GUIDELINES FOR THE SECURITY ASSESSMENT OF ELECTRONIC BANKS

(No. 9 [2006] of the China Banking Regulatory Commission, promulgated on January 26, 2006, which shall come into force as of March 1, 2006)
SUBJECT: ELECTRONIC BANK; SECURITY ASSESSMENT
ISSUING DEPARTMENT: CHINA BANKING REGULATORY COMMISSION
ISSUE DATE: 01/26/2006
IMPLEMENT DATE: 03/01/2006
LENGTH: 3,378 words
TEXT:

TABLE OF CONTENTS
CHAPTER I GENERAL PROVISIONS
CHAPTER II SECURITY ASSESSMENT INSTITUTIONS
CHAPTER III IMPLEMENTATION OF SECURITY ASSESSMENT
CHAPTER IV MANAGEMENT OF SECURITY ASSESSMENT ACTIVITIES
CHAPTER V SUPPLEMENTARY PROVISIONS
CHAPTER I GENERAL PROVISIONS
Article 1. These Guidelines are formulated according to the Measures for the Administration of Electronic Banking and other relevant legal provisions for the purpose of strengthening the security and risk management of electronic banking, and ensuring the objectivity, timeliness, integrity and effectiveness of the security assessment of electronic banks.
Article 2. The "security assessment of electronic banks" refers to the observation and assessment of the security testing as well as the management and control ability of electronic banks in the aspects of security strategies, internal control systems, risk management, system security and protection of clients, etc.
Article 3. A financial institution that engages in the electronic banking shall, on the basis of its electronic banking development and management requirements, carry out at least one comprehensive security assessment of its electronic banks every two years.
Article 4. A financial institution may hire an external professional assessment institution for the security assessment of its electronic banks, or may ask an internal assessment department independent of the electronic banking operation and management department for security assessment.
Article 5. A financial institution shall establish regulatory rules and work procedures for the security assessment of its electronic banks, and ensure that the security assessment of its electronic banks could be conducted in a timely and objective manner.
Article 6. The security assessment of electronic banks of a financial institution shall be subject to the supervision and guidance of China Banking Regulatory Commission (hereinafter referred to as CBRC).
CHAPTER II SECURITY ASSESSMENT INSTITUTIONS
Article 7. Institutions for assuming the security assessment of electronic banks of financial institutions may be external social professional agencies or internal independent departments of financial institutions that meet corresponding requirements.
Article 8. An external agency for the security assessment of electronic banks shall meet the following requirements:
(1) having fairly perfect management rules and operational rules for engaging in the security assessment of electronic banks;
(2) having formulated systematic and comprehensive assessment handbooks or assessment guidance documents, the contents of which shall at least include assessment procedures, assessment methods and foundations as well as assessment criteria, etc.;
(3) having various types of professionals corresponding to the security assessment of electronic banks, and knowing relevant industrial standards in the world and China; and
(4) meeting other requirements prescribed by the CBRC for engaging in the security assessment of electronic banks.
Article 9. An internal department of a financial institution shall, when carrying out the security assessment of electronic banks, meet the following requirements in addition to those prescribed in Article 8:
(1) being independent of the department for developing, operating or managing the electronic banking system; and
(2) having not directly participated in the purchase of relevant equipment for electronic banks.
Article 10. The CBRC shall be responsible for accrediting the qualifications for security assessment of electronic banks.
A security assessment institution of electronic banks may, before engaging in the security assessment of electronic banks of financial institutions, apply to the CBRC for the accreditation of its qualification.
Article 11. A financial institution may, when conducting the security assessment of its electronic banks, choose a security assessment institution that has or has not been accredited by the CBRC.
In case a financial institution chooses a security assessment institution that has been accredited by the CBRC, the management of the relevant security assessment institution shall be governed by the relevant provisions in these Guidelines. In case a financial institution chooses a security assessment institution that has not been accredited by the CBRC, the standards for choosing the security assessment institution shall not be lower than the requirements prescribed in Articles 8 and 9, and relevant materials shall be submitted according to the Measures for the Administration of Electronic Banking.
A security assessment institution of electronic banks shall, whether it has been accredited by the CBRC or not, abide by the relevant provisions on the implementation and management of the security assessment of electronic banks when engaging in the security assessment of electronic banks.
Article 12. The CBRC shall organize an accreditation of security assessment institutions of electronic banks every year, and an announcement shall be made one month in advance of the accreditation.
Article 13. A security assessment institution of electronic banks that applies for qualification accreditation shall submit the following materials (in septuplicate) within the time limit prescribed in the announcement of the CBRC:
(1) an application report for accrediting its qualification for security assessment of electronic banks;
(2) an introduction of itself;
(3) the management framework, management rules, and operating rules, etc., for the security assessment business;
(4) the assessment handbook or assessment guidance documents;
(5) resumes of main assessors; and
(6) other documents and materials required by the CBRC.
Article 14. The CBRC shall, upon receipt of a complete set of the application materials for security assessment qualification accreditation, organize relevant experts and supervisory personnel for evaluating the application materials, and evaluate whether the security assessment institution of electronic banks has reached the relevant qualification requirements by way of ballots.
Article 15. The CBRC shall, after evaluating the qualification of an assessment institution, issue a Letter of Opinions about the Qualification Accreditation of the Security Assessment Institutions of Electronic Banks, state the evaluation opinions, and accredit the qualification of the assessment institution.
Article 16. The Letter of Opinions about the Qualification Accreditation of the Security Assessment Institutions of Electronic Banks issued by the CBRC shall only be used when the assessment institution and financial institutions are discussing the business on security assessment of electronic banks, and shall not affect the assessment institution's carrying out other business activities.
No assessment institution may use the Letter of Opinions about the Qualification Accreditation of the Security Assessment Institutions of Electronic Banks for the purpose of publicity or other activities.
Article 17. The qualification accreditation of an assessment institution whose qualification requirements are met upon evaluation of the CBRC shall be valid for two years.
In case an assessment institution does not meet the qualification requirements upon evaluation of the CBRC, the assessment institution may apply for a new qualification accreditation in the next year.
Article 18. If, within the valid term of qualification accreditation, a security assessment institution of electronic banks is under any of the following circumstances, the CBRC shall cancel the evaluation and accreditation opinions it has made:
(1) The assessment institution is in poor management, and its staff divulges the secrets of any assessed institution;
(2) The quality of assessment work is inferior, and there is major omission in its assessment activities;
(3) The assessment institution fails to submit the assessment reports as required, or there are false statements in the assessment reports;
(4) The assessment institution uses the Letter of Opinions about the Qualification Accreditation of the Security Assessment Institutions of Electronic Banks for the purpose of publicity or other business activities; or
(5) The assessment institution commits any other act of seriously neglecting its duties.
Article 19. In case an assessment institution commits any of the following acts, the CBRC shall not accept its qualification accreditation application within a certain time or without day, and no financial institution may entrust this assessment institution for the security assessment:
(1) Colluding with the entrusting institution for jointly hiding the security loopholes as found during the course of security assessment, and failing to include them in the assessment report as required;
(2) Practicing favoritism during the course of assessment and formulating the security assessment reports; or
(3) Divulging the secret information of the assessed institution, or improperly using the secret materials of the assessed institution.
In case an internal assessment department of a financial institution is under any of the aforesaid circumstances, the CBRC shall punish the relevant department and persons held to be responsible.
Article 20. The information about any security assessment institution of electronic banks accredited by the CBRC, as well as the accreditation and cancellation of its qualification, etc. shall be circulated to all the financial institutions for engaging in the electronic banking only, and shall not be circulated to the general public.
A financial institution shall not divulge the relevant information circulated by the CBRC to any third party, affect other business activities of the relevant institution, or use the relevant information for other business activities irrelevant to the security assessment of electronic banks.
Article 21. A financial institution may, within the scope of assessment institutions accredited by the CBRC, choose a security assessment institution of electronic banks on its own initiative.
Article 22. A foreign-funded financial institution, whose main electronic banking system is established abroad and who carries out the security assessment of electronic banks abroad, or an overseas branch of a Chinese-funded financial institution that needs to carry out the security assessment of electronic banks abroad as required by the local supervisory organ, shall abide by the legal requirements of the local country or region for choosing the assessment institution of electronic banks.
Where there is no relevant legal requirement in the local country or region, the financial institution shall carry out the security assessment by referring to the relevant provisions in these Guidelines.
Article 23. A financial institution shall conclude a written service agreement with the security assessment institution of electronic banks it hires, and shall contain explicit confidentiality terms and liabilities in the said service agreement.
When a financial institution chooses an internal department as the assessment institution, its electronic banking management department and its evaluation department shall conclude a letter on the determination of assessment liabilities.
Article 24. A security assessment institution shall, according to the assessment agreement, seriously perform its assessment duties, and faithfully assess the security situation of the electronic banks of any assessed institution.
CHAPTER III IMPLEMENTATION OF SECURITY ASSESSMENT
Article 25. An assessment institution shall, before carrying out the security assessment of electronic banks, carry out thorough communications with the assessed institution with respect to the scope, focuses, time and requirements for assessment, and formulate the assessment plans, which shall be recognized by both parties through signature.
Article 26. An assessment institution shall, according to the assessment plans, assess the security of electronic banks of the entrusting institution on the spot.
The security assessment of electronic banks shall authentically and comprehensively assess the security of the electronic banking system.
Article 27. The security assessment of electronic banks shall at least include the following contents:
(1) security strategies;
(2) construction of internal control system;
(3) risk management status;
(4) systematic security;
(5) plans for continuous operation of electronic banking;
(6) emergency meeting plans for the operation of electronic banking;
(7) risk warning system of electronic banks; and
(8) management of other important security links and mechanisms.
Article 28. The assessment of the security strategies of electronic banks shall at least include the following contents:
(1) procedures for formulating security strategies and their rationality;
(2) security strategies for system design and development;
(3) security strategies for system testing and acceptance;
(4) security strategies for system operation and maintenance;
(5) security strategies for system backup and emergency meeting; and
(6) security strategies for the information about clients.
An assessment institution shall assess the security strategies of a financial institution not only with respect to whether there are security strategies, rules, systems and procedures, and whether these rules are implemented and timely updated, but also with respect to whether the electronic banking system has been completely covered.
Article 29. The assessment of the internal control systems of electronic banks shall at least include the following contents:
(1) how scientific and appropriate the overall construction of internal control systems is;
(2) the duties of the board of directors and the senior management staff for the security and risk management system of electronic banks, and the appropriateness of duties and liabilities of relevant departments;
(3) the conditions on construction and operation of security monitoring mechanism; and
(4) the conditions on construction and operation of internal audit systems.
Article 30. The assessment of the risk management situation of electronic banks shall at least include the following contents:
(1) the adaptability and appropriateness of the risk management framework of electronic banks;
(2) the recognizance of the board of directors and the senior management personnel about the security and risk management of electronic banks, and the conditions on implementing relevant policies and strategies;
(3) the appropriateness of the duties of the management bodies of electronic banks, and the ability to control relevant risks;
(4) the conditions on employment and training of management personnel;
(5) the conditions on implementing the rules, systems, operational provisions and procedures for the risk management of electronic banks;
(6) main risks and management situation of electronic banking; and
(7) the conditions on construction and management of business outsourcing management systems.
Article 31. The assessment of the security of electronic banking system shall at least include the following contents:
(1) physical security;
(2) data communications security;
(3) security of the applied systems;
(4) management of keys;
(5) accreditation and confidentiality of the information about clients; and
(6) intrusion detection mechanism and report reaction mechanism.
The assessment institution shall focus on the assessment of the data communications security and the security of the applied systems, objectively evaluate whether the financial institution has adopted proper encryption techniques, reasonably designed and set up servers and firewalls, whether the internal operating systems and database of the bank are safe, etc., and whether the financial institution has formulated the systems and control procedures for controlling and managing the electronic banking system, and can ensure that each alteration can be timely tested and examined.
Article 32. The assessment of the continuous operation plans of electronic banking shall at least include the following contents:
(1) equipment and systematic ability for ensuring the continuous business operation; and
(2) systematic arrangements and implementation conditions for ensuring the continuous business operation.
Article 33. The assessment of the emergency meeting plans for the electronic banking business shall at least include the following contents:
(1) the construction and implementation of emergency meeting systems of electronic banks;
(2) the conditions on emergency meeting facilities of electronic banks;
(3) the regular and continuous testing and drills; and
(4) the ability to deal with accidents or external attacks.
Article 34. An assessment institution shall formulate its own standards for the security assessment of electronic banks, and when carrying out the security assessment, shall determine the weights of the impacts of different assessment contents to the overall risk of electronic banks according to the actual situation of an entrusting institution, and grade each content for assessment, and comprehensively calculate the risk grade of the electronic banks of the assessed institution.
Article 35. Upon completion of the assessment, the assessment institution shall timely work out a report, and submit an assessment report recognized upon signature of its legal representative or the authorized representative to the entrusting institution within one month.
Article 36. An assessment report shall at least include the following contents:
(1) time and scope for assessment and other important stipulations in any other agreement;
(2) the overall framework, procedures, main methods for assessment and an introduction of the main assessors;
(3) the standards for determining the risk weights of different contents for assessment, the calculation methods for risk grades, and the definitions of risk grades;
(4) the contents for assessment and the descriptions of assessment activities;
(5) the assessment conclusion;
(6) the suggestions on the security management of electronic banks of the assessed institution;
(7) other issues that need to be explained;
(8) the definitions of main terms and the introduction of international or domestic standards (they may be given in the attachment);
(9) the table of procedures for the assessment work (it may be given in the attachment); and
(10) the name list of assessors of the assessment institution that have participated in the assessment (it may be given in the attachment).
In the assessment conclusion, the assessment institution shall adopt quantitative measures to show the risk grades of electronic banks of an assessed institution, state main issues and hidden troubles in the security management of electronic banks of the assessed institution, and put forward suggestions for overall reconstruction.
Article 37. Where it is necessary to alter an assessment report after it has been completed and submitted to the entrusting institution, the reasons, basis and opinions for alteration shall be affixed to the original report as an attachment, and the original report shall not be directly altered.
CHAPTER IV MANAGEMENT OF SECURITY ASSESSMENT ACTIVITIES
Article 38. A financial institution shall, when applying for engaging in the electronic banking, carry out the security assessment of the electronic banking system that has been tested according to the relevant provisions.
Article 39. A financial institution shall, after starting the operation of the electronic banking business, immediately organize the security assessment if it is under any of the following circumstances:
(1) The system is attacked and broken down due to security loopholes, and is being repaired for operation;
(2) The electronic banking system has been stopped unexpectedly for 12 hours or more after it is significantly renewed or upgraded;
(3) There occurs any major accident after the key equipment or facilities of an electronic bank is changed, and the continuous operation still can not be guaranteed after repair; or
(4) The assessment needs to be conducted immediately for the security management of electronic banks.
Article 40. The choice of an external security assessment institution by a financial institution shall be in the charge of its board of directors or senior management personnel.
Article 41. In case a banking financial institution has implemented the centralized data management, its branches are not required to carry out a separate security assessment when engaging in the electronic banking, and the security assessment of electronic banks by the headquarters (company) shall include the assessment of the security management status of electronic banks of its branches.
Article 42. In case a banking financial institution has not implemented the centralized data management, and its branches have engaged in the electronic banking and have independent business processing equipment and system, the electronic banking system of its branches shall be subject to security assessment according to the relevant provisions under the uniform management and guidance of the headquarters (company).
Article 43. In case a foreign-funded financial institution establishes its main business processing system of electronic banks abroad, and its overseas headquarters (company) have carried out security assessment and comply with the relevant provisions in these Guidelines, its domestic branch is not required, when engaging in the electronic banking, to separately carry out a security assessment, however, it shall submit a security assessment report to the supervisory organ according to the relevant requirements set down in these Guidelines.
Article 44. In case a foreign-funded financial institution establishes its main business processing system of electronic banks at home, or establishes its main business processing system of electronic banks abroad but the overseas headquarters (company) fail to carry out the security assessment or the security assessment does not comply with the relevant provisions in these Guidelines, it shall carry out the security assessment of electronic banks.
Article 45. In case several assessment institutions are required for joint assumption or implementation of the security assessment of electronic banks, the financial institution shall determine one main assessment institution to coordinate the overall assessment work and the writing of an overall assessment report.
In case a financial institution entrusts its electronic banking system to different assessment institutions for security assessment, it shall determine the security assessment scope of each assessment institution and ensure that the matters under assessment are completely covered and there is no omission.
Article 46. A financial institution shall, within two weeks upon conclusion of an assessment agreement, submit the introduction of the assessment institution, as well as the assessment scheme and procedures to be adopted, etc. to the CBRC.
Article 47. The CBRC may, in light of the requirements of the supervisory work, assign staff members to participate in the security assessment of electronic banks of any financial institution; however, such staff members shall not be taken as formal assessors and shall not put forward assessment opinions.
Article 48. An assessment institution shall, in light of the principles of objectivity, fairness, authenticity and independence, carry out the assessment, and strictly keep confidential the business secrets it has accessed during the process of assessment.
Article 49. During the process of assessment, the entrusting institution and the assessment institution shall establish an information confidentiality work mechanism:
(1) A registration and signature system shall be established for requesting relevant materials for consultation, or duplicating relevant documents or data during the process of assessment;
(2) The documents and materials requested for consultation shall be read at the designated place, and shall not be brought out of the designated place;
(3) The documents or data as duplicated shall generally not be brought out of the working place, and if they really need to be taken away, it is necessary to explicitly register the names, quantity, reasons for taking away, final processing methods, and persons in charge of the documents or data that have been taken away, and the relevant persons in charge shall sign for it;
(4) The documents or materials abandoned during the process of assessment or the data that will not be used any more shall be destroyed or cancelled immediately; and
(5) After the assessment work ends, both parties shall sign the notes for the delivery of relevant confidential data and materials.
Article 50. A financial institution shall, within one month upon receipt of an assessment report issued by the assessment institution, submit the assessment report to the CBRC.
The financial institution may, when submitting an assessment report, make necessary explanations about the relevant issues in the assessment report.
Article 51. Without approval of the supervisory organ, no security assessment report on electronic banks may be used as the publicity materials or be provided to any third institution other than the supervisory organ.
Article 52. In case a security assessment is not carried out as required or in which the assessment procedures and methods or the assessment report is seriously flawed, the CBRC may require the financial institution to carry out a new assessment.
Article 53. The CBRC may, as required by the supervisory work, organize by itself or entrust an assessment institution to carry out the security assessment of electronic banks of a financial institution, and the financial institution shall show assistance.
Article 54. The CBRC may, as required by the supervisory work, directly inquire of an assessment institution about its assessment methods, scope and procedures, etc.
Article 55. With respect to any problem reflected in the assessment report, a financial institution shall take effective measures to correct it.
CHAPTER V SUPPLEMENTARY PROVISIONS
Article 56. The power to interpret these Guidelines shall remain with the CBRC.
Article 57. These Guidelines shall come into force as of March 1, 2006.