[Body text]
business strategy.
(6) Ensuring the system can handle exceptions in a predefined way and provide a meaningful message to users when the system is forced to terminate.
(4) Reports of internal audit, external audit, and issues identified by CBRC.
(10) Ensuring that all employees of the bank fully understand and adhere to the IT risk management policies and procedures approved by the board of directors and the senior management, and are provided with pertinent training.
(11) Ensuring customer information, financial information, product information and the core banking system of the legal entity are held independently within the territory, and complying with the regulatory on-site examination requirements of CBRC and guarding against cross-border risk.
(12) Reporting in a timely manner to the CBRC and its local offices any serious incident of information systems or unexpected event, and quickly responding to it in accordance with the contingency plan.
(4) Ensuring the effectiveness of IT risk management throughout the organization, including all branches.
(5) Organizing professional training to improve the technical proficiency of staff.
(6) Performing other related IT risk management
banks should ensure that a clear definition of the IT organization structure and documentation of all job descriptions of important positions are always in place and updated in a timely
in each position should meet relevant requirements on professional skills and
following risk mitigation measures should be incorporated in the management program of related staff:
(1) Verification of personal information, including confirmation of personal identification issued by government, academic credentials, prior work experience, and professional qualifications.
(5) Nature of the domain, or testing, internal or external.
(2) Separating the duties of managing production systems and managing development or testing systems.
(4) Consider how it will ensure a smooth transition of its operations from its current arrangements to a new or changed outsourcing arrangement (including what will happen on the termination of the contract).
b) The recovery priorities for the commercial bank's operations; and
Requiring technical staff to include important items such as unsuccessful logins, access to critical system files, changes made to user accounts, system logs,
monitors the systems for any abnormal event manually or automatically, and report the monitoring
banks should ensure the security of all the application systems by:
(1) Clearly defining the roles and responsibilities of end-users and IT staff regarding the application security.
Access granted on a "need to know" and "minimum authorization" basis.
Part 1: Guidelines on the Risk Management of Commercial Banks' Information Technology (English version)
Guidelines on the Risk Management of Commercial Banks' Information Technology
Chapter I General Provisions
Article to the Law of the People's Republic of China on Banking Regulation and Supervision, the Law of the People's
Controls over physical and logical access to data and systems.
Requiring technical staff to review available security patches, and report the patch status periodically; and
the impact of disruptions (including by contingency arrangements and insurance).
Article
bank should document its strategy for maintaining continuity of its operations, and its plans for communicating and regularly testing the adequacy and effectiveness of this
bank should establish:
(1) Formal business continuity plans that outline arrangements to reduce the impact of a short, medium and long-term disruption, including:
a) Resource requirements such as people, systems and other assets, and arrangements for obtaining these resources; and
(5) Consider any concentration risk implications such as the business continuity implications that may arise if a single service provider is used by several
negotiating its contract with a service provider, the commercial bank should have regard to (but not limited to):
(1) Reporting and negotiation requirements it may wish to impose on the service provider.
(3) Prohibiting application development and maintenance staff from accessing the production system under normal circumstances unless management approval is granted to perform emergency repair, and all emergency repair activities should be recorded and reviewed promptly.
(6) Connectivity between various domains.
(2) Ensuring that IT staff can meet the required professional ethics by checking character references.
(9) Ensuring the appropriate funding necessary for IT risk management work.
(3) Reports of incidents and complaints about IT services.
(5) Requiring that the input and output of confidential information are handled in a secure manner to prevent theft, tampering, intentional leakage, or inadvertent leakage.
Processes to review and update (1) to (3) following changes to the commercial bank's operations or risk
final BCP plan and an annual drill result must be signed off by the IT Risk management, or internal auditor and IT Steering
VIII Outsourcing
Article
banks cannot contract out its regulatory obligations and should take reasonable care to supervise the discharge of outsourcing
banks should take particular care to manage material outsourcing arrangements (such as outsourcing of data center, IT infrastructure, etc.), and should notify CBRC when it intends to enter into material outsourcing
entering into, or significantly changing, an outsourcing arrangement, the commercial bank should:
(1) Analyze how the arrangement will fit with its organization and reporting structure;
overall risk profile; and
(7) Maintaining an audit trail in either paper or electronic format.
(8) Requiring the user administrator to monitor and review unsuccessful logins and changes to users
banks should have a set of policies and procedures controlling the logging of activities in all production systems to support effective auditing, security forensic analysis, and fraud
can be implemented in different layers of software and on different computer and networking equipment, which falls into two broad categories:
(1) Transaction are generated by application