Guidelines on the Risk Management of Commercial Banks’ Information Technology ——附加英文版
China Banking Regulatory Commission
Guidelines on the Risk Management of Commercial Banks’ Information Technology
Chapter I General Provisions
Article 1. Pursuant to the Law of the People’s Republic of China on Banking Regulation and Supervision, the Law of the People's Republic of China on Commercial Banks, the Regulations of the People’s Republic of China on Administration of Foreign-funded Banks, and other applicable laws and regulations, the Guidelines on the Risk Management of Commercial Banks’ Information Technology (hereinafter referred to as the Guidelines) is formulated.
Article 2. The Guidelines apply to all the commercial banks legally incorporated within the territory of the People’s Republic of China.
The Guidelines may apply to other banking institutions including policy banks, rural cooperative banks, urban credit cooperatives, rural credit cooperatives, village banks, loan companies, financial asset management companies, trust and investment companies, finance firms, financial leasing companies, automobile financial companies and money brokers.
Article 3. The term “information technology” stated in the Guidelines shall refer to the system built with computer, communication and software technologies, and employed by commercial banks to handle business transactions, operation management, and internal communication, collaborative work and controls. The term also include IT governance, IT organization structure and IT policies and procedures.
Article 4. The risk of information technology refers to the operational risk, legal risk and reputation risk that are caused by natural factor, human factor, technological loopholes or management deficiencies when using information technology.
Article 5. The objective of information system risk management is to establish an effective mechanism that can identify, measure, monitor, and control the risks of commercial banks’ information system, ensure data integrity, availability, confidentiality and consistency, provide the relevant early warning, and thereby enable commercial banks’ business innovations, uplift their capability in utilizing information technology, improve their core competitiveness and capacity for sustainable development.
Chapter II IT governance
Article 6. The legal representative of commercial bank should be responsible to ensure compliance of this guideline.
Article 7. The board of directors of commercial banks should have the following responsibilities with respect to the management of information systems:
(1) Implementing and complying with the national laws, regulations and technical standards pertaining to the management of information systems, as well as the regulatory requirements set by the China Banking Regulatory Commission (hereinafter referred to as the “CBRC”);
(2) Periodically reviewing the alignment of IT strategy with the overall business strategies and significant policies of the bank, assessing the overall effectiveness and efficiency of the IT organization.
(3) Approving IT risk management strategies and policies, understanding the major IT risks involved, setting acceptable levels for these risks, and ensuring the implementation of the measures necessary to identify, measure, monitor and control these risks.
(4) Setting high ethical and integrity standards, and establishing a culture within the bank that emphasizes and demonstrates to all levels of personnel the importance of IT risk management.
(5) Establishing an IT steering committee which consists of representatives from senior management, the IT organization, and major business units, to oversee these responsibilities and report the effectiveness of strategic IT planning, the IT budget and actual expenditure, and the overall IT performance to the board of directors and senior management periodically.
(6) Establishing IT governance structure, proper segregation of duty, clear role and responsibility, maintaining check and balances and clear reporting relationship. Strengthening IT professional staff by developing incentive program.
(7) Ensuring that there is an effective internal audit of the IT risk management carried out by operationally independent, well-trained and qualified staff. The internal audit report should be submitted directly to the IT audit committee;
(8) Submitting an annual report to the CBRC and its local offices on information system risk management that has been reviewed and approved by the board of directors ;
(9) Ensuring the appropriating funding necessary for IT risk management works;
(10) Ensuring that all employees of the bank fully understand and adhere to the IT risk management policies and procedures approved by the board of directors and the senior management, and are provided with pertinent training.
(11) Ensuring customer information, financial information, product information and core banking system of the legal entity are held independently within the territory, and complying with the regulatory on-site examination requirements of CBRC and guarding against cross-border risk.
(12) Reporting in a timely manner to the CBRC and its local offices any serious incident of information systems or unexpected event, and quickly respond to it in accordance with the contingency plan;
(13) Cooperating with the CBRC and its local offices in the supervisory inspection of the risk management of information systems, and ensure that supervisory opinions are followed up; and
(14) Performing other related IT risk management tasks.
Article 8. The head of the IT organization, commonly known as the Chief Information Officer (CIO) should report directly to the president. Roles and responsibilities of the CIO should include the following:
(1) Playing a direct role in key decisions for the business development involving the use of IT in the bank;
(2) The CIO should ensure that information systems meet the needs of the bank, and IT strategies, in particular information system development strategies, comply with the overall business strategies and IT risk management policies of the bank;
(3) The CIO should also be responsible for the establishment of an effective and efficient IT organization to carry out the IT functions of the bank. These include the IT budget and expenditure, IT risk management, IT policies, standards and procedures, IT internal controls, professional development, IT project initiatives, IT project management, information system maintenance and upgrade, IT operations, IT infrastructure, Information security, disaster recovery plan (DRP), IT outsourcing, and information system retirement;
(4) Ensuring the effectiveness of IT risk management throughout the organization including all branches.
(5) Organizing professional trainings to improve technical proficiency of staff.
(6) Performing other related IT risk management tasks.
Article 9. Commercial banks should ensure that a clear definition of the IT organization structure and documentation of all job descriptions of important positions are always in place and updated in a timely manner. Staff in each position should meet relevant requirements on professional skills and knowledge. The following risk mitigation measures should be incorporated in the management program of related staff:
(1) Verification of personal information including confirmation of personal identification issued by government, academic credentials, prior work experience, professional qualifications;
(2) Ensuring that IT staff can meet the required professional ethics by checking character reference;
(3) Signing of agreements with employees about understanding of IT policies and guidelines, non-disclosure of confidential information, authorized use of information systems, and adherence to IT policies and procedures; and
(4) Evaluation of the risk of losing key IT personnel, especially during major IT development stage or in a period of unstable IT operations, and the relevant risk mitigation measures such as staff backup arrangement and staff succession plan.
Article 10. Commercial banks should establish or designate a particular department for IT risk management. It should report directly to the CIO and the Chief Risk Officer (or risk management committee), serve as a member of the IT incident response team, and be responsible for coordinating the establishment of policies regarding IT risk management, especially the areas of information security, BCP, and compliance with the CBRC regulations, advising the business departments and IT department in implementing these policies, providing relevant compliance information, conducting on-going assessment of IT risks, and ensuring the follow-up of remediation advice, monitoring and escalating management of IT threats and non-compliance events.
Article 11. Commercial banks should establish a special IT audit role and responsibility within internal audit function, which should put in place IT audit policies and procedures, develop and execute IT audit plan.
Article 12. Commercial banks should put in place policies and procedures to protect intellectual property rights according to laws regarding intellectual properties, ensure purchase of legitimate software and hardware, prevention of the use of pirated software, and the protection of the proprietary rights of IT products developed by the bank, and ensure that these are fully understood and complied by all employees.
Article 13. Commercial banks should, in accordance with relevant laws and regulations, disclose the risk profile of their IT normatively and timely.
Chapter III IT Risk Management
Article 14. Commercial banks should formulate an IT strategy that aligns with the overall business plan of the bank, IT risk assessment plan and an IT operational plan that can ensure adequate financial resources and human resources to maintain a stable and secure IT environment.
Article 15. Commercial banks should put in place a comprehensive set of IT risk management policies that include the following areas:
(1) Information security classification policy
(2) System development, testing and maintenance policy
(3) IT operation and maintenance policy
(4) Access control policy
(5) Physical security policy
(6) Personnel security policy
(7) Business Continuity Planning and Crisis and Emergency Management procedure
Article 16. Commercial banks should maintain an ongoing risk identification and assessment process that allows the bank to pinpoint the areas of concern in its information systems, assess the potential impact of the risks on its business, rank the risks, and prioritize mitigation actions and the necessary resources (including outsourcing vendors, product vendors and service vendors).
Article 17. Commercial banks should implement a comprehensive set of risk mitigation measures complying with the IT risk management policies and commensurate with the risk assessment of the bank. These mitigation measures should include:
(1) A set of clearly documented IT risk policies, technical standards, and operational procedures, which should be communicated to the staff frequently and kept up to date in a timely manner;
(2) Areas of potential conflicts of interest should be identified, minimized, and subject to careful, independent monitoring. Also it requires that an appropriate control structure is set up to facilitate checks and balances, with control activities defined at every business level, which should include:
- Top level reviews;
- Controls over physical and logical access to data and system;
- Access granted on “need to know” and “minimum authorization” basis;
- A system of approvals and authorizations; and
- A system of verification and reconciliation.
Article 18. Commercial banks should put in place a set of ongoing risk measurement and monitoring mechanisms, which should include
(1) Pre and post-implementation review of IT projects;
(2) Benchmarks for periodic review of system performance;
(3) Reports of incidents and complaints about IT services;
(4) Reports of internal audit, external audit, and issues identified by CBRC; and
(5) Arrangement with vendors and business units for periodic review of service level agreements (SLAs).
(6) The possible impact of new development of technology and new threats to software deployed.
(7) Timely review of operational risk and management controls in operation area.
(8) Assess the risk profile on IT outsourcing projects periodically.
Article 19. Chinese commercial banks operating offshore and the foreign commercial banks in China should comply with the relevant regulatory requirements on information systems in and outside the People’s Republic of China.
Chapter IV Information Security
Article 20. Information technology department of commercial banks should oversee the establishment of an information classification and protection scheme. All employees of the bank should be made aware of the importance of ensuring information confidentiality and provided with the necessary training to fully understand the information protection procedures within their responsibilities.
Article 21. Commercial banks should put in place an information security management function to develop and maintain an ongoing information security management program, promote information security awareness, advise other IT functions on security issues, serve as the leader of IT incident response team, and report the evaluation of the information security of the bank to the IT steering committee periodically. The Information security management program should include Information security standards, strategy, an implementation plan, and an ongoing maintenance plan.
Information security policy should include the following areas:
(1) IT security policy management
(2) Organization information security
(3) Asset management
(4) Personnel security
(5) Physical and environment security
(6) Communication and operation security
(7) Access control and authentication
(8) Acquirement, development and maintenance of information system
(9) Information security event management
(10) Business continuity management
(11) Compliance
Article 22. Commercial banks should have an effective process to manage user authentication and access control. Access to data and system should be strictly limited to authorized individuals whose identity is clearly established, and their activities in the information systems should be limited to the minimum required for their legitimate business use. Appropriate user authentication mechanism commensurate with the classification of information to be accessed should be selected. Timely review and removal of user identity from the system should be implemented when user transfers to a new job or leave the commercial bank.
Article 23. Commercial banks should ensure all physical security zones, such as computer centers or data centers, network closets, areas containing confidential information or critical IT equipment, and respective accountabilities are clearly defined, and appropriate preventive, detective, and recuperative controls are put in place.
Article 24. Commercial banks should divide their networks into logical security domains (hereinafter referred to as the “domain”) with different levels of security. The following security factors have to be assessed in order to define and implement effective security controls, such as physical or logical segregation of network, network filtering, logical access control, traffic encryption, network monitoring, activity log, etc., for each domain and the whole network.
(1) criticality of the applications and user groups within the domain;
(2) Access points to the domain through various communication channels;
(3) Network protocols and ports used by the applications and network equipment deployed within the domain;
(4) Performance requirement or benchmark;
(5) Nature of the domain, i.e. production or testing, internal or external;
(6) Connectivity between various domains; and
(7) Trustworthiness of the domain.
Article 25. Commercial banks should secure the operating system and system software of all computer systems by
(1) Developing baseline security requirement for each operating system and ensuring all systems meet the baseline security requirement;
(2) Clearly defining a set of access privileges for different groups of users, namely, end-users, system development staff, computer operators, and system administrators and user administrators;
(3) Setting up a system of approval, verification, and monitoring procedures for using the highest privileged system accounts;
(4) Requiring technical staff to review available security patches, and report the patch status periodically; and
(5) Requiring technical staff to include important items such as unsuccessful logins, access to critical system files, changes made to user accounts, etc. in system logs, monitors the systems for any abnormal event manually or automatically, and report the monitoring periodically.
Article 26. Commercial banks should ensure the security of all the application systems by
(1) Clearly defining the roles and responsibilities of end-users and IT staff regarding the application security;
(2) Implementing a robust authentication method commensurate with the criticality and sensibility of the application system;
(3) Enforcing segregation of duties and dual control over critical or sensitive functions;
(4) Requiring verification of input or reconciliation of output at critical junctures;
(5) Requiring the input and output of confidential information are handled in a secure manner to prevent theft, tampering, intentional leakage, or inadvertent leakage;
(6) Ensuring system can handle exceptions in a predefined way and provide meaningful message to users when the system is forced to terminate; and
(7) Maintaining audit trail in either paper or electronic format.
(8) Requiring user administrator to monitor and review unsuccessful logins and changes to users accounts.
Article 27. Commercial banks should have a set of policies and procedures controlling the logging of activities in all production systems to support effective auditing, security forensic analysis, and fraud prevention. Logging can be implemented in different layers of software and on different computer and networking equipment, which falls into two broad categories:
(1) Transaction journals. They are generated by application software and database management system, and contain authentication attempts, modification to data, error messages, etc. Transaction journals should be kept according to the national accounting policy.
(2) System logs. They are generated by operating systems, database management system, firewalls, intrusion detection systems, and routers, etc., and contain authentication attempts, system events, network events, error messages, etc. System logs should be kept for a period scaled to the risk classification, but no less than one year.
Banks should ensure that sufficient items be included in the logs to facilitate effective internal controls, system troubleshooting, and auditing while taking appropriate measures to ensure time synchronization on all logs. Sufficient disk space should be allocated to prevent logs from being overwritten. System logs should be reviewed for any exception. The review frequency and retention period for transaction logs or database logs should be determined jointly by IT organization and pertinent business lines, and approved by the IT steering committee.
Article 28. Commercial banks should have the capacity to employ encryption technologies to mitigate the risk of losing confidential information in the information systems or during its transmission. Appropriate management processes of the encryption facilities should be put in place to ensure that
(1) Encryption facilities in use should meet national security standards or requirements;
(2) Staff in charge of encryption facilities are well trained and screened;
(3) Encryption strength is adequate to protect the confidentiality of the information; and
(4) Effective and efficient key management procedures, especially key lifecycle management and certificate lifecycle management, are in place.
Article 29. Commercial banks should put in place an effective and efficient system of securing all end-user computing equipment which include desktop personal computers (PCs), portable PCs, teller terminals, automatic teller machines (ATMs), passbook printers, debit or credit card readers, point of sale (POS) terminals, personal digital assistant (PDAs), etc and conduct periodic security checks on all equipments.
Article 30. Commercial banks should put in place a set of policies and procedures to govern the collection, processing, storage, transmission, dissemination, and disposal of customer information.
Article 31. All employees, including contract staff, should be provided with the necessary trainings to fully understand these policies procedures and the consequences of their violation. Commercial banks should adopt a zero tolerance policy against security violation.
Chapter V Application System Development, Testing and Maintenance
Article 32. Commercial banks should have the capability to identify, plan, acquire, develop, test, deploy, maintain, upgrade, and retire information systems. Policies and procedures should be in place to govern the initiation, prioritization, approval, and control of IT projects. Progress reports of major IT projects should be submitted to and reviewed by the IT steering committee periodically. Decisions involving significant change of schedule, change of key personnel, change of vendors, and major expenditures should be included in the progress report.
Article 33. Commercial banks should recognize the risks associated with IT projects, which include the possibilities of incurring various kinds of operational risk, financial losses, and opportunity costs stemming from ineffective project planning or inadequate project management controls of the bank. Therefore, appropriate project management methodologies should be adopted and implemented to control the risks associated with IT projects.
Article 34. Commercial banks should adopt and implement a system development methodology to control the life cycle of Information systems. The typical phases of system life cycle include system analysis, design, development or acquisition, testing, trial run, deployment, maintenance, and retirement. The system development methodology to be used should be commensurate with the size, nature, and complexity of the IT project, and, generally speaking, should facilitate the management of the following risks.
Article 35. Commercial banks should ensure system reliability, integrity, and maintainability by controlling system changes with a set of policies and procedures, which should include the following elements.
(1) Ensure that production systems are separated from development or testing systems;
(2) Separating the duties of managing production systems and managing development or testing systems;
(3) Prohibiting application development and maintenance staff from accessing production system under normal circumstances unless management approval is granted to perform emergency repair, and all emergency repair activities should be recorded and reviewed promptly;
(4) Promoting changes of program or system configuration from development and testing systems to production systems should be jointly approved by IT organization and business departments, properly documented, and reviewed periodically.
Article 36. Commercial banks should have in place a set of policies, standards, and procedures to ensure data integrity, confidentiality, and availability. These policies should be in accordance with data integrity amid IT development procedure.
Article 37. Commercial banks should ensure that Information system problems could be tracked, analyzed, and resolved systematically through an effective problem management process. Problems should be documented, categorized, and indexed. Support services or technical assistance from vendors, if necessary, should also be documented. Contacts and relevant contract information should be made readily available to the employees concerned. Accountability and line of command should be delineated clearly and communicated to all employees concerned, which is of utmost importance to performing emergency repair.
Article 38. Commercial banks should have a set of policies and procedures controlling the process of system upgrade. System upgrade is needed when the hardware reaches its lifespan or runs out of capacity, the underpinning software, namely, operating system, database management system, middleware, has to be upgraded, or the application software has to be upgraded. The system upgrade should be treated as a project and managed by all pertinent project management controls including user acceptance testing.
Chapter VI IT Operations
Article 39. Commercial banks should consider fully the environmental threats (e.g. proximity to natural disaster zones, dangerous or hazardous facilities or busy/major roads) when selecting the locations of their data centers. Physical and environmental controls should be implemented to monitor environmental conditions could affect adversely the operation of information processing facilities. Equipment facilities should be protected from power failures and electrical supply interference.
Article 40. In controlling access by third-party personnel (e.g. service providers) to secured areas, proper approval of access should be enforced and their activities should be closely monitored. It is important that proper screening procedures including verification and background checks, especially for sensitive technology-related jobs, are developed for permanent and temporary technical staff and contractors.
Article 41. Commercial banks should separate IT operations or computer center operations from system development and maintenance to ensure segregation of duties within the IT organization. The commercial banks should document the roles and responsibilities of data center functions.
Article 42. Commercial banks are required to retain transactional records in compliance with the national accounting policy. Procedures and technology are needed to be put in place to ensure the integrity, safekeeping and retrieval requirements of the archived data.
Article 43. Commercial banks should detail operational instructions such as computer operator tasks, job scheduling and execution in the IT operations manual. The IT operations manual should also cover the procedures and requirements for on-site and off-site backup of data and software in both the production and development environments (i.e. frequency, scope and retention periods of back-up).
Article 44. Commercial banks should have in place a problem management and processing system to respond promptly to IT operations incidents, to escalate reported incidents to relevant IT management staff and to record, analyze and keep tracks of all these incidents until rectification of the incidents with root cause analysis completed. A helpdesk function should be set up to provide front-line support to users on all technology-related problems and to direct the problems to relevant IT functions for investigation and resolution.
Article 45. Commercial banks should establish service level agreement and assess the IT service level standard attained.
Article 46. Commercial banks should implement a process to ensure that the performance of application systems is continuously monitored and exceptions are reported in a timely and comprehensive manner. The performance monitoring process should include forecasting capability to enable exceptions to be identified and corrected before they affect system performance.
Article 47. Commercial banks should carry out capacity plan to cater for business growth and transaction increases due to changes of economic conditions. Capacity plan should be extended to cover back-up systems and related facilities in addition to the production environment.
Article 48. Commercial banks should ensure the continued availability of technology related services with timely maintenance and appropriate system upgrades. Proper record keeping (including suspected and actual faults and preventive and corrective maintenance records) is necessary for effective facility and equipment maintenance.
Article 49. Commercial banks should have an effective change management process in place to ensure integrity and reliability of the production environment. Commercial banks should develop a formal change management process.
Chapter VII Business Continuity Management
Article 50. Commercial banks should have in place appropriate arrangements, having regard to the nature, scale and complexity of its business, to ensure that it can continue to function and meet its regulatory obligations in the event of an unforeseen interruption. These arrangements should be regularly updated and tested to ensure their effectiveness.
Article 51. Commercial banks should consider the likelihood and impact of a disruption to the continuity of its operation from unexpected events. This should include assessing the disruptions to which it is particularly susceptible including but not limited to:
(1) Loss of failure of internal and external resources (such as people, systems and other assets);
(2) The loss or corruption of its information; and
(3) External events (such as war, earthquake, typhoon, etc).
Article 52. Commercial bank should act to reduce both the likelihood of disruptions (including system resilience and dual processing); and the impact of disruptions (including by contingency arrangements and insurance).
Article 53. Commercial bank should document its strategy for maintaining continuity of its operations, and its plans for communicating and regularly testing the adequacy and effectiveness of this strategy. Commercial bank should establish:
(1) Formal business continuity plans that outline arrangements to reduce the impact of a short, medium and long-term disruption, including:
a) Resource requirements such as people, systems and other assets, and arrangements for obtaining these resources;
b) The recovery priorities for the commercial bank’s operations; and
c) Communication arrangements for internal and external concerned parties (including CBRC, clients and the press);
(2) Escalation and invocation plans that outline the processes for implementing the business continuity plans, together with relevant contact information;
(3) Processes to validate the integrity of information affected by the disruption;
(4) Processes to review and update (1) to (3) following changes to the commercial bank’s operations or risk profile.
Article 54. A final BCP plan and an annual drill result must be signed off by the IT Risk management, or internal auditor and IT Steering Committee.
Chapter VIII Outsourcing
Article 55. Commercial banks cannot contract out its regulatory obligations and should take reasonable care to supervise the discharge of outsourcing functions.
Article 56. Commercial banks should take particular care to manage material outsourcing arrangement (such as outsourcing of data center, IT infrastructure, etc.), and should notify CBRC when it intends to enter into material outsourcing arrangement.
Article 57. Before entering into, or significantly changing, an outsourcing arrangement, the commercial bank should:
(1) Analyze how the arrangement will fit with its organization and reporting structure; business strategy; overall risk profile; and ability to meet its regulatory obligations;
(2) Consider whether the arrangements will allow it to monitor and control its operational risk exposure relating to the outsourcing;
(3) Conduct appropriate due diligence of the service provider’s financial stability, expertise and risk assessment of the service provider, facilities and ability to cover the potential liabilities;
(4) Consider how it will ensure a smooth transition of its operations from its current arrangements to a new or changed outsourcing arrangement (including what will happen on the termination of the contract); and
(5) Consider any concentration risk implications such as the business continuity implications that may arise if a single service provider is used by several firms.
Article 58. In negotiating its contract with a service provider, the commercial bank should have regard to ( but not limited to ):
(1) Reporting and negotiation requirements it may wish to impose on the service provider;
(2) Whether sufficient access will be available to its internal auditors, external auditors and banking regulators;
(3) Information ownership rights, confidentiality agreements and Firewalls to protect client and other information (including arrangements at the termination of contract);
(4) The adequacy of any guarantees and indemnities;
(5) The extent to which the service provider must comply with the commercial bank’s polices and procedures covering IT Risk;
(6) The extent to which the service provider will provide business continuity for outsourced operations, and whether exclusive access to its resources is agreed;
(7) The need for continued availability of software following difficulty at a third party supplier;
(8) The processes for making changes to the outsourcing arrangement and the conditions under which the commercial bank or service provider can choose to change or terminate the outsourcing arrangement, such as where there is:
a) A change of ownership or control of the service provider or commercial bank; or
b) Significant change in the business operations of the service provider or commercial bank; or
c) Inadequate provision of services that may lead to the commercial bank being unable to meet its regulatory obligations.
Article 59. In implementing a relationship management framework, and drafting the service level agreement with the service provider, the commercial bank should have regarded to (but not limited to):
(1) The identification of qualitative and quantitative performance targets to assess the adequacy of service provision, to both the commercial bank and its clients, where appropriate;
(2) The evaluation of performance through service delivery reports and periodic self assessment and independent review by internal or external auditors; and
(3) Remediation action and escalation process for dealing with inadequate performance.
Article 60. The commercial bank should enhance IT related outsourcing management, in place following (not limited to ) measures to ensure data security of sensitive information such as customer information:
(1) Effectively separated from other customer information of the service provider;
(2) The related staff of service provider should be authorized on “need to know” and “minimum authorization” basis;
(3) Ensure service provider guarantee its staff for meeting the confidential requests;
(4) All outsourcing arrangements related to customer information should be identified as material outsourcing arrangements and the customers should be notified;
(5) Strictly monitor re-outsourcing actions of the service provider, and implement adequate control measures to ensure information security of the bank;
(6) Ensure all related sensitive information be refunded or deleted from the service provider’s storage when terminating the outsourcing arrangement.
Article 61. The commercial bank should ensure that it has appropriate contingency in the event of a significant loss of services from the service provider. Particular issues to consider include a significant loss of resources, turnover of key staff, or financial failure of, the service provider, and unexpected termination of the outsourcing agreement.
Article 62. All outsourcing contracts must be reviewed or signed off by IT Risk management, internal IT auditors, legal department and IT Steering Committee. There should be a process to periodically review and refine the service level agreements.
Chapter IX Internal Audit
Article 63. Depending on the nature, scale and complexity of its business, it may be appropriate for the commercial banks to delegate much of the task of monitoring the appropriateness and effectiveness of its systems and controls to an internal audit function. An internal audit function should be adequately resourced and staffed by competent individuals, be independent of the day-to-day activities of the commercial bank and have appropriate access to the bank’s records.
Article 64. The responsibilities of the internal IT audit function are:
(1) To establish, implement and maintain an audit plan to examine and evaluate the adequacy and effectiveness of the bank’s systems and internal control mechanisms and arrangements;
(2) To issue recommendations based on the result of work carried out in accordance with 1;
(3) To verify compliance with those recommendations;
(4) To carry out special audit on information technology. The term “special audit” of information technology refers to the investigation, analysis and assessment on the security incidents of the information system, or the audit performed on a special subject based on IT risk assessment result as deemed necessary by the audit department.
Article 65. Based on the nature, scale and complexity of its business, deployment of information technology and IT risk assessment, commercial banks could determine the scope and frequency of IT internal audit. However, a comprehensive IT internal audit shall be performed at a minimum once every 3 years.
Article 66. Commercial banks should engage its internal audit department and IT Risk management department when implementing system development of significant size and scale to ensure it meets the IT Risk standards of the Commercial banks.
Chapter X External Audit
Article 67. The external information technology audit of commercial banks can be carried out by certified service providers in accordance with laws, rules and regulations.
Article 68. The commercial bank should ensure IT audit service provider to review and examine bank’s hardware, software, documentation and data to identify IT risk when they are commissioned to perform the audit. Vital commercial and technical information which is protected by national laws and regulations should not be reviewed.
Article 69. Commercial bank should communicate with the service provider in depth before the audit to determine audit scope, and should not withhold the truth or do not corporate with the service provider intentionally.
Article 70. CBRC and its local offices could designate certified service providers to carry out IT audit or related review on commercial banks when needed. When carrying out audit on commercial banks, as commissioned or authorized by CBRC or its local offices, the service providers shall present the letter of authority, and carry out the audit in accordance to the scope prescribed in the letter of authority.
Article 71. Once the IT audit report produced by the service providers is reviewed and approved by CBRC or its local offices, the report will have the same legal status as if it is produced by the CBRC itself. Commercial banks should come up with a correction action plan prescribed in the report and implement the corrective actions according to the timeframe.
Article 72. Commercial banks should ensure the service providers to strictly comply with laws and regulations to keep confidential and data security of any commercial secrets and private information learnt and IT risk information when conducting the audit. The service provider should not modify copy or take away any documents provided by the commercial banks.
Chapter XI Supplementary Provisions
Article 73. Commercial banks with no board of directors should have their operating decision-making bodies perform the responsibilities of the board with regard to IT risk management specified herein.
Article 74. The China Banking Regulatory Commission supervises and regulates the IT risk management of commercial banks under its authority by law.
Article 75. The power of interpretation and modification of the Guidelines shall rest with the China Banking Regulatory Commission.
Article 76. The Guidelines shall become effective as of the date of its issuance and the former Guidelines on the Risk Management of Banking Institutions’ Information Systems shall be revoked at the same time.
长春市无规定动物疫病区建设管理条例
吉林省长春市人大常委会
长春市无规定动物疫病区建设管理条例
长春市人大常委会
由长春市第十一届人民代表大会常务委员会第十次会议于1999年4月29日通过,经吉林省第九届人民代表大会常务委员会第十一次会议于1999年7月23日批准
第一章 总则
第一条 为了加强无规定动物疫病区的建设管理,有效预防、控制和扑灭动物疫病,保障人体健康,促进牧业经济发展,根据有关法律、法规的规定,结合本市实际,制定本条例。
第二条 本条例所称动物,是指家畜、家禽和人饲养、合法捕获的其他动物。
本条例所称动物产品,是指动物的生皮、原毛、精液、胚胎、种蛋以及未加工的胴体、脂、脏器、鲜奶、血液、绒、骨、角、头、蹄等。
本条例所称规定动物疫病,是指国家规定控制的口蹄疫等动物疫病以及国际动物卫生组织规定的其他A类动物疫病(病种名录附后)。
本条例所称无规定动物疫病区,是指没有前款动物疫病即规定动物疫病危害,并达到国家综合考核标准的区域。
第三条 本条例界定的无规定动物疫病区范围为本市行政区域。
本条例适用无规定动物疫病区的建设管理。
从事动物、动物产品生产、经营活动的单位和个人,必须遵守本条例。
第四条 各级人民政府统一领导无规定动物疫病区的建设管理工作。
市、县(市)、区人民政府的牧业管理部门,组织实施本行政区无规定动物疫病区的建设管理工作。牧业管理部门所属的动物防疫监督机构,具体实施动物防疫和动物防疫监督。
市、县(市)、区人民政府的各有关部门应当按照各自分工,做好相关的管理工作。
第五条 无规定动物疫病区的建设管理实行统一规划、分期实施、辖区管理、依法治理的原则。
第二章 无规定动物疫病区的建设
第六条 无规定动物疫病区的建设,应当符合城市总体规划。市人民政府的牧业管理部门会同有关部门编制无规定动物疫病区的建设规划,报市人民政府批准。
县(市)、区人民政府,应当根据全市无规定动物疫病区建设规划,编制本辖区的详细规划,报市牧业管理部门批准。
第七条 无规定动物疫病区的建设以县(市)、区为单位。出口动物、动物产品的单位,种用、乳用动物饲养场,大型饲养场和铁路、主要公路沿线两侧乡(镇)为无规定动物疫病区的建设重点区域。
第八条 无规定动物疫病区应当符合下列标准:
(一)规定动物疫病的控制,按照病种的不同,必须分别达到国家规定的控制、稳定控制、扑灭和消灭标准;
(二)猪、羊病死率控制在5%以下,禽病死率控制在13%以下,马、驴、骡、牛、鹿病死率控制在1%以下;
(三)产地检疫率,屠宰动物受检率,上市动物产品持证率,免疫证明出证率均达到100%。
(四)具备对动物疫病预防、控制、扑灭的快速反应能力和综合管理能力,动物防治技术和管理达到国家规定标准。
第九条 按照国家规定建立无规定动物疫病区信息网络,对有关法律、规划、标准、疫情动态、重大事件资料、牧业发展状况及国际动物卫生管理办法等,分别归档,并实现微机联网。
第十条 无规定动物疫病区扑灭动物疫病应当组建快速反应队伍,配置扑灭动物疫病指挥、消毒、无害化处理专用车辆,装置二类警示器具和通讯工具。
第十一条 市级畜牧兽医诊断(化验)室应当具备对规定动物疫病快速诊断、疫情监测、兽药检验、饲料质量监测、动物产品药残监控和与国际同类化验室的双边或者多边认证能力。
县级畜牧兽医诊断(化验)室应当具备对常见病、多发病的检验诊断能力。
乡级畜牧兽医诊断(化验)室应当具备对常见病的常规检验能力。
第十二条 市、县(市)、区、乡(镇)冷链系统,应当具备规定的冷藏设备、设施和专用运输工具,保证疫苗的有效使用。
第十三条 完善市、县、乡、村四级动物疫病防疫网络,建设一支与无规定动物疫病区建设管理相适应的防疫队伍。
第十四条 市、县(市)、区人民政府应当安排无规定动物疫病区专项资金,并将预防、控制和扑灭规定动物疫病所需经费列入财政预算。
第三章 规定动物疫病的预防
第十五条 无规定动物疫病区的家畜、家禽实行封闭(圈、舍、庭院)饲养。
马属动物、反刍动物和鸭、鹅限定地点放养。
第十六条 各级动物防疫监督机构和乡(镇)动物防疫组织以及防疫人员应当按照规定负责动物疫病的计划免疫工作,对规定动物疫病实施强制免疫。
第十七条 饲养经营动物和生产经营动物产品的单位和个人,应当依照本条例和国家有关规定做好动物疫病的计划免疫和预防工作,并接受动物防疫监督机构的监测、监督。
出口动物、动物产品的单位和个人,应当依照进口国家和地区的有关免疫规定进行免疫。
第十八条 种用、乳用动物应当达到国家规定的健康合格标准。
第十九条 生产、经营动物、动物产品的单位和个人,必须定期对动物、动物产品生产、经营的有关场所进行消毒。
第二十条 动物预防用生物制品,由县级以上动物防疫监督机构组织供应。从本市行政区域外订购的,由市动物防疫监督机构负责组织。
大型畜禽饲养场也可按规定程序进口本场自用的兽用生物制品,但必须按规定报防疫部门备案。
第二十一条 生产动物饲料必须符合动物防疫条件,所有的动物性原料必须是经检疫合格的动物产品。
第二十二条 从本市行政区域外和国外引进的种用畜禽,应当来自过去3年内未曾发生本条例规定的动物疫病的产地,或者来自非疫区的无规定动物疫病的畜禽场或者农场。
第二十三条 对进出本市的动物、动物产品,动物防疫监督机构应当进行查证验物,查验证明不相符的,可进行抽检或者再次免疫。
第二十四条 无规定动物疫病区动物防疫费,应当由动物饲养的单位或者个人按照其饲养数量承担;属于乡(镇)、村组织防疫的,由乡(镇)、村按照有关规定收取,牧业管理部门统一管理,专款专用,乡(镇)经营管理站监督审计。
第四章 规定动物疫病的控制和扑灭
第二十五条 动物疫情实行报告制度。
任何单位和个人发现患有规定动物疫病或者疑似规定动物疫病的动物,均应当及时向当地动物防疫监督机构或者乡(镇)动物防疫组织报告疫情。
任何单位和个人不得瞒报、谎报或者阻碍他人报告疫情。
第二十六条 生产、经营动物的单位和个人,在报告动物疫情同时,应当对患有规定动物疫病或者疑似规定动物疫病及同群易感动物分别进行隔离观察,并停止销售、使役等活动。
第二十七条 各级动物防疫监督机构或者乡(镇)动物防疫组织在接到疫情报告后,应当立即到现场进行疫病诊断,对患有规定动物疫病或者疑似规定动物疫病的动物,采取必要的控制措施,并按照规定上报疫情。当地不能确诊的,应当采取病料送交上一级动物防疫监督机构确诊。
第二十八条 确定动物已患有规定动物疫病时,市、县(市)、区牧业管理部门应当立即进行划定疫点、疫区和受威胁区,按照程序及时报请同级人民政府发布疫区封锁令,对疫区实行封锁。
第二十九条 有下列情形之一的,市、县(市)、区人民政府可以对动物和其他物品组织扑杀、销毁或者隔离处理:
(一)已患有或者疑似感染了规定动物疫病的动物;
(二)与前项动物接触或者邻近的动物;
(三)已接触或者靠近传染源的动物产品、副产品、秸秆、饲料、粪便、垫料等物品。
任何单位和个人不得对应当予以扑杀的动物拒绝扑杀,不得拒绝进行无害化外理。
第三十条 对病死或者死因不明的动物尸体,不得任意弃置或者剖检,应当在远离住宅、饮用水源、河流、道路和家畜、家禽不易接近的地点进行烧毁后深埋。
第三十一条 禁止输出疫区内的动物、动物产品和动物粪便、秸秆、饲料及其他污染物品。
第三十二条 禁止非疫区的动物进入疫区。
对允许出入疫区的人员、运输工具及物品应当采取消毒和其他限制性措施。
第三十三条 动物防疫监督机构经对疫区所发疾病至少一个潜伏期的监测,确定无病原存在后,按程序报原发布封锁令的人民政府解除封锁。
第三十四条 对因扑杀动物给动物所有者造成的经济损失,各级人民政府应当给予适当的经济补助。具体补助办法由市人民政府制定。
对不按照计划免疫或者不接受强制免疫的动物进行扑杀后,对其所有者不予补助。
第五章 动物和动物产品的检疫
第三十五条 动物、动物产品实行检疫制度。
动物防疫监督机构实施检疫时应当依据国家标准。对出口动物、动物产品检疫应当依据国际惯例或者进口国检疫标准。
第三十六条 动物、动物产品离开原产地之前,必须进行检疫,检疫合格后由动物防疫监督机构发给检疫证明。
第三十七条 运输动物、动物产品时,托运人必须提供检疫证明,承运人须凭检疫证明承运。
动物防疫监督机构应当依法对运输动物、动物产品和运载工具、垫料、包装物等进行防疫检查和消毒。
第三十八条 屠宰加工厂的待宰动物,必须附有产地检疫证明或者运输检疫证明和运载工具消毒证明。不得屠宰加工未经检疫或者检疫不合格的动物。
屠宰的动物,必须对其进行宰前检疫和宰后检疫。
第三十九条 进入本市行政区域内进行动物、动物产品交易的,必须到当地动物防疫监督机构报检。
第四十条 凡经营进口动物、动物产品的,必须在动物、动物产品进入本市24小时内,持海关、出入境检疫检验等部门的有关手续,向当地动物防疫监督机构报检。
第四十一条 进入动物交易市场的动物,必须附有产地检疫证明或者运输检疫证明和运载工具消毒证明。
第四十二条 动物交易市场应当符合动物防疫条件,定期进行清洗和消毒。
动物交易市场应当建立动物交易档案,保存期为1年。
第六章 监督与管理
第四十三条 从事动物、动物产品的饲养、屠宰、加工、贮存、销售的单位(业户),应当按照规定到县级以上牧业管理部门办理《畜禽及其产品经营卫生许可证》。
禁止无证从事前款规定的经营活动。
第四十四条 动物饲养场所、交易市场、贮存场所、屠宰厂、肉类联合加工厂、其他定点屠宰场(点)和动物产品冷藏场所的工程的选址和设计以及动物饲养场、屠宰厂、肉类联合加工厂和其他定点屠宰场(点)等单位,从事动物饲养、经营和动物产品生产、经营活动,均应当符合国
家规定的动物防疫条件,并接受动物防疫监督机构的监督检查。
第四十五条 任何单位和个人禁止贮存、运输、加工、销售下列动物、动物产品:
(一)封锁疫区内与所发生动物疫病有关的;
(二)疫区内易感染的;
(三)依法应当检疫而未经检疫或者不合格的;
(四)染疫的;
(五)病死或者死因不明的;
(六)其他不符合动物防疫规定的。
第四十六条 经营动物产品的单位和个人,应当采购检疫合格的动物产品,并接受动物防疫监督机构的监督检查。
第四十七条 动物检疫证明、印章、标志不得转让、买卖、涂改和伪造。
第四十八条 行政执法人员在依法执行公务时,有权向有关单位和个人查询情况、索验资料,任何单位和个人不得隐瞒和拒绝。
第七章 法律责任
第四十九条 对违反本条例规定,有下列行为之一的,由动物防疫监督机构给予警告;拒不改正的,由动物防疫监督机构依法处理,处理所需费用由违法行为人承担:
(一)对饲养、经营的动物不按照动物疫病的强制免疫计划和国家有关规定进行免疫接种和消毒的;
(二)对动物、动物产品的运载工具、垫料、包装物不按照国家有关规定清洗和消毒的;
(三)不按照国家有关规定处置染疫动物及其排泄物、染疫动物的产品、污染的饲料、垫料、包装物的;
(四)不按照规定对动物、动物产品生产、经营有关场所进行消毒的。
第五十条 对违反本条例第十五条规定的,由牧业管理部门给予警告;拒不改正的,处以10元以上50元以下罚款,直至没收动物。
第五十一条 对违反本条例第二十一条、第四十四条规定,生产、经营活动不符合动物防疫条件的,分别由牧业管理部门和动物防疫监督机构给予警告,责令改正;拒不改正的,处以10000元以上30000元以下的罚款。
第五十二条 对违反本条例第二十五条第三款规定,单位瞒报、谎报或者阻碍他人报告动物疫情的,由动物防疫监督机构给予警告,并处2000元以上5000以下的罚款;对负有责任的单位负责人和直接责任人,由主管部门或者有关部门给予行政处分。
第五十三条 对违反本条例第三十条规定的,由牧业管理部门责令其依法进行处理,并处以10元以上50元以下的罚款。
第五十四条 对违反本条例第三十七条第一款规定的,由动物防疫监督机构给予警告,责令改正;情节严重的,可以对托运人和承运人分别处以运输费用1倍以上3倍以下的罚款。
第五十五条 对违反本条例第三十八条第一款规定的,由动物防疫监督机构责令停止经营,没收违法所得,对未经检疫的动物、动物产品依法补检。经检疫不合格的动物、动物产品作无害化处理;无法作无害化处理的,予以销毁。
第五十六条 对违反本条例第三十九条规定的,由动物防疫监督机构责令暂时停止经营,没收违法所得;没有违法所得的,可处以200元以上500元以下的罚款;对未售出的动物、动物产品依法补检,并按照有关规定处理。
第五十七条 对违反本条例第四十三条第二款规定的,由牧业管理部门责令补办《畜禽及其产品经营卫生许可证》,没收动物及其产品和违法所得,并处500元以上2000元以下罚款。
第五十八条 对违反本条例第四十五条规定的,由动物防疫监督机构责令停止经营,立即采取有效措施收回已售出的动物、动物产品,没收违法所得和未售出的动物、动物产品;情节严重的,可以并处违法所得2倍以上5倍以下的罚款。
第五十九条 对违反本条例第四十七条规定的,由动物防疫监督机构没收违法所得,收缴有关证、章,并处以2000元以上5000元以下罚款;违法所得超过5000元的,并处违法所得1倍以上3倍以下的罚款;买卖、伪造检疫证明的,并处10000元以上30000元以下
罚款;违法所得超过30000元的,并处违法所得1倍以上3倍以下的罚款;构成犯罪的,依法追究刑事责任。
第六十条 阻碍行政执法人员执行公务,构成犯罪的,依法追究刑事责任;尚不构成犯罪的,由公安机关依照《中华人民共和国治安管理处罚条例》给予处罚。
第六十一条 当事人对行政处罚决定不服的,可在15日内依法向复议机关申请复议。对复议决定不服的可在15日内向人民法院提起行政诉讼。当事人也可以直接向人民法院提起诉讼。
当事人逾期不申请复议又未向人民法院起诉,又不履行处罚决定的,作出处罚决定的机关可以申请人民法院强制执行。
对违禁动物及其产品作出控制或无害化处理的决定,在复议诉讼期间不中止执行。
第六十二条 动物防疫监督工作人员滥用职权,玩忽职守、徇私舞弊、隐瞒和延误疫情报告,违法出具检疫证明,伪造检疫结果,构成犯罪的,依法追究刑事责任。尚不构成犯罪的,由主管部门和有关部门给予行政处分。
第八章 附则
第六十三条 本条例由长春市人民代表大会常务委员会负责解释。
第六十四条 本条例自公布之日起施行。
规定动物疫病病种名录:
口蹄疫、猪瘟、猪伪狂犬病、猪传染性水泡病、猪繁殖与呼吸道综合症、猪囊虫病、牛结核病、布氏杆菌病、马传染性贫血、马鼻疽、鸡新城疫、禽流感、鸡传染性法氏囊病、鸡马立克氏病、鸡白痢、鸡白血病、鸡产蛋下降综合症、免病毒性出血症、鸭瘟、水泡性口炎、牛瘟、小反刍
兽疫、牛传染性胸膜肺炎、牛皮肤结节性疹、裂谷热、蓝舌病、绵羊痘和山羊痘、非洲马瘟、非洲猪瘟、鸡瘟。
1999年8月5日