【正文】 and(3) External events (such as war, earthquake, typhoon, etc).Article 52. Commercial bank should act to reduce both the likelihood of disruptions (including system resilience and dual processing)。(4) Promoting changes of program or system configuration from development and testing systems to production systems should be jointly approved by IT organization and business departments, properly documented, and reviewed periodically.Article 36. Commercial banks should have in place a set of policies, standards, and procedures to ensure data integrity, confidentiality, and availability. These policies should be in accordance with data integrity amid IT development procedure.Article 37. Commercial banks should ensure that Information system problems could be tracked, analyzed, and resolved systematically through an effective problem management process. Problems should be documented, categorized, and indexed. Support services or technical assistance from vendors, if necessary, should also be documented. Contacts and relevant contract information should be made readily available to the employees concerned. Accountability and line of mand should be delineated clearly and municated to all employees concerned, which is of utmost importance to performing emergency repair.Article 38. Commercial banks should have a set of policies and procedures controlling the process of system upgrade. System upgrade is needed when the hardware reaches its lifespan or runs out of capacity, the underpinning software, namely, operating system, database management system, middleware, has to be upgraded, or the application software has to be upgraded. The system upgrade should be treated as a project and managed by all pertinent project management controls including user acceptance testing.Chapter VI IT OperationsArticle 39. Commercial banks should consider fully the environmental threats (. proximity to natural disaster zones, dangerous or hazardous facilities or busy/major roads) when selecting the locations of their data centers. Physical and environmental controls should be implemented to monitor environmental conditions could affect adversely the operation of information processing facilities. Equipment facilities should be protected from power failures and electrical supply interference.Article 40. In controlling access by thirdparty personnel (. service providers) to secured areas, proper approval of access should be enforced and their activities should be closely monitored. It is important that proper screening procedures including verification and background checks, especially for sensitive technologyrelated jobs, are developed for permanent and temporary technical staff and contractors.Article 41. Commercial banks should separate IT operations or puter center operations from system development and maintenance to ensure segregation of duties within the IT organization. The mercial banks should document the roles and responsibilities of data center functions.Article 42. Commercial banks are required to retain transactional records in pliance with the national accounting policy. Procedures and technology are needed to be put in place to ensure the integrity, safekeeping and retrieval requirements of the archived data.Article 43. Commercial banks should detail operational instructions such as puter operator tasks, job scheduling and execution in the IT operations manual. The IT operations manual should also cover the procedures and requirements for onsite and offsite backup of data and software in both the production and development environments (. frequency, scope and retention periods of backup).Article 44. Commercial banks should have in place a problem management and processing system to respond promptly to IT operations incidents, to escalate reported incidents to relevant IT management staff and to record, analyze and keep tracks of all these incidents until rectification of the incidents with root cause analysis pleted. A helpdesk function should be set up to provide frontline support to users on all technologyrelated problems and to direct the problems to relevant IT functions for investigation and resolution.Article 45. Commercial banks should establish service level agreement and assess the IT service level standard attained.Article 46. Commercial banks should implement a process to ensure that the performance of application systems is continuously monitored and exceptions are reported in a timely and prehensive manner. The performance monitoring process should include forecasting capability to enable exceptions to be identified and corrected before they affect system performance.Article 47. Commercial banks should carry out capacity plan to cater for business growth and transaction increases due to changes of economic conditions. Capacity plan should be extended to cover backup systems and related facilities in addition to the production environment.Article 48. Commercial banks should ensure the continued availability of technology related services with timely maintenance and appropriate system upgrades. Proper record keeping (including suspected and actual faults and preventive and corrective maintenance records) is necessary for effective facility and equipment maintenance.Article 49. Commercial banks should have an effective change management process in place to ensure integrity and reliability of the production environment. Commercial banks should develop a formal change management process. Chapter VII Business Continuity ManagementArticle 50. Commercial banks should have in place appropriate arrangements, having regard to the nature, scale and plexity of its business, to ensure that it can continue to function and meet its regulatory obligations in the event of an unforeseen interruption. These arrangements should be regularly updated and tested to ensure their effecti