Foreign Literature Translation

Foreign-language source

The Basel Committee on Banking Supervision: Risk Management Principles for Electronic Banking (part)

Principle 6: Banks should ensure that appropriate measures are in place to promote adequate segregation of duties within e-banking systems, databases and applications.

Segregation of duties is a basic internal control measure designed to reduce the risk of fraud in operational processes and systems and to ensure that transactions and company assets are properly authorised, recorded and safeguarded. Segregation of duties is critical to ensuring the accuracy and integrity of data and is used to prevent the perpetration of fraud by an individual. If duties are adequately separated, fraud can only be committed through collusion.

E-banking services may necessitate modifying the ways in which segregation of duties is established and maintained, because transactions take place over electronic systems where identities can be more readily masked or faked. In addition, operational and transaction-based functions have in many cases become more compressed and integrated in e-banking applications. Therefore, the controls traditionally required to maintain segregation of duties need to be reviewed and adapted to ensure that an appropriate level of control is maintained. Because access to poorly secured databases can be more easily gained through internal or external networks, strict authorisation and identification procedures, a safe and sound architecture for straight-through processes, and adequate audit trails should be emphasised.

Common practices used to establish and maintain segregation of duties within an e-banking environment include the following:
- Transaction processes and systems should be designed to ensure that no single employee or outsourced service provider could enter, authorise and complete a transaction.
- Segregation should be maintained between those initiating static data (including web page content) and those responsible for verifying its integrity.
- E-banking systems should be tested to ensure that segregation of duties cannot be bypassed.
- Segregation should be maintained between those developing and those administering e-banking systems.

Principle 7: Banks should ensure that proper authorisation controls and access privileges are in place for e-banking systems, databases and applications.

In order to maintain segregation of duties, banks need to strictly control authorisation and access privileges. Failure to provide adequate authorisation control could allow individuals to alter their authority, circumvent segregation and gain access to e-banking systems, databases or applications to which they are not privileged.

In e-banking systems, authorisations and access rights can be established in either a centralised or distributed manner within a bank and are generally stored in databases. The protection of those databases from tampering or corruption is therefore essential for effective authorisation control. Appendix III identifies a number of sound practices to help establish proper control over authorisation and access rights to e-banking systems, databases and applications.

Principle 10: Banks should take appropriate measures to preserve the confidentiality of key e-banking information.

Measures taken to preserve confidentiality should be commensurate with the sensitivity of the information being transmitted and/or stored in databases. Confidentiality is the assurance that key information remains private to the bank and is not viewed or used by those unauthorised to do so. Misuse or unauthorised disclosure of data exposes a bank to both reputation and legal risk.

The advent of e-banking presents additional security challenges for banks because it increases the exposure that information transmitted over the public network or stored in databases may be accessible by unauthorised or inappropriate parties or used in ways the customer providing the information did not intend. Additionally, increased use of service providers may expose key bank data to other parties. To meet these challenges concerning the preservation of confidentiality of key e-banking information, banks need to ensure that:
- All confidential bank data and records are only accessible by duly authorised and authenticated individuals, agents or systems.
- All confidential bank data are maintained in a secure manner and protected from unauthorised viewing or modification during transmission over public, private or internal networks.
- The bank's standards and controls for data use and protection are met when third parties have access to the data through outsourcing relationships.
- All access to restricted data is logged and appropriate efforts are made to ensure that access logs are resistant to tampering.

Chinese translation (given here in English)

Basel Committee on Banking Supervision: Risk Management Principles for Electronic Banking (part)

Principle 6: Within e-banking systems, databases and applications, banks should take appropriate measures to ensure that duties are effectively segregated.

One of the basic measures of internal control is segregation of duties; it reduces the risk of fraud in operating procedures and systems and ensures that transactions and bank assets are properly authorised, recorded and protected. Segregation of duties ensures the accuracy and integrity of data and can also be used to prevent fraud by individuals. If duties have been adequately segregated, fraud can only be carried out through collusion.

Because the identity of a counterparty is easily disguised or forged when transactions are conducted over electronic systems, the existing methods of segregating duties need to be modified when e-banking services are offered. In addition, in e-banking many operational and transaction functions have been compressed and have become increasingly integrated. The traditional segregation-of-duties controls therefore need to be re-examined and revised to ensure that they maintain an appropriate level of control. Because it has become easier to reach poorly secured databases through internal or external networks, stricter authorisation and identification procedures, a safe and sound straight-through processing architecture, and adequate audit trails need to be emphasised.

In an e-banking environment, the usual practices for establishing and maintaining segregation of duties include the following:
- Transaction procedures and systems should be designed so that no single employee or outsourced service provider can enter, authorise and complete a transaction on their own.
- The duties of those who enter initial static data (including web page content) and of those responsible for checking its integrity should be clearly separated.
- E-banking systems should be tested to ensure that segregation of duties cannot be bypassed.
- The duties of the developers and the administrators of e-banking systems should be clearly separated.

Principle 7: Banks should ensure that they have appropriate authorisation controls and access privilege arrangements for e-banking systems, databases and applications.

To preserve segregation of duties, banks need to control authorisation and access privileges strictly. Without adequate authorisation control, certain individuals could modify their own permissions, circumvent segregation of duties and gain entry to e-banking systems, databases or applications for which they have no specific authorisation. In e-banking systems, authorisations and access rights within a bank may be assigned either centrally or in a distributed manner, and are generally stored in databases. For authorisation control to be effective, these databases must be protected from tampering or damage.

Data integrity means ensuring that information in transit or in storage cannot be modified without authorisation. If the integrity of data such as transactions, records and information cannot be maintained, a bank may suffer financial loss or bear significant legal and reputational risk.
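The following Python sketch is an added example, not part of the Basel Committee text or of any bank's system. It shows how the Principle 6 practices (no single actor may enter, authorise and complete a transaction; developers are kept apart from administrators; the controls are tested so they cannot be bypassed), the Principle 7 point that individuals must not be able to alter their own authority, and the Principle 10 requirement for tamper-resistant access logs can be enforced in code. The user names (root, alice, bob, carol, dave), the roles (admin, maker, checker, operator, developer), the transaction T1 and the audit key are all constructed for illustration; the audit trail is an HMAC hash chain, one common way to make a log tamper-evident, chosen here as an assumption rather than taken from the paper.

```python
import hmac
import json

# Role pairs that one person must never hold at the same time (Principle 6 practices).
CONFLICTING_ROLES = (frozenset({"maker", "checker"}), frozenset({"developer", "admin"}))

class SoDViolation(Exception):
    """Raised when an action would let one actor bypass segregation of duties."""

class AuditLog:
    # Append-only log; each entry's HMAC also covers the previous entry's HMAC (hash chain).
    def __init__(self, key: bytes):
        self._key = key
        self.entries: list[dict] = []

    def _mac(self, prev_mac: str, payload: dict) -> str:
        msg = prev_mac.encode() + json.dumps(payload, sort_keys=True).encode()
        return hmac.new(self._key, msg, "sha256").hexdigest()

    def append(self, actor: str, action: str, **details) -> None:
        payload = {"seq": len(self.entries), "actor": actor, "action": action, **details}
        prev = self.entries[-1]["mac"] if self.entries else "0" * 64
        self.entries.append({**payload, "mac": self._mac(prev, payload)})

    def verify(self) -> bool:
        prev = "0" * 64  # an edited, dropped or reordered entry breaks the chain
        for i, entry in enumerate(self.entries):
            payload = {k: v for k, v in entry.items() if k != "mac"}
            if payload["seq"] != i or not hmac.compare_digest(self._mac(prev, payload), entry["mac"]):
                return False
            prev = entry["mac"]
        return True

class Bank:
    # Toy back office: role grants, maker/checker/operator transaction flow, audit trail.
    def __init__(self, audit_key: bytes, root_admin: str):
        self.roles: dict[str, set[str]] = {root_admin: {"admin"}}
        self.txs: dict[str, dict] = {}
        self.log = AuditLog(audit_key)

    def _require(self, user: str, role: str) -> None:
        if role not in self.roles.get(user, set()):
            raise SoDViolation(f"{user} lacks role {role}")

    def grant_role(self, admin: str, user: str, role: str) -> None:
        # Only an admin may change authority, and never their own (Principle 7).
        self._require(admin, "admin")
        if admin == user:
            raise SoDViolation(f"{admin} may not change their own roles")
        new_roles = self.roles.get(user, set()) | {role}
        if any(pair <= new_roles for pair in CONFLICTING_ROLES):
            raise SoDViolation(f"{user} would hold conflicting roles {sorted(new_roles)}")
        self.roles[user] = new_roles
        self.log.append(admin, "grant_role", user=user, role=role)

    def enter(self, maker: str, tx_id: str, amount: int) -> None:
        self._require(maker, "maker")
        self.txs[tx_id] = {"amount": amount, "entered_by": maker, "approved_by": None}
        self.log.append(maker, "enter", tx_id=tx_id, amount=amount)

    def approve(self, checker: str, tx_id: str) -> None:
        self._require(checker, "checker")
        tx = self.txs[tx_id]
        if checker == tx["entered_by"]:  # defence in depth: never approve your own entry
            raise SoDViolation(f"{checker} cannot approve a transaction they entered")
        tx["approved_by"] = checker
        self.log.append(checker, "approve", tx_id=tx_id)

    def complete(self, operator: str, tx_id: str) -> None:
        self._require(operator, "operator")
        tx = self.txs[tx_id]
        if tx["approved_by"] is None or operator == tx["entered_by"]:
            raise SoDViolation(f"{operator} cannot complete {tx_id}")
        self.log.append(operator, "complete", tx_id=tx_id, amount=tx["amount"])

def blocked(fn, *args) -> bool:
    try:  # True if the action was refused with a SoDViolation
        fn(*args)
        return False
    except SoDViolation:
        return True

def run_scenario() -> dict:
    # Constructed walkthrough: which bypass attempts were blocked, and whether the log held.
    bank = Bank(b"constructed-demo-key", root_admin="root")
    for user, role in [("alice", "maker"), ("bob", "checker"), ("carol", "operator"), ("dave", "developer")]:
        bank.grant_role("root", user, role)
    out = {}
    out["maker_as_checker_blocked"] = blocked(bank.grant_role, "root", "alice", "checker")
    out["dev_as_admin_blocked"] = blocked(bank.grant_role, "root", "dave", "admin")
    out["self_grant_blocked"] = blocked(bank.grant_role, "root", "root", "operator")
    bank.enter("alice", "T1", 5000)
    out["self_approve_blocked"] = blocked(bank.approve, "alice", "T1")
    out["unapproved_complete_blocked"] = blocked(bank.complete, "carol", "T1")
    bank.approve("bob", "T1")
    bank.complete("carol", "T1")
    out["log_intact"] = bank.log.verify()
    bank.log.entries[-1]["amount"] = 50  # an insider edits the settled amount in place
    out["tamper_detected"] = not bank.log.verify()
    return out
```

Two design points carry the paper's argument. Conflicting roles are refused at grant time, so the check that one person cannot both enter and authorise does not depend on every transaction path remembering to compare names; the extra comparison in `approve` is there so a later mistake in role administration still cannot be exploited. The audit key must be held outside the reach of the administrators whose actions it records (for example by a separate logging service or an HSM), otherwise an insider can simply re-sign the chain after editing it; the HMAC chain detects edits, deletions and reordering, but not truncation of the newest entries, which needs an external anchor such as a periodically published head MAC.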