Guiding Opinions concerning Using Secure and Controllable Information Technology and Strengthening Cybersecurity and Informatization in the Banking Sector


China Banking Regulatory Commission, National Development and Reform Commission, Ministry of Science and Technology, Ministry of Industry and Information Technology

To all Banking Regulatory Bureaus; all provincial (autonomous region, municipality and separately planned city) development and reform commissions, science and technology departments (commissions, bureaus) and competent departments for industry and information technology; all policy banks, State-owned commercial banks, joint-stock commercial banks, financial asset management companies, savings banks and provincial-level rural credit cooperative unions; and the trust companies, enterprise group finance companies and financial leasing companies directly supervised by the CBRC:

In order to further implement the innovation-driven development strategy, enhance the banking sector's cybersecurity assurance capability and level of informatization, promote deepening reform and development transformation in the banking sector, and stimulate the development of strategic emerging industries, the following Guiding Opinions on the use of secure and controllable information technology to strengthen cybersecurity and informatization in the banking sector are hereby put forward.

I, General objectives

Establish long-term mechanisms for the use of secure and controllable information technology in the banking sector, formulate supporting policies, establish platforms to drive adoption, and vigorously promote the use of information technology that satisfies the banking sector's information security needs and whose technological risk, outsourcing risk and supply chain risk are controllable. By 2019: core knowledge and key technologies for banking-sector informatization are to be mastered; the banking sector's critical network and information infrastructure is to be rationally distributed, with the concentration risk in critical facilities and services effectively mitigated; secure and controllable information technology is to reach an overall utilization rate of about 75 per cent across the banking sector, and the sector's cybersecurity assurance capability is to be continuously strengthened; and the level of informatization is to rise steadily, so as to better protect consumers' rights and interests and safeguard economic and social security and stability.

II, Guiding principles

(1) Persist in openness and cooperation. Be inclusive, draw together the wisdom and strength of all sides, give preference to technologies and solutions that are highly open, highly transparent and widely applicable, give preference to bodies willing to cooperate in the areas of core knowledge and key technology, and avoid reliance on any single product or technology.

(2) Encourage indigenous innovation. Fully recognize the importance of the innovation-driven development strategy; encourage original innovation, integrated innovation, and re-innovation after importing, digesting and absorbing foreign technology; build an efficient and robust supply system for common key technologies; and master the core knowledge and key technologies of banking-sector informatization.

(3) Give play to the role of the market. Accelerate the establishment of an efficient innovation system, mobilize the initiative of all kinds of innovation actors, use the banking sector's informatization demand to foster and drive the market, use the development of the information industry to promote the transformation of the banking sector, actively seize the opportunities presented by emerging technologies, promote the innovative development of banking informatization, and help the information industry grow larger and stronger.

(4) Strengthen coordination and cooperation. Plan comprehensively, strengthen coordination and cooperation among government, industry, academia and research, create an environment of positive interaction for the research, development and application of secure and controllable information technology, and form a virtuous circle of "demand pull, industry push and research drive".

III, Tasks and requirements

(1) Perfect information technology governance mechanisms. Banking financial institutions shall make enhancing their cybersecurity assurance capability and informatization capability a strategic objective and bring the use of secure and controllable information technology into their strategic plans; establish an institutional system oriented towards security and controllability and indigenous innovation, with clear objectives, policies and division of responsibilities; strengthen the building of innovation organizations and the cultivation of talent, and safeguard innovation resources; and advance in an orderly manner the key tasks of indigenous design of the overall architecture, indigenous research and development of core applications, indigenous mastery of core knowledge and indigenous application of key technologies.

(2) Optimize information system architecture. Banking financial institutions shall establish a secure, reliable, efficient, open and elastic overall information system architecture and give full consideration to security and controllability during architecture planning and design; they shall retain the power to choose key technologies and break free from reliance on any single technology or product in the area of critical information and network infrastructure. Business continuity system architecture shall be planned and built from a strategic standpoint: there shall be at least one integrated business continuity solution, built on a secure and controllable information technology architecture, covering data-level or application-level storage, backup, archiving and disaster recovery.

(3) Give priority to the use of secure and controllable information technology. Banking financial institutions shall objectively assess their own informatization needs and information technology risk profile, carry out gap analysis, and formulate annual plans to advance adoption; establish a scientific and rational approach to selecting information technologies and products, choose technologies and products matched to the institution's informatization needs, and avoid blindly pursuing scale and comprehensiveness. In information processing steps that involve sensitive customer data, priority shall be given to secure, reliable information technologies and services whose risk is controllable. The current focus is to press ahead in areas such as network equipment, storage, low- and mid-range servers, information security, operations and maintenance services, and word-processing software, and to intensify exploration and trials in areas such as operating systems and databases. From 2015 onwards, every banking financial institution shall raise the share of secure and controllable information technology it uses by no less than 15 percentage points each year, until an overall share of no less than 75% is reached in 2019 (technologies and products adopted in 2014 may be counted towards 2015).

(4) Actively promote indigenous innovation in information technology. Banking financial institutions shall actively trial and use secure, reliable and indigenously innovated information technologies, put forward improvement requirements through use, and strengthen the adaptability and robustness of innovative technologies; and explore, through unified standards, coordinated product planning, joint problem-solving, pilots and demonstrations, ways to accelerate the bedding-in, adaptation and systematic optimization of indigenously innovated information technologies. Where secure and reliable indigenously innovated products or technologies exist, at least one such product or technology shall be brought into the selection and testing process; suppliers of specialized equipment or integrated solutions shall be required to use at least one secure and reliable indigenously innovated product or technology in each of the hardware and the software of their solution.

(5) Actively participate in the research and development of secure and controllable information technology. Banking financial institutions shall strengthen cooperation with industry bodies, universities and research institutions, jointly carry out the research, development and production of key technologies, carry out technological cooperation and technology transfer around the key problems of applying secure and controllable information technology in the banking sector, and produce high-quality scientific and technological results worth extending across the sector; intensify research in the areas of core application infrastructure, operating systems, databases, middleware and specialized equipment for the banking sector, and concentrate on breakthroughs in the key technologies that constrain the development of security and controllability. From 2015 onwards, banking financial institutions shall set aside no less than 5% of their annual informatization budget specifically to support the institution's own forward-looking, innovative and planning-oriented research on secure and controllable information systems, and to support the institution's mastery of core informatization knowledge and skills.

(6) Strengthen intellectual property protection and the building of standards. Banking financial institutions shall raise their awareness of intellectual property protection and promptly apply for patent protection for their research results; they shall actively participate in the research and formulation of all kinds of technical standards, and promote the standardization and patenting of secure and controllable information technology.

IV, Major measures

(1) Establish information security review and risk assessment systems for the banking sector. On the basis of State policy on national cybersecurity review, establish supporting policies suited to the information security needs of the banking sector, establish cybersecurity review standards for the banking sector, and strengthen security testing of information technologies and products specific to the banking sector; establish a regularized risk assessment system, with mechanisms for identifying, assessing and controlling the risks of information technology during its application in the banking sector, and strengthen functional, performance and security testing; closely track the application of secure and controllable information technology, build defect and risk databases, and continuously drive the improvement of the technology through its use in the sector.

(2) Establish platforms for the adoption and advancement of secure and controllable information technology in the banking sector. Form a strategic alliance for innovation in secure and controllable information technology in the banking sector, create technology laboratories and national engineering laboratories, research and uncover opportunities and requirements for using secure and controllable information technology in the banking sector, and coordinate banking financial institutions, information technology enterprises, universities and research institutions to jointly advance the research and promotion of secure and controllable information technology.

(3) Organize demonstration projects for the application of secure and controllable information technology in the banking sector. In combination with the national information security special programme, relevant State science and technology plans and other projects supported by State finance, organize application demonstrations of secure and controllable information technology in the banking sector and organize and drive forward-looking research on security and controllability in the sector; strengthen inter-departmental collaboration and policy coordination, increase support for the banking sector's use of secure and controllable information technology, continuously improve secure and controllable information technology through its application in the banking sector, and create market space for it.

(4) Formulate guidelines for advancing the use of secure and controllable information technology in the banking sector. Relying on the strategic alliance for innovation in secure and controllable information technology in the banking sector, the technology laboratories and the national engineering laboratories, analyse the banking sector's application requirements, resolve common problems, formulate guidelines year by year, and specify in detail the areas to be advanced, the priority information technologies and products, and the plans for advancing them. Competent departments for industry and information technology at all levels shall recommend suitable technologies, products, services and model solutions and promote the matching of demand with supply.

(5) Sustained supervision and evaluation. Establish a mechanism for supervising and evaluating banking financial institutions' use of secure and controllable information technology, assessing the maturity of security and controllability capability through indicators such as the adoption rate of secure and controllable information technology, the rate of indigenous control over important systems, and the trial use of indigenously innovated information technology; assess banking financial institutions' use of secure and controllable information technology every year and, for institutions covered by the supervisory rating system, incorporate the assessment results into the institution's information technology supervisory rating.

3 September 2014.

Original Chinese title: 中国银监会、国家发展改革委、科技部、工业和信息化部关于应用安全可控信息技术加强银行业网络安全和信息化建设的指导意见
Document number: 银监发[2014]39号 (CBRC Document [2014] No. 39)

(This document is distributed down to banking regulatory sub-bureaus and locally incorporated banking financial institutions.)
