关于印发《再制造产品认定实施指南》的通知
作者:法律资料网 时间:2024-07-22 21:41:46 浏览:8431
来源:法律资料网
下载地址: 点击此处下载
关于印发《再制造产品认定实施指南》的通知
关于印发《再制造产品认定实施指南》的通知
工信厅节〔2010〕192号
各省、自治区、直辖市及计划单列市、新疆生产建设兵团工业和信息化主管部门:
为加强再制造产品认定管理,明确认定要求,规范认定程序,按照《关于印发〈再制造产品认定管理暂行办法〉的通知》(工信部节〔2010〕303号)要求,我部组织编制了《再制造产品认定实施指南》(以下简称《实施指南》)。现印发你们并就认定相关工作通知如下:
一、请各地工业和信息化主管部门组织相关企业根据《再制造产品认定管理暂行办法》和《实施指南》要求,提出认定申请,并对申报材料进行初始审查,出具审查意见后上报。
二、为稳妥推进再制造产品认定工作,认定工作启动初期,优先受理再制造试点企业的认定申请。首批认定申请受理截止时间为2010年10月29日。
三、联系方式:
联系人:曹 妍 王孝洋
电 话:010-66013058 68205357
传 真:010-68205337 邮 箱:jns@miit.gov.cn
地 址:北京市西长安街13号(100804)
附件:再制造产品认定实施指南(表格下载)
二○一○年九月三十日
附件:
再制造产品认定实施指南
工业产品再制造是制造业的一个重要组成部分,是落实《循环经济促进法》和推动经济发展方式转变的重要措施,是促进资源节约型、环境友好型社会建设的有效手段。开展再制造产品认定工作有利于规范再制造产品生产、引导再制造产品消费,推动再制造产业健康有序发展。
根据《再制造产品认定管理暂行办法》的规定,为明确再制造产品认定管理工作中各相关单位的职责,明晰各认定环节的具体要求,确保认定管理工作规范、高效地开展,特制定《再制造产品认定实施指南》(以下简称《实施指南》)。
《实施指南》所涵盖的再制造产品认定范围包括通用机械设备、专用机械设备、办公设备、交通运输设备及其零部件等。
各相关单位应依据《再制造产品认定管理暂行办法》,结合《实施指南》及相关的法律法规、标准和其他要求,开展再制造产品认定申报、推荐、认定评价等管理工作。
一、组织管理
工业和信息化部负责再制造产品认定工作的管理和监督,制定相关制度、标准及实施方案,组织开展认定工作,发布《再制造产品目录》。
省级工业和信息化主管部门负责认定申请的初始审查,向工业和信息化部推荐符合条件的认定申请。
工业和信息化部委托具有合格评定资质的机构具体承担认定评价工作,包括组织进行文件审查、现场评审、产品检验,以及出具认定报告等工作。
二、认定程序
再制造产品认定包括“申报、初审与推荐、认定评价、结果发布”等四个阶段(认定流程见附件一)。
(一)申报
申请企业应按照《再制造产品认定管理暂行办法》的要求,自愿提出认定申请。
1.基本条件。申请企业应符合《再制造产品认定管理暂行办法》规定的基本条件要求,具体包括:
(1)在中国境内注册,具有独立法人资格;
(2)产品符合国家法律、法规及相关产业政策要求;
(3)国家对产品有行政许可要求的,应获得相应许可;
(4)具备再制造产品批量生产能力,采用的再制造技术、工艺先进适用、成熟可靠;
(5)产品质量达到或超过原型新品,且符合国家相关的安全、节能、环保等强制性标准要求。
2.提交申报材料:申请企业按属地化原则向省级工业和信息化主管部门提出认定申请,并按要求提交申报材料。申报材料一式五份(含纸质及电子版),具体包括:
(1)再制造产品认定申报书(见附件二);
(2)有效的法人营业执照副本(复印件);
(3)再制造产品的产品生产许可证、强制性产品认证证书复印件(适用时);
(4)执行的产品标准;
(5)产品型式试验报告和(或)相关质量证明文件;
(6)产品生产工艺流程及再制造技术说明;
(7)质量管理体系文件;
(8)其他需提供的材料。
(二)初审与推荐
省级工业和信息化主管部门负责对本地区申请认定产品进行形式审查和汇总。符合要求或整改后满足要求的,向工业和信息化部推荐;不符合要求的,则不予推荐。
初审的重点包括:
1.申报材料的完整性、有效性;
2.近三年内,是否受到重大行政处罚和投诉,包括产品质量、节能环保和安全等方面;
3.再制造过程管理的规范性、工艺技术水平的先进性等方面。
省级工业和信息化主管部门应在30个工作日内完成对申报材料的初审,出具认定推荐意见。同时,向工业和信息化部提交产品申报材料。
(三)认定评价
再制造产品认定评价包括以下六个环节:
— 标准确认;
— 受理;
— 文件审查;
— 现场评审;
— 产品检验;
— 综合评定。
1.标准确认
为保证申请企业明示的产品标准符合再制造产品认定要求,在认定活动中将对申请企业明示的产品标准进行确认。
认定机构在收到申报材料后,应在3个工作日内组织专家完成再制造产品认定的标准确认工作。
标准确认专家应对申请企业明示的产品标准与相关质量、节能、环保和安全等标准进行比较分析,确认申请企业所明示的产品标准是否符合相关的要求。
标准确认合格后方可进入受理环节;标准确认不合格的,则不对申请企业的申报材料进行受理。
经确认的标准发生变更时,申请企业应及时向再制造产品认定机构通报并提供新版本。认定机构将根据情况决定是否重新进行标准确认工作。
2.受理
标准确认符合要求后,认定机构应及时对申报书和相关资料进行审查,并提出受理意见:
(1)申报材料齐全、符合要求的,应在3个工作日内予以受理,并书面通知申请企业受理结果;
(2)申报材料不齐全或不符合要求的,应在3个工作日内告知申请企业需要补充的材料;
(3)存在不符合认定要求且无法整改的申请事项,不予受理。
3.文件审查
认定机构在完成受理申请后,应于4个工作日内,安排具有专业能力的人员进行文件审查,并出具文件审查报告,对文件审查不符合要求的应通知申请企业进行整改。
文件审查的重点包括:
(1)产品型式试验报告和(或)相关质量证明文件;
(2)产品生产工艺流程及再制造技术说明;
(3)质量管理体系文件;
(4)再制造产品用途与质量状况说明;
(5)再制造产品节能减排效益分析等。
文件审查的结论包括:
(1)符合要求,可以安排现场评审工作;
(2)不符合要求,补充整改后方可安排现场评审工作。
4.现场评审
文件审查合格或经过整改合格后,由认定机构组织专家组实施现场评审工作,现场评审应在文件审查合格后的20个工作日内实施。
现场评审过程的要求包括:
(1)专家评审组应编制评审计划,并于现场评审实施日前5个工作日通知申请企业;
(2)专家评审组应按相关要求对申请企业再制造工艺过程和质量保证能力进行现场评审,重点是关键再制造过程的现场确认及所采用再制造技术的可靠性评价;
(3)现场评审结束后10个工作日内,专家组应向认定机构提交“现场评审报告”,并对现场评审结论负责。
现场评审结论包括:
(1)通过;
(2)整改后通过;
(3)不通过。
现场评审存在不符合要求的,评审组应书面通知申请企业进行整改,如现场评审发现企业存在严重不符合及违法等问题,评审组应报告认定机构并立即结束对其产品的认定工作。
5.产品检验
再制造产品认定检验主要采用型式试验报告确认、抽样检验、现场检验等形式进行。认定机构对申请企业所提交产品型式试验报告和(或)相关质量证明文件进行审查,根据再制造产品特点,必要时结合现场评审情况,决定产品检验方式:
(1)型式试验报告确认:依据所确认标准,对申请企业提交的型式试验报告进行符合性评价和确认。
(2)抽样检验:按所确认标准规定的相关要求,对认定产品和(或)关键过程的产品,由认定机构制定产品抽样检验方案,安排人员进行抽样,委托具有相应资质的第三方检验机构进行检验。
(3)现场检验:对认定产品必须在生产或使用现场进行检验时,认定机构应按照所确认标准规定的相关要求制定现场检验方案,安排人员进行现场产品检验工作。
认定机构收到检验报告后,应在5个工作日内完成对检验结果的判定,判定结论分为合格与不合格两种形式。
6.综合评定
认定机构在组织完成文件审查、现场评审和产品检验后,应安排对申请企业全部材料进行综合评定。重点是对认定过程活动的公正性、规范性、现场评审结论和检验结果的符合性进行评定,基本要求:
(1)所有受理、文件审查、现场评审、检验结果必须完成且经专业人员审核后,方可进行认定综合评定工作。
(2)认定综合评定人员必须具备相应的专业能力。
(3)综合评定人员不能是所评定项目的现场评审人员。
认定机构应在10个工作日内完成综合评定,提出认定意见,完成认定报告,并提交工业和信息化部。认定意见包括:
(1)推荐;
(2)不推荐。
(四)结果发布
工业和信息化部根据认定报告意见,对再制造产品认定过程及意见等进行审批,符合要求的形成《再制造产品目录》并向社会公告。同时,通过工业和信息化部及认定机构网站发布。
再制造产品认定结果不设有效期,当认定的再制造产品生产和管理等发生重大变化时,申请企业应及时向工业和信息化部及认定机构报告。对不再符合认定条件的产品,由工业和信息化部取消产品认定资格,予以公告。
三、认定标志与信息明示
(一)认定标志
(1)标志样式
http://www.gov.cn/zwgk/images/images/001e3741a2cc0e2203c701.jpg
图 再制造产品标志样式及尺寸
(2)认定标志使用
通过认定的再制造产品,应在产品明显位置或包装上使用再制造产品标志。被取消认定资格的产品不得继续使用再制造产品标志。
使用认定标志时,应保证认定标志的完整,可按比例放大或缩小,但应确保认定标志的颜色一致并清晰。
(二)信息明示
经认定的再制造产品应在产品明显位置或包装上明示再制造产品的生产厂名称、产品识别代码、执行标准等相关信息。
四、异议处理
任何对再制造产品认定过程和结果有异议的单位和个人,可向工业和信息化部提出异议,工业和信息化部根据情况进行调查处理,反馈结果。认定机构按工业和信息化部的要求协助进行相关情况调查。
五、专家管理
认定机构应建立专家库并进行动态管理。
(一)专家资格条件
1.中级以上技术职称;
2.具有再制造领域相关专业背景和实践经验;
3.具有良好的职业道德,坚持原则,办事公正;
4.了解国家能源资源节约及再制造产业政策,熟悉再制造产品认定工作有关要求。
(二)专家库及专家选取办法
1.认定机构应建立专家聘任制度,建立专家库,实行动态管理。
2.认定机构根据认定产品所属行业领域,选择相关专家参与认定工作。
(三)专家职责
1.按照《再制造产品认定管理暂行办法》及本指南的要求参加标准确认、文件审查、现场评审、产品检验、综合评定等工作,并填写相关记录和完成有关报告。
2.为认定机构提供技术支持。
(四)专家纪律
1.独立、客观、公正地进行认定评价。
2.不得披露、使用申请企业的技术、经济信息和商业秘密,不得复制保留或向他人扩散评审材料,不得泄露评审结果。
3.不得采取非正常手段为申请企业提供便利。
4.不得以再制造产品认定名义擅自进入申请企业调查。
5.不得收受申请企业给予的任何好处和利益。
下载地址: 点击此处下载
国务院办公厅转发国家国有资产管理局、国务院三线建设调整改造规划办公室关于三线搬迁单位处置国有资产有关问题意见的通知
国务院办公厅转发国家国有资产管理局、国务院三线建设调整改造规划办公室关于三线搬迁单位处置国有资产有关问题意见的通知
国务院办公厅
各省、自治区、直辖市人民政府,国务院各部委、各直属机构:
为了顺利完成三线部分企事业单位的调整搬迁任务,减少调整搬迁过程中的损失浪费,经国务院同意,现将国家国有资产管理局、国务院三线建设调整改造规划办公室《关于三线搬迁单位处置国有资产有关问题的意见》转发给你们,请认真贯彻执行。
关于三线搬迁单位处置国有资产有关问题的意见
国务院:
经国务院同意,国家计委批准实施的“七五”期间三线企业布局调整进展比较顺利,有关地区、部门在搬迁单位原址国有资产(主要是不动产,下同)处置方面做了大量工作,取得了一定成效。但是,目前还存在一些问题。主要是:部分单位国有资产的处置无具体方案,处置不够妥善
;有的虽有方案,但因种种原因不能顺利实施,给国家财产造成了不应有的损失。为圆满完成三线建设布局调整任务,保证搬迁单位原址国有资产的妥善处置,经与有关部门研究,提出以下意见:
一、切实加强对搬迁单位原址国有资产处置工作的领导。有关地区、部门和搬迁单位要把原址国有资产处置作为一项重要工作来抓,指定一位领导同志负责,切实加强领导。搬迁单位原址国有资产处置的组织工作,中央单位由主管部门负责,地方单位由地方政府指定的部门负责。各级
国有资产管理部门和各地三线建设调查改造规划办公室(以下简称:三线办)要积极履行职责,保证这项工作顺利进行。
二、认真制定处置方案。搬迁单位从批准搬迁开始,就要着手研究原址国有资产的处置工作。搬迁单位对需要处置的国有资产要认真清理,做到帐物相符,帐帐相符。要在清理资产和充分调查研究的基础上,制定处置方案。方案应包括处置资产的范围、价值、处置对象等主要内容,经
主管部门审核同意,由主管部门报同级国有资产管理部门商财政部门批准后实施,同时抄送同级三线办备案。
三、搬迁单位原址国有资产的处置,实行有偿转让的原则。在转让过程中,有关地区和部门要顾全大局、积极配合、提供方便,任何单位和个人均不得以任何理由进行干涉。搬迁单位根据处置方案处置原址国有资产时,应首先向全民所有制单位转让;如果全民所有制单位无法使用,搬
迁单位可以向集体所有制单位或个人有偿转让。少数确实不具备有偿转让条件的,可以向全民所有制单位无偿划转。同时,出让方也可采取以其资产作价投资的形式,与接收方联合经营,按比例收取利润;或采取租赁的形式,出租给当地企事业单位。承租方在租赁期间,应保证国有资产的
安全完整。
实行有偿转让的国有资产,原则上接收方应一次付清价款。一次付清确有困难的,经双方协商,可采取延期付款、分期付款等多种方式。但延期、分期付款期限一般不得超过三年。
四、向非全民所有制单位或个人有偿转让国有资产,应进行资产评估。资产评估,由国有资产管理部门认可的具有评估资格的机构进行。评估结果要由同级国有资产管理部门确认。
五、搬迁单位转让国有资产的全部收入,必须纳入新址建设的自筹资金,不得挪作他用。
六、认真办理国有资产划转手续。搬迁单位向全民所有制单位无偿划转国有资产,要按国家国有资产管理局的有关规定办理。向全民所有制单位有偿转让的国有资产,按转让的价格办理资产划转和交接手续。
七、严格执行国有资产报废审批制度。对确实已无使用价值无法进行有偿或无偿转让的资产,搬迁单位应按规定提出报废申请,经批准,搬迁单位方能报废,并由同级国有资产管理部门会同财政部门办理核销国家基金手续,同时做相应的财务处理。
八、搬迁单位需要转让的国有资产必须妥善保护。搬迁完毕尚未对原址国有资产妥善处置的搬迁单位,应对资产的保卫工作负责,制定保卫措施并认真落实,以确保国有资产的完整。
搬迁单位所在地人民政府和公安部门,要积极协助、指导搬迁单位做好原址国有资产的保卫工作,坚决制止强占、哄抢、毁坏、盗窃国有资产的违法行为。一旦发生上述事件,对当事人要依法惩处,并追究有关领导人的责任。
九、转让双方要做好资产交接工作,减少闲置浪费,使国有资产充分发挥效益。
以上意见,如无不妥,请批转有关地区和部门执行。
1992年1月27日
Guidelines on the Risk Management of Commercial Banks’ Information Technology ——附加英文版
Guidelines on the Risk Management of Commercial Banks’ Information Technology
Chapter I General Provisions
Article 1. Pursuant to the Law of the People’s Republic of China on Banking Regulation and Supervision, the Law of the People's Republic of China on Commercial Banks, the Regulations of the People’s Republic of China on Administration of Foreign-funded Banks, and other applicable laws and regulations, the Guidelines on the Risk Management of Commercial Banks’ Information Technology (hereinafter referred to as the Guidelines) is formulated.
Article 2. The Guidelines apply to all the commercial banks legally incorporated within the territory of the People’s Republic of China.
The Guidelines may apply to other banking institutions including policy banks, rural cooperative banks, urban credit cooperatives, rural credit cooperatives, village banks, loan companies, financial asset management companies, trust and investment companies, finance firms, financial leasing companies, automobile financial companies and money brokers.
Article 3. The term “information technology” stated in the Guidelines shall refer to the system built with computer, communication and software technologies, and employed by commercial banks to handle business transactions, operation management, and internal communication, collaborative work and controls. The term also include IT governance, IT organization structure and IT policies and procedures.
Article 4. The risk of information technology refers to the operational risk, legal risk and reputation risk that are caused by natural factor, human factor, technological loopholes or management deficiencies when using information technology.
Article 5. The objective of information system risk management is to establish an effective mechanism that can identify, measure, monitor, and control the risks of commercial banks’ information system, ensure data integrity, availability, confidentiality and consistency, provide the relevant early warning, and thereby enable commercial banks’ business innovations, uplift their capability in utilizing information technology, improve their core competitiveness and capacity for sustainable development.
Chapter II IT governance
Article 6. The legal representative of commercial bank should be responsible to ensure compliance of this guideline.
Article 7. The board of directors of commercial banks should have the following responsibilities with respect to the management of information systems:
(1) Implementing and complying with the national laws, regulations and technical standards pertaining to the management of information systems, as well as the regulatory requirements set by the China Banking Regulatory Commission (hereinafter referred to as the “CBRC”);
(2) Periodically reviewing the alignment of IT strategy with the overall business strategies and significant policies of the bank, assessing the overall effectiveness and efficiency of the IT organization.
(3) Approving IT risk management strategies and policies, understanding the major IT risks involved, setting acceptable levels for these risks, and ensuring the implementation of the measures necessary to identify, measure, monitor and control these risks.
(4) Setting high ethical and integrity standards, and establishing a culture within the bank that emphasizes and demonstrates to all levels of personnel the importance of IT risk management.
(5) Establishing an IT steering committee which consists of representatives from senior management, the IT organization, and major business units, to oversee these responsibilities and report the effectiveness of strategic IT planning, the IT budget and actual expenditure, and the overall IT performance to the board of directors and senior management periodically.
(6) Establishing IT governance structure, proper segregation of duty, clear role and responsibility, maintaining check and balances and clear reporting relationship. Strengthening IT professional staff by developing incentive program.
(7) Ensuring that there is an effective internal audit of the IT risk management carried out by operationally independent, well-trained and qualified staff. The internal audit report should be submitted directly to the IT audit committee;
(8) Submitting an annual report to the CBRC and its local offices on information system risk management that has been reviewed and approved by the board of directors ;
(9) Ensuring the appropriating funding necessary for IT risk management works;
(10) Ensuring that all employees of the bank fully understand and adhere to the IT risk management policies and procedures approved by the board of directors and the senior management, and are provided with pertinent training.
(11) Ensuring customer information, financial information, product information and core banking system of the legal entity are held independently within the territory, and complying with the regulatory on-site examination requirements of CBRC and guarding against cross-border risk.
(12) Reporting in a timely manner to the CBRC and its local offices any serious incident of information systems or unexpected event, and quickly respond to it in accordance with the contingency plan;
(13) Cooperating with the CBRC and its local offices in the supervisory inspection of the risk management of information systems, and ensure that supervisory opinions are followed up; and
(14) Performing other related IT risk management tasks.
Article 8. The head of the IT organization, commonly known as the Chief Information Officer (CIO) should report directly to the president. Roles and responsibilities of the CIO should include the following:
(1) Playing a direct role in key decisions for the business development involving the use of IT in the bank;
(2) The CIO should ensure that information systems meet the needs of the bank, and IT strategies, in particular information system development strategies, comply with the overall business strategies and IT risk management policies of the bank;
(3) The CIO should also be responsible for the establishment of an effective and efficient IT organization to carry out the IT functions of the bank. These include the IT budget and expenditure, IT risk management, IT policies, standards and procedures, IT internal controls, professional development, IT project initiatives, IT project management, information system maintenance and upgrade, IT operations, IT infrastructure, Information security, disaster recovery plan (DRP), IT outsourcing, and information system retirement;
(4) Ensuring the effectiveness of IT risk management throughout the organization including all branches.
(5) Organizing professional trainings to improve technical proficiency of staff.
(6) Performing other related IT risk management tasks.
Article 9. Commercial banks should ensure that a clear definition of the IT organization structure and documentation of all job descriptions of important positions are always in place and updated in a timely manner. Staff in each position should meet relevant requirements on professional skills and knowledge. The following risk mitigation measures should be incorporated in the management program of related staff:
(1) Verification of personal information including confirmation of personal identification issued by government, academic credentials, prior work experience, professional qualifications;
(2) Ensuring that IT staff can meet the required professional ethics by checking character reference;
(3) Signing of agreements with employees about understanding of IT policies and guidelines, non-disclosure of confidential information, authorized use of information systems, and adherence to IT policies and procedures; and
(4) Evaluation of the risk of losing key IT personnel, especially during major IT development stage or in a period of unstable IT operations, and the relevant risk mitigation measures such as staff backup arrangement and staff succession plan.
Article 10. Commercial banks should establish or designate a particular department for IT risk management. It should report directly to the CIO and the Chief Risk Officer (or risk management committee), serve as a member of the IT incident response team, and be responsible for coordinating the establishment of policies regarding IT risk management, especially the areas of information security, BCP, and compliance with the CBRC regulations, advising the business departments and IT department in implementing these policies, providing relevant compliance information, conducting on-going assessment of IT risks, and ensuring the follow-up of remediation advice, monitoring and escalating management of IT threats and non-compliance events.
Article 11. Commercial banks should establish a special IT audit role and responsibility within internal audit function, which should put in place IT audit policies and procedures, develop and execute IT audit plan.
Article 12. Commercial banks should put in place policies and procedures to protect intellectual property rights according to laws regarding intellectual properties, ensure purchase of legitimate software and hardware, prevention of the use of pirated software, and the protection of the proprietary rights of IT products developed by the bank, and ensure that these are fully understood and complied by all employees.
Article 13. Commercial banks should, in accordance with relevant laws and regulations, disclose the risk profile of their IT normatively and timely.
Chapter III IT Risk Management
Article 14. Commercial banks should formulate an IT strategy that aligns with the overall business plan of the bank, IT risk assessment plan and an IT operational plan that can ensure adequate financial resources and human resources to maintain a stable and secure IT environment.
Article 15. Commercial banks should put in place a comprehensive set of IT risk management policies that include the following areas:
(1) Information security classification policy
(2) System development, testing and maintenance policy
(3) IT operation and maintenance policy
(4) Access control policy
(5) Physical security policy
(6) Personnel security policy
(7) Business Continuity Planning and Crisis and Emergency Management procedure
Article 16. Commercial banks should maintain an ongoing risk identification and assessment process that allows the bank to pinpoint the areas of concern in its information systems, assess the potential impact of the risks on its business, rank the risks, and prioritize mitigation actions and the necessary resources (including outsourcing vendors, product vendors and service vendors).
Article 17. Commercial banks should implement a comprehensive set of risk mitigation measures complying with the IT risk management policies and commensurate with the risk assessment of the bank. These mitigation measures should include:
(1) A set of clearly documented IT risk policies, technical standards, and operational procedures, which should be communicated to the staff frequently and kept up to date in a timely manner;
(2) Areas of potential conflicts of interest should be identified, minimized, and subject to careful, independent monitoring. Also it requires that an appropriate control structure is set up to facilitate checks and balances, with control activities defined at every business level, which should include:
- Top level reviews;
- Controls over physical and logical access to data and system;
- Access granted on “need to know” and “minimum authorization” basis;
- A system of approvals and authorizations; and
- A system of verification and reconciliation.
Article 18. Commercial banks should put in place a set of ongoing risk measurement and monitoring mechanisms, which should include
(1) Pre and post-implementation review of IT projects;
(2) Benchmarks for periodic review of system performance;
(3) Reports of incidents and complaints about IT services;
(4) Reports of internal audit, external audit, and issues identified by CBRC; and
(5) Arrangement with vendors and business units for periodic review of service level agreements (SLAs).
(6) The possible impact of new development of technology and new threats to software deployed.
(7) Timely review of operational risk and management controls in operation area.
(8) Assess the risk profile on IT outsourcing projects periodically.
Article 19. Chinese commercial banks operating offshore and the foreign commercial banks in China should comply with the relevant regulatory requirements on information systems in and outside the People’s Republic of China.
Chapter IV Information Security
Article 20. Information technology department of commercial banks should oversee the establishment of an information classification and protection scheme. All employees of the bank should be made aware of the importance of ensuring information confidentiality and provided with the necessary training to fully understand the information protection procedures within their responsibilities.
Article 21. Commercial banks should put in place an information security management function to develop and maintain an ongoing information security management program, promote information security awareness, advise other IT functions on security issues, serve as the leader of IT incident response team, and report the evaluation of the information security of the bank to the IT steering committee periodically. The Information security management program should include Information security standards, strategy, an implementation plan, and an ongoing maintenance plan.
Information security policy should include the following areas:
(1) IT security policy management
(2) Organization information security
(3) Asset management
(4) Personnel security
(5) Physical and environment security
(6) Communication and operation security
(7) Access control and authentication
(8) Acquirement, development and maintenance of information system
(9) Information security event management
(10) Business continuity management
(11) Compliance
Article 22. Commercial banks should have an effective process to manage user authentication and access control. Access to data and system should be strictly limited to authorized individuals whose identity is clearly established, and their activities in the information systems should be limited to the minimum required for their legitimate business use. Appropriate user authentication mechanism commensurate with the classification of information to be accessed should be selected. Timely review and removal of user identity from the system should be implemented when user transfers to a new job or leave the commercial bank.
Article 23. Commercial banks should ensure all physical security zones, such as computer centers or data centers, network closets, areas containing confidential information or critical IT equipment, and respective accountabilities are clearly defined, and appropriate preventive, detective, and recuperative controls are put in place.
Article 24. Commercial banks should divide their networks into logical security domains (hereinafter referred to as the “domain”) with different levels of security. The following security factors have to be assessed in order to define and implement effective security controls, such as physical or logical segregation of network, network filtering, logical access control, traffic encryption, network monitoring, activity log, etc., for each domain and the whole network.
(1) criticality of the applications and user groups within the domain;
(2) Access points to the domain through various communication channels;
(3) Network protocols and ports used by the applications and network equipment deployed within the domain;
(4) Performance requirement or benchmark;
(5) Nature of the domain, i.e. production or testing, internal or external;
(6) Connectivity between various domains; and
(7) Trustworthiness of the domain.
Article 25. Commercial banks should secure the operating system and system software of all computer systems by
(1) Developing baseline security requirement for each operating system and ensuring all systems meet the baseline security requirement;
(2) Clearly defining a set of access privileges for different groups of users, namely, end-users, system development staff, computer operators, and system administrators and user administrators;
(3) Setting up a system of approval, verification, and monitoring procedures for using the highest privileged system accounts;
(4) Requiring technical staff to review available security patches, and report the patch status periodically; and
(5) Requiring technical staff to include important items such as unsuccessful logins, access to critical system files, changes made to user accounts, etc. in system logs, monitors the systems for any abnormal event manually or automatically, and report the monitoring periodically.
Article 26. Commercial banks should ensure the security of all the application systems by
(1) Clearly defining the roles and responsibilities of end-users and IT staff regarding the application security;
(2) Implementing a robust authentication method commensurate with the criticality and sensibility of the application system;
(3) Enforcing segregation of duties and dual control over critical or sensitive functions;
(4) Requiring verification of input or reconciliation of output at critical junctures;
(5) Requiring the input and output of confidential information are handled in a secure manner to prevent theft, tampering, intentional leakage, or inadvertent leakage;
(6) Ensuring system can handle exceptions in a predefined way and provide meaningful message to users when the system is forced to terminate; and
(7) Maintaining audit trail in either paper or electronic format.
(8) Requiring user administrator to monitor and review unsuccessful logins and changes to users accounts.
Article 27. Commercial banks should have a set of policies and procedures controlling the logging of activities in all production systems to support effective auditing, security forensic analysis, and fraud prevention. Logging can be implemented in different layers of software and on different computer and networking equipment, which falls into two broad categories:
(1) Transaction journals. They are generated by application software and database management system, and contain authentication attempts, modification to data, error messages, etc. Transaction journals should be kept according to the national accounting policy.
(2) System logs. They are generated by operating systems, database management system, firewalls, intrusion detection systems, and routers, etc., and contain authentication attempts, system events, network events, error messages, etc. System logs should be kept for a period scaled to the risk classification, but no less than one year.
Banks should ensure that sufficient items be included in the logs to facilitate effective internal controls, system troubleshooting, and auditing while taking appropriate measures to ensure time synchronization on all logs. Sufficient disk space should be allocated to prevent logs from being overwritten. System logs should be reviewed for any exception. The review frequency and retention period for transaction logs or database logs should be determined jointly by IT organization and pertinent business lines, and approved by the IT steering committee.
Article 28. Commercial banks should have the capacity to employ encryption technologies to mitigate the risk of losing confidential information in the information systems or during its transmission. Appropriate management processes of the encryption facilities should be put in place to ensure that
(1) Encryption facilities in use should meet national security standards or requirements;
(2) Staff in charge of encryption facilities are well trained and screened;
(3) Encryption strength is adequate to protect the confidentiality of the information; and
(4) Effective and efficient key management procedures, especially key lifecycle management and certificate lifecycle management, are in place.
Article 29. Commercial banks should put in place an effective and efficient system of securing all end-user computing equipment which include desktop personal computers (PCs), portable PCs, teller terminals, automatic teller machines (ATMs), passbook printers, debit or credit card readers, point of sale (POS) terminals, personal digital assistant (PDAs), etc and conduct periodic security checks on all equipments.
Article 30. Commercial banks should put in place a set of policies and procedures to govern the collection, processing, storage, transmission, dissemination, and disposal of customer information.
Article 31. All employees, including contract staff, should be provided with the necessary trainings to fully understand these policies procedures and the consequences of their violation. Commercial banks should adopt a zero tolerance policy against security violation.
Chapter V Application System Development, Testing and Maintenance
Article 32. Commercial banks should have the capability to identify, plan, acquire, develop, test, deploy, maintain, upgrade, and retire information systems. Policies and procedures should be in place to govern the initiation, prioritization, approval, and control of IT projects. Progress reports of major IT projects should be submitted to and reviewed by the IT steering committee periodically. Decisions involving significant change of schedule, change of key personnel, change of vendors, and major expenditures should be included in the progress report.
Article 33. Commercial banks should recognize the risks associated with IT projects, which include the possibilities of incurring various kinds of operational risk, financial losses, and opportunity costs stemming from ineffective project planning or inadequate project management controls of the bank. Therefore, appropriate project management methodologies should be adopted and implemented to control the risks associated with IT projects.
Article 34. Commercial banks should adopt and implement a system development methodology to control the life cycle of Information systems. The typical phases of system life cycle include system analysis, design, development or acquisition, testing, trial run, deployment, maintenance, and retirement. The system development methodology to be used should be commensurate with the size, nature, and complexity of the IT project, and, generally speaking, should facilitate the management of the following risks.
Article 35. Commercial banks should ensure system reliability, integrity, and maintainability by controlling system changes with a set of policies and procedures, which should include the following elements.
(1) Ensure that production systems are separated from development or testing systems;
(2) Separating the duties of managing production systems and managing development or testing systems;
(3) Prohibiting application development and maintenance staff from accessing production system under normal circumstances unless management approval is granted to perform emergency repair, and all emergency repair activities should be recorded and reviewed promptly;
(4) Promoting changes of program or system configuration from development and testing systems to production systems should be jointly approved by IT organization and business departments, properly documented, and reviewed periodically.
Article 36. Commercial banks should have in place a set of policies, standards, and procedures to ensure data integrity, confidentiality, and availability. These policies should be in accordance with data integrity amid IT development procedure.
Article 37. Commercial banks should ensure that Information system problems could be tracked, analyzed, and resolved systematically through an effective problem management process. Problems should be documented, categorized, and indexed. Support services or technical assistance from vendors, if necessary, should also be documented. Contacts and relevant contract information should be made readily available to the employees concerned. Accountability and line of command should be delineated clearly and communicated to all employees concerned, which is of utmost importance to performing emergency repair.
Article 38. Commercial banks should have a set of policies and procedures controlling the process of system upgrade. System upgrade is needed when the hardware reaches its lifespan or runs out of capacity, the underpinning software, namely, operating system, database management system, middleware, has to be upgraded, or the application software has to be upgraded. The system upgrade should be treated as a project and managed by all pertinent project management controls including user acceptance testing.
Chapter VI IT Operations
Article 39. Commercial banks should consider fully the environmental threats (e.g. proximity to natural disaster zones, dangerous or hazardous facilities or busy/major roads) when selecting the locations of their data centers. Physical and environmental controls should be implemented to monitor environmental conditions could affect adversely the operation of information processing facilities. Equipment facilities should be protected from power failures and electrical supply interference.
Article 40. In controlling access by third-party personnel (e.g. service providers) to secured areas, proper approval of access should be enforced and their activities should be closely monitored. It is important that proper screening procedures including verification and background checks, especially for sensitive technology-related jobs, are developed for permanent and temporary technical staff and contractors.
Article 41. Commercial banks should separate IT operations or computer center operations from system development and maintenance to ensure segregation of duties within the IT organization. The commercial banks should document the roles and responsibilities of data center functions.
Article 42. Commercial banks are required to retain transactional records in compliance with the national accounting policy. Procedures and technology are needed to be put in place to ensure the integrity, safekeeping and retrieval requirements of the archived data.
Article 43. Commercial banks should detail operational instructions such as computer operator tasks, job scheduling and execution in the IT operations manual. The IT operations manual should also cover the procedures and requirements for on-site and off-site backup of data and software in both the production and development environments (i.e. frequency, scope and retention periods of back-up).
Article 44. Commercial banks should have in place a problem management and processing system to respond promptly to IT operations incidents, to escalate reported incidents to relevant IT management staff and to record, analyze and keep tracks of all these incidents until rectification of the incidents with root cause analysis completed. A helpdesk function should be set up to provide front-line support to users on all technology-related problems and to direct the problems to relevant IT functions for investigation and resolution.
Article 45. Commercial banks should establish service level agreement and assess the IT service level standard attained.
Article 46. Commercial banks should implement a process to ensure that the performance of application systems is continuously monitored and exceptions are reported in a timely and comprehensive manner. The performance monitoring process should include forecasting capability to enable exceptions to be identified and corrected before they affect system performance.
Article 47. Commercial banks should carry out capacity plan to cater for business growth and transaction increases due to changes of economic conditions. Capacity plan should be extended to cover back-up systems and related facilities in addition to the production environment.
Article 48. Commercial banks should ensure the continued availability of technology related services with timely maintenance and appropriate system upgrades. Proper record keeping (including suspected and actual faults and preventive and corrective maintenance records) is necessary for effective facility and equipment maintenance.
Article 49. Commercial banks should have an effective change management process in place to ensure integrity and reliability of the production environment. Commercial banks should develop a formal change management process.
Chapter VII Business Continuity Management
Article 50. Commercial banks should have in place appropriate arrangements, having regard to the nature, scale and complexity of its business, to ensure that it can continue to function and meet its regulatory obligations in the event of an unforeseen interruption. These arrangements should be regularly updated and tested to ensure their effectiveness.
Article 51. Commercial banks should consider the likelihood and impact of a disruption to the continuity of its operation from unexpected events. This should include assessing the disruptions to which it is particularly susceptible including but not limited to:
(1) Loss of failure of internal and external resources (such as people, systems and other assets);
(2) The loss or corruption of its information; and
(3) External events (such as war, earthquake, typhoon, etc).
Article 52. Commercial bank should act to reduce both the likelihood of disruptions (including system resilience and dual processing); and the impact of disruptions (including by contingency arrangements and insurance).
Article 53. Commercial bank should document its strategy for maintaining continuity of its operations, and its plans for communicating and regularly testing the adequacy and effectiveness of this strategy. Commercial bank should establish:
(1) Formal business continuity plans that outline arrangements to reduce the impact of a short, medium and long-term disruption, including:
a) Resource requirements such as people, systems and other assets, and arrangements for obtaining these resources;
b) The recovery priorities for the commercial bank’s operations; and
c) Communication arrangements for internal and external concerned parties (including CBRC, clients and the press);
(2) Escalation and invocation plans that outline the processes for implementing the business continuity plans, together with relevant contact information;
(3) Processes to validate the integrity of information affected by the disruption;
(4) Processes to review and update (1) to (3) following changes to the commercial bank’s operations or risk profile.
Article 54. A final BCP plan and an annual drill result must be signed off by the IT Risk management, or internal auditor and IT Steering Committee.
Chapter VIII Outsourcing
Article 55. Commercial banks cannot contract out its regulatory obligations and should take reasonable care to supervise the discharge of outsourcing functions.
Article 56. Commercial banks should take particular care to manage material outsourcing arrangement (such as outsourcing of data center, IT infrastructure, etc.), and should notify CBRC when it intends to enter into material outsourcing arrangement.
Article 57. Before entering into, or significantly changing, an outsourcing arrangement, the commercial bank should:
(1) Analyze how the arrangement will fit with its organization and reporting structure; business strategy; overall risk profile; and ability to meet its regulatory obligations;
(2) Consider whether the arrangements will allow it to monitor and control its operational risk exposure relating to the outsourcing;
(3) Conduct appropriate due diligence of the service provider’s financial stability, expertise and risk assessment of the service provider, facilities and ability to cover the potential liabilities;
(4) Consider how it will ensure a smooth transition of its operations from its current arrangements to a new or changed outsourcing arrangement (including what will happen on the termination of the contract); and
(5) Consider any concentration risk implications such as the business continuity implications that may arise if a single service provider is used by several firms.
Article 58. In negotiating its contract with a service provider, the commercial bank should have regard to ( but not limited to ):
(1) Reporting and negotiation requirements it may wish to impose on the service provider;
(2) Whether sufficient access will be available to its internal auditors, external auditors and banking regulators;
(3) Information ownership rights, confidentiality agreements and Firewalls to protect client and other information (including arrangements at the termination of contract);
(4) The adequacy of any guarantees and indemnities;
(5) The extent to which the service provider must comply with the commercial bank’s polices and procedures covering IT Risk;
(6) The extent to which the service provider will provide business continuity for outsourced operations, and whether exclusive access to its resources is agreed;
(7) The need for continued availability of software following difficulty at a third party supplier;
(8) The processes for making changes to the outsourcing arrangement and the conditions under which the commercial bank or service provider can choose to change or terminate the outsourcing arrangement, such as where there is:
a) A change of ownership or control of the service provider or commercial bank; or
b) Significant change in the business operations of the service provider or commercial bank; or
c) Inadequate provision of services that may lead to the commercial bank being unable to meet its regulatory obligations.
Article 59. In implementing a relationship management framework, and drafting the service level agreement with the service provider, the commercial bank should have regarded to (but not limited to):
(1) The identification of qualitative and quantitative performance targets to assess the adequacy of service provision, to both the commercial bank and its clients, where appropriate;
(2) The evaluation of performance through service delivery reports and periodic self assessment and independent review by internal or external auditors; and
(3) Remediation action and escalation process for dealing with inadequate performance.
Article 60. The commercial bank should enhance IT related outsourcing management, in place following (not limited to ) measures to ensure data security of sensitive information such as customer information:
(1) Effectively separated from other customer information of the service provider;
(2) The related staff of service provider should be authorized on “need to know” and “minimum authorization” basis;
(3) Ensure service provider guarantee its staff for meeting the confidential requests;
(4) All outsourcing arrangements related to customer information should be identified as material outsourcing arrangements and the customers should be notified;
(5) Strictly monitor re-outsourcing actions of the service provider, and implement adequate control measures to ensure information security of the bank;
(6) Ensure all related sensitive information be refunded or deleted from the service provider’s storage when terminating the outsourcing arrangement.
Article 61. The commercial bank should ensure that it has appropriate contingency in the event of a significant loss of services from the service provider. Particular issues to consider include a significant loss of resources, turnover of key staff, or financial failure of, the service provider, and unexpected termination of the outsourcing agreement.
Article 62. All outsourcing contracts must be reviewed or signed off by IT Risk management, internal IT auditors, legal department and IT Steering Committee. There should be a process to periodically review and refine the service level agreements.
Chapter IX Internal Audit
Article 63. Depending on the nature, scale and complexity of its business, it may be appropriate for the commercial banks to delegate much of the task of monitoring the appropriateness and effectiveness of its systems and controls to an internal audit function. An internal audit function should be adequately resourced and staffed by competent individuals, be independent of the day-to-day activities of the commercial bank and have appropriate access to the bank’s records.
Article 64. The responsibilities of the internal IT audit function are:
(1) To establish, implement and maintain an audit plan to examine and evaluate the adequacy and effectiveness of the bank’s systems and internal control mechanisms and arrangements;
(2) To issue recommendations based on the result of work carried out in accordance with 1;
(3) To verify compliance with those recommendations;
(4) To carry out special audit on information technology. The term “special audit” of information technology refers to the investigation, analysis and assessment on the security incidents of the information system, or the audit performed on a special subject based on IT risk assessment result as deemed necessary by the audit department.
Article 65. Based on the nature, scale and complexity of its business, deployment of information technology and IT risk assessment, commercial banks could determine the scope and frequency of IT internal audit. However, a comprehensive IT internal audit shall be performed at a minimum once every 3 years.
Article 66. Commercial banks should engage its internal audit department and IT Risk management department when implementing system development of significant size and scale to ensure it meets the IT Risk standards of the Commercial banks.
Chapter X External Audit
Article 67. The external information technology audit of commercial banks can be carried out by certified service providers in accordance with laws, rules and regulations.
Article 68. The commercial bank should ensure IT audit service provider to review and examine bank’s hardware, software, documentation and data to identify IT risk when they are commissioned to perform the audit. Vital commercial and technical information which is protected by national laws and regulations should not be reviewed.
Article 69. Commercial bank should communicate with the service provider in depth before the audit to determine audit scope, and should not withhold the truth or do not corporate with the service provider intentionally.
Article 70. CBRC and its local offices could designate certified service providers to carry out IT audit or related review on commercial banks when needed. When carrying out audit on commercial banks, as commissioned or authorized by CBRC or its local offices, the service providers shall present the letter of authority, and carry out the audit in accordance to the scope prescribed in the letter of authority.
Article 71. Once the IT audit report produced by the service providers is reviewed and approved by CBRC or its local offices, the report will have the same legal status as if it is produced by the CBRC itself. Commercial banks should come up with a correction action plan prescribed in the report and implement the corrective actions according to the timeframe.
Article 72. Commercial banks should ensure the service providers to strictly comply with laws and regulations to keep confidential and data security of any commercial secrets and private information learnt and IT risk information when conducting the audit. The service provider should not modify copy or take away any documents provided by the commercial banks.
Chapter XI Supplementary Provisions
Article 73. Commercial banks with no board of directors should have their operating decision-making bodies perform the responsibilities of the board with regard to IT risk management specified herein.
Article 74. The China Banking Regulatory Commission supervises and regulates the IT risk management of commercial banks under its authority by law.
Article 75. The power of interpretation and modification of the Guidelines shall rest with the China Banking Regulatory Commission.
Article 76. The Guidelines shall become effective as of the date of its issuance and the former Guidelines on the Risk Management of Banking Institutions’ Information Systems shall be revoked at the same time.
