ランニング Wiki

Financial View

Lin Xiaoxuan: Thinking and Practice of Information Technology Risk Management of ICBC

Source: China Financial Computer, issue 1, 2011
Author: Lin Xiaoxuan, Chief Information Officer of Industrial and Commercial Bank of China
Date: January 31, 2011

With the increasingly prominent role of information technology in the development of commercial banks, commercial banks face not only traditional credit risk, market risk and operational risk, but also a new type of risk caused by the integration of information technology and banking business: the information technology risk of commercial banks. The development of information technology has, on the one hand, greatly promoted the bank's customer service and management level and reduced the bank's management costs and transaction costs; on the other hand, the bank's dependence on information technology and the resulting risks are increasing. In recent years, regulatory authorities have attached great importance to IT risk management and put forward clear requirements. Domestic commercial banks have invested a lot of resources in information system software and hardware construction and security management, and have paid attention to preventing all kinds of information technology risks. As we enter a new stage of information technology development in the 12th Five Year Plan period, how to further improve the level of information technology risk management is an important issue that commercial banks need to consider and solve in planning their future information construction.

1、 The importance of strengthening IT risk management of commercial banks

The security, reliability and effectiveness of information systems are not only an important basis for commercial banks to survive and develop, but also bear on the security of the whole banking industry and the stability of the national financial system.
Therefore, the state has paid more and more attention to IT risk management of banks, regulatory agencies have put forward clear requirements for banks' IT risk management, and commercial banks have generally increased their attention to IT risk management.

1. Strengthening information technology risk management is an important content of financial regulatory authorities

With domestic banks listing one after another and playing an increasingly important role in the global financial structure, information technology risk management, including system operation risk, has received more and more attention from regulatory authorities and listed commercial banks. In March 2009, the China Banking Regulatory Commission (CBRC) issued the guidelines on information technology risk management of commercial banks (hereinafter referred to as the guidelines), which set out comprehensive requirements for the information technology risk management of commercial banks, covering information technology governance, information technology risk management, information security, information system development, testing and maintenance, information technology operation, business continuity management, outsourcing, internal audit, external audit, etc. The effective management measures taken by the relevant national regulatory authorities are of great guiding significance for the continuous improvement of information technology risk management in banks, and fully reflect that our government attaches great importance to IT risk management in the banking industry.

2. It is necessary for commercial banks to strengthen IT risk management for their own development and to improve their IT governance level

According to the IT governance model, IT risk management, together with strategic consistency, resource management and performance evaluation, constitutes the overall framework of IT governance, and is one of its important aspects. With the deepening of information construction in banks, the understanding of information technology risk is gradually deepening, from information security alone to comprehensive information technology risk management covering production operation, application research and development, information security and other aspects. The information technology risk management level reflects the bank's informatization level and overall risk management level. After the completion of their joint-stock reform and listing, commercial banks generally realize that once an information technology risk event occurs, it will not only affect normal business operation, but may also have a negative impact on the bank's reputation and market value. Therefore, they pay more attention to information technology risk, which also puts forward higher requirements for strengthening information technology risk management.

3. Strengthening information technology risk management is the basic requirement of the New Basel Capital Accord

The New Basel Capital Accord, as well as the subsequently released Basel III, makes clear the classification and definition of bank risk, and emphasizes that banks should not only pay attention to traditional credit risk, market risk and liquidity risk, but also put operational risk in an important position and pay attention to it. Information technology risk is clearly classified into the category of operational risk, so that information technology risk management has become an important part of the bank's comprehensive risk management system.
2、 Relevant measures of commercial banks to strengthen IT risk management

According to the best practice guidelines for information system risk control and IT audit issued by the international authoritative institution, the Information System Audit and Control Committee (ISACA), information technology risk management should focus on IT governance, software life cycle management (i.e. project development and change), IT service delivery and support (i.e. system operation and maintenance), information security, business continuity management, etc. The guidelines of the CBRC stipulate that "information technology risk refers to the operational, legal and reputation risks caused by natural factors, human factors, technical loopholes and management defects in the application process of information technology business in commercial banks". They also clarify that the information technology risk management of commercial banks covers information technology governance, information technology risk management, information security, information system development, testing and maintenance, information technology operation, business continuity management, etc. Generally speaking, commercial banks implement IT risk management measures mainly in four areas: technology governance, production operation, application research and development, and information security.

Over the years, ICBC has adhered to the development strategy of "prospering the bank through science and technology" and "leading by science and technology", established an intensive information technology organization and management system, and gradually established an advanced science and technology system and technology platform suitable for large international banks. Since 2006, treating it as an important part of operational risk management, ICBC has carried out a lot of work in IT risk management around the above four areas.

1. Establishing and improving the information technology management organization system and information technology risk management system is the basis for strengthening information technology risk management

According to the requirements of the guidelines of the CBRC, ICBC has established an information technology management committee with the president as the chairman, the vice president in charge and the chief risk officer as the vice chairmen, and all relevant departments as the participants. The committee is responsible for reviewing and discussing the construction planning of IT strategy, the technology system and the technology specification system, major IT decision-making matters, IT risk management and information security management; for promoting the construction of IT governance; and for regularly reporting the implementation of IT strategy planning, the IT budget and actual expenditure, and the overall work of IT to the board of directors and senior management. At the same time, a technical review committee is set up under the information technology management committee, which is responsible for the review of major science and technology project plans to ensure the rationality and continuity of the bank-wide information technology architecture. In addition, ICBC has recently established the post of chief information officer, and the information technology management system has been further improved.

Relying on the accumulated experience of its own science and technology management, ICBC has established a relatively complete information technology management system and technical standard system. Among them, 126 information technology management systems at the head office level, including more than 100 technical specifications in seven categories, including information security, system and application, have effectively improved the standardization level of the bank's information technology management.
In addition to institutional and normative constraints, ICBC has incorporated various management requirements into the system platform, realized the automation of science and technology management, and ensured the effective implementation of established management requirements. At the same time, ICBC has also established an on-site and off-site inspection mechanism for information technology: it carries out on-site inspection twice a year for science and technology departments at all levels, carries out off-site inspection once a month using various technology management platforms, and continuously tracks, manages and assesses the rectification progress of problems found in the inspections, so as to ensure that the rectification measures are implemented in place.

According to the relevant provisions of the guidelines of the CBRC, commercial banks should set up or assign a specific department to be responsible for information technology risk management, and establish an information technology risk management system with three lines of defense, formed by the information technology department, the information technology risk management department and the internal audit department, to jointly prevent and control information technology risk. In recent years, ICBC has gradually established three lines of defense for information technology risk management, composed of the information technology department, the risk management department and the internal audit department. The relevant departments have implemented their respective responsibilities in information construction, information technology management, risk monitoring, risk control and evaluation, and information technology audit, continuously improved the bank's information technology risk management level, and effectively controlled information technology risk.
In particular, in line with the content of the guidelines of the CBRC and the relevant requirements of comprehensive risk management, and with reference to information technology risk management at home and abroad, since 2010 ICBC has comprehensively sorted out the responsibilities of the second line of defense, and conscientiously implemented the functions of the second line of defense in six aspects: IT risk management strategy, IT risk assessment, risk control, risk monitoring, risk reporting, and business continuity planning.

3. Effective prevention of production and operation risk is the key to strengthening information technology risk management

Production and operation risk is the most prominent external manifestation of information technology risk. ICBC always adheres to the guiding ideology of "putting ensuring the safe and stable operation of information system in the first place of information technology work", and continuously strengthens its operation management measures to reduce operation risk. First of all, an information system security level system has been established. According to the system security level, different risk management measures are taken in performance and capacity management, disaster recovery, monitoring and other aspects, which not only ensures the external service level of the systems, but also effectively controls the cost of science and technology. Secondly, the bank has established a unified information system operation monitoring platform, realized business-availability-oriented monitoring for key application systems, and established remote monitoring of tier-one branches by the data center and of tier-two branches by tier-one branches.
Thirdly, automatic monitoring and operation of production has been realized: the data center host system has fully realized operation automation, and the operation automation rate of the open platform systems has reached 55%, which not only effectively improves production and operation efficiency, but also effectively reduces the risk brought by manual operation. Finally, a remote disaster recovery system for the host core business and a local disaster recovery and data backup system have been established; site disaster recovery has been realized for the key centralized business operation centers; a bank-wide unified application disaster recovery level standard has been established with reference to the relevant technical standards of the industry; and hierarchical disaster recovery protection measures have been implemented for more than 200 application systems of the bank, ensuring that all application systems have disaster recovery capability. On the basis of the above work, ICBC is planning to further optimize the production operation and disaster recovery system according to the layout of "two places and three centers".

4. Information security runs through the whole process of information technology, and is an important part of information technology risk management

The core of information security management is to establish and improve the internal control system of information security, and to ensure the confidentiality, integrity and availability of the bank's information systems and data through technical and management means. In this regard, ICBC has seriously implemented the management measures of information system security level protection, risk assessment and audit inspection, and has taken effective technical protection measures in the areas of client security, Internet security, application transaction security, etc.
On the one hand, on the basis of improving the information security management system and clarifying the responsibilities and management processes of the various departments, the management of information security is strengthened by standardizing the relevant systems, implementing information system level protection, carrying out risk assessment and security inspection, and strengthening daily security detection and management and security education. On the other hand, we continue to improve the information security technical control measures and enhance the hard control ability. In recent years, we have continued to strengthen the technical control of information security in three aspects, information security, information system security and client security, effectively controlling information security risk.

3、 Information technology risk management needs technology departments and business departments to jointly promote it and share risks

In the practice of information technology risk management, although information technology risk management pays more attention to the field of information technology, a considerable part of IT risk management is closely related to business departments. Therefore, IT risk management is actually an overall task of commercial banks, which needs the joint participation and promotion of business departments.

(1) In the aspect of business continuity management in the field of production and operation, based on the disaster recovery system of the information technology department, the business department needs to formulate a business-level emergency plan to guide business personnel in handling business emergencies when the information system is interrupted and restored, so as to cooperate with the information technology department in carrying out the emergency recovery work.
(2) In the aspect of application research and development, product quality problems lead to system operation risk, and the factors causing product quality problems are various, including technical factors such as program design and development defects, as well as business factors such as imperfect test verification and imperfect or poor-quality requirements. Therefore, in the process of application product R&D, the technology department and the business department need to do a good job in project management to realize risk sharing.

(3) In terms of information security, information security management involves the responsibilities of multiple departments. In addition to the information technology department, it also involves the departments that own information and information systems, the departments that use information and information systems, the internal control and compliance department, the internal audit department, the confidentiality management department, etc. In daily work, it is necessary for the technology department and the business departments to implement information security management measures according to the division of responsibilities, to prevent information security risks.

In short, information technology risk management is a very important and urgent problem in the development and informatization process of commercial banks. It needs the common attention and promotion of all parts of the banking industry, and also needs the cooperation of the internal technology departments and business departments of commercial banks to build a safe and risk-resistant financial IT platform, so as to promote the healthy and rapid development of banking business.




Last-modified: 2021-06-12 (Sat) 17:23:18 (52d)