frequency and retention period for transaction logs or database logs should be determined jointly by the IT organization and the pertinent business lines, and approved by the IT steering committee.

Article
Commercial banks should have the capacity to employ encryption technologies to mitigate the risk of losing confidential information in the information systems or during its transmission. Management processes for the encryption facilities should be put in place to ensure that:
(1) Encryption facilities in use meet national security standards or requirements;

(3) External events (such as war, earthquake, typhoon, etc.).

Article
Commercial banks should act to reduce both the likelihood of disruptions (including system resilience and dual processing)

overall risk profile;
(2) Whether sufficient access will be available to its internal auditors, external auditors and banking regulators;
Proc
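The logging article above sets concrete, checkable requirements: each record must carry enough items for audit and forensics, the named event kinds must actually be captured, source clocks must be synchronized, and system logs must be kept for a period scaled to the risk classification but never less than one year. The following is an added example, not part of the guideline or of any bank's tooling, that applies those requirements to a few constructed system-log records. The JSON field names, the risk multipliers and the five-second clock-drift tolerance are assumptions; the one-year floor comes from the text.

```python
"""Log-governance checker for the logging requirements in the article above.
Added example; record format, risk multipliers and drift tolerance are assumed."""
import json
from datetime import datetime, timedelta

# Items a record must carry to be useful for internal control, troubleshooting
# and forensic analysis (assumed field names).
REQUIRED_FIELDS = {
    "transaction": {"ts", "received", "source", "user", "event", "outcome"},
    "system": {"ts", "received", "source", "host", "event", "outcome"},
}

# Event kinds each category is expected to capture, taken from the article.
EXPECTED_EVENTS = {
    "transaction": {"auth_attempt", "data_modify", "error"},
    "system": {"auth_attempt", "system_event", "network_event", "error"},
}

MIN_SYSTEM_RETENTION_DAYS = 365                  # floor stated in the article
RISK_MULTIPLIER = {"low": 1, "medium": 2, "high": 3}  # assumed scaling by risk class
MAX_CLOCK_DRIFT = timedelta(seconds=5)           # assumed time-sync tolerance

# Constructed sample records. "ts" is the source device's own clock; "received"
# is the central collector's clock when the record arrived. Record 2 has a
# source clock 15 minutes behind; record 3 lacks "host" and "outcome".
SAMPLE_SYSTEM_LOGS = [
    '{"ts": "2024-01-10T09:00:00+00:00", "received": "2024-01-10T09:00:01+00:00", '
    '"source": "fw-core-1", "host": "fw-core-1", "event": "auth_attempt", '
    '"outcome": "failure", "user": "admin"}',
    '{"ts": "2024-01-10T09:00:02+00:00", "received": "2024-01-10T09:00:02+00:00", '
    '"source": "db-prod-2", "host": "db-prod-2", "event": "system_event", "outcome": "success"}',
    '{"ts": "2024-01-10T08:45:00+00:00", "received": "2024-01-10T09:00:03+00:00", '
    '"source": "router-edge-3", "host": "router-edge-3", "event": "network_event", "outcome": "success"}',
    '{"ts": "2024-01-10T09:00:04+00:00", "received": "2024-01-10T09:00:04+00:00", '
    '"source": "app-ids-1", "event": "error"}',
]


def retention_days(category, risk_class):
    """System logs: one year scaled by risk class, never below the floor.
    Transaction journals follow national accounting policy, which this
    checker does not encode, so it returns None for them."""
    if category == "transaction":
        return None
    scaled = MIN_SYSTEM_RETENTION_DAYS * RISK_MULTIPLIER[risk_class]
    return max(MIN_SYSTEM_RETENTION_DAYS, scaled)


def parse_record(line):
    """Decode one JSON log line and turn its timestamps into datetimes."""
    rec = json.loads(line)
    for key in ("ts", "received"):
        if key in rec:
            rec[key] = datetime.fromisoformat(rec[key])
    return rec


def check_records(lines, category):
    """Return findings: records missing required items, records whose source
    clock disagrees with the collector, and expected event kinds never seen."""
    findings = {"missing_fields": [], "clock_drift": [], "events_not_covered": set()}
    seen_events = set()
    for idx, line in enumerate(lines):
        rec = parse_record(line)
        missing = REQUIRED_FIELDS[category] - set(rec)
        if missing:
            findings["missing_fields"].append((idx, sorted(missing)))
        if "ts" in rec and "received" in rec:
            if abs(rec["received"] - rec["ts"]) > MAX_CLOCK_DRIFT:
                findings["clock_drift"].append((idx, rec.get("source")))
        seen_events.add(rec.get("event"))
    findings["events_not_covered"] = EXPECTED_EVENTS[category] - seen_events
    return findings


if __name__ == "__main__":
    print(check_records(SAMPLE_SYSTEM_LOGS, "system"))
    for risk in RISK_MULTIPLIER:
        print(risk, "risk: keep system logs for", retention_days("system", risk), "days")
```

Checking drift against the collector's receive time is a practical way to test the time-synchronization requirement, because the collector is the one clock all sources are compared against; a source whose records arrive with a large, consistent offset needs its NTP configuration fixed before its logs can be correlated with others during an investigation.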
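The access-control article above requires that access be limited to the minimum a user's legitimate business needs, and that user identities be reviewed and removed when a user transfers or leaves. The following is an added example, not part of the guideline or of any bank's own code, of the reconciliation a periodic user-access review performs: a system's account list is compared with the HR roster so that leavers are removed, transferred staff are re-reviewed, privileges beyond the role baseline are cut back, and dormant accounts are disabled. The names, systems, roles, entitlement strings and the 90-day dormancy threshold are all constructed.

```python
"""User-access review reconciling accounts against the HR roster.
Added example; roles, entitlements and thresholds are constructed."""
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed least-privilege baseline: the entitlements each business role may hold.
ROLE_ENTITLEMENTS = {
    "teller": {"core:view_account", "core:post_deposit"},
    "branch_manager": {"core:view_account", "core:post_deposit", "core:approve_override"},
    "risk_analyst": {"risk:read_reports"},
}

DORMANT_AFTER = timedelta(days=90)  # assumed threshold for unused accounts


@dataclass(frozen=True)
class HrRecord:
    user_id: str
    status: str   # "active" or "left"
    role: str     # current business role according to HR


@dataclass(frozen=True)
class Account:
    user_id: str
    system: str
    entitlements: frozenset
    granted_for_role: str  # role recorded when the access was approved
    last_login: date


def review_access(hr_records, accounts, today):
    """Return (user_id, system, action, reason) tuples for the access reviewer."""
    hr = {r.user_id: r for r in hr_records}
    findings = []
    for acct in accounts:
        person = hr.get(acct.user_id)
        # Leavers and accounts with no HR owner: identity must be removed.
        if person is None or person.status == "left":
            findings.append((acct.user_id, acct.system, "remove", "no active HR record"))
            continue
        # Transfer: the access was approved for a different role, so re-review it.
        if person.role != acct.granted_for_role:
            findings.append((acct.user_id, acct.system, "review",
                             f"granted for {acct.granted_for_role}, now {person.role}"))
        # Least privilege: anything beyond the current role's baseline is excess.
        excess = acct.entitlements - ROLE_ENTITLEMENTS.get(person.role, set())
        if excess:
            findings.append((acct.user_id, acct.system, "reduce",
                             "beyond role baseline: " + ", ".join(sorted(excess))))
        # Dormant accounts are an unused entry point and should be disabled.
        if today - acct.last_login > DORMANT_AFTER:
            findings.append((acct.user_id, acct.system, "disable", "dormant account"))
    return findings


# Constructed sample data for one review run.
TODAY = date(2024, 3, 1)
HR_ROSTER = [
    HrRecord("alice", "active", "teller"),
    HrRecord("bob", "left", "teller"),
    HrRecord("carol", "active", "risk_analyst"),   # transferred from branch_manager
]
ACCOUNTS = [
    Account("alice", "core", frozenset({"core:view_account", "core:post_deposit"}),
            "teller", date(2024, 2, 28)),
    Account("bob", "core", frozenset({"core:view_account"}), "teller", date(2024, 1, 15)),
    Account("carol", "core", frozenset({"core:view_account", "core:approve_override"}),
            "branch_manager", date(2023, 10, 1)),
    Account("mallory", "core", frozenset({"core:view_account"}), "teller", date(2024, 2, 1)),
]


if __name__ == "__main__":
    for finding in review_access(HR_ROSTER, ACCOUNTS, TODAY):
        print(finding)
```

Keying the review on the role for which access was originally approved, rather than only on whether the user still exists, is what catches the transfer case the article singles out: carol still has an active HR record, but her branch-manager entitlements have outlived the job they were granted for.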