信息技术：风险因素和管理PPT文档格式.ppt

1、Information Technology:#Risk Factors and Key Control Areas信息技术：#风险因素和管理信息技术：#风险因素和管理Outline of the Discussion 提纲提纲IT examinations-integration and ratings IT检查综合与分级Key IT risks and mitigating controls IT主要风险与化解方法Integrated supervision-IT and financial 综合监督IT和财务IT issues-business line reviews IT问题业务部门

2、检查Business resiliency 业务恢复Service provider/outsourcing risks 服务提供商/外包的风险E-banking issues 电子银行问题2IT Examinations-Integration and RatingsITIT检查检查综合与分级综合与分级Part of safety and soundness examination 是安全性和稳定性检查的一部分Targeted examination may be done for complex institutions or specific issues 目标检查可用于综合性机构或特别

3、事件Single composite rating of performance -“URSIT”rating-may be a single rating-e.g.strong,satisfactory,fair,marginally satisfactory,unsatisfactory 性能的单一因素评级“URSIT”评级可能是单一评级如很好、满意、一般、基本满意、不满意3Four“URSIT”components:#“URSIT”的4个组成部分：#Audit 审计Management 管理Development and Acquisition 开发和购置Support and Deli

4、very 支持和交付IT risk factors IT风险因素：#Organizational risk 机构风险Infrastructure risk 基础设施风险Integrity risk 完整性风险Security risk 安全性风险Availability risk 有效性风险IT Examinations-Integration and RatingsITIT检查检查综合与分级综合与分级4Scope of IT ExaminationITIT检查的范围检查的范围Other key factors:#其他主要因素implementation of new systems 新系统的

5、使用significant changes in operations including mergers or system conversions 运作发生重大变化，包括合并或系统转化new or modified outsourcing relationships for critical operations 重要运作出现新的或调整后的外包关系5Areas to concentrate on 集中于以下领域：#significant industry trends/issues 重大的行业趋势/事件business lines where internal controls or ri

6、sk management are heavily dependent on information technology 内控或风险管理主要依靠信息技术的业务部门follow-up on issues raised by internal audit or in the last report of examination 跟踪内审或最后检查报告提出的问题Scope of IT ExaminationITIT检查的范围检查的范围6Degree of Control控制的程度控制的程度Level of IT risks-depends on degree of control IT风险的水平取

7、决于控制程度In-house operations-100 percent 内部操作100%retains all responsibility authority and accountability 保留所有的职责权限和义务Outsourced operations-0 percent 外包操作0%delegates some authority to an outside party through a contract while retaining accountability 通过合同将部分权限委派给外部机构，同时保留责任Vendor-0 percent 卖主0%products

8、developed without bank input;#carefully evaluate the risks 不用银行投入的产品开发；#仔细评估风险7Analysis of URSIT Rating FactorsURSITURSIT评级因素的分析评级因素的分析Internal Audit review includes 内部审计检查包括：#Overall effectiveness of the audit process 整个审计过程的有效性Audit independence 审计的独立性Adequacy of risk assessment methodology 风险评估方法

9、的适宜性Scope,frequency,accuracy and timeliness of internal and external audit reports 内部和外部审计报告的范围、频率、准确性和及时性Extent of audit participation in application,development,acquisition and testing 审计在应用、开发、盘购和测试方面的参与程度IT audit staff and qualifications IT审计人员和资格Quality and effectiveness of internal and externa

10、l audit as it relates to It controls 内部和外部审计在IT管理方面的质量和效力Overall adequacy of plan vs.IT risks 计划的充分性与IT风险8Analysis of URSIT Rating Factors,cont.URSITURSIT评级因素的分析（续）评级因素的分析（续）Management review includes 管理层检查包括：#Level/quality of oversight and support of IT processes IT程序监督与支持的水平/质量Effectiveness of ris

11、k monitoring systems including identification,measurement,monitoring and controlling risks 风险监督体系的有效性，包括风险识别、度量、监督和控制Management planning-new activities-succession plan 管理层规划新的活动连续性计划Adequacy of MIS reports 管理信息系统报告的充分性Awareness of and compliance with laws and regulation 法律法规的认知和遵守Management of contr

12、acts,outsourcing,and service delivery and monitoring of the arrangements 合同、外包、服务交付的管理和监督9Development and acquisition review includes:#开发和盘购检查包括：#Oversight and support of systems development and acquisition activities by senior management and Board 高级管理层和董事会对于系统开发和盘购予以监督和支持Accountability for systems

13、 development 系统开发的义务Adequacy of SDLC and programming standards 同步数据链路控制（SDLC）和编程标准的适宜性Quality of project management programs,systems documentation and software releases 专案管理程序、系统文件和软件发布的质量Independence of quality assurance function 保证质量的职能的独立性Integrity and security of the network,system and applicati

14、on software 网络、系统和应用软件的完整性与安全性Involvement of clients in the acquisition process 盘购过程中的客户参与Analysis of URSIT Rating Factors,cont.URSITURSIT评级因素的分析（续）评级因素的分析（续）10Support and delivery review includes adequacy of 支持和交付检查包括：#Operating policies,procedures,and manuals 运做方针、程序和手册Physical and logical securit

15、y including data privacy 可操作的、合理的安全措施，包括数据保密Security policies,procedures,and practices in all units and at all levels of financial institution 金融机构各级别、各部门都有安全方针、程序和操作要求Service levels that meet business requirements 能够满足业务需求的服务水平Data controls over preparation,input,processing,and output 数据准备、输入、处理和输出

16、的管理Corporate contingency planning and business resumption 公司应急计划和业务恢复Programs/processes monitoring capacity/performance 程序/程序监督能力/表现Quality of assistance provided to users 向客户提供的援助的质量Controls over and monitoring of OSPs OSP的管理和监督Firewall architectures/security of public networks 防火墙体系/公共网络安全Analysis of URSIT Rating Factors,cont.URSITURSIT评级因素的分析（续）评级因素的分析（续）11Integration of Key Risk Factors/Ratings主要风险因素的整合主要风险因素的整合/分级分级Review IT risks at an institution-wide level 在机构范围内检查IT风险Develop processes to evaluate the