银监发[2014]39号文_EN&CN.pdf

Uploaded by: 精品资料 Document ID: 9023076 Uploaded: 2019-07-20 Format: PDF Pages: 7 Size: 170.94KB

Guiding Opinions of the China Banking Regulatory Commission on Strengthening the Banking Network Security and Information Technology Construction through the Application of Safe and Controllable Information Technologies

Status: Effective
Issuing authority: China Banking Regulatory Commission
Document Number: No. 39 2014 of the China Banking Regulatory Commission (银监发[2014]39号)
Date issued: 09-03-2014
Level of Authority: Departmental Regulatory Documents
Area of law: Public Security

All local offices of the China Banking Regulatory Commission (“CBRC”); the development and reform commissions, departments (commissions and bureaus) of science and technology, and industry and information technology departments of all provinces (autonomous regions, municipalities directly under the Central Government and cities under separate state planning); all policy banks, state-owned commercial banks, joint-stock commercial banks, and financial asset management companies; Postal Savings Bank of China; all provincial rural credit cooperative unions; and all trust companies, finance companies of enterprise groups, and financial leasing companies under the direct supervision of the CBRC:

To further implement the innovation-driven development strategy, improve the banking network security guarantee capabilities and information technology construction level, boost the deepened reform as well as the development and transformation of the banking sector, and promote the development of strategic emerging industries, the following guiding opinions are hereby offered on strengthening the banking network security and information technology construction through the application of safe and controllable information technologies:

I. Overall Objectives

The long-term mechanisms for the application of safe and controllable information technologies in the banking sector shall be established, supporting policies shall be developed, and promotion platforms shall be built, so as to vigorously popularize the utilization of the information technologies with controllable technology risks, outsourcing risks and supply chain risks which can meet the banking information security requirements. By 2019, the core knowledge and key technologies on banking informatization shall be mastered; the reasonable distribution of key banking network and information infrastructures shall be achieved, and the concentration risks of key facilities and services shall be effectively mitigated; the overall utilization rate of safe and controllable information technologies shall reach around 75% in the banking sector, and the banking network security guarantee capabilities shall be constantly strengthened; and the level of information technology construction shall be improved in a steady manner so as to better protect the rights and interests of consumers and maintain the economic and social safety and stability.

II. Guiding Principles

(1) Adhering to openness and cooperation. The wisdoms and forces of all parties shall be united in an inclusive manner. Priority shall be given to the application of technologies and solutions with strong openness, high transparency and wide application, and to the institutions which are willing to conduct cooperation in core knowledge and key technology fields, and dependence on a single product or technology shall be avoided.

(2) Encouraging independent innovation. The important significance of the innovation-driven development strategy shall be fully understood; original innovation, integrated innovation, and introduction, digestion and absorption and re-innovation shall be encouraged; effective and steady generic and key technology supply systems shall be constructed, and the banking information core knowledge and key technologies shall be mastered.

(3) Maximizing the role of market. The establishment of efficient innovation systems shall be accelerated, the enthusiasm of various innovators shall be stimulated, market shall be cultivated and driven on the basis of the banking information technology demands, the banking development and transformation shall be promoted via the development of the information industry, and the opportunity of emerging technology development shall be initiatively seized to boost the development of banking information technology innovations and make the information industry bigger and stronger.

(4) Strengthening collaboration. Overall planning shall be made to strengthen the collaboration among government organs, industries, universities, and research institutions, and create a benign interaction environment for the research, development and application of safe and controllable information technologies, so as to form a “demands, industry and scientific research-driven” virtuous circle.

III. Tasks and Requirements

(1) Improving the information technology governance mechanisms. Banking financial institutions shall incorporate the improvement of network security guarantee capabilities and information technology construction capacities into the strategic objectives, and include the application of safe and controllable information technologies in the strategic planning; establish a security, controllability and independent innovation-oriented institutional system, and specify objectives, strategies and division of responsibilities; strengthen the innovation organization construction and talent cultivation, and guarantee innovation resources; and orderly boost such key tasks as independent design of the overall architecture, independent research and development of core applications, independent mastering of core knowledge, and independent application of key technologies.

(2) Optimizing information system architectures. Banking financial institutions shall establish safe, reliable, efficient, open and flexible overall information system architectures, and take full consideration of security and controllability in the process of architecture planning and design; and master the options of key technologies, and get rid of dependence on a single technology and product in key information and network infrastructure fields. The business continuity system architecture shall be planned and constructed from a strategic perspective, and at a minimum one data-level or application-level business continuity plan integrating storage, backup, archiving and disaster recovery, among others, which is based on safe and controllable information technology architecture, shall be available.

(3) Giving priority to the application of safe and controllable information technologies. Banking financial institutions shall objectively evaluate their respective information technology needs and status of information technology risks, conduct gap analysis, and develop annual application promotion plans; establish scientific and reasonable information technology and product model selection concepts, and select technologies and products suitable for their information technology demands, and avoid blindly selecting technologies and products as large and all-inclusive as possible. In the process of information processing which involves clients' sensitive data, priority shall be given to the utilization of safe, reliable and risk-controllable information technologies and services, which, at present, shall be primarily and actively promoted in such areas as network equipment, storage, middle- and low-end servers, information security, operation and maintenance services and word processing software, and be further explored and tried in such areas as operating system and database; and from 2015, the application of safe and controllable information technologies by all banking financial institutions shall increase year by year at the proportion of not less than 15%, and, by 2019, account for not less than 75% in total (the technologies and products applied in 2014 may be incorporated into the scope of calculation in 2015).

(4) Actively promoting the independent innovation of information technologies. Banking financial institutions shall actively try to apply safe and reliable self-innovative information technologies, and put forward improvement requirements through application so as to intensify the adaptability and robustness of innovative technologies; and explore to accelerate the running-in and adaption and systemic optimization of application of self-innovative information technologies by unifying standards, making overall arrangements for products, making joint efforts in solving major problems, and pilot demonstration, among others. Where, in the process of technology selection, safe and reliable self-innovative products and technologies are available, at a minimum one type of such products or technologies shall be introduced to be subject to model selection and testing; and a supplier that provides special-purpose equipment or an integrated solution is required to be able to apply at a minimum one safe and reliable self-innovative product or technology respectively to the hardware and software used in its solution.

(5) Actively participating in the research and development of safe and controllable information technologies. Banking financial institutions shall strengthen the cooperation with industry organizations, universities and scientific research institutions in jointly conducting the research and development and production of key technologies, and conduct technical cooperation and implement technology transfer around the key issues concerning the application of safe and controllable information technologies in the banking sector, so as to form high-quality scientific and technological achievements with industry promotional value; and shall intensify research efforts in key application infrastructure, operating system, database, middleware, banking special-purpose equipment and other fields, and make concentrated breakthroughs in key technologies which restrict safe and controllable development. From 2015, banking financial institutions shall arrange not less than 5% of annual information technology budgets, which shall be exclusively used for supporting their own forward-looking, innovative and planning researches conducted around safe and controllable information systems, and supporting their mastering of information core knowledge and skills.

(6) Strengthening the protection of intellectual property rights (“IPR”) and the construction of standards and specifications. Banking financial institutions shall strengthen the awareness of IPR protection, and apply for the technical patent protection for various research achievements in a timely manner; and shall actively participate in the research and development of various technical standards, and boost the standardized and patent-based safe and controllable information technologies.

IV. Major Measures

(1) Establishing banking information security review and risk assessment systems. In accordance with the relevant national network security review policies, the supporting policies appropriate for the banking information security demands shall be established, the banking network security review standards shall be set up, and the security testing of banking special-purpose information technologies and products shall be strengthened; the normalized risk assessment systems shall be established, the risk identification, assessment and control mechanisms for the application of information technologies in the banking sector shall be established, and functional tests, performance tests and security tests shall be strengthened; the application of safe and controllable information technologies shall be closely tracked, and defect repository and risk repository shall be established, so as to keep promoting the technology improvement in light of industry applications.

(2) Establishing implementation and promotion platforms for the safe and controllable information technologies in the banking sector. The strategic alliances for innovations of safe and controllable information technologies in the banking sector shall be formed, technology laboratories and national engineering laboratories shall be built, research shall be conducted to explore the opportunities and demands for the application of safe and controllable information technologies i
