
Guidelines on Information Technology Risk Management for Commercial Banks (English Version)


system files, changes made to user accounts, etc. in system logs, monitors the systems for any abnormal event manually or automatically, and reports on the monitoring periodically.

Article 26. Commercial banks should ensure the security of all application systems by

(1) Clearly defining the roles and responsibilities of end-users and IT staff regarding application security;

(2) Implementing a robust authentication method commensurate with the criticality and sensitivity of the application system;

(3) Enforcing segregation of duties and dual control over critical or sensitive functions;

(4) Requiring verification of input or reconciliation of output at critical junctures;

(5) Requiring that the input and output of confidential information be handled in a secure manner to prevent theft, tampering, intentional leakage, or inadvertent leakage;

(6) Ensuring that the system can handle exceptions in a predefined way and provides meaningful messages to users when the system is forced to terminate;

(7) Maintaining an audit trail in either paper or electronic format; and

(8) Requiring the user administrator to monitor and review unsuccessful logins and changes to user accounts.

Article 27. Commercial banks should have a set of policies and procedures controlling the logging of activities in all production systems to support effective auditing, security forensic analysis, and fraud prevention. Logging can be implemented in different layers of software and on different computer and networking equipment, and logs fall into two broad categories:

(1) Transaction journals. They are generated by application software and database management systems, and contain authentication attempts, modifications to data, error messages, etc. Transaction journals should be kept according to the national accounting policy.

(2) System logs. They are generated by operating systems, database management systems, firewalls, intrusion detection systems, routers, etc., and contain authentication attempts, system events, network events, error messages, etc. System logs should be kept for a period scaled to the risk classification, but no less than one year.

Banks should ensure that sufficient items are included in the logs to facilitate effective internal controls, system troubleshooting, and auditing, while taking appropriate measures to ensure time synchronization across all logs. Sufficient disk space should be allocated to prevent logs from being overwritten. System logs should be reviewed for any exceptions. The review frequency and retention period for transaction logs or database logs should be determined jointly by the IT organization and the pertinent business lines, and approved by the IT steering committee.

Article 28. Commercial banks should have the capacity to employ encryption technologies to mitigate the risk of losing confidential information in the information systems or during its transmission. Appropriate management processes for the encryption facilities should be put in place to ensure that

(1) Encryption facilities in use meet national security standards or requirements;

(2) Staff in charge of encryption facilities are well trained and screened;

(3) Encryption strength is adequate to protect the confidentiality of the information; and

(4) Effective and efficient key management procedures, especially key lifecycle management and certificate lifecycle management, are in place.

Article 29. Commercial banks should put in place an effective and efficient system for securing all end-user computing equipment, which includes desktop personal computers (PCs), portable PCs, teller terminals, automatic teller machines (ATMs), passbook printers, debit or credit card readers, point of sale (POS) terminals, personal digital assistants (PDAs), etc., and conduct periodic security checks on all such equipment.

Article 30. Commercial banks should put in place a set of policies and procedures to govern the collection, processing, storage, transmission, dissemination, and disposal of customer information.

Article 31. All employees, including contract staff, should be provided with the necessary training to fully understand these policies and procedures and the consequences of their violation. Commercial banks should adopt a zero-tolerance policy against security violations.

Chapter V Application System Development, Testing and Maintenance

Article 32. Commercial banks should have the capability to identify, plan, acquire, develop, test, deploy, maintain, upgrade, and retire information systems. Policies and procedures should be in place to govern the initiation, prioritization, approval, and control of IT projects. Progress reports of major IT projects should be submitted to and reviewed by the IT steering committee periodically. Decisions involving significant change of schedule, change of key personnel, change of vendors, and major expenditures should be included in the progress report.

Article 33. Commercial banks should recognize the risks associated with IT projects, which include the possibilities of incurring various kinds of operational risk, financial losses, and opportunity costs stemming from ineffective project planning or inadequate project management controls of the bank. Therefore, appropriate project management methodologies should be adopted and implemented to control the risks associated with IT projects.

Article 34. Commercial banks should adopt and implement a system development methodology to control the life cycle of information systems. The typical phases of the system life cycle
