[Main text]

Part 1: Guidelines on the Risk Management of Commercial Banks' Information Technology (English version)

Guidelines on the Risk Management of Commercial Banks' Information Technology

Chapter I General Provisions

Article [...] to the Law of the People's Republic of China on Banking Regulation and Supervision, the Law of the People's [...]

(The remaining text of this page survives only as fragments of the numbered provisions; they are given below in the order in which they appear, with gaps marked [...].)

[...]ssets).
(5) Requiring the input and output of confidential information to be handled in a secure manner to prevent theft, tampering, intentional leakage, or inadvertent leakage;
and (7) Trustworthiness of the [...]
[...] banks should secure the operating system and system software of all computer systems by (1) Developing baseline security requirements for each operating system and ensuring all systems meet the baseline security requirements;
(3) Reports of incidents and complaints about IT services;
(3) Signing of agreements with employees about understanding of IT policies and guidelines, non-disclosure of confidential information, authorized use of information systems, and adherence to IT policies and procedures;
(9) Ensuring the appropriate funding necessary for IT risk management work;
(8) Submitting an annual report to the CBRC and its local offices on information system risk management that has been reviewed and approved by the board of directors;
(2) Ensuring that IT staff can meet the required professional ethics by checking character references;
(2) Benchmarks for periodic review of system performance;
(6) Connectivity between various domains;
(4) Requiring verification of input or reconciliation of output at critical junctures;
(3) Prohibiting application development and maintenance staff from accessing production systems under normal circumstances unless management approval is granted to perform emergency repair, and all emergency repair activities should be recorded and reviewed promptly;
Processes to validate the integrity of information affected by the disruption;
and (5) Consider any concentration risk implications, such as the business continuity implications that may arise if a single service provider is used by several [...]
[...] negotiating its contract with a service provider, the commercial bank should have regard to (but not limited to): (1) Reporting and negotiation requirements it may wish to impose on the service provider;
and ability to meet its regulatory obligations;
and the impact of disruptions (including [...] by contingency arrangements and insurance).
Article [...] bank should document its strategy for maintaining continuity of its operations, and its plans for communicating and regularly testing the adequacy and effectiveness of this [...]
[...] bank should establish: (1) Formal business continuity plans that outline arrangements to reduce the impact of a short, medium and long-term disruption, including: a) Resource requirements such as people, systems and other assets, and arrangements for obtaining these resources;
(2) Staff in charge of encryption facilities are well trained and screened;
Requiring technical staff to review available security patches, and report the patch status periodically;
(2) Access points to the domain through various communication channels;
Controls over physical and logical access to data and systems;
and (14) Performing other related IT risk management [...]
Article [...] head of the IT organization, commonly known as the Chief Information Officer (CIO), should report directly to the [...] and responsibilities of the CIO should include the following: (1) Playing a direct role in key decisions for the business development involving the use of IT in the bank;
(2) The CIO should ensure that information systems meet the needs of the bank, and that IT strategies, in particular information system development strategies, comply with the overall business strategies and IT risk management policies of the bank;
Access granted on a "need to know" and "minimum authorization" basis;
(3) Network protocols and ports used by the applications and network equipment deployed within the domain;
and Requiring technical staff to include important items such as unsuccessful logins, access to critical system files, changes made to user accounts, [...] system logs, monitor the systems for any abnormal event manually or automatically, and report the monitoring [...]
[...] banks should ensure the security of all the application systems by (1) Clearly defining the roles and responsibilities of end-users and IT staff regarding the application security;
(3) Encryption strength is adequate to protect the confidentiality of the information;
b) The recovery priorities for the commercial bank's operations;
(2) Consider whether the arrangements will allow it to monitor and control its operational risk exposure relating to the outsourcing;
(4) Consider how it will ensure a smooth transition of its operations from its current arrangements to a new or changed outsourcing arrangement (including what will happen on the termination of the contract);
of [...]
Escalation and invocation plans that outline the processes for implementing the business continuity plans, together with relevant contact information;
(2) Separating the duties of managing production systems and managing development or testing systems;
(3) Enforcing segregation of duties and dual control over critical or sensitive functions;
(5) Nature of the domain, [...] or testing, internal or external;
and A system of verification and [...]
[...] banks should put in place a set of ongoing risk measurement and monitoring mechanisms, which should include (1) Pre- and post-implementation review of IT projects;
(4) Ensuring the effectiveness of IT risk management throughout the organization, including all branches. (5) Organizing professional training to improve the technical proficiency of staff. (6) Performing other related IT risk management [...]
[...] banks should ensure that a clear definition of the IT organization structure and documentation of all job descriptions of important positions are always in place and updated in a timely [...]
[...] in each position should meet relevant requirements on professional skills and [...]
[...] following risk mitigation measures should be incorporated in the management program of related staff: (1) Verification of personal i[...]