Guidelines for the Security Evaluation of Electronic Banks
January 26, 2006

Article 1 In order to enhance the security and risk management of electronic banks, and ensure the objectivity, timeliness, integrity and effectiveness

Article 2 Security evaluation of electronic banks refers to the inspection and evaluation of the security testing as well as the management

Article 3 A financial institution that develops the business of electronic banking shall perform at least one comprehensive security evaluation

Article 4 A financial institution may employ an external professional assessment institution for evaluating the security of its electronic

Article 5 A financial institution shall set up a regulatory rules system and work procedures for the security evaluation of its electronic

Article 6 The security evaluation of electronic banks of a financial institution shall be subject to the surveillance and guidance of China

Chapter II Security Evaluation Institutions

Article 7 Institutions for taking the security evaluation of electronic banks of financial institutions may be external social professional

Article 8 An external organization for the security evaluation of electronic banks shall comply with the requirements as follows:
(1) having moderately perfect management rules and operational rules for developing the business of the security evaluation of electronic
(2) having constituted systematic and complete evaluation handbooks or evaluation guidance documents, and the evaluation procedures, evaluation
(3) having various types of professionals in line with the security evaluation of electronic banks, and being familiar with related industrial
(4) satisfying other requirements prescribed by the CBRC for developing the business in the security evaluation of electronic banks.
Article 9 An internal department of a financial institution shall satisfy the following requirements besides those prescribed in Article 8
(1) being independent from the development department, operation department or management department of the electronic banking system;
(2) having not participated directly in the purchase of related equipment for electronic banks.

Article 10 The CBRC shall take charge of authorizing the qualifications for security evaluation of electronic banks.
A security evaluation institution of electronic banks may apply to the CBRC for the authorization of its qualification before developing

Article 11 A financial institution may choose a security evaluation institution that has or has not been authorized by the CBRC when performing
Where a financial institution chooses a security evaluation institution that has been authorized by the CBRC, related provisions in
A security evaluation institution of electronic banks shall observe the related provisions on the implementation and management of

Article 12 The CBRC shall organize an authorization of security evaluation institutions of electronic banks annually, and it shall be announced

Article 13 A security evaluation institution of electronic banks that applies for qualification authorization shall submit the materials (in
(1) its application report for authorizing the qualification for security evaluation of electronic banks;
(2) its introduction;
(3) the management framework, management rules, and operating rules, etc., for the security evaluation business;
(4) the evaluation handbook or evaluation guidance documents;
(5) resumes of major assessors; and
(6) other documents and materials as required by the CBRC.
Article 14 The CBRC shall organize related experts and supervisory personnel for evaluating the application materials after receiving a complete

Article 15 The CBRC shall issue a Letter of Opinions on the Qualification Authorization of the Security Evaluation Institutions of Electronic

Article 16 The Letter of Opinions on the Qualification Authorization of the Security Evaluation Institutions of Electronic Banks issued by the
No evaluation institution may use the Letter of Opinions on the Qualification Authorization of the Security Evaluation Institutions

Article 17 As for an evaluation institution, qualification requirements of which are met upon evaluation of the CBRC, the qualification authorization
Where an evaluation institution fails to satisfy the qualification requirements upon evaluation of the CBRC, the evaluation institution

Article 18 In case any of the following circumstances occurs to a security evaluation institution of electronic banks within the valid term
(1) The evaluation institution is in poor management, and its staff divulges the secrets of any assessed institution;
(2) The quality of evaluation work is inferior, and there is major omission in its evaluation activities;
(3) The evaluation institution fails to submit the evaluation reports as required, or there are fake statements in the evaluation reports;
(4) The evaluation institution uses the Letter of Opinions on the Qualification Authorization of the Security Evaluation Institutions
(5) The evaluation institution commits any other act of severely neglecting its duties.
Article 19 If an evaluation institution commits any of the following acts, the CBRC shall accept its qualification authorization application
(1) Colluding with the entrusting institution for jointly disguising the security loopholes as found during the course of security evaluation,
(2) Practicing falsification during the course of evaluation and producing the security evaluation reports; or
(3) Divulging the secret information of the evaluated institution, or using the secret materials of the evaluated institution improperly.
In case any of the aforesaid circumstances occurs to an internal evaluation department of a financial institution, the related department

Article 20 The information on any security evaluation institution of electronic banks authorized by the CBRC, as well as the authorization and
A financial institution may not divulge the related information announced by the CBRC to any third party to influence other business

Article 21 A financial institution may choose a security evaluation institution of electronic banks independently within the scope of evaluation

Article 22 As for a foreign-funded financial institution, main electronic banking system of which is established outside of the territory of
The financial institution shall perform the security evaluation with reference to the related provisions in the present Guidelines

Article 23 A financial institution shall sign a service agreement in written form with the security evaluation institution of electronic banks
The electronic banking management department and the evaluation department of a financial institution shall conclude a letter on the

Article 24 A security evaluation institution shall earnestly perform its evaluation duties, and authentically assess the security situation

Chapter III Implementation of Security Evaluation

Article 25 An evaluation institution shall fully communicate with the evaluated institution concerning the scope, focuses, time and requirements

Article 26 An evaluation institution shall assess the security of electronic banks of the entrusting institution on the spot subject to the
The security evaluation of electronic banks shall assess the security of the electronic banking system faithfully and comprehensively.

Article 27 The security evaluation of electronic banks shall at least contain the matters as follows:
(1) security strategies;
(2) construction of internal control system;
(3) risk management situation;
(4) system security;
(5) plans for continuous operation of electronic banking business;
(6) contingency plans for the operation of electronic banking business;
(7) risk warning system of electronic banks; and
(8) administration of other important security links and mechanisms.

Article 28 The evaluation of the security strategies of electronic banks shall at least contain the matters as follows:
(1) procedures for establishing security strategies and their rationality;
(2) security strategies for system design and development;
(3) security strategies for testing and accepting the system;
(4) security strategies for system operation and maintenance;
(5) security strategies for system backup and contingency; and
(6) clients' information security strategies.
An evaluation institution shall assess the security strategies of a financial institution in terms of whether there are security strategies,

Article 29 The evaluation of the internal control systems of electronic banks shall at least contain the matters as follows:
(1) the overall scientific and appropriate construction of internal control systems;
(2) the duties of the board of directors and the senior management staff in the security and risk management system of electronic banks,
(3) the status of construction and operation of security monitoring mechanism; and
(4) the status of construction and operation of internal audit systems.
Article 30 The evaluation of the risk management situation of electronic banks shall at least contain the matters as follows:
(1) the adaptability and justification of the risk management framework of electronic banks;
(2) how the board of directors and the senior management personnel understand the security and risk management of electronic banks,
(3) the justification of the duties of the management bodies of electronic banks, and the capacity to control related risks;
(4) the situation about employment and training of management personnel;
(5) the situation about implementing the rules, systems, operational provisions and procedures for the risk management of electronic banks;
(6) major risks and management situation of electronic banking; and
(7) the situation about construction and management of business outsourcing management systems.

Article 31 The evaluation of the security of electronic banking system shall at least contain the matters as follows:
(1) physical security;
(2) security of the data communications;
(3) security of the applied systems;
(4) management of keys;
(5) authorization and confidentiality of the clients' information; and
(6) intrusion detection mechanism and report response mechanism.
The evaluation institution shall focus on the evaluation of the security of data communications and the security of the applied systems,

Article 32 The evaluation of the continuous operation plans of electronic banking shall at least contain the matters as follows:
(1) equipment and systematic capacity for ensuring the continuous business operation; and
(2) systematic arrangements and implementation circumstances for ensuring the continuous business operation.
Article 33 The evaluation of the contingency plans for the electronic banking business shall at least contain the matters as follows:
(1) the construction and implementation of contingency systems of electronic banks;
(2) the circumstances on contingency facilities of electronic banks;
(3) the circumstances on regular and continuous testing and drills; and
(4) the capability to handle accidents or external attacks.

Article 34 An evaluation institution shall constitute its own standards for the security evaluation of electronic banks. It shall determine

Article 35 After the evaluation has been completed, the evaluation institution shall prepare a report in a timely manner, and submit an evaluation

Article 36 An evaluation report shall at least contain the matters as follows:
(1) time and scope for evaluation and other important stipulations in any other agreement;
(2) the overall framework, procedures, chief methods for evaluation and an introduction of the major assessors;
(3) the standards for determining the risk weights of different evaluation contents, the calculation methods for risk grades, and the
(4) the evaluation contents for and the descriptions of evaluation activities;
(5) the conclusion of evaluation;
(6) the suggestions on the security management of electronic banks of the evaluated institution;
(7) other issues to be explained as required;
(8) the definitions of main terms and the introduction of international or domestic standards (they may be given in the annex);
(9) the table of procedures for the evaluation work (it may be given in the annex); and
(10) the name list of assessors of the evaluation institution that have participated in the evaluation (it may be given in the annex).
The evaluation institution shall adopt quantitative measures to specify the risk grades of electronic banks of an assessed institution

Article 37 If it is possible to modify an evaluation report after it has been completed and submitted to the entrusting institution, the reasons,

Chapter IV Management of Security Evaluation Activities

Article 38 A financial institution shall implement the security evaluation of the electronic banking system that has been tested in accordance

Article 39 In case any of the following circumstances occurs to a financial institution after the operation of the electronic banking business
(1) The system is attacked and broken down due to security loopholes, and is being repaired for operation;
(2) After the electronic banking system has been renewed or upgraded significantly, it has stopped unexpectedly for 12 hours or more;
(3) After some major accident when the key equipment or facilities of an electronic bank has been changed, and the continuous operation
(4) The evaluation needs to be performed immediately due to the security management of electronic banks.
Article 40 The power of employing an external security evaluation institution by a financial institution shall remain with its board of directors

Article 41 As for a banking financial institution that has performed the centralized data management, the security evaluation of electronic

Article 42 As for a banking financial institution that has not performed the centralized data management, if its branches have developed the

Article 43 As for a foreign-funded financial institution that establishes its main business processing system of electronic banks outside the

Article 44 As for a foreign-funded financial institution that sets up its main business processing system of electronic banks within the territory

Article 45 Where several evaluation institutions are required for joint assumption or implementation of the security evaluation of electronic
Where a financial institution entrusts its electronic banking system to different evaluation institutions for security evaluation,

Article 46 A financial institution shall submit the introduction of the evaluation institution, the evaluation scheme and procedures to be adopted,

Article 47 The CBRC may designate staff members to participate in the security evaluation of electronic banks of any financial institution upon

Article 48 An evaluation institution shall perform the evaluation in accordance with the principles of objectivity, fairness, authenticity and

Article 49 The entrusting institution and the evaluation institution shall develop an information confidentiality work mechanism during the
(1) If it is necessary to consult the related materials, duplicate the related documents or data during the evaluation process, it shall
(2) The documents and materials requested for consultation shall be read at a designated place, and may not be taken out of this place;
(3) The duplicated documents or data may not be taken out of the working place generally, and if they really need to be carried, it must
(4) The documents or materials discarded during the process of evaluation or the data that will not be used any more shall be destroyed
(5) The two parties shall sign the notes for the delivery of related confidential data and materials after the evaluation work finishes.

Article 50 A financial institution shall submit the evaluation report to the CBRC within one month as of the receipt of an evaluation report
The financial institution may make necessary explanations concerning the related issues in the evaluation report when submitting an

Article 51 No security evaluation report on electronic banks may, without approval of the supervisory organ, be used as the promotion materials

Article 52 Where a security evaluation is not performed as required or in which the evaluation procedures and methods or the evaluation report

Article 53 The CBRC may organize independently or entrust an evaluation institution to implement the security evaluation of electronic banks

Article 54 The CBRC may directly inquire of an evaluation institution about its evaluation methods, scope and procedures, etc. upon its need in

Article 55 As for any problem reflected in the evaluation report, a financial institution shall take effective measures to remedy it.

Chapter V Supplementary Rules

Article 56 The present Guidelines are subject to the interpretation of the CBRC.

Article 57 The present Guidelines shall enter into force as of March 1, 2006.
China Banking Regulatory Commission
2006-01-26