人民法院如何弘扬司法核心价值观/吴金成
作者:法律资料网 时间:2024-06-22 18:30:53 浏览:8678
来源:法律资料网
下载地址: 点击此处下载
人民法院如何弘扬司法核心价值观
吴金成
公正、廉洁、为民的司法核心价值观,是社会主义核心价值体系在司法领域的集中体现,是所有法官共同的价值追求,是推进人民司法事业不断前进的强大精神动力。大力培育和弘扬司法核心价值观,对提高法院队伍素质、促进法院整体工作具有至关重要的作用。大力弘扬司法核心价值观,是法院队伍建设的一项长期任务,这就要求我们正确理解和掌握司法核心价值观的内涵,找准切入点,将司法核心价值观融入到人民法院的整体工作中。
一、司法核心价值观的内涵。
(一)公正是司法核心价值观的灵魂。公正,是现代社会民主、文明、进步的重要标志,也是社会主义国家经济发展和社会稳定的重要保证。司法公正可以让民众感受到切实的安全感,有利于在全社会之中形成和强化公正意识。人民法院只有公正司法,才能真正化解纠纷,制裁不法,为社会消除不和谐因素,保证法律的威严。只有公正司法,才能使权力被规范、权利受尊重、利益有保障、纠纷可诉求、秩序得维护。公正是人民群众对人民法院的殷切期望,是法官的基本职责。公正是建设中国特色社会主义,构建和谐社会、打造平安中国、发展社会生产力、建设社会主义现代化事业的要求与保证。公正是新时期人民法院工作的最高准则与价值追求。
(二)廉洁是司法核心价值观的基石。廉洁是人民法官基本的行为准则和重要评断标准,也是实现公正的基本保障。没有队伍的清正廉洁,就不可能实现司法公正,一切司法工作也就无从谈起。人民法官是法律的使者,承载着断是非、化纠纷的重任,高尚的职业道德情操要求每名法官必须不断加强职业道德修养,确立忠于法律、刚正不阿、廉洁自律、司法为民的道德信念,维护法官职业的尊严,进而维护司法的尊严。人民法官是否司法廉洁,关系到公平正义能否实现,关系到人民司法事业兴衰成败。没有廉洁这个基石,公平正义的大厦无从建立,人民司法事业无法稳固。司法工作只有清正廉洁,不谋私利,不徇私情,深怀爱民之心,恪守为民之责,多办利民之事,才能得到广大人民群众的拥护和支持。反腐倡廉是人民法院队伍建设的重中之重,也是人民群众关心关注的热点焦点。作为人民法官,我们要始终保持职业良知,保持清廉如水、执法如山的本色,严格遵守“五个严禁”等审判纪律和廉政规定,不为金钱所诱,不为人情所惑,不为关系所扰,不为权势所迫,堂堂正正办案,干干净净做人,以清正廉洁取信于民。
(三)为民是司法核心价值观的根本目的。在我国,人民利益高于一切。为民是人民法官行使司法权的本质属性。胡锦涛总书记在同全国政法工作会议代表和全国大法官、大检察官座谈时指出:“政法工作搞得好不好,最终要看人民满意不满意”。人民满意是人民法院工作的出发点和落脚点,同时也是检验法院工作的根本标准,要把人民群众的呼声作为第一信号、把人民群众的需要作为第一选择、把人民群众的满意作为第一标准。人民法官只有把人民性作为核心价值和精神支撑,才能有效抵御各种错误思想和观念的干扰与侵蚀,才能不断推进社会主义司法事业向前发展,才能使中国特色社会主义司法制度永远立于不败之地。人民法官要以对待自己亲人一样的感情、一样的方式、一样的态度为人民群众提供司法服务,把人民群众的呼声作为第一信号,树立平民意识,甘当平民法官。为民,是司法核心价值观的根本目的。只有怀着为民之心,我们在工作中才能将为人民服务落到实处,才能使我们的一切工作为人民。共产党作为中国最广大人民群众根本利益的忠实代表,除了人民的利益,没有自己的任何其他利益。政法机关作为党领导下的人民民主专政工具,其自身性质和宗旨必然符合党以及国家政权的性质和宗旨,并始终与之保持一致。党的宗旨就是为人民服务,所以法院必须树立司法为民理念,要有为民之心。为民就是要心中始终想着人民,要把人民的利益放在首位,用自己的司法行为让当事人体会到社会主义司法的人文关怀。为民就是要牢记党的宗旨,恪守为民之责,力行为民之举,永葆对人民群众的真挚感情,始终将全心全意为人民服务作为理想的起点、信念的支点和事业的轴心,心里装着群众、凡事想着群众、一切为了群众,真正做到权为民所用,情为民所系,利为民所谋。
司法核心价值观体现了人民法院工作的科学性、权威性、人民性,是社会主义核心价值体系在司法领域的集中体现,是法院文化的精髓。坚持公正、廉洁、为民,人民法官为人民主题实践活动才能真正落到实处、发挥实效。司法核心价值观的三个方面相辅相成、相互交融,深深熔铸在人民法院的生命力、创造力和凝聚力之中,共同构成人民法官的精神品格,成为推动人民司法事业不断发展的精神动力。提倡、弘扬司法核心价值观,要求全体法官做到公平、廉洁、为民,通过不懈的学习、宣传、教育,使之转化为法官这个群体意识和共同行动。这是对法官普遍性的要求,是法官职业道德操守的底线。正如法律之于公众,是必须遵守的行为规范和准则,是人民意志的体现,是显露的道德和良好的秩序。
二、弘扬司法核心价值观的途径。
司法核心价值观从宏观方面给人民法院指明了道路,提出了标准。根据人民法院工作和队伍建设的具体情况,大力弘扬司法核心价值观要做到以下几个方面:
(一)依法履行审判职能,为社会的稳定发展提供更加有力的司法保障。全面做好民事、刑事、行政审判和执行等工作,依法妥善处理在调结构、促转变、扩内需中发生的各类矛盾纠纷,确保党中央关于加快经济发展方式转变、保持经济平稳较快发展的战略部署和政策措施的贯彻落实。依法严厉打击危害国家安全和社会稳定犯罪,严惩境内外敌对势力的各种分裂、恐怖、渗透、颠覆等犯罪活动。加大对破坏资源、污染环境等违法犯罪行为的制裁力度,促进可持续发展。加大知识产权司法保护力度,加强支持自主创新的司法环境建设。依法妥善审理民间借贷、损害赔偿、农村土地承包经营以及教育、医疗、住房、社会保障、征地拆迁、环境保护、食品药品安全、劳动争议等与群众生产生活密切相关的案件,推进社会矛盾化解工作,切实保障人民权益。进一步落实“调解优先、调判结合”的工作原则,完善诉讼与非诉讼相衔接的矛盾纠纷解决机制,推进社会管理创新,维护社会和谐稳定。
(二)在审判机构设置上,形成分工有序,相互监督制约的运行机制。严格实行“立审分立、审执分立、审监分立”,使案件立案、审理、执行、审判监督四个基本环节职能分明,各审判机构依法运作,相互监督,保证审判工作规范有序地进行。扩大监督渠道。坚持自身纪检监察部门内部监督外,充分发挥人民检察院的法律监督、人民群众的信访监督、聘请的监督员的社会监督、新闻媒体的舆论监督等监督平台的作用。
(三)建立符合审判特点和执法责任制要求的工作规范。建立利于提高司法质量和效率的工作规范,主要包括:一是庭前准备规范,确定了不同类型案件庭前准备的内容、程序和要求,实行庭前证据交换和听证制度,建立限期举证制度;二是制定适用普通程序、简易程序案件的庭审规范。就庭审质证、认证、说理、宣判等重要环节统一要求;三是规范合议庭工作。强化合议庭在审判长指挥下充分发扬民主、集体负责、相互制约的运作方式,改变客观存在的合议制流于形式,主审法官决定案件裁判的做法,建立符合民主集中制原则的合议庭运作机制;四是规范审判委员会工作。强化审委会作为最高审判组织的监督指导职能,改变以往审委会过多分解合议庭职能,合议庭依赖于审委会的状况;五是规范院、庭长领导方式。进一步明确院、庭长对合议庭的监督、管理和指导作用,行使好提议权、复议权、监督权,彻底改变院、庭长个人决定案件裁决及包揽签发法律文书的传统做法;六是推行法官和书记员分类管理模式,优化审书配置,规范书记员参与执法的责任;七是规范执行工作方式,以最高法院《关于执行工作若干问题的规定(试行)》为依据,规范执行工作程序。
(四)不断深化审判方式改革,增强审判工作的透明度。在刑事、民事、行政、执行等各审判领域全面坚持公开审判,凡是法律规定应该公开审判的一、二审案件,一律公开审理,并将审判活动的重点转移到法庭上,改革“纠问式”的庭审模式,全面推行“诉辩式”的庭审方式,做到当庭举证、当庭质证、当庭认证,把公开“审”和“判”贯穿于审判活动的全过程。为使这一要求落到实处,全市法院把它列为岗位目标责任制考核的“硬指标”,实行量化管理。公开开庭日期、地点和案由,邀请社会各界和人民群众旁听庭审,新闻媒体进行跟踪报道,促进了公开审判制度的落实。
(五)增强裁判文书的说理性,使裁判文书能够全面真实地反映审判活动的全过程。改革诉讼文书,提升文书法律品位和质量。过去,许多案件的裁判文书千案一面,缺乏认证说理,公信力低,在一定程度上影响司法裁判的权威。因此,我们要在司法核心价值观的指引下,提高裁判文书的制作质量,使裁判文书无懈可击,让裁判文书成为向社会公众展示法院文明、公正司法的形象载体,真正具有司法权威。
(六)要努力提高法院队伍素质,提升法院队伍司法能力,确保司法的公正性。司法能力是法官惩善扬恶、定分止争过程中处理实际问题的能力,是实现案结事了、促进社会和谐的手段和技巧。术业有专攻、素质有优劣、水平有高低,法官队伍要进一步加强政治、业务学习和实践锻炼,着力提高实际工作能力。我们推进干部培训制度要注意以下几点:1、注重培训方式的多样性、培训对象的广泛性、培训内容的全面性;2、是进行岗位练兵,提升法官特别是年轻法官做好审判、执行工作、化解矛盾的能力,可采取业务竞赛或优秀案件讲评活动、推行法官下访、回访活动等方式深入推进;3、是推行干部交流轮岗制度,上下级法院间要有合理流动、部门间要定期轮岗。
(七)加强廉政教育,建立惩治和预防腐败体系。加强社会主义法治理念教育,深化“人民法官为人民”主题实践活动,培养法官良好的职业道德。把反腐倡廉建设放在更加突出的位置,以更加扎实的工作,重点抓好教育、监督、预防、查处等制度建设,严格落实“五个严禁”,进一步加大查办惩处力度,完善惩防体系,确保司法廉洁。采取灵活、多样、有效的形式开展思想道德教育,如组织观看有关廉政的优秀影视剧,使其中倡导的廉洁、自律等基本道德驻进心间,达到润物无声中树立廉政意识的目的;可以用正反典型对比、廉政文化展厅等方式来进行廉政教育。落实“五个严禁”规定,查处惩戒不执行“五个严禁”的干警,取信于民。严格岗位职责,防范腐败风险。贯彻落实合议制度,实现合议庭的内部监督,统一司法尺度,限制审判人员不当自由裁量权的发挥空间,在法院系统形成廉洁自律的良好局面。
作者:吴金成。
工作单位:广西荔浦县人民法院。
吴金成
公正、廉洁、为民的司法核心价值观,是社会主义核心价值体系在司法领域的集中体现,是所有法官共同的价值追求,是推进人民司法事业不断前进的强大精神动力。大力培育和弘扬司法核心价值观,对提高法院队伍素质、促进法院整体工作具有至关重要的作用。大力弘扬司法核心价值观,是法院队伍建设的一项长期任务,这就要求我们正确理解和掌握司法核心价值观的内涵,找准切入点,将司法核心价值观融入到人民法院的整体工作中。
一、司法核心价值观的内涵。
(一)公正是司法核心价值观的灵魂。公正,是现代社会民主、文明、进步的重要标志,也是社会主义国家经济发展和社会稳定的重要保证。司法公正可以让民众感受到切实的安全感,有利于在全社会之中形成和强化公正意识。人民法院只有公正司法,才能真正化解纠纷,制裁不法,为社会消除不和谐因素,保证法律的威严。只有公正司法,才能使权力被规范、权利受尊重、利益有保障、纠纷可诉求、秩序得维护。公正是人民群众对人民法院的殷切期望,是法官的基本职责。公正是建设中国特色社会主义,构建和谐社会、打造平安中国、发展社会生产力、建设社会主义现代化事业的要求与保证。公正是新时期人民法院工作的最高准则与价值追求。
(二)廉洁是司法核心价值观的基石。廉洁是人民法官基本的行为准则和重要评断标准,也是实现公正的基本保障。没有队伍的清正廉洁,就不可能实现司法公正,一切司法工作也就无从谈起。人民法官是法律的使者,承载着断是非、化纠纷的重任,高尚的职业道德情操要求每名法官必须不断加强职业道德修养,确立忠于法律、刚正不阿、廉洁自律、司法为民的道德信念,维护法官职业的尊严,进而维护司法的尊严。人民法官是否司法廉洁,关系到公平正义能否实现,关系到人民司法事业兴衰成败。没有廉洁这个基石,公平正义的大厦无从建立,人民司法事业无法稳固。司法工作只有清正廉洁,不谋私利,不徇私情,深怀爱民之心,恪守为民之责,多办利民之事,才能得到广大人民群众的拥护和支持。反腐倡廉是人民法院队伍建设的重中之重,也是人民群众关心关注的热点焦点。作为人民法官,我们要始终保持职业良知,保持清廉如水、执法如山的本色,严格遵守“五个严禁”等审判纪律和廉政规定,不为金钱所诱,不为人情所惑,不为关系所扰,不为权势所迫,堂堂正正办案,干干净净做人,以清正廉洁取信于民。
(三)为民是司法核心价值观的根本目的。在我国,人民利益高于一切。为民是人民法官行使司法权的本质属性。胡锦涛总书记在同全国政法工作会议代表和全国大法官、大检察官座谈时指出:“政法工作搞得好不好,最终要看人民满意不满意”。人民满意是人民法院工作的出发点和落脚点,同时也是检验法院工作的根本标准,要把人民群众的呼声作为第一信号、把人民群众的需要作为第一选择、把人民群众的满意作为第一标准。人民法官只有把人民性作为核心价值和精神支撑,才能有效抵御各种错误思想和观念的干扰与侵蚀,才能不断推进社会主义司法事业向前发展,才能使中国特色社会主义司法制度永远立于不败之地。人民法官要以对待自己亲人一样的感情、一样的方式、一样的态度为人民群众提供司法服务,把人民群众的呼声作为第一信号,树立平民意识,甘当平民法官。为民,是司法核心价值观的根本目的。只有怀着为民之心,我们在工作中才能将为人民服务落到实处,才能使我们的一切工作为人民。共产党作为中国最广大人民群众根本利益的忠实代表,除了人民的利益,没有自己的任何其他利益。政法机关作为党领导下的人民民主专政工具,其自身性质和宗旨必然符合党以及国家政权的性质和宗旨,并始终与之保持一致。党的宗旨就是为人民服务,所以法院必须树立司法为民理念,要有为民之心。为民就是要心中始终想着人民,要把人民的利益放在首位,用自己的司法行为让当事人体会到社会主义司法的人文关怀。为民就是要牢记党的宗旨,恪守为民之责,力行为民之举,永葆对人民群众的真挚感情,始终将全心全意为人民服务作为理想的起点、信念的支点和事业的轴心,心里装着群众、凡事想着群众、一切为了群众,真正做到权为民所用,情为民所系,利为民所谋。
司法核心价值观体现了人民法院工作的科学性、权威性、人民性,是社会主义核心价值体系在司法领域的集中体现,是法院文化的精髓。坚持公正、廉洁、为民,人民法官为人民主题实践活动才能真正落到实处、发挥实效。司法核心价值观的三个方面相辅相成、相互交融,深深熔铸在人民法院的生命力、创造力和凝聚力之中,共同构成人民法官的精神品格,成为推动人民司法事业不断发展的精神动力。提倡、弘扬司法核心价值观,要求全体法官做到公平、廉洁、为民,通过不懈的学习、宣传、教育,使之转化为法官这个群体意识和共同行动。这是对法官普遍性的要求,是法官职业道德操守的底线。正如法律之于公众,是必须遵守的行为规范和准则,是人民意志的体现,是显露的道德和良好的秩序。
二、弘扬司法核心价值观的途径。
司法核心价值观从宏观方面给人民法院指明了道路,提出了标准。根据人民法院工作和队伍建设的具体情况,大力弘扬司法核心价值观要做到以下几个方面:
(一)依法履行审判职能,为社会的稳定发展提供更加有力的司法保障。全面做好民事、刑事、行政审判和执行等工作,依法妥善处理在调结构、促转变、扩内需中发生的各类矛盾纠纷,确保党中央关于加快经济发展方式转变、保持经济平稳较快发展的战略部署和政策措施的贯彻落实。依法严厉打击危害国家安全和社会稳定犯罪,严惩境内外敌对势力的各种分裂、恐怖、渗透、颠覆等犯罪活动。加大对破坏资源、污染环境等违法犯罪行为的制裁力度,促进可持续发展。加大知识产权司法保护力度,加强支持自主创新的司法环境建设。依法妥善审理民间借贷、损害赔偿、农村土地承包经营以及教育、医疗、住房、社会保障、征地拆迁、环境保护、食品药品安全、劳动争议等与群众生产生活密切相关的案件,推进社会矛盾化解工作,切实保障人民权益。进一步落实“调解优先、调判结合”的工作原则,完善诉讼与非诉讼相衔接的矛盾纠纷解决机制,推进社会管理创新,维护社会和谐稳定。
(二)在审判机构设置上,形成分工有序,相互监督制约的运行机制。严格实行“立审分立、审执分立、审监分立”,使案件立案、审理、执行、审判监督四个基本环节职能分明,各审判机构依法运作,相互监督,保证审判工作规范有序地进行。扩大监督渠道。坚持自身纪检监察部门内部监督外,充分发挥人民检察院的法律监督、人民群众的信访监督、聘请的监督员的社会监督、新闻媒体的舆论监督等监督平台的作用。
(三)建立符合审判特点和执法责任制要求的工作规范。建立利于提高司法质量和效率的工作规范,主要包括:一是庭前准备规范,确定了不同类型案件庭前准备的内容、程序和要求,实行庭前证据交换和听证制度,建立限期举证制度;二是制定适用普通程序、简易程序案件的庭审规范。就庭审质证、认证、说理、宣判等重要环节统一要求;三是规范合议庭工作。强化合议庭在审判长指挥下充分发扬民主、集体负责、相互制约的运作方式,改变客观存在的合议制流于形式,主审法官决定案件裁判的做法,建立符合民主集中制原则的合议庭运作机制;四是规范审判委员会工作。强化审委会作为最高审判组织的监督指导职能,改变以往审委会过多分解合议庭职能,合议庭依赖于审委会的状况;五是规范院、庭长领导方式。进一步明确院、庭长对合议庭的监督、管理和指导作用,行使好提议权、复议权、监督权,彻底改变院、庭长个人决定案件裁决及包揽签发法律文书的传统做法;六是推行法官和书记员分类管理模式,优化审书配置,规范书记员参与执法的责任;七是规范执行工作方式,以最高法院《关于执行工作若干问题的规定(试行)》为依据,规范执行工作程序。
(四)不断深化审判方式改革,增强审判工作的透明度。在刑事、民事、行政、执行等各审判领域全面坚持公开审判,凡是法律规定应该公开审判的一、二审案件,一律公开审理,并将审判活动的重点转移到法庭上,改革“纠问式”的庭审模式,全面推行“诉辩式”的庭审方式,做到当庭举证、当庭质证、当庭认证,把公开“审”和“判”贯穿于审判活动的全过程。为使这一要求落到实处,全市法院把它列为岗位目标责任制考核的“硬指标”,实行量化管理。公开开庭日期、地点和案由,邀请社会各界和人民群众旁听庭审,新闻媒体进行跟踪报道,促进了公开审判制度的落实。
(五)增强裁判文书的说理性,使裁判文书能够全面真实地反映审判活动的全过程。改革诉讼文书,提升文书法律品位和质量。过去,许多案件的裁判文书千案一面,缺乏认证说理,公信力低,在一定程度上影响司法裁判的权威。因此,我们要在司法核心价值观的指引下,提高裁判文书的制作质量,使裁判文书无懈可击,让裁判文书成为向社会公众展示法院文明、公正司法的形象载体,真正具有司法权威。
(六)要努力提高法院队伍素质,提升法院队伍司法能力,确保司法的公正性。司法能力是法官惩善扬恶、定分止争过程中处理实际问题的能力,是实现案结事了、促进社会和谐的手段和技巧。术业有专攻、素质有优劣、水平有高低,法官队伍要进一步加强政治、业务学习和实践锻炼,着力提高实际工作能力。我们推进干部培训制度要注意以下几点:1、注重培训方式的多样性、培训对象的广泛性、培训内容的全面性;2、是进行岗位练兵,提升法官特别是年轻法官做好审判、执行工作、化解矛盾的能力,可采取业务竞赛或优秀案件讲评活动、推行法官下访、回访活动等方式深入推进;3、是推行干部交流轮岗制度,上下级法院间要有合理流动、部门间要定期轮岗。
(七)加强廉政教育,建立惩治和预防腐败体系。加强社会主义法治理念教育,深化“人民法官为人民”主题实践活动,培养法官良好的职业道德。把反腐倡廉建设放在更加突出的位置,以更加扎实的工作,重点抓好教育、监督、预防、查处等制度建设,严格落实“五个严禁”,进一步加大查办惩处力度,完善惩防体系,确保司法廉洁。采取灵活、多样、有效的形式开展思想道德教育,如组织观看有关廉政的优秀影视剧,使其中倡导的廉洁、自律等基本道德驻进心间,达到润物无声中树立廉政意识的目的;可以用正反典型对比、廉政文化展厅等方式来进行廉政教育。落实“五个严禁”规定,查处惩戒不执行“五个严禁”的干警,取信于民。严格岗位职责,防范腐败风险。贯彻落实合议制度,实现合议庭的内部监督,统一司法尺度,限制审判人员不当自由裁量权的发挥空间,在法院系统形成廉洁自律的良好局面。
作者:吴金成。
工作单位:广西荔浦县人民法院。
下载地址: 点击此处下载
Guidelines on the Risk Management of Commercial Banks’ Information Technology ——附加英文版
Guidelines on the Risk Management of Commercial Banks’ Information Technology
Chapter I General Provisions
Article 1. Pursuant to the Law of the People’s Republic of China on Banking Regulation and Supervision, the Law of the People's Republic of China on Commercial Banks, the Regulations of the People’s Republic of China on Administration of Foreign-funded Banks, and other applicable laws and regulations, the Guidelines on the Risk Management of Commercial Banks’ Information Technology (hereinafter referred to as the Guidelines) is formulated.
Article 2. The Guidelines apply to all the commercial banks legally incorporated within the territory of the People’s Republic of China.
The Guidelines may apply to other banking institutions including policy banks, rural cooperative banks, urban credit cooperatives, rural credit cooperatives, village banks, loan companies, financial asset management companies, trust and investment companies, finance firms, financial leasing companies, automobile financial companies and money brokers.
Article 3. The term “information technology” stated in the Guidelines shall refer to the system built with computer, communication and software technologies, and employed by commercial banks to handle business transactions, operation management, and internal communication, collaborative work and controls. The term also include IT governance, IT organization structure and IT policies and procedures.
Article 4. The risk of information technology refers to the operational risk, legal risk and reputation risk that are caused by natural factor, human factor, technological loopholes or management deficiencies when using information technology.
Article 5. The objective of information system risk management is to establish an effective mechanism that can identify, measure, monitor, and control the risks of commercial banks’ information system, ensure data integrity, availability, confidentiality and consistency, provide the relevant early warning, and thereby enable commercial banks’ business innovations, uplift their capability in utilizing information technology, improve their core competitiveness and capacity for sustainable development.
Chapter II IT governance
Article 6. The legal representative of commercial bank should be responsible to ensure compliance of this guideline.
Article 7. The board of directors of commercial banks should have the following responsibilities with respect to the management of information systems:
(1) Implementing and complying with the national laws, regulations and technical standards pertaining to the management of information systems, as well as the regulatory requirements set by the China Banking Regulatory Commission (hereinafter referred to as the “CBRC”);
(2) Periodically reviewing the alignment of IT strategy with the overall business strategies and significant policies of the bank, assessing the overall effectiveness and efficiency of the IT organization.
(3) Approving IT risk management strategies and policies, understanding the major IT risks involved, setting acceptable levels for these risks, and ensuring the implementation of the measures necessary to identify, measure, monitor and control these risks.
(4) Setting high ethical and integrity standards, and establishing a culture within the bank that emphasizes and demonstrates to all levels of personnel the importance of IT risk management.
(5) Establishing an IT steering committee which consists of representatives from senior management, the IT organization, and major business units, to oversee these responsibilities and report the effectiveness of strategic IT planning, the IT budget and actual expenditure, and the overall IT performance to the board of directors and senior management periodically.
(6) Establishing IT governance structure, proper segregation of duty, clear role and responsibility, maintaining check and balances and clear reporting relationship. Strengthening IT professional staff by developing incentive program.
(7) Ensuring that there is an effective internal audit of the IT risk management carried out by operationally independent, well-trained and qualified staff. The internal audit report should be submitted directly to the IT audit committee;
(8) Submitting an annual report to the CBRC and its local offices on information system risk management that has been reviewed and approved by the board of directors ;
(9) Ensuring the appropriating funding necessary for IT risk management works;
(10) Ensuring that all employees of the bank fully understand and adhere to the IT risk management policies and procedures approved by the board of directors and the senior management, and are provided with pertinent training.
(11) Ensuring customer information, financial information, product information and core banking system of the legal entity are held independently within the territory, and complying with the regulatory on-site examination requirements of CBRC and guarding against cross-border risk.
(12) Reporting in a timely manner to the CBRC and its local offices any serious incident of information systems or unexpected event, and quickly respond to it in accordance with the contingency plan;
(13) Cooperating with the CBRC and its local offices in the supervisory inspection of the risk management of information systems, and ensure that supervisory opinions are followed up; and
(14) Performing other related IT risk management tasks.
Article 8. The head of the IT organization, commonly known as the Chief Information Officer (CIO) should report directly to the president. Roles and responsibilities of the CIO should include the following:
(1) Playing a direct role in key decisions for the business development involving the use of IT in the bank;
(2) The CIO should ensure that information systems meet the needs of the bank, and IT strategies, in particular information system development strategies, comply with the overall business strategies and IT risk management policies of the bank;
(3) The CIO should also be responsible for the establishment of an effective and efficient IT organization to carry out the IT functions of the bank. These include the IT budget and expenditure, IT risk management, IT policies, standards and procedures, IT internal controls, professional development, IT project initiatives, IT project management, information system maintenance and upgrade, IT operations, IT infrastructure, Information security, disaster recovery plan (DRP), IT outsourcing, and information system retirement;
(4) Ensuring the effectiveness of IT risk management throughout the organization including all branches.
(5) Organizing professional trainings to improve technical proficiency of staff.
(6) Performing other related IT risk management tasks.
Article 9. Commercial banks should ensure that a clear definition of the IT organization structure and documentation of all job descriptions of important positions are always in place and updated in a timely manner. Staff in each position should meet relevant requirements on professional skills and knowledge. The following risk mitigation measures should be incorporated in the management program of related staff:
(1) Verification of personal information including confirmation of personal identification issued by government, academic credentials, prior work experience, professional qualifications;
(2) Ensuring that IT staff can meet the required professional ethics by checking character reference;
(3) Signing of agreements with employees about understanding of IT policies and guidelines, non-disclosure of confidential information, authorized use of information systems, and adherence to IT policies and procedures; and
(4) Evaluation of the risk of losing key IT personnel, especially during major IT development stage or in a period of unstable IT operations, and the relevant risk mitigation measures such as staff backup arrangement and staff succession plan.
Article 10. Commercial banks should establish or designate a particular department for IT risk management. It should report directly to the CIO and the Chief Risk Officer (or risk management committee), serve as a member of the IT incident response team, and be responsible for coordinating the establishment of policies regarding IT risk management, especially the areas of information security, BCP, and compliance with the CBRC regulations, advising the business departments and IT department in implementing these policies, providing relevant compliance information, conducting on-going assessment of IT risks, and ensuring the follow-up of remediation advice, monitoring and escalating management of IT threats and non-compliance events.
Article 11. Commercial banks should establish a special IT audit role and responsibility within internal audit function, which should put in place IT audit policies and procedures, develop and execute IT audit plan.
Article 12. Commercial banks should put in place policies and procedures to protect intellectual property rights according to laws regarding intellectual properties, ensure purchase of legitimate software and hardware, prevention of the use of pirated software, and the protection of the proprietary rights of IT products developed by the bank, and ensure that these are fully understood and complied by all employees.
Article 13. Commercial banks should, in accordance with relevant laws and regulations, disclose the risk profile of their IT normatively and timely.
Chapter III IT Risk Management
Article 14. Commercial banks should formulate an IT strategy that aligns with the overall business plan of the bank, IT risk assessment plan and an IT operational plan that can ensure adequate financial resources and human resources to maintain a stable and secure IT environment.
Article 15. Commercial banks should put in place a comprehensive set of IT risk management policies that include the following areas:
(1) Information security classification policy
(2) System development, testing and maintenance policy
(3) IT operation and maintenance policy
(4) Access control policy
(5) Physical security policy
(6) Personnel security policy
(7) Business Continuity Planning and Crisis and Emergency Management procedure
Article 16. Commercial banks should maintain an ongoing risk identification and assessment process that allows the bank to pinpoint the areas of concern in its information systems, assess the potential impact of the risks on its business, rank the risks, and prioritize mitigation actions and the necessary resources (including outsourcing vendors, product vendors and service vendors).
Article 17. Commercial banks should implement a comprehensive set of risk mitigation measures complying with the IT risk management policies and commensurate with the risk assessment of the bank. These mitigation measures should include:
(1) A set of clearly documented IT risk policies, technical standards, and operational procedures, which should be communicated to the staff frequently and kept up to date in a timely manner;
(2) Areas of potential conflicts of interest should be identified, minimized, and subject to careful, independent monitoring. Also it requires that an appropriate control structure is set up to facilitate checks and balances, with control activities defined at every business level, which should include:
- Top level reviews;
- Controls over physical and logical access to data and system;
- Access granted on “need to know” and “minimum authorization” basis;
- A system of approvals and authorizations; and
- A system of verification and reconciliation.
Article 18. Commercial banks should put in place a set of ongoing risk measurement and monitoring mechanisms, which should include
(1) Pre and post-implementation review of IT projects;
(2) Benchmarks for periodic review of system performance;
(3) Reports of incidents and complaints about IT services;
(4) Reports of internal audit, external audit, and issues identified by CBRC; and
(5) Arrangement with vendors and business units for periodic review of service level agreements (SLAs).
(6) The possible impact of new development of technology and new threats to software deployed.
(7) Timely review of operational risk and management controls in operation area.
(8) Assess the risk profile on IT outsourcing projects periodically.
Article 19. Chinese commercial banks operating offshore and the foreign commercial banks in China should comply with the relevant regulatory requirements on information systems in and outside the People’s Republic of China.
Chapter IV Information Security
Article 20. Information technology department of commercial banks should oversee the establishment of an information classification and protection scheme. All employees of the bank should be made aware of the importance of ensuring information confidentiality and provided with the necessary training to fully understand the information protection procedures within their responsibilities.
Article 21. Commercial banks should put in place an information security management function to develop and maintain an ongoing information security management program, promote information security awareness, advise other IT functions on security issues, serve as the leader of IT incident response team, and report the evaluation of the information security of the bank to the IT steering committee periodically. The Information security management program should include Information security standards, strategy, an implementation plan, and an ongoing maintenance plan.
Information security policy should include the following areas:
(1) IT security policy management
(2) Organization information security
(3) Asset management
(4) Personnel security
(5) Physical and environment security
(6) Communication and operation security
(7) Access control and authentication
(8) Acquirement, development and maintenance of information system
(9) Information security event management
(10) Business continuity management
(11) Compliance
Article 22. Commercial banks should have an effective process to manage user authentication and access control. Access to data and system should be strictly limited to authorized individuals whose identity is clearly established, and their activities in the information systems should be limited to the minimum required for their legitimate business use. Appropriate user authentication mechanism commensurate with the classification of information to be accessed should be selected. Timely review and removal of user identity from the system should be implemented when user transfers to a new job or leave the commercial bank.
Article 23. Commercial banks should ensure all physical security zones, such as computer centers or data centers, network closets, areas containing confidential information or critical IT equipment, and respective accountabilities are clearly defined, and appropriate preventive, detective, and recuperative controls are put in place.
Article 24. Commercial banks should divide their networks into logical security domains (hereinafter referred to as the “domain”) with different levels of security. The following security factors have to be assessed in order to define and implement effective security controls, such as physical or logical segregation of network, network filtering, logical access control, traffic encryption, network monitoring, activity log, etc., for each domain and the whole network.
(1) criticality of the applications and user groups within the domain;
(2) Access points to the domain through various communication channels;
(3) Network protocols and ports used by the applications and network equipment deployed within the domain;
(4) Performance requirement or benchmark;
(5) Nature of the domain, i.e. production or testing, internal or external;
(6) Connectivity between various domains; and
(7) Trustworthiness of the domain.
Article 25. Commercial banks should secure the operating system and system software of all computer systems by
(1) Developing baseline security requirement for each operating system and ensuring all systems meet the baseline security requirement;
(2) Clearly defining a set of access privileges for different groups of users, namely, end-users, system development staff, computer operators, and system administrators and user administrators;
(3) Setting up a system of approval, verification, and monitoring procedures for using the highest privileged system accounts;
(4) Requiring technical staff to review available security patches, and report the patch status periodically; and
(5) Requiring technical staff to include important items such as unsuccessful logins, access to critical system files, changes made to user accounts, etc. in system logs, monitors the systems for any abnormal event manually or automatically, and report the monitoring periodically.
Article 26. Commercial banks should ensure the security of all the application systems by
(1) Clearly defining the roles and responsibilities of end-users and IT staff regarding the application security;
(2) Implementing a robust authentication method commensurate with the criticality and sensibility of the application system;
(3) Enforcing segregation of duties and dual control over critical or sensitive functions;
(4) Requiring verification of input or reconciliation of output at critical junctures;
(5) Requiring the input and output of confidential information are handled in a secure manner to prevent theft, tampering, intentional leakage, or inadvertent leakage;
(6) Ensuring system can handle exceptions in a predefined way and provide meaningful message to users when the system is forced to terminate; and
(7) Maintaining audit trail in either paper or electronic format.
(8) Requiring user administrator to monitor and review unsuccessful logins and changes to users accounts.
Article 27. Commercial banks should have a set of policies and procedures controlling the logging of activities in all production systems to support effective auditing, security forensic analysis, and fraud prevention. Logging can be implemented in different layers of software and on different computer and networking equipment, which falls into two broad categories:
(1) Transaction journals. They are generated by application software and database management system, and contain authentication attempts, modification to data, error messages, etc. Transaction journals should be kept according to the national accounting policy.
(2) System logs. They are generated by operating systems, database management system, firewalls, intrusion detection systems, and routers, etc., and contain authentication attempts, system events, network events, error messages, etc. System logs should be kept for a period scaled to the risk classification, but no less than one year.
Banks should ensure that sufficient items be included in the logs to facilitate effective internal controls, system troubleshooting, and auditing while taking appropriate measures to ensure time synchronization on all logs. Sufficient disk space should be allocated to prevent logs from being overwritten. System logs should be reviewed for any exception. The review frequency and retention period for transaction logs or database logs should be determined jointly by IT organization and pertinent business lines, and approved by the IT steering committee.
Article 28. Commercial banks should have the capacity to employ encryption technologies to mitigate the risk of losing confidential information in the information systems or during its transmission. Appropriate management processes of the encryption facilities should be put in place to ensure that
(1) Encryption facilities in use should meet national security standards or requirements;
(2) Staff in charge of encryption facilities are well trained and screened;
(3) Encryption strength is adequate to protect the confidentiality of the information; and
(4) Effective and efficient key management procedures, especially key lifecycle management and certificate lifecycle management, are in place.
Article 29. Commercial banks should put in place an effective and efficient system of securing all end-user computing equipment which include desktop personal computers (PCs), portable PCs, teller terminals, automatic teller machines (ATMs), passbook printers, debit or credit card readers, point of sale (POS) terminals, personal digital assistant (PDAs), etc and conduct periodic security checks on all equipments.
Article 30. Commercial banks should put in place a set of policies and procedures to govern the collection, processing, storage, transmission, dissemination, and disposal of customer information.
Article 31. All employees, including contract staff, should be provided with the necessary trainings to fully understand these policies procedures and the consequences of their violation. Commercial banks should adopt a zero tolerance policy against security violation.
Chapter V Application System Development, Testing and Maintenance
Article 32. Commercial banks should have the capability to identify, plan, acquire, develop, test, deploy, maintain, upgrade, and retire information systems. Policies and procedures should be in place to govern the initiation, prioritization, approval, and control of IT projects. Progress reports of major IT projects should be submitted to and reviewed by the IT steering committee periodically. Decisions involving significant change of schedule, change of key personnel, change of vendors, and major expenditures should be included in the progress report.
Article 33. Commercial banks should recognize the risks associated with IT projects, which include the possibilities of incurring various kinds of operational risk, financial losses, and opportunity costs stemming from ineffective project planning or inadequate project management controls of the bank. Therefore, appropriate project management methodologies should be adopted and implemented to control the risks associated with IT projects.
Article 34. Commercial banks should adopt and implement a system development methodology to control the life cycle of Information systems. The typical phases of system life cycle include system analysis, design, development or acquisition, testing, trial run, deployment, maintenance, and retirement. The system development methodology to be used should be commensurate with the size, nature, and complexity of the IT project, and, generally speaking, should facilitate the management of the following risks.
Article 35. Commercial banks should ensure system reliability, integrity, and maintainability by controlling system changes with a set of policies and procedures, which should include the following elements.
(1) Ensure that production systems are separated from development or testing systems;
(2) Separating the duties of managing production systems and managing development or testing systems;
(3) Prohibiting application development and maintenance staff from accessing production system under normal circumstances unless management approval is granted to perform emergency repair, and all emergency repair activities should be recorded and reviewed promptly;
(4) Promoting changes of program or system configuration from development and testing systems to production systems should be jointly approved by IT organization and business departments, properly documented, and reviewed periodically.
Article 36. Commercial banks should have in place a set of policies, standards, and procedures to ensure data integrity, confidentiality, and availability. These policies should be in accordance with data integrity amid IT development procedure.
Article 37. Commercial banks should ensure that Information system problems could be tracked, analyzed, and resolved systematically through an effective problem management process. Problems should be documented, categorized, and indexed. Support services or technical assistance from vendors, if necessary, should also be documented. Contacts and relevant contract information should be made readily available to the employees concerned. Accountability and line of command should be delineated clearly and communicated to all employees concerned, which is of utmost importance to performing emergency repair.
Article 38. Commercial banks should have a set of policies and procedures controlling the process of system upgrade. System upgrade is needed when the hardware reaches its lifespan or runs out of capacity, the underpinning software, namely, operating system, database management system, middleware, has to be upgraded, or the application software has to be upgraded. The system upgrade should be treated as a project and managed by all pertinent project management controls including user acceptance testing.
Chapter VI IT Operations
Article 39. Commercial banks should consider fully the environmental threats (e.g. proximity to natural disaster zones, dangerous or hazardous facilities or busy/major roads) when selecting the locations of their data centers. Physical and environmental controls should be implemented to monitor environmental conditions could affect adversely the operation of information processing facilities. Equipment facilities should be protected from power failures and electrical supply interference.
Article 40. In controlling access by third-party personnel (e.g. service providers) to secured areas, proper approval of access should be enforced and their activities should be closely monitored. It is important that proper screening procedures including verification and background checks, especially for sensitive technology-related jobs, are developed for permanent and temporary technical staff and contractors.
Article 41. Commercial banks should separate IT operations or computer center operations from system development and maintenance to ensure segregation of duties within the IT organization. The commercial banks should document the roles and responsibilities of data center functions.
Article 42. Commercial banks are required to retain transactional records in compliance with the national accounting policy. Procedures and technology are needed to be put in place to ensure the integrity, safekeeping and retrieval requirements of the archived data.
Article 43. Commercial banks should detail operational instructions such as computer operator tasks, job scheduling and execution in the IT operations manual. The IT operations manual should also cover the procedures and requirements for on-site and off-site backup of data and software in both the production and development environments (i.e. frequency, scope and retention periods of back-up).
Article 44. Commercial banks should have in place a problem management and processing system to respond promptly to IT operations incidents, to escalate reported incidents to relevant IT management staff and to record, analyze and keep tracks of all these incidents until rectification of the incidents with root cause analysis completed. A helpdesk function should be set up to provide front-line support to users on all technology-related problems and to direct the problems to relevant IT functions for investigation and resolution.
Article 45. Commercial banks should establish service level agreement and assess the IT service level standard attained.
Article 46. Commercial banks should implement a process to ensure that the performance of application systems is continuously monitored and exceptions are reported in a timely and comprehensive manner. The performance monitoring process should include forecasting capability to enable exceptions to be identified and corrected before they affect system performance.
Article 47. Commercial banks should carry out capacity plan to cater for business growth and transaction increases due to changes of economic conditions. Capacity plan should be extended to cover back-up systems and related facilities in addition to the production environment.
Article 48. Commercial banks should ensure the continued availability of technology related services with timely maintenance and appropriate system upgrades. Proper record keeping (including suspected and actual faults and preventive and corrective maintenance records) is necessary for effective facility and equipment maintenance.
Article 49. Commercial banks should have an effective change management process in place to ensure integrity and reliability of the production environment. Commercial banks should develop a formal change management process.
Chapter VII Business Continuity Management
Article 50. Commercial banks should have in place appropriate arrangements, having regard to the nature, scale and complexity of its business, to ensure that it can continue to function and meet its regulatory obligations in the event of an unforeseen interruption. These arrangements should be regularly updated and tested to ensure their effectiveness.
Article 51. Commercial banks should consider the likelihood and impact of a disruption to the continuity of its operation from unexpected events. This should include assessing the disruptions to which it is particularly susceptible including but not limited to:
(1) Loss of failure of internal and external resources (such as people, systems and other assets);
(2) The loss or corruption of its information; and
(3) External events (such as war, earthquake, typhoon, etc).
Article 52. Commercial bank should act to reduce both the likelihood of disruptions (including system resilience and dual processing); and the impact of disruptions (including by contingency arrangements and insurance).
Article 53. Commercial bank should document its strategy for maintaining continuity of its operations, and its plans for communicating and regularly testing the adequacy and effectiveness of this strategy. Commercial bank should establish:
(1) Formal business continuity plans that outline arrangements to reduce the impact of a short, medium and long-term disruption, including:
a) Resource requirements such as people, systems and other assets, and arrangements for obtaining these resources;
b) The recovery priorities for the commercial bank’s operations; and
c) Communication arrangements for internal and external concerned parties (including CBRC, clients and the press);
(2) Escalation and invocation plans that outline the processes for implementing the business continuity plans, together with relevant contact information;
(3) Processes to validate the integrity of information affected by the disruption;
(4) Processes to review and update (1) to (3) following changes to the commercial bank’s operations or risk profile.
Article 54. A final BCP plan and an annual drill result must be signed off by the IT Risk management, or internal auditor and IT Steering Committee.
Chapter VIII Outsourcing
Article 55. Commercial banks cannot contract out its regulatory obligations and should take reasonable care to supervise the discharge of outsourcing functions.
Article 56. Commercial banks should take particular care to manage material outsourcing arrangement (such as outsourcing of data center, IT infrastructure, etc.), and should notify CBRC when it intends to enter into material outsourcing arrangement.
Article 57. Before entering into, or significantly changing, an outsourcing arrangement, the commercial bank should:
(1) Analyze how the arrangement will fit with its organization and reporting structure; business strategy; overall risk profile; and ability to meet its regulatory obligations;
(2) Consider whether the arrangements will allow it to monitor and control its operational risk exposure relating to the outsourcing;
(3) Conduct appropriate due diligence of the service provider’s financial stability, expertise and risk assessment of the service provider, facilities and ability to cover the potential liabilities;
(4) Consider how it will ensure a smooth transition of its operations from its current arrangements to a new or changed outsourcing arrangement (including what will happen on the termination of the contract); and
(5) Consider any concentration risk implications such as the business continuity implications that may arise if a single service provider is used by several firms.
Article 58. In negotiating its contract with a service provider, the commercial bank should have regard to ( but not limited to ):
(1) Reporting and negotiation requirements it may wish to impose on the service provider;
(2) Whether sufficient access will be available to its internal auditors, external auditors and banking regulators;
(3) Information ownership rights, confidentiality agreements and Firewalls to protect client and other information (including arrangements at the termination of contract);
(4) The adequacy of any guarantees and indemnities;
(5) The extent to which the service provider must comply with the commercial bank’s polices and procedures covering IT Risk;
(6) The extent to which the service provider will provide business continuity for outsourced operations, and whether exclusive access to its resources is agreed;
(7) The need for continued availability of software following difficulty at a third party supplier;
(8) The processes for making changes to the outsourcing arrangement and the conditions under which the commercial bank or service provider can choose to change or terminate the outsourcing arrangement, such as where there is:
a) A change of ownership or control of the service provider or commercial bank; or
b) Significant change in the business operations of the service provider or commercial bank; or
c) Inadequate provision of services that may lead to the commercial bank being unable to meet its regulatory obligations.
Article 59. In implementing a relationship management framework, and drafting the service level agreement with the service provider, the commercial bank should have regarded to (but not limited to):
(1) The identification of qualitative and quantitative performance targets to assess the adequacy of service provision, to both the commercial bank and its clients, where appropriate;
(2) The evaluation of performance through service delivery reports and periodic self assessment and independent review by internal or external auditors; and
(3) Remediation action and escalation process for dealing with inadequate performance.
Article 60. The commercial bank should enhance IT related outsourcing management, in place following (not limited to ) measures to ensure data security of sensitive information such as customer information:
(1) Effectively separated from other customer information of the service provider;
(2) The related staff of service provider should be authorized on “need to know” and “minimum authorization” basis;
(3) Ensure service provider guarantee its staff for meeting the confidential requests;
(4) All outsourcing arrangements related to customer information should be identified as material outsourcing arrangements and the customers should be notified;
(5) Strictly monitor re-outsourcing actions of the service provider, and implement adequate control measures to ensure information security of the bank;
(6) Ensure all related sensitive information be refunded or deleted from the service provider’s storage when terminating the outsourcing arrangement.
Article 61. The commercial bank should ensure that it has appropriate contingency in the event of a significant loss of services from the service provider. Particular issues to consider include a significant loss of resources, turnover of key staff, or financial failure of, the service provider, and unexpected termination of the outsourcing agreement.
Article 62. All outsourcing contracts must be reviewed or signed off by IT Risk management, internal IT auditors, legal department and IT Steering Committee. There should be a process to periodically review and refine the service level agreements.
Chapter IX Internal Audit
Article 63. Depending on the nature, scale and complexity of its business, it may be appropriate for the commercial banks to delegate much of the task of monitoring the appropriateness and effectiveness of its systems and controls to an internal audit function. An internal audit function should be adequately resourced and staffed by competent individuals, be independent of the day-to-day activities of the commercial bank and have appropriate access to the bank’s records.
Article 64. The responsibilities of the internal IT audit function are:
(1) To establish, implement and maintain an audit plan to examine and evaluate the adequacy and effectiveness of the bank’s systems and internal control mechanisms and arrangements;
(2) To issue recommendations based on the result of work carried out in accordance with 1;
(3) To verify compliance with those recommendations;
(4) To carry out special audit on information technology. The term “special audit” of information technology refers to the investigation, analysis and assessment on the security incidents of the information system, or the audit performed on a special subject based on IT risk assessment result as deemed necessary by the audit department.
Article 65. Based on the nature, scale and complexity of its business, deployment of information technology and IT risk assessment, commercial banks could determine the scope and frequency of IT internal audit. However, a comprehensive IT internal audit shall be performed at a minimum once every 3 years.
Article 66. Commercial banks should engage its internal audit department and IT Risk management department when implementing system development of significant size and scale to ensure it meets the IT Risk standards of the Commercial banks.
Chapter X External Audit
Article 67. The external information technology audit of commercial banks can be carried out by certified service providers in accordance with laws, rules and regulations.
Article 68. The commercial bank should ensure IT audit service provider to review and examine bank’s hardware, software, documentation and data to identify IT risk when they are commissioned to perform the audit. Vital commercial and technical information which is protected by national laws and regulations should not be reviewed.
Article 69. Commercial bank should communicate with the service provider in depth before the audit to determine audit scope, and should not withhold the truth or do not corporate with the service provider intentionally.
Article 70. CBRC and its local offices could designate certified service providers to carry out IT audit or related review on commercial banks when needed. When carrying out audit on commercial banks, as commissioned or authorized by CBRC or its local offices, the service providers shall present the letter of authority, and carry out the audit in accordance to the scope prescribed in the letter of authority.
Article 71. Once the IT audit report produced by the service providers is reviewed and approved by CBRC or its local offices, the report will have the same legal status as if it is produced by the CBRC itself. Commercial banks should come up with a correction action plan prescribed in the report and implement the corrective actions according to the timeframe.
Article 72. Commercial banks should ensure the service providers to strictly comply with laws and regulations to keep confidential and data security of any commercial secrets and private information learnt and IT risk information when conducting the audit. The service provider should not modify copy or take away any documents provided by the commercial banks.
Chapter XI Supplementary Provisions
Article 73. Commercial banks with no board of directors should have their operating decision-making bodies perform the responsibilities of the board with regard to IT risk management specified herein.
Article 74. The China Banking Regulatory Commission supervises and regulates the IT risk management of commercial banks under its authority by law.
Article 75. The power of interpretation and modification of the Guidelines shall rest with the China Banking Regulatory Commission.
Article 76. The Guidelines shall become effective as of the date of its issuance and the former Guidelines on the Risk Management of Banking Institutions’ Information Systems shall be revoked at the same time.
福建省人民政府关于印发福建省重点建设管理暂行办法的通知
福建省人民政府关于印发福建省重点建设管理暂行办法的通知
闽政[2002]29号
各市、县(区)人民政府,省人民政府各部门、各直属机构,各大企业,各高等院校:
经研究同意,现将《福建省重点建设管理暂行办法》印发给你们,请认真组织实施。
福 建 省 人 民 政 府
二○○二年六月二十七日
ⅳⅳ
福建省重点建设管理暂行办法
为加强和规范省重点建设项目的管理,确保省重点建设项目优质高效地建成投入使用,促进省级社会事业重点项目顺利建设,实现我省国民经济持续、快速、健康发展和社会事业的全面进步,根据国家有关规定,结合我省实际,制定本暂行办法。
第一条 本暂行办法所称省重点建设项目(以下简称省重点项目),是指使用或主要使用国有资金(含国有融资资金)建设、事关我省国民经济和社会发展大局的骨干项目,从以下六个方面的项目中选定:
ⅴ (一)大中型基础设施建设项目;
ⅴ (二)重大高技术产业化项目;
ⅴ (三)重大工业或技改基建项目;
ⅴ (四)重大社会事业项目;
ⅴ (五)其他对全省经济社会发展有重大影响的项目;
ⅴ (六)本省辖区内的国家重点建设项目直接列为省重点建设项目。
第二条 省重点项目开工报告已获批准或已取得施工许可证的,列为在建省重点项目;按建设程序已经批准可行性研究报告、尚未批准开工的,列为预备省重点项目。工业技改类省重点项目的开工条件按有关规定执行。
跨年度在建省重点项目,原则上转为下一年度省重点项目;列为预备省重点项目后两年内未能获准开工的,暂不列为省重点项目。
第三条 省重点项目名单每年确定一次。每年底由省发展计划委员会(以下简称省计委)对全省的建设项目进行综合比选后,商省有关行业主管部门和财政部门提出下一年度预备省重点项目与在建省重点项目名单,报省人民政府审定公布。
各设区市人民政府和省有关行业主管部门可以按本暂行办法规定的条件,向省计委提出本地区和本部门的下年度省重点项目建议名单或推荐省重点项目。
第四条 省人民政府根据需要和可能,适时制定保障省重点项目实施的有关政策和措施。
第五条 省重点项目建设应采用科学管理方法,积极采用新技术、新工艺、新材料、新的施工方法,努力提高建设科技含量和管理水平。
第六条 省人民政府成立省重点项目建设领导小组,研究、协调、解决省重点项目实施过程中的有关重大问题;对在省重点项目实施过程中作出显著成绩的单位和个人给予表彰和奖励。领导小组下设省重点项目建设领导小组办公室(以下简称省重点办),作为省重点项目建设领导小组的办事机构,挂靠省计委。省重点办的主要职责是:
ⅴ (一)检查、督促、指导省重点项目的建设,协调省重点项目实施过程中的有关问题。跟踪省重点项目的建设实施情况,参与省重点项目质量、安全事故的调查处理;
ⅴ (二)对预备重点项目的前期工作进行协调;
ⅴ (三)组织省重点项目的宣传工作;
ⅴ (四)指导省重点项目竣工验收工作;
ⅴ (五)向省重点项目建设领导小组报告省重点项目建设情况;
ⅴ (六)承办省政府和省重点项目建设领导小组交办的其他事项。
第七条 项目所在地的设区市人民政府和项目所属的省行业主管部门按照职责分工在省重点项目建设管理中履行以下职责:
ⅴ (一)提出年度省重点项目名单的意见或推荐省重点项目。
ⅴ (二)按照国家和省有关规定,组建其直接管理的省重点项目法人,对项目法人进行监督管理。
ⅴ (三)负责项目资金拼盘中地方自筹资金或部门资金的筹措到位。
ⅴ (四)协调解决项目建设中涉及地方人民政府和部门职责的问题。
ⅴ (五)对主管的省重点项目的建设质量、工程进度、投资控制进行监督管理。
项目所在地的设区市人民政府和项目所属的省行业主管部门应指定一名领导分管省重点项目工作,负责省重点建设项目有关工作的协调。省重点项目的完成情况作为考核行业主管部门与市人民政府分管领导政绩的内容之一。
第八条 参加省重点项目建设的主要勘察、设计、监理、施工单位应确定一名主要领导对所承担的项目负全面责任,该领导名单应报省行业主管部门和省重点办备案。
第九条 省重点项目建设实行项目法人责任制,对项目的筹划、筹资、建设、生产经营、偿还债务和资产的保值增值等负全面责任。国家另有规定的,从其规定。
建设项目法人的组织形式、组织机构依照《中华人民共和国公司法》和国家有关规定执行。
第十条 国有资金控股的省重点项目建设单位主要管理人员实行培训上岗制度。
第十一条 省重点项目实行建设目标管理制度。项目建设单位应制定项目年度投资目标计划和主要阶段性形象进度计划,经省行业主管部门、省重点办审核后报省人民政府下达执行。
第十二条 省重点建设项目的勘察、设计、监理和施工单位选择,以及重要设备和大宗材料采购等活动,必须依照国家和省有关法律规章规定进行招标。
第十三条 除法律、法规和规章另有规定外,省重点项目建设有关的选址意见书、施工图审查、开工报告及施工许可审批、项目用地预审、超限建筑抗震设防、环保、消防、劳动安全、职业卫生、人防、审计、档案等专项的行政性审查、审批、监督、验收等工作,由省级行政主管部门为主负责(厦门市的省重点建设项目除外)。
第十四条 省重点项目建成后,项目建设单位应及时组织验收报备工作,有关验收报告、质量监督报告应同时抄送省重点办备案。省重点办应会同省行业、行政主管部门加强对省重点项目验收工作的指导,督促项目建设单位的竣工验收工作。
第十五条 省重点项目实行工程监理制,严格控制和管理项目的建设资金、建设工期、工程质量、施工安全等。
第十六条 省重点项目应当按照国家有关法规要求征用土地、林地;项目建设必须厉行节约用地,大力保护环境和森林植被,防止水土流失。
第十七条 省重点项目施工应当建立完善的安全文明生产规章制度,做到安全、文明施工。施工中应切实维护项目所在地群众的合法利益。
第十八条 省重点项目建设应当贯彻勤俭节约精神,开展合理化建议活动,减少浪费,节约投资。
第十九条 省重点项目建设应建立健全廉政监督机制,防止贪污腐败现象。
第二十条 省重点项目建设单位应及时向省重点办及项目主管部门报告项目的建设动态情况和存在问题,发生重大质量或安全事故应立即报告。
第二十一条 省重大建设项目稽察特派员办公室应加强对省重点项目建设的稽察工作。
第二十二条 省重点办对省重点项目进展情况进行不定期的检查,并根据情况向省人民政府、项目主管部门、设区市人民政府通报检查结果、存在问题和整改意见。
第二十三条 省财政等有关部门和有自筹资金任务的地方人民政府和企事业单位,应当按省重点项目的投资计划和工程进度优先安排并及时拨付财政资金、自筹资金,确保项目的建设需要。任何单位和个人不得截留或挪用省重点项目的建设资金。
第二十四条 省国土资源部门、林业部门和地方人民政府应当依法优先保证省重点项目的用地。省重点项目建设单位应按照国家有关规定及时支付征地费用。负责征地的地方人民政府或有关单位应依法做好被征地单位和个人的补偿安置工作,及时交付土地,保证项目的施工需要。
第二十五条 省有关行业主管部门及行业协会应当根据职能积极主动地指导、支持本行业省重点项目的建设,做好服务。
第二十六条 地方各级人民政府必须及时协调解决辖区范围内省重点项目建设中遇到的征地拆迁、地材供应、社会治安、后勤保障等问题,为重点项目创造良好的建设环境。严禁任意阻挠、干扰重点项目建设的行为,任何单位和个人不得向省重点项目乱收费、乱摊派、乱罚款。
第二十七条 省、市各有关政府职能部门必须积极主动地对省重点项目建设提供服务,制定保障省重点项目实施的具体措施、办法,明确职责,限定办事期限和优先办理有关事项,简化各项审批环节,提高工作效率,为省重点项目创造优良的建设软环境;省重点项目按规定必须要交纳的费用,按规定标准的下限收取。
第二十八条 电力、供水、交通、邮电、通信等单位,应当优先保证省重点项目施工和生产的用电、用水、物资运输和邮电通信等方面的需要。
第二十九条 参加省重点项目建设的施工、监理单位必须按合同约定按时配足人员、设备、机具。勘察设计单位应按合同要求及时交付勘察成果和设计文件,并派驻现场代表及时解决现场遇到的技术问题。设备、材料供应单位必须按合同约定及时保质供应重点项目所需的设备、材料。
第三十条 为省重点项目直接配套的项目,必须按照省重点项目的建设进度要求,同步安排建设。为配套项目提供建设资金的部门和单位,必须按照项目的建设进度及时拨付建设资金。
第三十一条 省政府每年对省重点项目年度工作目标计划完成情况进行考核并通报考核结果。对因工作不力或管理不善导致项目目标计划完成差或出现重大质量安全责任事故的项目,将给予处理处分:
(一)对该项目建设单位及其责任人给予通报批评。
(二)根据具体情况,暂停拨付或收回该重点项目或该重点项目所在行业前期工作补助经费;
(三)暂停该项目下一年度列为省重点项目,并责成有关地方人民政府或行业主管部门调整建设单位主要领导成员;
(四)追究项目行业主管部门或项目所在地设区市人民政府有关责任人的责任。
第三十二条 省重点项目建设单位负责人及其行政分管领导组织项目实施的工作业绩,由省重点办通报省和设区市党委组织部门。
第三十三条 建立省重点项目立功竞赛制度,对在省重点项目建设中做出显著成绩的建设单位、勘察、设计、施工、监理、材料设备供应厂商、有关政府部门、金融、新闻等单位和个人,由省重点项目建设领导小组给予表彰和奖励。
对成绩特别突出的个人由省人民政府授予“福建省重点建设功臣”称号,并由省总工会授予省“五一奖章”。
对质量优、工期短、投资省、组织管理好并已经竣工验收投产的建设项目,省人民政府授予“福建省重点建设优胜项目”称号,同时,对项目建设单位负责人及有功人员予以一次性奖金奖励,具体奖励办法由省计委会同省财政厅等有关部门共同制定。
表彰工作每年进行一次。具体表彰办法由省重点办会同省人事厅、省总工会制定,表彰具体工作由省重点办组织实施。
第三十四条 建立省重点项目参建单位业绩信誉登记报备制度。每年底对参加省重点项目建设的施工企业和勘察、设计、监理单位的当年工作业绩、合同履约信誉情况进行登记报备,登记按信誉好差分甲、乙、丙三等,其中信誉好的甲等单位和信誉差的丙等单位在省级报刊上一并予以公布。登记为丙等的单位,自登报次日起一年内参加其它省重点项目招投标资格预审时,列为信誉不良情况处理。具体登记报备办法由省重点办会同省有关部门制定。
第三十五条 省重点项目经稽察或审计发现有重大问题的,按有关规定对项目法定代表人、责任人进行处理。
第三十六条 社会公共设施项目中使用或主要使用省级、设区市级财政性资金(含省、设区市财政融资资金)建设的教育、科技、文化、卫生、体育等方面的省级社会事业重点项目,参照本暂行办法执行。
第三十七条 对我省经济和社会发展有重大影响的非国有投资项目,经研究视同省重点建设项目,享受本暂行办法规定的有关扶持和奖励措施。
第三十八条 本暂行办法由省发展计划委员会负责解释。
第三十九条 本暂行办法自公布之日起执行。
