【正文】 records in pliance with the national accounting and technology are needed to be put in place to ensure the integrity, safekeeping and retrieval requirements of the archived banks should detail operational instructions such as puter operator tasks, job scheduling and execution in the IT operations IT operations manual should also cover the procedures and requirements for onsite and offsite backup of data and software in both the production and development environments(, scope and retention periods of backup).Article banks should have in place a problem management and processing system to respond promptly to IT operations incidents, to escalate reported incidents to relevant IT management staff and to record, analyze and keep tracks of all these incidents until rectification of the incidents with root cause analysis helpdesk function should be set up to provide frontline support to users on all technologyrelated problems and to direct the problems to relevant IT functions for investigation and banks should establish service level agreement and assess the IT service level standard banks should implement a process to ensure that the performance of application systems is continuously monitored and exceptions are reported in a timely and prehensive performance monitoring process should include forecasting capability to enable exceptions to be identified and corrected before they affect system 154/17/2013Article banks should carry out capacity plan to cater for business growth and transaction increases due to changes of economic plan should be extended to cover backup systems and related facilities in addition to the production banks should ensure the continued availability of technology related services with timely maintenance and appropriate system record keeping(including suspected and actual faults and preventive and corrective maintenance records)is necessary for effective facility and equipment banks should have an effective change management process in place to ensure integrity and reliability of the production banks should develop a formal change management VII Business Continuity ManagementArticle banks should have in place appropriate arrangements, having regard to the nature, scale and plexity of its business, to ensure that it can continue to function and meet its regulatory obligations in the event of an unforeseen arrangements should be regularly updated and tested to ensure their banks should consider the likelihood and impact of a disruption to the continuity of its operation from unexpected should include assessing the disruptions to which it is particularly susceptible including but not limited to:(1)Loss of failure of internal and external resources(such as people, systems and other assets)。(2)The loss or corruption of its information。and(3)External events(such as war, earthquake, typhoon, etc).Article bank should act to reduce both the likelihood of disruptions(including system resilience and dual processing)。and the impact of disruptions(including by contingency arrangements and insurance).Article bank should document its strategy for maintaining continuity of its operations, and its plans for municating and regularly testing the adequacy and effectiveness of this bank should establish:(1)Formal business continuity plans that outline arrangements to reduce the impact of a short, medium and longterm disruption, including: a)Resource requirements such as people, systems and other assets, andarrangements for obtaining these resources。b)The recovery priorities for the mercial bank’s operations。and c)Communication arrangements for internal and external concernedparties(including CBRC, clients and the press)。of 154/17/2013(2)(3)(4)Escalation and invocation plans that outline the processes for implementing the business continuity plans, together with relevant contact information。Processes to validate the integrity of information affected by the disruption。Processes to review and update(1)to(3)following changes to the mercial bank’s operations or risk final BCP plan and an annual drill result must be signed off by the IT Risk management, or internal auditor and IT Steering VIII OutsourcingArticle banks cannot contract out its regulatory obligations and should take reasonable care to supervise the discharge of outsourcing banks should take particular care to manage material outsourcing arrangement(such as outsourcing of data center, IT infrastructure, etc.), and should notify CBRC when it intends to enter into material outsourcing entering into, or significantly changing, an outsourcing arrangement, the mercial bank should:(1)Analyze how the arrangement will fit with its organization and reporting structure。business strategy。overall risk profile。and ability to meet its regulatory obligations。(2)Consider whether the arrangements will allow it to monitor and control its operational risk exposure relating to the outsourcing。(3)Conduct appropriate due diligence of the service provider’s financial stability, expertise and risk assessment of the service provider, facilities and ability to cover the potential liabilities。(4)Consider how it will ensure a smooth transition of its operations from its current arrangements to a new or changed outsourcing arrangement(including what will happen on the termination of the contract)。and(5)Consider any concentration risk implications such as the business continuity implications that may arise if a single service provider is used by several negotiating its contract with a service provider, the mercial bank should have regard to(but not limited to):(1)Reporting and negotiation requirements it may wish to impose on the service provider。(2)Whether sufficient access will be available to its internal auditors, external auditors and banking regulators。(3)Information ownership rights, confidentiality agreements and Firewalls to protect client and other information(including arrangements at the te