www.ChineseStandard.us (www.ChineseStandard.net)

CBRC63-2006 English PDF


CBRC63-2006:
CBRC63-2006
Guidelines for Banking Financial Institutions
Information System Risk Management
CBRC [2006] No.63
Chapter One General Provisions
Article 1 In order to prevent the risks that arise when banking financial
institutions use information systems to process business, conduct operational
management and exercise internal controls, and to promote the safe, continuous
and sound operation of the Chinese banking industry, this guideline is formulated
in accordance with the “Banking Supervision Management Law of the People's
Republic of China”, the relevant national information security requirements, and
the laws and regulations governing information system management.
Article 2 This guideline applies to banking financial institutions.
Banking financial institutions in this guideline refer to policy banks and to
financial institutions established in the People’s Republic of China that accept
public deposits, such as commercial banks, urban credit cooperatives, rural
cooperative banks and rural credit cooperatives.
This guideline also applies to financial asset management companies, trust and
investment corporations, finance companies, financial leasing companies and
auto financing companies established in the People’s Republic of China, as well
as to other financial institutions approved by the China Banking Regulatory
Commission (abbreviated as CBRC) or its agencies.
Article 3 Information system in this guideline refers to the business processing,
operational management and internal control systems in which banking financial
institutions use modern information and communication technology.
Article 4 Information system risk in this guideline refers to the operational,
legal and reputational risks caused by technical and managerial defects in an
information system during its planning, research, construction, operation,
maintenance, monitoring and decommissioning.
Article 5 The goal of information system risk management is to identify,
measure, evaluate, warn of and control information system risk by establishing
an effective mechanism, so as to promote the business innovation of banking
financial institutions, raise their level of informatization, and enhance their
core competitiveness and capacity for sustainable development.
Chapter Two Institutions’ Responsibilities
Article 6 Banking financial institutions shall establish an effective information
system risk management framework, a complete internal organizational structure
and working mechanism, and shall prevent and control information system risks.
Article 7 Banking financial institutions shall diligently perform the following
information system management responsibilities.
(1) Implementing the relevant national laws, regulations and technical standards
related to information system management, and complying with the relevant
supervisory requirements of CBRC.
(2) Establishing an effective information security system and internal control
regulations; defining a post responsibility system for information system risk
management; and supervising its implementation.
(3) Being responsible for the inspection, evaluation and analysis of the
institution’s information system risks; submitting the relevant management
information to the institution’s specialized committee and to CBRC and its
agencies.
(4) Reporting major information system accidents or emergencies promptly to
CBRC and its agencies in accordance with pre-arranged plans.
(5) After annual review by the board or other policy-making body, submitting an
annual report on information system risk management to CBRC and its
agencies.
(6) Carrying out the institution’s information system audit work properly.
(7) Cooperating with the information system risk supervision and inspection of
CBRC and its agencies, and rectifying issues in accordance with supervisory
advice.
(8) Organizing business, technical and security training on information systems
for the institution’s information system employees.
(9) Carrying out other work related to information system risk management.
Article 8 The board of a banking financial institution, or other policy-making
body, is responsible for the strategic planning, major projects and risk
supervision management of the information system. The Information Technology
Management Committee, Risk Management Committee or other specialized
committee responsible for risk supervision shall formulate the overall
information system strategy, plan information system project construction, and
regularly assess and report the institution’s information system risk situation,
so as to provide the decision-making level with suggestions for adopting
corresponding risk control measures.
Article 9 The legal representative or responsible person of a banking financial
institution shall be the person in charge of the institution’s information system
risk.
Article 10 Banking financial institutions shall set up a Department of
Information Technology responsible for the planning, research, operation,
maintenance and monitoring of the institution’s information system and for
providing daily information technology service and operational technical support.
They shall establish or designate a specialized information system risk
management department, which sets up and improves the information system
risk management rules and regulations, assists the operation department and the
information technology department in implementing them strictly, and provides
the relevant regulatory information. They shall also set up an auditing department
or specialized auditing posts, establish and improve the information system risk
auditing system, and staff information system risk auditing with appropriately
qualified personnel.
Article 11 Personnel engaged in information system work at banking financial
institutions shall meet the following requirements.
(1) Possessing good professional ethics; mastering and applying the professional
knowledge and skills required by the relevant information system posts;
(2) Personnel who have not been trained, or who have failed training, shall not
take up their posts; employees who fail assessments shall be reassigned in a
timely manner.
Article 12 Banking financial institutions shall strengthen the building of a
professional information system risk management team, establish an incentive
mechanism for talented personnel, and adapt to the development of information
technology.
Article 13 Banking financial institutions shall disclose the state of their
information system risks in a timely and standardized manner in accordance with
the relevant laws and regulations.
Chapter Three Overall Risk Control
Article 14 Overall risks refer to information system risks in areas such as
strategy, systems, machine rooms, software, hardware, networks, data and
documents that may affect the institution as a whole or are shared across it.
Article 15 Banking financial institutions shall formulate a clear and consistent
risk management strategy in line with the overall plan of the information system;
analyze and evaluate each integrated element according to the sensitivity of the
information system; and implement effective controls.
Article 16 Banking financial institutions shall adopt measures against natural
disasters and against security threats arising from changes in the operating
environment, so as to guard against emergencies of all kinds and hostile attacks.
Article 17 Banking financial institutions shall establish and improve the relevant
rules and regulations, technical specifications and operating instructions of the
information system; define the duties and authorities of the relevant information
system employees; establish mechanisms of mutual restraint; and implement the
principle of minimum authorization (least privilege).
Article 18 Chinese banking financial institutions established overseas, and
overseas banking financial institutions established in China, shall guard against
the cross-border risks created by differences between domestic and foreign
regulatory regimes for information systems.
Article 19 Banking financial institutions shall strictly implement the relevant
national information security standards, refer to the relevant international
standards, actively promote information security standardization, and implement
classified protection of information security.
Article 20 Banking financial institutions shall strengthen the evaluation and
testing of information systems, and repair and update them in a timely manner so
as to guarantee the security and integrity of the information system.
Article 21 The data center machine rooms of banking financial institutions’
information systems shall conform to the national technical standards for
computer sites, environment, power supply and distribution, and so on. A national
data center shall meet at least the national A-type machine room standard; a
provincial data center shall meet at least the national B-type machine room
standard; a data center below the provincial level shall meet at least the national
C-type machine room standard. Data center machine rooms shall implement strict
access control measures, and no one is allowed to enter without authorization.
Article 22 Banking financial institutions shall attach importance to intellectual
property protection, use genuine licensed software, strengthen software version
management, and give consideration to the use of software and hardware with
Chinese proprietary intellectual property.
Article 48 After an information system has been in production for a period of
time, banking financial institutions shall organize a post-implementation
evaluation of the system and adjust and optimize its functions according to the
evaluation results.
Article 49 Banking financial institutions shall carry out daily routine inspection
of the machine room environment, and define emergency handling procedures and
plans for the information system and machine room environment facilities for
when emergencies occur; data centers providing real-time transaction services
shall maintain 24-hour duty.
Article 50 Banking financial institutions shall implement event re...