Chapter VI Information Technology Operation: Guidelines for Information Technology Risk Management of Commercial Banks

Article 39 When choosing the geographical location of a data center, commercial banks should fully consider environmental threats (such as proximity to natural disaster-prone areas, dangerous or harmful facilities, or busy or major expressways), and take physical control measures to monitor the environmental conditions that threaten the operation of information processing equipment, so that the normal operation of the data center is not affected by unexpected power failure or power supply interference.

Article 40 Commercial banks should strictly control the entry of third-party personnel (such as service providers) into secure areas. Where entry is genuinely necessary, it should be properly authorized and the personnel's activities should be monitored. For long-term or temporary technicians and contract workers, especially those engaged in sensitive technology-related work, strict vetting procedures should be formulated, including identity verification and background investigation.

Article 41 Commercial banks should separate information technology operations from system development and maintenance to ensure separation of duties between positions within the information technology department, and should clearly define the positions and responsibilities of the data center.

Article 42 Commercial banks should keep transaction records in accordance with the requirements of relevant laws and regulations, and adopt the necessary procedures and technologies to ensure the integrity of archived data and to meet the requirements of secure preservation and recoverability.

Article 43 Commercial banks should formulate detailed information technology operating rules. For example, the information technology operations manual should describe the tasks, work arrangements and execution steps of computer operators, as well as the on-site and off-site backup processes and requirements for data and software in the production and development environments (i.e. the frequency, scope and retention period of backups).

Article 44 A commercial bank should establish an incident management and handling mechanism to deal with incidents in the operation of information systems in a timely manner, escalate them step by step to the relevant information technology managers, and record, analyze and track them until handling and root cause analysis are fully completed. Commercial banks should set up service desks to provide users with online support for related technical problems, and refer those problems to the relevant information technology departments for investigation and resolution.

Article 45 Commercial banks should establish systems and processes related to service level management and evaluate the service level of information technology operation.

Article 46 Commercial banks should establish procedures for continuously monitoring the performance of information systems and for reporting abnormal situations in a timely and complete manner. These procedures should provide an early-warning function so that anomalies are identified and corrected before they affect system performance.

Article 47 A commercial bank should prepare a capacity plan to accommodate business growth and increases in transaction volume driven by changes in the external environment. Capacity planning should cover production systems, backup systems and related equipment.

Article 48 Commercial banks should maintain and upgrade their systems in a timely manner to ensure the continuous availability of technology-related services, and should keep complete records (including records of suspected and actual failures and of preventive and remedial maintenance) to ensure the effective maintenance of equipment and facilities.

Article 49 A commercial bank shall formulate an effective change management process to ensure the integrity and reliability of the production environment. All changes, including emergency changes, should be logged, signed off by both the information technology department and the business department, and preceded by a backup so that the original system version and data files can be restored when necessary. After an emergency change has been applied successfully, it should go through the normal acceptance testing and change management process, and an appropriate permanent change should be adopted to replace the emergency change.