
Guidelines on Information Technology Risk Management of Commercial Banks (English version)


needs of the bank, and IT strategies, in particular information system development strategies, comply with the overall business strategies and IT risk management policies of the bank;

(3) The CIO should also be responsible for the establishment of an effective and efficient IT organization to carry out the IT functions of the bank. These include the IT budget and expenditure, IT risk management, IT policies, standards and procedures, IT internal controls, professional development, IT project initiatives, IT project management, information system maintenance and upgrade, IT operations, IT infrastructure, information security, disaster recovery plan (DRP), IT outsourcing, and information system retirement;

(4) Ensuring the effectiveness of IT risk management throughout the organization, including all branches;

(5) Organizing professional training to improve the technical proficiency of staff;

(6) Performing other related IT risk management tasks.

Article 9. Commercial banks should ensure that a clear definition of the IT organization structure and documentation of all job descriptions of important positions are always in place and updated in a timely manner. Staff in each position should meet relevant requirements on professional skills and knowledge. The following risk mitigation measures should be incorporated in the management program of related staff:

(1) Verification of personal information, including confirmation of personal identification issued by the government, academic credentials, prior work experience and professional qualifications;

(2) Ensuring that IT staff can meet the required professional ethics by checking character references;

(3) Signing of agreements with employees about understanding of IT policies and guidelines, non-disclosure of confidential information, authorized use of information systems, and adherence to IT policies and procedures; and

(4) Evaluation of the risk of losing key IT personnel, especially during a major IT development stage or in a period of unstable IT operations, and the relevant risk mitigation measures such as staff backup arrangements and staff succession plans.

Article 10. Commercial banks should establish or designate a particular department for IT risk management. It should report directly to the CIO and the Chief Risk Officer (or risk management committee), serve as a member of the IT incident response team, and be responsible for coordinating the establishment of policies regarding IT risk management, especially the areas of information security, BCP, and compliance with the CBRC regulations, advising the business departments and IT department in implementing these policies, providing relevant compliance information, conducting on-going assessment of IT risks, and ensuring the follow-up of remediation advice, monitoring and escalating management of IT threats and non-compliance events.

Article 11. Commercial banks should establish a special IT audit role and responsibility within the internal audit function, which should put in place IT audit policies and procedures and develop and execute the IT audit plan.

Article 12. Commercial banks should put in place policies and procedures to protect intellectual property rights according to laws regarding intellectual property, ensure the purchase of legitimate software and hardware, the prevention of the use of pirated software, and the protection of the proprietary rights of IT products developed by the bank, and ensure that these are fully understood and complied with by all employees.

Article 13. Commercial banks should, in accordance with relevant laws and regulations, disclose the risk profile of their IT in a standardized and timely manner.

Chapter III

IT Risk Management

Article 14. Commercial banks should formulate an IT strategy that aligns with the overall business plan of the bank, IT risk assessment plan and an IT operational plan that can ensure adequate financial resources and human resources to maintain a stable and secure IT environment.

Article 15. Commercial banks should put in place a comprehensive set of IT risk management policies that include the following areas:

(1) Information security classification policy
(2) System development, testing and maintenance policy
(3) IT operation and maintenance policy
(4) Access control policy
(5) Physical security policy
(6) Personnel security policy
(7) Business Continuity Planning and Crisis and Emergency Management procedure

Article 16. Commercial banks should maintain an ongoing risk identification and assessment process that allows the bank to pinpoint the areas of concern in its information systems, assess the potential impact of the risks on its business, rank the risks, and prioritize mitigation actions and the necessary resources (including outsourcing vendors, product vendors and service vendors).

Article 17. Commercial banks should implement a comprehensive set of risk mitigation measures complying with the IT risk management policies and commensurate with the risk assessment of the bank. These mitigation measures should include:

(1) A set of clearly documented IT risk policies, technical standards, and operational procedures, which should be communicated to the staff frequently and kept up to date in a timely manner;

(2) Areas of potential conflicts of interest should be identified, minimized, and subject to careful, independent monitoring. It also requires that an appropriate control structure is set up to facilitate checks and balances, with control activities defined at every business level, which should include:

- Top level reviews;
- Controls over physical and logical access to data and systems;
- Access granted on “need to know” and “minimum
