Chapter IV Information Security (Information Technology Risk Management Guidelines for Commercial Banks)

Article 20 The information technology department of a commercial bank is responsible for establishing and implementing an information classification and protection system. A commercial bank shall make all employees aware of the importance of information security and shall organize and provide the necessary training, so that employees fully understand the information protection procedures within their responsibilities.

Article 21 The information technology department of a commercial bank shall perform the information security management function. This function includes establishing an information security plan and maintaining a long-term management mechanism, raising the information security awareness of all employees, advising other departments on security issues, and submitting the bank's information security assessment report to the Information Technology Management Committee on a regular basis. The information security management mechanism shall include information security standards, policies, implementation plans and continuous maintenance plans.

Information security policies shall cover the following areas:

(1) Security system management.

(2) Organization and management of information security.

(3) Asset management.

(4) Personnel security management.

(5) Physical and environmental security management.

(6) Communication and operation management.

(7) Access control management.

(8) System development and maintenance management.

(9) Information security incident management.

(10) Business continuity management.

(11) Compliance management.

Article 22 A commercial bank shall establish a process for effectively managing user authentication and access control. User access to data and systems must use an authentication mechanism that matches the level of the information being accessed, and users' activities in the information system must be limited to the minimum required to legitimately carry out the related business. When users change jobs or leave the bank, their identities in the system shall be checked, updated or cancelled in a timely manner.
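The periodic access review that Article 22 implies (matching entitlements to the user's current role, and catching identities that were not updated or cancelled after a job change or departure) can be expressed as a reconciliation of the HR roster against the accounts that exist in a system. The following is an added example written for this page, not code from the Guidelines or from any bank; the role names, entitlement strings, roster and account records are all constructed for the example.

```python
"""Added example: a periodic user-access review of the kind Article 22 calls for.
Reconciles a constructed HR roster against constructed system account records and
reports accounts of employees who have left but are still enabled, accounts holding
entitlements beyond what their current role allows (which also catches job changes
whose old entitlements were never revoked), and accounts with no roster entry at all.
All data, role names and entitlement names are constructed, not from a real system.
"""

# Constructed least-privilege baseline: role -> the entitlements it may hold.
ROLE_ENTITLEMENTS = {
    "teller": {"core.txn.read", "core.txn.post"},
    "branch_manager": {"core.txn.read", "core.txn.post", "core.txn.approve"},
    "dba": {"db.admin", "db.read"},
}

# Constructed HR roster: what the bank currently believes each person's role is.
HR_ROSTER = {
    "u1001": {"name": "Li", "status": "active", "role": "teller"},
    "u1002": {"name": "Wang", "status": "active", "role": "branch_manager"},
    "u1003": {"name": "Zhao", "status": "left", "role": "dba"},
    "u1004": {"name": "Chen", "status": "active", "role": "teller"},  # moved from dba
}

# Constructed account export from one system: what each identity can actually do.
SYSTEM_ACCOUNTS = {
    "u1001": {"enabled": True, "entitlements": {"core.txn.read", "core.txn.post"}},
    "u1002": {"enabled": True, "entitlements": {"core.txn.read", "core.txn.post", "core.txn.approve"}},
    "u1003": {"enabled": True, "entitlements": {"db.admin", "db.read"}},
    "u1004": {"enabled": True, "entitlements": {"db.admin", "core.txn.read", "core.txn.post"}},
    "svc_legacy": {"enabled": True, "entitlements": {"db.read"}},  # no roster entry
}


def review_access(roster, accounts, role_entitlements=ROLE_ENTITLEMENTS):
    """Compare every account against the roster and the role baseline."""
    findings = {"leavers_still_enabled": [], "excess_entitlements": {}, "orphan_accounts": []}
    for uid, acct in accounts.items():
        person = roster.get(uid)
        if person is None:
            # An identity nobody in HR owns: must be explained or cancelled.
            findings["orphan_accounts"].append(uid)
            continue
        if person["status"] != "active" and acct["enabled"]:
            findings["leavers_still_enabled"].append(uid)
        allowed = role_entitlements.get(person["role"], set())
        excess = acct["entitlements"] - allowed
        if excess:
            # Entitlements the current role does not justify (e.g. kept from an old job).
            findings["excess_entitlements"][uid] = sorted(excess)
    return findings


def remediation_plan(findings):
    """Turn findings into the concrete account actions the administrator must take."""
    actions = []
    for uid in findings["leavers_still_enabled"]:
        actions.append(("disable", uid, None))
    for uid, ents in findings["excess_entitlements"].items():
        for ent in ents:
            actions.append(("revoke", uid, ent))
    for uid in findings["orphan_accounts"]:
        actions.append(("investigate", uid, None))
    return actions


if __name__ == "__main__":
    for action in remediation_plan(review_access(HR_ROSTER, SYSTEM_ACCOUNTS)):
        print(action)
```

Running the review against the constructed data flags the departed DBA whose account is still enabled, the teller who kept `db.admin` from a previous role, and the unowned service account; the plan lists one disable, one revoke and one item to investigate. In practice the roster and the account export would come from the HR system and each production system respectively, and the review would run on the schedule the bank's access-control process defines.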

Article 23 A commercial bank shall establish physical security protection areas, including computer centers or data centers and areas where confidential information is stored or important information technology equipment such as network equipment is placed, clarify the corresponding responsibilities, and take the necessary prevention, detection and recovery control measures.

Article 24 A commercial bank shall divide its network into different logical security domains (hereinafter referred to as security domains) according to information security level. The following security factors shall be evaluated, and effective security controls shall be implemented according to the security level definitions and the evaluation results, such as physical or logical partitioning of each domain and of the whole network, network content filtering, logical access control, transmission encryption, network monitoring and activity logging.

(1) The importance of the applications and user groups in the domain.

(2) The access points where the various communication channels enter the domain.

(3) The network protocols and ports used by the network devices and applications configured in the domain.

(4) Performance requirements or standards.

(5) The nature of the domain, such as production domain or test domain, internal domain or external domain.

(6) Connectivity between different domains.

(7) The trustworthiness of the domain.

Article 25 A commercial bank shall take the following measures to ensure the security of all computer operating systems and system software:

(1) Formulate basic security requirements for each operating system to ensure that all systems meet the basic security requirements.

(2) Clearly define the access rights of the different user groups, including end users, system developers, system testers, computer operators, system administrators and user administrators.

(3) Develop approval, verification and monitoring processes for the highest-privilege system accounts, to ensure that the operation logs of highest-privilege users are recorded and monitored.

(4) Require technicians to regularly check for available security patches and to report the patch management status.

(5) Record unsuccessful logins, access to important system files, modifications of user accounts and other important matters in the system log, monitor any abnormal events in the system manually or automatically, and report the monitoring results regularly.

Article 26 A commercial bank shall take the following measures to ensure the security of all information systems:

(1) Clearly define the roles and responsibilities of end users and information technology personnel in information system security.

(2) Adopt effective authentication methods according to the importance and sensitivity of the information system.

(3) Strengthen the segregation of duties and implement dual control over key or sensitive positions.

(4) Perform input verification or output verification at key nodes.

(5) Handle the input and output of confidential information in a secure manner to prevent information from being leaked, stolen or tampered with.

(6) Ensure that the system handles exceptions in a predefined way and provides the necessary information to users when the system is forced to terminate.

(7) Keep the audit trail in written or electronic format.

(8) Require the user administrator to monitor and audit unsuccessful logins and user account modifications.

Article 27 A commercial bank shall formulate relevant policies and processes to manage the activity logs of its production systems, so as to support effective auditing, security forensic analysis and fraud prevention. Logging can be done at different software levels and on different computers and network devices. Logs fall into two categories:

(1) Transaction log. Transaction logs are generated by application software and database management systems and include user login attempts, data modifications, error information, etc. Transaction logs shall be retained in accordance with the requirements of national accounting standards.

(2) System log. System logs are generated by operating systems, database management systems, firewalls, intrusion detection systems and routers. Their content includes administrative login attempts, system events, network events, error messages, etc. The retention period of system logs shall be determined according to the risk level of the system, but shall not be less than one year.

A commercial bank shall ensure that transaction logs and system logs contain enough content to support effective internal control, resolve system failures and meet audit requirements. Appropriate measures shall be taken to keep the clocks of all logs synchronized and to ensure the logs' integrity. After an exception occurs, the system log shall be checked in a timely manner. The audit frequency and retention period of transaction logs and system logs shall be decided jointly by the information technology department and the relevant business departments, and reported to the Information Technology Management Committee for approval.
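The monitoring that Article 25(5) requires (unsuccessful logins, access to important system files, account modifications) and the synchronization and integrity requirements of Article 27 can be checked over collected log records. The following is an added example written for this page, not code from the Guidelines or from any bank's systems; the log line format, the event and field names, the thresholds, the important-files list and every record are constructed for the example.

```python
"""Added example (not part of the Guidelines): reviewing system log records in the
way Articles 25(5) and 27 call for. Detects bursts of unsuccessful logins, lists
user-account modifications and access to important system files, checks that
log sources are clock-synchronized, and verifies a hash chain over the records
so that tampering with stored logs is detectable. The log format, field names,
thresholds and every record below are constructed for this example."""
import hashlib
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed records: "<ISO timestamp> <source> <event> key=value ..."
SAMPLE_LOG = """\
2024-03-01T09:00:01 os-auth LOGIN_FAIL user=teller07 src=10.1.2.3
2024-03-01T09:00:04 os-auth LOGIN_FAIL user=teller07 src=10.1.2.3
2024-03-01T09:00:07 os-auth LOGIN_FAIL user=teller07 src=10.1.2.3
2024-03-01T09:00:09 os-auth LOGIN_FAIL user=teller07 src=10.1.2.3
2024-03-01T09:00:11 os-auth LOGIN_FAIL user=teller07 src=10.1.2.3
2024-03-01T09:05:00 os-auth LOGIN_OK user=admin02 src=10.1.9.9
2024-03-01T09:05:30 os-auth ACCOUNT_MODIFY user=admin02 target=teller07 action=unlock
2024-03-01T09:06:00 os-auth FILE_ACCESS user=admin02 path=/etc/shadow
2024-03-01T09:06:10 os-auth FILE_ACCESS user=admin02 path=/var/log/app.log
2024-03-01T09:13:00 dbms LOGIN_FAIL user=batch01 src=10.1.5.5
2024-03-01T09:30:00 firewall LOGIN_OK user=netops src=10.1.8.8
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (.*)$")
IMPORTANT_FILES = {"/etc/shadow", "/etc/passwd", "/etc/sudoers"}  # constructed list
FAIL_THRESHOLD = 5                  # constructed threshold: failures per window
FAIL_WINDOW = timedelta(minutes=1)  # constructed window
MAX_SKEW = timedelta(seconds=5)     # constructed tolerance for clock drift


def parse_log(text):
    """Turn the constructed text format into a list of dict records."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skipped here, would be reported in practice
        ts, source, event, rest = m.groups()
        fields = dict(kv.split("=", 1) for kv in rest.split())
        records.append({"ts": datetime.fromisoformat(ts), "source": source,
                        "event": event, **fields})
    return records


def find_failed_login_bursts(records):
    """Users with at least FAIL_THRESHOLD failures inside one FAIL_WINDOW."""
    by_user = defaultdict(list)
    for r in records:
        if r["event"] == "LOGIN_FAIL":
            by_user[r["user"]].append(r["ts"])
    flagged = []
    for user, times in sorted(by_user.items()):
        times.sort()
        for i in range(len(times) - FAIL_THRESHOLD + 1):
            if times[i + FAIL_THRESHOLD - 1] - times[i] <= FAIL_WINDOW:
                flagged.append(user)
                break
    return flagged


def find_account_modifications(records):
    """Every change to a user account, for the user administrator's review."""
    return [(r["user"], r["target"], r["action"])
            for r in records if r["event"] == "ACCOUNT_MODIFY"]


def find_important_file_access(records):
    """Accesses to files on the important-files list."""
    return [(r["user"], r["path"]) for r in records
            if r["event"] == "FILE_ACCESS" and r["path"] in IMPORTANT_FILES]


def check_clock_skew(reported_clocks, reference):
    """Sources whose reported clock differs from the reference by more than MAX_SKEW."""
    return sorted(src for src, t in reported_clocks.items()
                  if abs(t - reference) > MAX_SKEW)


def chain_hashes(lines, seed=b"log-chain-seed"):
    """Hash chain: each digest covers the previous digest and the current line."""
    digests, prev = [], hashlib.sha256(seed).hexdigest()
    for line in lines:
        prev = hashlib.sha256((prev + line).encode()).hexdigest()
        digests.append(prev)
    return digests


def verify_chain(lines, digests, seed=b"log-chain-seed"):
    """Index of the first line whose digest no longer matches, or -1 if intact."""
    recomputed = chain_hashes(lines, seed)
    for i, (a, b) in enumerate(zip(recomputed, digests)):
        if a != b:
            return i
    return -1 if len(recomputed) == len(digests) else min(len(recomputed), len(digests))
```

On the constructed records the review flags `teller07` for five failed logins within ten seconds, lists the unlock of that account by `admin02` and the read of `/etc/shadow`, and the hash chain pinpoints the first altered record if a stored line is later changed. The chain digests would be written to storage the log producer cannot modify (or anchored with a signature) for the integrity check to mean anything; the clock-skew check assumes each source's current time is polled against the bank's reference time source.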

Article 28 A commercial bank shall adopt encryption technology to prevent the risk of leakage or tampering of confidential information during transmission, processing and storage, and shall establish a cryptographic equipment management system to ensure that:

(1) The encryption technology and cryptographic equipment used meet national requirements.

(2) The employees who manage and use cryptographic equipment have undergone professional training and strict examination.

(3) The encryption strength meets the information confidentiality requirements.

(4) Effective management processes are formulated and implemented, especially for the life cycle management of keys and certificates.

Article 29 A commercial bank shall have effective systems in place to ensure the security of all end-user devices and shall regularly check the security of all such devices, including desktop personal computers (PCs), portable computers, teller terminals, automatic teller machines (ATMs), passbook printers, card readers, point-of-sale terminals (POS) and personal digital assistants (PDAs).

Article 30 A commercial bank shall formulate the relevant systems and procedures to strictly manage the collection, processing, storage, transmission, distribution, backup, recovery, cleaning and destruction of customer information.

Article 31 A commercial bank shall provide all its employees with the necessary training, so that they fully master the information technology risk management system and processes and understand the consequences of violating the regulations, and shall adopt a zero-tolerance policy toward violations of security regulations.