(2) Whether sufficient access will be available to its internal auditors, external auditors and banking regulators. (4) Consider how it will ensure a smooth transition of its operations from its current arrangements to a new or changed outsourcing arrangement (including what will happen on the termination of the contract). (2) Consider whether the arrangements will allow it to monitor and control its operational risk exposure relating to the outsourcing. overall risk profile. Processes to review and update (1) to (3) following changes to the commercial bank’s operations or risk final BCP plan and an annual drill result must be signed off by the IT Risk management, or internal auditor and IT Steering VIII Outsourcing Article banks cannot contract out its regulatory obligations and should take reasonable care to supervise the discharge of outsourcing banks should take particular care to manage material outsourcing arrangement (such as outsourcing of data center, IT infrastructure, etc.), and should notify CBRC when it intends to enter into material outsourcing entering into, or significantly changing, an outsourcing arrangement, the commercial bank should: (1) Analyze how the arrangement will fit with its organization and reporting structure. (2)(3)(4) Escalation and invocation plans that outline the processes for implementing the business continuity plans, together with relevant contact information. b) The recovery priorities for the commercial bank’s operations. and (3) External events (such as war, earthquake, typhoon, etc). Article bank should act to reduce both the likelihood of disruptions (including system resilience and dual processing). (4) Promoting changes of program or system configuration from development and testing systems to production systems should be jointly approved by IT organization and business departments, properly documented, and reviewed banks should have in place a set of policies, standards, and procedures to ensure data integrity, confidentiality, and policies
should be in accordance with data integrity amid IT development banks should ensure that Information system problems could be tracked, analyzed, and resolved systematically through an effective problem management should be documented, categorized, and services or technical assistance from vendors, if necessary, should also be and relevant contract information should be made readily available to the employees and line of command should be delineated clearly and communicated to all employees concerned, which is of utmost importance to performing emergency banks should have a set of policies and procedures controlling the process of system upgrade is needed when the hardware reaches its lifespan or runs out of capacity, the underpinning software, namely, operating system, database management system, middleware, has to be upgraded, or the application software has to be system upgrade should be treated as a project and managed by all pertinent project management controls including user acceptance VI IT Operations Article banks should consider fully the environmental threats (to natural disaster zones, dangerous or hazardous facilities or busy/major roads) when selecting the locations of their data and environmental controls should be implemented to monitor environmental conditions could affect adversely the operation of information processing facilities should be protected from power failures and electrical supply controlling access by third-party personnel (providers) to secured areas, proper approval of access should be enforced and their activities should be closely is important that proper screening procedures including verification and background checks, especially for sensitive technology-related jobs, are developed for permanent and temporary technical staff and banks should separate IT operations or computer center operations from system development and maintenance to ensure segregation of duties within the IT commercial banks should document the roles and
responsibilities of data center banks are required to retain transactional records in compliance with the national accounting and technology are needed to be put in place to ensure the integrity, safekeeping and retrieval requirements of the archived banks should detail operational instructions such as computer operator tasks, job scheduling and execution in the IT operations IT operations manual should also cover the procedures and requirements for onsite and offsite backup of data and software in both the production and development environments (, scope and retention periods of backup). Article banks should have in place a problem management and processing system to respond promptly to IT operations incidents, to escalate reported incidents to relevant IT management staff and to record, analyze and keep track of all these incidents until rectification of the incidents with root cause analysis helpdesk function should be set up to provide frontline support to users on all technology-related problems and to direct the problems to relevant IT functions for investigation and banks should establish service level agreement and assess the IT service level standard banks should implement a process to ensure that the performance of application systems is continuously monitored and exceptions are reported in a timely and comprehensive performance monitoring process should include forecasting capability to enable exceptions to be identified and corrected before they affect system Article banks should carry out capacity plan to cater for business growth and transaction increases due to changes of economic plan should be extended to cover backup systems and related facilities in addition to the production banks should ensure the continued availability of technology related services with timely maintenance and appropriate system record keeping (including suspected and actual faults and preventive and corrective mainten