
Guidelines on Information Technology Risk Management of Commercial Banks: English Version (Updated)

  

[Main text] information including confirmation of personal identification issued by government, academic credentials, prior work experience, professional qualifications.

(2) Periodically reviewing the alignment of IT strategy with the overall business strategies and significant policies of the bank, assessing the overall effectiveness and efficiency of the IT organization.
(3) Approving IT risk management strategies and policies, understanding the major IT risks involved, setting acceptable levels for these risks, and ensuring the implementation of the measures necessary to identify, measure, monitor and control these risks.
(4) Setting high ethical and integrity standards, and establishing a culture within the bank that emphasizes and demonstrates to all levels of personnel the importance of IT risk management.
(5) Establishing an IT steering committee which consists of representatives from senior management, the IT organization, and major business units, to oversee these responsibilities and report the effectiveness of strategic IT planning, the IT budget and actual expenditure, and the overall IT performance to the board of directors and senior management periodically.
(6) Establishing IT governance structure, proper segregation of duty, clear role and responsibility, maintaining checks and balances and clear reporting IT professional staff by developing incentive program.
(7) Ensuring that there is an effective internal audit of the IT risk management carried out by operationally independent, well-trained and qualified internal audit report should be submitted directly to the IT audit committee.
(10) Ensuring that all employees of the bank fully understand and adhere to the IT risk management policies and procedures approved by the board of directors and the senior management, and are provided with pertinent training.
(11) Ensuring customer information, financial information, product information and core banking system of the legal entity are held independently within the territory, and complying with the regulatory on-site examination requirements of CBRC and guarding against cross-border risk.
(12) Reporting in a timely manner to the CBRC and its local offices any serious incident of information systems or unexpected event, and quickly respond to it in accordance with the contingency plan.

and (4) Evaluation of the risk of losing key IT personnel, especially during major IT development stage or in a period of unstable IT operations, and the relevant risk mitigation measures such as staff backup arrangement and staff succession banks should establish or designate a particular department for IT risk should report directly to the CIO and the Chief Risk Officer (or risk management committee), serve as a member of the IT incident response team, and be responsible for coordinating the establishment of policies regarding IT risk management, especially the areas of information security, BCP, and compliance with the CBRC regulations, advising the business departments and IT department in implementing these policies, providing relevant compliance information, conducting ongoing assessment of IT risks, and ensuring the follow-up of remediation advice, monitoring and escalating management of IT threats and noncompliance 154/17/2013

Article banks should establish a special IT audit role and responsibility within internal audit function, which should put in place IT audit policies and procedures, develop and execute IT audit banks should put in place policies and procedures to protect intellectual property rights according to laws regarding intellectual properties, ensure purchase of legitimate software and hardware, prevention of the use of pirated software, and the protection of the proprietary rights of IT products developed by the bank, and ensure that these are fully understood and complied by all banks should, in accordance with relevant laws and regulations, disclose the risk profile of their IT normatively and III IT Risk Management

Article banks should formulate an IT strategy that aligns with the overall business plan of the bank, IT risk assessment plan and an IT operational plan that can ensure adequate financial resources and human resources to maintain a stable and secure IT banks should put in place a comprehensive set of IT risk management policies that include the following areas:
(1) Information security classification policy
(2) System development, testing and maintenance policy
(3) IT operation and maintenance policy
(4) Access control policy
(5) Physical security policy
(6) Personnel security policy
(7) Business Continuity Planning and Crisis and Emergency Management procedure

Article banks should maintain an ongoing risk identification and assessment process that allows the bank to pinpoint the areas of concern in its information systems, assess the potential impact of the risks on its business, rank the risks, and prioritize mitigation actions and the necessary resources (including outsourcing vendors, product vendors and service vendors).

Article banks should implement a comprehensive set of risk mitigation measures complying with the IT risk management policies and commensurate with the risk assessment of the mitigation measures should include:
(1) A set of clearly documented IT risk policies, technical standards, and operational procedures, which should be communicated to the staff frequently and kept up to date in a timely manner.
(4) Reports of internal audit, external audit, and issues identified by CBRC.
(2) Clearly defining a set of access privileges for different groups of users, namely, end-users, system development staff, computer operators, and system administrators and user administrators.
(6) Ensuring system can handle exceptions in a predefined way and provide meaningful message to users when the system is forced to terminate.
(2) The loss or corruption of its information.
business strategy.
(3) Information ownership rights, confidentiality agreements and Firewalls to protect client and other information (including arrangements at the te