
Fire Station Building Design Standard GNJ1-81 (Trial)

Author: 法律资料网  Date: 2024-06-16 16:56:31  Source: 法律资料网

Ministry of Public Security, March 1, 1981

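Contents
Chapter 1 General Provisions
Chapter 2 Site Plan Design
Chapter 3 Room Design
Chapter 4 Building Construction
Chapter 5 Building Equipment and Other Facilities
Chapter 6 Training Tower
Appendix Explanation of Wording in This Standard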

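Chapter 1 General Provisions
Article 1.0.1 This standard is formulated, on the principle of being practical and economical, so that the building design of public security fire stations facilitates duty readiness, professional training and team management, raises the firefighting capability of the teams, and meets the needs of safeguarding socialist modernization and the safety of people's lives and property.
Article 1.0.2 This standard applies to the building design of newly built and expanded public security fire stations in cities and counties. Renovated public security fire stations and the fire stations of enterprises and institutions may apply it on a trial basis with reference to their actual conditions.
Article 1.0.3 The siting of fire stations shall be incorporated into urban and town planning. Siting requirements, staffing and equipment provision shall follow the relevant special regulations.
Article 1.0.4 In addition to this standard, the building design of fire stations shall also comply with the requirements of other relevant building design standards and codes currently in force.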

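Chapter 2 Site Plan Design
Article 2.0.1 A fire station shall be located where vehicles can be dispatched quickly. Its boundary shall be not less than 50 meters from hospitals, primary schools, kindergartens, nurseries, cinemas and theaters, markets and other densely occupied public buildings and places.
Note: Where it is genuinely difficult to meet the above requirement in old urban districts, the distance may be reduced appropriately.
Article 2.0.2 The main door of the fire station garage should not be less than 10 meters from the red line of the planned urban road. The ground in front of the door shall be paved with concrete, asphalt or similar material, with a slope of 1-2% toward the road edge.
Article 2.0.3 A fire station shall contain a garage, duty dormitories, a training tower, a fuel store and other necessary buildings and structures, laid out rationally.
Article 2.0.4 A fire station shall have a training ground, the area of which shall comply with Table 2.0.4.

Table 2.0.4 Training ground area
| Number of vehicles   | 2-3  | 4-5  | 6-7  |
|----------------------|------|------|------|
| Area (square meters) | 1500 | 2000 | 2500 |

Notes:
(1) The training ground should include a running track 100 meters long.
(2) Where conditions permit, a training ground not less than 15 meters wide and preferably 150 meters long, on which the full set of basic skills training can be carried out, shall be provided.
(3) Where it is genuinely difficult to meet Table 2.0.4, the area may be reduced appropriately but may not be less than 1000 square meters. In addition, as needed, a fire station with a training ground not less than 15 meters wide and preferably 150 meters long shall be established at a central location among several such fire stations.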

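Chapter 3 Room Design
Article 3.0.1 The fire station garage shall be placed on the first floor (ground level) at the front of the building, in a position that allows vehicles to be dispatched quickly. The basic dimensions of the garage shall meet the following requirements:
1. The clear distance between the outer edges of fire engines in the garage is not less than 2.0 meters;
2. The distance from the outer edge of a fire engine to the surface of a side wall or column is not less than 1.0 meter;
3. The distance from the outer edge of a fire engine to the surface of the rear wall is not less than 2.5 meters;
4. The distance from the outer edge of a fire engine to the front door pier is not less than 1.0 meter;
5. The clear height of the garage (from the floor to the projecting parts of the ceiling slab) is not less than the vehicle height plus 0.6 meters.
Article 3.0.2 The fire engine garage shall have a repair room and an inspection pit, which should not be located close to the communications room. A garage for more than three fire engines shall have one bay with front and rear doors, with the above inspection pit located beneath its parking space.
The garage of a fire station with 2-3 vehicles shall have one spare parking space.
Article 3.0.3 Each parking space in the fire engine garage shall have its own door, which should be fitted with an automatic opening device. The door width shall be not less than the vehicle width plus 1.0 meter, and the door height shall be not less than the vehicle height plus 0.3 meters. A small door for pedestrian passage shall be provided in the garage door nearest the communications room.
Article 3.0.4 The communications room shall be located on the side near the garage exit, and a pass-through window shall be provided in the wall between the communications room and the garage.
Article 3.0.5 The battery room shall adjoin the communications room and the garage. Its entrance should have an anteroom or vestibule, and all doors shall open outward. The battery room shall have a storage room for acids or alkalis.
Article 3.0.6 The station chief's office (which doubles as a duty dormitory) shall be on the first floor of the building and should adjoin the communications room.
The political instructor's office may be on the second floor of the building (the duty dormitory should be shared with the station chief).
Article 3.0.7 Firefighters' duty dormitories shall be one room per squad and should be on the first floor of the building near the garage. If they must be placed behind the garage, a corridor 2.0 meters wide shall be provided between the garage and the dormitories.
When firefighters' duty dormitories are on the second floor, slide poles leading directly to the garage, preferably 7-8 centimeters in diameter, must be installed. The number of poles should be one per duty squad. An elastic pad not less than 0.8 meters in diameter shall be placed at the base of each pole. The opening in the floor slab should be 0.9-1.0 meters in diameter, and protective facilities shall be provided around it.
Article 3.0.8 A fire station shall provide fixed personal lockers. Their location and dimensions may be determined according to use.
Article 3.0.9 In cold and rainy regions, a training room may be provided. Its usable area should not be less than 50 square meters.
Article 3.0.10 A fire station shall have an equipment store, which should be located near the garage.
Article 3.0.11 A fire station shall provide accommodation for visiting family members, which should be located where it does not interfere with duty readiness and professional training.
Article 3.0.12 A fire station shall have a hose drying rack (which may be attached to the training tower). In cold or rainy regions, a drying room shall be provided and shall be arranged together with the washing room.
Article 3.0.13 Fire stations in heated regions shall have a boiler room. Fire stations shall provide a fuel storage room as needed.
Article 3.0.14 The rooms that a fire station shall have and their area quotas shall comply with Table 3.0.14.

Table 3.0.14 Usable floor area quotas for fire station rooms
Areas are in square meters. A single value applies to all three station sizes; three values are for stations with 2-3 / 4-5 / 6-7 vehicles.
| No. | Room                                          | Area (2-3 / 4-5 / 6-7 vehicles)                               | Remarks                                          |
|-----|-----------------------------------------------|---------------------------------------------------------------|--------------------------------------------------|
| 1   | Garage                                        | Determined by vehicle type                                    |                                                  |
| 2   | Communications room                           | 15-20                                                         |                                                  |
| 3   | Officers' office, also duty dormitory         | 10 per person                                                 |                                                  |
| 4   | Quartermaster's room, also duty dormitory     | 10                                                            |                                                  |
| 5   | Firefighters' duty dormitory                  | 6 per person                                                  | Includes 0.3 of personal storage area per person |
| 6   | Classroom, also reading room and meeting room | 40 / 55 / 70                                                  |                                                  |
| 7   | Guard and reception room                      | 10                                                            |                                                  |
| 8   | Clinic                                        | 12-15                                                         |                                                  |
| 9   | Library                                       | 10-15                                                         |                                                  |
| 10  | Kitchen                                       | 50 for up to 50 persons; add 0.55 for each additional person  | Includes storage area                            |
| 11  | Dining room                                   | 0.9 per person                                                |                                                  |
| 12  | Water-boiling room                            | 5                                                             |                                                  |
| 13  | Accommodation for visiting family members     | 40 / 50 / 60                                                  |                                                  |
| 14  | Battery room                                  | 10                                                            |                                                  |
| 15  | Repair room                                   | 12 / 15 / 20                                                  | Includes parts storage area                      |
| 16  | Washing room                                  | 8 / 10 / 12                                                   |                                                  |
| 17  | Drying room                                   | 10 / 15 / 20                                                  |                                                  |
| 18  | Equipment store                               | 25 / 30 / 35                                                  |                                                  |
| 19  | Clothing and bedding store                    | 12 / 15 / 20                                                  |                                                  |
| 20  | Firearms storage room                         | 10-15                                                         |                                                  |
| 21  | Sundries room                                 | 12 / 15 / 20                                                  |                                                  |
| 22  | Fuel store                                    | 12-15                                                         |                                                  |
| 23  | Bathroom and changing room                    | 40 / 50 / 60                                                  |                                                  |
| 24  | Washroom and toilets                          | 0.6 per person                                                | Not less than 40                                 |

Note: The clear width of corridors and stairs within fire station buildings shall not be less than 1.5 meters.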

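Chapter 4 Building Construction
Article 4.0.1 The fire resistance rating of fire station buildings shall not be lower than Class 3. For a building of Class 3 fire resistance with two or more stories, the fire resistance limit of the ceiling slab of its fire engine garage shall not be less than 1.0 hour.
Article 4.0.2 A canopy of non-combustible construction not less than 0.8 meters wide shall be provided above the garage doorway.
Article 4.0.3 Side-hung garage doors shall be fitted with door holders. If no transom window is provided above the garage door, light-transmitting glass shall be installed in the door leaves.
Article 4.0.4 The walls inside the garage should have a cement dado not less than 1.2 meters high.
Article 4.0.5 The surfaces of the floor, walls and ceiling in the communications room shall be flat, smooth and not prone to accumulating dust. Sound insulation measures shall be applied to the wall and the pass-through window between the communications room and the garage.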

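Chapter 5 Building Equipment and Other Facilities
Article 5.0.1 Fire stations in heated regions shall use central heating. The indoor temperature of the fire engine garage shall not be lower than 10°C.
Article 5.0.2 Fire engine garages in non-heated regions shall take anti-freezing measures as needed.
Article 5.0.3 A fire station shall have a fire hydrant for training or a water storage tank with a capacity of not less than 20 cubic meters.
Article 5.0.4 The fire engine garage shall have dedicated facilities for filling fire engines with water and drainage facilities for washing vehicles.
Article 5.0.5 Emergency lighting shall be provided in duty dormitories, the garage, the communications room, classrooms, the dining room and the passages leading from them to the garage.
Article 5.0.6 Alarm bells must be installed within the fire station, and a warning light and an alarm bell for vehicle dispatch shall be installed on one side of the garage door.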

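Chapter 6 Training Tower
Article 6.0.1 A fire station shall have a training tower, with a running track not less than 35 meters long in front of it.
Article 6.0.2 The training tower shall meet the following requirements:
1. The training tower should be located near the far end of the training ground;
2. The training tower shall have not fewer than four stories; in cities with many high-rise buildings the number of stories may be increased appropriately;
3. The front of the training tower has not fewer than two window openings per story, and the wall between windows is 1.0 meter wide;
4. The window openings of the training tower are 1.2 meters × 1.8 meters; window openings may not be less than 0.65 meters from the edge of the tower; window sills are 0.4 meters wide (projecting 5 centimeters from the tower wall); the sill on each story is 0.8 meters above that story's floor; the story height is 3.5 meters; and an internal staircase with a clear width of not less than 0.7 meters shall be provided;
5. A platform not less than 1.5 meters wide shall be provided on the inner side of each story of the training tower, and the top story shall have a floor slab;
6. The training tower should have an external fire ladder. The fire ladder shall reach the top of the tower and should start 3 meters above the ground, and its width should not be less than 50 centimeters.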

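Appendix: Explanation of Wording in This Standard
In applying the provisions of this standard, the words that indicate the degree of strictness are explained as follows:
1. For very strict requirements, where no other course is permitted, the word used is "must" (必须).
2. For strict requirements that shall be followed under normal conditions:
the affirmative word is "shall" (应);
the negative word is "shall not" (不应) or "may not" (不得).
3. Where some choice is allowed and this course should be taken first when conditions permit:
the affirmative word is "should" (宜) or "may" (可);
the negative word is "should not" (不宜).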



Guidelines on the Risk Management of Commercial Banks’ Information Technology (English version attached)

China Banking Regulatory Commission







Chapter I General Provisions

Article 1. Pursuant to the Law of the People’s Republic of China on Banking Regulation and Supervision, the Law of the People's Republic of China on Commercial Banks, the Regulations of the People’s Republic of China on Administration of Foreign-funded Banks, and other applicable laws and regulations, the Guidelines on the Risk Management of Commercial Banks’ Information Technology (hereinafter referred to as the Guidelines) is formulated.

Article 2. The Guidelines apply to all the commercial banks legally incorporated within the territory of the People’s Republic of China.

The Guidelines may apply to other banking institutions including policy banks, rural cooperative banks, urban credit cooperatives, rural credit cooperatives, village banks, loan companies, financial asset management companies, trust and investment companies, finance firms, financial leasing companies, automobile financial companies and money brokers.


Article 3. The term “information technology” stated in the Guidelines shall refer to the system built with computer, communication and software technologies, and employed by commercial banks to handle business transactions, operation management, and internal communication, collaborative work and controls. The term also includes IT governance, IT organization structure and IT policies and procedures.

Article 4. The risk of information technology refers to the operational risk, legal risk and reputation risk that are caused by natural factors, human factors, technological loopholes or management deficiencies when using information technology.

Article 5. The objective of information system risk management is to establish an effective mechanism that can identify, measure, monitor, and control the risks of commercial banks’ information system, ensure data integrity, availability, confidentiality and consistency, provide the relevant early warning, and thereby enable commercial banks’ business innovations, uplift their capability in utilizing information technology, improve their core competitiveness and capacity for sustainable development.



Chapter II IT governance

Article 6. The legal representative of a commercial bank should be responsible for ensuring compliance with the Guidelines.

Article 7. The board of directors of commercial banks should have the following responsibilities with respect to the management of information systems:
(1) Implementing and complying with the national laws, regulations and technical standards pertaining to the management of information systems, as well as the regulatory requirements set by the China Banking Regulatory Commission (hereinafter referred to as the “CBRC”);
(2) Periodically reviewing the alignment of IT strategy with the overall business strategies and significant policies of the bank, assessing the overall effectiveness and efficiency of the IT organization.
(3) Approving IT risk management strategies and policies, understanding the major IT risks involved, setting acceptable levels for these risks, and ensuring the implementation of the measures necessary to identify, measure, monitor and control these risks.
(4) Setting high ethical and integrity standards, and establishing a culture within the bank that emphasizes and demonstrates to all levels of personnel the importance of IT risk management.
(5) Establishing an IT steering committee which consists of representatives from senior management, the IT organization, and major business units, to oversee these responsibilities and report the effectiveness of strategic IT planning, the IT budget and actual expenditure, and the overall IT performance to the board of directors and senior management periodically.
(6) Establishing an IT governance structure with proper segregation of duties, clear roles and responsibilities, checks and balances, and clear reporting relationships, and strengthening IT professional staff by developing an incentive program.
(7) Ensuring that there is an effective internal audit of the IT risk management carried out by operationally independent, well-trained and qualified staff. The internal audit report should be submitted directly to the IT audit committee;
(8) Submitting an annual report to the CBRC and its local offices on information system risk management that has been reviewed and approved by the board of directors;
(9) Ensuring the appropriate funding necessary for IT risk management work;
(10) Ensuring that all employees of the bank fully understand and adhere to the IT risk management policies and procedures approved by the board of directors and the senior management, and are provided with pertinent training.
(11) Ensuring customer information, financial information, product information and core banking system of the legal entity are held independently within the territory, and complying with the regulatory on-site examination requirements of CBRC and guarding against cross-border risk.
(12) Reporting in a timely manner to the CBRC and its local offices any serious incident of information systems or unexpected event, and quickly responding to it in accordance with the contingency plan;
(13) Cooperating with the CBRC and its local offices in the supervisory inspection of the risk management of information systems, and ensuring that supervisory opinions are followed up; and
(14) Performing other related IT risk management tasks.

Article 8. The head of the IT organization, commonly known as the Chief Information Officer (CIO) should report directly to the president. Roles and responsibilities of the CIO should include the following:
(1) Playing a direct role in key decisions for the business development involving the use of IT in the bank;
(2) The CIO should ensure that information systems meet the needs of the bank, and IT strategies, in particular information system development strategies, comply with the overall business strategies and IT risk management policies of the bank;
(3) The CIO should also be responsible for the establishment of an effective and efficient IT organization to carry out the IT functions of the bank. These include the IT budget and expenditure, IT risk management, IT policies, standards and procedures, IT internal controls, professional development, IT project initiatives, IT project management, information system maintenance and upgrade, IT operations, IT infrastructure, Information security, disaster recovery plan (DRP), IT outsourcing, and information system retirement;
(4) Ensuring the effectiveness of IT risk management throughout the organization including all branches.
(5) Organizing professional training to improve the technical proficiency of staff.
(6) Performing other related IT risk management tasks.

Article 9. Commercial banks should ensure that a clear definition of the IT organization structure and documentation of all job descriptions of important positions are always in place and updated in a timely manner. Staff in each position should meet relevant requirements on professional skills and knowledge. The following risk mitigation measures should be incorporated in the management program of related staff:
(1) Verification of personal information including confirmation of personal identification issued by government, academic credentials, prior work experience, professional qualifications;
(2) Ensuring that IT staff can meet the required professional ethics by checking character reference;
(3) Signing of agreements with employees about understanding of IT policies and guidelines, non-disclosure of confidential information, authorized use of information systems, and adherence to IT policies and procedures; and
(4) Evaluation of the risk of losing key IT personnel, especially during major IT development stage or in a period of unstable IT operations, and the relevant risk mitigation measures such as staff backup arrangement and staff succession plan.

Article 10. Commercial banks should establish or designate a particular department for IT risk management. It should report directly to the CIO and the Chief Risk Officer (or risk management committee), serve as a member of the IT incident response team, and be responsible for coordinating the establishment of policies regarding IT risk management, especially the areas of information security, BCP, and compliance with the CBRC regulations, advising the business departments and IT department in implementing these policies, providing relevant compliance information, conducting on-going assessment of IT risks, and ensuring the follow-up of remediation advice, monitoring and escalating management of IT threats and non-compliance events.

Article 11. Commercial banks should establish a special IT audit role and responsibility within the internal audit function, which should put in place IT audit policies and procedures, and develop and execute an IT audit plan.

Article 12. Commercial banks should put in place policies and procedures to protect intellectual property rights according to laws regarding intellectual property, ensure the purchase of legitimate software and hardware, the prevention of the use of pirated software, and the protection of the proprietary rights of IT products developed by the bank, and ensure that these are fully understood and complied with by all employees.

Article 13. Commercial banks should, in accordance with relevant laws and regulations, disclose the risk profile of their IT in a standardized and timely manner.


Chapter III IT Risk Management

Article 14. Commercial banks should formulate an IT strategy that aligns with the overall business plan of the bank, IT risk assessment plan and an IT operational plan that can ensure adequate financial resources and human resources to maintain a stable and secure IT environment.

Article 15. Commercial banks should put in place a comprehensive set of IT risk management policies that include the following areas:
(1) Information security classification policy
(2) System development, testing and maintenance policy
(3) IT operation and maintenance policy
(4) Access control policy
(5) Physical security policy
(6) Personnel security policy
(7) Business Continuity Planning and Crisis and Emergency Management procedure

Article 16. Commercial banks should maintain an ongoing risk identification and assessment process that allows the bank to pinpoint the areas of concern in its information systems, assess the potential impact of the risks on its business, rank the risks, and prioritize mitigation actions and the necessary resources (including outsourcing vendors, product vendors and service vendors).

Article 17. Commercial banks should implement a comprehensive set of risk mitigation measures complying with the IT risk management policies and commensurate with the risk assessment of the bank. These mitigation measures should include:
(1) A set of clearly documented IT risk policies, technical standards, and operational procedures, which should be communicated to the staff frequently and kept up to date in a timely manner;
(2) Areas of potential conflicts of interest should be identified, minimized, and subject to careful, independent monitoring. Also it requires that an appropriate control structure is set up to facilitate checks and balances, with control activities defined at every business level, which should include:
- Top level reviews;
- Controls over physical and logical access to data and system;
- Access granted on “need to know” and “minimum authorization” basis;
- A system of approvals and authorizations; and
- A system of verification and reconciliation.

Article 18. Commercial banks should put in place a set of ongoing risk measurement and monitoring mechanisms, which should include:
(1) Pre and post-implementation review of IT projects;
(2) Benchmarks for periodic review of system performance;
(3) Reports of incidents and complaints about IT services;
(4) Reports of internal audit, external audit, and issues identified by CBRC; and
(5) Arrangement with vendors and business units for periodic review of service level agreements (SLAs).
(6) The possible impact of new development of technology and new threats to software deployed.
(7) Timely review of operational risk and management controls in operation area.
(8) Assess the risk profile on IT outsourcing projects periodically.

Article 19. Chinese commercial banks operating offshore and the foreign commercial banks in China should comply with the relevant regulatory requirements on information systems in and outside the People’s Republic of China.


Chapter IV Information Security

Article 20. Information technology department of commercial banks should oversee the establishment of an information classification and protection scheme. All employees of the bank should be made aware of the importance of ensuring information confidentiality and provided with the necessary training to fully understand the information protection procedures within their responsibilities.

Article 21. Commercial banks should put in place an information security management function to develop and maintain an ongoing information security management program, promote information security awareness, advise other IT functions on security issues, serve as the leader of IT incident response team, and report the evaluation of the information security of the bank to the IT steering committee periodically. The Information security management program should include Information security standards, strategy, an implementation plan, and an ongoing maintenance plan.
Information security policy should include the following areas:
(1) IT security policy management
(2) Organization information security
(3) Asset management
(4) Personnel security
(5) Physical and environment security
(6) Communication and operation security
(7) Access control and authentication
(8) Acquirement, development and maintenance of information system
(9) Information security event management
(10) Business continuity management
(11) Compliance

Article 22. Commercial banks should have an effective process to manage user authentication and access control. Access to data and systems should be strictly limited to authorized individuals whose identity is clearly established, and their activities in the information systems should be limited to the minimum required for their legitimate business use. An appropriate user authentication mechanism commensurate with the classification of information to be accessed should be selected. Timely review and removal of user identity from the system should be implemented when a user transfers to a new job or leaves the commercial bank.

Article 23. Commercial banks should ensure all physical security zones, such as computer centers or data centers, network closets, areas containing confidential information or critical IT equipment, and respective accountabilities are clearly defined, and appropriate preventive, detective, and recuperative controls are put in place.

Article 24. Commercial banks should divide their networks into logical security domains (hereinafter referred to as the “domain”) with different levels of security. The following security factors have to be assessed in order to define and implement effective security controls, such as physical or logical segregation of network, network filtering, logical access control, traffic encryption, network monitoring, activity log, etc., for each domain and the whole network.
(1) criticality of the applications and user groups within the domain;
(2) Access points to the domain through various communication channels;
(3) Network protocols and ports used by the applications and network equipment deployed within the domain;
(4) Performance requirement or benchmark;
(5) Nature of the domain, i.e. production or testing, internal or external;
(6) Connectivity between various domains; and
(7) Trustworthiness of the domain.

Article 25. Commercial banks should secure the operating system and system software of all computer systems by
(1) Developing baseline security requirement for each operating system and ensuring all systems meet the baseline security requirement;
(2) Clearly defining a set of access privileges for different groups of users, namely, end-users, system development staff, computer operators, and system administrators and user administrators;
(3) Setting up a system of approval, verification, and monitoring procedures for using the highest privileged system accounts;
(4) Requiring technical staff to review available security patches, and report the patch status periodically; and
(5) Requiring technical staff to include important items such as unsuccessful logins, access to critical system files, changes made to user accounts, etc. in system logs, monitor the systems for any abnormal event manually or automatically, and report the monitoring periodically.

Article 26. Commercial banks should ensure the security of all the application systems by
(1) Clearly defining the roles and responsibilities of end-users and IT staff regarding the application security;
(2) Implementing a robust authentication method commensurate with the criticality and sensitivity of the application system;
(3) Enforcing segregation of duties and dual control over critical or sensitive functions;
(4) Requiring verification of input or reconciliation of output at critical junctures;
(5) Requiring that the input and output of confidential information be handled in a secure manner to prevent theft, tampering, intentional leakage, or inadvertent leakage;
(6) Ensuring the system can handle exceptions in a predefined way and provide meaningful messages to users when the system is forced to terminate;
(7) Maintaining an audit trail in either paper or electronic format; and
(8) Requiring the user administrator to monitor and review unsuccessful logins and changes to user accounts.

Article 27. Commercial banks should have a set of policies and procedures controlling the logging of activities in all production systems to support effective auditing, security forensic analysis, and fraud prevention. Logging can be implemented in different layers of software and on different computer and networking equipment, which falls into two broad categories:
(1) Transaction journals. They are generated by application software and database management system, and contain authentication attempts, modification to data, error messages, etc. Transaction journals should be kept according to the national accounting policy.
(2) System logs. They are generated by operating systems, database management system, firewalls, intrusion detection systems, and routers, etc., and contain authentication attempts, system events, network events, error messages, etc. System logs should be kept for a period scaled to the risk classification, but no less than one year.
Banks should ensure that sufficient items be included in the logs to facilitate effective internal controls, system troubleshooting, and auditing while taking appropriate measures to ensure time synchronization on all logs. Sufficient disk space should be allocated to prevent logs from being overwritten. System logs should be reviewed for any exception. The review frequency and retention period for transaction logs or database logs should be determined jointly by IT organization and pertinent business lines, and approved by the IT steering committee.

Article 28. Commercial banks should have the capacity to employ encryption technologies to mitigate the risk of losing confidential information in the information systems or during its transmission. Appropriate management processes of the encryption facilities should be put in place to ensure that
(1) Encryption facilities in use should meet national security standards or requirements;
(2) Staff in charge of encryption facilities are well trained and screened;
(3) Encryption strength is adequate to protect the confidentiality of the information; and
(4) Effective and efficient key management procedures, especially key lifecycle management and certificate lifecycle management, are in place.

Article 29. Commercial banks should put in place an effective and efficient system of securing all end-user computing equipment, which includes desktop personal computers (PCs), portable PCs, teller terminals, automatic teller machines (ATMs), passbook printers, debit or credit card readers, point of sale (POS) terminals, personal digital assistants (PDAs), etc., and conduct periodic security checks on all equipment.

Article 30. Commercial banks should put in place a set of policies and procedures to govern the collection, processing, storage, transmission, dissemination, and disposal of customer information.

Article 31. All employees, including contract staff, should be provided with the necessary training to fully understand these policies and procedures and the consequences of their violation. Commercial banks should adopt a zero tolerance policy against security violations.


Chapter V Application System Development, Testing and Maintenance

Article 32. Commercial banks should have the capability to identify, plan, acquire, develop, test, deploy, maintain, upgrade, and retire information systems. Policies and procedures should be in place to govern the initiation, prioritization, approval, and control of IT projects. Progress reports of major IT projects should be submitted to and reviewed by the IT steering committee periodically. Decisions involving significant change of schedule, change of key personnel, change of vendors, and major expenditures should be included in the progress report.

Article 33. Commercial banks should recognize the risks associated with IT projects, which include the possibilities of incurring various kinds of operational risk, financial losses, and opportunity costs stemming from ineffective project planning or inadequate project management controls of the bank. Therefore, appropriate project management methodologies should be adopted and implemented to control the risks associated with IT projects.

Article 34. Commercial banks should adopt and implement a system development methodology to control the life cycle of Information systems. The typical phases of system life cycle include system analysis, design, development or acquisition, testing, trial run, deployment, maintenance, and retirement. The system development methodology to be used should be commensurate with the size, nature, and complexity of the IT project, and, generally speaking, should facilitate the management of the following risks.

Article 35. Commercial banks should ensure system reliability, integrity, and maintainability by controlling system changes with a set of policies and procedures, which should include the following elements:
(1) Ensuring that production systems are separated from development or testing systems;
(2) Separating the duties of managing production systems and managing development or testing systems;
(3) Prohibiting application development and maintenance staff from accessing production system under normal circumstances unless management approval is granted to perform emergency repair, and all emergency repair activities should be recorded and reviewed promptly;
(4) Promoting changes of program or system configuration from development and testing systems to production systems should be jointly approved by IT organization and business departments, properly documented, and reviewed periodically.

Article 36. Commercial banks should have in place a set of policies, standards, and procedures to ensure data integrity, confidentiality, and availability. These policies should be in accordance with data integrity amid IT development procedure.

Article 37. Commercial banks should ensure that Information system problems could be tracked, analyzed, and resolved systematically through an effective problem management process. Problems should be documented, categorized, and indexed. Support services or technical assistance from vendors, if necessary, should also be documented. Contacts and relevant contract information should be made readily available to the employees concerned. Accountability and line of command should be delineated clearly and communicated to all employees concerned, which is of utmost importance to performing emergency repair.

Article 38. Commercial banks should have a set of policies and procedures controlling the process of system upgrade. System upgrade is needed when the hardware reaches its lifespan or runs out of capacity, the underpinning software, namely, operating system, database management system, middleware, has to be upgraded, or the application software has to be upgraded. The system upgrade should be treated as a project and managed by all pertinent project management controls including user acceptance testing.


Chapter VI IT Operations

Article 39. Commercial banks should consider fully the environmental threats (e.g. proximity to natural disaster zones, dangerous or hazardous facilities or busy/major roads) when selecting the locations of their data centers. Physical and environmental controls should be implemented to monitor environmental conditions that could adversely affect the operation of information processing facilities. Equipment facilities should be protected from power failures and electrical supply interference.

Article 40. In controlling access by third-party personnel (e.g. service providers) to secured areas, proper approval of access should be enforced and their activities should be closely monitored. It is important that proper screening procedures including verification and background checks, especially for sensitive technology-related jobs, are developed for permanent and temporary technical staff and contractors.

Article 41. Commercial banks should separate IT operations or computer center operations from system development and maintenance to ensure segregation of duties within the IT organization. The commercial banks should document the roles and responsibilities of data center functions.

Article 42. Commercial banks are required to retain transactional records in compliance with the national accounting policy. Procedures and technology need to be put in place to meet the integrity, safekeeping and retrieval requirements for archived data.



Article 43. Commercial banks should detail operational instructions such as computer operator tasks, job scheduling and execution in the IT operations manual. The IT operations manual should also cover the procedures and requirements for on-site and off-site backup of data and software in both the production and development environments (i.e. frequency, scope and retention periods of back-up).

Article 44. Commercial banks should have in place a problem management and processing system to respond promptly to IT operations incidents, to escalate reported incidents to relevant IT management staff, and to record, analyze and keep track of all these incidents until they are rectified and root cause analysis is completed. A helpdesk function should be set up to provide front-line support to users on all technology-related problems and to direct the problems to relevant IT functions for investigation and resolution.

Article 45. Commercial banks should establish service level agreements and assess the IT service level standard attained.

Article 46. Commercial banks should implement a process to ensure that the performance of application systems is continuously monitored and exceptions are reported in a timely and comprehensive manner. The performance monitoring process should include forecasting capability to enable exceptions to be identified and corrected before they affect system performance.

Article 47. Commercial banks should carry out capacity planning to cater for business growth and transaction increases due to changes in economic conditions. Capacity planning should be extended to cover back-up systems and related facilities in addition to the production environment.

Article 48. Commercial banks should ensure the continued availability of technology related services with timely maintenance and appropriate system upgrades. Proper record keeping (including suspected and actual faults and preventive and corrective maintenance records) is necessary for effective facility and equipment maintenance.

Article 49. Commercial banks should have an effective change management process in place to ensure integrity and reliability of the production environment. Commercial banks should develop a formal change management process.


Chapter VII Business Continuity Management

Article 50. Commercial banks should have in place appropriate arrangements, having regard to the nature, scale and complexity of their business, to ensure that they can continue to function and meet their regulatory obligations in the event of an unforeseen interruption. These arrangements should be regularly updated and tested to ensure their effectiveness.

Article 51. Commercial banks should consider the likelihood and impact of a disruption to the continuity of their operations from unexpected events. This should include assessing the disruptions to which they are particularly susceptible, including but not limited to:
(1) Loss or failure of internal and external resources (such as people, systems and other assets);
(2) The loss or corruption of its information; and
(3) External events (such as war, earthquake, typhoon, etc).

Article 52. Commercial banks should act to reduce both the likelihood of disruptions (including through system resilience and dual processing) and the impact of disruptions (including through contingency arrangements and insurance).

Article 53. Commercial banks should document their strategy for maintaining continuity of their operations, and their plans for communicating and regularly testing the adequacy and effectiveness of this strategy. Commercial banks should establish:
(1) Formal business continuity plans that outline arrangements to reduce the impact of a short, medium and long-term disruption, including:
a) Resource requirements such as people, systems and other assets, and arrangements for obtaining these resources;
b) The recovery priorities for the commercial bank’s operations; and
c) Communication arrangements for internal and external concerned parties (including CBRC, clients and the press);
(2) Escalation and invocation plans that outline the processes for implementing the business continuity plans, together with relevant contact information;
(3) Processes to validate the integrity of information affected by the disruption;
(4) Processes to review and update (1) to (3) following changes to the commercial bank’s operations or risk profile.

Article 54. A final BCP plan and an annual drill result must be signed off by the IT Risk management, or internal auditor and IT Steering Committee.


Chapter VIII Outsourcing

Article 55. Commercial banks cannot contract out their regulatory obligations and should take reasonable care to supervise the discharge of outsourced functions.

Article 56. Commercial banks should take particular care to manage material outsourcing arrangements (such as outsourcing of data center, IT infrastructure, etc.), and should notify CBRC when they intend to enter into a material outsourcing arrangement.

Article 57. Before entering into, or significantly changing, an outsourcing arrangement, the commercial bank should:
(1) Analyze how the arrangement will fit with its organization and reporting structure; business strategy; overall risk profile; and ability to meet its regulatory obligations;
(2) Consider whether the arrangements will allow it to monitor and control its operational risk exposure relating to the outsourcing;
(3) Conduct appropriate due diligence on the service provider, covering its financial stability, expertise, risk assessment, facilities and ability to cover the potential liabilities;
(4) Consider how it will ensure a smooth transition of its operations from its current arrangements to a new or changed outsourcing arrangement (including what will happen on the termination of the contract); and
(5) Consider any concentration risk implications such as the business continuity implications that may arise if a single service provider is used by several firms.

Article 58. In negotiating its contract with a service provider, the commercial bank should have regard to (but not limited to):
(1) Reporting and negotiation requirements it may wish to impose on the service provider;
(2) Whether sufficient access will be available to its internal auditors, external auditors and banking regulators;
(3) Information ownership rights, confidentiality agreements and firewalls to protect client and other information (including arrangements at the termination of contract);
(4) The adequacy of any guarantees and indemnities;
(5) The extent to which the service provider must comply with the commercial bank’s policies and procedures covering IT Risk;
(6) The extent to which the service provider will provide business continuity for outsourced operations, and whether exclusive access to its resources is agreed;
(7) The need for continued availability of software following difficulty at a third party supplier;
(8) The processes for making changes to the outsourcing arrangement and the conditions under which the commercial bank or service provider can choose to change or terminate the outsourcing arrangement, such as where there is:
a) A change of ownership or control of the service provider or commercial bank; or
b) Significant change in the business operations of the service provider or commercial bank; or
c) Inadequate provision of services that may lead to the commercial bank being unable to meet its regulatory obligations.

Article 59. In implementing a relationship management framework, and drafting the service level agreement with the service provider, the commercial bank should have regard to (but not limited to):
(1) The identification of qualitative and quantitative performance targets to assess the adequacy of service provision, to both the commercial bank and its clients, where appropriate;
(2) The evaluation of performance through service delivery reports and periodic self assessment and independent review by internal or external auditors; and
(3) Remediation action and escalation process for dealing with inadequate performance.

Article 60. The commercial bank should enhance the management of IT-related outsourcing and put in place the following measures (among others) to ensure the data security of sensitive information such as customer information:
(1) The information should be effectively separated from the service provider’s other customer information;
(2) The relevant staff of the service provider should be authorized on a “need to know” and “minimum authorization” basis;
(3) Ensure that the service provider guarantees that its staff meet the confidentiality requirements;
(4) All outsourcing arrangements related to customer information should be identified as material outsourcing arrangements and the customers should be notified;
(5) Strictly monitor re-outsourcing actions of the service provider, and implement adequate control measures to ensure information security of the bank;
(6) Ensure that all related sensitive information is returned or deleted from the service provider’s storage when the outsourcing arrangement is terminated.


Article 61. The commercial bank should ensure that it has appropriate contingency in the event of a significant loss of services from the service provider. Particular issues to consider include a significant loss of resources, turnover of key staff, or financial failure of, the service provider, and unexpected termination of the outsourcing agreement.

Article 62. All outsourcing contracts must be reviewed or signed off by IT Risk management, internal IT auditors, legal department and IT Steering Committee. There should be a process to periodically review and refine the service level agreements.


Chapter IX Internal Audit

Article 63. Depending on the nature, scale and complexity of its business, it may be appropriate for the commercial banks to delegate much of the task of monitoring the appropriateness and effectiveness of its systems and controls to an internal audit function. An internal audit function should be adequately resourced and staffed by competent individuals, be independent of the day-to-day activities of the commercial bank and have appropriate access to the bank’s records.

Article 64. The responsibilities of the internal IT audit function are:
(1) To establish, implement and maintain an audit plan to examine and evaluate the adequacy and effectiveness of the bank’s systems and internal control mechanisms and arrangements;
(2) To issue recommendations based on the result of work carried out in accordance with (1);
(3) To verify compliance with those recommendations;
(4) To carry out special audit on information technology. The term “special audit” of information technology refers to the investigation, analysis and assessment on the security incidents of the information system, or the audit performed on a special subject based on IT risk assessment result as deemed necessary by the audit department.

Article 65. Based on the nature, scale and complexity of its business, deployment of information technology and IT risk assessment, commercial banks could determine the scope and frequency of IT internal audit. However, a comprehensive IT internal audit shall be performed at a minimum once every 3 years.

Article 66. Commercial banks should engage their internal audit department and IT Risk management department when implementing system development of significant size and scale, to ensure that it meets the bank’s IT Risk standards.


Chapter X External Audit

Article 67. The external information technology audit of commercial banks can be carried out by certified service providers in accordance with laws, rules and regulations.

Article 68. The commercial bank should ensure that the IT audit service provider is able to review and examine the bank’s hardware, software, documentation and data to identify IT risk when it is commissioned to perform the audit. Vital commercial and technical information which is protected by national laws and regulations should not be reviewed.

Article 69. Commercial banks should communicate with the service provider in depth before the audit to determine the audit scope, and should not intentionally withhold the truth or refuse to cooperate with the service provider.

Article 70. CBRC and its local offices could designate certified service providers to carry out IT audit or related review on commercial banks when needed. When carrying out audit on commercial banks, as commissioned or authorized by CBRC or its local offices, the service providers shall present the letter of authority, and carry out the audit in accordance with the scope prescribed in the letter of authority.

Article 71. Once the IT audit report produced by the service providers is reviewed and approved by CBRC or its local offices, the report will have the same legal status as if it were produced by the CBRC itself. Commercial banks should draw up the corrective action plan prescribed in the report and implement the corrective actions according to the timeframe.

Article 72. Commercial banks should ensure that the service providers strictly comply with laws and regulations and keep confidential and secure any commercial secrets, private information and IT risk information learnt when conducting the audit. The service provider should not modify, copy or take away any documents provided by the commercial banks.


Chapter XI Supplementary Provisions

Article 73. Commercial banks with no board of directors should have their operating decision-making bodies perform the responsibilities of the board with regard to IT risk management specified herein.

Article 74. The China Banking Regulatory Commission supervises and regulates the IT risk management of commercial banks under its authority by law.

Article 75. The power of interpretation and modification of the Guidelines shall rest with the China Banking Regulatory Commission.

Article 76. The Guidelines shall become effective as of the date of its issuance and the former Guidelines on the Risk Management of Banking Institutions’ Information Systems shall be revoked at the same time.


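A Preliminary Study of Infringement Issues in Online Games

Zhang Wei

Keywords: online games; infringement; physical space; virtual space; cheat programs (waigua); Trojans; virtual property

[Abstract] Online games are popular all over the world, and according to industry insiders they may be the only profit opportunity in the IT industry. According to a forecast published by DFC Intelligence, a US firm that specializes in research on the video game market, the number of people playing games online worldwide will rise from roughly 50 million at present to 114 million by 2006. According to research by World Data Company (世界数据公司), in 2002 the direct output of China’s online game industry was nearly RMB 1 billion, up 187.6% on 2001; game users exceeded 12 million; direct revenue generated by online games for telecom services reached RMB 6.83 billion, and direct revenue generated by online games for the IT industry reached RMB 3.28 billion. In 2003 the output of China’s online game industry exceeded RMB 2 billion, with more than 20 million users. Online games are becoming an important profit source for the Internet industry. Yet almost in step with the growth of online games, all kinds of legal puzzles have arisen, and traditional civil law theory is being challenged by the times.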

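I. The Emergence and Characteristics of Online Games
In terms of the theory of games, McLuhan holds that “games are situations contrived by people to allow many people to take part at the same time in some meaningful pattern of their own group life.” At the same time, “games are media of communication.” As an important form of communication, a game depends entirely on group interaction for its purpose. Traditional games emphasize cooperation; ancient and non-literate societies naturally regarded games as living dramatic models of the universe, with contestants running around a circular track while spectators watched with religious fervor. It is this “collective popular art form” that produced “strict conventions”. In traditional games people are supposed to be real, so their identities are fixed and cannot be transferred. This real activity requires real emotional investment and was therefore taken especially seriously.
McLuhan holds that games are extensions of man: “Any game, like any medium of information, is an extension of the individual or the group. Its effect on the group or individual is to reconfigure those parts of the group or individual that have not yet been so extended.” In fact a game is an extension of a person’s “instinct” and “id”. An online game is a kind of “talking to oneself”: it has no specific audience or competitors, and the line between the two is very blurred. Whether in a packed “theatre” or on a “stage” of solitary self-admiration, the actor can perform. There is no audience, or the audience has already dissolved into the network; online games of this kind unfold among subjects whose identities are illusory and whose mirror images are shattered.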
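(1) The history of online games
Online games began to emerge as early as the BBS era. The most popular online game at that time was the MUD, similar to a text-only role-playing game: players connected over the Internet, typed text commands for their characters’ actions, explored a world described purely in text, and in this way interacted with other players. These can be regarded as the predecessors of most of today’s graphical online games; the latter simply have dazzling audiovisual effects, more complex rule sets and more structured story backgrounds. Because MUDs were easy to pick up and required neither advanced hardware nor much bandwidth, it was common in Internet cafés at the time to see people immersed in the world of MUDs.
1. Early online games
After browsers appeared, puzzle-type games such as riddles and jigsaw puzzles that could be played in the browser began to appear. Users did not need to install any game software; once the web page was downloaded they could play immediately in the browser. Five or six years ago, when Internet cafés were just becoming popular, online games of this kind were common. However, such games could not be highly attractive: for consumers, going to an Internet café was not much different from connecting to the Internet at home. Later, simple web games appeared that were written in Java or with plug-in software commonly supported by Internet web browsers. At this point the game itself needed some additional plug-in software in order to run, so the plug-in had to be downloaded and installed on the computer before the game could be played. By this stage online games had become more interactive, and players could start a match by joining in real time or by teaming up. Convenience was very high: one could go online and play at any time and gather friends for entertainment without even knowing who the other party was, as with the QQ games that are popular today. Although the playability of online games in this period had clearly improved, the games themselves lacked obvious excitement, and the easy-to-install interface let players download and install them at home, so online games were not yet attractive enough to draw players to Internet cafés specifically to compete and fight.
2. The popularity of online games
Technological progress led some packaged games to acquire network connectivity. Among them, first-person games and real-time strategy games began to exploit to the full the playability that network play brought. First-person shooters are represented by the “QUAKE” series; by the third “QUAKE” the game no longer even included single-player missions but was developed purely for network play, and it was much loved and praised by players. For real-time strategy games, “STARCRAFT” is the most perfect example. Objectively speaking, its balanced gameplay and the distinct characteristics of its races have made this game popular for many years, and it can still be seen in many Internet cafés. Because most games of this kind require higher hardware specifications and more bandwidth, and bandwidth consumption in particular had long exceeded the maximum limit of the modems of the time, specialized Internet cafés gradually showed their appeal to players. The games that truly opened up the market for online games were graphical role-playing games such as “Ultima Online” (线上创世纪), and games of this kind gradually became the mainstream of online games. In terms of participation, to play such a game one first had to obtain the game disc by purchase or as a magazine giveaway and install it on the computer, and after the trial period one had to buy time points to continue; this model extends to today’s online games. Even so, because the game content was highly variable and satisfied players’ desire for novelty and change, online games began to flourish.
Online game infringement refers to acts occurring in online games in which operators and users, by various means or through some channel, infringe the civil rights and interests of others. It can be abbreviated as “online game tortious acts” or “online game infringement”. Studying this very new kind of infringement means studying a number of infringements that occur in one part of Internet space, so as to distinguish them from infringement occurring in real (physical) space, infringement in print media, and infringement in broadcast and television media.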

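1. Virtuality of the subject
The Internet is the carrier of online games, and online games share the Internet’s virtuality. The virtuality of online games is first manifested as the virtuality of the subject, in two respects: a given subject either does not exist at all or appears in a disguised form. A player may use a real name in an online game (e.g. Zhang San) or a pseudonym (e.g. 浪客剑心); you can be a “terrorist” or a “police officer”. The virtuality of the subject is very strong, and the subject can be changed very flexibly.
2. Virtuality of the environment, “items” and property
Operators or developers can add many virtual scenes to an online game, such as the Heavenly Palace, Purgatory, or the city of Luoyang in “大话西游”. Such scenes are not an objective existence in, or a true reflection of, the physical world; they are a digitized virtual space. In addition, many “items” and “property” in online games are likewise virtual, such as the Dragon King set or the money obtained through trading in online games. These “equipment” and “levels” are likewise virtual.
3. Virtuality of interpersonal relationships
Players who are strangers can make friends in online games under real or virtual identities. In “大话西游” they can even “marry” within the game plot, after which the couple’s “items” and “property” can be shared, no less than in a real marriage. Such virtual relationships can exist, to a certain extent, detached from the objective physical world.
Although “virtual space” has a certain independence, the dependence of “virtual space” on physical space and the close connection between online games and real society cannot be ignored.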


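II. Infringement Issues in the Use of Cheat Programs (“Waigua”) in Internet Games

Case: [A lawsuit arising from an online game highlights a gap in the law: Li and three others are advanced players of the online game 《奇迹》 (“Miracle”). In the wonderful world of the online game they owned fairly high-level “equipment”. Not long ago, however, they were shut out of the game world on the ground that they had used “waigua”. They therefore went to the Jing’an District Court in Shanghai and brought the operator, Ninth City (第九城市) Computer Technology Company, before the court as defendant. Reportedly, the court has recently received several similar suits.
This is a lawsuit triggered by the punishment of players for “cheating”. The programs of online games are set up very strictly: players generally have to spend a great deal of time and effort clearing stages and leveling up step by step before they can reach a higher level. However, some people have cracked the server code of genuine online games and produced program cards for sale. Using these programs (waigua), a player’s “power” can be greatly enhanced and a higher level reached easily in a short time.
Li and the others claimed that the defendant, Ninth City, considered that they had used “waigua” in breach of the user agreement, and therefore suspended their accounts and publicly announced that they were “waigua users”. They asked the court to order Ninth City to unblock the accounts, restore the data, refund the sale value of the point cards and return their in-game equipment in 《奇迹》, and to apologize, restore their reputation and pay compensation for mental distress.]
Can a case like this be accepted? How should it be tried? How is the judgment to be enforced? There are many difficulties here. For example, is the legal relationship between the player and the operator one of tort or of breach of contract? What law applies? Can “damage to the reputation” of an online name give rise to compensation for mental distress? How is the identity of a party to be established? To address these questions, the Jing’an District People’s Court invited many e-commerce law experts and lawyers to a special seminar. In the experts’ view, although there are no specific legal provisions for cyberspace, disputes of this kind can for the time being be resolved under existing law. Shou Bu, a professor at the Law School of Shanghai Jiao Tong University who is familiar with online games, said that in an online game the user is at the client end and the operator controls the server; after the client acts, data are returned to the server. “Waigua” software can intercept client data in transit and modify them so as to boost the player’s “power”. Under the agreement, “waigua” amounts to cheating and is not allowed, and the operator has the right to restrict players. However, the practice of some operators of banning accounts has also drawn protests from players, because in litigation it is hard for the operator to prove the use of “waigua”: the operator can only provide the data shown on the server, the process from client to server is hard to record, and the finding is not complete enough. Zhao Xueming, a lawyer and deputy director of the E-Commerce Law Research Committee of the Shanghai Bar Association, considers that many new forms of dispute or problem arise as society develops, and that if the law cannot resolve them, the development of the industry will be impeded. In his view, “waigua” disputes should be capable of being accepted by the courts: players buy point cards to play the game, which forms a contractual relationship; an account ban by the operator amounts to terminating the agreement and can be handled as a contract dispute under the Contract Law.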
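Cheat programs (waigua). For players, a cheat program means speed-ups, instant movement, duplication of money and equipment, automatic leveling, automatic healing, and even the ability to modify character attribute values in the game. From a technical point of view, however, a cheat program is a module, independent of the main game program, that implements some function. Through cheat programs, their makers and users can intrude into the game in order to cheat: a novice adventurer can greatly shorten leveling time, obtain top-grade equipment in a fairly short time and reach a higher level. In terms of the game’s own rules, cheat programs break the balance of the virtual world; players who have them influence more players to obtain them, and the game is no longer the players’ game but the cheat makers’ game, the cheat programs’ game.
Behind the rampant spread of cheat programs, the law of profit still applies. Cheat makers are no longer, as they were at first, merely pursuing glory in the virtual world of the game; they are more concerned with gains in the real world. Many cheat makers have set up dedicated studios, put accounts and passwords on their cheat programs and require players to pay to use them. Some game operators, for reasons of economic interest, are unwilling really to crack down on cheat programs, because doing so means fewer players and reduced profits, so they only pay lip service. Add to this the incompleteness of the legislation, and cheat making has become legitimized, while cheat makers and distributors are all the more unscrupulous. At present almost all the popular cheat programs for online games contain “Trojan” programs used to steal users’ accounts and passwords; worse still, some directly sell the stolen accounts, and they often steal and sell the highly valuable top-grade equipment or pets in those accounts.
On 8 May 2004, the company Wangxing (网星) began a series of activities against cheat programs under the theme “A new world of green online games”. On 9 July, six major game vendors, including Disanbo (第三波), Mubiao (目标), Tsinghua Tongfang (清华同方), Huanle Shidai (欢乐时代) and Yalian (亚联), signed the “Joint Anti-Waigua Declaration of China’s Mainstream Online Game Vendors”. All this marks the beginning of the campaign against cheat programs. But combating cheat programs is a complex undertaking that can by no means be solved at root by the joint signatures of a few game vendors and publicity from a few media outlets; all forces in society must be brought together to combat cheat programs before they can be stopped.
The most urgent task is to speed up the improvement of the law and give the campaign against cheat programs a legal basis. The making of cheat programs can be stopped under the relevant provisions on software copyright protection, because a cheat program is in essence a program that intrudes into the original software, and any copying or modification of, or intrusion into, the original software without the permission of the software copyright holder constitutes infringement. Those who distribute cheat programs commit indirect infringement and should bear joint and several liability. As for those who buy cheat programs, their conduct should not be protected by law; it is an improper transaction. There are, however, some legal issues here that still need to be followed up: 1. some cheat programs run not on the game client but on the Windows platform; 2. cheat programs are mostly installed by PC users personally; 3. some cheat programs do not directly modify the database of the game server, so it is hard to find that they infringe the game database.
The next step is to rely on technology: strengthen measures to block cheat programs, establish network systems for monitoring and prevention, strictly shut cheat programs out, and promptly ban the accounts of those who use them. In the short term, regulations on online games can hardly be made complete, players’ legal awareness is not strong, and combating cheat programs by legal means is a huge undertaking that costs time and effort. Using technical protection as a substitute for legal protection of online games in combating cheat programs is therefore an emergency measure.
At present, China has no specific legal provisions that clearly regulate disputes of this kind. In major gaming countries such as the United States and South Korea, however, legislative work in this area is gradually receiving attention. Reportedly, the Ministry of Culture, the Ministry of Information Industry, the State Administration for Industry and Commerce, the Ministry of Public Security and other departments have now launched action, bringing the control of “waigua” into the plans for rectifying and regulating the order of the market economy and for the campaigns against pornography and illegal publications, and cracking down on it resolutely. However, some players have suggested that, since “waigua” are now so widespread, a large-scale crackdown will inevitably drive away large numbers of customers and deal a heavy blow to the game market; so why not turn “waigua”, which are unlawful yet widely liked by players, into a lawful and fair auxiliary program, an “internal plug-in” (内挂)?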


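III. Protection of “Virtual Property” in Online Games

Case 1: [In August 2003, the Chaoyang District People’s Court in Beijing accepted what the media called China’s first case of theft of virtual property. Li, a player of the online game “红月” (“Red Moon”), sued the game’s operator, the Arctic Ice (北极冰) company, because the equipment he had worked hard to obtain had disappeared overnight. Reportedly, this is the first time in the country that anyone has sued in court to recover intangible property. Li claimed that he had been playing the game for two years and had owned many pieces of “biochemical equipment” in two IDs. On 17 February this year he found that all the equipment in one of the IDs had vanished. He contacted the defendant many times but was refused assistance in recovering the lost equipment. Li asked that the defendant compensate him for the various items of lost equipment and pay RMB 10,000 in compensation for mental distress. The defendant, the game operator, argued that the two IDs referred to by Li were not registered under a real name, so Li could not prove that he was the player who held the two IDs; that he could not provide proof that the virtual equipment had been stolen; and that even if he could, under the rules of the game the company should not bear any liability.]
Case 2: [After Actoz, the Korean developer of the online game 《传奇》 (“Legend”), unilaterally terminated its license to Shanghai Shanda Networking Development Co., Ltd. (上海盛大网络发展有限公司), the question of the rights and interests of 《传奇》 users in the online game as against Shanda, that is, the dispute over players’ virtual property, came to the surface. Although Shanda announced that 《新传奇》 (“New Legend”) would soon be launched and promised that “all 《传奇》 users can migrate to the new game according to their own needs”, for the 60 million users of 《传奇》 the loss of the data they had built up in the game, and above all of their virtual property, would be irreparable. They engaged lawyers and searched through every legal provision, but could not find any applicable current rules with which to protect their lawful rights and interests.]
Virtual property in online games refers to the variable parameters, such as “treasures”, “equipment” and “level”, that are recorded under an account (ID) controlled by an online game player as belonging to that ID. Virtual property in online games has the following features. (1) It is modifiable. As the player spends time on and invests in the online game, the parameters of the ID change; this is precisely where the fun of online games lies and is the essential reason why players accept them. (2) It is tradable. Precisely because these parameters can be modified, they can be traded, assigned and transferred, just as houses are traded in real life, with a transfer adding the values of one ID to another ID. (3) It is linked to money. The parameters are related to the money and time the player invests. A player can raise his or her level by commissioning other players to level up, can buy other players’ equipment directly, or can obtain equipment personally from the game. (4) It is quantifiable. Because trading in the virtual property of online games is not conducive to fair competition in online games and is not a path of employment for lawful enrichment that our socialist country advocates, it is regarded as illegal. But the value of the equipment in online games can still be quantified, just as drug trading is illegal yet the value of drugs can be assessed and quantified. Taking 《传奇》 as an example, a beginner who wants to train up to level 38 spends several thousand yuan in total and also puts in a great deal of time and energy.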
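As for property, Chinese law has never had a clear definition. Article 75 of the General Principles of the Civil Law provides that a citizen’s personal property includes the citizen’s lawful income, houses, savings, articles for daily use, cultural relics, books and reference materials, trees, livestock, and means of production that the law permits citizens to own, as well as other lawful property. From this circular definition we can see that property has never actually been defined. China’s property law has not yet been enacted, and many real rights in real life still lack a clear concept, let alone virtual things on the network. From an economic perspective, one view holds that online gaming is a purely recreational and leisure activity and lacks a basis in the theory of value in the economic sense. The author considers that this economic view is clearly limited by its time. Why can a purely recreational and leisure activity not create value? For example, ESWC (the Electronic Sports World Cup) and WCG (the Samsung e-sports tournament), which offer huge prizes, are both worldwide e-sports tournaments and are a mark of the professionalization of gaming. According to professionals at online game companies, “professional players” first appeared in South Korea, and from 2002 the first professional players recruited into posts began to appear in mainland China. They are mainly university students and part-time workers, turnover is very high, and average working time is more than 10 hours a day. Professionals consider that, as a new occupation that came into being barely half a year ago, professional players have not yet reached any scale, and hiring professional players is at present merely a means of publicity and promotion for game companies. The title of professional player has a certain allure, but given that its prospects are unclear, making money by playing games may not be a good choice, though it can of course generate value.
Virtual property is property and matter fabricated within online games. To play an online game, the common practice now is that the player downloads the game client, logs in to the operator’s server, and exchanges purchased point cards for game time in order to play, while the operator’s profit comes from the income from selling point cards. What the player buys is therefore in fact the operator’s service, not the game product itself. The two parties form a relationship of service and consumption. However, online games are not entirely the same as traditional service industries: while playing, players can continually upgrade the status of their virtual characters and acquire virtual property, and this is the main purpose of playing. Another feature of online games is that the status of the virtual character and the virtual property can be kept persistently: even after the player goes offline, the operator still stores the player’s data on its servers. The service that the player receives from the operator is mainly reflected in two aspects. First, during the player’s game time the operator provides network and technical environment services that meet certain requirements. If the quality of its service does not reach the standard it promised or the standard prescribed by law, it should bear the corresponding liability to compensate the player. Although the domestic online game industry has not yet formed mature industry norms and standards in this respect, it can still draw on the rules of traditional service industries and treat the points purchased by the player as a prepayment. Second, the operator should lawfully preserve the player’s personal information and data and the data of the virtual property the player has obtained in the game.
Who owns virtual property? If an online game ceases operation, or if virtual property data are lost for reasons attributable to the operator, what liability should the game operator bear? One view holds that virtual property is obtained by the player in the game, that the manner and state of its acquisition are determined by the rules of the game, and that it is part of the game content, so ownership belongs to the operator and the player has only a right of use. Another view holds that such virtual property, experience points and the like are obtained through the player’s own efforts, and the operator merely stores these data, so ownership of virtual property belongs to the user. The author considers that although virtual property arises on the servers of a particular game operator and can usually only be stored on those servers, the creation of and changes in virtual property are not controlled by the operator but are the result of specific acts by the player while receiving the operator’s service; the specific types and quantities of virtual characters and property depend entirely on the player’s own activity, and the operator merely provides service during game time and the related safekeeping. From this angle, ownership of virtual property should belong to the player. The operator merely stores these data on its servers and has no right to make any modification to them. Such a rule helps to ensure the stability of the game, regulate the conduct of operators and protect the lawful rights and interests of players.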