广西壮族自治区突发性地质灾害应急预案
作者:法律资料网 时间:2024-06-30 23:02:14 浏览:9575
来源:法律资料网
下载地址: 点击此处下载
广西壮族自治区突发性地质灾害应急预案
广西壮族自治区人民政府办公厅关于印发广西壮族自治区突发性地质灾害应急预案的通知
桂政办发[2004]90号
各市、县人民政府,区直各委、办、厅、局:
经自治区人民政府同意,现将《广西壮族自治区突发性地质灾害应急预案》印发给你们,请认真组织实施。
广西壮族自治区人民政府办公厅
二OO四年六月十八日
广西壮族自治区突发性地质灾害应急预案
为建立和完善地质灾害应急救助体系,提高灾害应急反应能力和防御工作水平,避免或尽可能地减轻灾害造成的损失,确保人民生命财产安全,维护社会稳定,根据《地质灾害防治条例》(国务院令第394号),结合我区实际,特制定本预案。
一、总则
本预案所称突发性地质灾害是指因自然因素或人为活动引发的危害人民生命和财产安全的山体崩塌、滑坡、泥石流、地面塌陷、地裂缝、地面沉降等与地质作用有关的灾害。
地质灾害应急工作必须遵循“统一领导、分工负责;分级管理、属地为主;未雨绸缪、有备无患”的原则。
各市、县人民政府要坚持预防为主的原则,高度重视预防、预报和预警工作,根据本预案制定本行政区的突发性地质灾害应急预案。
二、地质灾害预警和灾情报告
(一)灾害预警。
县级以上国土资源主管部门会同建设、水利、交通、气象等部门加强地质灾害险情的动态监测,对出现地质灾害前兆、可能造成人员伤亡或重大财产损失的区域和地段,要及时发出预警,划定危险区,并设置警示标志予以公告。
(二)灾情报告。
地质灾害发生后,当地人民政府必须立即向上一级人民政府报告初步灾情并迅速组织有关部门调查灾害成因。发生大型以上地质灾害,当地县级人民政府可以直接向自治区人民政府或自治区相关主管部门报告,报告的主要内容包括:灾害发生的位置、时间、伤亡人数、已造成的直接经济损失,可能的间接经济损失,地质灾害类型、规模、成因、发展趋势,已采取的防范和救助措施等。
灾害发生地人民政府向上一级人民政府报告灾情时,应同时通报上一级政府的相关部门,各级人民政府根据灾害等级及时启动应急预案。
三、地质灾害等级划分
按照人员伤亡、经济损失的大小,将地质灾害灾情及险情分为四个等级:
(一)特大型。
1.灾情:因灾死亡30人以上,或直接经济损失1000万元以上的;
2.险情:受灾害威胁需搬迁转移人数在1000人以上,或潜在经济损失在l亿元以上的。
(二)大型。
1.灾情:因灾死亡10人以上30人以下,或直接经济损失500万元以上1000万元以下的;
2.险情:受灾害威胁需搬迁转移人数为500人以上1000人以下,或潜在经济损失在5000万元以上1亿元以下的。
(三)中型。
1.灾情:因灾死亡3人以上10人以下,或直接经济损失100万元以上500万元以下的;
2.险情:受灾害威胁需搬迁转移人数为100人以上500人以下,或潜在经济损失在500万元以上5000万元以下的。
(四)小型。
1.灾情:因灾死亡3人以下,或直接经济损失100万元以下的;
2.险情:受灾害威胁需搬迁转移人数在100人以下,或潜在经济损失在500万元以下的。
四、地质灾害应急组织机构及其主要职责
(一)地质灾害应急组织机构。
大型或大型以上的地质灾害灾情或险情出现后,自治区人民政府和灾害出现地的市、县人民政府成立地质灾害应急指挥部,必要时邀请国务院地质灾害领导小组成员亲临指导。自治区地质灾害应急指挥部指挥长由自治区分管副主席担任,指挥部成员由发展与改革、商务、国土资源、民政、水利、卫生、公安、交通、建设、财政、安监、旅游、药品食品监督、气象、通信、部队等部门负责人组成。指挥部下设若干个应急工作组,各工作组的部门与灾害出现地的对应部门共同开展应急工作。
中型地质灾害灾情或险情出现后,灾害出现地的市、县人民政府根据需要成立地质灾害应急指挥部。
小型地质灾害灾情或险情出现后,灾害出现地的县级人民政府根据需要成立地质灾害应急指挥部。
各级地质灾害应急指挥部为临时机构。
(二)自治区地质灾害应急指挥部各应急工作组的职责。
1.办公室。
主要职责:根据指挥部的指令,结合现场实际情况,具体组织实施抢险救灾工作;协调应急指挥部各应急工作组和各部门之间的各项应急工作,并督促、检查、落实;及时向指挥部汇报灾情和救灾工作进展情况,统一向新闻单位提供灾情及应急工作等信息,做好宣传报道等工作;协调各应急工作组按应急预案的分工及应急指挥部的指令,有效地开展各项应急工作。
2.紧急抢险救灾组。
由部队牵头,公安、建设、水利、电力、旅游等部门参加组成。
主要职责:组织抢险队伍抢救受灾人员,动员受灾害威胁的群众疏散避灾,情况危急时,可强制组织避灾疏散;对已发生的灾害或可能引发的次生灾害进行抢险,抢修或保护供水、供气、供电等生命线工程。
3.应急调查、监测和治理组。
由国土资源部门牵头,气象、水利等部门参加组成。
主要职责:组织应急调查和险情监测工作,并对险情的发展趋势进行预测,会同有关部门对灾情进行评估,提出应急抢险措施的建议;组织专业施工队伍,修建必要的抢险工程,减缓或排除险情;负责提供灾害预警所需的气象资料信息,对灾区的气象条件进行监测预报;负责水情和汛情的监测。
4.医疗救护与卫生防疫组。
由卫生部门牵头,商务部门参加组成。
主要职责:做好急救准备工作,包括所需药品、医疗器械、卫生安全设备的准备等。
5.治安、交通和通讯组。
由公安部门牵头,交通、铁路、通讯部门参加组成。
主要职责:维护社会治安,迅速疏导交通、疏散灾民,保障交通干线及通信设施的安全,打击各种违法活动。
6.基本生活保障组。
由民政部门牵头,财政、商务等部门及保险公司参加组成。
主要职责:及时设置避险场所及救济物资供应点,做好救济物资的供应、调配和管理,妥善安排避险人员的生活,做好保险理赔工作。
7.信息报送和处理组。
由国土资源部门牵头,民政、建设、水利、交通、气象、安监等部门参加组成。
主要职责:调查、核实险情发生的时间、位置、规模、潜在的威胁、影响范围及诱发因素,及时分析、预测险情发展趋势;组织险情监测,实时掌握灾情、险情动态,将险情、灾情应急工作进展情况与随时根据情况变化提出的应急防范对策、措施及时报告应急指挥部。
8.应急资金保障组。
由财政部门牵头,发展与改革、国土资源、民政、建设、交通、铁道、水利等部门参加组成。
主要职责:负责应急抢险资金的筹集和落实,做好应急抢险资金的分配及使用的指导、监督和管理工作。
五、地质灾害抢险救灾应急反应
(一)中、小型地质灾害应急反应。
1.市、县人民政府的应急反应。
(1)发生小型地质灾害,所在县人民政府要及时向地级市人民政府报告,并组织调查和做出应急处理;发生中型地质灾害,所在县人民政府要在24小时内报告地级市人民政府,同时抄报自治区人民政府,由地级市人民政府组织调查和做出应急处理,并将详情报告自治区人民政府。
(2)地质灾害所在市、县人民政府根据需要成立地质灾害应急指挥部,启动中、小型突发性地质灾害应急预案,迅速组织人员开展抢险救灾工作,转移受灾群众,安排好灾民的生活,做好食品、饮水、衣物等救灾物资的调集和发放工作。
2.自治区人民政府的应急反应。
(1)自治区国土资源厅及有关部门迅速了解灾情,向自治区人民政府和国土资源部报告,预测地质灾害发展趋势,并提出应急工作的建议。
(2)自治区地质灾害防治工作领导小组根据灾情的严重程度召开有关部门会议,通报灾情,部署救灾工作,协调当地驻军和武警部队参加抢险救灾。
(3)自治区人民政府视情况派工作组赴灾区指导,协调救灾工作。
(二)大型、特大型地质灾害应急反应。
1.市、县人民政府的应急反应。
(1)灾害发生地所在市、县人民政府迅速了解灾害情况,大型灾害在12小时内,特大型灾害在6小时内,将灾情和发展趋势报告自治区人民政府,并抄送自治区国土资源厅、民政厅。
(2)灾害发生地人民政府或国土资源主管部门接到报告后,应立即派人赶赴现场进行调查,采取有效措施防止灾情扩大,同时根据实际情况,动员受到地质灾害威胁的群众转移到安全地带,情况危急时,可以强制组织避灾疏散。
2.自治区人民政府的应急反应。
(1)自治区人民政府成立地质灾害应急指挥部并进人工作状态,视灾情程度启动相应地质灾害应急预案,统一指挥救灾工作。
(2)自治区地质灾害应急指挥部召开会议,听取灾情汇报,部署救灾工作,向重灾区派出工作组,并向国务院及国土资源部报告灾情,对特大型的地质灾害请求国务院紧急支援。
(3)自治区人民政府协调当地驻军和武警部队迅速调集部队参加抢险救灾。
(三)抢险救灾应急措施。
1.在地质灾害抢险救灾的应急工作中,根据处理灾情的需要,县级以上人民政府可以紧急调集人员和调用物资、交通工具以及相关的设备,必要时可以在抢险救灾区域内实行交通管制等措施,对应急工作中产生的争议应采取紧急措施进行处理。
2.在抢险救灾的应急工作中,临时调用单位或个人的物资、设备及占用房屋、土地等,事后应及时归还;无法归还或造成损失的,应按有关规定给予相应的补偿。
3.经专家组鉴定地质灾害的险情或灾情己消除或者得到有效控制后,当地县级人民政府要及时撤销划定的危险区,宣布应急期结束,并予以公告,同时各级人民政府撤销相应的地质灾害应急指挥部。
六、备灾工作
(一)实行地质灾害调查制度。
县级以上人民政府应对辖区内的地质灾害状况进行调查,建立建全地质灾害群测群防体系,在地质灾害重点防范区内,乡(镇)人民政府、基层群众自治组织应当加强地质灾害险情的巡回检查,对危害较大的地质灾害隐患点,要编制防灾预案,确定发生地质灾害时的预警信号、人员财产撤离转移路线等,加强监测,落实责任人和监测人,发现险情要及时处理和报告。
(二)建立应急分队。
各市、县要加强突发性地质灾害救灾装备、抗险队伍建设,国土资源主管部门要组建地质灾害应急分队,配备专用救灾车辆和通讯工具,确保出现灾情后紧急救助措施能及时到位,受灾群众能得到及时救助。
(三)完善救灾物资储备制度。
灾害多发市、县的民政、卫生、食品、药品等部门,要做好抢险救灾物资,包括救灾帐蓬、衣被、食品、饮用水等的储备工作,确保灾后24小时内能送达灾区。
(四)提高公众防灾减灾意识。
县级以上人民政府应当组织有关部门开展地质灾害防治知识的宣传教育,结合防灾预案进行演练,增强公众的地质灾害防治意识和自救、互救能力,最大限度地减轻灾害造成的损失。
七、其他
(一)本预案自下发之日起执行。
(二)本预案将根据地质灾害应急工作实际需要,由自治区地质灾害防治工作领导小组适时进行修订。
下载地址: 点击此处下载
天津市放射性废物管理办法
天津市放射性废物管理办法
(2004年6月21日天津市人民政府第30次常务会议审议通过 2004年6月30日天津市人民政府令第60号公布 自2004年7月1日起施行)
第一条 为加强对放射性废物的管理,保护环境,保障公众健康,根据《中华人民共和国放射性污染防治法》等有关规定,结合本市实际,制定本办法。
第二条 凡在本市行政区域内应用放射性同位素和辐射技术产生放射性废物的单位,均应遵守本办法。
第三条 市环境保护行政主管部门负责对本市放射性废物实施统一监督管理。
市卫生、公安等部门应根据各自职责,加强对放射性废物的安全防护和安全保卫实施监督管理。
第四条 下列放射性废物属于本办法的管理范围:
(一)受放射污染的各种材料、容器、工具、设备、动物尸体或植株;
(二)废放射源;
(三)含放射性核素的有机闪烁液;
(四)其他放射性废物。
第五条 产生放射性废物的单位,应建立符合国家有关标准的放射性废物暂存室(库)。放射性废物暂存室(库)的建设应符合建设项目环境保护的有关规定。
产生放射性废物的单位,应在暂存室(库)外显著位置设立放射性标志,配备专职或兼职管理人员,防止放射性废物丢失、被盗。
第六条 产生放射性废物的单位,可将半衰期小于60天的放射性废物存入暂存室(库),并按照市环境保护行政主管部门的规定,将处理后的放射性废物送交放射性废物处置单位处置。
第七条 产生放射性废物的单位,对本办法第六条规定以外的放射性废物,不得自行处置,应直接送交放射性废物处置单位处置。
第八条 放射性废物需要移入或移出本市的,应按照国家有关规定执行。
第九条 禁止将废放射源混入其他放射性废物。禁止将放射性废物混入固体废物或者乱弃、乱埋、焚烧。
第十条 送交的放射性废物,应符合下列要求:
(一)废物应干燥,游离液体率不大于1%;
(二)废物性能稳定,无挥发性,无易燃、易爆等不稳定性物质,无强氧化剂、腐蚀剂等物质;
(三)试验植株应脱水、干化或灰化;
(四)动物尸体应固化于水泥中或防腐、干化、灰化;
(五)包装体外表面的污染控制水平和放射性强度应符合国家有关标准;
(六)废放射源应密封包装完整,包装后的外表面放射性强度应符合国家有关标准。
第十一条 包装放射性废物时,应遵守下列规定:
(一)使用统一规格的放射性废物包装容器,每个容器体积不得超过30升,装载放射性废物后总重量不得超过20公斤;
(二)按照放射性废物半衰期的长短,分别装入不同的包装容器。
第十二条 放射性废物处置单位对送交的放射性废物应进行检验。对符合处置要求的,予以接收,并填写放射性废物(源)处置登记卡片;对不符合处置要求的,应经送交单位进行处理并符合处置要求后,予以接收。
废放射源被接收后,产生放射性废物的单位应持放射性废物(源)处置登记卡片到公安机关办理放射源注销手续。
第十三条 放射性废物处置单位应当安排专人和符合辐射防护要求的车辆统一收运放射性废物。
运输放射性废物的行车路线应避开水源保护区、风景名胜区、自然保护区及其他需要保护的区域。运输过程中应减少在人口稠密地区通过的时间和距离。
第十四条 每次收运放射性废物后,工作人员应进行体表污染检查,合格后方能离开放射性废物处置场所。汽车和工具也应进行污染检查,当污染超过国家标准规定的限值时,必须进行去污处理。
第十五条 送交放射性废物的单位,应向放射性废物处置单位交纳放射性废物处置费用。处置费用的收费标准和使用办法,由市财政、市价格主管部门会同市环境保护行政主管部门制定。
第十六条 对在防治放射性废物污染中做出显著成绩的单位或个人,由其所在单位及其上级主管部门或市环境保护行政主管部门给予表彰和奖励。
第十七条 违反本办法第五条第一款规定的,按照国家或本市建设项目环境保护的有关规定进行处罚。
违反本办法第五条第二款规定,不按照要求设置放射性标志的,由市环境保护行政主管部门责令其限期改正;逾期不改正的,处以1万元以下罚款。
第十八条 违反本办法第六条、第七条、第九条规定,自行处置放射性废物的,由市环境保护行政主管部门责令其停止违法行为,限期改正;逾期不改正的,指定有处置能力的单位代为处置,所需费用由产生放射性废物的单位承担,可以并处20万元以下罚款。
第十九条 对违反本办法第十五条,不按规定交纳放射性废物处置费用的,由市环境保护行政主管部门责令其限期交纳,逾期不交纳的按日加收应交费用5‰的滞纳金,并可处3万元以下的罚款。
第二十条 被处以罚款的单位,并不免除其消除污染,排除危害和赔偿损失的责任。
第二十一条 对违反本办法,触犯有关治安管理规定的,由公安机关予以处罚。
第二十二条 本办法自2004年7月1日起施行。1998年6月1日市人民政府《批转市环保局拟定的天津市放射性废物管理办法的通知》(津政发[1998]46号)同时废止。
Guidelines on the Risk Management of Commercial Banks’ Information Technology ——附加英文版
Guidelines on the Risk Management of Commercial Banks’ Information Technology
Chapter I General Provisions
Article 1. Pursuant to the Law of the People’s Republic of China on Banking Regulation and Supervision, the Law of the People's Republic of China on Commercial Banks, the Regulations of the People’s Republic of China on Administration of Foreign-funded Banks, and other applicable laws and regulations, the Guidelines on the Risk Management of Commercial Banks’ Information Technology (hereinafter referred to as the Guidelines) is formulated.
Article 2. The Guidelines apply to all the commercial banks legally incorporated within the territory of the People’s Republic of China.
The Guidelines may apply to other banking institutions including policy banks, rural cooperative banks, urban credit cooperatives, rural credit cooperatives, village banks, loan companies, financial asset management companies, trust and investment companies, finance firms, financial leasing companies, automobile financial companies and money brokers.
Article 3. The term “information technology” stated in the Guidelines shall refer to the system built with computer, communication and software technologies, and employed by commercial banks to handle business transactions, operation management, and internal communication, collaborative work and controls. The term also include IT governance, IT organization structure and IT policies and procedures.
Article 4. The risk of information technology refers to the operational risk, legal risk and reputation risk that are caused by natural factor, human factor, technological loopholes or management deficiencies when using information technology.
Article 5. The objective of information system risk management is to establish an effective mechanism that can identify, measure, monitor, and control the risks of commercial banks’ information system, ensure data integrity, availability, confidentiality and consistency, provide the relevant early warning, and thereby enable commercial banks’ business innovations, uplift their capability in utilizing information technology, improve their core competitiveness and capacity for sustainable development.
Chapter II IT governance
Article 6. The legal representative of commercial bank should be responsible to ensure compliance of this guideline.
Article 7. The board of directors of commercial banks should have the following responsibilities with respect to the management of information systems:
(1) Implementing and complying with the national laws, regulations and technical standards pertaining to the management of information systems, as well as the regulatory requirements set by the China Banking Regulatory Commission (hereinafter referred to as the “CBRC”);
(2) Periodically reviewing the alignment of IT strategy with the overall business strategies and significant policies of the bank, assessing the overall effectiveness and efficiency of the IT organization.
(3) Approving IT risk management strategies and policies, understanding the major IT risks involved, setting acceptable levels for these risks, and ensuring the implementation of the measures necessary to identify, measure, monitor and control these risks.
(4) Setting high ethical and integrity standards, and establishing a culture within the bank that emphasizes and demonstrates to all levels of personnel the importance of IT risk management.
(5) Establishing an IT steering committee which consists of representatives from senior management, the IT organization, and major business units, to oversee these responsibilities and report the effectiveness of strategic IT planning, the IT budget and actual expenditure, and the overall IT performance to the board of directors and senior management periodically.
(6) Establishing IT governance structure, proper segregation of duty, clear role and responsibility, maintaining check and balances and clear reporting relationship. Strengthening IT professional staff by developing incentive program.
(7) Ensuring that there is an effective internal audit of the IT risk management carried out by operationally independent, well-trained and qualified staff. The internal audit report should be submitted directly to the IT audit committee;
(8) Submitting an annual report to the CBRC and its local offices on information system risk management that has been reviewed and approved by the board of directors ;
(9) Ensuring the appropriating funding necessary for IT risk management works;
(10) Ensuring that all employees of the bank fully understand and adhere to the IT risk management policies and procedures approved by the board of directors and the senior management, and are provided with pertinent training.
(11) Ensuring customer information, financial information, product information and core banking system of the legal entity are held independently within the territory, and complying with the regulatory on-site examination requirements of CBRC and guarding against cross-border risk.
(12) Reporting in a timely manner to the CBRC and its local offices any serious incident of information systems or unexpected event, and quickly respond to it in accordance with the contingency plan;
(13) Cooperating with the CBRC and its local offices in the supervisory inspection of the risk management of information systems, and ensure that supervisory opinions are followed up; and
(14) Performing other related IT risk management tasks.
Article 8. The head of the IT organization, commonly known as the Chief Information Officer (CIO) should report directly to the president. Roles and responsibilities of the CIO should include the following:
(1) Playing a direct role in key decisions for the business development involving the use of IT in the bank;
(2) The CIO should ensure that information systems meet the needs of the bank, and IT strategies, in particular information system development strategies, comply with the overall business strategies and IT risk management policies of the bank;
(3) The CIO should also be responsible for the establishment of an effective and efficient IT organization to carry out the IT functions of the bank. These include the IT budget and expenditure, IT risk management, IT policies, standards and procedures, IT internal controls, professional development, IT project initiatives, IT project management, information system maintenance and upgrade, IT operations, IT infrastructure, Information security, disaster recovery plan (DRP), IT outsourcing, and information system retirement;
(4) Ensuring the effectiveness of IT risk management throughout the organization including all branches.
(5) Organizing professional trainings to improve technical proficiency of staff.
(6) Performing other related IT risk management tasks.
Article 9. Commercial banks should ensure that a clear definition of the IT organization structure and documentation of all job descriptions of important positions are always in place and updated in a timely manner. Staff in each position should meet relevant requirements on professional skills and knowledge. The following risk mitigation measures should be incorporated in the management program of related staff:
(1) Verification of personal information including confirmation of personal identification issued by government, academic credentials, prior work experience, professional qualifications;
(2) Ensuring that IT staff can meet the required professional ethics by checking character reference;
(3) Signing of agreements with employees about understanding of IT policies and guidelines, non-disclosure of confidential information, authorized use of information systems, and adherence to IT policies and procedures; and
(4) Evaluation of the risk of losing key IT personnel, especially during major IT development stage or in a period of unstable IT operations, and the relevant risk mitigation measures such as staff backup arrangement and staff succession plan.
Article 10. Commercial banks should establish or designate a particular department for IT risk management. It should report directly to the CIO and the Chief Risk Officer (or risk management committee), serve as a member of the IT incident response team, and be responsible for coordinating the establishment of policies regarding IT risk management, especially the areas of information security, BCP, and compliance with the CBRC regulations, advising the business departments and IT department in implementing these policies, providing relevant compliance information, conducting on-going assessment of IT risks, and ensuring the follow-up of remediation advice, monitoring and escalating management of IT threats and non-compliance events.
Article 11. Commercial banks should establish a special IT audit role and responsibility within internal audit function, which should put in place IT audit policies and procedures, develop and execute IT audit plan.
Article 12. Commercial banks should put in place policies and procedures to protect intellectual property rights according to laws regarding intellectual properties, ensure purchase of legitimate software and hardware, prevention of the use of pirated software, and the protection of the proprietary rights of IT products developed by the bank, and ensure that these are fully understood and complied by all employees.
Article 13. Commercial banks should, in accordance with relevant laws and regulations, disclose the risk profile of their IT normatively and timely.
Chapter III IT Risk Management
Article 14. Commercial banks should formulate an IT strategy that aligns with the overall business plan of the bank, IT risk assessment plan and an IT operational plan that can ensure adequate financial resources and human resources to maintain a stable and secure IT environment.
Article 15. Commercial banks should put in place a comprehensive set of IT risk management policies that include the following areas:
(1) Information security classification policy
(2) System development, testing and maintenance policy
(3) IT operation and maintenance policy
(4) Access control policy
(5) Physical security policy
(6) Personnel security policy
(7) Business Continuity Planning and Crisis and Emergency Management procedure
Article 16. Commercial banks should maintain an ongoing risk identification and assessment process that allows the bank to pinpoint the areas of concern in its information systems, assess the potential impact of the risks on its business, rank the risks, and prioritize mitigation actions and the necessary resources (including outsourcing vendors, product vendors and service vendors).
Article 17. Commercial banks should implement a comprehensive set of risk mitigation measures complying with the IT risk management policies and commensurate with the risk assessment of the bank. These mitigation measures should include:
(1) A set of clearly documented IT risk policies, technical standards, and operational procedures, which should be communicated to the staff frequently and kept up to date in a timely manner;
(2) Areas of potential conflicts of interest should be identified, minimized, and subject to careful, independent monitoring. Also it requires that an appropriate control structure is set up to facilitate checks and balances, with control activities defined at every business level, which should include:
- Top level reviews;
- Controls over physical and logical access to data and system;
- Access granted on “need to know” and “minimum authorization” basis;
- A system of approvals and authorizations; and
- A system of verification and reconciliation.
Article 18. Commercial banks should put in place a set of ongoing risk measurement and monitoring mechanisms, which should include
(1) Pre and post-implementation review of IT projects;
(2) Benchmarks for periodic review of system performance;
(3) Reports of incidents and complaints about IT services;
(4) Reports of internal audit, external audit, and issues identified by CBRC; and
(5) Arrangement with vendors and business units for periodic review of service level agreements (SLAs).
(6) The possible impact of new development of technology and new threats to software deployed.
(7) Timely review of operational risk and management controls in operation area.
(8) Assess the risk profile on IT outsourcing projects periodically.
Article 19. Chinese commercial banks operating offshore and the foreign commercial banks in China should comply with the relevant regulatory requirements on information systems in and outside the People’s Republic of China.
Chapter IV Information Security
Article 20. Information technology department of commercial banks should oversee the establishment of an information classification and protection scheme. All employees of the bank should be made aware of the importance of ensuring information confidentiality and provided with the necessary training to fully understand the information protection procedures within their responsibilities.
Article 21. Commercial banks should put in place an information security management function to develop and maintain an ongoing information security management program, promote information security awareness, advise other IT functions on security issues, serve as the leader of IT incident response team, and report the evaluation of the information security of the bank to the IT steering committee periodically. The Information security management program should include Information security standards, strategy, an implementation plan, and an ongoing maintenance plan.
Information security policy should include the following areas:
(1) IT security policy management
(2) Organization information security
(3) Asset management
(4) Personnel security
(5) Physical and environment security
(6) Communication and operation security
(7) Access control and authentication
(8) Acquirement, development and maintenance of information system
(9) Information security event management
(10) Business continuity management
(11) Compliance
Article 22. Commercial banks should have an effective process to manage user authentication and access control. Access to data and system should be strictly limited to authorized individuals whose identity is clearly established, and their activities in the information systems should be limited to the minimum required for their legitimate business use. Appropriate user authentication mechanism commensurate with the classification of information to be accessed should be selected. Timely review and removal of user identity from the system should be implemented when user transfers to a new job or leave the commercial bank.
Article 23. Commercial banks should ensure all physical security zones, such as computer centers or data centers, network closets, areas containing confidential information or critical IT equipment, and respective accountabilities are clearly defined, and appropriate preventive, detective, and recuperative controls are put in place.
Article 24. Commercial banks should divide their networks into logical security domains (hereinafter referred to as the “domain”) with different levels of security. The following security factors have to be assessed in order to define and implement effective security controls, such as physical or logical segregation of network, network filtering, logical access control, traffic encryption, network monitoring, activity log, etc., for each domain and the whole network.
(1) criticality of the applications and user groups within the domain;
(2) Access points to the domain through various communication channels;
(3) Network protocols and ports used by the applications and network equipment deployed within the domain;
(4) Performance requirement or benchmark;
(5) Nature of the domain, i.e. production or testing, internal or external;
(6) Connectivity between various domains; and
(7) Trustworthiness of the domain.
Article 25. Commercial banks should secure the operating system and system software of all computer systems by
(1) Developing baseline security requirement for each operating system and ensuring all systems meet the baseline security requirement;
(2) Clearly defining a set of access privileges for different groups of users, namely, end-users, system development staff, computer operators, and system administrators and user administrators;
(3) Setting up a system of approval, verification, and monitoring procedures for using the highest privileged system accounts;
(4) Requiring technical staff to review available security patches, and report the patch status periodically; and
(5) Requiring technical staff to include important items such as unsuccessful logins, access to critical system files, changes made to user accounts, etc. in system logs, monitors the systems for any abnormal event manually or automatically, and report the monitoring periodically.
Article 26. Commercial banks should ensure the security of all the application systems by
(1) Clearly defining the roles and responsibilities of end-users and IT staff regarding the application security;
(2) Implementing a robust authentication method commensurate with the criticality and sensibility of the application system;
(3) Enforcing segregation of duties and dual control over critical or sensitive functions;
(4) Requiring verification of input or reconciliation of output at critical junctures;
(5) Requiring the input and output of confidential information are handled in a secure manner to prevent theft, tampering, intentional leakage, or inadvertent leakage;
(6) Ensuring system can handle exceptions in a predefined way and provide meaningful message to users when the system is forced to terminate; and
(7) Maintaining audit trail in either paper or electronic format.
(8) Requiring user administrator to monitor and review unsuccessful logins and changes to users accounts.
Article 27. Commercial banks should have a set of policies and procedures controlling the logging of activities in all production systems to support effective auditing, security forensic analysis, and fraud prevention. Logging can be implemented in different layers of software and on different computer and networking equipment, which falls into two broad categories:
(1) Transaction journals. They are generated by application software and database management system, and contain authentication attempts, modification to data, error messages, etc. Transaction journals should be kept according to the national accounting policy.
(2) System logs. They are generated by operating systems, database management system, firewalls, intrusion detection systems, and routers, etc., and contain authentication attempts, system events, network events, error messages, etc. System logs should be kept for a period scaled to the risk classification, but no less than one year.
Banks should ensure that sufficient items be included in the logs to facilitate effective internal controls, system troubleshooting, and auditing while taking appropriate measures to ensure time synchronization on all logs. Sufficient disk space should be allocated to prevent logs from being overwritten. System logs should be reviewed for any exception. The review frequency and retention period for transaction logs or database logs should be determined jointly by IT organization and pertinent business lines, and approved by the IT steering committee.
Article 28. Commercial banks should have the capacity to employ encryption technologies to mitigate the risk of losing confidential information in the information systems or during its transmission. Appropriate management processes of the encryption facilities should be put in place to ensure that
(1) Encryption facilities in use should meet national security standards or requirements;
(2) Staff in charge of encryption facilities are well trained and screened;
(3) Encryption strength is adequate to protect the confidentiality of the information; and
(4) Effective and efficient key management procedures, especially key lifecycle management and certificate lifecycle management, are in place.
Article 29. Commercial banks should put in place an effective and efficient system of securing all end-user computing equipment which include desktop personal computers (PCs), portable PCs, teller terminals, automatic teller machines (ATMs), passbook printers, debit or credit card readers, point of sale (POS) terminals, personal digital assistant (PDAs), etc and conduct periodic security checks on all equipments.
Article 30. Commercial banks should put in place a set of policies and procedures to govern the collection, processing, storage, transmission, dissemination, and disposal of customer information.
Article 31. All employees, including contract staff, should be provided with the necessary trainings to fully understand these policies procedures and the consequences of their violation. Commercial banks should adopt a zero tolerance policy against security violation.
Chapter V Application System Development, Testing and Maintenance
Article 32. Commercial banks should have the capability to identify, plan, acquire, develop, test, deploy, maintain, upgrade, and retire information systems. Policies and procedures should be in place to govern the initiation, prioritization, approval, and control of IT projects. Progress reports of major IT projects should be submitted to and reviewed by the IT steering committee periodically. Decisions involving significant change of schedule, change of key personnel, change of vendors, and major expenditures should be included in the progress report.
Article 33. Commercial banks should recognize the risks associated with IT projects, which include the possibilities of incurring various kinds of operational risk, financial losses, and opportunity costs stemming from ineffective project planning or inadequate project management controls of the bank. Therefore, appropriate project management methodologies should be adopted and implemented to control the risks associated with IT projects.
Article 34. Commercial banks should adopt and implement a system development methodology to control the life cycle of Information systems. The typical phases of system life cycle include system analysis, design, development or acquisition, testing, trial run, deployment, maintenance, and retirement. The system development methodology to be used should be commensurate with the size, nature, and complexity of the IT project, and, generally speaking, should facilitate the management of the following risks.
Article 35. Commercial banks should ensure system reliability, integrity, and maintainability by controlling system changes with a set of policies and procedures, which should include the following elements.
(1) Ensure that production systems are separated from development or testing systems;
(2) Separating the duties of managing production systems and managing development or testing systems;
(3) Prohibiting application development and maintenance staff from accessing production system under normal circumstances unless management approval is granted to perform emergency repair, and all emergency repair activities should be recorded and reviewed promptly;
(4) Promoting changes of program or system configuration from development and testing systems to production systems should be jointly approved by IT organization and business departments, properly documented, and reviewed periodically.
Article 36. Commercial banks should have in place a set of policies, standards, and procedures to ensure data integrity, confidentiality, and availability. These policies should be in accordance with data integrity amid IT development procedure.
Article 37. Commercial banks should ensure that Information system problems could be tracked, analyzed, and resolved systematically through an effective problem management process. Problems should be documented, categorized, and indexed. Support services or technical assistance from vendors, if necessary, should also be documented. Contacts and relevant contract information should be made readily available to the employees concerned. Accountability and line of command should be delineated clearly and communicated to all employees concerned, which is of utmost importance to performing emergency repair.
Article 38. Commercial banks should have a set of policies and procedures controlling the process of system upgrade. System upgrade is needed when the hardware reaches its lifespan or runs out of capacity, the underpinning software, namely, operating system, database management system, middleware, has to be upgraded, or the application software has to be upgraded. The system upgrade should be treated as a project and managed by all pertinent project management controls including user acceptance testing.
Chapter VI IT Operations
Article 39. Commercial banks should consider fully the environmental threats (e.g. proximity to natural disaster zones, dangerous or hazardous facilities or busy/major roads) when selecting the locations of their data centers. Physical and environmental controls should be implemented to monitor environmental conditions could affect adversely the operation of information processing facilities. Equipment facilities should be protected from power failures and electrical supply interference.
Article 40. In controlling access by third-party personnel (e.g. service providers) to secured areas, proper approval of access should be enforced and their activities should be closely monitored. It is important that proper screening procedures including verification and background checks, especially for sensitive technology-related jobs, are developed for permanent and temporary technical staff and contractors.
Article 41. Commercial banks should separate IT operations or computer center operations from system development and maintenance to ensure segregation of duties within the IT organization. The commercial banks should document the roles and responsibilities of data center functions.
Article 42. Commercial banks are required to retain transactional records in compliance with the national accounting policy. Procedures and technology are needed to be put in place to ensure the integrity, safekeeping and retrieval requirements of the archived data.
Article 43. Commercial banks should detail operational instructions such as computer operator tasks, job scheduling and execution in the IT operations manual. The IT operations manual should also cover the procedures and requirements for on-site and off-site backup of data and software in both the production and development environments (i.e. frequency, scope and retention periods of back-up).
Article 44. Commercial banks should have in place a problem management and processing system to respond promptly to IT operations incidents, to escalate reported incidents to relevant IT management staff and to record, analyze and keep tracks of all these incidents until rectification of the incidents with root cause analysis completed. A helpdesk function should be set up to provide front-line support to users on all technology-related problems and to direct the problems to relevant IT functions for investigation and resolution.
Article 45. Commercial banks should establish service level agreement and assess the IT service level standard attained.
Article 46. Commercial banks should implement a process to ensure that the performance of application systems is continuously monitored and exceptions are reported in a timely and comprehensive manner. The performance monitoring process should include forecasting capability to enable exceptions to be identified and corrected before they affect system performance.
Article 47. Commercial banks should carry out capacity plan to cater for business growth and transaction increases due to changes of economic conditions. Capacity plan should be extended to cover back-up systems and related facilities in addition to the production environment.
Article 48. Commercial banks should ensure the continued availability of technology related services with timely maintenance and appropriate system upgrades. Proper record keeping (including suspected and actual faults and preventive and corrective maintenance records) is necessary for effective facility and equipment maintenance.
Article 49. Commercial banks should have an effective change management process in place to ensure integrity and reliability of the production environment. Commercial banks should develop a formal change management process.
Chapter VII Business Continuity Management
Article 50. Commercial banks should have in place appropriate arrangements, having regard to the nature, scale and complexity of its business, to ensure that it can continue to function and meet its regulatory obligations in the event of an unforeseen interruption. These arrangements should be regularly updated and tested to ensure their effectiveness.
Article 51. Commercial banks should consider the likelihood and impact of a disruption to the continuity of its operation from unexpected events. This should include assessing the disruptions to which it is particularly susceptible including but not limited to:
(1) Loss of failure of internal and external resources (such as people, systems and other assets);
(2) The loss or corruption of its information; and
(3) External events (such as war, earthquake, typhoon, etc).
Article 52. Commercial bank should act to reduce both the likelihood of disruptions (including system resilience and dual processing); and the impact of disruptions (including by contingency arrangements and insurance).
Article 53. Commercial bank should document its strategy for maintaining continuity of its operations, and its plans for communicating and regularly testing the adequacy and effectiveness of this strategy. Commercial bank should establish:
(1) Formal business continuity plans that outline arrangements to reduce the impact of a short, medium and long-term disruption, including:
a) Resource requirements such as people, systems and other assets, and arrangements for obtaining these resources;
b) The recovery priorities for the commercial bank’s operations; and
c) Communication arrangements for internal and external concerned parties (including CBRC, clients and the press);
(2) Escalation and invocation plans that outline the processes for implementing the business continuity plans, together with relevant contact information;
(3) Processes to validate the integrity of information affected by the disruption;
(4) Processes to review and update (1) to (3) following changes to the commercial bank’s operations or risk profile.
Article 54. A final BCP plan and an annual drill result must be signed off by the IT Risk management, or internal auditor and IT Steering Committee.
Chapter VIII Outsourcing
Article 55. Commercial banks cannot contract out its regulatory obligations and should take reasonable care to supervise the discharge of outsourcing functions.
Article 56. Commercial banks should take particular care to manage material outsourcing arrangement (such as outsourcing of data center, IT infrastructure, etc.), and should notify CBRC when it intends to enter into material outsourcing arrangement.
Article 57. Before entering into, or significantly changing, an outsourcing arrangement, the commercial bank should:
(1) Analyze how the arrangement will fit with its organization and reporting structure; business strategy; overall risk profile; and ability to meet its regulatory obligations;
(2) Consider whether the arrangements will allow it to monitor and control its operational risk exposure relating to the outsourcing;
(3) Conduct appropriate due diligence of the service provider’s financial stability, expertise and risk assessment of the service provider, facilities and ability to cover the potential liabilities;
(4) Consider how it will ensure a smooth transition of its operations from its current arrangements to a new or changed outsourcing arrangement (including what will happen on the termination of the contract); and
(5) Consider any concentration risk implications such as the business continuity implications that may arise if a single service provider is used by several firms.
Article 58. In negotiating its contract with a service provider, the commercial bank should have regard to ( but not limited to ):
(1) Reporting and negotiation requirements it may wish to impose on the service provider;
(2) Whether sufficient access will be available to its internal auditors, external auditors and banking regulators;
(3) Information ownership rights, confidentiality agreements and Firewalls to protect client and other information (including arrangements at the termination of contract);
(4) The adequacy of any guarantees and indemnities;
(5) The extent to which the service provider must comply with the commercial bank’s polices and procedures covering IT Risk;
(6) The extent to which the service provider will provide business continuity for outsourced operations, and whether exclusive access to its resources is agreed;
(7) The need for continued availability of software following difficulty at a third party supplier;
(8) The processes for making changes to the outsourcing arrangement and the conditions under which the commercial bank or service provider can choose to change or terminate the outsourcing arrangement, such as where there is:
a) A change of ownership or control of the service provider or commercial bank; or
b) Significant change in the business operations of the service provider or commercial bank; or
c) Inadequate provision of services that may lead to the commercial bank being unable to meet its regulatory obligations.
Article 59. In implementing a relationship management framework, and drafting the service level agreement with the service provider, the commercial bank should have regarded to (but not limited to):
(1) The identification of qualitative and quantitative performance targets to assess the adequacy of service provision, to both the commercial bank and its clients, where appropriate;
(2) The evaluation of performance through service delivery reports and periodic self assessment and independent review by internal or external auditors; and
(3) Remediation action and escalation process for dealing with inadequate performance.
Article 60. The commercial bank should enhance IT related outsourcing management, in place following (not limited to ) measures to ensure data security of sensitive information such as customer information:
(1) Effectively separated from other customer information of the service provider;
(2) The related staff of service provider should be authorized on “need to know” and “minimum authorization” basis;
(3) Ensure service provider guarantee its staff for meeting the confidential requests;
(4) All outsourcing arrangements related to customer information should be identified as material outsourcing arrangements and the customers should be notified;
(5) Strictly monitor re-outsourcing actions of the service provider, and implement adequate control measures to ensure information security of the bank;
(6) Ensure all related sensitive information be refunded or deleted from the service provider’s storage when terminating the outsourcing arrangement.
Article 61. The commercial bank should ensure that it has appropriate contingency in the event of a significant loss of services from the service provider. Particular issues to consider include a significant loss of resources, turnover of key staff, or financial failure of, the service provider, and unexpected termination of the outsourcing agreement.
Article 62. All outsourcing contracts must be reviewed or signed off by IT Risk management, internal IT auditors, legal department and IT Steering Committee. There should be a process to periodically review and refine the service level agreements.
Chapter IX Internal Audit
Article 63. Depending on the nature, scale and complexity of its business, it may be appropriate for the commercial banks to delegate much of the task of monitoring the appropriateness and effectiveness of its systems and controls to an internal audit function. An internal audit function should be adequately resourced and staffed by competent individuals, be independent of the day-to-day activities of the commercial bank and have appropriate access to the bank’s records.
Article 64. The responsibilities of the internal IT audit function are:
(1) To establish, implement and maintain an audit plan to examine and evaluate the adequacy and effectiveness of the bank’s systems and internal control mechanisms and arrangements;
(2) To issue recommendations based on the result of work carried out in accordance with 1;
(3) To verify compliance with those recommendations;
(4) To carry out special audit on information technology. The term “special audit” of information technology refers to the investigation, analysis and assessment on the security incidents of the information system, or the audit performed on a special subject based on IT risk assessment result as deemed necessary by the audit department.
Article 65. Based on the nature, scale and complexity of its business, deployment of information technology and IT risk assessment, commercial banks could determine the scope and frequency of IT internal audit. However, a comprehensive IT internal audit shall be performed at a minimum once every 3 years.
Article 66. Commercial banks should engage its internal audit department and IT Risk management department when implementing system development of significant size and scale to ensure it meets the IT Risk standards of the Commercial banks.
Chapter X External Audit
Article 67. The external information technology audit of commercial banks can be carried out by certified service providers in accordance with laws, rules and regulations.
Article 68. The commercial bank should ensure IT audit service provider to review and examine bank’s hardware, software, documentation and data to identify IT risk when they are commissioned to perform the audit. Vital commercial and technical information which is protected by national laws and regulations should not be reviewed.
Article 69. Commercial bank should communicate with the service provider in depth before the audit to determine audit scope, and should not withhold the truth or do not corporate with the service provider intentionally.
Article 70. CBRC and its local offices could designate certified service providers to carry out IT audit or related review on commercial banks when needed. When carrying out audit on commercial banks, as commissioned or authorized by CBRC or its local offices, the service providers shall present the letter of authority, and carry out the audit in accordance to the scope prescribed in the letter of authority.
Article 71. Once the IT audit report produced by the service providers is reviewed and approved by CBRC or its local offices, the report will have the same legal status as if it is produced by the CBRC itself. Commercial banks should come up with a correction action plan prescribed in the report and implement the corrective actions according to the timeframe.
Article 72. Commercial banks should ensure the service providers to strictly comply with laws and regulations to keep confidential and data security of any commercial secrets and private information learnt and IT risk information when conducting the audit. The service provider should not modify copy or take away any documents provided by the commercial banks.
Chapter XI Supplementary Provisions
Article 73. Commercial banks with no board of directors should have their operating decision-making bodies perform the responsibilities of the board with regard to IT risk management specified herein.
Article 74. The China Banking Regulatory Commission supervises and regulates the IT risk management of commercial banks under its authority by law.
Article 75. The power of interpretation and modification of the Guidelines shall rest with the China Banking Regulatory Commission.
Article 76. The Guidelines shall become effective as of the date of its issuance and the former Guidelines on the Risk Management of Banking Institutions’ Information Systems shall be revoked at the same time.
