system files, changes made to user accounts, etc. in system logs, monitors the systems for any abnormal event manually or automatically, and reports on the monitoring periodically.
Article 26. Commercial banks should ensure the security of all the application systems by
(1) Clearly defining the roles and responsibilities of end-users and IT staff regarding application security;
(2) Implementing a robust authentication method commensurate with the criticality and sensitivity of the application system;
(3) Enforcing segregation of duties and dual control over critical or sensitive functions;
(4) Requiring verification of input or reconciliation of output at critical junctures;
(5) Requiring that the input and output of confidential information are handled in a secure manner to prevent theft, tampering, intentional leakage, or inadvertent leakage;
(6) Ensuring the system can handle exceptions in a predefined way and provide meaningful messages to users when the system is forced to terminate;
(7) Maintaining an audit trail in either paper or electronic format; and
(8) Requiring the user administrator to monitor and review unsuccessful logins and changes to user accounts.
Article 27. Commercial banks should have a set of policies and procedures controlling the logging of activities in all production systems to support effective auditing, security forensic analysis, and fraud prevention. Logging can be implemented in different layers of software and on different computer and networking equipment, and falls into two broad categories:
(1) Transaction journals. They are generated by application software and database management systems, and contain authentication attempts, modifications to data, error messages, etc. Transaction journals should be kept according to the national accounting policy.
(2) System logs. They are generated by operating systems, database management systems, firewalls, intrusion detection systems, routers, etc., and contain authentication attempts, system events, network events, error messages, etc. System logs should be kept for a period scaled to the risk classification, but no less than one year.
Banks should ensure that sufficient items are included in the logs to facilitate effective internal controls, system troubleshooting, and auditing, while taking appropriate measures to ensure time synchronization across all logs. Sufficient disk space should be allocated to prevent logs from being overwritten. System logs should be reviewed for any exception. The review frequency and retention period for transaction logs or database logs should be determined jointly by the IT organization and the pertinent business lines, and approved by the IT steering committee.
Article 28. Commercial banks should have the capacity to employ encryption technologies to mitigate the risk of losing confidential information in the information systems or during its transmission. Appropriate management processes for the encryption facilities should be put in place to ensure that
(1) Encryption facilities in use meet national security standards or requirements;
(2) Staff in charge of encryption facilities are well trained and screened;
(3) Encryption strength is adequate to protect the confidentiality of the information; and
(4) Effective and efficient key management procedures, especially key lifecycle management and certificate lifecycle management, are in place.
Article 29. Commercial banks should put in place an effective and efficient system for securing all end-user computing equipment, which includes desktop personal computers (PCs), portable PCs, teller terminals, automatic teller machines (ATMs), passbook printers, debit or credit card readers, point of sale (POS) terminals, personal digital assistants (PDAs), etc., and conduct periodic security checks on all such equipment.
Article 30. Commercial banks should put in place a set of policies and procedures to govern the collection, processing, storage, transmission, dissemination, and disposal of customer information.
Article 31. All employees, including contract staff, should be provided with the necessary training to fully understand these policies and procedures and the consequences of their violation. Commercial banks should adopt a zero tolerance policy against security violations.
Chapter V Application System Development, Testing and Maintenance
Article 32. Commercial banks should have the capability to identify, plan, acquire, develop, test, deploy, maintain, upgrade, and retire information systems. Policies and procedures should be in place to govern the initiation, prioritization, approval, and control of IT projects. Progress reports of major IT projects should be submitted to and reviewed by the IT steering committee periodically. Decisions involving significant change of schedule, change of key personnel, change of vendors, and major expenditures should be included in the progress report.
Article 33. Commercial banks should recognize the risks associated with IT projects, which include the possibilities of incurring various kinds of operational risk, financial losses, and opportunity costs stemming from ineffective project planning or inadequate project management controls of the bank. Therefore, appropriate project management methodologies should be adopted and implemented to control the risks associated with IT projects.
Article 34. Commercial banks should adopt and implement a system development methodology to control the life cycle of information systems. The typical phases of the system life cycle