Notice of the China Insurance Regulatory Commission on Issuing the Guidelines for the Administration of Information System Disaster Recovery in the Insurance Industry [Effective]
Notice of the China Insurance Regulatory Commission on Issuing the Guidelines for the Administration of Information System Disaster Recovery in the Insurance Industry
(No. 20 [2008], China Insurance Regulatory Commission)
All insurance companies and insurance asset management companies:
To enhance the infrastructure construction for insurance information security and promote work on information system disaster recovery, in accordance with the Insurance Law of the People's Republic of China and other laws and regulations regarding information security, this Commission has adopted the Guidelines for the Administration of Information System Disaster Recovery in the Insurance Industry, which are hereby issued for your compliance and implementation.
March 21, 2008
Guidelines for the Administration of Information System Disaster Recovery in the Insurance Industry
 

Chapter I General Provisions
 

Article 1 To regulate and guide the information system disaster recovery work in the insurance industry, improve the insurance industry's ability to prevent disaster risks, ensure continual operation, and protect the lawful rights and interests of customers and shareholders, these Guidelines are formulated in accordance with the Insurance Law of the People's Republic of China, laws and regulations regarding information security, and other relevant provisions of the state.
Article 2 The information system disaster recovery work in the insurance industry shall adhere to the principle of “overall planning, resource sharing, including disaster recovery in routine operations, and graded disaster preparedness” to balance costs and risks and ensure work efficiency.
Article 3 For the purposes of these Guidelines, “insurance institutions” means insurance companies, insurance asset management companies, China branches of foreign insurance companies, and mainland branches of Hong Kong, Macau and Taiwan insurance companies, established with the approval of the China Insurance Regulatory Commission (“CIRC”) and registered in accordance with the law.
Article 4 For the purposes of these Guidelines, “disaster recovery” means the disaster recovery of information systems; and “disaster recovery work” means a series of work conducted to ensure continual operation of information systems, prevent disaster risks and reduce losses and adverse effects caused by disasters, including the formation and duties of the organizing body, analysis of disaster recovery demands, determination of disaster recovery policies, adoption of a disaster backup system, construction, operation and maintenance of a disaster backup center, management of disaster recovery plans, and emergency response and recovery.
For the purposes of these Guidelines, “regional disaster” means an event that causes serious damage to the transport, telecommunication, electricity, or other critical infrastructure, causes damage to or destruction of critical information network devices, or causes large-scale human evacuation in the affected region or a closely related adjacent region, as a result of which information systems cannot operate normally, such as an earthquake, a large-scale public health event, a terrorist attack, a regional telecommunication network breakdown, a regional grid breakdown, or damage to or destruction of key computer room equipment.
For the purposes of these Guidelines, “intra-city disaster backup” means that the production center and the disaster backup center are located within the same geographical area, usually some tens of kilometers apart, are exposed to the same regional disaster risks, and are capable of withstanding disasters affecting a small area, such as a small-area blackout, a fire, or a device breakdown.
For the purposes of these Guidelines, “remote disaster backup” means that the production center and the disaster backup center, located in different geographical areas, usually several hundred kilometers away from each other, are usually not exposed to the same regional disaster risks and are capable of withstanding disasters affecting a large area such as large-scale blackout, earthquake, or war.
For the purposes of these Guidelines, “self-built” means that a disaster backup center is built with one's own funds and owned by one to provide disaster recovery services for oneself.
For the purposes of these Guidelines, “jointly-built” means that a disaster backup center is built with funds from two or more institutions and jointly owned by them to provide disaster recovery services for them.
For the purposes of these Guidelines, “outsourcing” means external resources are chosen to assume or assist in the planning, implementation, operation and maintenance, and emergency response and recovery in connection with information system disaster recovery.
Article 5 The CIRC shall conduct the supervision and administration regarding the information system disaster recovery in the insurance industry.
Article 6 Clauses of the Information Security Technology - Disaster Recovery Specifications for Information Systems (GB/T 20988-2007) referred to in these Guidelines shall become part of these Guidelines.
Chapter II General Work Requirements
 

Article 7 An insurance institution shall make overall planning on information system disaster recovery and reach at least the minimal level for disaster recovery capability required by these Guidelines within five years from the effective date of these Guidelines.
When building a new information system, an insurance institution shall simultaneously plan and implement the building of a disaster backup system. An insurance institution established after the effective date of these Guidelines shall reach the minimal level for disaster recovery capability required by these Guidelines within five years after its establishment.
Article 8 An insurance institution shall continuously conduct disaster recovery work to ensure the applicability of disaster recovery strategies, disaster backup systems and disaster recovery plans.
Re-analysis of disaster recovery demands shall be conducted on a regular basis. The maximum cycle for disaster recovery demand re-analysis is three years. In the event of any material change of the information system or related business workflow, re-analysis of disaster recovery demands shall be immediately initiated, and disaster recovery strategies shall be reviewed and revised based on the latest disaster recovery demand analysis.
An insurance institution shall, according to its disaster recovery strategies, regularly review and adjust its disaster recovery technical schemes and disaster recovery plans and regularly conduct training and drills under disaster recovery plans.
Article 9 An insurance institution shall strengthen coordination with institutions closely related to its business, jointly assess risks faced, and make coordinated disaster recovery strategies to improve its overall risk prevention and disaster recovery capabilities.
Chapter III Organizing Body
 

Article 10 The legal representative or the first person in charge of an insurance institution is the person responsible for disaster recovery work.
The board of directors or the top decision-making level of an insurance institution shall participate in the formulation and review of disaster recovery strategies to ensure consistency between its disaster recovery strategies and business objectives.
Article 11 The organizing body for disaster recovery of an insurance institution shall be composed of the relevant managerial, business, technical, finance, administrative, logistical, and other personnel of the insurance institution.
An insurance institution shall establish a disaster recovery management committee for the uniform management and decision-making in connection with disaster recovery planning, implementation, operation and maintenance, and emergency response and recovery.
An insurance institution shall establish a disaster recovery work office separately or within an existing department as the standing office of the disaster recovery management committee to handle specific matters involved in disaster recovery work.
Article 12 The main duties of the disaster recovery organizing body of an insurance institution during disaster recovery planning, implementation, and operation and maintenance stages are:
1. analysis of disaster recovery demands and formulation of strategies;
2. resource preparation and fund approval;
3. selection and building of a disaster backup center;
4. daily operation and maintenance of a disaster backup center;
5. preparation of a disaster recovery plan, maintenance, and drills;
6. personnel education and training; and
7. supervision, inspection, and auditing.
The main duties of the disaster recovery organizing body of an insurance institution during the emergency response and recovery stage are:
1. emergency response and alarm reporting;
2. event notification and communication;
3. damage evaluation, emergency repair and rescue, and protection of sensitive data;
4. major decision making for disaster recovery work;
5. recovery or rebuilding of and return to the production center;
6. business resumption and customer service;
7. resource safeguard and supply;
8. public relations through press and information disclosure; and
9. recovery evaluation and summarization.
Article 13 The professional personnel engaged in disaster recovery shall:
1. have good professional ethics and risk awareness and expertise required for performing the functions of relevant disaster recovery posts; and
2. not assume posts without receiving advance training or before passing such training; and be adjusted in a timely manner if deemed incompetent after assessment.
Chapter IV Demand Analysis and Strategy Formulation
 

Article 14 Disaster recovery demand analysis includes risk analysis and business impact analysis. The risk analysis and business impact analysis of an insurance institution shall meet the following requirements:
......
  Translations are by lawinfochina.com, and we retain exclusive copyright over content found on our website except for content we publish as authorized by respective copyright owners or content that is publicly available from government sources.

Due to differences in language, legal systems, and culture, English translations of Chinese law are for reference purposes only. Please use the official Chinese-language versions as the final authority. lawinfochina.com and its staff will not be directly or indirectly liable for use of materials found on this website.
